System Process (PID 8) creates mail

[wkrueger]

Windows 2000 Pc with SP4.
We had a problem where one of our external IP addresses was being
blocked due to spam coming from it. It was not the mail server address
(which is NAT'd through the firewall), but rather a user's station.
This user has no email app, nor a reason to send SMTP mail. I threw
about 6 tools at it (spybot, adaware, pestscan, installed Norton AV
corp, Norton Spyware, Trend micro AV) and found about 4 viruses and 6
pieces of spyware-malware.

I do not think I can just stop the hunt and format the PC, as the apps
on the box are tricky and expensive to reset - due to proprietary
vendor installs.

I put TCPview on the machine and saw that every 5 minutes, the System
process (PID was 8) was generating email to external addresses. The
ports it was using were somewhat random (1151, 1160, 1241, 1242, 1148)
and the external addresses changed every so often. I was able to block
email from this machine, so the effect has stopped.

That is my tale of woe, now my questions (may be dumb):
Is there an executable that is behind SYSTEM? I do not see an .exe with
that name. Is it a kernel type of app? Is there a way to compare dates
of the 'file' to something from the Windows 2000?

I am concerned that there is still a bug that could somehow reactivate
if the user does something dumb again. The machine is still trying its
mail send, but I am blocking it. Is there a better tool to track the
app that is trying to talk to the outside world? What other ways can
clean the machine?

 

[Steven L Umbach]

A pristine install is certainly the best solution but that is your call.
What you could do is to try Process Explorer to see more detailed info on
the process and if it is installed as a service and Autoruns to see if you
can see where it is started from. Their RootkitRevealer is something else to
take a look at if you think it may be a root kit compromise. You should also
configure your firewall to block outbound traffic from that computer to
unauthorized ports assuming your firewall has that capability and if it does
not you may want to buy one that can. A firewall that can have a default
block all outbound rule where you define the explicit exceptions for
authorized traffic would heave prevented your IP from being blocked in the
first place and examination of firewall logs could have alerted you to
problems from that and other computers on your network. Also try scanning
your computer in Safe Mode with your malware/spyware applications and try a
dedicated trojan detection and removal program such as Ewido. Look in Add
and Remove programs in case the rough application shows there. --- Steve

http://www.sysinternals.com/Utilities/RootkitRevealer.html
http://www.ewido.net/en/ --- Ewido

 

[wkrueger]

Thanks for the tips. Yeah, if I was good, I would have examined the
logs more closely. But we get some much traffic, I tend to get
overwhelmed. I did finally just use the filter to look at smtp traffic
coming from inside our network.
The firewall can block based on IP and port, but right now my email
server has two NICs, and both are sending email. I need to look at
that, so that all email is coming from the email box only goes out the
email IP. Also, I have a few visitors that need access to their email
server via SMTP, so the service is not blocked on the internet IP.
I will try the process explorer and rootkit revealer. I just could not
see what was driving the System process. There was no app or any path
in Tlist. Addremove was clean, but I will see if I can someone to run
some of the cleaners in Safe mode (was a remote PC).

 

[wkrueger]

I used Process Explorer to see what was under the System Process
listing. I then used TDI Monitor from sysinternals to see which of the
apps under System were trying to send email. I found something called
msdxdsvc.exe that was trying to send email. I looked at the properties
and it was listed as a .Net application. Tricky... but there was no
msdxdsvc found on google, MS' website, nor 6 machines I had here in the
office - all of which had .net installed.
I used kill to stop this app, deleted it, then rebooted. The flow of
email from this machine finally stopped.
Thanks - Steven - your tips got me in the right direction to stop this
attack. I just heated the thought of a reformat/rebuild of this machine.

 

[Roger Abell [MVP]]

But keep in mind that finding the app that was generating the outbound
SMTP does not mean you have found what might (still) be present
collecting what was being emailed.