Help with virus identification

John Daragon

I'm a contract developer working on-site for a client in the UK with
about 600 Windows machines - a mix of XP, Win2003, some Win2000 and a
couple of NT4.0 boxes. The network appears to be well maintained, and we
have up-to-date McAfee virus protection on all of the boxes.

Alas, we appear to have a virus infection, and I've been unable so far
to identify the culprit, so I thought I'd describe the symptoms here to
see if anyone recognised it...

The symptoms we have noticed so far are these:

On the Win2003 and XP boxes Windows File Protection has replaced all
files with extensions of .exe and .dll in %SYSTEMROOT%, with the
exception of explorer.exe. This appears to happen intermittently and
during login.

On the Win2000 machines (which are mainly members of a Citrix
application farm), where there is no WFP, the damage has consisted of
the deletion of .exe and .dll files from %SYSTEMROOT%, so I sort of
assume that's what would be happening on XP/2003, too.

There appears to be no unusual network traffic, and no unexpected ports
appear to have listeners associated with them (although I use typical
developer PCs with 4 different RDBMS systems &c on them, so my port map
is a bit cluttered at the best of times...)

All in all, although we have to take down the odd 2000 machine to
re-image it, the impact we've noticed so far has been pretty light but
I'm worried that there may be other payloads that I'm not yet aware of.

Does this ring any bells with anyone ?

jd
 
David H. Lipman

From: "John Daragon" <[email protected]>

| I'm a contract developer working on-site for a client in the UK with
| about 600 Windows machines - a mix of XP, Win2003, some Win2000 and a
| couple of NT4.0 boxes. The network appears to be well maintained, and we
| have up-to-date McAfee virus protection on all of the boxes.
|
| Alas, we appear to have a virus infection, and I've been unable so far
| to identify the culprit, so I thought I'd describe the symptoms here to
| see if anyone recognised it...
|
| The symptoms we have noticed so far are these:
|
| On the Win2003 and XP boxes Windows File Protection has replaced all
| files with extensions of .exe and .dll in %SYSTEMROOT%, with the
| exception of explorer.exe. This appears to happen intermittently and
| during login.
|
| On the Win2000 machines (which are mainly members of a Citrix
| application farm), where there is no WFP, the damage has consisted of
| the deletion of .exe and .dll files from %SYSTEMROOT%, so I sort of
| assume that's what would be happening on XP/2003, too.
|
| There appears to be no unusual network traffic, and no unexpected ports
| appear to have listeners associated with them (although I use typical
| developer PCs with 4 different RDBMS systems &c on them, so my port map
| is a bit cluttered at the best of times...)
|
| All in all, although we have to take down the odd 2000 machine to
| re-image it, the impact we've noticed so far has been pretty light but
| I'm worried that there may be other payloads that I'm not yet aware of.
|
| Does this ring any bells with anyone ?
|
| jd


Please submit samples of altered files to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.
 
John Daragon

David said:
From: "John Daragon" <[email protected]>

| (snip of original post)

Please submit samples of altered files to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.

David, hi;

I'm sure we will, when we find an altered file... Alas as yet we've
just had a whole swathe deleted...

jd
 
David H. Lipman

From: "John Daragon" <[email protected]>


| David, hi;
|
| I'm sure we will, when we find an altered file... Alas as yet we've
| just had a whole swathe deleted...
|
| jd

OK JD:

Two more suggestions...

#1 -

Download and execute HiJack This! (HJT)
http://www.spywareinfo.com/~merijn/files/HijackThis.exe

Create a HJT log file and post it in one of the below locations...

{ Please - Do NOT post the HJT Log here ! }

Forums where you can get expert advice for HiJack This! (HJT) logs.

NOTE: Registration is not required in the below before posting a log
http://www.thespykiller.co.uk/forum/?action=forum


NOTE: Registration is REQUIRED in any of the below before posting a log
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://www.malwarebytes.org/forums/index.php?showforum=7
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13



#2 -


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *
 
Virus Guy

Remove the drive from a suspect machine and slave it to a known-good
(trusted) machine with AV software and scan the suspect drive.
 
John Daragon

Virus said:
Remove the drive from a suspect machine and slave it to a known-good
(trusted) machine with AV software and scan the suspect drive.

Thanks for the advice. That'll go onto my list of things to do. My
worry, though, is that this is, of course, a network and the damage
appears to occur *at logon*, which means that the machines with the
symptoms may well not be themselves infected. Taking the drives out of a
Domain Controller will be an expensive operation, and removing the physical
disks from the SAN will be more or less impossible in the short term.

jd
 
John Daragon

David said:
From: "John Daragon" <[email protected]>


| David, hi;
|
| I'm sure we will, when we find an altered file... Alas as yet we've
| just had a whole swathe deleted...
|
| jd

OK JD:

Two more suggestions...

#1 -

Download and execute HiJack This! (HJT)
http://www.spywareinfo.com/~merijn/files/HijackThis.exe

Create a HJT log file and post it in one of the below locations...

{ Please - Do NOT post the HJT Log here ! }

(snip of really useful advice...)

Thanks Dave - I'll see if I can get that done today on my desktop
machine, at least. I'm worried, though, that as the damage appears to
occur at logon the actual executable code that causes it may not even
reside on the machines showing the symptoms. It's a relatively
sophisticated, if not that large, network - almost all data that changes
sits on a SAN and startup / logon operations are controlled by Active
Directory policies. I feel some monitoring code development coming on...

jd
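Added example (editor's code, not something posted in the thread and not part of McAfee, HJT or any other product mentioned in it): the kind of monitoring script jd is talking about. It snapshots every .exe and .dll under a directory (relative path, size, SHA-256), keeps the snapshot as JSON, and on the next run reports what was deleted, added or replaced since the previous run. Run from a logon script or scheduled task it gives the deletion window on the Win2000/Citrix boxes, and on XP/2003 a "changed" entry is exactly the altered file David asked for, copied out before WFP overwrites it again. The file names and contents in demo() are constructed, the state-file and sample-directory locations are arbitrary choices, and the %SYSTEMROOT% default is only used when no path is given on the command line.

```python
"""Baseline-and-diff check for executables under a Windows system root."""
import hashlib
import json
import os
import shutil
import sys
import tempfile

EXTS = {".exe", ".dll"}


def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Return {relative_path: {"size": n, "sha256": hex}} for .exe/.dll under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in EXTS:
                continue
            full = os.path.join(dirpath, name)
            try:
                rel = os.path.normcase(os.path.relpath(full, root))
                snap[rel] = {"size": os.path.getsize(full), "sha256": file_sha256(full)}
            except OSError:  # file vanished or was locked between listing and hashing
                continue
    return snap


def diff(old, new):
    """Compare two snapshots: deleted, added, changed (same path, different hash)."""
    return {
        "deleted": sorted(set(old) - set(new)),
        "added": sorted(set(new) - set(old)),
        "changed": sorted(p for p in set(old) & set(new)
                          if old[p]["sha256"] != new[p]["sha256"]),
    }


def check(root, state_file, sample_dir=None):
    """Diff a fresh snapshot against the stored one, then persist the fresh one.

    With sample_dir set, changed and newly added files are copied out at once,
    so a sample survives even if WFP (or the malware) touches the file again.
    """
    old = {}
    if os.path.exists(state_file):
        with open(state_file) as f:
            old = json.load(f)
    new = snapshot(root)
    result = diff(old, new)
    if sample_dir:
        os.makedirs(sample_dir, exist_ok=True)
        for rel in result["changed"] + result["added"]:
            src = os.path.join(root, rel)
            if os.path.exists(src):
                shutil.copy2(src, os.path.join(sample_dir, rel.replace(os.sep, "_")))
    with open(state_file, "w") as f:
        json.dump(new, f, indent=1)
    return result


def demo():
    """Self-contained run on a constructed tree (no real %SYSTEMROOT% touched)."""
    work = tempfile.mkdtemp()
    root = os.path.join(work, "winroot")
    os.makedirs(os.path.join(root, "system32"))
    fake = {"notepad.exe": b"MZ notepad", "explorer.exe": b"MZ explorer",
            os.path.join("system32", "kernel32.dll"): b"MZ kernel32",
            "readme.txt": b"not an executable, must be ignored"}
    for rel, data in fake.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    state = os.path.join(work, "baseline.json")
    first = check(root, state)  # baseline run: every executable shows as "added"
    # Simulate the damage: notepad.exe deleted, kernel32.dll replaced, explorer.exe untouched.
    os.remove(os.path.join(root, "notepad.exe"))
    with open(os.path.join(root, "system32", "kernel32.dll"), "wb") as f:
        f.write(b"MZ replaced")
    second = check(root, state, sample_dir=os.path.join(work, "samples"))
    samples = sorted(os.listdir(os.path.join(work, "samples")))
    shutil.rmtree(work)
    return first, second, samples


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("SYSTEMROOT", r"C:\WINDOWS")
    state_path = os.path.join(tempfile.gettempdir(), "sysroot-baseline.json")
    print(json.dumps(check(target, state_path, os.path.join(tempfile.gettempdir(), "samples")), indent=1))
```

On the XP/2003 machines a file that WFP has already put back hashes the same as the baseline, so two snapshots taken outside the logon window see nothing; there the script needs to run inside the window (a logon script is the obvious place), or the System log's Windows File Protection entries are the better signal. Hash comparison rather than size or timestamp is deliberate: a file patched in place keeps its size, and timestamps are trivial to forge.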
 
Adam Piggott

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

John said:
I'm a contract developer working on-site for a client in the UK with
about 600 Windows machines - a mix of XP, Win2003, some Win2000 and a
couple of NT4.0 boxes. The network appears to be well maintained, and we
have up-to-date McAfee virus protection on all of the boxes.

Alas, we appear to have a virus infection, and I've been unable so far
to identify the culprit, so I thought I'd describe the symptoms here to
see if anyone recognised it...

The symptoms we have noticed so far are these:

On the Win2003 and XP boxes Windows File Protection has replaced all
files with extensions of .exe and .dll in %SYSTEMROOT%, with the
exception of explorer.exe. This appears to happen intermittently and
during login.

I know that the current strains of Nuwar are very widespread and inject
themselves (at least) into .exe's. I think I have seen them scan the local
network for other machines to infect as well (if my memory serves). They
come via email as "Greeting card"-type attachments.

You could try installing a stand-alone anti-virus product like Eset's NOD32
to get a "second opinion" - apart from its excellent detection I know
NOD32 has been very good at heuristically detecting new Nuwar variants, and
some of those I've come across McAfee have missed.

If the infected files are being deleted you could try undeleting them, or
switching off Windows File Protection long enough to get a sample.
- --
Adam Piggott, Proprietor, Proactive Services (Computing).
http://www.proactiveservices.co.uk/

Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)

iD8DBQFF1Cmc7uRVdtPsXDkRAlc2AKCJ7TWu8AOuItJXLSOxNiK3YV1YeACfVN28
5ghOMqUyloDB9+qPXw3niug=
=R1po
-----END PGP SIGNATURE-----
 
Gabriele Neukam

This appears to happen intermittently and
during login.

Two ideas cross my mind:

The server which the machines are logging in to, has an AV program
running that misunderstands the content of the machine in question as
"infected" and deletes them without questioning. The local System
Restore of the XP machines then recreates the "lost files" from the
System Volume Information directory.

The server has some malicious script running as a time bomb, that
arbitrarily looks for a machine that logs in, and issues a series of
commands that will delete all \*.exe and \*.dll

Just my 2 Eurocent


Gabriele Neukam

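Added example (editor's code, not posted by anyone in the thread) for testing the "it happens at logon" observation and Gabriele's two hypotheses against the event logs rather than guessing. It reads a tab-separated export of the System and Security logs, pulls out Windows File Protection restore events (source "Windows File Protection", event ID 64001, the event WFP writes when it puts a protected file back) and successful logons (Security event 528 on NT4/2000/XP/2003, whose description carries the user, the logon type, 2 for interactive and 10 for Terminal Services/Citrix, and the workstation), and attributes each restore to the most recent logon on the same computer within a short window. If every restore sits seconds after a logon, and always for the same users or only for Citrix sessions, the trigger is in the logon path (logon script, GPO, profile, or an AV job on the server) rather than code living on the affected machine; restores with no logon nearby point back at the host. The sample lines, computer names, user names and timestamps below are all constructed, and the export column layout is an assumption of this script, not a fixed Windows format.

```python
"""Correlate Windows File Protection restore events with logon events."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample export. Columns (tab-separated, an assumption of this script):
# date, time, computer, source, event id, description.
SAMPLE = """\
2007-02-15\t08:02:11\tWS042\tSecurity\t528\tSuccessful Logon: User Name: jsmith Domain: CORP Logon Type: 2 Workstation Name: WS042
2007-02-15\t08:02:19\tWS042\tWindows File Protection\t64001\tFile replacement was attempted on the protected system file c:\\windows\\system32\\kernel32.dll. This file was restored to the original version to maintain system stability.
2007-02-15\t08:02:19\tWS042\tWindows File Protection\t64001\tFile replacement was attempted on the protected system file c:\\windows\\notepad.exe. This file was restored to the original version to maintain system stability.
2007-02-15\t09:40:03\tCTX01\tSecurity\t528\tSuccessful Logon: User Name: aburke Domain: CORP Logon Type: 10 Workstation Name: WS117
2007-02-15\t09:40:07\tCTX01\tWindows File Protection\t64001\tFile replacement was attempted on the protected system file c:\\windows\\system32\\user32.dll. This file was restored to the original version to maintain system stability.
2007-02-15\t13:15:44\tWS042\tWindows File Protection\t64001\tFile replacement was attempted on the protected system file c:\\windows\\regedit.exe. This file was restored to the original version to maintain system stability.
"""

WFP_RE = re.compile(r"protected system file (\S+?)\.\s")
LOGON_RE = re.compile(r"User Name: (\S+).*?Logon Type: (\d+).*?Workstation Name: (\S+)")


def parse(text):
    """Turn the export into a list of event dicts with a real timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, computer, source, event_id, desc = line.split("\t", 5)
        events.append({"ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
                       "computer": computer, "source": source,
                       "id": int(event_id), "desc": desc})
    return events


def correlate(text, window_seconds=60):
    """Attribute each WFP restore to the latest logon on that computer within the window."""
    events = sorted(parse(text), key=lambda e: e["ts"])
    logons = defaultdict(list)  # computer -> [(ts, user, logon_type, workstation)]
    attributed, unattributed = [], []
    for e in events:
        if e["source"] == "Security" and e["id"] == 528:
            m = LOGON_RE.search(e["desc"])
            if m:
                logons[e["computer"]].append((e["ts"], m.group(1), int(m.group(2)), m.group(3)))
        elif e["source"] == "Windows File Protection" and e["id"] == 64001:
            m = WFP_RE.search(e["desc"])
            path = m.group(1) if m else e["desc"]
            # Only logons already seen are in the list, so they all precede this event.
            recent = [l for l in logons[e["computer"]]
                      if timedelta(0) <= e["ts"] - l[0] <= timedelta(seconds=window_seconds)]
            if recent:
                ts, user, ltype, ws = recent[-1]
                attributed.append({"file": path, "computer": e["computer"], "user": user,
                                   "logon_type": ltype, "workstation": ws,
                                   "seconds_after_logon": int((e["ts"] - ts).total_seconds())})
            else:
                unattributed.append({"file": path, "computer": e["computer"],
                                     "ts": e["ts"].isoformat()})
    return {"attributed": attributed, "unattributed": unattributed}


def summarize(result):
    """Restores per (user, logon type); a single account, or only type 10 sessions,
    points at the logon path rather than at the host itself."""
    return Counter((a["user"], a["logon_type"]) for a in result["attributed"])


if __name__ == "__main__":
    r = correlate(SAMPLE)
    for a in r["attributed"]:
        print(f"{a['computer']}: {a['file']} restored {a['seconds_after_logon']}s after "
              f"{a['user']} logged on (type {a['logon_type']} from {a['workstation']})")
    for u in r["unattributed"]:
        print(f"{u['computer']}: {u['file']} restored at {u['ts']} with no logon nearby")
    print(dict(summarize(r)))
```

On the Win2000 Citrix servers there is no WFP and so no 64001 events; for those, object access auditing on %SYSTEMROOT% (Security event 560/564 with the deleting process name) is the equivalent source, and the same correlation applies. Keep the window short: a logon script that runs `del` finishes within seconds, while a scheduled AV job on the server shows no relationship to logon time at all.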
 
