worm/SMTP nightmare...

johnnyzero

I have a client who's been unable to send any emails because he's being
"locked out" of his ISP's SMTP server. The ISP says that his machine
must have a worm because it's sending out 10 or more requests /second
to their SMTP server; at which point it exceeds their server limiting
and it locks him out.

Anyway, I've tried about 10 different software & online scanning
solutions and I still can't even detect (let alone eradicate) the
"worm" that he supposedly has. I can't believe that some of the "major
players" can't at least detect it!

*ProtectorPlus
*Moosoft's The Cleaner
*Panda ActiveScan (online)
*Panda 2000 Titanium (trial)
*MS Malicious Software Removal Tool
*TrendMicro HouseCall (online)
*Symantec (online)
*several others

Any ideas? This guy's online biz is pretty much at a standstill until he
can send emails again. As you can probably tell, nastyware removal is
not really my forte.


Thanks! JohnB
 
David H. Lipman

From: "johnnyzero" <[email protected]>

| I have a client who's been unable to send any emails because he's being
| "locked out" of his ISP's SMTP server. The ISP says that his machine
| must have a worm because it's sending out 10 or more requests /second
| to their SMTP server; at which point it exceeds their server limiting
| and it locks him out.
|
| Anyway, I've tried about 10 different software & online scanning
| solutions and I still can't even detect (let alone eradicate) the
| "worm" that he supposedly has. I can't believe that some of the "major
| players" can't at least detect it!
|
| *ProtectorPlus
| *Moosoft's The Cleaner
| *Panda ActiveScan (online)
| *Panda 2000 Titanium (trial)
| *MS Malicious Software Removal Tool
| *TrendMicro HouseCall (online)
| *Symantec (online)
| *several others
|
| Any ideas? This guy's online biz is pretty much at a standstill until he
| can send emails again. As you can probably tell, nastyware removal is
| not really my forte.
|
| Thanks! JohnB


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
 
johnnyzero

Thanks Dave.

Actually I had just downloaded Multi-AV right before posting my msg,
but hadn't had a chance to really check it out yet. I assume it's a
bare-bones C/L interface for a couple of the more popular AV scanning
engines.

great idea - I'll let you know what it comes up with.

it looks pretty spartan & light on the docs, but such is the way most
programs were back-in-the-day - when command lines ruled the earth.

(and we also had to walk uphill to school - both ways!)...

JohnB.
 
David H. Lipman

From: "johnnyzero" <[email protected]>

| Thanks Dave.
|
| Actually I had just downloaded Multi-AV right before posting my msg,
| but hadn't had a chance to really check it out yet. I assume it's a
| bare-bones C/L interface for a couple of the more popular AV scanning
| engines.
|
| great idea - I'll let you know what it comes up with.
|
| it looks pretty spartan & light on the docs, but such is the way most
| programs were back-in-the-day - when command lines ruled the earth.
|
| (and we also had to walk uphill to school - both ways!)...
|
| JohnB.

Yes, it is spartan and light on the docs. I guess I should spend a little more time on
them. After you use the tool, any feedback will be greatly appreciated. It is a little
more than bare-boned. There are anti-malware constructs in the scripts as well as corrective
measures for the side effects of malware.
 
Guest

Well, if none of these:
*ProtectorPlus
*Moosoft's The Cleaner
*Panda ActiveScan (online)
*Panda 2000 Titanium (trial)
*MS Malicious Software Removal Tool
*TrendMicro HouseCall (online)
*Symantec (online)
*several others


detects malware, your client is probably not infected; all of them are
reputable scanners. Maybe the problem is somewhere else...

Panda Titanium 2000 - there is no such product. Panda Software's first
Titanium product was in 2003 and was called just Titanium; next came 2004,
2005 and now 2006...


Panda_man
 
johnnyzero

That's what I'm starting to think too. If it's not a worm, what else
could be sending all those requests to the SMTP server?

(btw, "Panda Titanium 2006" - typo)...
 
Steven L Umbach

If your malware and spyware scans have come up with nothing and you have
also scanned in Safe Mode it is time to dig a little deeper. I would use
TCPView from SysInternals to see if you can see activity to their SMTP
server on port 25 TCP outbound and what the executable is and what other
activity is going on. You also might want to look into using something
like the free Ethereal packet sniffer or Port Reporter from Microsoft to log
port activity as a service. It may very well be a legitimate
process/application gone awry and sometimes uninstalling it and reinstalling
may help. Sometimes it happens for no apparent reason and reinstalling the
operating system is in order after backing up any needed data first of
course but I would change the network adapter before doing that as I have
seen flaky network adapters do a lot of crazy things. I am not an Exchange
expert but if an Exchange server or other mail server is involved someone
may be relaying spam through his mail server. --- Steve

http://www.sysinternals.com/Utilities/TcpView.html --- TCPView
http://www.microsoft.com/downloads/...9B-BAE9-4243-B9D6-63E62B4BCD2E&displaylang=en
--- Port Reporter
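The attribution step Steve describes (which executable owns the outbound port 25 connections), worked through as an added example that is not code from the thread. It parses `netstat -anb` / `netstat -anbp tcp` style output, groups connections to SMTP ports by owning executable, and flags any program not on an allowlist. The netstat text, the program names and the allowlist (msimn.exe, the Outlook Express executable, assumed here to be the only legitimate mail client) are constructed for illustration.

```python
"""Attribute SMTP (TCP 25/465/587) connections in `netstat -anb` output to
the executable that owns them, and flag anything that is not the mail client.

Added example for this thread; the netstat text, program names and allowlist
below are constructed, not taken from the poster's machine.
"""
import re
from collections import defaultdict

# Assumption: Outlook Express (msimn.exe) is the only program that should
# ever open an SMTP connection on this box. Adjust to the client actually used.
ALLOWED_SMTP_PROGRAMS = {"msimn.exe"}
SMTP_PORTS = {25, 465, 587}

# `netstat -anb` connection line: Proto  Local  Foreign  State  [PID]
CONN_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?\s*$")
# The owning executable follows its connection line(s) as " [name.exe]";
# on XP, -b may print DLL/component lines in between, which are ignored here.
OWNER_RE = re.compile(r"^\s*\[(.+?)\]\s*$")


def remote_port(addr):
    """'203.0.113.10:25' -> 25; also copes with '[::1]:25'."""
    _, _, port = addr.rpartition(":")
    return int(port) if port.isdigit() else None


def parse_netstat(text):
    """Return a list of dicts: local, remote, state, pid, owner."""
    conns, pending = [], []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            local, remote, state, pid = m.groups()
            rec = {"local": local, "remote": remote, "state": state,
                   "pid": int(pid) if pid else None, "owner": None}
            conns.append(rec)
            pending.append(rec)        # owner is printed on a later line
            continue
        m = OWNER_RE.match(line)
        if m:                           # attribute everything seen since the last owner line
            for rec in pending:
                rec["owner"] = m.group(1)
            pending = []
    return conns


def smtp_talkers(conns):
    """Group connections to SMTP ports by owning executable."""
    by_owner = defaultdict(lambda: {"count": 0, "states": defaultdict(int), "pids": set()})
    for c in conns:
        if remote_port(c["remote"]) in SMTP_PORTS:
            entry = by_owner[c["owner"] or "<unknown>"]
            entry["count"] += 1
            entry["states"][c["state"]] += 1
            if c["pid"] is not None:
                entry["pids"].add(c["pid"])
    return {k: {"count": v["count"], "states": dict(v["states"]), "pids": v["pids"]}
            for k, v in by_owner.items()}


def suspicious(summary):
    """Anything speaking SMTP that is not on the allowlist."""
    return {name: info for name, info in summary.items()
            if name.lower() not in ALLOWED_SMTP_PROGRAMS}


def new_smtp_connections(before, after):
    """netstat is a snapshot: diff two of them taken N seconds apart and divide
    the result by N to estimate the connection rate the ISP is complaining about."""
    seen = {(c["local"], c["remote"]) for c in before if remote_port(c["remote"]) in SMTP_PORTS}
    return [c for c in after
            if remote_port(c["remote"]) in SMTP_PORTS and (c["local"], c["remote"]) not in seen]


# Constructed sample of `netstat -anbp tcp` output (not a real capture).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  c:\\windows\\system32\\rpcss.dll
 [svchost.exe]
  TCP    192.168.1.20:1056      203.0.113.10:25        ESTABLISHED     1720
 [msimn.exe]
  TCP    192.168.1.20:1101      203.0.113.10:25        SYN_SENT        2244
 [unknown_app.exe]
  TCP    192.168.1.20:1102      203.0.113.10:25        SYN_SENT        2244
 [unknown_app.exe]
  TCP    192.168.1.20:1103      203.0.113.10:25        SYN_SENT        2244
 [unknown_app.exe]
  TCP    192.168.1.20:1104      198.51.100.7:80        ESTABLISHED     1400
 [iexplore.exe]
"""

if __name__ == "__main__":
    summary = smtp_talkers(parse_netstat(SAMPLE))
    for name, info in suspicious(summary).items():
        print(f"{name}: {info['count']} SMTP connection(s), pids={sorted(info['pids'])}, "
              f"states={info['states']}")
```

A pile of SYN_SENT entries to port 25 from one PID is the shape of the symptom the ISP described. Because netstat only shows what exists at the instant it runs, a process that opens and closes connections faster than that can slip between samples; take two snapshots a few seconds apart and feed them to `new_smtp_connections`, or fall back to TCPView's live view or a packet capture.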
 
johnnyzero

Thanks Steven.

Actually, you must've read my mind: I just finished downloading TCPView
& another util called SmartSniff. Will TCPView let me see WHICH
process/exe is causing all the SMTP activity?

I'll try running these on my client's machine and we'll see what
happens.

thanks again,
JohnB
 
johnnyzero

Thanks Steven. Actually, I was just in the process of downloading
TCPView to see if I could find out WHICH app or process is causing all
the port/SMTP activity. What is it they say - "great minds think
alike"? :-]

Anyway, it told me that there was a lotta port activity that shouldn't
be there - but I'm still not able to find out "who" is doing it. I also
tried a bunch more malware/anti-v scanners (AVG, Multi-AV); all came up
negative. Tried installing an updated NIC driver & rebooted in case the
adapter was somehow hashed driver-wise.

Oh well - I think at this point I'm just gonna save this guy's OE
folders and then restore his system from a known-good drive image from
last week. I use Acronis TrueImage for backup/restore; works well.

thanks again for your help,
JohnB
 
Steven L Umbach

What was the name of the process and or executable that was linked to that
port?? I also like Process Explorer which gives much more detail about a
process including what services are using the process if any. Does all this
activity still happen when he boots into Safe Mode with networking?? If it
turns out to be a legitimate application try to uninstall it and then
reinstall it again. Since you have a known good drive image that is probably
your best solution though us curious minds like to know exactly what is
going on. If you can try posting the results of netstat -anbp tcp or
TCPView from his computer. --- Steve
 
johnnyzero

Oh boy...

We did a hard disk image restore from 12/31/05 (pre-worm problem) and
the problem is still there! The only other thing I did was restore his
OE folders & messages.

At this point I can only think of three possible explanations:

1) One of the messages in his OE folders re-introduced the worm.

2) It's a boot sector worm which wasn't eliminated by restoring the
NTFS partition.

3) It's some kind of zero-day exploit that was *present* on his system
on 12/31, but didn't activate until some time after that.

Before I go and low-level format, re-install WinXP, etc I was wondering
if anyone has any other suggestions.

thanks,
JohnB
 
cquirke (MVP Windows shell/user)

> We did a hard disk image restore from 12/31/05 (pre-worm problem) and
> the problem is still there! The only other thing I did was restore his
> OE folders & messages.

Several possibilities, all predictable and illustrative:

1) The worm re-infected the system same way as last time

IOW, primary re-entry. This is particularly likely if the malware has
an off-system component that tracks infected systems, and re-asserts
the infection if it is found to be missing.

2) The worm was present in the system backup

Full system backups scope on a time basis only, and malware often
stays dormant for a while before drawing attention to itself. One
advantage of this delay is to permeate all full system backups.

3) The worm was part of the restored "data"

Data backups scope between data and code, but to do so effectively,
the data store must be kept hygienic - i.e. free of incoming malware,
or infectable files that could be infected by resident malware even if
they were clean to begin with. As OE mailboxes hide malware
attachments within them, such "data" is unhygienic.

> At this point I can only think of three possible explanations:
> 1) One of the messages in his OE folders re-introduced the worm.

Yep; see (3).

> 2) It's a boot sector worm which wasn't eliminated by restoring the
> NTFS partition.

Unlikely. Boot code is highly unlikely to persist into an NT session,
and it's hard to include worm complexity within such a store.

> 3) It's some kind of zero-day exploit that was *present* on his system
> on 12/31, but didn't activate until some time after that.

Possible, or an exploit that is still unpatched (and possibly
undiscovered) that allows primary re-infection as soon as you
re-connect to the Internet.

To be present in your original installation requires no magical
zero-day exploit; all it means is that the malware wasn't recognised
when it arrived, and has since managed to establish itself as beyond
the reach of attempts to remove it informally.
> Before I go and low-level format, re-install WinXP, etc I was wondering
> if anyone has any other suggestions.

If there's a lesson from this, it is that "wipe and rebuild" is a poor
substitute for detecting and managing malware.

To live with an SMTP infector, I'd seek to block outgoing SMTP traffic
from anything other than the email app you actually use.


---------- ----- ---- --- -- - - - -
Don't pay malware vendors - boycott Sony
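cquirke's closing suggestion, blocking outgoing SMTP from everything except the mail client, as an added example that is not from the thread. The Windows XP firewall of the time filtered inbound traffic only, so on that machine this needed a third-party firewall; the rules below are for a current Windows host using Windows Firewall with Advanced Security, and the mail-client path is an assumption to adjust. One caveat a practitioner needs: the firewall evaluates block rules before allow rules, so a blanket "block TCP 25" rule cannot be punched through with a per-program allow. The example therefore sets the outbound default to block, allows everything that is not SMTP back in for all programs, and then allows SMTP for the one program.

```powershell
# Egress allow-list for SMTP on a current Windows host (Windows Firewall with
# Advanced Security). Added example for this thread, not the poster's setup.
# Run from an elevated PowerShell.

# Assumption: the mail client path. msimn.exe is Outlook Express; substitute the
# executable of the client actually in use.
$MailClient = 'C:\Program Files\Outlook Express\msimn.exe'
$SmtpPorts  = @('25', '465', '587')   # classic SMTP, SMTPS, submission

# 1. Default outbound action becomes Block; only the allow rules below get out.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 2. Re-open every TCP port except the SMTP ones, plus UDP and ICMPv4, for all
#    programs, so normal browsing, DNS and DHCP are unaffected.
New-NetFirewallRule -DisplayName 'Egress: TCP non-SMTP' -Direction Outbound `
    -Action Allow -Protocol TCP -RemotePort @('1-24', '26-464', '466-586', '588-65535')
New-NetFirewallRule -DisplayName 'Egress: UDP any' -Direction Outbound `
    -Action Allow -Protocol UDP
New-NetFirewallRule -DisplayName 'Egress: ICMPv4 any' -Direction Outbound `
    -Action Allow -Protocol ICMPv4

# 3. The one program permitted to speak SMTP.
New-NetFirewallRule -DisplayName 'Egress: SMTP from mail client only' -Direction Outbound `
    -Action Allow -Protocol TCP -RemotePort $SmtpPorts -Program $MailClient

# 4. Log dropped packets so anything else that tries port 25 leaves a trace.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

Get-NetFirewallRule -DisplayName 'Egress: *' | Format-Table DisplayName, Enabled, Action
```

After this, a worm that tries to mail out on its own still runs, but its connection attempts fail and show up as DROP lines in pfirewall.log, which also gives you the PID-free evidence (source port, destination, time) to correlate with TCPView or netstat when hunting the process.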
 
David H. Lipman

From: "johnnyzero" <[email protected]>

| Oh boy...
|
| We did a hard disk image restore from 12/31/05 (pre-worm problem) and
| the problem is still there! The only other thing I did was restore his
| OE folders & messages.
|
| At this point I can only think of three possible explanations:
|
| 1) One of the messages in his OE folders re-introduced the worm.
|
| 2) It's a boot sector worm which wasn't eliminated by restoring the
| NTFS partition.
|
| 3) It's some kind of zero-day exploit that was *present* on his system
| on 12/31, but didn't activate until some time after that.
|
| Before I go and low-level format, re-install WinXP, etc I was wondering
| if anyone has any other suggestions.
|
| thanks,
| JohnB

What worm ?

There are no "Boot Sector Worms". There are Boot Sector Viruses but they are not worms as
they don't use network protocols to spread.

You never reported the results of the scan using the Multi AV Scanning Tool.
 
Steven L Umbach

Did the problem exist before you restored anything to the image install??
Did you find anything from using netstat -anbp tcp or TCPView from his
computer and if so could you paste the results? Did you try replacing the
nic? -- Steve
 
