The worst one I found over here was "Hacker Defender"
Here's a good symptom that you have it. When installing windows 2000
service Pack 4, it files while copying winmgmt.exe. Or go to
C:\%windir%\system32\wbem and see if winmgmt.exe is listed. If it is not
listed in the folder, then it probably has this "hacker defender"
What they did was to install Hacker Defender as a service which hides all of
it's files, and registry entries from the operating system.
They renamed Serv-U to be winmgmt.exe so when you press CTRL-ALT-DELETE and
see the processes, winmgmt.exe looks like a legit windows process. Other
bots I found often renamed Serv-u to be svchost.exe.
The only way I have found to see these as services is to use Windows 2000 or
XP's computer management and connect to it remotely, and look at the
services. Also you can connect to that computers c drive remotely and see
it from an uninfected pc.
Now the best way to get rid of these things obviously is to reload the PC's,
however Windows XP, and Windows 2000 Pro Resource kit, comes with a file
called SC.EXE. It's a service controller resource.
This utility is quite nice to get rid of services. You can type Sc to get a
list of the services, but the syntax is:
sc delete servicename
On a machine with "Hacker Defender" it was
sc delete hackerdefender073
sc delete servu
Reboot, delete the hxdef.exe and its supporting files.
You can use SC.EXE to get rid of other trojan services as well
BTW, Symantec accepted my submission of hxdef.exe and the 9-3-03 definitions
detect this file.
I'm sure that if they got some machines on our subnets they probably got
some more as well.
From: Russell J. Lahti [mailto:[log in to unmask]]
Sent: Friday, September 05, 2003 2:26 PM
To: [log in to unmask]
Subject: Re: New "Image" of our Virus Removal/Security Patch CD is
availab le for download if needed
Just to add to what Tim is saying:
It is quite common to run into applications that are loaded as
hidden that will not be picked up by antivirus software because
they're actually legitimate applications that can be used to
backdoor systems. It is also trivial to bypass most antivirus
software by altering the applications to mask particular
There are likely many systems out there that were exploited,
plugged the RPC hole by shutting it off or installing the patch,
and then loading backdoors for future use. The exploit was in
known circulation for about a week before MSU started filtering
RPC traffic from the Internet, and filtering from within campus
didn't happen until a couple weeks later. Plenty of time for
many many systems to be backdoored in various ways, not
necessarily by viruses and worms.
There's plenty to be looking for including open ports that
shouldn't be, and user accounts with elevated privileges
(even on single-user systems) to name a few.
Skutt, Tim wrote:
> I've ran that particular scan tool on some hosts over here in the College
> business. I found in some cases that DCOM was disabled in the registry.
> EnableDCOM should be Y
> On some that came back I found trojans on the PC's as a result of the RPC
> vulnerability. Often they run processes that disable the ability for a
> system admin to connect to them remotely.
> I submitted some of the trojans found to Symantec.