 |
 |
The worst one I found over here was "Hacker Defender" Here's a good symptom that you have it. When installing windows 2000 service Pack 4, it files while copying winmgmt.exe. Or go to C:\%windir%\system32\wbem and see if winmgmt.exe is listed. If it is not listed in the folder, then it probably has this "hacker defender" What they did was to install Hacker Defender as a service which hides all of it's files, and registry entries from the operating system. They renamed Serv-U to be winmgmt.exe so when you press CTRL-ALT-DELETE and see the processes, winmgmt.exe looks like a legit windows process. Other bots I found often renamed Serv-u to be svchost.exe. The only way I have found to see these as services is to use Windows 2000 or XP's computer management and connect to it remotely, and look at the services. Also you can connect to that computers c drive remotely and see it from an uninfected pc. Now the best way to get rid of these things obviously is to reload the PC's, however Windows XP, and Windows 2000 Pro Resource kit, comes with a file called SC.EXE. It's a service controller resource. This utility is quite nice to get rid of services. You can type Sc to get a list of the services, but the syntax is: sc delete servicename On a machine with "Hacker Defender" it was sc delete hackerdefender073 sc delete servu Reboot, delete the hxdef.exe and its supporting files. You can use SC.EXE to get rid of other trojan services as well BTW, Symantec accepted my submission of hxdef.exe and the 9-3-03 definitions detect this file. I'm sure that if they got some machines on our subnets they probably got some more as well. -----Original Message----- From: Russell J. Lahti [mailto:[log in to unmask]] Sent: Friday, September 05, 2003 2:26 PM To: [log in to unmask] Subject: Re: New "Image" of our Virus Removal/Security Patch CD is availab le for download if needed Just to add to what Tim is saying: It is quite common to run into applications that are loaded as hidden that will not be picked up by antivirus software because they're actually legitimate applications that can be used to backdoor systems. It is also trivial to bypass most antivirus software by altering the applications to mask particular signatures. There are likely many systems out there that were exploited, plugged the RPC hole by shutting it off or installing the patch, and then loading backdoors for future use. The exploit was in known circulation for about a week before MSU started filtering RPC traffic from the Internet, and filtering from within campus didn't happen until a couple weeks later. Plenty of time for many many systems to be backdoored in various ways, not necessarily by viruses and worms. There's plenty to be looking for including open ports that shouldn't be, and user accounts with elevated privileges (even on single-user systems) to name a few. -Russell Skutt, Tim wrote: > I've ran that particular scan tool on some hosts over here in the College of > business. I found in some cases that DCOM was disabled in the registry. > (HKLM\software\microsoft\ole) > EnableDCOM should be Y > > On some that came back I found trojans on the PC's as a result of the RPC > vulnerability. Often they run processes that disable the ability for a > system admin to connect to them remotely. > > I submitted some of the trojans found to Symantec. > > Tim