DDos.RAT.Rbot

sailorsam · Jan 5, 2005

Hi all,
TDS has found a trace of DDos.RAT.Rbot in my wins.exe file. I have emailed the file to DiamondCS for advice on what to do, however as they are taking a no doubt well earned break, I am wondering, whilst I am awaiting their reply, if anyone can tell me if this is a particularly nasty beast or an ordinary nuisance.

Thanks in advance

frogfoot · Jan 5, 2005

could be this one here

Pilli · Jan 5, 2005

Hi SailorSam, When rbot traces are found and shown in the lower console window you should be able to right click and then delete.

HTH Pilli

sailorsam · Jan 6, 2005

Hi Philli,
I originally tried deleting the file through TDS window. However it wouldn't delete wins.exe. Checking the size of the file against a clean version it is one kb larger. I also tried renaming the file to .old and replacing it with the clean one. This also failed to work. The same trace was found by TDS. Should I have made this change in "safe mode"

Thanks for your help,

Pilli · Jan 6, 2005

Should I have made this change in "safe mode"
Click to expand...

Yes, doing this would make sense as the file might be locked by another process, so rescan in safe mode and let us know how you get on.

Thanks. Pilli

dvk01 · Jan 6, 2005

What operating system are you using

Don't delete the wins file yet I suspect you might be trying to delete the wrong wins.exe file

SomeO/S have a genuine version and this trojan doewsn't overwrite it usually but drops a different one in a diferent folder

please do this go to here and download 'Hijack This!'. double click on the file and it will self extract to C:\program files\hijackthis.
Go to that folder then doubleclick the Hijackthis.exe
Click the "Scan" button, when the scan is finished the scan button will become "Save Log" click that and save the log.
Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.
It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.

sailorsam · Jan 6, 2005

Hi Philli & Derek,

Here is the hackthis log.
Logfile of HijackThis v1.98.2
Scan saved at 6:07:25 AM, on 7/01/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\system32\crypserv.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\system32\mgabg.exe
E:\Program Files\Protector Plus\PPAVMon.exe
E:\Program Files\Protector Plus\PPServ.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\lserver.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
E:\Keyboard\SpeedKey.exe
E:\PROGRA~1\PROTEC~1\PPTbc.EXE
E:\PROGRA~1\PROTEC~1\PPInupdt.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
E:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
E:\Zone Labs\ZoneAlarm\zlclient.exe
E:\Program Files\Protector Plus\POPSCAN.EXE
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINNT\system32\QuickTime\QuickTimeUpdateHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
E:\Hackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hww.melbpc.org.au/motd/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://hww.melbpc.org.au/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pcworld.idg.com.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://hww.melbpc.org.au/search/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://hww.melbpc.org.au/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINNT\system32\inetsrv\iisadmin\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://news.google.com.au/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - e:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "e:\Keyboard\SpeedKey.exe"
O4 - HKLM\..\Run: [PP2000 Taskbar Control] E:\PROGRA~1\PROTEC~1\PPTbc.EXE
O4 - HKLM\..\Run: [PP2000 InstaUpdate] E:\PROGRA~1\PROTEC~1\PPInupdt.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [TDS3] E:\Program Files\TDS3\TDS-3.exe
O4 - HKLM\..\Run: [SBAutoUpdate] "E:\Program Files\SpywareBlaster\sbautoupdate.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "E:\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [QuickTime Task] "e:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: Download all by Net Transport - E:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - E:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Download using LeechGet - file://E:\Program Files\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://E:\Program Files\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Parse with LeechGet - file://E:\Program Files\LeechGet 2004\\Parser.html
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://e:\AUTOCADLT02\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://e:\AUTOCADLT02\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://e:\AUTOCADLT02\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://e:\AUTOCADLT02\AcPreview.ocx

Thanks for your help,

Ian

dvk01 · Jan 6, 2005

I can't see any start up for the wins.exe so it is likely it's the genuine version you have running

I would like to see a hjt log from the latest version 1.99 though to check

and please send me a copy of the wins.exe so I can check it out for you

send to submit@thespykiller.co.uk preferably zipped so the mail servers won't reject it

It is unusual for the wins.exe to be overwritten or infected but it might have happened but because you are having problems deleting it, it suggets that it is the genuine windows version

dvk01 · Jan 6, 2005

That wins appears to be the genuine wins.exe from M$

I can't see any malicious code inside it

No antivirus or anmtitrojan flags it and it doesn't look like it's been altered in any way

It is ususal to have 2 copies as you say in the email

C:\winnt\system32 is it's normal place but a back up copy is always kept in C:\winnt\system32\dllcache so that the Windows file protection system can replace the original copy if it ever detects anything wrong with it

I can only assume that the tds detection was a flase positive

If you have the tds scan log please either post it or send me a copy by email and I'll see what I think

dvk01 · Jan 6, 2005

The only thing I find slightly disturbing about it is the file date of it's creation and modified of 2 december 2004

did you install w2K on that date

I will have the file examined by Kapersky and see what they come up with just in case

Unfortunately I use XP so don't have a wins file to compare it to as XP doesn't use it

sailorsam · Jan 6, 2005

Hi Derek,

Attached is the log file from TDS3

08:26:21 [Init] Trojan Defence Suite v3.2.0 - Registered to *****
08:26:21 [Init] Started 07-01-05 08:26:21 AUS Eastern Standard Time (UTC: -10), Internet Time @934.97
08:26:21 [Init] Loading TDS-3 Systems ...
08:26:21 [Init] • Priority : OK.
08:26:21 [Init] Token successfully adjusted.
08:26:21 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
08:26:21 [Init] • Plugins : OK. Loaded 13
08:26:21 [Init] • Exec Protection : OK. Installed
08:26:21 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
08:26:25 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
08:26:25 [Init] • Systems Initialised [44216 references - 20387 primaries/11695 traces/12134 variants/other]
08:26:25 [Init] Radius Systems loaded. <Databases updated 07-01-2005>
08:26:25 [Init] TDS-3 Ready. <Administrator@210.49.113.47, 127.0.0.1 - Australia>
08:26:25 [Tip Of The Day] Shopping for DiamondCS services and software is easy! Simply visit http://www.diamondcs.com.au/shop.php
08:26:25 [TDS] Good morning Administrator.
08:26:28 [Mutex Memory Scan] Started...
08:26:30 [Mutex Memory Scan] Finished (no trojan mutexes found).
08:26:30 [Trace Scan] Started...
08:26:44 [Trace Scan] Finished.
08:26:45 [CRC32] Started - verifying 29 files ...
08:26:45 [CRC32] File doesn't exist: C:\autoexec.bat
08:26:46 [CRC32] Test finished.
08:26:56 [Screen Text] Saved to E:\Program Files\TDS3\scr1.txt

In the alarm window below the main scan control window is:

Scan Control Dumped @ 08:30:28 07-01-05
File Trace: Default trojan filename: DDoS.RAT.rBot
File: C:\WINNT\System32\wins.exe

I am happy to hear that it is probably a false positive.

Thanks again

Cheers,

Ian

sailorsam · Jan 6, 2005

I missed the question on the date of the windows installation. Windows was installed a few years ago. I first noticed the alarm on or around the 22nd December. If my memory serves me correctly zone alarm asked for permission for WINS.exe to access the internet (with a particular IP address - didn't take much notice at the time). I granted permission and I think that the next scan picked up the trace. These two matters could be unrelated.

Cheers,

Ian

dvk01 · Jan 6, 2005

Ah

File Trace: Default trojan filename: DDoS.RAT.rBot
File: C:\WINNT\System32\wins.exe

It isn't saying that the file is infected just that it has the same name as a known trojan that runs from that location in other versions of windows

I think it's because one version of DDoS.RAT.rBot does use the name wins.exe and as only WIN2000 use wins.exe legitimately and runs it from system32 folder it's a reasonable detection

I hope when Gavin comes back from holidays he will try and alter the detection to exclude win2000 but how I don't know

dvk01 · Jan 7, 2005

I have just heard back from Kapersky that the wins.exe is completely clean and IS the standard windows file and not a trojan one

Gavin - DiamondCS · Jan 13, 2005

Thanks ! I have removed this trace for the next update, which should be out very soon

dvk01 · Jan 13, 2005

Nice to see you back Gavin

Hopefully refreshed from a nice break and ready for another year of battles against the baddies

Cybervato · Jun 12, 2005

Well,

I found out I also got this trojan/worm, and I fixed it by removing the WINS service and rebooting the server then I re-installing WINS service and its seems to have fixed this issue, Don't know how it got loaded in the first place.

Hope this helps..!

Log in or Sign up

DDos.RAT.Rbot

sailorsam Registered Member

frogfoot Registered Member

Pilli Registered Member

sailorsam Registered Member

Pilli Registered Member

dvk01 Global Moderator

sailorsam Registered Member

dvk01 Global Moderator

dvk01 Global Moderator

dvk01 Global Moderator

sailorsam Registered Member

sailorsam Registered Member

dvk01 Global Moderator

dvk01 Global Moderator

Gavin - DiamondCS Former DCS Moderator

dvk01 Global Moderator

Cybervato Guest

Log in or Sign up

DDos.RAT.Rbot

sailorsam Registered Member

frogfoot Registered Member

Pilli Registered Member

sailorsam Registered Member

Pilli Registered Member

dvk01 Global Moderator

sailorsam Registered Member

dvk01 Global Moderator

dvk01 Global Moderator

dvk01 Global Moderator

sailorsam Registered Member

sailorsam Registered Member

dvk01 Global Moderator

dvk01 Global Moderator

Gavin - DiamondCS Former DCS Moderator

dvk01 Global Moderator

Cybervato Guest

Useful Searches