Serious Virus/Trojan - VSMONS.EXE Flooding Port 445

I'm Technical Services Manager for a medium sized transport organisation (circa 300 node network over twenty sites).

Our largest site has just been hit by a very serious, but as yet unidetifiable virus/trojan. We have scoured the net and used all our contacts to try and find someone else who has seen this, but so far no joy. Details as follows:

>Multiple Workstations (about 30) at one subnet on our WAN are generating huge amounts of TCP traffic for port 445 on random addresses(tens of millions of packets).
>Problem only seems to affect XP workstations
>Patching to latest MS levels does not seem to help (I guess we may have locked the stable door a little late . . .)
>We have found a suspicious looking process running on all the “busy” workstations, named “vsmons.exe” (we note with suspicion that this is one character different from the ZoneAlarm executable name “vsmon.exe”)
>The executable is being told to start by five different locations in the registry
>The executable resides as hidden, read-only file in \windows\system32\
>If the process is running and the registry settings are removed, they are almost instantly re-written.
>If the process is terminated (sometimes there is more than one instance of the process) and the registry settings removed, but the machine is connected to the network, it restarts a process and re-writes the registry.
>We have managed to keep one machine “clean” by unplugging it, killing the processes and cleaning the registry. As soon as we reconnected to the LAN it re-infected.
>Infected machines appear to lose all of their default shares (C$, ADMIN$)


VirusScan Enterprise 7 (DAT 4377) does not show up anything, or the latest Stinger. Likewise Trend says everything is clean.

I've written a script using kix and a few command line tools, which temporarily cleans the machines (kills any active vsmons processes, removes executable and cleans out any related registry entries). Unfortunately, give it twenty minutes left on our LAN and the machines will re-infect.

For the time being our other sites seem to have escaped, since we have blocked all traffic for port 445 with an access list on the sites default gateway, but its just covering up the problem. Currently, we are getting 75,000 hits a minute against the blocking access list!

Any suggestions much appreciated,

Andy

 

I found the same file on a computer today wher I was removing some virus and spyware, and as I was using Sygate Firewall, it show me that it was trying to acces the site fumado.tevichoche.com (IP address 205.209.170.150) using port 8777. I couldn´t find too some information till now, when I find this forum. I hope soon somebody could identify this problem and give us a solution.

 

Hi,

I stumbled across this thread whilst looking on google.

I have the same problem too, I cannot delete VSMONS.EXE, and it is sending a large amount of outgoing net traffic from my computer.

I have encountered two other files, same symptoms, I cannot fix them either. They are MS32CFG.EXE and WINUP.EXE

 

Can you send a sample of those files to submit@diamondcs.com.au please !

samples@nod32.com would surely appreciate copies too

 

Will do, though I've got a really annoying "icing on the cake" problem at the moment. Though VirusScan7 on all our workstations will not stop this, GroupShield on our Exchange Server does, only it doesn't tell you what on Earth its detected! I'll try and find a webmail account to send it to you.

Be careful though.

Andy

 

Whoa!

Yes Manuel, I see the port 8777 traffic now as well, my network's going for 205.209.170.156.

This really is a bugger, unfortunately it doesn't look like we caught this in time. It's spread to our other sites. Thankfully we can control this with routing to some degree but I really need McAfee to come up with a fix pretty soon.

Thanks,

Andy

 

Hi!

Foundthe virus all over the place in our machines.

It is possible to kill the porcess using pskill (pstools) from SysInternals or other tool capable of killing processes.

http://www.sysinternals.com/ntw2k/freeware/pskill.shtml

After this delete file and clean all the registry entries.

 

Hi BlackMax,

Yes, it is possible to clean it with PSKill, that's what I used in my script (which you can have if you want, for what it's worth), the problem is unless we can nail every last one of them at the same time, as soon as they get back on the LAN, they'll re-infect.

We are having some success with MS Patching though, just using Windows Update to get to absolutely the latest level, then cleaning it, but it's slow going.

I've now registered to get hold of a copy of WIndows Update Services as soon as it comes out (might be another six months though yet).

Let me know if you'd like the script, there's not much to it, just a little collection of files and a few command line tools.

Cheers,

Andy

 

How do you get rid of this trojan? my virus scan can't move it to the virus vault and when I go into the msconfig and uncheck the vsmons.exe (there are usually 2 or 3) it just comes right back. I don't understand the usage of PsKill. Please help!
Thanks
Dina

 

Dina,

I can give you my script which will clear it (kills processes, cleans registry and removes exe), but you need to get all available Windows Updates before you run it in order to prevent it coming back.

You should be able to send me an email with your address and I'll send it over.

Cheers,

Andy Platt

 

will it just be an .exe file that u send? or what do I do with it? Also, what is your email address?
Thanks a bunch
Dina

 

The folks at the Internet Storm Center have a malware analysis team.

You can contact them here and submit the sample.

They're a great resource for analyzing current security related incidents.

 

Sample has now been sent to SANS. Thanks for everyone's help.

Andy Platt

 

Dana,

If you register with the forum and make another post I will be able to send you an email throught the forum with the files you need and instructions.

Cheers,

Andy

 

Could you submit the file here:
http://virusscan.jotti.dhs.org/

Which will scan with: AntiVir, BitDefender, ClamAV, Dr.Web, F-Prot Antivirus,
F-Secure Anti-Virus, Kaspersky Anti-Virus, McAfee VirusScan and Norman Virus Control (all in one go)

Cheers,

Steve

 

Potentially Identified?

Interestingly I've had this response from NOD32 this morning:

Hello,

the file was a new variant belonging to a failry well-known family of Win32/Rbot Backdoors. It's been named Win32/Rbot.HF and NOD32 should detect it soon. It is a backdoor server controlled via IRC network. It has many 'features' including keylogger, file server
or SOCKS proxy. It is able to exploit some of the recent MS Windows
vulnerabilities for spreading, including, for example, the WebDav
vulnerability. It doesn't seem to exploit a vulnerability that is not
covered by Microsoft security updates. It also has a list of weak
passwords that are tried against shares on machines on the network. Try
to ensure that your machines have all the recent security updates from
Microsoft. When the next update is released, NOD32 will be able to
detect this backdoor. We will perform more detailed analysis to see why
your machines get infected again and again.

Best regards,

Juraj Sarinay
ESET s.r.o.

Only thing is, SANS are hinting that it might be a Sasser variant. Hmm . . .

 

Alien8,

I don't see any page at that link you posted?

Andy

 

That's odd... looks okay from here, it's "Jotti's malware scan 2.32".

You just click the browse button at the top and then click the submit button...

Do you get any error messages or is it just blank?

Cheers,

Steve

 

Looks like RBot

Alien8,

Sorry about that, seems to be working now. Dunno, maybe I'm just a bit tired.

Well, Jotti seems to confirm what NOD32 are saying, here's the result:

Service load: 0% 100%

File: vsmons.exe
Status: INFECTED/MALWARE
Packers detected:

AntiVir No viruses found (1.33 seconds taken)
BitDefender No viruses found (3.99 seconds taken)
ClamAV No viruses found (4.89 seconds taken)
Dr.Web No viruses found (5.61 seconds taken)
F-Prot Antivirus No viruses found (0.32 seconds taken)
F-Secure Anti-Virus Backdoor.Rbot.gen (3.68 seconds taken)
Kaspersky Anti-Virus Backdoor.Rbot.gen (3.80 seconds taken)
McAfee VirusScan No viruses found (1.85 seconds taken)
Norman Virus Control No viruses found (37.24 seconds taken)


RBot it is then, thing is, I think I'm going to have to wait for McAfee to get their arse in gear and identify this variant (seen as that's what we have installed on our 300 workstations). Otherwise I'm going to have to buy and install 300 copies of Kaspersky or F-Secure.

Thanks for pointing me at Jotti though, that's really useful.

Andy

 

Hi Andy,

Looks like the some of the vendors need to play catch up with NOD and Kaspersky

I've sent you a pm...

Cheers,

Steve

 

Anyone have an idea how it go on to your system?

 

As far as how it got on to our system, well . . . there's a world of opportunities here.

I think the source was one machine which picked up Morphine just over a week ago. I've seen a post that said Morphine can carry RBot, so that sounds like a reasonable suspect, though it was picked up and deleted by VirusScan 7 (supposedly).

As to how that got on to our system.

Well, we have a lot of suppliers and customers who just breeze into our building and hook up to our LAN. I used to get quite upset at first, but after you get overruled for the umpteenth time, you kind of get used to it. ;-)

Hey-ho,

Andy

 

We have seen an unidentified virus/trojan which behaves exactly as you describe, sending out huge numbers of packets on port 445. However, unlike yours, the connections mapped to one PID which was associated with explorer.exe. I scanned it with multiple products and even uploaded it to our AV vendor which declared it clean. Needless to say, I am not buying it.

On the one system we were able to personally examine, there were a 13 patches which needed to be applied. The patches were applied but did not resolve the issue. We ended up rebuilding that system.

I have heard reports indicating that applying patches on other systems fixed it, but I think folks may be reporting on a different virus which has been forcing reboots.

 

I guess then the only thing you can do to prevent this is to filter or close the ports, so when the vendor or customer plugs in you can limit the exposure of re-infection..which I am sure you have already done.

 

Hi guys:

I'm Nework Manager at an ISP, and my IDS shows a huge of 445 port traffic, usually we filter that port. I heard (and i've read) that such traffic is generated by XP and W2000 machines mainly. BUT now we are facing several claims regarding to troubles with XP and W2000, from that platforms, despite those are connected (this means be able to resolve DNS and perform ping test successfuly), can't navigate from the web browser.

The only way to re-establish the Internet navigation is by restarting the PC.

I remark that during that trouble the user can perform PING test to hostnames (i.e. ping www.cisco.com) perfectly, but they can't navigate


Does somebody knows why this issue happen