Serious Virus/Trojan - VSMONS.EXE Flooding Port 445

Discussion in 'malware problems & news' started by DameSlap, Jul 17, 2004.

Thread Status:
Not open for further replies.
  1. DameSlap

    DameSlap Registered Member

    Joined:
    Jul 20, 2004
    Posts:
    10
    Location:
    SouthWest UK
    That's really weird cop, you've got me stumped I'm afraid.

    Sorry

    Andy :doubt:
     
  2. chrisjroos

    chrisjroos Registered Member

    Joined:
    Jul 23, 2004
    Posts:
    2
    Hi,

    It would appear that I have experienced the same problem that has been described in the above posts. I have been working to sort out a badly configured personal PC and thought I had it sorted when I started looking at the final problem reported by the owner - high broadband usage. This was found only because the user was on a bandwidth-limited broadband service and had reports that her usage was nearing its limit. As the PC had been virtually unusable, she claimed that it couldn't have been her that was using the bandwidth. I monitored the usage over a period of about five minutes and, with no visible programs running, around 5mb was sent and received. What was really odd about this was that even when turning off Internet access using ZoneAlarm there was still some data escaping, although I'm not sure whether this may have been general chatter between the USB modem and host machine as it was only a very small amount...

    Anyway, the process (reported by ZoneAlarm) that caught my attention most was called ms32cfg.exe; I didn't know what it was and searching Google (until this morning) produced only one result, in French or German... Although not entirely convinced of this process's purpose, it was not reported as viral by McAfee or AVG (both with the most recent updates). For the above reasons and the need to get the machine working it was decided to format and re-install Windows XP Pro (as was previously running on the machine). Before the format I was backing up all of the data to another drive when Windows reported that it wouldn't allow me to move a file "C:\syss.txt". On inspection the file contains a log of IRC sessions. I tested my suspicion that it was the ms32cfg process that was writing to this log by stopping the process and moving the file - I was able to move it OK (I did a slightly more thorough test than this using tools from Sysinternals). As soon as I restarted the process the file was created and locked once again. From what I can gather the purpose of the IRC session is to download a file called lsass_445, which I can only assume has something to do with Windows security in the form of the Local Security Authority Service. It would appear that this file is not actually retrieved, although I may be wrong. Although my Internet searches for ms32cfg came up blank, some of the keywords searched for did indeed return a result, and I found this article which seems to explain very similar problems to those that I am experiencing (specifically regarding the creation of the IRC log file).

    http://www.security-forums.com/forum/viewtopic.php?t=13788&view=previous

    The main difference to note is that the traffic mentioned in this article is on port 135, yet the traffic I was seeing an abundance of was on port 445 (as reported in the original post).

    Searching sophos for virus info on rbot.af (as discussed in the posts at the url above) returns the following page (there appear to be many variants of the rbot.gen and rbot.a families) which seems to tie in with some points in the original post by Andy.

    http://www.sophos.com/virusinfo/analyses/w32rbotw.html

    My experience of this process is also similar to amoscosop's in that on occasions whilst on site (as in the customer's site), Internet Explorer would refuse to connect to any sites whilst a ping to google.com returned a result fine (i.e. both ping and DNS were fine).

    Following the advice of alien8, I also uploaded the file to Jotti's malware scan and got the following results - tying it back into the xbot family.

    File: ms32cfg.exe
    Status: INFECTED/MALWARE
    Packers detected: YODA 1.2, YODA

    AntiVir: No viruses found (1.23 seconds taken)
    BitDefender: Backdoor.SDBot.Gen (5.02 seconds taken)
    ClamAV: No viruses found (5.82 seconds taken)
    Dr.Web: Win32.HLLW.MyBot (6.54 seconds taken)
    F-Prot Antivirus: No viruses found (0.45 seconds taken)
    F-Secure Anti-Virus: Backdoor.Rbot.gen (4.80 seconds taken)
    Kaspersky Anti-Virus: Backdoor.Rbot.gen (4.10 seconds taken)
    McAfee VirusScan: No viruses found (2.09 seconds taken)
    Norman Virus Control: No viruses found (28.13 seconds taken)

    The next step was to download Sophos and run a full scan on the system; alas, it too came up with nothing. I then downloaded the F-Secure trial as F-Secure recognised the file that was uploaded via Jotti's malware scan. Sadly, I couldn't get the latest virus definitions to install (maybe due to me running a trial) and was not at all impressed with the product, so I uninstalled it. The next software trial downloaded was Kaspersky. NB. Whilst I was downloading these trials, I noticed another suspect file on the machine called wuamgrd.exe, which a search on Google confirmed to be a trojan. This file was actually picked up and removed by F-Secure. I installed Kaspersky and after updating all virus definitions I scanned the Windows\System32 folder (as this is where the ms32cfg.exe file was located). Kaspersky immediately recognised and (on my instruction) deleted three files: ms32cfg.exe (recognised as backdoor.rbot.gen by KAV), wuamgrd.0xe (recognised as backdoor.sdbot.jg by KAV) (also note that this file had already been renamed by F-Secure) and sys1file32.exe (recognised as backdoor.rbot.gen by KAV). I am assuming that the virii we are looking at here are just variations on a theme and whilst the likes of Sophos will actually release a .ide file to deal with the complete removal, Kaspersky can recognise the virus pattern and advise removal based on that alone. The slight downfall of this method is that none of the 'supporting evidence' of the virus is removed, e.g. the registry keys. I am currently running a full system scan with Kaspersky and as soon as that is complete I will try to identify any other files/reg keys etc. used by the virii and post them here.

    The obvious keys (i.e. the ones that contain the actual filename of the suspect files) in the registry that relate to the three files (note that only wuamgrd.exe and ms32cfg.exe seem to create entries in the registry) mentioned above are:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update = wuamgrd.exe
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Update = wuamgrd.exe
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Update = wuamgrd.exe
    HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update = wuamgrd.exe
    HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update = wuamgrd.exe
    HKU\S-1-5-21-1614895754-527237240-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update = wuamgrd.exe

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Features = ms32cfg.exe
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Features = ms32cfg.exe
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Features = ms32cfg.exe
    HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Features = ms32cfg.exe
    HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Features = ms32cfg.exe
    HKU\S-1-5-21-1614895754-527237240-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Features = ms32cfg.exe

    I also went through the motions of uploading the other two files that were found to Jotti's malware scan and got the following results:

    File: sys1file32.exe
    Status: INFECTED/MALWARE
    Packers detected: MORPHINE 1.3, UPX

    AntiVir: No viruses found (2.06 seconds taken)
    BitDefender: Backdoor.SDBot.Gen (4.22 seconds taken)
    ClamAV: No viruses found (5.17 seconds taken)
    Dr.Web: Win32.HLLW.MyBot (8.53 seconds taken)
    F-Prot Antivirus: No viruses found (2.89 seconds taken)
    F-Secure Anti-Virus: Backdoor.Rbot.gen (6.52 seconds taken)
    Kaspersky Anti-Virus: Backdoor.Rbot.gen (6.50 seconds taken)
    McAfee VirusScan: No viruses found (2.23 seconds taken)
    Norman Virus Control: No viruses found (1.13 seconds taken)

    File: wuamgrd.exe
    Status: INFECTED/MALWARE
    Packers detected:

    AntiVir: Worm/Rbot.BI (1.27 seconds taken)
    BitDefender: No viruses found (4.00 seconds taken)
    ClamAV: No viruses found (5.01 seconds taken)
    Dr.Web: Win32.HLLW.MyBot (5.65 seconds taken)
    F-Prot Antivirus: No viruses found (0.34 seconds taken)
    F-Secure Anti-Virus: Backdoor.SdBot.jg (4.37 seconds taken)
    Kaspersky Anti-Virus: Backdoor.SdBot.jg (4.82 seconds taken)
    McAfee VirusScan: No viruses found (2.90 seconds taken)
    Norman Virus Control: No viruses found (31.06 seconds taken)

    I have found that all I needed to do to remove the virii was to stop the processes executing, delete the files themselves (all hidden files in %windir%\system32) and then remove the registry keys. This, as far as I can tell, has removed all traces of the virii.

    For those interested, I have attached the output of four files (all four files are joined as there appears to be a one file upload limit). The first is a sample of the syss.txt file created on the root of c:\ by ms32cfg.exe (note that ip addresses are masked) and the other three are the output from Process Explorer (by Sysinternals) of the three processes running.
     

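    As an added example (not from the thread or from any of its posters), the following PowerShell script audits the Run and RunServices keys listed in the post above across HKLM, HKCU and every loaded HKEY_USERS hive, and flags any value that is a bare executable name resolving to a hidden file in %windir%\system32, the pattern described for ms32cfg.exe and wuamgrd.exe. The value names and file names come from the post; the "bare name" heuristic and the reporting columns are assumptions made for illustration.

```powershell
# Added example, not part of the thread: report-only audit of autorun keys.
# Assumption: the suspicious pattern is a value like "Microsoft Features = ms32cfg.exe",
# i.e. an image name with no directory that lives hidden in %windir%\system32.

$subKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunServices'
)

# Walk HKLM, HKCU and each SID hive currently loaded under HKEY_USERS
# (the post shows the same entry under HKU\.DEFAULT, HKU\S-1-5-18 and a user SID).
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$roots = @('HKLM:', 'HKCU:') +
         (Get-ChildItem -Path 'HKU:' | ForEach-Object { "HKU:\$($_.PSChildName)" })

$system32 = Join-Path $env:windir 'system32'
$running  = Get-Process | Select-Object -ExpandProperty ProcessName -Unique

$findings = foreach ($root in $roots) {
    foreach ($sub in $subKeys) {
        $key = Join-Path $root $sub
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not registry values
            $image = ([string]$p.Value).Trim()
            # Legitimate autoruns normally carry a full path; a bare "name.exe" is the
            # shape of the entries quoted in the post, so only those are reported.
            if ($image -notmatch '^[^\\/"]+\.exe$') { continue }
            $file  = Join-Path $system32 $image
            $attrs = if (Test-Path $file) { (Get-Item $file -Force).Attributes } else { 'missing' }
            [pscustomobject]@{
                Key       = $key
                ValueName = $p.Name
                Image     = $image
                Hidden    = ([string]$attrs -match 'Hidden')
                Attribs   = [string]$attrs
                Running   = ($running -contains [IO.Path]::GetFileNameWithoutExtension($image))
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Image, Key | Format-Table -AutoSize
} else {
    Write-Host 'No bare-name autorun entries found under Run/RunServices.'
}
```

    The script only reports; per the post, removal is stopping the process, deleting the hidden file and then clearing the listed keys, which is left as a manual step so a false positive on a legitimate bare-name entry cannot do damage.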

  3. ubb

    ubb Guest

    I believe I have an rbot variant on my computer as well. The problem is, I can't access any antivirus site, including Sophos (although the main site in a language other than English works), and it immediately quits regedit whenever I try to run it. So I'm in a stump trying to remove this.
     
  4. chrisjroos

    chrisjroos Registered Member

    Joined:
    Jul 23, 2004
    Posts:
    2
    I didn't actually try this yesterday so no guarantees... but what about starting the machine with nothing running? I.e., use msconfig to choose a selective startup and untick the box to Load Startup Items. This should allow you to boot to Windows without the virus being active. From there, you should be able to stop the process, delete the actual file and then remove the registry entries. Then reboot normally, download some virus protection and do a thorough scan to make sure you are clean. NB. This advice is based purely on my experience yesterday; obviously if you are experiencing anything different (a different variant maybe) then it may not apply.

    Chris
     
  5. Rulkas

    Rulkas Guest

    Hi, Chris and everyone (Greetings from Spain, too)

    Let's go to it

    Well, as I was recently attacked by various virii, I have investigated that strange affluence of virii.

    First of all, I have your file syss.txt and, yes, it's about IRC and so forth. This afternoon, I connected to the Internet and my firewall (Agnitum Outpost) detected a new process (mscfg32.exe). The first time, I blocked that process; but the second time, I let it run on my computer (I was testing my antivirus's effectiveness: if the process has a virus, the antivirus should clean it or delete it or detect it). None of the three: no detection, no removal.

    Second, this is what mscfg32.exe is doing on my machine, I'll try to explain it the best way I can: I'm looking at the event report of the firewall. Although I have blocked this process, it opens all possible local ports one by one; they are outgoing connections to a port (Microsoft_ds), to the domain server which you connect to. This consumes resources: I began my Internet session with 126 Mb. of transaction charge (in Task Manager, Processes), now I've got 174 Mb., and I have no other application open that consumes great resources.

    So I'm going to delete that mscfg32.exe.

    One last and important thing: my antivirus (Panda) detected various virii related to tftp archives. I recall that Symantec shows how to delete those archives properly. I'll try to clean those archives too.

    I'll tell you later.
     
  6. DameSlap

    DameSlap Registered Member

    Joined:
    Jul 20, 2004
    Posts:
    10
    Location:
    SouthWest UK
    Hi Chris, Rulkas, ubb.

    Just a pointer from our experience. The most important step in getting this cleared up from our point of view was going through the laborious process of Windows Updating all your machines with all critical updates (not normally laborious, but with 300 machines dispersed across 20 sites it gets a bit tiring).

    While you may be able to clear the virus by ending the process and removing its files and registry entries, you are not protected against re-infection. This is particularly relevant if you are on a LAN with other affected machines as in our case.

    To put it bluntly . . .

    Control using access lists to block port 445 and 8777 if you can
    Windows Update all critical updates
    Then clean

    Roll on Windows Update Services . . .

    Cheers,

    Andy Platt
     
  7. twolf

    twolf Registered Member

    Joined:
    Jul 27, 2004
    Posts:
    1
    Dameslap
    I saw in another post that you have a script that can shut the process down on multiple computers. I was wondering if you could shoot that to me in an email. That would really help us out for the moment.
    Thanks
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Interesting name on this nasty, vsmons.exe. Vsmon.exe is the protective service on Zone Alarm Firewalls. These guys are certainly trying to be clever.
     
  9. Rulkas

    Rulkas Guest

    Hi, Chris, DameSlap,...

    Yes, the process ms32cfg.exe (not mscfg32.exe as I said earlier) is no longer on my machine.

    First, I deleted the file ms32cfg.exe (normally in the \system32 folder). Then, I deleted all registry entries (Start-Run-Regedit) with the phrase "Microsoft Features = ms32cfg.exe" (as Chris says in post 27).
    Later, I updated the computer (via Windows Update... a lot of time spent, but it's necessary, as DameSlap says).

    Ms32cfg.exe may be a new variant of the famous virus rbot; the other file Chris mentions in post 27 is an rbot virus (note the beginning of "Microsoft Update" in the registry).

    Last things:

    One, to ubb, you should consider the Safe Mode way. Reboot your computer, press F8, and select "Start Windows in Safe Mode". This way, the computer only loads the minimum processes for the operating system to run. So, in normal conditions, the OS should not load these malign processes, and maybe you can enter regedit with no problem. Try it.

    (Note that I say should, because in computing I think not all is true)

    The other, ZoneAlarm Firewall. I don't like it. I use Agnitum Outpost. It works great. It passes the Leaktest (a test to check whether your firewall is safe or not). I can't remember where the link to the Leaktest is; anyway, search for "Leaktest" on the web.

    See you!!
     
  10. Senatora

    Senatora Guest

    Hi everybody!
    I've found the ms32cft and vsmons processes in msconfig.
    I had 3 user accounts, and what I've done was remove 2 of the accounts and keep one, kill both processes in the Task Manager and then delete the registry entries by searching for ms32cft and vsmons.
    I think that if you are on a LAN you should disconnect each PC and try to do this, and only connect them again when each machine is clean.
    I know that it is difficult to back up and delete all the user accounts, but in my case it seems to work; I didn't see that process again.
    I've also found the syss.txt file, and deleted it.
    Good luck...
     
  11. Minera

    Minera Registered Member

    Joined:
    Oct 31, 2003
    Posts:
    42
    Location:
    Canada
     
  12. Achoris

    Achoris Guest

    Re: Serious Virus/Trojan - ms32cfg.exe & wuamgrd.exe

    I've found many instances of ms32cfg.exe and wuamgrd.exe throughout our network of 30 computers this last week. I blocked the associated ports on the firewall, but until I killed the processes our network was at a standstill. Was this a firewall inadequacy, end user opening email attachments, or p2p download infection? Norton AV is worthless…
     
  13. gastmark

    gastmark Guest

    I've just started with a "clean" system. Within a few hours I had ms32cfg, winupdatexx and wuam exe's in my registry, generating network traffic. So it has to be a firewall inadequacy.
     
  14. Weka

    Weka Registered Member

    Joined:
    Aug 25, 2004
    Posts:
    1
    Hi All, I just want to post some observations of a new Trojan/virus (possibly related to vsmons.exe) that I encountered on my computer (running XP Home Edition).

    Symptoms:

    - high traffic on Port 445.
    - 'netstat -a' shows many open ports, with stuff being sent to addresses with 'Microsoft' in them.
    - when LAN is disconnected, autodialler keeps trying to connect to one of the following sites:
      - temple.ircgod.org
      - fresita.tevichoche.com
    - Anomalous port traffic traced to unidentified process 'gdavuc.exe' found running in memory (all other processes in memory appeared to be kosher).
    - 4 different registry entries starting 'gdavuc.exe'.
    - (NOTE) no sign of any software entitled 'gdavuc.exe' on my hard disc anywhere (except for a prefetch entry).
    - vsmons.exe found in C:\WINDOWS\system32, and a prefetch entry was found (BUT - this process was not running in memory - could be coincidental?)
    - The latest versions of Spybot Search and Destroy (v 1.3), and Norton Antivirus Corporate Edition (v 8.1, files current for 24 August 2004, run in safe mode) failed to find these processes (although Spybot did clean up several other things).

    Notes:

    - I probably got this infection because I didn't install XP security patches (yeah - probably bad karma).
    - A Google search turned up absolutely nothing for 'gdavuc'.
    - I found that Norton 'Live Updater' was disabled and locked (I didn't do this). The latest virus description files were dated a few days before I was alerted to the high traffic on port 445.
    - I originally had an old version of Norton (v 7.1). When I tried to uninstall this prior to installing later versions, I kept running into fatal errors (had to use a 'brute force' approach in the end).

    Clean Up:

    Updated XP. Reinstalled Norton, and ran with latest definitions (nothing found). Killed process 'gdavuc.exe' (anomalous port activity ceased). Deleted all registry entries for 'gdavuc.exe'. Renamed 'vsmons.exe' as 'vsmons.old'. Also deleted registry information for C:\Program Files\NavNT\vptray.exe, which we assumed was an old version of the Norton utility (but was still found in memory after Norton was supposedly uninstalled - our tech guy thought this might be because of the incomplete uninstallation).

    My computer appears to be functioning normally now - I have not noted any unusual port activity.

    HOWEVER: I don't understand (and this could be ignorance) how a process (gdavuc.exe) could be running in memory and yet not be present as software on my hard disk (we killed the process, checked for software and found none, rebooted, and found the process running in memory again). Does this mean that some OTHER program creates a file 'gdavuc.exe', executes it, and then deletes the software leaving just the process in memory? If so, I haven't found that other program!! It could still be lurking on my computer.

    Any thoughts/comments appreciated.
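    As an added example (not from the thread or from any of its posters), the PowerShell script below turns the 'netstat -a' symptom above, and Rulkas's observation earlier in the thread of a process opening outgoing connections to microsoft-ds one port after another, into a per-process count: it parses netstat -ano, groups connections to remote port 445 by owning PID, and maps each PID to its image path and whether that image still exists on disk, which is exactly what makes a gdavuc.exe-style process with no file behind it stand out. The port, the threshold of 20 connections and the column layout are assumptions.

```powershell
# Added example, not part of the thread: per-process triage of connections to port 445.
# Assumptions: remote port 445, a threshold of 20 concurrent connections, netstat -ano
# output in the "Proto Local Foreign State PID" layout (XP and later).
param([int]$Threshold = 20, [int]$RemotePort = 445)

# Parse only TCP rows; UDP rows have no State column so their PID sits in a different field.
$rows = netstat -ano | Where-Object { $_ -match '^\s*TCP\s' } | ForEach-Object {
    $f = $_.Trim() -split '\s+'
    [pscustomobject]@{
        Local   = $f[1]
        Foreign = $f[2]
        State   = $f[3]
        PID     = [int]$f[4]
    }
}

# Keep rows whose remote endpoint is the SMB port, regardless of IPv4/IPv6 formatting.
$portSuffix = ':' + $RemotePort + '$'
$to445 = $rows | Where-Object { $_.Foreign -match $portSuffix }

$report = $to445 | Group-Object PID | Where-Object { $_.Count -ge $Threshold } | ForEach-Object {
    $proc = Get-Process -Id $_.Name -ErrorAction SilentlyContinue
    # Path comes from the running image, so it is still reported even if the file was deleted.
    $path = if ($proc) { try { $proc.Path } catch { $null } } else { $null }
    $group = $_.Group
    [pscustomobject]@{
        PID       = [int]$_.Name
        Process   = if ($proc) { $proc.ProcessName } else { '<exited>' }
        ImagePath = if ($path) { $path } else { '<unknown>' }
        OnDisk    = [bool]($path -and (Test-Path $path))
        Conns445  = $_.Count
        # Half-open connections are what a scanning process leaves behind.
        SynSent   = @($group | Where-Object { $_.State -eq 'SYN_SENT' }).Count
        # Distinct remote hosts: a scanner fans out to many, a file-share client to few.
        Hosts     = @($group | ForEach-Object { $_.Foreign -replace ':\d+$', '' } |
                      Sort-Object -Unique).Count
    }
}

if ($report) {
    $report | Sort-Object Conns445 -Descending | Format-Table -AutoSize
} else {
    Write-Host "No process has $Threshold or more connections to remote port $RemotePort."
}
```

    A process that shows many distinct hosts, a high SYN_SENT count and OnDisk False is the combination worth investigating before anything is deleted.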
     
  15. Hamman

    Hamman Guest

    I experienced similar symptoms in the last few days. Virtually all my resources were being used sending traffic. eTrust virus software appeared to be disabled after about 10 seconds of launching (even with current signatures). If I relaunched it, it would scan for about 10 seconds and again be stopped, with the E toolbar icon removed at the same time. Ad-Aware SE with current signatures did not find the problem. The SYSS.txt appears to be some sort of script setting my machine up as a server. SEX.BAT was found, which appeared to automatically edit the registry, and XFKS.EXE was present, but I do not know whether this was part of the malware.

    Eventually I threw the towel in and off-line reverted the machine by some two weeks. All now seems OK.

    System was a Centrino running XP Prof.
     
  16. I have the same problem and I can't get it off. Very offending that it slipped through everything I have tried; also not good to log on while someone's standing there and this comes up, makes me look kind of bad.
    Please send any info to my email address, it would be appreciated.
     
  17. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Have you tried downloading and running the Trial Version of TDS3?

    Hope this helps...

    Let us know how you go...

    Cheers :D
     
  18. Destroyer

    Destroyer Guest

    Nope, still having the same problem... it found some stuff, but not enough to clean up my PC. There's some sort of connection from my PC to the Internet that hampers everything else I do. It cancels downloads, resets my connection, all sorts of stuff...
    Can't download anything at over 30 kb/s when I'm supposed to get 128+.
    I could use some help...
     
  19. Kul

    Kul Guest

    I'm having trouble too with vsmons.exe. I know this is an old post but I haven't found any help on other sites. It's vsmons.exe and ISA5S.EXE. According to Norton Corporate Edition it's a W32.Spybot.Worm, but it can't remove it. I've read in this post that someone has a script to use with a program that will remove this; if you can send it please, my email is ~snip~ @gmail.com. I'm desperate. I'm blocking it on my firewall but still my Internet connection is unstable at times and it has nothing to do with my ISP. Thanks in advance.

    Mod Note: Removed personal email so the spam bots won't harvest it - snap
     
    Last edited by a moderator: Oct 1, 2004
  20. John V

    John V Guest

    Like davewarde, I had massive traffic on port 445 associated with explorer.exe.

    Having done all scans for viruses, trojans and adware, and updating to Windows XP Service Pack 2, I was extremely desperate! All the firewalls and programs in the world weren't stopping this: rules to block port 445 still had no effect. Disabling NetBIOS, File & Printer Sharing, and ending various processes didn't help.

    Then I realised, there was one process after all this time I hadn't ended: Synaptics Touchpad (for my laptop) - running two processes SynTP*

    Ending these immediately cured the problem, much to my surprise. I promptly deleted them and hey presto everything is ok.

    I can't find any mention of this anywhere, but for anyone with similar difficulties - look for this first, and for anyone who can shed any light on the matter please do!
     
  21. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
    Correct me if I'm wrong, but like peter2150 said, these guys are gunning for ZoneAlarm users (isn't port 445 one of the holes they've never managed to completely plug, and wasn't port 445 stealthed by SP1 along with 135 ... so to have a backdoor installed on a stealthed port is pretty amazing).
    BTW... did anyone try to end-task this vsmons.exe file? ZA's own service can't be ended even as an admin (I think they don't want trojans to kill it)
     
  22. ilia

    ilia Guest

    Hi everybody (esp. Chris),
    I've just found this site through Google after typing
    Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Update
    as it is within your entry. The address came up as I did a spyware scan on my PC. Could you give any tips re sorting it? Will write more if you could help. Cheers. Will appreciate any reply.
     