DDos.RAT.Rbot

Discussion in 'Trojan Defence Suite' started by sailorsam, Jan 5, 2005.

Thread Status:
Not open for further replies.
  1. sailorsam (Registered Member; joined Dec 13, 2004; 8 posts)

    Hi all,
    TDS has found a trace of DDos.RAT.Rbot in my wins.exe file. I have emailed the file to DiamondCS for advice on what to do; however, as they are taking a no doubt well-earned break, I am wondering, whilst I am awaiting their reply, if anyone can tell me if this is a particularly nasty beast or an ordinary nuisance.

    Thanks in advance *puppy*
     
  2. frogfoot (Registered Member; joined Aug 8, 2004; 116 posts; Yeovil UK)

    Could be this one here.
     
  3. Pilli (Registered Member; joined Feb 13, 2002; 6,217 posts; Hampshire UK)

    Hi SailorSam. When Rbot traces are found and shown in the lower console window, you should be able to right-click and then delete.

    HTH Pilli
     
  4. sailorsam (Registered Member; joined Dec 13, 2004; 8 posts)

    Hi Pilli,
    I originally tried deleting the file through the TDS window. However, it wouldn't delete wins.exe. Checking the size of the file against a clean version, it is one KB larger. I also tried renaming the file to .old and replacing it with the clean one. This also failed to work: the same trace was found by TDS. Should I have made this change in "safe mode"?

    Thanks for your help,
     
  5. Pilli (Registered Member; joined Feb 13, 2002; 6,217 posts; Hampshire UK)

    Yes, doing this would make sense as the file might be locked by another process, so rescan in safe mode and let us know how you get on.

    Thanks. Pilli
     
  6. dvk01 (Global Moderator; joined Oct 9, 2003; 3,131 posts; Loughton, Essex, UK)

    What operating system are you using?

    Don't delete the wins file yet; I suspect you might be trying to delete the wrong wins.exe file.

    Some OSes have a genuine version, and this trojan usually doesn't overwrite it but drops a different one in a different folder.

    Please do this: go here and download 'HijackThis'. Double-click on the file and it will self-extract to C:\program files\hijackthis.
    Go to that folder, then double-click HijackThis.exe.
    Click the "Scan" button; when the scan is finished, the Scan button will become "Save Log". Click that and save the log.
    Go to where you saved the log and click on "Edit > Select All", then click on "Edit > Copy", then paste the log back here in a reply.
    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.
     
  7. sailorsam (Registered Member; joined Dec 13, 2004; 8 posts)

    Hi Pilli & Derek,

    Here is the HijackThis log.

    Logfile of HijackThis v1.98.2
    Scan saved at 6:07:25 AM, on 7/01/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\termsrv.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\msdtc.exe
    C:\WINNT\system32\crypserv.exe
    C:\Program Files\ProcessGuard\dcsuserprot.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\hidserv.exe
    C:\WINNT\System32\llssrv.exe
    C:\WINNT\system32\mgabg.exe
    E:\Program Files\Protector Plus\PPAVMon.exe
    E:\Program Files\Protector Plus\PPServ.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\slserv.exe
    C:\WINNT\System32\snmp.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\lserver.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\wins.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\Dfssvc.exe
    C:\WINNT\System32\dns.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\Explorer.EXE
    E:\Keyboard\SpeedKey.exe
    E:\PROGRA~1\PROTEC~1\PPTbc.EXE
    E:\PROGRA~1\PROTEC~1\PPInupdt.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    E:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    E:\Zone Labs\ZoneAlarm\zlclient.exe
    E:\Program Files\Protector Plus\POPSCAN.EXE
    C:\Program Files\ProcessGuard\pgaccount.exe
    C:\Program Files\ProcessGuard\procguard.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\WINNT\system32\QuickTime\QuickTimeUpdateHelper.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Thunderbird\thunderbird.exe
    E:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    E:\Hackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hww.melbpc.org.au/motd/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://hww.melbpc.org.au/search/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com.au/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pcworld.idg.com.au
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://hww.melbpc.org.au/search/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://hww.melbpc.org.au/search/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINNT\system32\inetsrv\iisadmin\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://news.google.com.au/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - e:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "e:\Keyboard\SpeedKey.exe"
    O4 - HKLM\..\Run: [PP2000 Taskbar Control] E:\PROGRA~1\PROTEC~1\PPTbc.EXE
    O4 - HKLM\..\Run: [PP2000 InstaUpdate] E:\PROGRA~1\PROTEC~1\PPInupdt.exe
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [TDS3] E:\Program Files\TDS3\TDS-3.exe
    O4 - HKLM\..\Run: [SBAutoUpdate] "E:\Program Files\SpywareBlaster\sbautoupdate.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] "E:\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "e:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
    O8 - Extra context menu item: Download all by Net Transport - E:\Program Files\Xi\NetTransport 2\NTAddList.html
    O8 - Extra context menu item: Download by Net Transport - E:\Program Files\Xi\NetTransport 2\NTAddLink.html
    O8 - Extra context menu item: Download using LeechGet - file://E:\Program Files\LeechGet 2004\\AddUrl.html
    O8 - Extra context menu item: Download using LeechGet Wizard - file://E:\Program Files\LeechGet 2004\\Wizard.html
    O8 - Extra context menu item: Parse with LeechGet - file://E:\Program Files\LeechGet 2004\\Parser.html
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
    O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://e:\AUTOCADLT02\AcDcToday.ocx
    O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://e:\AUTOCADLT02\InstBanr.ocx
    O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://e:\AUTOCADLT02\InstFred.ocx
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://e:\AUTOCADLT02\AcPreview.ocx

    Thanks for your help,

    Ian
     
  8. dvk01 (Global Moderator; joined Oct 9, 2003; 3,131 posts; Loughton, Essex, UK)

    I can't see any startup for the wins.exe, so it is likely it's the genuine version you have running.

    I would like to see a HJT log from the latest version, 1.99, though, to check.

    And please send me a copy of the wins.exe so I can check it out for you.

    Send to submit@thespykiller.co.uk, preferably zipped so the mail servers won't reject it.

    It is unusual for the wins.exe to be overwritten or infected, but it might have happened; because you are having problems deleting it, though, it suggests that it is the genuine Windows version.
     
  9. dvk01 (Global Moderator; joined Oct 9, 2003; 3,131 posts; Loughton, Essex, UK)

    That wins appears to be the genuine wins.exe from M$.

    I can't see any malicious code inside it.

    No antivirus or antitrojan flags it, and it doesn't look like it's been altered in any way.

    It is usual to have 2 copies, as you say in the email.

    C:\winnt\system32 is its normal place, but a backup copy is always kept in C:\winnt\system32\dllcache so that the Windows File Protection system can replace the original copy if it ever detects anything wrong with it.

    I can only assume that the TDS detection was a false positive.

    If you have the TDS scan log, please either post it or send me a copy by email and I'll see what I think.
     
  10. dvk01 (Global Moderator; joined Oct 9, 2003; 3,131 posts; Loughton, Essex, UK)

    The only thing I find slightly disturbing about it is the file date of its creation and modification of 2 December 2004.

    Did you install W2K on that date?

    I will have the file examined by Kaspersky and see what they come up with, just in case.

    Unfortunately I use XP, so don't have a wins file to compare it to, as XP doesn't use it.
     
  11. sailorsam (Registered Member; joined Dec 13, 2004; 8 posts)

    Hi Derek,

    Attached is the log file from TDS3

    08:26:21 [Init] Trojan Defence Suite v3.2.0 - Registered to *****
    08:26:21 [Init] Started 07-01-05 08:26:21 AUS Eastern Standard Time (UTC: -10), Internet Time @934.97
    08:26:21 [Init] Loading TDS-3 Systems ...
    08:26:21 [Init] • Priority : OK.
    08:26:21 [Init] Token successfully adjusted.
    08:26:21 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
    08:26:21 [Init] • Plugins : OK. Loaded 13
    08:26:21 [Init] • Exec Protection : OK. Installed
    08:26:21 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
    08:26:25 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
    08:26:25 [Init] • Systems Initialised [44216 references - 20387 primaries/11695 traces/12134 variants/other]
    08:26:25 [Init] Radius Systems loaded. <Databases updated 07-01-2005>
    08:26:25 [Init] TDS-3 Ready. <Administrator@210.49.113.47, 127.0.0.1 - Australia>
    08:26:25 [Tip Of The Day] Shopping for DiamondCS services and software is easy! Simply visit http://www.diamondcs.com.au/shop.php
    08:26:25 [TDS] Good morning Administrator.
    08:26:28 [Mutex Memory Scan] Started...
    08:26:30 [Mutex Memory Scan] Finished (no trojan mutexes found).
    08:26:30 [Trace Scan] Started...
    08:26:44 [Trace Scan] Finished.
    08:26:45 [CRC32] Started - verifying 29 files ...
    08:26:45 [CRC32] File doesn't exist: C:\autoexec.bat
    08:26:46 [CRC32] Test finished.
    08:26:56 [Screen Text] Saved to E:\Program Files\TDS3\scr1.txt

    In the alarm window below the main scan control window is:

    Scan Control Dumped @ 08:30:28 07-01-05
    File Trace: Default trojan filename: DDoS.RAT.rBot
    File: C:\WINNT\System32\wins.exe

    I am happy to hear that it is probably a false positive.

    Thanks again.

    Cheers,

    Ian
     
    Last edited by a moderator: Jan 6, 2005
  12. sailorsam (Registered Member; joined Dec 13, 2004; 8 posts)

    I missed the question on the date of the Windows installation. Windows was installed a few years ago. I first noticed the alarm on or around the 22nd December. If my memory serves me correctly, ZoneAlarm asked for permission for WINS.exe to access the internet (with a particular IP address; didn't take much notice at the time). I granted permission and I think that the next scan picked up the trace. These two matters could be unrelated.

    Cheers,

    Ian
     
  13. dvk01 (Global Moderator; joined Oct 9, 2003; 3,131 posts; Loughton, Essex, UK)

    Ah.

    File Trace: Default trojan filename: DDoS.RAT.rBot
    File: C:\WINNT\System32\wins.exe

    It isn't saying that the file is infected, just that it has the same name as a known trojan that runs from that location in other versions of Windows.

    I think it's because one version of DDoS.RAT.rBot does use the name wins.exe, and as only Win2000 uses wins.exe legitimately and runs it from the system32 folder, it's a reasonable detection.

    I hope when Gavin comes back from holidays he will try and alter the detection to exclude Win2000, but how I don't know.
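Posts 9 and 13 together describe the two things that settled this thread: a trace that matches only filename and location fires on any wins.exe in System32, genuine or not, while the copy Windows File Protection keeps in system32\dllcache gives a local reference to compare the live file against. The Python below is an added example, not code from the thread, from DiamondCS or from Microsoft; it recreates both checks offline on constructed files, and the directory layout, the 4 KB stand-in binary and the 1 KB of padding (echoing the size difference sailorsam reported) are all constructed, not real wins.exe data.

```python
import hashlib
import os
import tempfile

# Name-plus-location trace, mirroring the detection discussed in the thread.
TRACE_RULE = {"name": "wins.exe", "dir": "system32"}


def sha256_of(path):
    """Hash a file in chunks so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def name_trace_fires(path):
    """Fires on filename + parent directory alone, whether the file is genuine or not."""
    parent = os.path.basename(os.path.dirname(path)).lower()
    return os.path.basename(path).lower() == TRACE_RULE["name"] and parent == TRACE_RULE["dir"]


def verify_against_dllcache(system32_dir, name="wins.exe"):
    """Compare the live file with the WFP backup in dllcache by size and SHA-256."""
    live = os.path.join(system32_dir, name)
    backup = os.path.join(system32_dir, "dllcache", name)
    result = {"trace_fires": name_trace_fires(live), "backup_present": os.path.exists(backup)}
    if not result["backup_present"]:
        result["matches_backup"] = None  # nothing local to compare against
        return result
    result["size_delta"] = os.path.getsize(live) - os.path.getsize(backup)
    result["matches_backup"] = sha256_of(live) == sha256_of(backup)
    return result


def demo(live_extra=b""):
    """Constructed WINNT/system32 layout: dllcache holds the reference copy and the
    live copy optionally carries extra bytes, standing in for a replaced binary."""
    clean = b"MZ" + b"\x00" * 4094  # constructed 4 KB stand-in, not the real wins.exe
    with tempfile.TemporaryDirectory() as root:
        sys32 = os.path.join(root, "WINNT", "system32")
        os.makedirs(os.path.join(sys32, "dllcache"))
        with open(os.path.join(sys32, "dllcache", "wins.exe"), "wb") as f:
            f.write(clean)
        with open(os.path.join(sys32, "wins.exe"), "wb") as f:
            f.write(clean + live_extra)
        return verify_against_dllcache(sys32)
```

A match with the dllcache copy only shows that the two local copies agree; when the file protection store could itself have been replaced, a vendor hash or signature check is still needed, which is what the Kaspersky submission later in the thread supplied.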
     
  14. dvk01 (Global Moderator; joined Oct 9, 2003; 3,131 posts; Loughton, Essex, UK)

    I have just heard back from Kaspersky that the wins.exe is completely clean and IS the standard Windows file and not a trojan one.
     
  15. Gavin - DiamondCS (Former DCS Moderator; joined Feb 10, 2002; 2,080 posts; Perth, Western Australia)

    Thanks! I have removed this trace for the next update, which should be out very soon.
     
  16. dvk01 (Global Moderator; joined Oct 9, 2003; 3,131 posts; Loughton, Essex, UK)

    Nice to see you back Gavin

    Hopefully refreshed from a nice break and ready for another year of battles against the baddies
     
  17. Cybervato (Guest)

    Well,

    I found out I also got this trojan/worm, and I fixed it by removing the WINS service and rebooting the server, then re-installing the WINS service, and it seems to have fixed this issue. Don't know how it got loaded in the first place.

    Hope this helps..!
     