GT Bots>>Is this an irc server trying to run?

Discussion in 'other security issues & news' started by keyser_Soze, May 11, 2004.

Thread Status:
Not open for further replies.
  1. keyser_Soze

    keyser_Soze Registered Member

    Joined:
    May 11, 2004
    Posts:
    2
    I'm pretty sure that I unknowingly granted access to a GT Bot to run some sort of virtual file system or file sharing server on my computer by accident. I downloaded a 5MB *.rar file supposedly containing a program, but soon after I unzipped it, I noticed that the contents actually contained an 800kb *.exe file, a 20kb *.nfo file and a 4.75MB file of "no type". I tried changing the file extension on the "no-type" file to *.rar and unzipping it, but that didn't work (shot in the dark). Immediately, though, Sygate prompted me to grant or deny access to a process called "Windows Explorer" that was trying to access an irc channel on the web. I hit "no", and then also noticed another process trying to squeak through my ports called "SlimFTPd" which appears to be a Virtual File System Server. I denied access to both, and scanned the folder which both were running from, "C:\WINDOWS\system32\wbem\mgmt\support\drivers", but no viruses were detected. (Virus defs are all up to date as is everything else...spybot, ad-aware, hijackthis, spywareblaster, etc.) My system is squeaky clean - I keep tabs on everything - but I don't know much about this GT Bot stuff.

    I'm wondering if anyone has any experience with detecting and removing malicious scripts / file servers that are undetectable by anti-virus and spyware programs relative to IRC bots or flood attacks. I could sure use some insight. Thanks
     
  2. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi keyser_Soze, and welcome.

    This sounds like something installed itself too, after you unzipped the files.
    You may want to consider running an anti-trojan. You can find a list here to choose from: http://www.wilders.org/anti_trojans.htm
    Both TDS-3 and TrojanHunter have 30-day trials, so you will have to bring their databases up-to-date manually.

    You could also submit the files to submit@diamondcs.com.au for analysis.

    Also, you could post your hijackthis log for a check to see if anything suspicious is running.

    Regards,

    snap

    I will probably move your thread to a more appropriate forum once we find out a bit more what these files could be.
     
  3. keyser_Soze

    keyser_Soze Registered Member

    Joined:
    May 11, 2004
    Posts:
    2
    thanks for the reply snapdragin

    here's my hijack log. I don't think you'll find too much here, but maybe you'll notice something I don't see. I've got both suspicious programs blocked by my firewall from accessing the web, and I quickly removed a startup string from the registry which I noticed it tried to create under "hklm\...\microsoft\windows\currentversion\run\" called network printer sharing or something --- so you can obviously tell that this SlimFTPd program is sneaky as it tried to cover itself up by hiding under the network sharing printer alias. It is also trying to use the spoolsvc service. I know for a fact that the programs themselves are trash - so it's not like I'm posting because I'm scared to delete them. My question is based more around how do I know if they've created other hidden services that are allowing backdoor access that I might not recognize off the bat. I keep my system on lockdown 24/7, so I'm pretty good about recognizing sketchy processes or sneaky services, but this one is for real sneaky. Check out this hijack log and see what you think.

    Logfile of HijackThis v1.97.7
    Scan saved at 2:33:39 AM, on 5/13/2004
    Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
    C:\Program Files\CA\eTrust Antivirus\InoRT.exe
    C:\Program Files\CA\eTrust Antivirus\InoTask.exe
    C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Norton Password Manager\AcctMgr.exe
    C:\PROGRA~1\CA\ETRUST~1\realmon.exe
    C:\Program Files\PopNot\PopNot.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Crystal Internet Meter\cimeter.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Program Files\Trillian\trillian.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    D:\Spyware\Hijack This\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
    O4 - HKLM\..\Run: [PopNot] C:\Program Files\PopNot\PopNot.exe auto
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Program Files\MRU-Blaster\mrublaster.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Allow Site's Pop-&ups - file://C:\Program Files\PopNot\trustsite.script
    O8 - Extra context menu item: Always &Kill this Pop-up - file://C:\Program Files\PopNot\blocksite.script
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38024.1105671296
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.microsoft.com/activex/controls/sdkupdate/sdkinst.cab
     
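A defender-side check for the persistence trick keyser_Soze describes (a Run entry with a Windows-sounding name pointing at a binary buried under system32), as an added example that is not part of the thread: it parses HijackThis O4 lines, using legitimate entries from the log above plus one constructed entry modelled on the alias and folder the post mentions. The depth threshold and the keyword list are assumptions, not rules from any tool.

```python
import re

# HijackThis "O4" Run-key line, e.g.
#   O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\...\AcctMgr.exe /startup
O4_RUN = re.compile(r"^O4 - (?P<hive>HK[LC][MU])\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
EXE = re.compile(r'^"?(?P<exe>.*?\.exe)"?', re.IGNORECASE)
# Words a bogus Run entry borrows from legitimate Windows components (assumed heuristic list).
SYSTEM_WORDS = ("network", "printer", "sharing", "spool", "windows", "microsoft")

def parse_o4(line):
    """Return hive, value name, command and launched executable for one O4 Run line, else None."""
    m = O4_RUN.match(line.strip())
    if not m:
        return None
    e = EXE.match(m["cmd"])
    exe = e["exe"] if e else m["cmd"].split()[0]
    return {"hive": m["hive"], "name": m["name"], "cmd": m["cmd"], "exe": exe}

def system32_depth(exe):
    """Folders between system32 and the file: 0 = directly inside, -1 = not under system32."""
    parts = exe.lower().split("\\")
    if "system32" not in parts:
        return -1
    return len(parts) - parts.index("system32") - 2

def flag_run_entries(log_text):
    """Return (name, exe, reasons) for Run entries that look like hidden persistence."""
    findings = []
    for line in log_text.splitlines():
        ent = parse_o4(line)
        if not ent:
            continue
        reasons = []
        if system32_depth(ent["exe"]) >= 2:          # e.g. system32\wbem\mgmt\support\drivers
            reasons.append("binary buried in a System32 subfolder")
        name, base = ent["name"].lower(), ent["exe"].rsplit("\\", 1)[-1].lower()
        if any(w in name for w in SYSTEM_WORDS) and not any(w in base for w in SYSTEM_WORDS):
            reasons.append("Windows-sounding name but unrelated binary")
        if reasons:
            findings.append((ent["name"], ent["exe"], reasons))
    return findings

# Legitimate O4 lines from the log above plus one constructed entry (not in the log)
# modelled on the "network printer sharing" alias and folder described in the post.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [Network Printer Sharing] C:\WINDOWS\system32\wbem\mgmt\support\drivers\SlimFTPd.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe"""
```

Running `flag_run_entries(SAMPLE_LOG)` returns only the constructed SlimFTPd entry, with both reasons attached; the real entries from the log pass clean.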
  4. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi keyser_Soze,

    I am not seeing anything suspicious in your log. It is a clean log.

    However, I am not familiar with SlimFTPd but did find an article where it was mentioned the program did have a security vulnerability in it back in Aug 2001, but that may have been addressed in the newer versions:
    http://www.securiteam.com/windowsntfocus/5RP0L0055O.html

    There is a worm that can drop a file with that name in the Windows system folder (doesn't mention a subfolder though) that you might want to read, if you haven't already. Not saying that this is what you have, or that your SlimFTPd is infected, but since you are still investigating whether or not other files could have been downloaded, it wouldn't hurt to read the write up here at Sophos: W32/Grez-A.

    I see you are also running Sygate, and you may have already done this, but double-check that the SlimFTPd doesn't have server rights since Sygate gives server rights by default to any application that connects to the internet the first time.

    I would still suggest that you download a trial copy of one of the anti-trojan programs and run it as they would show you best if there is any trojan activity on your system.

    It wouldn't hurt to do an on-line scan also to get a second opinion. You can find a list of free anti-virus scanners here: Free Services

    I am sorry I could not be of more help, but maybe others might have something to add that could be helpful.

    Regards,

    snap
     
  5. gregk707

    gregk707 Guest

    hey - sounds like it was in fact a gtbot, it probably installed the ftp server when you executed the mirc exe. the mirc exe is (usually) blue, red and a splotch of yellow; if you remember opening a file with this, then it was probably mirc.

    you can search your system for mirc.ini, and if you find it, delete it. that will most likely stop the gtbot from functioning properly, since it holds the settings for how the program will start & what scripts it will load (which is what makes the bot the bot). without the modified mirc.ini file, it is just a regular program.

    if in fact you can find a mirc.ini file, and mirc opens when you reboot, open the program, and type this command: //echo -s $mircdir | echo -s $mircexe

    this will make it say where the mirc exe and mirc dir are located, then you can just go to it and delete the proper files.

    also, gtbots are usually undetected because people make these bots custom.
    in fact, i am making my own as we speak, and mirc is a legitimate program and will NEVER be detected as a virus, however, anti virus detects the scripts that are used in the gtbots as the virii.

    the code below this line is detected as a virus, if you copy it, put it in a .txt file and save it, then scan the file norton will detect it as backdoor.ratsou.d

    ~malicious code snipped - this is against the board's TOS - snap~
     
    Last edited by a moderator: Jul 19, 2004