Please help me with Backdoor.Beasty.Family

Discussion in 'malware problems & news' started by Dan1975, Feb 9, 2005.

Thread Status:
Not open for further replies.
  1. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Thanks. Let's hope nothing intercepts it.

    Don't worry. It's used to it. ;)
    I have a spare I use for my experiments.

    It'll take a while since I can't access that mail from here. I hope you can endure it for another day.

    Regards,

    Pieter
     
  2. Dan1975

    Dan1975 Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    30
    Location:
    Sydney, Australia
    I don't think the fresh install is going to happen until Sunday or maybe even later now so we'll let you play with it a while and see how you go. My guess is that the file I sent has nothing of interest on it. Nothing else has so far! The guys who create these things must be some sick puppies. I don't know how they get joy from it!
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    The filename matches with descriptions I found, but the size doesn't.
    Nor do any of the other symptoms show up on your computer.
    So it's either very new or highly "customized".

    Something you could do in the meantime is search your computer for references to this file.

    For the registry:
    Please surf to http://www.billsway.com/vbspage/ and scroll down to
    Registry Search Tool
    Download, unzip and run RegSrch.vbs
    Put mslg.blf in the dialog box.

    After a while a prompt will come up. Click OK to write the results to wordpad and post them.

    For other files:
    Download and install Agent Ransack from http://www.mythicsoft.com/agentransack/pageloader.aspx?page=download

    Run the program and make sure there are Checkmarks in the Expert User and Containing Text boxes on the Advanced tab.

    In the bottom bar type or paste mslg.blf

    Then click Start Search.

    It will take quite a while before it's done.

    When it is, click "Save results" (icon #4 from the left)
    Choose save to clipboard and paste them into your next post.

    Regards,

    Pieter
     
  4. Dan1975

    Dan1975 Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    30
    Location:
    Sydney, Australia
    OK, sounds like a couple of time-consuming things. Really tired and heading off to bedskies but I'll do that stuff tomorrow and post the results for you Pieter.

    Dan.
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Sure is. Better to do that with a clear head. ;)

    Regards,

    Pieter
     
  6. Mephisto

    Mephisto Guest

    Maybe this can help your search for registry entries ... it's the latest version of the Beast I am aware of ... this is the creator's website.

    ~Note:....link to Beast site removed....against TOS....Bubba~
     
    Last edited by a moderator: Feb 11, 2005
  7. Mephisto

    Mephisto Guest

    Beast 2.06
    released February 2004

    New features:
    - the servers are working with restricted users on NT (XP)
    - NT Services Manager
    - chat :p
    - delay execution (at a specific date or after reboots)
    - ICQ2003b password support
    - system time management

    Improvements:
    - server is packable/unpackable :p
    - configurable SIN timeout
    - support for DWORD values in the Registry Manager
    - better CGI & Email notifications
    - ICQ, CGI & Email notifications are working with SIN
    - better DialUp password retrieval
    - more reliable transfers
    - better reverse connection
    - view/change folder attributes (FileManager)
    - 2 modes (hidden or visible) for running files (FileManager)
    - etc.

    Fixes:
    - no more error messages with SIN and on slow connections
    - GUI related
    - etc.

    Important:
    - with beast 2.06 you can connect to 2.05 servers, but not all the functions will work properly
    - on a machine is allowed only 1 beast server, doesn't matter what version

    Tataye


    Client:
    registry added:
    HKEY_CLASSES_ROOT\.bad
    HKEY_CLASSES_ROOT\.bst
    HKEY_CLASSES_ROOT\BeastFile
    HKEY_CLASSES_ROOT\BeastFile\DefaultIcon
    HKEY_CLASSES_ROOT\BeastFile\shell
    HKEY_CLASSES_ROOT\BeastFile\shell\open
    HKEY_CLASSES_ROOT\BeastFile\shell\open\command
    HKEY_CLASSES_ROOT\BeastFile1
    HKEY_CLASSES_ROOT\BeastFile1\DefaultIcon
    HKEY_CLASSES_ROOT\BeastFile1\shell
    HKEY_CLASSES_ROOT\BeastFile1\shell\open
    HKEY_CLASSES_ROOT\BeastFile1\shell\open\command



    Server:
    c:\WINDOWS\svchost.exe
    c:\WINDOWS\COMMAND\mslowb.com
    c:\WINDOWS\SYSTEM\mswmcw.com

    size: 30.805 bytes

    port: 6666 TCP

    startup:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "COM Service"
    data: C:\WINDOWS\COMMAND\mslowb.com
    HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{42CE4021-DE03-E3CC-EA32-40BB12E6015D} "StubPath"
    data: C:\WINDOWS\SYSTEM\mswmcw.com
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "COM Service"
    data: C:\WINDOWS\COMMAND\mslowb.com

    dropped files:
    c:\WINDOWS\svchost.exe
    c:\WINDOWS\COMMAND\mslowb.com
    c:\WINDOWS\SYSTEM\mslg.blf
    c:\WINDOWS\SYSTEM\mswmcw.com
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Thanks Mephisto for trying to help, but......

    - The Beastfile and Beastfile1 keys were not created in the registry
    - The Windows\Command folder is not present

    mslg.blf looks like the file where the keylogger writes its data to

    I'll be waiting for the logs I asked Dan1975 for.

    Regards,

    Pieter
     
  9. Mephisto

    Mephisto Guest

    Sorry about the link to the Beast - I wasn't aware of your TOS and should have looked first. I won't post links to malicious programs again or those types of websites.

    Pieter:
    You're right, this definitely sounds like a modded version - I had a similar battle with a different RAT about 4 months ago (regarding the Windows command folder)

    One of my favorite tools to battle Windows trojans/viruses is a live Linux CD called Knoppix. It has some very powerful tools in it and a lot of ways to rescue data from locked-up Windows boxes.

    Just some of the things you can do:

    http://www.shockfamily.net/cedric/knoppix/
    http://www.linuxdevcenter.com/pub/a/linux/2004/12/02/knpxhks_1.html
    http://www.oreillynet.com/pub/wlg/5118

    Here is a link to Knoppix 3.7. You can either download the ISO and burn it to disc, or if your system won't allow this you can order a pre-burnt disc for only $1.99 if you're interested.
    http://www.linuxcd.org/view_item.php?id_version=709&PHPSESSID=34ed08cee335273446e0d0b2df7d9216

    Whenever I am on the net just surfing I only use live CDs nowadays ... There is no OS installed to infect or foist spyware on ... when I turn off the PC everything is gone ... and anything I download and want to save is easily burnt to disc with K3B and a CDRW.


    Good luck Dan1975
     
  10. Dan1975

    Dan1975 Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    30
    Location:
    Sydney, Australia
    Hey,

    Good to see more people willing to help but unfortunately I have got rid of the lot.

    I reformatted today and no longer have the virus!!! Good news for me! Yeah!! but the virus is gone. Nothing left for you beloved and excellent geeks to work on. I wish I could have held out but it has been 2 weeks with this thing and I need to do stuff on the net that I didn't want to do with the virus still there.

    I really didn't want to give up but I needed to be able to run my puter!! I must say though, that this seems to be an excellent forum for help and I appreciate everything that everyone has done for me. If I ever need any help, I trust that I will be able to get it here.

    Although the "Beast" has won this time, I hope that you will soon be able to destroy it!
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Dan1975,

    Please change all your passwords that were stored on that computer.
    The keylogger file was quite big and the person that planted this thing on your computer may have more information about you than you like.

    Regards,

    Pieter
     
  12. Dan1975

    Dan1975 Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    30
    Location:
    Sydney, Australia
    Yeah,

    Thanks for the reminder. I thought about that the other day but then forgot about it until now. I'll change them all just in case.

    Thanks again for all your help, just unfortunate we couldn't get rid of that thing.
     
  13. Read the thread with much interest as I have the same problem....no luck in removing and just as frustrated as Dan.

    The symptoms are exactly the same and what I found here and on other sites isn't exactly promising. Any news on the Backdoor.Beasty.Family or is reformatting my only option as well?

    thanks, t0m
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    t0m,

    Can you scroll back to post 53 and follow the instructions there.
    This is providing you also have the file called mslg.blf

    Regards,

    Pieter
     
  15. Hello Pieter;

    I was hoping you would reply...after reading how helpful you were with this thread in the past.

    I might be o.k. now!
    After a bad night's sleep I got onto my laptop first thing in the morning and ran a Norton Anti Virus check in safe mode > no success > Backdoor.Beagle not detected. I then thought I might as well try and use system restore in XP SP2.
    I knew exactly when I was infected last night (after watching the Grammy's I downloaded a song on Limewire). And, voila...system restore seems to work.

    I've also deleted LimeWire right away and cleaned out all reports on Beagle in the NAV activity log.

    What's your expert opinion? Right clicking will not bring up the multiple error messages/warnings and the system seems to run great now. I'm a pretty happy guy at the moment. No more P2P for me. Had viruses/trojans before but could always remove them. This was scary. So, am I o.k. now?
    I'm living in a very remote location and my laptop is my only link to the outside world via two-way satellite....I depend on it for my work and communication!

    Thanks again and greetings to the Netherlands from British Columbia.
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    If you went back successfully with System Restore the trojan will be gone completely. No worries there. Were you running a firewall or anything that would have prevented this Backdoor from informing its creator that it was installed?

    Regards,

    Pieter
     
  17. Great, that's good news. Just backed up my entire system and all is going well...

    I think so....I have NAV Auto protect enabled and I'm on a LinkSys wireless router. I believe the router also acts as a firewall? Sorry for my ignorance...

    Symantec system info:
    An upgraded and full application-based firewall is now installed and running on your computer.

    Superior to Internet Worm Protection (which provided inbound-only port blocking protection against incoming worm activity), your upgraded firewall now offers protection from both inbound and outbound Internet activity.

    Your upgraded firewall also safeguards your computer from such common security problems as unauthorized connection attempts, port scans, security attacks, and privacy intrusions.


    If I check my "Connections Log Viewer" I can't see anything suspicious. Is that the right place to look?

    Thanks, cheers....t0m
     
  18. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hard to tell for sure. Wouldn't the entries in the log made by the trojan (if present) be gone due to the System Restore?
    But from the rest of your post, I'd say you were protected well enough.

    Regards,

    Pieter
     
  19. TrojanHelp55

    TrojanHelp55 Guest

    Hi,

    I am new to this forum, but I saw this thread and this problem is exactly what I have. It was recommended to the previous person to run that scripting program, the "Agent" one, which I tried, but I received a warning from Norton 05 that a malicious code has been detected in the file and that it recommends not to continue with the scripting, so I cancelled it.
    As to other interesting aspects: I tried to do a system restore but I have no restore points although I have had my computer for about 7 months, so maybe this virus also deletes restore points.
    Besides this, I have all other IDENTICAL symptoms as Dan (the previous member who posted on this thread).
    I am hoping that maybe someone has some energy left with this issue to troubleshoot a little further?
    And also, how can I find out whether the trojan has saved any of my keystrokes so that the hacker might have some information about passwords, etc.?
    Thanks in advance
    - Aaron (aaronk55ATyahooDOTcom)
     
  20. Dan1975

    Dan1975 Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    30
    Location:
    Sydney, Australia
    Just came back into the forum to see what was happening and I see that this thread is still active. Sounds like I was one of the first to get this strain of the Beast but it is getting a lot more widespread now.

    I hope you are able to find some way of getting rid of it but for me the only option was reformatting. Good Luck!!
     
  21. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Norton will flag the vbs script just because it is a script. No malicious code in there. I have had Agent Ransack and NAV together on my computer for ages and never even received a warning.
    Could it be you have those mixed up?

    You can tell if the keylogger has been activated by the size of mslg.blf
    (Anything more than 43 bytes is data that has been written to it)
    It is very hard to tell if those data were actually sent out.

    I will really need to see those logs to be able to help, so I'm afraid you'll have to trust the programs I recommended.

    Regards,

    Pieter
     
  22. TrojanHelp55

    TrojanHelp55 Guest

    Hi,

    Thank you for being willing to work on this again. I did actually confuse the two programs on my previous post. The one that triggered the warning was the registry search tool, but I still ran it. Here is the log from it:

    REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "mslg.blf" 2/17/2005 2:43:03 AM

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_USERS\S-1-5-21-3652230635-1024195562-1483509141-1005\Software\Agent_EXE\Agent Ransack\RecentContains]
    "1"="mslg.blf"

    [HKEY_USERS\S-1-5-21-3652230635-1024195562-1483509141-1005\Software\Microsoft\Search Assistant\ACMru\5603]
    "005"="mslg.blf"

    [HKEY_USERS\S-1-5-21-3652230635-1024195562-1483509141-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
    "d"="C:\\!Submit\\02-16-2005\\mslg.blf"

    [HKEY_USERS\S-1-5-21-3652230635-1024195562-1483509141-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\blf]
    "a"="C:\\!Submit\\02-16-2005\\mslg.blf"

    ------------------------------------------------------------------

    As to the "Agent" program, no instances of the file were found by it. This might be because I deleted the file mslg.blf with KillBot, taking one of your earlier posted recommendations. So now the file is no longer in the system32 folder but instead in a !Submit folder.

    Please advise if you would like me to do anything else that might lead to elimination of this nuisance.
    Thank you
    -- Aaron
     
  23. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    The results in the registry reflect your actions with the file, nothing else.

    Can you run Agent Ransack again and this time use upx! as the argument to look for?

    (One of the features of Beast 2.06 was the ability to UPX-pack the server, so it may show up in that list of files)

    Regards,

    Pieter
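    Pieter's reading of the RegSrch.vbs output above (the hits only reflect what the analyst did with the file), together with Mephisto's list of Beast 2.06 autostart keys and dropped files in post 7, can be turned into a small triage script. The Python below is an added example, not code from the thread or from any tool it mentions: it parses REGEDIT4-style search output, sorts each hit into analyst artifact, known autostart or autostart needing review, and runs on a constructed sample that uses a placeholder SID and one invented "Updater" value.

```python
import re

# Autostart locations named for this Beast variant in Mephisto's post. RegSrch.vbs
# reports per-user keys as HKEY_USERS\<SID>\..., so matching is done on the suffix.
PERSISTENCE_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\active setup\installed components",
)
# Keys that only record what the analyst did with the file (search history,
# Open/Save dialog MRU, Agent Ransack's own recent-search list).
ANALYST_ARTIFACT_MARKERS = (
    r"\search assistant\acmru",
    r"\explorer\comdlg32\opensavemru",
    r"\agent_exe\agent ransack\recentcontains",
)
# Dropped files listed for this variant in the thread (lower case).
KNOWN_DROPPED = (
    r"c:\windows\svchost.exe", r"c:\windows\command\mslowb.com",
    r"c:\windows\system\mslg.blf", r"c:\windows\system\mswmcw.com",
)
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(.*)"="(.*)"$')

def parse_regedit4(text: str) -> list[tuple[str, str, str]]:
    """(key, value name, data) triples from REGEDIT4-style output; the header
    and ';' comments are skipped and doubled .reg backslashes are collapsed."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries.append((key, m.group(1), m.group(2).replace("\\\\", "\\")))
    return entries

def classify(key: str, data: str) -> str:
    """Label one hit: analyst artifact, known/unknown autostart, or other."""
    k, d = key.lower(), data.lower()
    if any(mark in k for mark in ANALYST_ARTIFACT_MARKERS):
        return "analyst-artifact"
    if any(suffix in k for suffix in PERSISTENCE_SUFFIXES):
        return "persistence-known" if d in KNOWN_DROPPED else "persistence-review"
    return "other"

def triage(text: str) -> dict[str, list[str]]:
    """Group every value in the search output by its classification."""
    out: dict[str, list[str]] = {}
    for key, name, data in parse_regedit4(text):
        out.setdefault(classify(key, data), []).append(f'{key} "{name}"={data}')
    return out

# Constructed sample in the format RegSrch.vbs writes: two hits copied from the
# thread's log (placeholder SID) plus two autostart values invented for the demo.
SAMPLE_EXPORT = r"""REGEDIT4
; Registry search results for string "mslg.blf" (constructed sample)
[HKEY_USERS\S-1-5-21-0-0-0-1005\Software\Microsoft\Search Assistant\ACMru\5603]
"005"="mslg.blf"
[HKEY_USERS\S-1-5-21-0-0-0-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\blf]
"a"="C:\\!Submit\\02-16-2005\\mslg.blf"
[HKEY_USERS\S-1-5-21-0-0-0-1005\Software\Microsoft\Windows\CurrentVersion\Run]
"COM Service"="C:\\WINDOWS\\COMMAND\\mslowb.com"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\WINDOWS\\system32\\unknown.exe"
"""
```

    Feed the real RegSrch.vbs result to `triage()` and only the "persistence-*" groups need a second look; the analyst-artifact group is the noise Pieter describes.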
     
  24. TrojanHelp55

    TrojanHelp55 Guest

    Thanks for your further suggestions once again.
    I ran AgentRansack on the upx! search. The results are posted below. In saving the results, I only selected "save file name" because when I also saved the contents it came to 101 pages in Word. But if the contents are important as well, then please let me know and I will also post them.

    C:\ARCSOFT\data2.cab (535206 KB, 9/9/2003 3:51:54 AM)
    C:\Documents and Settings\AaronK\Desktop\Finding Nemo.avi (708862 KB, 1/16/2005 1:43:27 AM)
    C:\Documents and Settings\AaronK\Desktop\Downloads\Family Guy - Stewie vs Eminem and 50 cent.wmv (3832 KB, 11/24/2004 3:36:50 PM)
    C:\Documents and Settings\AaronK\Desktop\Downloads\Family Guy- Lois runs for school board.mpeg (65686 KB, 11/21/2004 4:57:11 PM)
    C:\Documents and Settings\AaronK\My Documents\My Pictures\Olympus\CamediaImages\Album\Home FL\New Years 04-05\PC310054.JPG (680 KB, 12/31/2004 7:38:38 PM)
    C:\Program Files\Adobe\Photoshop Album Starter Edition\2.0\Apps\ADB2.EXE (414 KB, 4/16/2004 3:10:22 PM)
    C:\Program Files\ArcSoft\Software Suite\PhotoBase\PhotoBase.exe (2576 KB, 8/26/2003 5:02:14 PM)
    C:\Program Files\Common Files\Nullsoft\Video\ActiveX\plugins\nsvplayx_vp5_mp3.dll (173 KB, 8/11/2003 2:18:50 AM)
    C:\Program Files\Common Files\Symantec Shared\VirusDefs\20040811.020\VIRSCAN9.DAT (1480 KB, 8/11/2004 2:00:00 AM)
    C:\Program Files\Common Files\Symantec Shared\VirusDefs\20041208.018\VIRSCAN9.DAT (1758 KB, 12/8/2004 4:00:00 AM)
    C:\Program Files\Common Files\Symantec Shared\VirusDefs\20050216.007\VIRSCAN9.DAT (1932 KB, 2/16/2005 4:00:00 AM)
    C:\Program Files\Common Files\Symantec Shared\VirusDefs\20050216.032\VIRSCAN9.DAT (1932 KB, 2/16/2005 4:00:00 AM)
    C:\Program Files\Common Files\Symantec Shared\VirusDefs\BinHub\virscan9.dat (1693 KB, 11/10/2004 4:00:00 AM)
    C:\Program Files\eFax Messenger Plus 3.3\J2GSetup.exe (3938 KB, 9/19/2004 6:56:06 PM)
    C:\Program Files\eFax Messenger Plus 3.3\J2GView.exe (405 KB, 7/22/2004 11:44:18 PM)
    C:\Program Files\eFax Messenger Plus 3.3\Uninstall.exe (521 KB, 9/19/2004 6:56:06 PM)
    C:\Program Files\Lexmark 510 Series\Drivers\lxbzjsw.dl_ (44 KB, 2/26/2004 8:58:12 AM)
    C:\Program Files\Microsoft Office\Office\Business Planner\MSBP.FTI (14357 KB, 11/3/1998 3:05:28 PM)
    C:\Program Files\Sonic\RecordNow!\Tutorial\ENU\TutorialENU.exe (1453 KB, 2/24/2004 4:48:28 PM)
    C:\Program Files\Sonic\RecordNow!\Tutorial\Movies\movies.exe (2082 KB, 2/24/2004 4:44:24 PM)
    C:\Program Files\TrojanHunter 4.1\Gen.dll (214 KB, 2/4/2005 5:12:00 PM)
    C:\Program Files\TrojanHunter 4.1\InstallLicense.exe (200 KB, 11/23/2004 1:40:58 PM)
    C:\Program Files\TrojanHunter 4.1\InstTimeUpdater.exe (208 KB, 9/5/2004 12:07:26 AM)
    C:\Program Files\TrojanHunter 4.1\TrojanHunter.exe (2292 KB, 1/7/2005 5:58:36 PM)
    C:\Program Files\TrojanHunter 4.1\UninstCheck.exe (140 KB, 8/23/2004 4:00:58 PM)
    C:\Program Files\TrojanHunter 4.1\UnUpx.dll (46 KB, 10/1/2004 7:00:02 PM)
    C:\Program Files\TrojanHunter 4.1\SubmitFiles\SubmitFiles.exe (253 KB, 8/26/2004 4:16:18 PM)
    C:\Program Files\TrojanHunter 4.1\Tools\Autostart Explorer\AutostartExplorer.exe (243 KB, 9/4/2004 1:21:40 PM)
    C:\Program Files\TrojanHunter 4.1\Tools\LiveUpdate\LiveUpdate.exe (305 KB, 11/2/2004 10:40:30 PM)
    C:\Program Files\TrojanHunter 4.1\Tools\MemString\MemString.exe (159 KB, 8/4/2003 5:33:44 PM)
    C:\Program Files\TrojanHunter 4.1\Tools\Process Viewer\ProcessViewer.exe (311 KB, 9/25/2003 8:36:36 PM)
    C:\Program Files\TrojanHunter 4.1\Tools\Window List\WindowList.exe (153 KB, 8/4/2003 5:34:36 PM)
    C:\Program Files\Webroot\Spy Sweeper\Bt01.exe (257 KB, 5/16/2003 7:12:10 AM)
    C:\Program Files\Webroot\Spy Sweeper\ndn01.exe (155 KB, 7/18/2003 10:15:52 AM)
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe (652 KB, 5/28/2004 1:08:14 PM)
    C:\Program Files\WinRAR\Default.SFX (52 KB, 11/2/2004 4:56:48 PM)
    C:\Program Files\WinRAR\Dos.SFX (95 KB, 11/2/2004 4:56:26 PM)
    C:\Program Files\WinRAR\WinCon.SFX (39 KB, 11/2/2004 4:56:10 PM)
    C:\Program Files\WinRAR\Zip.SFX (35 KB, 11/2/2004 4:56:54 PM)
    C:\Program Files\XviD\MiniCalc.exe (23 KB, 6/12/2002 3:52:02 PM)
    C:\Program Files\XviD\OGMCalc.exe (9 KB, 12/26/2003 6:26:36 PM)
    C:\Program Files\XviD\StatsReader.exe (14 KB, 11/24/2003 7:28:40 AM)
    C:\Program Files\XviD\vidccleaner.exe (9 KB, 3/9/2004 9:39:28 AM)
    C:\WINDOWS\unSpySweeper.exe (147 KB, 10/15/2003 10:42:16 PM)
    C:\WINDOWS\Driver Cache\i386\sp2.cab (21724 KB, 9/14/2004 2:50:12 PM)
    C:\WINDOWS\ime\CHTIME\Applets\HWXCHT.DLL (9860 KB, 3/31/2003 7:00:00 AM)
    C:\WINDOWS\ime\imkr6_1\applets\hwxkor.dll (9892 KB, 3/31/2003 7:00:00 AM)
    C:\WINDOWS\ServicePackFiles\i386\sp2.cab (21724 KB, 9/14/2004 2:50:12 PM)
    C:\WINDOWS\system32\dllcache\hwxcht.dll (9860 KB, 3/31/2003 7:00:00 AM)
    C:\WINDOWS\system32\dllcache\hwxkor.dll (9892 KB, 3/31/2003 7:00:00 AM)
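    The listing above shows why a plain content search for "upx!" is noisy: antivirus definition files, TrojanHunter's own UnUpx.dll and SFX stubs all contain the string without being a packed server. A structural check, reading the PE section table for the UPX0/UPX1 names the packer writes, narrows the list; Pieter's 43-byte rule for mslg.blf is included as well. The Python below is an added example, not code from the thread or from Agent Ransack, and the three sample files it inspects are constructed header skeletons, not real executables.

```python
import struct

def pe_section_names(data: bytes):
    """Section names of a PE image, or None when the bytes are not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 24:
        return None
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20; the
    # section table (40 bytes per entry, 8-byte name first) follows it.
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(nsec):
        raw = data[table + 40 * i:table + 40 * i + 8]
        if len(raw) < 8:
            return None  # truncated section table
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names

def upx_packed(data: bytes) -> bool:
    """True only for a PE whose sections carry the UPX0/UPX1 names the UPX
    packer writes; the string 'upx!' turning up somewhere does not count."""
    names = pe_section_names(data)
    return names is not None and any(n.upper().startswith("UPX") for n in names)

def mentions_upx(data: bytes) -> bool:
    """What an Agent Ransack content search for 'upx!' would report."""
    return b"upx!" in data.lower()

def keylog_has_captures(size: int) -> bool:
    """Pieter's rule for mslg.blf: anything above 43 bytes is logged data."""
    return size > 43

def triage_file(data: bytes) -> str:
    """One-line verdict combining the structural and the string check."""
    if pe_section_names(data) is None:
        return "not a PE: string hit only" if mentions_upx(data) else "not a PE"
    return "UPX-packed PE" if upx_packed(data) else "PE, not UPX-packed"

def build_fake_pe(section_names, trailer: bytes = b"") -> bytes:
    """Constructed PE skeleton (DOS stub, signature, COFF header and section
    table only) for exercising the checks; it is not a runnable program."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + table + trailer

# Constructed samples: a UPX-style PE (with the packer's 'UPX!' marker after the
# section table), a plain PE, and a non-PE data file that merely contains the
# string, as the AV definition files in the listing above do.
PACKED = build_fake_pe([b"UPX0", b"UPX1", b".rsrc"], trailer=b"UPX!")
PLAIN = build_fake_pe([b".text", b".data", b".rsrc"])
DATAFILE = b"signature database ... UPX! ... more definitions"
```

    On a real system, run `triage_file(open(path, "rb").read())` over the paths Agent Ransack returned; a packed PE in a system folder is a candidate for submission to the AV vendor, while the string-only hits can be dropped.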
     
  25. TrojanHelp55

    TrojanHelp55 Guest

    Hi again,

    Although I mentioned earlier that when I ran AgentRansack on mslg.blf it did not find anything since I deleted that file...I decided to give it another try. So I ran the Agent on the file again and two results came up. They are below. Maybe they will mean something as well.
    Thanks
    -- aaron

    C:\Documents and Settings\AaronK\Desktop\KillBox\kill.bak (1 KB, 2/16/2005 3:03:44 PM)
    C:\Documents and Settings\AaronK\Local Settings\Temp\sOutTmp154230.tmp (1 KB, 2/16/2005 3:43:30 PM)
     