Serious Virus/Trojan - VSMONS.EXE Flooding Port 445

Discussion in 'malware problems & news' started by DameSlap, Jul 17, 2004.

Thread Status:
Not open for further replies.
  1. DameSlap

    DameSlap Guest

    I'm Technical Services Manager for a medium sized transport organisation (circa 300 node network over twenty sites).

    Our largest site has just been hit by a very serious, but as yet unidentifiable virus/trojan. We have scoured the net and used all our contacts to try and find someone else who has seen this, but so far no joy. Details as follows:

    >Multiple Workstations (about 30) at one subnet on our WAN are generating huge amounts of TCP traffic for port 445 on random addresses (tens of millions of packets).
    >Problem only seems to affect XP workstations
    >Patching to latest MS levels does not seem to help (I guess we may have locked the stable door a little late . . .)
    >We have found a suspicious looking process running on all the “busy” workstations, named “vsmons.exe” (we note with suspicion that this is one character different from the ZoneAlarm executable name “vsmon.exe”)
    >The executable is being told to start by five different locations in the registry
    >The executable resides as hidden, read-only file in \windows\system32\
    >If the process is running and the registry settings are removed, they are almost instantly re-written.
    >If the process is terminated (sometimes there is more than one instance of the process) and the registry settings removed, but the machine is connected to the network, it restarts a process and re-writes the registry.
    >We have managed to keep one machine “clean” by unplugging it, killing the processes and cleaning the registry. As soon as we reconnected to the LAN it re-infected.
    >Infected machines appear to lose all of their default shares (C$, ADMIN$)


    VirusScan Enterprise 7 (DAT 4377) does not show up anything, or the latest Stinger. Likewise Trend says everything is clean.

    I've written a script using kix and a few command line tools, which temporarily cleans the machines (kills any active vsmons processes, removes executable and cleans out any related registry entries). Unfortunately, give it twenty minutes left on our LAN and the machines will re-infect.

    For the time being our other sites seem to have escaped, since we have blocked all traffic for port 445 with an access list on the site's default gateway, but it's just covering up the problem. Currently, we are getting 75,000 hits a minute against the blocking access list!

    Any suggestions much appreciated,

    Andy
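
An added example, not part of the original thread or Andy's kix script: detection logic that runs over access-list deny logs like the ones the blocking ACL above generates, and flags hosts that hammer port 445 across many distinct destinations (the spreading pattern described) while leaving a host that repeatedly hits one file server alone. The log format and addresses are constructed for the example, modelled on Cisco IOS ACL logging.

```python
import re
from collections import defaultdict

# Constructed sample of ACL deny log lines (not taken from the thread).
SAMPLE_LOG = """\
Jul 17 09:00:01 gw %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.0.21(1031) -> 198.51.100.7(445), 1 packet
Jul 17 09:00:01 gw %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.0.21(1032) -> 203.0.113.44(445), 1 packet
Jul 17 09:00:02 gw %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.0.21(1033) -> 192.0.2.9(445), 1 packet
Jul 17 09:00:02 gw %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.0.21(1034) -> 198.51.100.8(445), 1 packet
Jul 17 09:00:03 gw %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.0.77(2201) -> 10.1.5.2(445), 1 packet
Jul 17 09:00:05 gw %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.0.21(1035) -> 203.0.113.45(445), 1 packet
Jul 17 09:00:09 gw %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.0.21(1036) -> 192.0.2.10(445), 1 packet
Jul 17 09:00:09 gw %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.0.77(2202) -> 10.1.5.2(445), 1 packet
"""

# Matches "denied tcp SRC(sport) -> DST(dport)" in an ACL log line.
LINE_RE = re.compile(
    r"denied tcp (?P<src>[\d.]+)\(\d+\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)")


def parse_denies(log_text, dport="445"):
    """Yield (src, dst) for every deny line whose destination port is dport."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("dport") == dport:
            yield m.group("src"), m.group("dst")


def find_scanners(log_text, min_hits=5, min_distinct_dst=4):
    """Return {src: (hits, distinct_destinations)} for hosts whose denied
    port-445 attempts are both numerous and spread over many targets.

    A host that keeps retrying one server (a broken mapped drive, say)
    stays below the distinct-destination threshold and is not reported.
    """
    hits = defaultdict(int)
    targets = defaultdict(set)
    for src, dst in parse_denies(log_text):
        hits[src] += 1
        targets[src].add(dst)
    return {
        src: (hits[src], len(targets[src]))
        for src in hits
        if hits[src] >= min_hits and len(targets[src]) >= min_distinct_dst
    }


if __name__ == "__main__":
    for src, (n, d) in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} denied 445 attempts to {d} distinct hosts")
```

Feeding the real syslog from the gateway in place of SAMPLE_LOG gives a list of workstations to pull off the LAN before cleaning, which is the ordering the thread later settles on.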
     
  2. manuel63

    manuel63 Registered Member

    Joined:
    Jul 19, 2004
    Posts:
    1
    I found the same file on a computer today where I was removing some virus and spyware, and as I was using Sygate Firewall, it showed me that it was trying to access the site fumado.tevichoche.com (IP address 205.209.170.150) using port 8777. I couldn't find any information either until now, when I found this forum. I hope somebody can soon identify this problem and give us a solution.
     
  3. ...

    ... Guest

    Hi,

    I stumbled across this thread whilst looking on google.

    I have the same problem too, I cannot delete VSMONS.EXE, and it is sending a large amount of outgoing net traffic from my computer.

    I have encountered two other files, same symptoms, I cannot fix them either. They are MS32CFG.EXE and WINUP.EXE
     
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
  5. DameSlap

    DameSlap Guest

    Will do, though I've got a really annoying "icing on the cake" problem at the moment. Though VirusScan7 on all our workstations will not stop this, GroupShield on our Exchange Server does, only it doesn't tell you what on Earth it's detected! I'll try and find a webmail account to send it to you.

    Be careful though.

    Andy
     
  6. DameSlap

    DameSlap Guest

    Whoa!

    Yes Manuel, I see the port 8777 traffic now as well, my network's going for 205.209.170.156.

    This really is a bugger, unfortunately it doesn't look like we caught this in time. It's spread to our other sites. Thankfully we can control this with routing to some degree but I really need McAfee to come up with a fix pretty soon.

    Thanks,

    Andy
     
  7. Blackmax

    Blackmax Guest

    Hi!

    Found the virus all over the place in our machines.

    It is possible to kill the process using pskill (pstools) from SysInternals or another tool capable of killing processes.

    http://www.sysinternals.com/ntw2k/freeware/pskill.shtml

    After this delete file and clean all the registry entries.
     
  8. DameSlap

    DameSlap Guest

    Hi BlackMax,

    Yes, it is possible to clean it with PSKill, that's what I used in my script (which you can have if you want, for what it's worth), the problem is unless we can nail every last one of them at the same time, as soon as they get back on the LAN, they'll re-infect.

    We are having some success with MS Patching though, just using Windows Update to get to absolutely the latest level, then cleaning it, but it's slow going.

    I've now registered to get hold of a copy of Windows Update Services as soon as it comes out (might be another six months yet though).

    Let me know if you'd like the script, there's not much to it, just a little collection of files and a few command line tools.

    Cheers,

    Andy
     
  9. ibnot4u

    ibnot4u Guest

    How do you get rid of this trojan? My virus scan can't move it to the virus vault and when I go into msconfig and uncheck vsmons.exe (there are usually 2 or 3) it just comes right back. I don't understand the usage of PsKill. Please help!
    Thanks
    Dina
     
  10. DameSlap

    DameSlap Registered Member

    Joined:
    Jul 20, 2004
    Posts:
    10
    Location:
    SouthWest UK
    Dina,

    I can give you my script which will clear it (kills processes, cleans registry and removes exe), but you need to get all available Windows Updates before you run it in order to prevent it coming back.

    You should be able to send me an email with your address and I'll send it over.

    Cheers,

    Andy Platt
     
  11. ibnot4u

    ibnot4u Guest

    Will it just be an .exe file that you send? Or what do I do with it? Also, what is your email address?
    Thanks a bunch
    Dina
     
  12. OnePing

    OnePing Guest

    The folks at the Internet Storm Center have a malware analysis team.

    You can contact them here and submit the sample.

    They're a great resource for analyzing current security related incidents.
     
  13. DameSlap

    DameSlap Registered Member

    Joined:
    Jul 20, 2004
    Posts:
    10
    Location:
    SouthWest UK
    Sample has now been sent to SANS. Thanks for everyone's help.

    Andy Platt
     
  14. DameSlap

    DameSlap Registered Member

    Joined:
    Jul 20, 2004
    Posts:
    10
    Location:
    SouthWest UK
    Dana,

    If you register with the forum and make another post I will be able to send you an email through the forum with the files you need and instructions.

    Cheers,

    Andy
     
  15. alien8

    alien8 Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    15
    Could you submit the file here:
    http://virusscan.jotti.dhs.org/

    Which will scan with: AntiVir, BitDefender, ClamAV, Dr.Web, F-Prot Antivirus,
    F-Secure Anti-Virus, Kaspersky Anti-Virus, McAfee VirusScan and Norman Virus Control (all in one go) :)

    Cheers,

    Steve
     
  16. DameSlap

    DameSlap Registered Member

    Joined:
    Jul 20, 2004
    Posts:
    10
    Location:
    SouthWest UK
    Potentially Identified?

    Interestingly I've had this response from NOD32 this morning:

    Hello,

    the file was a new variant belonging to a fairly well-known family of Win32/Rbot Backdoors. It's been named Win32/Rbot.HF and NOD32 should detect it soon. It is a backdoor server controlled via IRC network. It has many 'features' including keylogger, file server or SOCKS proxy. It is able to exploit some of the recent MS Windows vulnerabilities for spreading, including, for example, the WebDav vulnerability. It doesn't seem to exploit a vulnerability that is not covered by Microsoft security updates. It also has a list of weak passwords that are tried against shares on machines on the network. Try to ensure that your machines have all the recent security updates from Microsoft. When the next update is released, NOD32 will be able to detect this backdoor. We will perform more detailed analysis to see why your machines get infected again and again.

    Best regards,

    Juraj Sarinay
    ESET s.r.o.


    Only thing is, SANS are hinting that it might be a Sasser variant. Hmm . . .
     
  17. DameSlap

    DameSlap Registered Member

    Joined:
    Jul 20, 2004
    Posts:
    10
    Location:
    SouthWest UK
    Alien8,

    I don't see any page at that link you posted?

    Andy
     
  18. alien8

    alien8 Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    15
    That's odd... looks okay from here, it's "Jotti's malware scan 2.32".

    You just click the browse button at the top and then click the submit button...

    Do you get any error messages or is it just blank?

    Cheers,

    Steve
     
  19. DameSlap

    DameSlap Registered Member

    Joined:
    Jul 20, 2004
    Posts:
    10
    Location:
    SouthWest UK
    Looks like RBot

    Alien8,

    Sorry about that, seems to be working now. Dunno, maybe I'm just a bit tired.

    Well, Jotti seems to confirm what NOD32 are saying, here's the result:

    Service load: 0% 100%

    File: vsmons.exe
    Status: INFECTED/MALWARE
    Packers detected:

    AntiVir No viruses found (1.33 seconds taken)
    BitDefender No viruses found (3.99 seconds taken)
    ClamAV No viruses found (4.89 seconds taken)
    Dr.Web No viruses found (5.61 seconds taken)
    F-Prot Antivirus No viruses found (0.32 seconds taken)
    F-Secure Anti-Virus Backdoor.Rbot.gen (3.68 seconds taken)
    Kaspersky Anti-Virus Backdoor.Rbot.gen (3.80 seconds taken)
    McAfee VirusScan No viruses found (1.85 seconds taken)
    Norman Virus Control No viruses found (37.24 seconds taken)



    RBot it is then. Thing is, I think I'm going to have to wait for McAfee to get their arse in gear and identify this variant (seeing as that's what we have installed on our 300 workstations). Otherwise I'm going to have to buy and install 300 copies of Kaspersky or F-Secure.

    Thanks for pointing me at Jotti though, that's really useful.

    Andy
     
  20. alien8

    alien8 Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    15
    Hi Andy,

    Looks like some of the vendors need to play catch up with NOD and Kaspersky ;)

    I've sent you a pm...

    Cheers,

    Steve
     
  21. rcdata

    rcdata Registered Member

    Joined:
    Jul 21, 2004
    Posts:
    2
    Anyone have an idea how it got on to your system?
     
  22. DameSlap

    DameSlap Registered Member

    Joined:
    Jul 20, 2004
    Posts:
    10
    Location:
    SouthWest UK
    As far as how it got on to our system, well . . . there's a world of opportunities here.

    I think the source was one machine which picked up Morphine just over a week ago. I've seen a post that said Morphine can carry RBot, so that sounds like a reasonable suspect, though it was picked up and deleted by VirusScan 7 (supposedly).

    As to how that got on to our system.

    Well, we have a lot of suppliers and customers who just breeze into our building and hook up to our LAN. I used to get quite upset at first, but after you get overruled for the umpteenth time, you kind of get used to it. ;-)

    Hey-ho,

    Andy
     
  23. davewarde

    davewarde Registered Member

    Joined:
    Jul 21, 2004
    Posts:
    1
    We have seen an unidentified virus/trojan which behaves exactly as you describe, sending out huge numbers of packets on port 445. However, unlike yours, the connections mapped to one PID which was associated with explorer.exe. I scanned it with multiple products and even uploaded it to our AV vendor which declared it clean. Needless to say, I am not buying it.

    On the one system we were able to personally examine, there were 13 patches which needed to be applied. The patches were applied but did not resolve the issue. We ended up rebuilding that system.

    I have heard reports indicating that applying patches on other systems fixed it, but I think folks may be reporting on a different virus which has been forcing reboots.
     
  24. rcdata

    rcdata Registered Member

    Joined:
    Jul 21, 2004
    Posts:
    2
    I guess then the only thing you can do to prevent this is to filter or close the ports, so when the vendor or customer plugs in you can limit the exposure of re-infection..which I am sure you have already done.
     
  25. amoscosop

    amoscosop Registered Member

    Joined:
    Jul 21, 2004
    Posts:
    1
    Hi guys:

    I'm Network Manager at an ISP, and my IDS shows a huge amount of port 445 traffic, which we usually filter. I heard (and I've read) that such traffic is generated mainly by XP and W2000 machines. BUT now we are facing several complaints regarding trouble with XP and W2000: machines on those platforms, despite being connected (meaning they can resolve DNS and ping successfully), can't browse from the web browser.

    The only way to re-establish Internet browsing is by restarting the PC.

    I note that during the trouble the user can ping hostnames (e.g. ping www.cisco.com) perfectly, but they can't browse.

    Does somebody know why this issue happens? o_O
     