serverNet.exe - Virus?

Discussion in 'malware problems & news' started by naivel, Mar 31, 2008.

Thread Status:
Not open for further replies.
  1. naivel (Registered Member; Joined: Mar 31, 2008; Posts: 5)

    Hello,

    I've searched on Google for ServerNet.exe and only found this forum thread.

    serverNet.exe was in all my root drives, including an autorun.inf file. I didn't notice it until I tried to double-click on one of my drives (it wouldn't open unless I right-click > Open).

    I opened autorun.inf in notepad and here's what was inside:
    There was also a serverNet.exe file in C:\Program Files\Common Files\Microsoft Shared\MSInfo

    Something else I noticed: mspaint.exe was running in my task manager. Even if I tried to end the process, it would appear again.

    How did it get there? Well, there's a high possibility that my friend's USB flash drive spread the 'virus' to my computer, since everything was OK until I had to use his USB flash drive. (His computer is also infected.)

    His Kaspersky found that ServerNet.exe was trying to access mspaint.exe or something every 5 seconds.

    So I tried to fix it by removing autorun.inf, then restoring my computer to an earlier time.
    Somehow, everything seems to be fixed, except there are a few SERVERNET.pf files remaining in C:\WINDOWS\Prefetch

    Basically... I'm just trying to find information about this serverNet.exe and what it does exactly.

    Thank you

    (I'm using NOD32 between :) )
     
  2. lodore (Registered Member; Joined: Jun 22, 2006; Posts: 9,006)

    Last edited: Apr 1, 2008
  3. naivel (Registered Member; Joined: Mar 31, 2008; Posts: 5)

    Thanks for the link :)
     
  4. NiQuebec (Registered Member; Joined: Apr 3, 2008; Posts: 1)

    I remove SERVERNET.EXE as follows.

    1) Show all hidden files by resetting the folder view settings
    2) Delete all SERVERNET.EXE and Autorun.inf in every disk (C, D, E, ...)
    3) CMD-REGEDIT, SEARCH FOR SERVERNET ..., DELETE ALL KEYS RELATED TO SERVERNET IN THE REGISTRY
    4) RESTART COMPUTER
    5) SEARCH FOR FILE SERVERNET, DELETE SERVERNET.EXE IN C:\Program Files\Common Files\Microsoft Shared\MSInfo, DELETE _SERVERNET IN SYSTEM32.
    6) EMPTY RECYCLE BIN.

    SEEMS EVERYTHING IS FINE. IF YOU LIKE, YOU CAN TURN OFF THE AUTOPLAY FUNCTION.
    7) GO TO CONTROL PANEL, REMOVE MSPAINT FROM SYSTEM ACCESSORIES, GO DELETE ALL MSPAINT.EXE AND REINSTALL IT AGAIN.

    HOPE IT CAN WORK ON YOUR COMPUTER TOO.

    I HAVE TRIED RUNNING SYSTEM32\_SERVERNET ON MY COMPUTER. IT INSTALLS SERVERNET.EXE+AUTORUN.INF TO ALL MY LOGICAL DISKS, ADDS REGISTRY ENTRIES AND TRIES TO CONTACT AN IP, 117.23.134.204
    SOMEBODY HAS EVEN ADDED SERVERNET AS A SERVICE ON MY COMPUTER.

    I HAVE COMPRESSED "_SERVERNET" INTO A RAR FILE.

    IF ANYBODY CAN HELP TO ANALYZE THIS FILE, LEAVE YOUR EMAIL ADDRESS, I WILL SEND THIS FILE TO YOU.
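
Added example, not part of NiQuebec's post or of any code from this thread: the manual search in steps 1, 2 and 5 comes down to finding every drive root whose autorun.inf launches a dropped executable, which this Python script does by parsing the `[autorun]` section and listing the commands Explorer would run. The sample file contents are constructed, because the autorun.inf quoted in the first post was not preserved.

```python
import re
import string
from pathlib import Path

# [autorun] keys whose value is a command Explorer runs on open or on a menu verb.
_COMMAND_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

def autorun_commands(text):
    """Return [(key, command)] for every launch directive in the [autorun] section."""
    found, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment padding
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            if _COMMAND_KEY.match(key.strip()):
                found.append((key.strip().lower(), value.strip()))
    return found

def scan_roots(roots):
    """Check each drive root for autorun.inf and report what it would launch."""
    report = {}
    for root in roots:
        inf = Path(root) / "autorun.inf"
        if inf.is_file():
            # Decode leniently: these files are often padded with junk bytes.
            report[str(root)] = autorun_commands(inf.read_bytes().decode("latin-1"))
    return report

# Constructed sample; not the file from the thread.
SAMPLE = """\
;junk comment
[AutoRun]
open=serverNet.exe
shell\\open\\Command=serverNet.exe
shell\\explore\\Command = serverNet.exe
icon=shell32.dll,4
"""

if __name__ == "__main__":
    drives = [f"{d}:\\" for d in string.ascii_uppercase if Path(f"{d}:\\").exists()]
    for root, cmds in scan_roots(drives).items():
        for key, cmd in cmds:
            print(f"{root}autorun.inf  {key} -> {cmd}")
```

Every drive listed needs both the autorun.inf and the executable it names removed, including secondary partitions and removable media; a drive missed here is how the file comes back after a reformat of C: alone.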
     
  5. naivel (Registered Member; Joined: Mar 31, 2008; Posts: 5)

    Thanks for the help.

    Here's what they told me when I sent a sample to ESET

     
    Last edited: Apr 3, 2008
  6. lodore (Registered Member; Joined: Jun 22, 2006; Posts: 9,006)

    Did you send it to anyone else other than ESET?
     
  7. naivel (Registered Member; Joined: Mar 31, 2008; Posts: 5)

    I also sent one recently to Kaspersky... Still waiting to see what they'll say.
     
  8. lodore (Registered Member; Joined: Jun 22, 2006; Posts: 9,006)

    Tell me when you get an update.
     
  9. naivel (Registered Member; Joined: Mar 31, 2008; Posts: 5)

    From Kaspersky:

    I guess it is indeed Win32/Hupigon backdoor.
     
  10. Ravage (Registered Member; Joined: Jul 20, 2008; Posts: 1)

    Since you guys posted this thread in March/April 2008, it seems to me that this backdoor has become more popular. Now that I search on Google, there are more that showed up.

    I was infected by this backdoor, and I believe that someone was in my computer and deleted all my secondary drive Word and Excel files. I got my friend to help recover and format the computer for me, hoping that the virus or whatever was on the C: drive instead.

    When I got home and installed an AV program, it told me that Servernet.exe was trying to run! Then I noticed that my D: was also infected.

    In my honest opinion, the virus/backdoor isn't all that important to me; it's the fact that my sensitive information was erased and I can't seem to recover it.
     
  11. RunScanner (Registered Member; Joined: Feb 27, 2007; Posts: 58)

    The file does not have a company name or description embedded; this is always suspicious.

    Could you try a scan with Runscanner to see from which locations it starts?
     
  12. aigle (Registered Member; Joined: Dec 14, 2005; Posts: 11,047; Location: Saudi Arabia/Pakistan)

    Seems you formatted C but the virus had copies with autorun on D and other partitions/hard drives as well.
     