Trojan piggybacking WindowsUpdate?

Discussion in 'malware problems & news' started by kanenas, Sep 7, 2002.

Thread Status:
Not open for further replies.
  1. kanenas

    kanenas Registered Member

    Joined:
    Sep 7, 2002
    Posts:
    14
    Hello.
    Has anybody come across a Trojan (if it is) like this?
    There are a bunch of traps in my AtGuard's log that started appearing after I installed a recent security patch for Win2K SP3.
    The traps come always in pairs and the process is always mstask32.exe.
    The first is always an HTTP call to Microsoft. Either WindowsUpdate.Microsoft.com or something like 65.54.249.62 (also Microsoft).
    The second call is to one of various sites and always at port 29374.
    These sites are the IPs for Florida State University, UCLA campus, Louisiana University and some places called getdirty1.27south.com, westside1.27south.com and such.
    What gives?
    Is that some trojan or just Microsoft tricks?
    How do you go about finding what starts up the mstask32.exe?
    Nothing shows in the startup or running processes, services, and wherever else I looked at.
    All the tools I have run haven't detected anything either. Kaspersky AVP, The Cleaner, Trojan Remover, Ad-aware, Trojan Trap.
    Any ideas?
    Thanks in advance.
     
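The log pattern kanenas describes (one process, a Microsoft HTTP call, then a call to a different host each time on the same high port) is easy to pull out of a firewall log mechanically. The script below is an added example, not part of the original thread: it parses a constructed log format (AtGuard's real layout is not shown on the page, so the regex is an assumption to adapt), flags any process that reaches several distinct hosts on one non-standard port, and reconstructs the "always in pairs" sequence. The 65.54.249.62 address is from the post; the other destination IPs and timestamps are made up for the sample.

```python
"""Triage outbound personal-firewall log lines for a process that beacons to
many different hosts on one fixed, non-standard port.

Added example, not code from the original thread. The log layout below is
constructed; adjust LINE_RE to whatever your firewall actually writes.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: pairs of outbound connections from mstask32.exe (an
# HTTP call to Microsoft, then a call to some other host on port 29374),
# mixed with ordinary browser and mail traffic. Only 65.54.249.62 is from
# the post; the other addresses are invented for the example.
SAMPLE_LOG = """\
2002-09-05 10:14:02 OUT TCP mstask32.exe 192.168.1.5:1097 -> 65.54.249.62:80
2002-09-05 10:14:03 OUT TCP mstask32.exe 192.168.1.5:1098 -> 128.186.2.15:29374
2002-09-05 10:31:40 OUT TCP iexplore.exe 192.168.1.5:1102 -> 207.46.134.190:80
2002-09-05 10:44:11 OUT TCP mstask32.exe 192.168.1.5:1110 -> 65.54.249.62:80
2002-09-05 10:44:12 OUT TCP mstask32.exe 192.168.1.5:1111 -> 169.232.5.71:29374
2002-09-05 11:02:55 OUT TCP iexplore.exe 192.168.1.5:1120 -> 64.233.160.99:80
2002-09-05 11:14:20 OUT TCP mstask32.exe 192.168.1.5:1130 -> 65.54.249.62:80
2002-09-05 11:14:21 OUT TCP mstask32.exe 192.168.1.5:1131 -> 130.39.1.10:29374
2002-09-05 11:20:04 OUT TCP outlook.exe 192.168.1.5:1140 -> 10.0.0.2:25
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) OUT (?P<proto>TCP|UDP) "
    r"(?P<proc>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Ports many programs on a desktop legitimately reach; a single process
# talking to many hosts on any other fixed port deserves a look.
COMMON_PORTS = {25, 53, 80, 110, 143, 443}


def parse_log(text):
    """Return one dict per well-formed outbound log line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines, unrelated entries
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def find_fixed_port_fanout(events, min_hosts=3):
    """Map (process, port) -> sorted remote hosts for every process that
    reached at least min_hosts distinct hosts on one non-standard port."""
    hosts = defaultdict(set)
    for ev in events:
        if ev["dport"] not in COMMON_PORTS:
            hosts[(ev["proc"], ev["dport"])].add(ev["dst"])
    return {k: sorted(v) for k, v in hosts.items() if len(v) >= min_hosts}


def find_paired_calls(events, port, window_s=5):
    """Find the 'always in pairs' pattern: an HTTP call by a process followed
    within window_s seconds by a call from the same process to `port`.
    Returns (first_dst, second_dst) tuples in log order."""
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[ev["proc"]].append(ev)
    pairs = []
    for evs in by_proc.values():
        evs.sort(key=lambda e: e["ts"])
        for a, b in zip(evs, evs[1:]):
            if (a["dport"] == 80 and b["dport"] == port
                    and (b["ts"] - a["ts"]).total_seconds() <= window_s):
                pairs.append((a["dst"], b["dst"]))
    return pairs


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (proc, port), dsts in find_fixed_port_fanout(evs).items():
        print(f"{proc} -> port {port} on {len(dsts)} hosts: {', '.join(dsts)}")
    for first, second in find_paired_calls(evs, 29374):
        print(f"pair: {first}:80 then {second}:{29374}")
```

The fan-out check is what separates a backdoor polling a list of drop sites from a legitimate updater, which talks to a handful of vendor hosts on 80/443; the pairing check tells you the first call is probably a connectivity test rather than the real payload.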
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Hi kanenas,

    Two backdoors come to mind:

    - Backdoor Farnaz AKA Zorro Trojan - seems unlikely.

    - Backdoor Zerg.15 AKA Protoss v1.5.

    specs:

    Server:
    C:\WINDOWS\mstask32.exe

    size: 60 KB

    port: 1115, 2060, 12321, 2001 TCP
    12321 UDP

    startup:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    added:
    HKLM\Software\Microsoft\Windows\CurrentVersion "Signed"
    Type: REG_SZ
    Data: c:\windows\mstask32.exe

    KAV should catch these ones. To be on the safe side, grab a (trial) copy of TDS3 from our downloads page, update the Radius manually from the DCS downloads page, have a look at the basic configuration instructions from Jan as posted on the TDS forum, and perform a full system scan. Be sure to disable other running anti-trojan apps before running TDS.

    Keep us posted.

    regards.

    paul
     
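Paul's specs are a ready-made indicator list (server path, size, ports, RunServices entry, the "Signed" value). The script below is an added example, not from the original post or from DiamondCS: it matches those indicators against text exports a responder can pull from a box (a regedit .reg export, a file listing with sizes, `netstat -an` output). The export, file sizes and netstat lines are constructed for illustration; only the path, size, ports and registry values come from the post. Note that the genuine Task Scheduler on Win2K is mstask.exe in the system directory, so a similarly named mstask32.exe in the Windows directory is itself a tell.

```python
"""Match the Backdoor.Zerg.15 / Protoss indicators quoted in the thread
against host artifacts exported to text. Added example, not from the post.
The registry export, file inventory and netstat text are constructed; on a
real box feed it `regedit /e` output, a dir listing and `netstat -an`.
"""
import re
from collections import namedtuple

# Indicators as listed in the post; the 60 KB size is approximate.
IOC = {
    "file_name": "mstask32.exe",
    "size_bytes": 60 * 1024,
    "size_slack": 8 * 1024,
    "tcp_ports": {1115, 2060, 12321, 2001},
    "udp_ports": {12321},
    "run_keys": (r"software\microsoft\windows\currentversion\run",
                 r"software\microsoft\windows\currentversion\runservices"),
    "marker_key": r"hklm\software\microsoft\windows\currentversion",
    "marker_value": "signed",
}

# Constructed .reg export (regedit escapes backslashes as \\).
REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"Signed"="c:\\windows\\mstask32.exe"
"ProgramFilesDir"="C:\\Program Files"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AtGuard"="C:\\Program Files\\AtGuard\\iamapp.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Task Scheduler"="c:\\windows\\mstask32.exe"
"""

# Constructed file inventory: path -> size in bytes.
FILES = {
    r"c:\windows\mstask32.exe": 61440,
    r"c:\winnt\system32\mstask.exe": 122880,  # the real Task Scheduler
}

# Constructed `netstat -an` output.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12321          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1098       128.186.2.15:29374     ESTABLISHED
  UDP    0.0.0.0:12321          *:*
"""

Finding = namedtuple("Finding", "kind detail")


def parse_reg_export(text):
    """Yield (key, value_name, data), lower-cased, for each string value."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].replace("HKEY_LOCAL_MACHINE", "HKLM").lower()
        elif key and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                yield key, m.group(1).lower(), m.group(2).replace("\\\\", "\\").lower()


def check_registry(text):
    findings = []
    for key, name, data in parse_reg_export(text):
        if key.endswith(IOC["run_keys"]) and IOC["file_name"] in data:
            findings.append(Finding("autostart", f"{key}\\{name} = {data}"))
        if key == IOC["marker_key"] and name == IOC["marker_value"]:
            findings.append(Finding("marker", f"{key}\\{name} = {data}"))
    return findings


def check_files(files):
    """Flag the server binary by name, only if the size is in range."""
    return [Finding("file", f"{p} ({s} bytes)") for p, s in files.items()
            if p.lower().endswith("\\" + IOC["file_name"])
            and abs(s - IOC["size_bytes"]) <= IOC["size_slack"]]


def check_netstat(text):
    """Flag listening TCP ports / bound UDP ports from the indicator list."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("TCP", "UDP"):
            continue
        port = int(parts[1].rsplit(":", 1)[1])
        state = parts[3] if len(parts) > 3 else ""
        wanted = IOC["tcp_ports"] if parts[0] == "TCP" else IOC["udp_ports"]
        if port in wanted and (parts[0] == "UDP" or state == "LISTENING"):
            findings.append(Finding("port", f"{parts[0]} {port} open"))
    return findings


def triage(reg_text=REG_EXPORT, files=FILES, netstat_text=NETSTAT):
    return check_registry(reg_text) + check_files(files) + check_netstat(netstat_text)


if __name__ == "__main__":
    for f in triage():
        print(f"[{f.kind}] {f.detail}")
```

Signature scanners look at file content; this looks at where the file sits, what starts it and what it listens on, which is why it still fires when the binary has been repacked and KAV is silent. Check the registry findings before the netstat ones: the autostart entry is what survives a reboot, the open port only tells you it is running now.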
  3. kanenas

    kanenas Registered Member

    Joined:
    Sep 7, 2002
    Posts:
    14
    Thanks for the pointers.
    I didn't have any other detectors around the office so I just deleted mstask32.exe from the running processes, hard disk and registry reference.
    The annoying outgoing calls stopped.
    That program was identified as an MS program (v.2.0.0.232) with an original filename of HOTFIX_q30098EN_i386.exe.
    It probably came as part of the security fix with same name I had installed a few days ago.
    When I got home, I found it on my own machine too (same patch was applied but I don't reboot that often so it wasn't activated earlier).
    Again none of my scanners picked it up except TDS which I just reinstalled.
    It identified it as RAT.Protoss (as you already mentioned). Suspicious Microsoft-tagged exe built with a Borland compiler.
    I deleted the relevant entries and so far so good.
    Interesting though. I'm sure thousands of people picked it up. The Hotfix was made available in a few sites (but I can't remember where I got it from).
    Thank you again for the help.
     
  4. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    My pleasure - always nice to see problems being solved.

    We could go on questioning where you got this "hotfix.exe" from - in case it's an email attachment, you have been tricked. MSoft never provides fixes by email. Anyway: problem solved. Did you check registry entries?

    It's the top-notch anti-trojan available at the moment - no offense in regard to other fairly good ones ;).

    To my knowledge, MSoft doesn't use a Borland compiler building executables. Protoss seemed the most obvious one to me indeed.

    That's a pity...would be very nice in case you could provide URL(s) - using private mail preferably. It's a frightening idea, thousands have picked this one up and infected their systems.

    Take care and regards,

    paul
     
  5. kanenas

    kanenas Registered Member

    Joined:
    Sep 7, 2002
    Posts:
    14
    Hello.
    The file didn't come from an attachment. I never bother reading mail from unknown sources and delete them on the spot.
    It was small enough too and didn't bother to use Flashget so there's nothing in Flashget's history either.
    I cleaned up the registry. In the process, I found the 3721.com trojan too -- the cnsmin.dll one -- and got rid of that too. That's another one that just appeared and I might have picked it up at the same site. I'll keep an eye out for them and maybe I can find the web site that passes them on.
    For the 3721.com one, there are some instructions on Usenet that I picked up. They basically go: delete the registry RUN entry that starts it up, reboot in DOS and delete its files, reboot in Win and clear the registry.
    The first step is not really needed. If you delete the RUN entry, it gets reproduced on the spot under another name.
    Start with rebooting in DOS instead and delete its files (it's in a hidden directory and if you don't know the name -- c:\Winnt\downlo~1\ actually, a utility like the old LiST will get you there), reboot in Win (you get a message about the dll file missing) and clean up the registry. That should take care of it.
    Thanks for your time.
     
  6. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    kanenas,

    Would be nice - could prevent countless others from getting infected.

    Thanks for the info on the 3721.com one; useful additional info!

    regards.

    paul
     
  7. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Hmmm. Just noticed this thread. I don't install a lot of the hotfixes because half the time they are just another M$ trojan.
    It has been my experience that most of the time when hotfixes are posted at security sites, they link back to M$s website for download. I wouldn't think there are too many sites around that host the hotfix themselves, so maybe you can find that site without too much searching.
    Good reaction by using your head kanenas. Its really easy to just start deleting stuff when you find you are infected with something only to find later, you wish you would have written some details down for further investigation.
    Sure hope this isn't a new trend in social engineering by the bad guys. It could be very effective. :mad:
     
  8. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Keylog.GPKeyspy uses MsTask32.exe by default, TDS-3 will detect many if not all variants by Memory Object, Memory Space Scan, and as far as I can see, many will be detected by File signature as well :)
     
  9. crkit1

    crkit1 Registered Member

    Joined:
    Aug 31, 2002
    Posts:
    93
    Location:
    Florida
    o_O I just installed all the updates from Windows Update, because I had to reinstall from the Windows CD after all my stuff was eaten up by a dialer, and afterwards my system started running slow and freezing up. After reading the above, I checked startup and found these... Mxtask, Rnaapp, Wh_exec and Mxecp16. I hadn't noticed them before, but novice as I am, I wouldn't have noticed.
    o_O Is there something here I should be concerned about?

    I'll be glad when my knowledge catches up with my curiosity. :oops:
     
  10. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Hi crkit1,

    I don't think you've picked up any Virus or Trojan from Windows Update, so I don't think you need to worry about that.

    I'm not familiar with Ontrack's System Suite myself, but a web search shows that Mxtask and Mxecp16 are part of their tool set, so those should not be a problem. RNAAPP (Remote Network Access Application) is basically the main program associated with Windows 9x's dialup networking. If you were to kill that, your modem would hang up. I'm afraid I don't know what Wh_exec is.

    A quick question, how exactly were you looking at these? Was this from doing a single Ctrl/Alt/Del and seeing the running tasks or by looking elsewhere?

    As far as possible infections on your system, if you did a clean install of Windows 98 SE from your systems install CDs, then installed the Ontrack's System Suite, followed by going out to Windows Update, I don't think you should have any malware yet. Did you install anything else at all?

    For your virus scanning, does System Suite provide you with a means to download the latest virus definitions so that you are scanning with up to date information? You need to run that update feature often to stay current.

    If you are having problems with your PC being buggy, and hanging on you, you may want to start a new thread on that specifically.

    - LowWaterMark
     
  11. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    3721.com Chinese Keywords browser Spyware
    http://www.gladiator-secure.de/forum/index.php?act=ST&f=6&t=183&s=d98d42e2fab70049a2fc55eaae4566c7
     
  12. crkit1

    crkit1 Registered Member

    Joined:
    Aug 31, 2002
    Posts:
    93
    Location:
    Florida
    Lowwatermark...
    1)A quick question, how exactly were you looking at these? Was this from doing a single Ctrl/Alt/Del and seeing the running tasks or by looking elsewhere?

    2)As far as possible infections on your system, if you did a clean install of Windows 98 SE from your systems install CDs, then installed the Ontrack's System Suite, followed by going out to Windows Update, I don't think you should have any malware yet. Did you install anything else at all?

    3)For your virus scanning, does System Suite provide you with a means to download the latest virus definitions so that you are scanning with up to date information? You need to run that update feature often to stay current.

    1) Yes... I just checked to see what was running from startup.
    2) I have installed all updates, including security patches and tools for IE 5.5. Also Winamp, Media Player 7... and the patch for Media Player. Nothing else yet; I'm looking for a free program that will tell me if something tries to get in... trying to stop trojans, dialers etc. w/o limiting access.
    3) Yes. System Suite has auto update, I go when it tells me to.

    Thanks! :D
     