Trojan/Virus Hit - What went wrong?

Discussion in 'Trojan Defence Suite' started by 2cpus4me, Feb 29, 2004.

Thread Status:
Not open for further replies.
  1. 2cpus4me

    2cpus4me Registered Member

    Joined:
    Feb 20, 2004
    Posts:
    6
    Here's the scenario:

    15:56:30 [Radius Update] Database already up-to-date - transfer aborted.
    17:23:01 [ExecProt] WARNING: e:\_downloads\utils\john-16w\john-16\run\john.exe has been blocked from executing

    I apparently didn't notice the warning and nothing popped up on my screen. Next thing you know, there are new icons on the desktop that looked fishy. One was called Deploy.exe and I immediately deleted them suspecting they were hostile, and things began to go downhill from there.

    I launched a full virus scan and it finds no virus, but does flag some odd things in the log like boot sector 1 and 2 unreadable and a number of files in the windows\temp directory are unreadable (oh, oh). A full TDS-3 scan shows a $hitload of Trojan trace files in the alarm section, most in the windows\temp directory and some messages like please submit these in the TDS-3 status window... (double oh,oh)

    Being new to TDS-3, I panicked and started yanking network cables out of the hub to prevent other workstation infections via shared drives.

    I tried to open the windows\temp directory but it says it didn't exist (yea, right). Next I got a weird firewall message like 'you don't have permissions to...'. Quickly I checked the firewall (BlackICE) and to my horror found out it had been disabled to allow all inbound traffic :(

    Quickly realizing I am in deep $hit, I rebooted, went to the recovery console and rewrote the boot sectors with the command line utility, and while I was there I purged the nasty windows\temp directory of 5 or 6 hostile folders. Logged back in, relaunched a full virus scan, reinstalled the BlackICE firewall (I also have a hardware firewall). TDS-3 found the file listed at the top as a trojan and I submitted it.

    When the virus scan finished, it flagged an error in the log saying it can't find Deploy.exe. I searched for this file and it doesn't exist on the physical drives. A search of the registry found an entry listed in the virus scanner registry section (oh, oh). Went back and looked at the virus scanner configuration and the dang thing had inserted itself into the virus scanner settings as an excluded file. I was worried up to this point, but now I am in paranoia mode.

    I have run PestPatrol, Ad-Aware, Spybot, TDS-3, multiple full system virus scans, as well as having WormGuard resident in addition to a basic hardware firewall in the router. I think I contained the immediate threat, but holy $hit, it took out my firewall and inserted an entry into the virus scanner config. That's pretty sophisticated IMHO, and now I don't trust my system.

    Also, TDS-3 has no entries in the logs for all those Trojan traces that it found initially (the ones that I didn't submit when I panicked and rebooted at first). Where did those go? Lost in the reboot?

    Any advice? I thought running a hardware and software firewall along with TDS-3, WormGuard, PestPatrol, and Spybot resident, backed with the NOD32 virus scanner, would keep me safe...
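    A defender's check that follows from the finding above, added here as an example and not part of the thread or of any tool it names: parse a registry export for scanner exclusion entries and flag any whose path no longer exists on disk, as happened with Deploy.exe. The key and value names in the sample are hypothetical; the real NOD32 layout is not on the page.

```python
import os
import re

# Constructed .reg export (NOT a real NOD32 export; key and value names are hypothetical).
# It mimics what the poster found: an excluded file that is no longer present on disk.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleAV\Scanner\Exclusions]
"0"="C:\\Program Files\\Backup\\backup.exe"
"1"="C:\\WINDOWS\\Deploy.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleAV\Scanner]
"RealTime"=dword:00000001
"""

VALUE_RE = re.compile(r'^"[^"]*"="(.*)"$')


def parse_exclusions(reg_text):
    """Return the string values found under any key whose name contains 'Exclusions'.

    .reg exports escape a backslash as '\\\\', so the doubled form is collapsed back
    to a single separator before the path is returned.
    """
    paths = []
    in_exclusion_key = False
    for line in reg_text.splitlines():
        if line.startswith("["):                       # a new key header
            in_exclusion_key = "exclusions" in line.lower()
            continue
        m = VALUE_RE.match(line)
        if in_exclusion_key and m:
            paths.append(m.group(1).replace("\\\\", "\\"))
    return paths


def phantom_exclusions(paths, exists=os.path.exists):
    """Excluded paths that do not exist on disk.

    A scanner exclusion for a file that has vanished (or that sits in a temp
    directory) deserves a second look: it may have been planted so that a later
    drop of the same file is skipped by the scanner. `exists` is injectable so
    the check can run against a listing taken from another machine.
    """
    return [p for p in paths if not exists(p)]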
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello 2cpus4me ...........
    Sounds serious.
    First: using XP? Possible to use an older system restore point?
    When this all happened, were you in user mode or admin?
    In case of infections please try to avoid a reboot if at all possible, unless advised differently by somebody who really knows what he's advising.
    If something appears on your desktop while online, could it be on a malicious website you got infected?
    If so, are you updated with all the security patches and updates?

    There must have been more the matter. Has anybody access to your computer? You are on a network, I understand. Deploy could be part of a commercial spy agent, a keylogger. But too much happens here, as such a thing works silently hidden in the background.
    Are you working on that computer now or did you stop it for further advice first?

    The full virus scan, was that with TDS or NOD32?

    You have fine tools, but something important is also our own behaviour of course, what we do with them, how we prevent nasties -- where did the downloaded file come from? The john.exe?
    You did at least one very important thing immediately which was isolating the system.

    Waiting for more advanced advice.
     
  3. Bowserman

    Bowserman Infrequent Poster

    Joined:
    Apr 15, 2003
    Posts:
    510
    Location:
    South Australia
    I believe that john.exe is a password cracker from the program john-16w (John the Ripper) - http://www.securiteam.com/tools/3X5QLPPNFE.html

    Deploy.exe is a part of NTRootkit I believe. But it could also be the keylogger SpyAgent as Jooske said.


    Download ASViewer from here and run it - make sure to select Show Services, Show Drivers and Show Active Setup Components. Then save and post the results here for the DiamondCS lads to look at.


    Regards,
    Jade.
     
  4. 2cpus4me

    2cpus4me Registered Member

    Joined:
    Feb 20, 2004
    Posts:
    6
    The Asviewer results are attached.

    Yes, all the software was completely updated. I spent the last week cleaning out junk so I don't want to go to last week's backup if I don't have to.

    I was logged in as admin equivalent when the event occurred. I did open the zip file with WinZip and I think it was in 'checkout' mode so it extracted the files to the disk.

    Workstation is XP Pro. I use Remote Desktop to connect to a W2K3 server to manage that. I was logged in locally at the time and not into Active Directory.

    Yes, the program is a password cracking utility. I have some old NT4 mail files I am trying to recover that are protected (yes, they are my own as I am not a hacker).

    Full scan was done with NOD32 and a full system scan with TDS-3. WormGuard was also active.

    I am trying to locate the web source of the hostile file and will report it here once I find it.
     


  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi 2cpus4me, I've had a quick look through your AS.txt file and nothing stands out but it will need an expert to make sure.

    The trouble is that Deploy.exe is also used to install non-malware programmes and possibly deletes itself once run.

    Hopefully DCS will look tomorrow after their public holiday today :D
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    If you remember the zip file, hunt for that and you'll probably be able to right-click on it to extract, click extract once, and then "cancel", so most probably you will see all the file names displayed in the zip window without actually extracting them. So you are still safe, and you know what to look for on your system.
    If it is a self-extracting thing it is a different story, for even if you would tell it to extract to a certain folder, there might still be files extracted/installed in other parts like the Windows directories and folders, root, etc.
    Maybe others have a good tip to look inside self-extractors in a safe way?


    For the mail files: if you drag them to Notepad, can you see enough to remember the contents of the emails or is it still a problem?
    You know with passwords, people tend to forget them, so write them on a yellow sticker on their monitor!
    If you get to the password part of the files, do you see ***** or empty space? With the asterisks you might be lucky with one of the DCS console tools (free products on the site); with an empty space ..... hmm, isn't your Windows password file readable somewhere/somehow?
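    The "look inside without extracting" idea from the post above, worked through as an added example (not code from the thread, WinZip or DiamondCS): list an archive's entries, flag executables, and flag entries whose path would escape the extraction folder, which is the kind of thing that bites when a viewer silently extracts to disk as it did for the original poster. The sample archive is constructed in memory with dummy contents; the file names are modelled on the thread.

```python
import io
import posixpath
import zipfile

RISKY_EXT = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js"}


def build_sample_zip():
    """Constructed archive: the tool binary from the thread plus a traversal entry.
    Contents are dummy bytes, not real programs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("john-16w/john-16/run/john.exe", b"MZ-dummy")
        zf.writestr("john-16w/john-16/doc/README", b"text")
        zf.writestr("../WINDOWS/Deploy.exe", b"MZ-dummy")  # would land outside the target dir
    return buf.getvalue()


def inspect_archive(data):
    """Return per-entry findings from the central directory only; nothing is extracted.

    zipfile locates the end-of-central-directory record from the end of the file, so
    a zip-based self-extracting .exe (SFX stub + appended archive) can usually be
    listed the same way without ever running the stub.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            norm = posixpath.normpath(name)
            flags = []
            # absolute path, drive letter, or '..' that climbs above the target folder
            escapes = (name.startswith("/")
                       or ":" in name.split("/")[0]
                       or norm == ".." or norm.startswith("../"))
            if escapes:
                flags.append("escapes-target-dir")
            if posixpath.splitext(name)[1].lower() in RISKY_EXT:
                flags.append("executable")
            findings.append({"name": info.filename, "size": info.file_size, "flags": flags})
    return findings


if __name__ == "__main__":
    for entry in inspect_archive(build_sample_zip()):
        print(f"{entry['name']:40} {entry['size']:6}  {', '.join(entry['flags'])}")
```

Run it on a real download by passing the file's bytes to inspect_archive(); any entry flagged "escapes-target-dir" is reason enough not to extract the archive at all.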
     