Hi, I've got a process running on my Windows 2000 machine with a process name of lexbce.exe. This process tries to connect to many IP addresses on port 135. After startup, the first thing it seems to do is contact an IRC server (to ask which IP range to scan?). I've captured this exchange with the IRC server: :irc.rshp.org NOTICE AUTH :*** Looking up your hostname... :irc.rshp.org NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead :irc.rshp.org 001 GBR|482176 :Welcome to the server.org IRC Network GBR|482176!pndupuxx@80.187.145.207 :irc.rshp.org 002 GBR|482176 :Your host is irc.rshp.org, running version Unreal3.2.3 :irc.rshp.org 003 GBR|482176 :This server was created Mon Apr 18 2005 at 17:44:58 EDT :irc.rshp.org 004 GBR|482176 irc.rshp.org Unreal3.2.3 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj :irc.rshp.org 005 GBR|482176 CMDS=KNOCK,MAP,DCCALLOW,USERIP SAFELIST HCN MAXCHANNELS=25 CHANLIMIT=#:25 MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20 WALLCHOPS :are supported by this server :irc.rshp.org 005 GBR|482176 WATCH=128 SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(ohv)@%+ CHANMODES=beIqa,kfL,lj,psmntirRcOAQKVGCuzNSMTG NETWORK=server.org CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT STATUSMSG=@%+ EXCEPTS INVEX :are supported by this server :irc.rshp.org 251 GBR|482176 :There are 1 users and 306 invisible on 2 servers :irc.rshp.org 252 GBR|482176 1 perator(s) onlin e :irc.rshp.org 254 GBR|482176 4 :channels formed :irc.rshp.org 255 GBR|482176 :I have 135 clients and 1 servers :irc.rshp.org 265 GBR|482176 :Current Local Users: 135 Max: 282 :irc.rshp.org 266 GBR|482176 :Current Global Users: 30 7 Max: 378 :irc.rshp.org 422 GBR|482176 :MOTD File is missing :GBR|482176 MODE GBR|482176 :+ix :GBR|482176!pndupuxx@684601C0.9BE6DA9D.AE2E9C70.IP JOIN :#root :irc.rshp.org 332 GBR|482176 #root :.ntscan 255 600 80.x.x.x :irc.rshp.org 333 GBR|482176 #root duckeiQT 1114528973 :irc.rshp.org 353 GBR|482176 @ #root :GBR|482176 :irc.rshp.org 366 GBR|482176 #root :End of /NAMES list. :irc.rshp.org 302 GBR|482176 :GBR|482176=+pndupuxx@80.187.145.207 :irc.rshp.org 404 GBR|482176 #Server :You need voice (+v) (#Server) :irc.rshp.org 482 GBR|482176 #root :You're not channel operator :irc.rshp.org 302 GBR|482176 :GBR|482176=+pndupuxx@80.187.145.207 :irc.rshp.org 482 GBR|482176 #root :You're not channel operator :irc.rshp.org 302 GBR|482176 :GBR|482176=+pndupuxx@80.187.145.207 :irc.rshp.org 482 GBR|482176 #root :You're not channel operator :irc.rshp.org 404 GBR|482176 #root :You need voice (+v) (#root) Anyone knows what this is about? Thanks, Jan
Have you perhaps a Lexmark printer? As quexx88 already posted: send it to submit(at)diamondcs.com.au In the meanwhile you could also scan it online at Jotti: http://virusscan.jotti.org/
This has nothing to do with a Lexmark printer...I connected, hassled the op in #root, and quickly got banned from the server. He's going to turn it into a warez net.
No, no need to be sorry at all! Sorry if I came off as sounding a bit blunt...been under a lot of pressure this week as a lowly high school student, I'm sure you understand I bet the trojan file was deliberately named to cause confusion with users who do have Lexmark printers...it would certainly not be the first time that a good old "masquerade" has been attempted We are all in this together, to learn as much as we can!
Thanks quexx88 !!!!! I bet you're right about that deliberately naming that file ! You're so right that it isn't the first time... Well, I hope that the original poster will send it to DCS so Gavin can have a look at it !!! Hey quexx88, I wish you ALL the best at school !!!!! Warm regards, Jan.
Thanks guys for the responses. I did the online virus scan, and it reports: lexbce.exe Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) MD5 6982ea6764ab9392132e150ad5e67e99 Packers detected: PE_PATCH.MORPHINE, MORPHINE Scanner results AntiVir Found nothing Avast Found nothing AVG Antivirus Found nothing BitDefender Found nothing ClamAV Found nothing Dr.Web Found BackDoor.IRC.Sdbot F-Prot Antivirus Found nothing Fortinet Found W32/Banker.OQ-tr Kaspersky Anti-Virus Found Trojan-Spy.Win32.Banker.oq mks_vir Found Win32.4 (probable variant) NOD32 Found probably unknown NewHeur_PE (probable variant) Norman Virus Control Found Sandbox: W32/Spybot.gen1; [ General information ] * File length: 78848 bytes. [ Changes to filesystem ] * Creates file C:\WINDOWS\SYSTEM\lexbce.exe. [ Process/window information ] * Creates a mutex unDectedver1. VBA32 Found nothing So, it seems to be a known trojan, but my virus scanner (Symantec) doesn't know about it. Also, initially I didn't use the right scan method in TDS, but now that I do it reports that it found a 'Live Trojan'. I've also got another process running (with a random name) which tries to email spam out from my machine. Perhaps it's connected. So, time to clean up... Thanks again for your help! Jan
Hi there jdo, welcome to the forum! For my understanding, how did you capture that discussion and why it is this lexbce.exe? Lexmark Printer Manager, some other processes start with lex* but you should check it with strings. http://www.sysinternals.com/ntw2k/source/misc.shtml#strings
Hi Jooske, I suddenly noticed that there was lots of network traffic on my machine when I wasn't doing anything. So, with Tcpview (Windows sysinternals) I saw that a process called lcebxe.exe was generating lots of connection attempts. Then, with Ethereal I captured the IRC conversation (I knew what to look for and used Follow TCP stream). Subsequently, I installed Kerio Personal Firewall with a rule to block and log anything coming from lexbce.exe. It shows that lexbe.exe tries to connect to the IRC server every few seconds. And I don't have a Lexmark printer Thanks, Jan
Port Explorer is a very nice tool with some more tools included. With the Sysinternals Process Explorer and TCPView i think you can expand the process and see the related dll files etc, right? Did you try Strings to see if your lex* file is original bad? In TDS are some nice plugins and other tools for that purpose too, btw.
