whodunnit?

Discussion in 'malware problems & news' started by wintomato, Jun 30, 2003.

Thread Status:
Not open for further replies.
  1. wintomato

    wintomato Registered Member

    Joined:
    Jun 30, 2003
    Posts:
    1
    Location:
    London
    Hi, new to the forum,
    anyone know if there's a way to find out if a EXPL32 mIRC virus has been used to control a certain pc.
    ie the pc is infected and has been for a while, is there anyway of telling if the software has actually been used by someone remotely?
    EXPL32 shows a UNIX username/logon
    thanks
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Wintomato, welcome to the forum!
    Wait with deleting the nasty, or you might like to zip it so it can't run anymore.
    Are you on a network using unix or??
    How did you find the unix login name?

    I would not think of a virus but a keylogger or a RAT, more in the trojans area, right?
    Some descriptions say it opens a backdoor for SubSeven 22 so if you find that you can be sure it was used.
    How is it possible your AV/AT scanners didn't see and disinfect your system?
    You might like to send a sample to a trojan specialist to advice and if you want/need/like they can snipe it out to look for all there is and maybe where to look for logfiles if there are.
    Try support@diamondcs.com.au and include the link to this thread.
    Keep us informed please.
    If i'm wrong and it would be a virus, i recommend sending it to the NOD32 guys at Eset, i can't recall their samples email addy at the moment.


    Did you take any security measures since the discovery?
    You might like to grab the Irclean and Mirclean from the www.diamondcs.com.au site in the free tools area to see if there are more IRC worms on your system.
    And from there the AutoStartViewer to see if anything suspicious is starting with Windows, as the Expl32 does so, hidden and makes more changes to your registry.
    You might like to install Port Explorer to look for suspicious connections real time and you can spy into datapackets from and to your system which might spread some more light.
    TDS to scan with every option deep and thoroughly and look through the alerts list.
    Also there in Network it has the traffic bridge and port listen options to look deeper in and communicate with datapackets and change them!
    In the registered version of TDS (same as the evaluation you would just have installed but with a registration in it which unlocks a few extra options) is a script Screx with which you can do lots of extra to know about your intruder and euhmmm.. some more to get info.
    WormGuard to block suspicious files and give you the option to look into the file in the save mode. All these have a free evaluation time.

    Please keep us informed!
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Samples to Eset
     
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    The EXPL32.EXE will have a HideWindow tool hiding it and lots of other scripts.. these mIRC based trojans are IRC bots, and connect to a specified IRC channel to wait for commands.

    Email me gavin@diamondcs.com.au for more info, please let me know what folder you found the trojan file in - if it is a new folder which the trojan created such as

    c:\Winnt\web\printers\images\

    Then the entire folder contains trojan scripts, and I can tell you exactly what it does (albeit it complicated). Some of these bots have spreading capabilities, and scan for more open machines to infect (you would see a psexec.exe possibly renamed)

    If the files are spread throughout a normal folder such as the Windows\system32 folder then they will be a lot harder to locate :doubt:
     
Thread Status:
Not open for further replies.