To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
Additional information regarding the IRC server mentioned below:
From Norman's Sandbox:
[ Network services ]
* Connects to "comto.mybizz.info" on port 1560 (TCP).
* Connects to IRC Server.
* IRC: Uses nickname oo38045.
* IRC: Uses username oo38045.
* IRC: Joins channel #un.
* IRC: Sets the usermode for user oo38045 to +i.
* IRC: Sets the channel mode for channel #un to +mntsu.
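The sandbox lines above describe a textbook IRC bot check-in: a connection to a non-standard port, a machine-generated nick that doubles as the username, an immediate channel join and mode changes. The following detector is an added example (not from the list post or Norman's Sandbox) that parses client-to-server IRC lines from a reconstructed TCP stream and lists why the stream looks like a bot check-in; the sample stream is constructed from the behaviour reported above.

```python
import re
from dataclasses import dataclass, field

# Client-to-server IRC commands a bot typically sends right after connecting
NICK_RE = re.compile(r"^NICK\s+(\S+)")
USER_RE = re.compile(r"^USER\s+(\S+)")
JOIN_RE = re.compile(r"^JOIN\s+(#\S+)")
MODE_RE = re.compile(r"^MODE\s+(\S+)\s+\+(\S+)")

@dataclass
class Finding:
    dst: str
    port: int
    nick: str = ""
    user: str = ""
    channels: list = field(default_factory=list)
    modes: dict = field(default_factory=dict)   # target -> mode letters set by client
    reasons: list = field(default_factory=list)

def analyze_stream(dst: str, port: int, payload: str) -> Finding:
    """Parse one client->server stream and collect bot check-in indicators."""
    f = Finding(dst, port)
    for line in payload.splitlines():
        if m := NICK_RE.match(line):
            f.nick = m.group(1)
        elif m := USER_RE.match(line):
            f.user = m.group(1)
        elif m := JOIN_RE.match(line):
            f.channels.append(m.group(1))
        elif m := MODE_RE.match(line):
            f.modes[m.group(1)] = m.group(2)
    if not f.nick:
        return f                                 # no IRC handshake in this stream
    if port not in (6667, 6697):
        f.reasons.append(f"IRC handshake on non-standard port {port}")
    if f.nick == f.user:
        f.reasons.append("nick equals username (machine-generated identity)")
    if re.fullmatch(r"[a-z]{1,3}\d{4,}", f.nick):
        f.reasons.append("nick is a short letters+digits pattern")
    if "i" in f.modes.get(f.nick, ""):
        f.reasons.append("client immediately sets itself invisible (+i)")
    for ch in f.channels:
        if {"s", "m"} & set(f.modes.get(ch, "")):
            f.reasons.append(f"client makes {ch} secret/moderated")
    return f

# Constructed stream mirroring the sandbox report above (not a real capture)
SAMPLE = "NICK oo38045\r\nUSER oo38045 0 * :oo38045\r\nJOIN #un\r\nMODE oo38045 +i\r\nMODE #un +mntsu\r\n"

if __name__ == "__main__":
    result = analyze_stream("comto.mybizz.info", 1560, SAMPLE)
    for r in result.reasons:
        print(f"[{result.dst}:{result.port}] {r}")
```

Run it over streams reassembled from a capture (e.g. with a flow exporter) rather than single packets, since the NICK/USER/JOIN/MODE lines usually arrive across several segments.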
-------- Original Message --------
Subject: Re: Compromised Windows Server
Date: Tue, 06 Jun 2006 10:09:47 +0200
From: Axel Pettinger <[EMAIL PROTECTED]>
Organization: API
To: [email protected]
References: <[EMAIL PROTECTED]>
Patrick Beam wrote:
>
> Came in this morning to find a windows 2003 server I manage scanning
> the Internet for machines listening on tcp 139 and 445. While
> looking at the machine I noticed the following processes running.
>
> Mwvsta.exe found in c:\windows\system32
From my own collection ...
[\winnt\system32\mwvsta.exe]
MD5 : 0fa478b74b1f64f09044df8f6b5703bb
SHA1 : 7083ec98d4997a9700f7e97aa62c1c07c02e7bef
Kaspersky : Backdoor.Win32.SdBot.gen (packed: PE_Patch, UPack)
McAfee : New Malware.aj (heuristic detection)
Norman Sandbox: http://sandbox.norman.no/live_2.html?logfile=927525
According to the Sandbox results "mwvsta.exe" connects to
"comto.mybizz.info" [206.53.51.108] on port 1560 (TCP).
> rundll16.exe c:\windows\system32
>
> Ponoas.exe c:\windows\system32
Again from my own collection ...
[\winnt\system32\ponoas.exe]
MD5 : eddf174b022954589e2d423da9b7791d
SHA1 : 162b17c5be842458f0fdffa2ccff4e8f97b6a0ff
Kaspersky : Trojan-Proxy.Win32.Ranky.gen (packed: PE_Patch, UPack)
McAfee : W32/Sdbot.worm.gen.h
Norman Sandbox: http://sandbox.norman.no/live_2.html?logfile=927526
> I believe that the ponoas.exe is some sort of rootkit although
> searching on google for this file name returns nothing.
"My" ponoas.exe certainly isn't rootkit related but comes as one of two
files in a SFX RAR archive. Such RAR archives usually contain a trojan
(i.e. SdBot variant) and a trojan proxy (often a variant of Ranky
- McAfee's name for it is "Proxy-FBSR trojan").
> Also searching mwvsta.exe returns nothing. At this point I have
> removed these files from the system
> and registry but am wary that the server will get hit again.
I recommend following the steps mentioned here (@Wes: especially if it
is a mission-critical system!):
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html#E
> Has anyone had an experience with the following file or have any idea
> what rootkit or virus they are associated with?
Maybe you should re-read the definition of a "rootkit":
http://en.wikipedia.org/wiki/Rootkit
Regards,
Axel Pettinger
_______________________________________________
All list and server information are public and available to law enforcement
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets