First of all I'd like to report that this mailing list is behaving
strangely. I get the same mail 3 or 4 times at different times and I get all
kind of messages like "Inbox full, couldn't send the message" or "I am out
of the city, I don't reply to emails" and stuff like that. I don't even have
a proper filter rule to put all the messages from forensics in a separate
folder. Rather annoying.
Ok, then. The backdoor. The only thing that found the files used by the
backdoor (AND NOTHING ELSE) was BlackLight from F-secure. It found i368p.sys
in System32/drivers and msctl32.dll in system32. It seems those were the
culprits after all.
I couldn't remove the files (or see them for that matter) from Windows XP
(at least not in normal mode). Just for safety I used Win98 and found and
removed the files. The system worked perfectly after that with no more
attempts to access https.manwithnoname.biz.
It is interesting that I couldn't see the files OR the winlogon notify
registry entry that they used to start themselves until I removed the
backdoor. i386p.sys was loaded as a service and I am not sure if I could see
it as a service before the clean up.
Searching the net I've found out that there are a lot of people that have
this but don't yet know it. Take notice of all the people that show
msctl32.dll in their Winlogon notify list in the HiJackThis logs, marked
with (file missing). It is curious that they see the notify entry, though.
It may be an older variant of what I've got.
All people that requested the files for analysis will get them this evening.
Thanks for all the messages and ideas you guys gave me.
Death to the Evil Spyware! :)
____________
Costin Manda
ECRM Europe
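The two observations in the message above, a Winlogon Notify entry whose DLL is reported "(file missing)" and files that only become visible when the system is examined from outside (the Win98 boot, BlackLight's scan), are both detection ideas that can be expressed as code. The following is an added example, not code from the post or from any of the tools it names: it parses constructed HijackThis-style "O20 - Winlogon Notify" lines (the line layout is assumed from memory of that tool's reports, not taken from the post), flags entries that point at a DLL reported missing or that match a watch list built from the name given in the post, and separately diffs a "live" directory listing against an "offline" one to show the cross-view idea behind rootkit scanners. All sample lines and listings are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample of HijackThis-style report lines (not from the post).
# The O20 layout "O20 - Winlogon Notify: <name> - <path>[ (file missing)]" is assumed.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O20 - Winlogon Notify: msctl32 - C:\WINDOWS\system32\msctl32.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: vista - C:\WINDOWS\system32\vista.dll (file missing)
"""

# Hypothetical watch list: the one DLL name the post identifies as part of the backdoor.
WATCHLIST = {"msctl32.dll"}

# Lazy path group so an optional trailing " (file missing)" is captured separately.
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>[^-]+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


@dataclass
class NotifyEntry:
    name: str      # registry subkey name under Winlogon\Notify
    path: str      # DLL path as reported
    missing: bool  # True when the report says "(file missing)"

    @property
    def dll(self) -> str:
        """Bare file name, lower-cased, regardless of path style."""
        return self.path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_notify_entries(log: str) -> list:
    """Extract every O20 Winlogon Notify entry from a report; other lines are ignored."""
    entries = []
    for line in log.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            entries.append(NotifyEntry(m["name"].strip(), m["path"].strip(), m["missing"] is not None))
    return entries


def suspicious_entries(entries, watchlist=WATCHLIST):
    """Return (entry, reasons) pairs worth a second look.

    An entry is flagged when its DLL is on the watch list, or when the report says the
    file is missing: the post notes the rootkit hid its DLL from the file system, so a
    Notify entry pointing at a file that "does not exist" is exactly what that looks like.
    """
    flagged = []
    for e in entries:
        reasons = []
        if e.dll in watchlist:
            reasons.append("known indicator")
        if e.missing:
            reasons.append("file missing (possibly hidden)")
        if reasons:
            flagged.append((e, reasons))
    return flagged


def cross_view_diff(live_listing, offline_listing):
    """Cross-view check: names present in an out-of-band listing (e.g. taken after
    booting another OS) but absent from the listing the running system reports.
    Comparison is case-insensitive because Windows file names are."""
    live = {n.lower() for n in live_listing}
    return sorted(n for n in offline_listing if n.lower() not in live)


if __name__ == "__main__":
    for entry, reasons in suspicious_entries(parse_notify_entries(SAMPLE_LOG)):
        print(f"{entry.name}: {entry.path} -> {', '.join(reasons)}")
    # Constructed listings of system32 as seen live vs. from an offline boot.
    live = ["ctfmon.exe", "crypt32.dll", "WgaLogon.dll"]
    offline = ["ctfmon.exe", "crypt32.dll", "WgaLogon.dll", "msctl32.dll"]
    print("hidden from live view:", cross_view_diff(live, offline))
```

The report parser only needs text, so it can be run over logs people post for help, as the message suggests; the cross-view diff is the same comparison a rootkit scanner makes between what the running kernel reports and what is actually on disk, reduced to two name lists.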