Don,
 
Are you running Declude also? If so:
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, January 02, 2006 4:20 AM
To: [email protected]
Subject: Re: [IMail Forum] Strange Registry Key - SMTPWIN - appears to be a hack / trojan / ...

I have been seeing this for a while but only here and there.  Recently I have noticed an increase in these registry keys.
 
When I see this happen, a username from one domain will appear in several other unrelated domains in the registry.  It is usually one or two usernames one time and a different set of usernames at other times.  As reported by others, there is only a single SMTPWIN key.  I am not convinced it is a hack or a trojan.  My gut tells me that there is a problem with IMail but I don't have anything to substantiate that claim.
 
I am running RegMon and will report back with any results.
 
Has anyone else gotten anywhere in tracking down this issue?  I did find a new article in the knowledge base (http://support.ipswitch.com/kb/IM-20051229-DM03.htm) that describes in general what this key is used for but does not address it as a problem.
 
TIA,
Don
 
----- Original Message -----
Sent: Tuesday, November 29, 2005 5:03 PM
Subject: [IMail Forum] Strange Registry Key - SMTPWIN - appears to be a hack / trojan / ...

As a follow-up to the earlier problem we went through the registry cleaner tool to identify any possible cross-linked accounts, etc.  We cleaned up a few problems.  However, what we did find is that a half dozen user accounts (i.e., mine, "culrich") now appeared under 20 different domains that it should appear in.  We went into the registry and found that there was a single registry entry for my account:

SMTPWIN    reg_sz  20,20,524,350

We saw this repeated not only for my account but a half dozen others under 20 or so domains.  We also saw that same key associated with the "USERS" folder in the registry under many domains (not necessarily the same ones) and as an entry in a handful of "valid" user accounts (i.e., 30 other keys under the user PLUS this one key).

Is anyone familiar with it?  I've been looking for info on it, can't find anything.  I wonder if it is a form of exploit, etc....

I found the thread in June 04 discussing this:

[IMail Forum] Possible Imail Hack??
http://www.mail-archive.com/[email protected]/msg85375.html

as well as:

[IMail Forum] "Double Root" problem... (FYI ???)
http://www.mail-archive.com/[email protected]/msg26363.html

but I did not find any resolution there.

I searched Google and got a link to warex.mdb.  I pulled it down but couldn't open it...  Nothing in the Ipswitch base either.

Since I started writing this, a couple more popped back into the registry, same users, wrong domains.

AND there are 5 copies of IMail1.exe running in task manager (one of the postings asked this question).

Any suggestions?

At 03:25 PM 11/29/2005, you wrote:
I don't think so, but we'll go through and double check.  Good tip.  Thanks


At 02:51 PM 11/29/2005, you wrote:
The admin account may have been compromised. Through webmail. Does an
account have domain admin access and web access???


Kevin

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Chris Ulrich
> Sent: Tuesday, November 29, 2005 11:36 AM
> To: [email protected]
> Subject: [IMail Forum] Phantom Postmaster accounts?
>
>
> We checked two of the domains on our server and, under USERS, we see:
>
> p
> po
> pos
> post
> postm
> postma
> postmas
> postmast
> postmaste
> postmaster
>
> as POP accounts....   I don't know if this is the result of a
> hack attempt,
> a glitch in IMail or something else.
>
> Has anyone seen this previously?  Our mail server is behind a firewall,
> only HTTP, Port 25 and 110 access, so I'm not *overly* concerned that
> someone is terminal servicing in to the box.  But I use "overly" pretty
> loosely right now....
>
> Has anyone seen anything like this previously?
>
> Thanks
>
>
>
> To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
> List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
> Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
> ---
> [This E-mail scanned for viruses by Declude Virus]
>
>
>
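
A defensive check for the two symptoms reported in this thread (user keys that hold only an SMTPWIN value, and the p, po, pos ... postmaster account ladder), run over a text export of the registry. This is an added example, not code from any poster or from Ipswitch; the root path placeholder, the `<domain>\Users\<user>` key layout, the example domains and all function names are assumptions.

```python
import re
from collections import defaultdict

ROOT = r"HKLM\PLACEHOLDER_IMAIL_ROOT"  # placeholder: the thread never gives the path

def key(*parts):
    return "[" + "\\".join((ROOT, *parts)) + "]"

# Constructed sample in regedit-export style; the <domain>\Users\<user> layout is assumed.
SAMPLE = "\n".join([
    key("a.example", "Users", "culrich"), '"FullName"="C Ulrich"', '"SMTPWIN"="20,20,524,350"',
    key("b.example", "Users", "culrich"), '"SMTPWIN"="20,20,524,350"',
    key("c.example", "Users"), '"SMTPWIN"="20,20,524,350"',
] + [key("c.example", "Users", "postmaster"[:n]) for n in range(1, 11)])

KEY_RE = re.compile(r'^\[.+\\(?P<domain>[^\\]+)\\Users(?:\\(?P<user>[^\\]+))?\]$')
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def parse_export(text):
    """Return {(domain, user or None): {value name: data}} for every Users key."""
    entries, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = entries.setdefault((m["domain"], m["user"]), {}) if m else None
        elif current is not None and (v := VAL_RE.match(line)):
            current[v["name"]] = v["data"]
    return entries

def smtpwin_only(entries):
    """Keys whose sole value is SMTPWIN, the stub entries described in the thread."""
    hits = [k for k, vals in entries.items() if set(vals) == {"SMTPWIN"}]
    return sorted(hits, key=lambda k: (k[0], k[1] or ""))

def stub_domains(entries):
    """user -> domains holding only a stub, when that user has a fuller key elsewhere."""
    full = {u for (_, u), vals in entries.items() if u and set(vals) - {"SMTPWIN"}}
    stubs = [(d, u) for d, u in smtpwin_only(entries) if u in full]
    return {u: [d for d, u2 in stubs if u2 == u] for _, u in stubs}

def prefix_ladders(entries, min_len=4):
    """domain -> longest user whose every shorter prefix is also a user (p, po, pos, ...)."""
    by_domain = defaultdict(set)
    for domain, user in entries:
        by_domain[domain].add(user or "")
    tops = {d: [u for u in us if len(u) >= min_len
                and all(u[:i] in us for i in range(1, len(u)))] for d, us in by_domain.items()}
    return {d: max(t, key=len) for d, t in tops.items() if t}
```

Running the three functions on exports taken at intervals shows whether stub keys and ladder accounts are still being created after a cleanup.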
