Patrick Beam wrote:
>
> Came in this morning to find a windows 2003 server I manage scanning
> the Internet for machines listening on tcp 139 and 445. While
> looking at the machine I noticed the following processes running.
>
> Mwvsta.exe found in c:\windows\system32

From my own collection ...

[\winnt\system32\mwvsta.exe]
MD5 : 0fa478b74b1f64f09044df8f6b5703bb
SHA1 : 7083ec98d4997a9700f7e97aa62c1c07c02e7bef
Kaspersky : Backdoor.Win32.SdBot.gen (packed: PE_Patch, UPack)
McAfee : New Malware.aj (heuristic detection)
Norman Sandbox: http://sandbox.norman.no/live_2.html?logfile=927525

According to the Sandbox results "mwvsta.exe" connects to "comto.mybizz.info" [206.53.51.108] on port 1560 (TCP).

> rundll16.exe c:\windows\system23
>
> Ponoas.exe c:\windows\system32

Again from my own collection ...

[\winnt\system32\ponoas.exe]
MD5 : eddf174b022954589e2d423da9b7791d
SHA1 : 162b17c5be842458f0fdffa2ccff4e8f97b6a0ff
Kaspersky : Trojan-Proxy.Win32.Ranky.gen (packed: PE_Patch, UPack)
McAfee : W32/Sdbot.worm.gen.h
Norman Sandbox: http://sandbox.norman.no/live_2.html?logfile=927526

> I believe that the ponoas.exe is some sort of rootkit although
> searching on google for this file name returns nothing.

"My" ponoas.exe certainly isn't rootkit related but comes as one of two files in a SFX RAR archive. Such RAR archives usually contain a trojan (i.e. SdBot variant) and a trojan proxy (often a variant of Ranky - McAfee's name for it is "Proxy-FBSR trojan").

> Also searching mwvsta.exe returns nothing. At this point I have
> removed these files from the system
> and registry but am wary that the server will get hit again.

I recommend following the steps mentioned here - @Wes: especially if it is a mission critical system!:

http://www.cert.org/tech_tips/win-UNIX-system_compromise.html#E

> Has anyone had an experience with the following file or have any idea
> what rootkit or virus they are associated with?

Maybe you should re-read the definition of a "rootkit":

http://en.wikipedia.org/wiki/Rootkit

Regards,
Axel Pettinger
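The reply above identifies the two binaries by MD5/SHA1 and warns that the poster's copies may not be the same build as the ones in Axel's collection. The following script is an added example, not code from the thread or from either poster: it walks a directory, hashes every file, and reports a "hash-match" only when both digests equal the values quoted in the thread, a "name-only" hit when a file merely carries one of the mentioned names (so a hash mismatch is not taken as a clean bill of health), and nothing otherwise. The demo directory and its file contents are constructed placeholders; the digests and file names come from the thread.

```python
import hashlib
import os
import tempfile

# Indicators quoted in the thread: MD5 -> (file name, Kaspersky detection name).
KNOWN_BAD_MD5 = {
    "0fa478b74b1f64f09044df8f6b5703bb": ("mwvsta.exe", "Backdoor.Win32.SdBot.gen"),
    "eddf174b022954589e2d423da9b7791d": ("ponoas.exe", "Trojan-Proxy.Win32.Ranky.gen"),
}
KNOWN_BAD_SHA1 = {
    "7083ec98d4997a9700f7e97aa62c1c07c02e7bef": "mwvsta.exe",
    "162b17c5be842458f0fdffa2ccff4e8f97b6a0ff": "ponoas.exe",
}
# File names mentioned in the thread; rundll16.exe has no hash in the thread.
SUSPECT_NAMES = {"mwvsta.exe", "ponoas.exe", "rundll16.exe"}


def hash_bytes(data):
    """Return (md5_hex, sha1_hex) for an in-memory byte string."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def hash_file(path, chunk_size=1 << 16):
    """Return (md5_hex, sha1_hex) of a file, streamed so large files are fine."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def classify(path):
    """Classify one file against the thread's indicators.

    Returns one of:
      ("hash-match", detection name)  both digests equal a quoted sample
      ("name-only", file name)        same name, different bytes: likely a
                                      different build, so a hash miss alone
                                      must not be used to clear the file
      ("clean", None)                 nothing in the indicator list
    """
    name = os.path.basename(path).lower()
    md5, sha1 = hash_file(path)
    if md5 in KNOWN_BAD_MD5 and sha1 in KNOWN_BAD_SHA1:
        return ("hash-match", KNOWN_BAD_MD5[md5][1])
    if name in SUSPECT_NAMES:
        return ("name-only", name)
    return ("clean", None)


def scan_directory(root):
    """Walk a directory tree; return {basename: verdict} for non-clean files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            verdict = classify(os.path.join(dirpath, fname))
            if verdict[0] != "clean":
                findings[fname.lower()] = verdict
    return findings


def demo():
    """Constructed demo: placeholder files in a throw-away directory, not real samples."""
    with tempfile.TemporaryDirectory() as tmp:
        sysdir = os.path.join(tmp, "system32")
        os.makedirs(sysdir)
        with open(os.path.join(sysdir, "mwvsta.exe"), "wb") as fh:
            fh.write(b"placeholder bytes, not the real binary")
        with open(os.path.join(sysdir, "notepad.exe"), "wb") as fh:
            fh.write(b"benign placeholder")
        return scan_directory(tmp)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Because the placeholder mwvsta.exe in the demo does not hash to the quoted values, it is reported as "name-only": the name alone says a file deserves a look, while only a full hash match ties it to the sample Axel analysed.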
