I couldn't specifically identify it with my quick review, but it does have
hints of being a SubSeven-like trojan as three of the file names indicate.
The serv.exe is a bit big for most of the Sub7 trojans I've found, but
otherwise there are some similar mechanisms. It's packed so it wasn't as
easy reviewing the code quickly.

How did it autorun?  From the registry?

Did it run from using the %1 trick in
HKEY_Classes_Root\exefile\shell\open\command?

Roger

********************************************************************************
*Roger A. Grimes, Computer Security Consultant
*CPA, MCSE (NT/2000), CNE (3/4), A+
*email: [EMAIL PROTECTED]
*cell: 757-615-3355
*Author of Malicious Mobile Code:  Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*****************************************************************************************

----- Original Message ----- 
From: "Michael Dorsey" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, June 14, 2003 9:18 PM
Subject: Help on malicious program rpcxserv.exe


> I was looking at the open ports on a server at one of my clients and noticed
> the server had a TCP connection that it opened to 63.98.19.244:6667. The
> offending program was "C:\WINNT\System32\rpcxserv.exe". It was also
> listening on 20+ other ports.
>
> It's registered as a service called "RPC Interface" with a description of
> "Provides Interface to remote call services over the network".
>
> There was another file called "SUB0T.dll", which had the same date and time
> as rpcxserv.exe of 2/11/03 at 18:46. Two additional files of "SUB0T.ini" and
> "SUB0T.log" were also there. The ini looks like instructions for logging
> into an IRC server. All of the files had the system and hidden attributes
> set.
>
> I'm guessing this is some kind of bot for a DoS attack and was curious if
> anyone else had seen it or knows its infection method.
>
> The server is a basic W2K, running Exchange 2000, GFI Faxmaker and Backup
> Exec.
>
> I haven't been able to find anything on the search engines or antivirus
> sites.
>
> Anyone that wants to look at the files can get them by anonymous ftp here.
> ftp://advent.gotdns.com.  The filename is "rpcxserv.zip".
>
> Thanks for any info,
>
>
> Michael Dorsey
>
>
> ---------------------------------------------------------------------------
> Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
> The Gartner Group just put Neoteris in the top of its Magic Quadrant,
> while InStat has confirmed Neoteris as the leader in marketshare.
>
> Find out why, and see how you can get plug-n-play secure remote access in
> about an hour, with no client, server changes, or ongoing maintenance.
>
> Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
> ----------------------------------------------------------------------------
>
>
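Roger's question about the "%1 trick" refers to the default value of HKEY_CLASSES_ROOT\exefile\shell\open\command, which Windows consults every time an .exe is launched. Its stock value is "%1" %* (run the requested program with its arguments); if a trojan prepends its own path, it gets executed on every program launch and re-establishes itself even after the service is removed. The script below is an added example, not code from either poster: it classifies a command string as stock, non-standard, or hijacked (extracting the prepended launcher), and on a Windows host it can read the live value with winreg. The sample values, including the EXAMPLE_TROJAN.exe path, are constructed placeholders.

```python
import re
import sys

# Stock value of HKEY_CLASSES_ROOT\exefile\shell\open\command on Windows 2000/XP.
STOCK_EXEFILE_COMMAND = '"%1" %*'

# Matches the first token of a command line: either a quoted path or a bare word.
_FIRST_TOKEN = re.compile(r'^(?:"([^"]+)"|(\S+))')


def classify_exefile_command(value: str) -> dict:
    """Classify the exefile\\shell\\open\\command value.

    Returns {"hijacked": bool, "launcher": str | None, "reason": str}.
    'launcher' is the program that would run before the requested .exe.
    """
    v = value.strip()
    if v == STOCK_EXEFILE_COMMAND:
        return {"hijacked": False, "launcher": None, "reason": "stock value"}
    if "%1" not in v:
        # Without %1 the requested executable is never passed along at all.
        return {"hijacked": True, "launcher": None,
                "reason": "no %1 placeholder; executables would not launch normally"}
    m = _FIRST_TOKEN.match(v)
    first = m.group(1) or m.group(2)
    if first == "%1":
        # e.g. '%1 %*' without quotes: unusual but still launches the target directly.
        return {"hijacked": False, "launcher": None,
                "reason": "non-standard layout, review manually"}
    # Something else runs first and is handed the real target as an argument.
    return {"hijacked": True, "launcher": first,
            "reason": "another program runs before the requested executable"}


def read_live_exefile_command():
    """Read the live value on a Windows host; returns None on other platforms."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") as key:
        value, _ = winreg.QueryValueEx(key, "")  # "" selects the (Default) value
    return value


def check_samples(samples):
    """Classify a list of constructed command strings; returns the list of results."""
    return [(s, classify_exefile_command(s)) for s in samples]


if __name__ == "__main__":
    # Constructed sample values (not taken from the reported machine).
    SAMPLES = [
        '"%1" %*',
        '%1 %*',
        r'"C:\WINNT\System32\EXAMPLE_TROJAN.exe" "%1" %*',
        'notepad.exe',
    ]
    for s, r in check_samples(SAMPLES):
        print(f"{s!r:55} hijacked={r['hijacked']!s:5} launcher={r['launcher']}  ({r['reason']})")
    live = read_live_exefile_command()
    if live is not None:
        print("live value:", live, classify_exefile_command(live))
    elif sys.platform != "win32":
        print("not on Windows, skipping live registry read")
```

On a Windows 2000 box this can be run from a normal shell, since HKEY_CLASSES_ROOT is readable by any user; pair it with a look at the service's binary path (the "RPC Interface" entry in the question) to see whether the same file appears in both places.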

