Re: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com

From: Nick FitzGerald (nick@virus-l.demon.co.uk)
Date: 05/08/02


Date: Wed, 08 May 2002 13:19:27 +1200
From: Nick FitzGerald <nick@virus-l.demon.co.uk>
To: incidents@securityfocus.com


"Edwards, David (JTS)" <Edwards.Dave@saugov.sa.gov.au> wrote:

> We've just found some instances of "netbuie.exe" running in some terminal
> server sessions here. The file was written to the Winnt\system32 directory
> about 6:00pm on Sunday and registry entries made in:
>
> HKLM\Software\Microsoft\Windows\CurrentVersion\Run
> HKLM\Software\Microsoft\Windows\Run

First, why do non-admin users even have write access to these keys?

If they don't, you clearly need to revise your site's judgments about
who is worthy of having admin (equivalent) passwords.

> It seems to be a Vb 5 PE that hits on two web sites, scorpionsearch.com and
> fastcounter.bcentral.com when run. Possibly just generating revenue for
> some bod somewhere.

It wouldn't be the first...

> Looks like the server wasn't fully patched, hfnetchk showed 6 Win2k Server
> patches missing and 2 IE6.
>
> This sounded familiar (when I first saw it) but I haven't been able to find
> any other references so I thought I'd make one :-) The worry is (of
> course) that the server is further compromised. Anyone seen this before?

Can't help you on the likely entry point, but given that non-admin
users can change crucial registry key contents or that some of your
admins are incompetent, I'm not sure that compromise via open
security vulnerabilities is the most obvious path of entry...

Anyway, aside from resolving how it got on your machines, please send
samples to your preferred antivirus developers. If this thing is
being actively spread (regardless of how) getting detection of it
into virus scanners is the best technique to reduce its continued
spread. To save you digging them out, here are the sample submission
addresses of the better-known AV developers:

   Command Software <virus@commandcom.com>
   Computer Associates (US) <virus@ca.com>
   Computer Associates (Vet/EZ) <ipevirus@vet.com.au>
   DialogueScience (Dr. Web) <Antivir@dials.ru>
   Eset (NOD32) <trnka@eset.sk>
   F-Secure Corp. <samples@f-secure.com>
   Frisk Software (F-PROT) <viruslab@f-prot.com>
   Grisoft (AVG) <virus@grisoft.cz>
   Kaspersky Labs <newvirus@kaspersky.com>
   Network Associates (McAfee) <virus_research@nai.com>
   Norman (NVC) <analysis@norman.no>
   Sophos Plc. <support@sophos.com>
   Symantec (Norton) <avsubmit@symantec.com>
   Trend Micro (PC-cillin) <virus_doctor@trendmicro.com>
     (Trend may only accept files from registered users of its
     products)

-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more
information on this free incident handling, management and tracking system
please see: http://aris.securityfocus.com
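An added example, not part of the original thread or either poster's work, showing the check Nick's reply asks for: what is registered under the machine-wide autostart keys and which principals are actually able to write there. The set of keys, the list of "trusted" writers and the crude command-line parsing are assumptions made for this example; adjust them for the site. It is meant to be run in an elevated PowerShell session on the affected server.

```powershell
# Added example (not from the original post): audit the HKLM autostart keys
# discussed in the thread. For each key it lists every value (name, command
# line, whether the referenced file exists) and then prints every Allow ACE
# that grants write-class rights, flagging principals outside $trustedWriters.
# The key list and $trustedWriters are assumptions for this example.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'   # legacy "Run"/"Load" values live here
)

# Principals expected to be able to change autostart entries (assumed set).
$trustedWriters = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

# Registry rights that let a caller add or change an autostart entry.
$writeRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::WriteKey -bor
               [System.Security.AccessControl.RegistryRights]::FullControl

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    Write-Host "== $key"

    # 1. What is set to start. Get-ItemProperty adds PSPath/PSParentPath/...
    #    properties of its own, so values whose names start with "PS" are skipped.
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }
        $cmd = [string]$p.Value
        # Crude executable extraction: first quoted token, else first space-separated token.
        $exe = if ($cmd -match '^"([^"]+)"') { $matches[1] } else { ($cmd -split ' ')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $exists = $false
        if (-not [string]::IsNullOrWhiteSpace($exe)) {
            # Bare names (e.g. "rundll32.exe ...") are resolved via PATH with Get-Command.
            $exists = (Test-Path -LiteralPath $exe) -or
                      [bool](Get-Command $exe -ErrorAction SilentlyContinue)
        }
        "   {0,-28} {1}  [file found: {2}]" -f $p.Name, $cmd, $exists
    }

    # 2. Who can write here. Any Allow ACE carrying write-class rights for a
    #    principal not in $trustedWriters is the kind of misconfiguration the
    #    reply above is pointing at.
    $acl = Get-Acl -Path $key
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.RegistryRights -band $writeRights) -eq 0) { continue }
        $who  = $ace.IdentityReference.Value
        $flag = if ($trustedWriters -contains $who) { '' } else { '  <-- UNEXPECTED WRITER' }
        "   write access: {0} ({1}){2}" -f $who, $ace.RegistryRights, $flag
    }
}
```

Inherited ACEs are included in `$acl.Access`, so a loose ACL on `HKLM\SOFTWARE` itself shows up here too. Generic access bits that do not map to named `RegistryRights` members print as raw integers; treat those as worth a closer look rather than ignoring them.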
