Re: Mysterious file - WINXPINIT.EXE
From: Lance (lltbhill_at_link_earth.net)
Date: 09/14/04
- Next message: RA: "Re: notice of problem with new Ad-Aware version 1.04"
- Previous message: doc: "Also..."
- In reply to: Jim Tompkins: "Re: Mysterious file - WINXPINIT.EXE"
- Next in thread: Malke: "Re: Mysterious file - WINXPINIT.EXE"
- Reply: Malke: "Re: Mysterious file - WINXPINIT.EXE"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 14 Sep 2004 12:06:54 -0700
New Spybot variant. Symantec has released new virus defs on Sep 13:
<http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.dnb.html>
<http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.dnc.html>
Someone else ran into something very similar, here's the Google:
http://tinyurl.com/4sg4x
He had a problem with a file named bling.exe, but I see some of the
other files are similar to yours.
Also, look here for a bit more info:
http://isc.sans.org/diary.php?date=2004-09-12
Lance
*****
Jim Tompkins said the following on 9/14/2004 8:45 AM:
> I found your post while performing a search on "winxpinit.exe".
> Although I have not found this file on any machines on my network, I
> found (2) batch files on my (previously infected) server that
> referenced winxpinit. I thought you might be interested in this
> information.
>
> Let me step back a little.
>
> Last Friday our network got hit with a virus of some type that was
> preventing web page access to the internet. We could ping outside
> addresses, but could not browse the internet. After tearing down the
> network and isolating the machines I found out that I could access web
> pages when my laptop and the router were segregated from everything
> else. In other words I made an isolated network with my laptop and the
> router using a hub. When I plugged our W2K Server into this network
> web page access went down. I ran Ethereal and captured the packets
> before and after plugging the server into the isolated network. The
> server was sending out tcp packets to random addresses in the
> 192.168.x.x ranges. Each of these packets was destined for port 445.
> There were a ton of them. I am not a network guru, but I believe these
> packets were interfering with web access.
>
> After playing around I found out that these packets did not appear
> when the server was not logged on, so I used Remote Task Manager (RTM)
> to take a snapshot of the processes running before and after login.
> I found a process called svhost.exe NOT svchost.exe running. I viewed
> the netstat page in RTM and saw that there were a lot of ports talking
> on the server. In short, killing this process stopped the suspicious
> packets from being transmitted on the isolated network and web page
> access came back again.
>
> I found this same process (system32\svhost.exe) and associated
> registry entries on all the machines in our network that authenticate
> with the W2K server (DC).
> I had someone helping me during all this, and he was insistent on
> putting the network back together and installing Symantec Antivirus
> Corporate on the server and dispatching it to all the machines. We did
> this after I had cleaned the server and only a couple of the other
> machines. During this process the virus (svhost.exe) had propagated
> itself back onto the server and another machine. Symantec did not find
> any virus BTW.
>
> Before calling it quits (it was 1:30am), I cleaned the server again
> (killed the process, deleted the svhost file, and removed registry
> entries) and I unplugged everything from the network. I wanted to see
> if the server would become reinfected by itself. It did not.
>
> On Sunday I individually cleaned each machine and tested them on a hub
> with my laptop for the suspicious packets. During this process I
> copied a few of the virus files to floppy. Once I got the network back
> up I used McAfee Enterprise and scanned the disk I had made. McAfee
> reported that the file had the W32/sdbot.worm.gen.h virus.
>
> After all this I did a search on all the machines for files created
> around the timeframe the network 1st went haywire. On each machine I
> found (3) files: "o", "debug.txt", and "DCPROMO". Each of these files
> was created within a second of the others. The "o" file appears to be a batch
> file, and the debug.txt file has log entries about exploiting various
> IP addresses and transferring svhost.exe.
>
> On the server I found two additional files of interest to you. The 1st
> had no name or extension and had the following commands:
>
> open xxx.xxx.xxx.xxx 12895 (I left out the external IP; it appears
> to be a DSL router, maybe another customer of our ISP)
> user a a
> binary
> GET winxpinit.exe
> bye
>
> The second file had some ftp commands and the following line:
> winxpinit.exe
>
> Let me know if you find anything out about this file.
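The quoted report gives two concrete indicators that a defender could check for mechanically: a single host opening TCP connections to port 445 on many random private addresses in a short burst, and a process whose name is one character away from a legitimate system binary (svhost.exe next to svchost.exe). The script below is an added example, not code from this thread or from either poster; its packet-summary lines and process list are constructed here to resemble what an Ethereal or tcpdump summary and a task-manager listing would show, and the thresholds (8 distinct targets in 5 seconds, edit distance 2) are assumptions chosen for the sample, not values from the post.

```python
"""Added example (not from the original thread): flag the two indicators the
quoted report describes -- a host spraying TCP port 445 at many random
private addresses, and a process named to look like svchost.exe.
All sample input below is constructed; it is not a capture from the poster."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed tcpdump/Ethereal-style summary lines: "time src:port > dst:port flags".
# The first host behaves like the infected W2K server in the report; the
# second is ordinary web traffic and must not be flagged.
SAMPLE_PACKETS = """\
12:06:01.000 192.168.1.10:1044 > 192.168.37.201:445 S
12:06:01.002 192.168.1.10:1045 > 192.168.212.9:445 S
12:06:01.004 192.168.1.10:1046 > 192.168.5.77:445 S
12:06:01.006 192.168.1.10:1047 > 192.168.190.3:445 S
12:06:01.008 192.168.1.10:1048 > 192.168.88.140:445 S
12:06:01.010 192.168.1.10:1049 > 192.168.233.61:445 S
12:06:01.012 192.168.1.10:1050 > 192.168.14.18:445 S
12:06:01.014 192.168.1.10:1051 > 192.168.101.99:445 S
12:06:01.016 192.168.1.10:1052 > 192.168.56.2:445 S
12:06:01.018 192.168.1.10:1053 > 192.168.9.250:445 S
12:06:03.500 192.168.1.20:3201 > 192.168.1.1:80 S
12:06:03.900 192.168.1.20:3202 > 192.168.1.1:80 S
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) (?P<flags>\S+)$"
)


def parse_packets(text):
    """Parse summary lines into (timestamp, src, dst, dport, flags) tuples."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected summary format
        ts = datetime.strptime(m.group("ts"), "%H:%M:%S.%f")
        out.append((ts, m.group("src"), m.group("dst"),
                    int(m.group("dport")), m.group("flags")))
    return out


def find_scanners(packets, port=445, min_targets=8, window=timedelta(seconds=5)):
    """Return {src: most distinct targets seen} for hosts that sent SYNs to at
    least min_targets distinct addresses on `port` inside a sliding window.
    Thresholds are assumptions for this example, not values from the report."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, flags in packets:
        if dport == port and "S" in flags:  # SYN toward the SMB port
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            targets = {d for _, d in events[start:end + 1]}
            if len(targets) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits


# A few well-known Windows system binaries that malware likes to imitate.
KNOWN_SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe"}


def _edit_distance(a, b):
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_processes(names, max_distance=2):
    """Map each process name that is close to, but not exactly, a known system
    binary onto the name it imitates (svhost.exe -> svchost.exe)."""
    flagged = {}
    for name in names:
        n = name.lower()
        if n in KNOWN_SYSTEM_NAMES:
            continue  # the genuine binary is never a look-alike of itself
        for known in sorted(KNOWN_SYSTEM_NAMES):
            if _edit_distance(n, known) <= max_distance:
                flagged[name] = known
                break
    return flagged


if __name__ == "__main__":
    print("port-445 scanners:", find_scanners(parse_packets(SAMPLE_PACKETS)))
    print("look-alike processes:",
          lookalike_processes(["svchost.exe", "svhost.exe", "explorer.exe"]))
```

Run stand-alone, the script reports 192.168.1.10 as a port-445 scanner (ten distinct targets within the window) and maps svhost.exe to svchost.exe while leaving the genuine svchost.exe and explorer.exe alone. Against a real capture you would feed it the equivalent summary lines; the sliding window is what separates a worm's burst of SYNs from the occasional legitimate SMB connection to a file server.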