Re: Mysterious file - WINXPINIT.EXE
From: JZ (themayor_at_adelphia.net)
Date: 09/16/04
- Next message: anonymous_at_discussions.microsoft.com: "Can't delete registry references to svxhost.exe"
- Previous message: David H. Lipman: "Re: rapidblaster"
- In reply to: Jim Tompkins: "Re: Mysterious file - WINXPINIT.EXE"
- Next in thread: Jim Byrd: "Re: Mysterious file - WINXPINIT.EXE"
Date: Wed, 15 Sep 2004 23:29:29 -0400
Thanks everyone for your input. I did find the .pif and c.bat files on the
computers.
The one additional piece that I have found on this SDBOT variant is that if
the machines (in our case Windows 2000 OS) have the latest Windows updates,
then it seems to keep the machines from getting re-infected.
I will post any new information as I get it.
"Jim Tompkins" <tompkins@oct.net> wrote in message
news:23df1c90.0409140811.48337c36@posting.google.com...
> I found your post while performing a search on "winxpinit.exe".
> Although I have not found this file on any machines on my network, I
> found (2) batch files on my (previously infected) server that
> referenced winxpinit. I thought you might be interested in this
> information.
>
> Let me step back a little.
>
> Last Friday our network got hit with a virus of some type that was
> preventing web page access to the internet. We could ping outside
> addresses, but could not browse the internet. After tearing down the
> network and isolating the machines I found out that I could access web
> pages when my laptop and the router were segregated from everything
> else. In other words, I made an isolated network with my laptop and the
> router using a hub. When I plugged our W2K Server into this network,
> web page access went down. I ran Ethereal and captured the packets
> before and after plugging the server into the isolated network. The
> server was sending out TCP packets to random addresses in the
> 192.168.x.x ranges. Each of these packets was destined for port 445.
> There were a ton of them. I am not a network guru, but I believe these
> packets were interfering with web access.
>
> After playing around I found out that these packets did not appear
> when the server was not logged on, so I used Remote Task Manager (RTM)
> to take a snapshot of the processes running before and after login.
> I found a process called svhost.exe, NOT svchost.exe, running. I viewed
> the netstat page in RTM and saw that there were a lot of ports talking
> on the server. In short, killing this process stopped the suspicious
> packets from being transmitted on the isolated network and web page
> access came back again.
>
> I found this same process (system32\svhost.exe) and associated
> registry entries on all the machines in our network that authenticate
> with the W2K server (DC).
> I had someone helping me during all this, and he was insistent on
> putting the network back together and installing Symantec Antivirus
> Corporate on the server and dispatching it to all the machines. We did
> this after I had cleaned the server and only a couple of the other
> machines. During this process the virus (svhost.exe) had propagated
> itself back onto the server and another machine. Symantec did not find
> any virus BTW.
>
> Before calling it quits (it was 1:30am), I cleaned the server again
> (killed the process, deleted the svhost file, and removed registry
> entries) and I unplugged everything from the network. I wanted to see
> if the server would become reinfected by itself. It did not.
>
> On Sunday I individually cleaned each machine and tested them on a hub
> with my laptop for the suspicious packets. During this process I
> copied a few of the virus files to floppy. Once I got the network back
> up I used McAfee Enterprise and scanned the disk I had made. McAfee
> reported that the file had the W32/sdbot.worm.gen.h virus.
>
> After all this I did a search on all the machines for files created
> around the timeframe the network 1st went haywire. On each machine I
> found (3) files: "o", "debug.txt", and "DCPROMO". Each of these files
> was created within a second of the others. The "o" file appears to be a batch
> file, and the debug.txt file has log entries about exploiting various
> IP addresses and transferring svhost.exe.
>
> On the server I found two additional files of interest to you. The 1st
> had no name or extension and had the following commands:
>
> open xxx.xxx.xxx.xxx 12895 (I left out the external IP) it appears
> to be a dsl router, maybe another customer of our isp
> user a a
> binary
> GET winxpinit.exe
> bye
>
> The second file had some ftp commands and the following line:
> winxpinit.exe
>
> Let me know if you find anything out about this file.
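As an added example (not code from the thread or from either poster), the two tells Jim describes, the port-445 SYN spray across random 192.168.x.x hosts and the svhost.exe/svchost.exe lookalike process, turned into detection logic over constructed sample data. The packet-summary line format and the process list are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed packet-summary lines (src -> dst:port flags): one host SYN-scanning
# port 445 on random 192.168.x.x addresses, another host just browsing the web.
SAMPLE_PACKETS = """\
192.168.1.10 -> 192.168.37.201:445 SYN
192.168.1.10 -> 192.168.200.14:445 SYN
192.168.1.10 -> 192.168.5.77:445 SYN
192.168.1.10 -> 192.168.90.3:445 SYN
192.168.1.10 -> 192.168.12.250:445 SYN
192.168.1.10 -> 192.168.66.8:445 SYN
192.168.1.22 -> 192.168.1.1:80 SYN
192.168.1.22 -> 192.168.1.1:80 ACK
"""
PACKET_RE = re.compile(r"^(\S+) -> (\S+):(\d+) (\S+)$")

def find_port445_sprayers(capture_text, min_distinct_targets=5):
    """Return {src: distinct 192.168.x.x hosts it SYN'd on 445} for sources over the threshold."""
    targets = defaultdict(set)
    for line in capture_text.splitlines():
        m = PACKET_RE.match(line.strip())
        if m:
            src, dst, port, flags = m.groups()
            if port == "445" and flags == "SYN" and dst.startswith("192.168."):
                targets[src].add(dst)
    return {s: len(d) for s, d in targets.items() if len(d) >= min_distinct_targets}

# Constructed process snapshot, as taken with a task-manager tool before/after login.
SAMPLE_PROCESSES = [r"C:\WINNT\system32\svchost.exe",
                    r"C:\WINNT\system32\svhost.exe", r"C:\WINNT\system32\lsass.exe"]
LEGIT_SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}

def edit_distance(a, b):
    """Levenshtein distance, used to catch names that drop or swap one letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_lookalike_processes(paths):
    """Return (path, legit_name) for image names one edit away from a real system process."""
    hits = []
    for p in paths:
        name = p.rsplit("\\", 1)[-1].lower()
        if name not in LEGIT_SYSTEM_NAMES:
            hits += [(p, legit) for legit in sorted(LEGIT_SYSTEM_NAMES) if edit_distance(name, legit) == 1]
    return hits
```

Real capture output would need its own parser, but the rule is the same: one source reaching many distinct internal hosts on 445 with bare SYNs is a spread pattern, not ordinary file sharing.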