Re: WINSSH.EXE and WINSRT.EXE SQL Virus



From: <xphile2k@xxxxxxxxxxx>

| Hello,
| Has anyone else been attacked by this w32.spybot variant(s) ?
|
| Symantec is our AV protection and as of 12.20.2005 only catches
| winssh.exe.
|
| It's apparently using the MSSQLSERVER service on systems with unpatched
| SQL v7 or SQL 2000.
|
| We have the manual clean (stop process / clean registry / patch SQL)
| but are still having some issues.
|
| A cleaning utility is not present and Symantec doesn't even have an
| update on the product.
|
| Anyone else seeing this? If so, how are you reacting (automation of
| removal is our goal).
|
| Thanks,
| Mike
| xphile2k at hot mail dot com

I was not aware that the SpyBot worm was using SQL ports as a vector of infection. I know
it was using TCP ports 135, 139 and 445 to exploit weak security settings and to exploit
LSASS and RPC vulnerabilities.
http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

A search at Symantec for spybot and SQL did turn up...
W32.Spybot.IVQ --
http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.ivq.html
Which is almost a year old so it is nothing new.

McAfee yields what McAfee calls an Sdbot variant.
W32/Sdbot.worm!166912 -- http://vil.nai.com/vil/content/v_131354.htm

* propagates to machines vulnerable to the following exploits: RPC/RPCSS DCOM and LSASS
vulnerabilities
* propagates to machines with poorly secured network shares (weak username/password
combinations)
* propagates to MySQL and Microsoft SQL servers that are poorly secured (again weak
username/password combinations)
* propagates to remote machines (it generates random IPs) by attempting to copy itself to a
number of shares
* provides a backdoor to the victim machine, thereby compromising data on that machine
(significant remote access functionality is available to the hacker)


You need to download the following tool to all infected computers and download the needed
signature files for McAfee, Sophos and Trend Micro. Then disconnect the PC from the network
and then scan the computer. The infected computer(s) must then be examined with an eye for
securing it. So you need to make sure that all PCs are properly secured with strong
passwords (10 characters that include: 2 uppercase, 2 lowercase, 2 numbers and 2 special chars.)
and all security patches installed, paying attention to those associated with RPC/RPCSS DCOM,
LSASS and MySQL.

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
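Since Mike's stated goal is automating the manual clean (stop process / clean registry) and Dave's advice is strong passwords, the script below is an added triage helper, not code from the thread, from Symantec/McAfee, or from the Multi_AV tool. The only indicators the thread gives are the file names winssh.exe and winsrt.exe (no hashes, paths, service names or registry values), so the script matches on those names alone. It assumes the worm stays resident through one of the standard autostart Run keys (the thread only says "clean registry"), and it takes "special chars" in the password policy to mean printable non-alphanumeric characters. The tasklist output and Run-key contents embedded in it are constructed samples so the logic runs offline on any platform; on Windows it queries the live process list and registry instead.

```python
"""Triage helper for the winssh.exe / winsrt.exe cleanup discussed in the thread.

Added example, not code from the thread or from any AV vendor. Assumes the
worm persists via a standard autostart Run key (the thread only says "clean
registry") and that the file names quoted in the thread are the only indicators.
"""
import csv
import io
import re
import subprocess
import sys

# Indicators named in the thread.
INDICATORS = ("winssh.exe", "winsrt.exe")

# Match an indicator as a whole file name inside a path or command line,
# case-insensitively, e.g. 'C:\WINNT\system32\winssh.exe -s'.
_INDICATOR_RE = re.compile(
    r"(?<![A-Za-z0-9_.-])(" + "|".join(re.escape(i) for i in INDICATORS)
    + r")(?![A-Za-z0-9_.-])",
    re.IGNORECASE,
)

# Standard autostart locations to inspect (assumption: the worm uses one of these).
RUN_KEYS = (
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
)


def indicator_in(text):
    """Return the indicator file name found in text (lower-cased), or None."""
    m = _INDICATOR_RE.search(text)
    return m.group(1).lower() if m else None


def suspicious_processes(tasklist_csv):
    """Parse 'tasklist /FO CSV' output; return (image, pid) pairs that match an indicator."""
    hits = []
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        if indicator_in(row["Image Name"]):
            hits.append((row["Image Name"].lower(), int(row["PID"])))
    return hits


def suspicious_run_values(values):
    """values: {value_name: command_line} read from one Run key.
    Return the value names whose data launches an indicator file."""
    return [name for name, data in values.items() if indicator_in(data)]


def meets_password_policy(pw):
    """Policy stated in the thread: at least 10 characters including at least
    2 uppercase, 2 lowercase, 2 digits and 2 special characters.
    'Special' is taken as printable, non-space, non-alphanumeric (assumption)."""
    if len(pw) < 10:
        return False
    upper = sum(c.isupper() for c in pw)
    lower = sum(c.islower() for c in pw)
    digits = sum(c.isdigit() for c in pw)
    special = sum((not c.isalnum()) and c.isprintable() and not c.isspace() for c in pw)
    return min(upper, lower, digits, special) >= 2


# Constructed sample of 'tasklist /FO CSV' output (not captured from a real host).
SAMPLE_TASKLIST = (
    '"Image Name","PID","Session Name","Session#","Mem Usage"\n'
    '"sqlservr.exe","1120","Console","0","21,544 K"\n'
    '"winssh.exe","1532","Console","0","3,212 K"\n'
    '"WINSRT.EXE","1540","Console","0","2,980 K"\n'
    '"explorer.exe","1764","Console","0","14,036 K"\n'
)

# Constructed Run-key contents for the same illustration (value names are made up).
SAMPLE_RUN_VALUES = {
    "SynTPLpr": r"C:\Program Files\Synaptics\SynTP\SynTPLpr.exe",
    "Windows SSH": r"C:\WINNT\system32\winssh.exe",
    "Real Time": r'"C:\WINNT\system32\winsrt.exe" -s',
}


def live_report():
    """Windows only: query the real process list and the Run keys listed above."""
    out = subprocess.run(["tasklist", "/FO", "CSV"], capture_output=True,
                         text=True, check=True).stdout
    import winreg  # only available on Windows
    roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    reg_hits = []
    for root, path in RUN_KEYS:
        try:
            key = winreg.OpenKey(roots[root], path)
        except OSError:
            continue  # key absent on this OS version
        values, i = {}, 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            values[name] = str(data)
            i += 1
        for name in suspicious_run_values(values):
            reg_hits.append(f"{root}\\{path}\\{name} = {values[name]}")
    return suspicious_processes(out), reg_hits


if __name__ == "__main__":
    if sys.platform == "win32":
        procs, reg_hits = live_report()
    else:
        procs = suspicious_processes(SAMPLE_TASKLIST)
        reg_hits = suspicious_run_values(SAMPLE_RUN_VALUES)
    print("indicator processes:", procs)
    print("indicator autostart entries:", reg_hits)
    for pw in ("Password1!", "Ab12!@cdEF"):
        print(pw, "meets policy" if meets_password_policy(pw) else "fails policy")
```

The script only reports; killing the processes and deleting the Run values is left to the operator so that the findings can be reviewed first, and patching SQL Server afterwards is still required, since a clean host with a weak sa password or an unpatched LSASS/RPC will simply be reinfected from the next random IP the worm tries.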

