SuS "trojan" in XP -- Changes OS and creates "virtual" remote desk

From: SRGriffin (SRGriffin_at_discussions.microsoft.com)
Date: 04/16/05


Date: Sat, 16 Apr 2005 01:31:03 -0700

I have a small network of XP machines, mostly XP Home, that appear to have a
SUS installation that propagates to them. It looks like it installs an NT or
2000 headless boot (maybe XP Embedded??) and gives me a remote desktop that
looks exactly like XP, but has a lot of strange behavior (looks like NT or
2000 is installed, all devices are legacy, network traffic is forwarded from
loopback to "host", don't seem to have full permissions, etc.)

I've been trying to figure this one out for months and keep thinking I'm
just paranoid. Not being an XP expert (silicon and systems design), it took
me a while to find all the pieces, and I'm still sorting them out.

I'm DEFINITELY on a remote desktop, SUS is installed, the MMC console appears to
be modified (mmccmdmgr.dll) w/ VB6, and the CD-ROM(s) are redirected and don't
give me what's really on them or "read them". Downloaded packages are
"signed", but the time stamp is off by a year or more, and they contain
things they shouldn't.

The USB drivers I downloaded from ViaForum are filled with QFE files, for
instance.

Even a Ghost diskwipe doesn't seem to get everything (Thinking it writes
stuff into the BIOS DMI).

All virus scans and spyware come back negative, but have realized, at least
in some cases, it either kills the app I started (Norton 2005) and starts an
older version (Norton 2002) or else it scans a clean part of the disk only.
(There's some disk space I can't access and found some code that looked like
it would return a "sector error" w/o the key).

I know this sounds like the ultimate paranoid delusion, but I'm sure it's
there. Although, to be fair, until December when this first started to become
obvious, my security inside the firewall was pretty terrible. Since I had
tons of development stuff -- compilers, VMware, bits of old OSes in archives
-- it's possible someone or some program had a lot of time to set all this
stuff up. I also had 2003 Server on the network, just to install (and
thought I had removed all the others from the network), and could have done
something then... although nothing intentional and certainly not to the extent
that I see (like NT/2000 files).

My first question is: What's the cleanest way to remove SuS and get the
correct CAT files back and being referenced on XP Home? (SFC scan asks for a
2000 disk, which I obviously don't have).

Second question: While this may just be me, I've seen similar behavior on
friends' computers (although they've all had some sort of contact with my
environment). Is there a quick way to detect SUS and some boot server
running?

Last question: Anyone EVER heard of this? Is this a known issue I just
haven't been able to find anything about?

I'm happy to share bunches of data with anyone that wants it (or thinks I'm
just paranoid;). I'm currently thinking I'll be able to hook the 2003 server
back up and fix them through group and local policy changes, but it would be
nice if there was an easier fix.

Regards,
SRGriffin
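
The poster's second question (a quick way to tell whether a client has been
pointed at a SUS server) has a concrete answer: SUS and its successor WSUS
redirect Automatic Updates through the policy keys under
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (WUServer and
WUStatusServer) and its AU subkey (UseWUServer, AUOptions, NoAutoUpdate). The
following script is an added example, not part of the original post or any
Microsoft tool; it reads those values, reports whether the box is redirected,
and can remove the redirection. It assumes a Windows client with PowerShell
(the function names are hypothetical); on a stock XP box without PowerShell the
same keys can be listed with reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /s.

```powershell
# Added example (not from the original post): detect and undo SUS/WSUS client
# redirection via the Automatic Updates policy keys.
# Assumptions: Windows with PowerShell 2.0 or later; local Administrator rights
# for the removal step. Registry paths are the standard AU policy locations.

$WuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicyKey = "$WuPolicyKey\AU"

function Get-SusClientConfig {
    # Read both policy keys; missing keys simply yield empty properties.
    $wu = Get-ItemProperty -Path $WuPolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuPolicyKey -ErrorAction SilentlyContinue
    $svc = Get-Service -Name wuauserv -ErrorAction SilentlyContinue

    New-Object PSObject -Property @{
        WUServer       = $wu.WUServer        # intranet server that serves update content
        WUStatusServer = $wu.WUStatusServer  # server the client reports status to
        UseWUServer    = $au.UseWUServer     # 1 = honour WUServer instead of Windows Update
        AUOptions      = $au.AUOptions       # 2 notify, 3 download, 4 scheduled install
        NoAutoUpdate   = $au.NoAutoUpdate    # 1 = Automatic Updates disabled by policy
        ServiceStatus  = if ($svc) { $svc.Status } else { 'NotInstalled' }
    }
}

function Test-SusRedirected {
    param([Parameter(Mandatory=$true)] $Config)
    # Redirection is only effective when a server is named AND AU is told to use it.
    return ($Config.UseWUServer -eq 1) -and
           -not [string]::IsNullOrEmpty($Config.WUServer)
}

function Remove-SusRedirection {
    # Delete the policy values so the client falls back to Microsoft's servers.
    # NOTE: if a domain GPO sets these values they will be re-applied at the next
    # policy refresh; fix (or unlink) the GPO on the 2003 server in that case.
    foreach ($name in 'WUServer', 'WUStatusServer') {
        Remove-ItemProperty -Path $WuPolicyKey -Name $name -ErrorAction SilentlyContinue
    }
    Remove-ItemProperty -Path $AuPolicyKey -Name 'UseWUServer' -ErrorAction SilentlyContinue
    Restart-Service -Name wuauserv -ErrorAction SilentlyContinue
}

$config = Get-SusClientConfig
$config | Format-List WUServer, WUStatusServer, UseWUServer, AUOptions, NoAutoUpdate, ServiceStatus

if (Test-SusRedirected $config) {
    Write-Output "Automatic Updates is redirected to: $($config.WUServer)"
    Write-Output "If you do not run that server, call Remove-SusRedirection as Administrator."
} else {
    Write-Output "No SUS/WSUS redirection in policy; client uses Windows Update directly."
}
```

The check is deliberately two-part: a stale WUServer value with UseWUServer
absent or 0 is harmless, while UseWUServer=1 with a server you do not recognise
is the condition worth chasing. Run it on each machine on the LAN and compare
the WUServer values; a server name none of you own is the thing to investigate.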
