Re: SuS "trojan" in XP -- Changes OS and creates "virtual" remote desk

From: andy smart (anonymus_at_discussions.microsoft.com)
Date: 04/18/05


Date: Mon, 18 Apr 2005 15:10:05 +0100

SRGriffin wrote:
> I have a small network of XP machines, mostly XP Home, that appear to have an
> SUS installation that propagates to them. It looks like it installs an NT or
> 2000 headless boot (maybe XP Embedded??) and gives me a remote desktop that
> looks exactly like XP, but has a lot of strange behavior (looks like NT or
> 2000 is installed, all devices are legacy, network traffic is forwarded from
> loopback to "host", I don't seem to have full permissions, etc.)
>
> I've been trying to figure this one out for months and keep thinking I'm
> just paranoid. Not being an XP expert (silicon and systems design), it took
> me a while to find all the pieces I'm still sorting out.
>
> I'm DEFINITELY on a remote desktop, SUS is installed, the MMC console appears to
> be modified (mmccmdmgr.dll) w/ VB6, and the CD-ROM(s) are redirected and don't
> give me what's really on them or "read them". Downloaded packages are
> "signed", but the time stamp is off by a year or more, and they contain
> things they shouldn't.
>
> The USB drivers I downloaded from ViaForum are filled with QFE fills for
> instance.
>
> Even a Ghost diskwipe doesn't seem to get everything (Thinking it writes
> stuff into the BIOS DMI).
>
> All virus scans and spyware come back negative, but have realized, at least
> in some cases, it either kills the app I started (Norton 2005) and starts an
> older version (Norton 2002) or else it scans a clean part of the disk only.
> (There's some disk space I can't access and found some code that looked like
> it would return a "sector error" w/o the key).
>
> I know this sounds like the ultimate paranoid delusion, but I'm sure it's
> there. Although to be fair, until December when this first started to become
> obvious, my security inside the firewall was pretty terrible. Since I had
> tons of development stuff -- compilers, VM Ware, bits of old OSes in archives
> -- it's possible someone or some program had a lot of time to set all this
> stuff up. I also had 2003 Server on the network, just to install (and
> thought I had removed all the others from the network), and could have done
> something then... although nothing intentional and certainly not to the extent
> that I see (like NT/2000 files).
>
> My first question is: What's the cleanest way to remove SUS and get the
> correct CAT files back and being referenced on XP Home? (SFC scan asks for a
> 2000 disk, which I obviously don't have.)
>
> Second question: While this may just be me, I've seen similar behavior on
> friends' computers (although they've all had some sort of contact with my
> environment). Is there a quick way to detect SUS and some boot server
> running?
>
> Last question: Anyone EVER heard of this? Is this a known issue I just
> haven't been able to find anything about?
>
> I'm happy to share bunches of data with anyone that wants it (or thinks I'm
> just paranoid;). I'm currently thinking I'll be able to hook the 2003 server
> back up and fix them through group and local policy changes, but it would be
> nice if there was an easier fix.
>
> Regards,
> SRGriffin
Can you boot it from a disk, and then run some scans from there?
