Incidents
Compromised Windows Server Jun 05 2006 07:27PM Patrick Beam (patrick beam gmail com) (8 replies)
Re: Compromised Windows Server Jun 06 2006 03:09PM Patrick Beam (patrick beam gmail com) (1 replies)
> Came in this morning to find a windows 2003 server I manage scanning the
> Internet for machines listening on tcp 139 and 445. While looking at the
> machine I noticed the following processes running.
>
> Mwvsta.exe found in c:\windows\system32
> rundll16.exe c:\windows\system23
> Ponoas.exe c:\windows\system32
>
> I believe that the ponoas.exe is some sort of rootkit although searching on
> google for this file name returns nothing. Also searching
> mwvsta.exe returns nothing. At this point I have removed these files
> from the system and registry but am wary that the server will get hit again.
To be sure, you need to re-install from known-good media.
> Has anyone had an experience with the following file or have any idea what rootkit or
> virus they are associated with?
Some viruses use random filenames. If you've deleted them then there's
no way to tell for sure what they were - if you do have them, send the
files to http://www.virustotal.com/ for a diagnosis - though I would
still re-install the box.
cheers,
Jamie
--
Jamie Riden / jamesr (at) europe (dot) com [email concealed] / jamie.riden (at) computer (dot) org [email concealed]
NZ Honeynet project - http://www.nz-honeynet.org/
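The symptom that opened this thread, a server sweeping the Internet for hosts listening on tcp 139 and 445, is easy to spot from perimeter or flow logs well before anyone notices odd processes. The following is an added example, not code from the thread or from either poster: it parses constructed firewall log lines in an assumed "time src:port -> dst:port proto" format and flags any internal host whose outbound SMB connections fan out to many distinct external addresses.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the thread); the line format is an assumption.
SAMPLE_LOG = """\
07:01:02 10.0.0.5:1025 -> 203.0.113.10:445 tcp
07:01:02 10.0.0.5:1026 -> 203.0.113.11:445 tcp
07:01:02 10.0.0.5:1027 -> 203.0.113.12:139 tcp
07:01:03 10.0.0.5:1028 -> 203.0.113.13:445 tcp
07:01:03 10.0.0.5:1029 -> 203.0.113.14:445 tcp
07:01:03 10.0.0.5:1030 -> 203.0.113.15:139 tcp
07:01:04 10.0.0.7:3301 -> 10.0.0.2:445 tcp
07:01:05 10.0.0.7:3302 -> 10.0.0.2:445 tcp
07:01:06 10.0.0.9:4000 -> 198.51.100.7:80 tcp
"""

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")
SMB_PORTS = {139, 445}

def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, sport, dst, dport, proto = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}

def is_private(ip):
    """RFC 1918 check: SMB to internal hosts is normal, fan-out to the Internet is not."""
    return ip.startswith("10.") or ip.startswith("192.168.") or \
        any(ip.startswith(f"172.{i}.") for i in range(16, 32))

def find_smb_scanners(log_text, min_targets=5):
    """Return {src_ip: sorted distinct external targets} for hosts whose outbound
    tcp/139 or tcp/445 connections reach at least min_targets distinct external IPs."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] not in SMB_PORTS:
            continue
        if is_private(rec["dst"]):
            continue  # internal file-sharing traffic, not a sweep
        targets[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}

if __name__ == "__main__":
    for src, dsts in find_smb_scanners(SAMPLE_LOG).items():
        print(f"{src}: {len(dsts)} external SMB targets, e.g. {dsts[:3]}")
```

The threshold is deliberately low for the sample; on a real perimeter the count of distinct external destinations per host per minute is the figure to baseline, since a single worm-infected box typically produces hundreds.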