Incidents
Compromised Windows Server Jun 05 2006 07:27PM
Patrick Beam (patrick beam gmail com) (8 replies)
Re: Compromised Windows Server Jun 07 2006 02:19AM
Macleonard Starkey (macleonard auscert org au)
Re: Compromised Windows Server Jun 06 2006 03:20PM
Isaac Perez (suscripcions tsolucio com)
Re: Compromised Windows Server Jun 06 2006 03:09PM
Patrick Beam (patrick beam gmail com) (1 replies)
Re: Compromised Windows Server Jun 07 2006 02:10PM
Kees Leune (C J Leune uvt nl)
Re: Compromised Windows Server Jun 06 2006 11:32AM
Harlan Carvey (keydet89 yahoo com)
Re: Compromised Windows Server Jun 06 2006 08:09AM
Axel Pettinger (api worldonline de)
Patrick Beam wrote:
>
> Came in this morning to find a windows 2003 server I manage scanning
> the Internet for machines listening on tcp 139 and 445. While
> looking at the machine I noticed the following processes running.
>
> Mwvsta.exe found in c:\windows\system32

From my own collection ...

[\winnt\system32\mwvsta.exe]
MD5 : 0fa478b74b1f64f09044df8f6b5703bb
SHA1 : 7083ec98d4997a9700f7e97aa62c1c07c02e7bef

Kaspersky : Backdoor.Win32.SdBot.gen (packed: PE_Patch, UPack)
McAfee : New Malware.aj (heuristic detection)
Norman Sandbox: http://sandbox.norman.no/live_2.html?logfile=927525

According to the Sandbox results "mwvsta.exe" connects to
"comto.mybizz.info" [206.53.51.108] on port 1560 (TCP).

> rundll16.exe c:\windows\system23
>
> Ponoas.exe c:\windows\system32

Again from my own collection ...

[\winnt\system32\ponoas.exe]
MD5 : eddf174b022954589e2d423da9b7791d
SHA1 : 162b17c5be842458f0fdffa2ccff4e8f97b6a0ff

Kaspersky : Trojan-Proxy.Win32.Ranky.gen (packed: PE_Patch, UPack)
McAfee : W32/Sdbot.worm.gen.h
Norman Sandbox: http://sandbox.norman.no/live_2.html?logfile=927526

> I believe that the ponoas.exe is some sort of rootkit although
> searching on google for this file name returns nothing.

"My" ponoas.exe certainly isn't rootkit related but comes as one of two
files in a SFX RAR archive. Such RAR archives usually contain a trojan
(i.e. SdBot variant) and a trojan proxy (often a variant of Ranky
- McAfee's name for it is "Proxy-FBSR trojan").

> Also searching mwvsta.exe returns nothing. At this point I have
> removed these files from the system
> and registry but am wary that the server will get hit again.

I recommend following the steps mentioned here (@Wes: especially if it
is a mission-critical system!):
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html#E

> Has anyone had an experience with the following file or have any idea
> what rootkit or virus they are associated with?

Maybe you should re-read the definition of a "rootkit":
http://en.wikipedia.org/wiki/Rootkit

Regards,
Axel Pettinger
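The indicators in Axel's reply (the MD5/SHA1 digests for mwvsta.exe and ponoas.exe, the C2 endpoint comto.mybizz.info at 206.53.51.108 on TCP 1560 reported by the Norman sandbox) and the symptom Patrick reported (outbound probing of TCP 139 and 445) can be turned into a small offline triage script. The code below is an added example and is not part of the original thread; the directory layout, the netstat sample lines and the dummy files it creates are all constructed for the demonstration, and the scan threshold is an arbitrary assumption. It hashes every file under a directory against the posted digests, and it parses `netstat -an`/`netstat -ano` style output to flag sessions to the reported C2 address and a burst of half-open (SYN_SENT) connections to 139/445 across many hosts, which is what a worm-style sweep looks like from the infected side.

```python
"""Offline IOC triage for the indicators in this thread (added example, not
from the original post). Hashes are exact-match only: a repacked build of
the same bot will not hit, so a miss proves nothing, only a hit is useful.
"""
import hashlib
import os
import re
import tempfile
from collections import Counter

# Digests copied from Axel's reply; keys are lowercase hex.
KNOWN_BAD = {
    "0fa478b74b1f64f09044df8f6b5703bb": "mwvsta.exe (Backdoor.Win32.SdBot.gen)",
    "7083ec98d4997a9700f7e97aa62c1c07c02e7bef": "mwvsta.exe (Backdoor.Win32.SdBot.gen)",
    "eddf174b022954589e2d423da9b7791d": "ponoas.exe (Trojan-Proxy.Win32.Ranky.gen)",
    "162b17c5be842458f0fdffa2ccff4e8f97b6a0ff": "ponoas.exe (Trojan-Proxy.Win32.Ranky.gen)",
}
C2_ENDPOINTS = {("206.53.51.108", 1560)}   # from the Norman sandbox result
SCAN_PORTS = {139, 445}                     # ports the server was probing


def hash_bytes(data):
    """Return (md5, sha1) hex digests of an in-memory blob."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def hash_file(path):
    """Return (md5, sha1) hex digests, streaming so large binaries are fine."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def sweep_directory(directory, known_bad=KNOWN_BAD):
    """Hash every regular file under `directory`; return [(path, label)] hits."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            try:
                md5, sha1 = hash_file(path)
            except OSError:
                continue  # locked or unreadable; a sweep must not abort on it
            label = known_bad.get(md5) or known_bad.get(sha1)
            if label:
                hits.append((path, label))
    return hits


# Matches Windows "netstat -an" rows, with an optional trailing PID from -o.
NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+([A-Z_]+)(?:\s+(\d+))?\s*$")


def triage_netstat(lines, c2=C2_ENDPOINTS, scan_ports=SCAN_PORTS,
                   scan_threshold=10):
    """Flag sessions to known C2 and count distinct hosts being probed on
    scan_ports with a half-open (SYN_SENT) connection. `scan_threshold` is an
    assumed cut-off; tune it to the host's normal SMB fan-out."""
    c2_hits, scan_targets = [], Counter()
    for line in lines:
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        _lip, _lport, rip, rport, state, pid = m.groups()
        rport = int(rport)
        if (rip, rport) in c2:
            c2_hits.append((rip, rport, state, pid))
        if rport in scan_ports and state == "SYN_SENT":
            scan_targets[rip] += 1
    return {"c2": c2_hits,
            "scan_hosts": len(scan_targets),
            "scanning": len(scan_targets) >= scan_threshold}


# Constructed netstat output, not a real capture from the compromised server.
SAMPLE_NETSTAT = """\
  TCP    192.0.2.10:1035        206.53.51.108:1560     ESTABLISHED     1844
  TCP    192.0.2.10:1036        192.0.2.1:3389         ESTABLISHED     4
  TCP    192.0.2.10:1041        198.51.100.7:445       SYN_SENT        1844
  TCP    192.0.2.10:1042        198.51.100.8:139       SYN_SENT        1844
  TCP    192.0.2.10:1043        198.51.100.9:445       SYN_SENT        1844
  UDP    0.0.0.0:161            *:*
""".splitlines()


def demo_sweep():
    """Constructed demo: two dummy files in a temp dir, one registered as bad
    by its own hash (the thread's samples are not shipped here). Returns the
    hit labels so the sweep can be checked without real malware."""
    with tempfile.TemporaryDirectory() as d:
        bad = os.path.join(d, "ponoas.exe")
        with open(bad, "wb") as f:
            f.write(b"MZ constructed sample, not real malware")
        with open(os.path.join(d, "notepad.exe"), "wb") as f:
            f.write(b"MZ benign placeholder")
        table = dict(KNOWN_BAD)
        table[hash_file(bad)[0]] = "constructed sample"
        return [label for _path, label in sweep_directory(d, table)]


if __name__ == "__main__":
    print(demo_sweep())
    print(triage_netstat(SAMPLE_NETSTAT, scan_threshold=3))
```

In practice you would run the sweep against `%SystemRoot%\system32` on a copy of the disk or from a clean boot medium rather than on the live, possibly rootkitted, host, and feed `triage_netstat` the saved output of `netstat -ano` taken before the machine was pulled. The PID column is kept so a C2 session can be tied back to the process (and to the image path from `tasklist`), which is the evidence that decides between cleaning files and rebuilding.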

Re: Compromised Windows Server Jun 06 2006 02:39AM
Jason Ross (algorythm gmail com)
Re: Compromised Windows Server Jun 06 2006 02:38AM
pauls utdallas edu
Re: Compromised Windows Server Jun 06 2006 02:12AM
Jamie Riden (jamesr europe com)
Copyright 2010, SecurityFocus