Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: ymai on March 31, 2007, 07:16:43 PM

Title: U.exe and Sasser-like behaviour
Post by: ymai on March 31, 2007, 07:16:43 PM
Hi everybody

I've got a problem with a Sasser (or Blaster)-like malware.
A handful of Win2K computers on my LAN began to shut down with the well-known warning: "This shutdown was initiated by NT AUTHORITY\SYSTEM". It claims an error code 128.
Avast Antivirus is up to date on each of those computers. When scanning all the drives, Avast doesn't see any infection.
Nor do the classical Sasser and Blaster removal tools see anything bad.
The common point is the presence of a U.exe file on the root of the C: drive. When deleting this file (Shift+Delete), it comes back a few minutes later or at the next login. Even if it's a local login (not on the Samba Linux NT-like domain). It doesn't seem to come back when the computer is off the LAN (RJ45 removed).
Scanning that file with Avast didn't give any result (as if it wasn't infected).
In fact, the problem seems to be nearly solved with a Windows update. I didn't notice any worm-like activity one hour after the update. It was then really late and I had to leave...

A WinXP Pro computer had the same behaviour, but I couldn't find the U.exe file on its C: drive.
Can it disappear all by itself? As I once right-clicked on the U.exe file, it vanished. The "Delete" item in the context menu seems to be too far below to justify that it could have been activated just by right-clicking. I didn't find the U.exe file in the recycle bin. I never drink beer before leaving my job  :)

My questions are:
- what is the name of that malware?
- why doesn't Avast see it?
- where does that thing reside? On a computer that triggers the worm activity on the other computers of the LAN?
- is the Windows Update enough to protect the computers?
- how can I be sure it is away from my LAN?
- some colleagues use their personal laptop on the LAN. Shall I advise them not to use it if they didn't update?
Any answer or comment highly appreciated.
Title: Re: U.exe and Sasser-like behaviour
Post by: cogadh on March 31, 2007, 11:50:57 PM
U.exe is part of a freeware/shareware keylogger from ReFog software: www.refog.com

It's probably not being detected as a virus since it actually isn't. Someone must have installed ReFog's KGB Keylogger on your system. The paid version is able to hide itself. If you press Shift+Ctrl+Alt+K on a computer with the U.exe app, it should bring up the control console. If it is password protected, then look for and delete ksp.ini and options.ini in C:\Documents and Settings\All Users\Application Data\KSP\, that will remove the password.

If you can't get to the console, then something else may have infected your system and is just using U.exe as its name (maybe to get past non-heuristic virus scanners?). Try downloading and running HijackThis! and see what it says: http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php (Yes, TrendMicro owns HijackThis! now).
Title: Re: U.exe and Sasser-like behaviour
Post by: mauserme on April 01, 2007, 12:29:49 AM
I agree there is a commercial keylogger with a file named u.exe but there are also some trojan downloaders that could be the culprit.  I don't think a keylogger would cause the shutdown messages so even if that's what u.exe is, there may be other problems as well.

Please zip and password-protect a sample of u.exe and email it to virus (at) avast.com.  Include the password in the body of your email with a brief explanation.

Then try scanning with AVG Antispyware and A-Squared (free versions)

http://free.grisoft.com/doc/20/lng/us/tpl/v5

http://www.emsisoft.com/en/software/free/

and post the result in your next response.

Given your description of u.exe's reappearance you will obviously need to work on each computer individually.  Leave the other PCs off if you need to connect to the LAN for internet access.


EDIT:  Forgot to ask, was your computer very far behind on Windows updates?  Which update seemed to help?

Quote
- some colleagues use their personal laptop on the LAN. Shall I advise them not to use it if they didn't update?
Since one of them might be the source of the infection or will end up being infected themselves, I would advise them against connecting to the LAN until this is resolved (with or without updates).
Title: Re: U.exe and Sasser-like behaviour
Post by: ymai on April 01, 2007, 09:21:34 AM
Many thanks to cogadh and mauserme for their help

@cogadh
I'll run the test you suggest about the Refog Keylogger. I still have a doubt because the problematic computers are in different rooms and different buildings, not accessed by the same people.
Then, the HijackThis! test is certainly really interesting to perform. I'll post news as soon as possible.

@mauserme
I deleted all U.exe files I found. But I'll certainly fish out some more  :-[ . Thanks for agreeing to test it.
Didn't think of spyware because of the shutdown behaviour. I usually have very good results with Spysweeper. Do you think AVG or A-Squared are better products?
I didn't get information on the date of the last Windows update because I was in a hurry to find a solution. Should I install the updates one after the other and observe for, say, one hour?  ::)

Next health bulletin: probably Monday
Title: Re: U.exe and Sasser-like behaviour
Post by: mauserme on April 01, 2007, 02:49:43 PM
Quote
I usually have very good results with Spysweeper. Do you think AVG or A-Squared are better products?
Not necessarily better, but each looks at things a bit differently so using multiple scanners increases your chance of identifying the problem.

Quote
Many thanks to cogadh and mauserme for their help

@cogadh
I'll run the test you suggest about the Refog Keylogger. I still have a doubt because the problematic computers are in different rooms and different buildings, not accessed by the same people.
Then, the HijackThis! test is certainly really interesting to perform. I'll post news as soon as possible.

@mauserme
I didn't get information on the date of the last Windows update because I was in a hurry to find a solution. Should I install the updates one after the other and observe for, say, one hour?
Well, I was wondering if your patches were years behind because the traditional Sasser and Blaster exploits were patched in 2003/2004.

Regardless of how many updates you need to install I would do them all as soon as possible and not worry about observing the effects along the way. 
Title: Re: U.exe and Sasser-like behaviour
Post by: ymai on April 03, 2007, 09:57:58 AM
Back in business...
A zip version of the problematic U.exe file can be found at http://sio2.be/u_file/ (password: ytreza)
I attached the hijackthis.log file of a problematic computer.
Scanning with A-Squared, Spysweeper or whatever else is rather difficult because of the frequent shutdowns.

Many thanks for any help
Title: Re: U.exe and Sasser-like behaviour
Post by: mauserme on April 03, 2007, 02:00:00 PM
Upload these files to Virus Total (http://www.virustotal.com/en/indexf.html) for analysis and post the results:

C:\WINNT\system32\mpn.exe
C:\WINNT\system32\autorun.exe

What version of RealVNC are you using - 4.1.1 or something higher?

Did you install SysInternals PSTools?
Title: Re: U.exe and Sasser-like behaviour
Post by: ymai on April 03, 2007, 04:38:05 PM
Hello mauserme
Quote
Upload these files to Virus Total (http://www.virustotal.com/en/indexf.html) for analysis and post the results:

C:\WINNT\system32\mpn.exe
C:\WINNT\system32\autorun.exe
I just uploaded the U.exe file on my home personal system, protected by Avast and Spysweeper.
Spysweeper immediately detected a problem with the mpn.exe file when unzipping the U.zip file. Just unzipping.
So, that file seems to be really dangerous!! I deleted it from its place on the web.

Avast reacted too, when I sent the file to virustotal.com (didn't know that tool; seems to be really interesting). Maybe just because I sent an .exe file.
I'm waiting for the result of the analysis.
Quote
What version of RealVNC are you using - 4.1.1 or something higher?
Must be 4.1.2 (not sure). I'll check this tomorrow. Is there a problem with VNC?
Quote
Did you install SysInternals PSTools?
Yes  :)
Really handy to shut down all the computers at the end of the work day.

Thanks a lot for your advice.

[edit]Just forgot to mention: I did the Windows Update on around 20 computers this morning. After that update, none of the computers shut down and restarted any more. While working, there were regular shutdowns and restarts.
But I understand that the mpn.exe problem, at least, *must* be resolved.
[/edit]
Title: Re: U.exe and Sasser-like behaviour
Post by: mauserme on April 03, 2007, 04:58:59 PM
Don't forget to scan C:\WINNT\system32\autorun.exe at Virus Total too.  And for sure post the scan results showing what identifications are made for both files.

Quote
Must be 4.1.2 (not sure). I'll check this tomorrow. Is there a problem with VNC?
Please double check the version number when you can.  There is a flaw in the way v4.1.1 authenticates clients that can allow an attacker unlimited access to your server.  This was patched in v4.1.2.  Take a look at this thread

http://forum.avast.com/index.php?topic=24667


Quote
Just forgot to mention: I did the Windows Update on around 20 computers this morning. After that update, none of the computers shut down and restarted any more. While working, there were regular shutdowns and restarts.
But I understand that the mpn.exe problem, at least, *must* be resolved.
Good - a step in the right direction  :)
Title: Re: U.exe and Sasser-like behaviour
Post by: ymai on April 03, 2007, 05:16:23 PM
Quote
Don't forget to scan C:\WINNT\system32\autorun.exe at Virus Total too.  And for sure post the scan results showing what identifications are made for both files.
Sure I will. But I'm home now.
Fortunately (?) the computers are not used for the moment. They are in a school and we have holidays. Only the computer science teacher is at work  :)
Quote
Please double check the version number when you can.  There is a flaw in the way v4.1.1 authenticates clients that can allow an attacker unlimited access to your server.  This was patched in v4.1.2.
Never heard about that problem. It's on my todo list from now.

Quote
Good - a step in the right direction  :)
Many, many thanks.
Title: Re: U.exe and Sasser-like behaviour
Post by: Lisandro on April 03, 2007, 07:50:06 PM
ymai, which version of avast are you using, the Home or the Professional?
Title: Re: U.exe and Sasser-like behaviour
Post by: ymai on April 04, 2007, 05:34:06 PM
Here we are again

@mauserme: I'm afraid you were right about VNC 4.1.1. I found a PC that kept an extra-high bandwidth load and some strange machines connected to my Samba server. When I restart Samba, they come back after a few minutes.
I think I have isolated a second computer that causes the shutdowns.
Still a bit of work to fix the VNC failure and (probable) Windows Update on the remaining workstations. But we are on the right track. Thanks to you.

@Tech: I use the Home version on my Windows workstation at home. They bought Pro licences at school. Do you mean I'm not as well protected at home? I'm scared!!

[edit]BTW, I didn't receive any analysis from Virus Total. Some antivirus filtering on the road, maybe... [/edit]
Title: Re: U.exe and Sasser-like behaviour
Post by: mauserme on April 04, 2007, 06:04:08 PM
Hi ymai,

You need to prioritize updating VNC to the current version.  Without it you'll constantly have new malware being downloaded.  After the update make sure to assign new user IDs and passwords for every authorized user, and revoke any old credentials that may still be stored.

Here's one more link to a thread about the flaw I mentioned that will help you see how this was exploited in the past.  I don't know for sure but I'm guessing your file named u.exe is acting in much the same way as the file named "i" in the other thread.

http://forum.avast.com/index.php?topic=25213.msg206306#msg206306

Have you had a chance to scan those two files at Virus Total yet?  Well, I guess we already know mpn.exe needs to go but I would still like to see the identifications for that and autorun.exe.

One more question - Are you connected to Mount Pleasant High School in any way?

Quote
[edit]BTW, I didn't receive any analysis from Virus Total. Some antivirus filtering on the road, maybe... [/edit]
Not sure what the problem is, but you could try Jotti instead

http://virusscan.jotti.org/

Just use the Browse button at the top of the page and navigate to the file.
Title: Re: U.exe and Sasser-like behaviour
Post by: Lisandro on April 04, 2007, 08:18:02 PM
Quote
@Tech: I use the Home version on my Windows workstation at home. They bought Pro licences at school. Do you mean I'm not as well protected at home? I'm scared!!
No, I'm not saying that, the Home version protects you very well. The major differences with the Professional version aren't related to protection but to features that the Home version misses compared with the Pro.
Title: Re: U.exe and Sasser-like behaviour
Post by: ymai on April 05, 2007, 12:16:01 PM
Here is the result of the scan of the mpn.exe file from http://virusscan.jotti.org/
It seems that Avast doesn't see the Trojan...  :'(

File: mpn.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: d1f468970418e8c55e20ad188bc9ee6b
Packers detected: -
Scanner results
Scan taken on 05 Apr 2007 09:42:56 (GMT)
AntiVir    Found BDS/VanBot.BW
ArcaVir    Found Trojan.Vanbot.Bw
Avast    Found nothing
AVG Antivirus    Found Win32/CryptExe
BitDefender    Found Backdoor.VanBot.AP
ClamAV    Found Trojan.SdBot-5302
Dr.Web    Found BackDoor.IRC.Sdbot.1207
F-Prot Antivirus Found W32/Backdoor.AKSA
F-Secure Anti-Virus    Found Backdoor.Win32.VanBot.bh
Fortinet    Found W32/Delbot.W!worm
Kaspersky Anti-Virus    Found Backdoor.Win32.VanBot.bh
NOD32    Found Win32/Rinbot.W
Norman Virus Control    Found nothing
Panda Antivirus    Found W32/Rinbot.gen.worm
Rising Antivirus    Found Backdoor.Mybot.yvz
VirusBuster    Found Backdoor.Vanbot.Gen!Pac
VBA32    Found Trojan.Win32.Rinbot.W

The VirusTotal test does not look better...

Antivirus   Version   Update   Result
AhnLab-V3   2007.4.5.0   04.05.2007   Win32/IRCBot.worm.213504.D
AntiVir   7.3.1.48   04.05.2007   BDS/VanBot.BW
Authentium   4.93.8   04.04.2007   W32/Backdoor.AKSA
Avast   4.7.936.0   04.04.2007   no virus found
AVG   7.5.0.447   04.04.2007   Win32/CryptExe
BitDefender   7.2   04.05.2007   Backdoor.VanBot.AP
CAT-QuickHeal   9.00   04.04.2007   no virus found
ClamAV   devel-20070312   04.05.2007   Trojan.SdBot-5302
DrWeb   4.33   04.05.2007   BackDoor.IRC.Sdbot.1207
eSafe   7.0.15.0   04.04.2007   Win32.VanBot.bw
eTrust-Vet   30.7.3544   04.05.2007   Win32/Nirbot.AF
Ewido   4.0   04.04.2007   Backdoor.VanBot.bw
FileAdvisor   1   04.05.2007   no virus found
Fortinet   2.85.0.0   04.05.2007   W32/Delbot.W!worm
F-Prot   4.3.1.45   04.04.2007   W32/Backdoor.AKSA
F-Secure   6.70.13030.0   04.05.2007   Backdoor.Win32.VanBot.bh
Ikarus   T3.1.1.3   04.05.2007   Backdoor.Win32.VanBot.bh
Kaspersky   4.0.2.24   04.05.2007   Backdoor.Win32.VanBot.bh
McAfee   5001   04.04.2007   W32/Nirbot.worm
Microsoft   1.2405   04.05.2007   no virus found
NOD32v2   2168   04.04.2007   Win32/Rinbot.W
Norman   5.80.02   04.05.2007   no virus found
Panda   9.0.0.4   04.05.2007   W32/Rinbot.gen.worm
Prevx1   V2   04.05.2007   Covert.Sys.Exec
Sophos   4.16.0   03.30.2007   W32/Delbot-W
Sunbelt   2.2.907.0   04.03.2007   no virus found

No autorun.exe available at home. I'll check it on my workplace.

Some more information. I found the U.exe file on my daughter's Win2k computer (protected? by Avast Home). Furthermore, I found an M.exe file that made Avast react!!!
Here is the log file:
5/04/2007 11:19:31   Sandrine   552   Sign of "Win32:Agent-DDN [Trj]" has been found in "C:\Documents and Settings\Sandrine\Local Settings\Temporary Internet Files\Content.IE5\LBQOLI8D\m[1].exe\[CExe]" file. 

5/04/2007 11:21:53   Sandrine   552   Sign of "Win32:Agent-DDN [Trj]" has been found in "C:\m.exe\[CExe]" file. 

5/04/2007 11:43:45   Sandrine   552   Sign of "Win32:Agent-DDN [Trj]" has been found in "C:\Documents and Settings\Administrateur\Local Settings\Temporary Internet Files\Content.IE5\41234567\m[1].exe\[CExe]" file. 

5/04/2007 11:43:57   Sandrine   552   Sign of "Win32:Agent-DDN [Trj]" has been found in "C:\m.exe\[CExe]" file. 

I'll have to format that computer as I notice very high traffic on my router.
My very own computer @home is safe: I don't leave Linux Fedora  ;D
These were the fresh news from the day.


PS: http://www.mphsknights.com/ looks like a cool place. But I've never been to the US. :)
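The two scan reports in this post are easier to reason about when parsed than when eyeballed. The point made earlier in the thread, that each scanner looks at things a bit differently, shows up as a detection count, a list of engines that reported the file clean, and a rough grouping of the vendor names into families (VanBot, Rinbot, SdBot and so on are all names for what one engine or another saw in mpn.exe). The Python below is an added example, not code from this thread or from VirusTotal or Jotti; the sample rows are copied from the two tables in this post, and the family keyword list is an assumption made for the demonstration, since vendor naming is not standardised.

```python
import re
from collections import Counter

# Constructed sample: rows copied from the VirusTotal table for mpn.exe posted
# in this thread (engine, version, signature date, result).
VIRUSTOTAL_SAMPLE = """\
Antivirus   Version   Update   Result
AntiVir   7.3.1.48   04.05.2007   BDS/VanBot.BW
Avast   4.7.936.0   04.04.2007   no virus found
AVG   7.5.0.447   04.04.2007   Win32/CryptExe
ClamAV   devel-20070312   04.05.2007   Trojan.SdBot-5302
F-Secure   6.70.13030.0   04.05.2007   Backdoor.Win32.VanBot.bh
Microsoft   1.2405   04.05.2007   no virus found
NOD32v2   2168   04.04.2007   Win32/Rinbot.W
Norman   5.80.02   04.05.2007   no virus found
"""

# Constructed sample in the Jotti "Scanner results" layout from the same post.
# Engine names here may contain spaces, so a different parser is needed.
JOTTI_SAMPLE = """\
AntiVir    Found BDS/VanBot.BW
Avast    Found nothing
Dr.Web    Found BackDoor.IRC.Sdbot.1207
F-Prot Antivirus Found W32/Backdoor.AKSA
Norman Virus Control    Found nothing
"""

# Result strings the two services use for "clean" (compared case-insensitively).
CLEAN_RESULTS = {"no virus found", "no threat detected", "nothing"}

# Assumed family keywords, taken from the names that appear in this thread.
FAMILY_KEYWORDS = ("vanbot", "rinbot", "nirbot", "sdbot", "delbot",
                   "ircbot", "mybot", "aksa")


def parse_virustotal(text):
    """Parse 'Engine Version Update Result' rows; the result may contain spaces."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Antivirus":   # skip blanks and header
            continue
        rows.append({"engine": parts[0], "version": parts[1],
                     "update": parts[2], "result": " ".join(parts[3:])})
    return rows


def parse_jotti(text):
    """Parse Jotti rows of the form '<engine name> Found <result>'."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"^(?P<engine>.+?)\s+Found\s+(?P<result>.+?)\s*$", line)
        if m:
            rows.append({"engine": m.group("engine").strip(),
                         "result": m.group("result")})
    return rows


def is_clean(result):
    return result.lower() in CLEAN_RESULTS


def family_of(result):
    """Map a vendor detection name onto one of the assumed family keywords."""
    low = result.lower()
    for key in FAMILY_KEYWORDS:
        if key in low:
            return key
    return "other"


def summarize(rows):
    """Detection count, engines that missed, and a family histogram."""
    detected = [r for r in rows if not is_clean(r["result"])]
    missed = [r["engine"] for r in rows if is_clean(r["result"])]
    families = Counter(family_of(r["result"]) for r in detected)
    return {"total": len(rows), "detected": len(detected),
            "missed": missed, "families": dict(families)}


if __name__ == "__main__":
    for name, rows in (("VirusTotal", parse_virustotal(VIRUSTOTAL_SAMPLE)),
                       ("Jotti", parse_jotti(JOTTI_SAMPLE))):
        s = summarize(rows)
        print(f"{name}: {s['detected']}/{s['total']} detected, "
              f"missed by {s['missed']}, families {s['families']}")
```

On the sample rows the VirusTotal parser reports 5 of 8 engines detecting the file and Avast, Microsoft and Norman reporting it clean, which is the same picture ymai read off the full table by hand; the family histogram shows why a single vendor name is a poor search key when asking "what is this?".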
Title: Re: U.exe and Sasser-like behaviour
Post by: mauserme on April 05, 2007, 01:18:05 PM
I asked about Mt. Pleasant High School because of this line in your hjt log

O4 - HKLM\..\Run: [MPNet] C:\WINNT\system32\mpn.exe

This is the registry entry that causes mpn.exe to load at startup.  The service name is MPNet.  Another Mt. Pleasant High School web site is

http://mpnet.esuhsd.org/

And you said you are in education.  I didn't know if there was significance or coincidence in this - I suppose the latter.

We have much work to do and we will have to be careful to not confuse one computer with another.  Generally you will need to fully update every computer (both Windows and VNC Updates) that has been connected to your LAN. 

After the updates do a boot scan with avast!, then a thorough scan with AVG Antispyware.  Quarantine whenever possible as opposed to deleting files.

I am ready to clean the first computer you posted about (the one you ran hjt on) whenever you're ready but I need the Virus Total or Jotti results on autorun.exe first.  We will use hijackthis first on this machine but please recognize that the fix for this one may not be the same for every PC globally.  Hijackthis is very powerful and can cause damage if used incorrectly, so we may need to individually analyze each machine in your LAN.

In the meantime, please email a zipped and password protected copy of mpn.exe to virus(@)avast.com and include the password in the body of your email along with a link to this thread (posting it on your web site won't help - it needs to be emailed).

EDIT:

Quote
My very own computer @home is safe: I don't leave Linux Fedora
There is no Windows partition?
Title: Re: U.exe and Sasser-like behaviour
Post by: ymai on April 05, 2007, 06:29:33 PM
Quote
And you said you are in education.  I didn't know if there was significance or coincidence in this - I suppose the latter.
The latter...
And I'm afraid mpn.exe has no relation with any school, except a piracy school.
Quote
We have much work to do and we will have to be careful to not confuse one computer with another.  Generally you will need to fully update every computer (both Windows and VNC Updates) that has been connected to your LAN.
Every computer  :o That's about 90 PCs. Fortunately, I'm on holidays.
It's 6 PM here. A bit too late to begin the work this evening.
Quote
After the updates do a boot scan with avast!, then a thourough scan with AVG Antispyware.  Quarantine whenever possible as opposed to deleting files.

I am ready to clean the first computer you posted about (the one you ran hjt on) whenever you're ready but I need the Virus Total or Jotti results on autorun.exe first.  We will use hijackthis first on this machine but please recognize that the fix for this one may not be the same for every PC globally.  Hijackthis is very powerful and can cause damage if used incorrectly, so we may need to individually analyze each machine in your LAN.
As mpn.exe does not seem to be a regular Windows file, I thought it would be easy to recognize an infection. Bad idea.
Quote
In the mean time, please email a zipped and password protected copy of mpn.exe to virus(@)avast.com and include the password in the body of your email along with a link to this thread (posting it on your web site won't help - it needs to be emailed).
I'll do it ASAP via a gmail account. I hope it is not filtered.
Quote
EDIT:
Quote
My very own computer @home is safe: I don't leave Linux Fedora
There is no Windows partition?
There are two Windows partitions. But the virus/spywares/adwares won't be active under Linux. What a peaceful place.
Title: Re: U.exe and Sasser-like behaviour
Post by: mauserme on April 05, 2007, 11:28:42 PM
Quote
Every computer  :o That's about 90 PCs.
Can I rethink my previous statement?   ;D

Well, if they're on the LAN they should be checked ...

There's a way to fix this manually (and quickly when it's just a few computers) with HijackThis, but with that number of computers let's do an experiment to see if we can automate this process.  On the computer that the hjt log came from make sure Windows and VNC are up to date, then run an avast! boot scan.  After, rename hijackthis.exe to hijackthat.exe and generate/post a new log using the renamed executable.  If this process cleans the infection(s) we can use it on as many of the other computers simultaneously as you can handle.  If it is not successful we will try AVG Antispyware followed by another hjt log, etc. until we find the right fix.

I do still need the autorun.exe analysis when you have a chance.

Quote
There are two Windows partitions. But the virus/spywares/adwares won't be active under Linux. What a peaceful place.
Kaspersky has developed a proof-of-concept cross-platform virus able to infect both Linux and Windows.  Its capabilities are limited on the Linux side, of course, but it shows that assumptions should no longer be made with dual-boot setups.

It's up to you, but given the amount of time you're going to devote to cleaning this up I would give my own computer the 20 minutes it needs to be checked  :)
Title: Re: U.exe and Sasser-like behaviour
Post by: Lisandro on April 06, 2007, 02:34:23 PM
ymai, do you use avast! ADNM version?
How did you deploy avast to those 90 machines?
Title: Re: U.exe and Sasser-like behaviour
Post by: ymai on April 06, 2007, 03:09:28 PM
I've just sent the two files, mpn.exe and autorun.exe, to virus_[at]_avast.com
Wasn't easy because Gmail does not accept executable (even zipped) files. They were renamed as *.txt.
Title: Re: U.exe and Sasser-like behaviour
Post by: ymai on April 06, 2007, 03:21:41 PM
Quote
ymai, do you use avast! ADNM version?
How did you deploy avast to those 90 machines?
I did deploy Avast with my very own two hands and ten fingers...
In our country, computer science teachers do everything; as you probably noticed, I'm just an "amateur". I have a tiny education in Computer Science. I studied Chemistry at the university in the late 70's, when computers were just an idea...
Your Distributed Network Manager looks like great software. I didn't see the prices.
We have no Windows Server (just a Samba Linux PDC) and Win2k/XP workstations. Should it work?
Title: Re: U.exe and Sasser-like behaviour
Post by: ymai on April 06, 2007, 03:24:32 PM
Autorun.exe analysis by Virustotal:

Complete scanning result of "Autorun.exe", received in VirusTotal at 04.06.2007, 14:49:14 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.4.5.0 04.06.2007 no virus found
AntiVir 7.3.1.48 04.06.2007 no virus found
Authentium 4.93.8 04.06.2007 no virus found
Avast 4.7.936.0 04.05.2007 no virus found
AVG 7.5.0.447 04.05.2007 no virus found
BitDefender 7.2 04.06.2007 no virus found
CAT-QuickHeal 9.00 04.05.2007 no virus found
ClamAV devel-20070312 04.06.2007 no virus found
DrWeb 4.33 04.06.2007 no virus found
eSafe 7.0.15.0 04.06.2007 no virus found
eTrust-Vet 30.7.3546 04.06.2007 no virus found
Ewido 4.0 04.06.2007 no virus found
FileAdvisor 1 04.06.2007 No threat detected
Fortinet 2.85.0.0 04.06.2007 no virus found
F-Prot 4.3.1.45 04.04.2007 no virus found
F-Secure 6.70.13030.0 04.06.2007 no virus found
Ikarus T3.1.1.3 04.06.2007 Trojan-PWS.Legmir
Kaspersky 4.0.2.24 04.06.2007 no virus found
McAfee 5002 04.05.2007 no virus found
Microsoft 1.2405 04.06.2007 no virus found
NOD32v2 2171 04.06.2007 no virus found
Norman 5.80.02 04.05.2007 no virus found
Panda 9.0.0.4 04.06.2007 no virus found
Prevx1 V2 04.06.2007 no virus found
Sophos 4.16.0 04.06.2007 no virus found
Sunbelt 2.2.907.0 04.03.2007 no virus found
Symantec 10 04.06.2007 no virus found
TheHacker 6.1.6.085 04.04.2007 no virus found
VBA32 3.11.3 04.04.2007 Trojan.PWS.Legmir
VirusBuster 4.3.7:9 04.05.2007 no virus found
Webwasher-Gateway 6.0.1 04.06.2007 no virus found
Title: Re: U.exe and Sasser-like behaviour
Post by: Lisandro on April 06, 2007, 03:27:49 PM
Quote
Your Distributed Network Manager looks like great software. I didn't see the prices.
But... 90 Professional versions bought?

Quote
We have no Windows Server (just a Samba Linux PDC) and Win2k/XP workstations. Should it work?
The ADNM has the necessary tools to deploy the avast installation in a network of workstations without a server.
Title: Re: U.exe and Sasser-like behaviour
Post by: mauserme on April 06, 2007, 05:03:10 PM
I'm sorry this is taking so long, ymai.  If this was a single computer or two we would be done already.

I think the Virus Total detections for autorun.exe are false positives, especially so if you have a Soltek motherboard or video card.  Do you know if either of these are present?

There is one more scan I would like to see that may give us a clue about autorun.exe based on file creation dates.  This will also do one more check for malware.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

After this scan we should be able to proceed with cleaning.
Title: Re: U.exe and Sasser-like behaviour
Post by: ymai on April 06, 2007, 08:58:42 PM
Quote
I'm sorry this is taking so long, ymai.  If this was a single computer or two we would be done already.
Please don't. I have been at work the whole afternoon. The Internet connection was really awful. It was not possible to come back here.
Quote
I think the Virus Total detections for autorun.exe are false positives, especially so if you have a Soltek motherboard or video card.  Do you know if either of these are present?
You hit it!! This is my only workstation with a Soltek motherboard. The original motherboard went out of use two years ago. It was then replaced.
I didn't find any other autorun.exe file on any other computer.
Quote
There is one more scan I would like to see that may give us a clue about autorun.exe based on file creation dates.  This will also do on more check for malware.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
I'm afraid my wife won't let me go to school during the Easter weekend. You'll have a rest.

I have good news. It seems that the infection is rather recent, as computers that were not used during the week between March 19 and March 23 are free of problems. That's a huge number: around 35-40 workstations.
HijackThis finds mpn.exe in the registry on most other computers. No real difficulty to get rid of it. Then reboot the computer and rename mpn.exe to mpn.exe.bak.
I had one really resistant computer that froze when I tried to launch any program. Fortunately, I have a Ghost image dating from February! I used it. I'll just have to look twice for the Windows and Avast updates.
I didn't have enough time to perform an Avast boot scan on all the "cured" PCs.
The only question, for the moment, seems to be: where does that mpn.exe come from? Is the source still somewhere on the LAN? Is an Avast scan able to find it?
I have three days to think and search for the answer.

Many, many thanks again for your work.
Title: Re: U.exe and Sasser-like behaviour
Post by: ymai on April 06, 2007, 09:03:09 PM
Quote
Your Distributed Network Manager looks like great software. I didn't see the prices.
But... 90 Professional versions bought?
Certainly not. The Linux workstations are protected with ClamAV.
The Windows workstations that are not connected to the Internet are protected with ClamWin.
Some others use another commercial antivirus. But Avast is our favorite.
Quote
We have no Windows Server (just a Samba Linux PDC) and Win2k/XP workstations. Should it work?
The ADNM has the necessary tools to deploy the avast installation in a network of workstations without a server.
Good to know that.
Title: Re: U.exe and Sasser-like behaviour
Post by: mauserme on April 06, 2007, 10:10:13 PM
Quote
I'm afraid my wife won't let me go to school during the Easter weekend.
Good for her.  Easter should be a time of rest.

Quote
The only question, for the moment, seems to be: where does that mpn.exe come from? Is the source still somewhere on the LAN? Is an Avast scan able to find it?
This is something of a guess but it seems logical to me.  The entry point was the old version of VNC -  this allowed a hacker into the LAN.  The u.exe file (or m.exe in some cases) was downloaded and, as you saw on your own computer, u.exe acted as either an installer or downloader for mpn.exe.   I suspect if you had not caught this when you did additional files would have been downloaded as well.

Is the source still on your computer(s)?  If you have updated VNC on all the computers and removed u.exe (or possibly other single-letter.exe files) I think not.

I will give you two fixes that you can choose from.  I tend to favor automatic (program based) fixes over manual but, as you said,  with the number of computers you're working with the manual option may be the way to go.

Option 1

Schedule an avast! boot scan, including archives.  Reboot and let the scan run, putting in quarantine anything found. 

When done make sure your folder options are set to Show Hidden Files and Folders.  Then check your root directory for u.exe and m.exe.  Delete these if present.

If there are any other unusual files in the root upload to Virus Total to determine if they too should be deleted.


Option 2

This method poses some risk if done incorrectly but I'm sure you are capable of using it safely.  Keep in mind that this is specific to the exact hijackthis line listed below - if you see lines that differ post a copy so I can look at it.

Open Hijackthis and click the button labeled Do a System Scan Only.  When the scan is finished place a check mark next to this line

O4 - HKLM\..\Run: [MPNet] C:\WINNT\system32\mpn.exe

Then click the button labeled Fix Checked.  This will remove the start up entry from the registry but the file will still be present.

Next, boot into safe mode and delete this file

C:\WINNT\system32\mpn.exe

Finally, make sure your folder options are set to show Hidden Files and Folders and check your root directory for u.exe and m.exe.  Delete these if present.

If there are any other unusual files in the root upload them to Virus Total to determine if they too should be deleted.


If you run into any other unusual circumstances or suspect files please feel free to post again.  I would also be very interested in occasional progress reports if you don't mind.

Also keep in mind the laptops you mentioned may have been compromised as well.  They should be checked before they are allowed back on the LAN.
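The O4 line mauserme identified earlier in the thread, and the two cleanup options above, come down to three checks a defender can script across many machines: expand the HijackThis shorthand to the real Run key, flag autorun targets by file name and location, and confirm a suspect file against the MD5 that Jotti reported for mpn.exe. The Python below is an added example, not code from this thread, from HijackThis or from avast. The log excerpt is constructed (only the MPNet line comes from the thread), the expansion of ".." to Software\Microsoft\Windows\CurrentVersion follows HijackThis's usual notation, and the single-letter-exe rule is a heuristic drawn from this thread's u.exe and m.exe rather than a general rule.

```python
import hashlib
import re
from pathlib import PureWindowsPath

# Constructed HijackThis-style log excerpt. The MPNet line is the one quoted in
# this thread; the other two O4 lines are made-up benign entries for contrast.
SAMPLE_HJT_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe

O4 - HKLM\..\Run: [MPNet] C:\WINNT\system32\mpn.exe
O4 - HKLM\..\Run: [ExampleVendorTray] "C:\Program Files\ExampleVendor\tray.exe" /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
"""

# Indicators taken from this thread: the file names involved and the MD5 that
# Jotti reported for mpn.exe.
KNOWN_BAD_FILES = {"mpn.exe", "u.exe", "m.exe"}
KNOWN_BAD_MD5 = {"d1f468970418e8c55e20ad188bc9ee6b"}

# HijackThis writes ".." for Software\Microsoft\Windows\CurrentVersion.
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
CURRENT_VERSION = r"Software\Microsoft\Windows\CurrentVersion"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<command>.+)$")
SINGLE_LETTER_EXE = re.compile(r"^[a-z]\.exe$", re.IGNORECASE)


def parse_o4(line):
    """Turn one O4 line into the full registry key, value name and executable."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    command = m.group("command").strip()
    # The executable is the first token; quoted paths may contain spaces.
    if command.startswith('"'):
        exe = command[1:command.index('"', 1)]
    else:
        exe = command.split(" ")[0]
    key = (HIVES.get(m.group("hive"), m.group("hive")) + "\\"
           + m.group("key").replace("..", CURRENT_VERSION))
    return {"key": key, "name": m.group("name"), "exe": exe,
            "basename": PureWindowsPath(exe).name.lower()}


def suspicion_reasons(entry):
    """Reasons an autorun entry deserves a look; an empty list means nothing odd."""
    reasons = []
    path = PureWindowsPath(entry["exe"])
    if entry["basename"] in KNOWN_BAD_FILES:
        reasons.append("known_bad_filename")
    if SINGLE_LETTER_EXE.match(entry["basename"]):
        reasons.append("single_letter_exe")
    if str(path.parent) == path.anchor:      # e.g. C:\u.exe sitting in the drive root
        reasons.append("in_drive_root")
    return reasons


def triage(log_text):
    """Return [(entry, reasons)] for every O4 line that raises at least one reason."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry:
            reasons = suspicion_reasons(entry)
            if reasons:
                flagged.append((entry, reasons))
    return flagged


def root_listing_suspects(names):
    """From a listing of the drive root, keep single-letter .exe names (u.exe, m.exe)."""
    return [n for n in names if SINGLE_LETTER_EXE.match(n)]


def md5_of_bytes(data):
    return hashlib.md5(data).hexdigest()


def is_known_bad_hash(digest):
    """True when a file's MD5 matches the sample reported in this thread."""
    return digest.lower() in KNOWN_BAD_MD5


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_HJT_LOG):
        print(f"{entry['key']} [{entry['name']}] -> {entry['exe']}  reasons={reasons}")
    print(root_listing_suspects(["u.exe", "boot.ini", "M.EXE", "pagefile.sys"]))
```

Run against the constructed excerpt, only the MPNet entry is flagged, with the expanded key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, which is the value Option 2 removes; the benign vendor and ctfmon entries pass. The hash check is the step that tells apart a file that merely shares a name with the sample from the sample itself, which matters when a name like autorun.exe turns out to be legitimate, as happened later in this thread.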
Title: Re: U.exe and Sasser-like behaviour
Post by: ymai on April 06, 2007, 11:29:45 PM
mauserme, you're really a lifesaver. Thanks to you, the solution is emerging...
Quote
I'm afraid my wife won't let me go to school during the Easter weekend.
Good for her.  Easter should be a time of rest.
Unfortunately, not for the lambs we usually eat at Easter in our tradition.
Quote
The entry point was the old version of VNC -  this allowed a hacker into the LAN.
So, first of all, I'll update VNC. I saw the installed version is 4.1.0 almost everywhere. But I certainly installed several 4.1.1 versions recently, as I found that installation file version on my installation directory.
Quote
When done make sure your folder options are set to Show Hidden Files and Folders.
It's the default situation.
Quote
Then check your root directory for u.exe and m.exe.  Delete these if present.
Just what I did this afternoon.
Quote
O4 - HKLM\..\Run: [MPNet] C:\WINNT\system32\mpn.exe
I feel like an O4 - HKLM... killer. That's what I did before deleting the u.exe files (no m.exe files found on my LAN; I found it @home).
Quote
If you run into any other unusual circumstances or suspect files please feel free to post again.
Great! You are great.
Quote
I would also be very interested in occasional progress reports if you don't mind.
It will be my pleasure. But next week.
Quote
Also keep in mind the laptops you mentioned may have been compromised as well.  They should be checked before they are allowed back on the LAN.
I'll send a mail to all my colleagues, for Merry Easter and  Happy Malware Fighting.
Merry Easter to you.
Title: Re: U.exe and Sasser-like behaviour
Post by: mauserme on April 07, 2007, 01:03:04 AM
Quote
Unfortunately, not for lambs we are used to eat for easter in our tradition.
Nor for the cooks, but that effort is excusable :)

Quote
... no m.exe files found on my LAN; I found it @home
The m.exe file is probably a different situation on your daughter's computer.  I hadn't given it much thought since you said you would reformat that one, but if you want to avoid that I would be happy to look at her Hijackthis log.

Quote
Merry Easter to you.
And to you ymai.  See you next week  :)
Title: Re: U.exe and Sasser-like behaviour
Post by: ymai on April 10, 2007, 09:46:31 PM
I promised to come back. So, here I am.
Unfortunately, I don't have good news.
I scratched all the VNC 4.1.0 (yes, 4.1.0) and installed 4.1.2 versions instead.
I tried to update Windows. Some PCs don't seem to want to update. Maybe because of too narrow Internet bandwidth. Not sure it's because of hyperactive worm activity: the router doesn't look too busy.

Nevertheless, I tried to cure each computer with HijackThis for the mpn.exe key. I halted all mpn.exe processes in the Task Manager (sometimes one occurrence, sometimes two). Then, I Shift+Deleted the mpn.exe in the System32 directory and any U.exe file.
A few minutes later, they are all back: in the registry, in the Task Manager and in the System32 directory.
I tried to reboot the computers just after the cleaning. They are always back with that #@%!!$@ mpn.exe  :)

There must be some kind of zombie on the LAN waiting to infect other computers.

Because we must be back to business next monday, I'm afraid I won't be able to solve the problem by myself, even with your invaluable help. I need a professional with hands on my LAN.

One more time, many, many thanks for your help.
Title: Re: U.exe and Sasser-like behaviour
Post by: mauserme on April 10, 2007, 11:46:54 PM
So many computers ... So little time ...

I think deleting from safe mode might have worked as they wouldn't have loaded into memory but I understand  the constraints you're under.  I will miss the challenge :)
Title: Re: U.exe and Sasser-like behaviour
Post by: ymai on April 10, 2007, 11:58:56 PM
Quote
So many computers ... So little time ...

I think deleting from safe mode might have worked as they wouldn't have loaded into memory but I understand  the constraints you're under.  I will miss the challenge :)
Mmmmhhhh.... You'd better bet on a good horse.
I'll try, but if the Windows update doesn't work, I'm afraid the worm will come back at the first boot on the LAN.
I shall come back.
Title: Re: U.exe and Sasser-like behaviour
Post by: mauserme on April 11, 2007, 12:00:25 AM
Keep the computers isolated - all turned off except the one you are working on.
Title: Re: U.exe and Sasser-like behaviour
Post by: ymai on April 17, 2007, 11:37:45 PM
For all those who are still interested in this topic...
We found that the
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5
subdirectories of the infected computers contain plenty of copies of the mpn.exe file. We just Shift+Deleted them.

We have been working one day and a half with a professional tech to cure about 30 computers. For some of them, it was rather difficult to eliminate the mpn.exe file. Coming back again and again and again.
The advice of Mauserme works (For he's a jolly good fellow).  :)

At the present moment, the mpn.exe doesn't seem to come back after:
- kill mpn.exe in the task manager
- shift+delete mpn.exe in the system32 directory
- when present, shift+delete U.exe file in the c:\ directory
- eliminate mpn.exe in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key of the registry
- shift+delete the subdirectories of C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5
- reboot
- update Windows

Still superinfection problems (DriveCleaner or other commercial popups) on some computers. But I think this will be rather easy to eliminate.
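An added audit script, not from the thread, that checks a Windows host for the indicators mauserme and ymai identified (the MPNet Run value pointing at mpn.exe, mpn.exe in system32, u.exe and m.exe in the drive root, cached copies under the Default User Content.IE5 folder, and a running mpn.exe process) and reports them with SHA256 hashes for a Virus Total lookup, without deleting anything. It assumes a current PowerShell (the Win2K machines in the thread could not run it) and takes the system folder from $env:SystemRoot instead of hard-coding C:\WINNT; the cache filename pattern mpn*.exe is an assumption, since IE renames cached files.

```powershell
# Added audit script: report the indicators discussed in this thread, delete nothing.
# Assumes a current PowerShell; $env:SystemRoot stands in for the thread's C:\WINNT.
$systemRoot = $env:SystemRoot
$drive      = (Get-Item -LiteralPath $systemRoot).PSDrive.Root   # e.g. C:\
$findings   = @()

function Get-Sha256 {
    param([string]$Path)
    try { (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash } catch { 'hash-failed' }
}

# 1. Run key: the thread's HijackThis line is O4 - HKLM\..\Run: [MPNet] C:\WINNT\system32\mpn.exe
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -eq 'MPNet' -or "$($p.Value)" -match '(?i)\\mpn\.exe') {
            $findings += "Run value '$($p.Name)' = $($p.Value)"
        }
    }
}

# 2. Files named in the thread: mpn.exe in system32, u.exe / m.exe in the drive root
$paths = @((Join-Path $systemRoot 'system32\mpn.exe'),
           (Join-Path $drive 'u.exe'),
           (Join-Path $drive 'm.exe'))
foreach ($path in $paths) {
    if (Test-Path -LiteralPath $path) {   # Test-Path also sees hidden files
        $findings += "File present: $path sha256=$(Get-Sha256 $path)"
    }
}

# 3. Copies dropped into the Default User IE cache (pattern mpn*.exe is an assumption)
$cache = Join-Path $drive 'Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5'
if (Test-Path -LiteralPath $cache) {
    Get-ChildItem -LiteralPath $cache -Recurse -Force -Filter 'mpn*.exe' -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "Cached copy: $($_.FullName) sha256=$(Get-Sha256 $_.FullName)" }
}

# 4. Is mpn.exe currently running? (the thread reports one or two instances)
Get-Process -Name mpn -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Running process: mpn.exe PID $($_.Id)" }

if ($findings.Count -eq 0) { Write-Output 'No indicators from this thread found.' }
else { $findings | ForEach-Object { Write-Output $_ } }
```

Run it on each machine while it is isolated from the LAN, as mauserme advised, so a clean result is not undone by a re-infection from another host.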
Title: Re: U.exe and Sasser-like behaviour
Post by: mauserme on April 18, 2007, 02:19:20 AM
Thanks for the update ymai.  I wish I was able to be there helping  :)

When you have things well under control you may want to try running Rogue Remover against your Drive Cleaner problem.  It may help

http://www.malwarebytes.org/rogueremover.php