Author Topic: U.exe and Sasser-like behaviour  (Read 13266 times)


ymai (Jr. Member, Posts: 22)
U.exe and Sasser-like behaviour
« on: March 31, 2007, 07:16:43 PM »
Hi everybody

I've got a problem with a Sasser (or Blaster)-like malware.
A handful of Win2K computers on my LAN began to shut down with the well-known warning: "This shutdown was initiated by NT AUTHORITY\SYSTEM". It claims an error code 128.
Avast Antivirus is up to date on each of those computers. When scanning all the drives, Avast doesn't see any infection.
Nor do the classic Sasser and Blaster removal tools see anything bad.
The common point is the presence of a U.exe file on the root of the C: drive. When deleting this file (Shift+Delete), it comes back a few minutes later or at the next login. Even if it's a local login (not on the Samba Linux NT-like domain). It doesn't seem to come back when the computer is off the LAN (RJ45 removed).
Scanning that file with Avast didn't give any result (as if it wasn't infected).
In fact, the problem seems to be nearly solved with a Windows update. I didn't notice any worm-like activity one hour after the update. It was then really late and I had to leave...

A WinXP Pro computer had the same behaviour, but I couldn't find the U.exe file on its C: drive.
Can it disappear all by itself? Once, as I right-clicked on the U.exe file, it vanished. The "Delete" item in the context menu seems to be too far down to justify that it could have been activated just by right-clicking. I didn't find the U.exe file in the recycle bin. I never drink beer before leaving my job  :)

My questions are:
- what is the name of that malware?
- why doesn't Avast see it?
- where does that thing reside? On a computer that triggers the worm activity on the other computers of the LAN?
- is the Windows Update enough to protect the computers?
- how can I be sure it is away from my LAN?
- some colleagues use their personal laptop on the LAN. Shall I advise them not to use it if they didn't update?
Any answer or comment highly appreciated.
« Last Edit: March 31, 2007, 11:08:19 PM by ymai »

cogadh (Jr. Member, Posts: 28)
Re: U.exe and Sasser-like behaviour
« Reply #1 on: March 31, 2007, 11:50:57 PM »
U.exe is part of a freeware/shareware keylogger from ReFog software: www.refog.com

It's probably not being detected as a virus since it actually isn't. Someone must have installed ReFog's KGB Keylogger on your system. The paid version is able to hide itself. If you press Shift+Ctrl+Alt+K on a computer with the U.exe app, it should bring up the control console. If it is password protected, then look for and delete ksp.ini and options.ini in C:\Documents and Settings\All Users\Application Data\KSP\, that will remove the password.

If you can't get to the console, then something else may have infected your system and is just using U.exe as its name (maybe to get past non-heuristic virus scanners?). Try downloading and running HijackThis! and see what it says: http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php (Yes, TrendMicro owns HijackThis! now).
« Last Edit: April 01, 2007, 12:21:03 AM by cogadh »
Cry 'Havoc' and let slip the dogs of War!

mauserme (Massive Poster, Posts: 2475)
Re: U.exe and Sasser-like behaviour
« Reply #2 on: April 01, 2007, 12:29:49 AM »
I agree there is a commercial keylogger with a file named u.exe but there are also some trojan downloaders that could be the culprit.  I don't think a keylogger would cause the shutdown messages so even if that's what u.exe is, there may be other problems as well.

Please zip and password a sample of u.exe and email it to virus (at) avast.com.  Include the password in the body of your email with a brief explanation.

Then try scanning with AVG Antispyware and A-Squared (free versions)

http://free.grisoft.com/doc/20/lng/us/tpl/v5

http://www.emsisoft.com/en/software/free/

and post the result in your next response.

Given your description of u.exe's reappearance you will obviously need to work on each computer individually.  Leave the other PCs off if you need to connect to the LAN for internet access.


EDIT:  Forgot to ask, was your computer very far behind on Windows updates?  Which update seemed to help?

> - some colleagues use their personal laptop on the LAN. Shall I advise them not to use it if they didn't update?
Since one of them might be the source of the infection or will end up being infected themselves, I would advise them against connecting to the LAN until this is resolved (with or without updates).
« Last Edit: April 01, 2007, 12:40:14 AM by mauserme »
"If at first you don't succeed keep on sucking 'till you do succeed" - Curley Howard in Movie Maniacs (1935)

ymai (Jr. Member, Posts: 22)
Re: U.exe and Sasser-like behaviour
« Reply #3 on: April 01, 2007, 09:21:34 AM »
Many thanks to cogadh and mauserme for their help

@cogadh
I'll make the test you suggest about the Refog Keylogger. I still have a doubt because the problematic computers lie in different rooms and different buildings not accessed by the same persons.
Then, the HijackThis! test is certainly really interesting to perform. I'll post news as soon as possible.

@mauserme
I deleted all U.exe files I found. But I'll certainly fish some more  :-[ . Thanks for agreeing to test it.
Didn't think of spyware because of the shutdown behavior. I usually have very good results with Spysweeper. Do you think AVG or A-Squared are better products?
I didn't get information on the date of the last Windows update because I was in a hurry to find a solution. Should I install the updates one after the other and observe for, say, one hour?  ::)

Next health bulletin: probably Monday

mauserme (Massive Poster, Posts: 2475)
Re: U.exe and Sasser-like behaviour
« Reply #4 on: April 01, 2007, 02:49:43 PM »
> I usually have very good results with Spysweeper. Do you think AVG or A-Squared are better products?
Not necessarily better, but each looks at things a bit differently so using multiple scanners increases your chance of identifying the problem.

> Many thanks to cogadh and mauserme for their help
>
> @cogadh
> I'll make the test you suggest about the Refog Keylogger. I still have a doubt because the problematic computers lie in different rooms and different buildings not accessed by the same persons.
> Then, the HijackThis! test is certainly really interesting to perform. I'll post news as soon as possible.
>
> @mauserme
> I didn't get information on the date of the last Windows update because I was in a hurry to find a solution. Should I install the updates one after the other and observe for, say, one hour?
Well, I was wondering if your patches were years behind because the traditional Sasser and Blaster exploits were patched in 2003/2004.

Regardless of how many updates you need to install I would do them all as soon as possible and not worry about observing the effects along the way. 

ymai (Jr. Member, Posts: 22)
Re: U.exe and Sasser-like behaviour
« Reply #5 on: April 03, 2007, 09:57:58 AM »
Back on business...
A zip version of the problematic U.exe file can be found at http://sio2.be/u_file/ (password: ytreza)
I attached the HijackThis log file of a problematic computer.
Scanning with A-Squared, Spysweeper or whatever else is rather difficult because of the frequent shutdowns.

Many thanks for any help
« Last Edit: April 03, 2007, 12:58:34 PM by ymai »

mauserme (Massive Poster, Posts: 2475)
Re: U.exe and Sasser-like behaviour
« Reply #6 on: April 03, 2007, 02:00:00 PM »
Upload these files to Virus Total for analysis and post the results:

C:\WINNT\system32\mpn.exe
C:\WINNT\system32\autorun.exe

What version of RealVNC are you using - 4.1.1 or something higher?

Did you install Sysinternals PsTools?

ymai (Jr. Member, Posts: 22)
Re: U.exe and Sasser-like behaviour
« Reply #7 on: April 03, 2007, 04:38:05 PM »
Hello mauserme
> Upload these files to Virus Total for analysis and post the results:
>
> C:\WINNT\system32\mpn.exe
> C:\WINNT\system32\autorun.exe
I just uploaded the U.exe file on my home personal system, protected by Avast and Spysweeper.
Spysweeper immediately detected a problem with the mpn.exe file when unzipping the U.zip file. Just unzipping.
So, that file seems to be really dangerous!! I deleted it from the place on the web.

Avast reacted too, when I sent the file to virustotal.com (didn't know that tool; seems to be really interesting). Maybe just because I sent an .exe file.
I'm waiting for the result of the analysis.
> What version of RealVNC are you using - 4.1.1 or something higher?
Must be 4.1.2 (not sure). I'll check this tomorrow. Is there a problem with VNC?
> Did you install Sysinternals PsTools?
Yes  :)
Really fine to shutdown all the computers at the end of the work day.

Thanks a lot for your advice.

[edit]Just forgot to mention: I did the Windows Update on around 20 computers this morning. After that update, none of the computers shut down and restarted any more. While I was working, there were regular shutdowns and restarts.
But I understand that the mpn.exe problem, at least, *must* be resolved.
[/edit]
« Last Edit: April 03, 2007, 04:41:19 PM by ymai »

mauserme (Massive Poster, Posts: 2475)
Re: U.exe and Sasser-like behaviour
« Reply #8 on: April 03, 2007, 04:58:59 PM »
Don't forget to scan C:\WINNT\system32\autorun.exe at Virus Total too.  And for sure post the scan results showing what identifications are made for both files.

> Must be 4.1.2 (not sure). I'll check this tomorrow. Is there a problem with VNC?
Please double check the version number when you can.  There is a flaw in the way v4.1.1 authenticates clients that can allow an attacker unlimited access to your server.  This was patched in v4.1.2.  Take a look at this thread

http://forum.avast.com/index.php?topic=24667


> Just forgot to mention: I did the Windows Update on around 20 computers this morning. After that update, none of the computers shut down and restarted any more. While I was working, there were regular shutdowns and restarts.
> But I understand that the mpn.exe problem, at least, *must* be resolved.
Good - a step in the right direction  :)
« Last Edit: April 03, 2007, 05:01:44 PM by mauserme »

ymai (Jr. Member, Posts: 22)
Re: U.exe and Sasser-like behaviour
« Reply #9 on: April 03, 2007, 05:16:23 PM »
> Don't forget to scan C:\WINNT\system32\autorun.exe at Virus Total too.  And for sure post the scan results showing what identifications are made for both files.
Sure I'll do. But I'm home now.
Fortunately (?) the computers are not used for the moment. They are in a school and we have holidays. Only the computer science teacher is at work  :)
> Please double check the version number when you can.  There is a flaw in the way v4.1.1 authenticates clients that can allow an attacker unlimited access to your server.  This was patched in v4.1.2.
Never heard about that problem. It's on my todo list from now.

> Good - a step in the right direction  :)
Many, many thanks.

Lisandro (Avast team, Posts: 67255)
Re: U.exe and Sasser-like behaviour
« Reply #10 on: April 03, 2007, 07:50:06 PM »
ymai, which version of avast are you using, the Home or the Professional?
The best things in life are free.

ymai (Jr. Member, Posts: 22)
Re: U.exe and Sasser-like behaviour
« Reply #11 on: April 04, 2007, 05:34:06 PM »
There we are again

@mauserme: I'm afraid you were right about VNC 4.1.1. I found a PC that kept an extra-high bandwidth load and some strange machines connected to my Samba server. When I restart Samba, they come back after a few minutes.
I think I have isolated a second computer that causes the shutdowns.
Still a bit of work for fixing the VNC failure and (probably) Windows Update on the remaining workstations. But we are on the right track. Thanks to you.

@Tech: I use the Home version on my Windows workstation at home. They bought Pro Licences at school. Would you mean I'm not as well protected at home? I'm scared!!

[edit]BTW, I didn't receive any analysis from Virus Total. Some antivirus filtering on the way, maybe... [/edit]
« Last Edit: April 04, 2007, 05:40:26 PM by ymai »

mauserme (Massive Poster, Posts: 2475)
Re: U.exe and Sasser-like behaviour
« Reply #12 on: April 04, 2007, 06:04:08 PM »
Hi ymai,

You need to prioritize updating VNC to the current version.  Without it you'll constantly have new malware being downloaded.  After the update make sure to assign new user IDs and passwords for every authorized user, and revoke any old credentials that may still be stored.

Here's one more link to a thread about the flaw I mentioned that will help you see how this was exploited in the past.  I don't know for sure but I'm guessing your file named u.exe is acting in much the same way as the file named "i" in the other thread.

http://forum.avast.com/index.php?topic=25213.msg206306#msg206306

Have you had a chance to scan those two files at Virus Total yet?  Well, I guess we already know mpn.exe needs to go but I would still like to see the identifications for that and autorun.exe.

One more question - Are you connected to Mount Pleasant High School in any way?


> [edit]BTW, I didn't receive any analysis from Virus Total. Some antivirus filtering on the way, maybe... [/edit]
Not sure what the problem is, but you could try Jotti instead

http://virusscan.jotti.org/

Just use the Browse button at the top of the page and navigate to the file.
« Last Edit: April 04, 2007, 06:16:58 PM by mauserme »

Lisandro (Avast team, Posts: 67255)
Re: U.exe and Sasser-like behaviour
« Reply #13 on: April 04, 2007, 08:18:02 PM »
> @Tech: I use the Home version on my Windows workstation at home. They bought Pro Licences at school. Would you mean I'm not as well protected at home? I'm scared!!
No, I'm not saying that, the Home version protects you very well. The major differences with the Professional version aren't related to protection but with features that Home version misses compared with the Pro.

ymai (Jr. Member, Posts: 22)
Re: U.exe and Sasser-like behaviour
« Reply #14 on: April 05, 2007, 12:16:01 PM »
Here is the result of the scan of the mpn.exe file from http://virusscan.jotti.org/
It seems that Avast doesn't see the Trojan...  :'(

File: mpn.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5: d1f468970418e8c55e20ad188bc9ee6b
Packers detected: -
Scanner results
Scan taken on 05 Apr 2007 09:42:56 (GMT)
AntiVir    Found BDS/VanBot.BW
ArcaVir    Found Trojan.Vanbot.Bw
Avast    Found nothing
AVG Antivirus    Found Win32/CryptExe
BitDefender    Found Backdoor.VanBot.AP
ClamAV    Found Trojan.SdBot-5302
Dr.Web    Found BackDoor.IRC.Sdbot.1207
F-Prot Antivirus Found W32/Backdoor.AKSA
F-Secure Anti-Virus    Found Backdoor.Win32.VanBot.bh
Fortinet    Found W32/Delbot.W!worm
Kaspersky Anti-Virus    Found Backdoor.Win32.VanBot.bh
NOD32    Found Win32/Rinbot.W
Norman Virus Control    Found nothing
Panda Antivirus    Found W32/Rinbot.gen.worm
Rising Antivirus    Found Backdoor.Mybot.yvz
VirusBuster    Found Backdoor.Vanbot.Gen!Pac
VBA32    Found Trojan.Win32.Rinbot.W

The VirusTotal test does not look better...

Antivirus   Version   Update   Result
AhnLab-V3   2007.4.5.0   04.05.2007   Win32/IRCBot.worm.213504.D
AntiVir   7.3.1.48   04.05.2007   BDS/VanBot.BW
Authentium   4.93.8   04.04.2007   W32/Backdoor.AKSA
Avast   4.7.936.0   04.04.2007   no virus found
AVG   7.5.0.447   04.04.2007   Win32/CryptExe
BitDefender   7.2   04.05.2007   Backdoor.VanBot.AP
CAT-QuickHeal   9.00   04.04.2007   no virus found
ClamAV   devel-20070312   04.05.2007   Trojan.SdBot-5302
DrWeb   4.33   04.05.2007   BackDoor.IRC.Sdbot.1207
eSafe   7.0.15.0   04.04.2007   Win32.VanBot.bw
eTrust-Vet   30.7.3544   04.05.2007   Win32/Nirbot.AF
Ewido   4.0   04.04.2007   Backdoor.VanBot.bw
FileAdvisor   1   04.05.2007   no virus found
Fortinet   2.85.0.0   04.05.2007   W32/Delbot.W!worm
F-Prot   4.3.1.45   04.04.2007   W32/Backdoor.AKSA
F-Secure   6.70.13030.0   04.05.2007   Backdoor.Win32.VanBot.bh
Ikarus   T3.1.1.3   04.05.2007   Backdoor.Win32.VanBot.bh
Kaspersky   4.0.2.24   04.05.2007   Backdoor.Win32.VanBot.bh
McAfee   5001   04.04.2007   W32/Nirbot.worm
Microsoft   1.2405   04.05.2007   no virus found
NOD32v2   2168   04.04.2007   Win32/Rinbot.W
Norman   5.80.02   04.05.2007   no virus found
Panda   9.0.0.4   04.05.2007   W32/Rinbot.gen.worm
Prevx1   V2   04.05.2007   Covert.Sys.Exec
Sophos   4.16.0   03.30.2007   W32/Delbot-W
Sunbelt   2.2.907.0   04.03.2007   no virus found

No autorun.exe available at home. I'll check it on my workplace.

Some more information. I found the U.exe file on my daughter's Win2k computer (protected ? by Avast Home). Furthermore, I found a M.exe file that made Avast react!!!
Here is the log file:
5/04/2007 11:19:31   Sandrine   552   Sign of "Win32:Agent-DDN [Trj]" has been found in "C:\Documents and Settings\Sandrine\Local Settings\Temporary Internet Files\Content.IE5\LBQOLI8D\m[1].exe\[CExe]" file. 

5/04/2007 11:21:53   Sandrine   552   Sign of "Win32:Agent-DDN [Trj]" has been found in "C:\m.exe\[CExe]" file. 

5/04/2007 11:43:45   Sandrine   552   Sign of "Win32:Agent-DDN [Trj]" has been found in "C:\Documents and Settings\Administrateur\Local Settings\Temporary Internet Files\Content.IE5\41234567\m[1].exe\[CExe]" file. 

5/04/2007 11:43:57   Sandrine   552   Sign of "Win32:Agent-DDN [Trj]" has been found in "C:\m.exe\[CExe]" file. 

I'll have to format that computer as I notice very high traffic on my router.
My very own computer @home is safe: I don't leave Linux Fedora  ;D
These were the fresh news from the day.


PS: http://www.mphsknights.com/ looks like a cool place. But I've never been in the US. :)
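As an added example (not code from the thread, from Avast, Jotti or VirusTotal), here is a small Python triage script for the kind of results posted above: it parses a VirusTotal-style result table as the forum rendered it (columns separated by runs of spaces), counts which engines hit and which missed, collapses the vendor names down to a family token so that VanBot/Rinbot/SdBot aliases can be compared, and parses the Avast log lines to recover the on-disk path of each hit and flag drops at the root of a drive. The sample lines are copied from this thread; the family-token heuristic and the generic-prefix list are my own assumptions, not any vendor's naming scheme, and the meaning of the third Avast log column is not stated in the thread.

```python
import re
from collections import Counter

# Subset of the VirusTotal table posted in the thread for mpn.exe.
VT_TABLE = """\
Antivirus   Version   Update   Result
AhnLab-V3   2007.4.5.0   04.05.2007   Win32/IRCBot.worm.213504.D
AntiVir   7.3.1.48   04.05.2007   BDS/VanBot.BW
Avast   4.7.936.0   04.04.2007   no virus found
AVG   7.5.0.447   04.04.2007   Win32/CryptExe
ClamAV   devel-20070312   04.05.2007   Trojan.SdBot-5302
F-Secure   6.70.13030.0   04.05.2007   Backdoor.Win32.VanBot.bh
Kaspersky   4.0.2.24   04.05.2007   Backdoor.Win32.VanBot.bh
Microsoft   1.2405   04.05.2007   no virus found
NOD32v2   2168   04.04.2007   Win32/Rinbot.W
Panda   9.0.0.4   04.05.2007   W32/Rinbot.gen.worm
Sophos   4.16.0   03.30.2007   W32/Delbot-W
"""

# Two of the Avast log lines posted in the thread for m.exe.
AVAST_LOG = r"""
5/04/2007 11:19:31   Sandrine   552   Sign of "Win32:Agent-DDN [Trj]" has been found in "C:\Documents and Settings\Sandrine\Local Settings\Temporary Internet Files\Content.IE5\LBQOLI8D\m[1].exe\[CExe]" file.
5/04/2007 11:21:53   Sandrine   552   Sign of "Win32:Agent-DDN [Trj]" has been found in "C:\m.exe\[CExe]" file.
"""

NO_DETECTION = {"no virus found", "found nothing", "-"}

# Naming prefixes that carry no family information (assumed list).
GENERIC_TOKENS = {"win32", "w32", "backdoor", "bds", "trojan", "worm",
                  "gen", "generic", "trj", "irc"}


def parse_vt_table(text):
    """Parse a VirusTotal-style result table into one dict per engine."""
    rows = []
    for line in text.splitlines():
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) != 4 or fields[0] == "Antivirus":
            continue  # skip header and malformed lines
        engine, version, update, result = fields
        rows.append({"engine": engine, "version": version, "update": update,
                     "result": result,
                     "detected": result.strip().lower() not in NO_DETECTION})
    return rows


def detection_summary(rows):
    """Return (hits, total, engines that reported nothing)."""
    hits = sum(1 for r in rows if r["detected"])
    missed = [r["engine"] for r in rows if not r["detected"]]
    return hits, len(rows), missed


def family_token(result):
    """Reduce a vendor name to a family token, e.g.
    'Backdoor.Win32.VanBot.bh' -> 'vanbot' (heuristic, assumed)."""
    for tok in re.split(r"[./\\\-:!]+", result):
        low = tok.lower()
        if not low or low in GENERIC_TOKENS or low.isdigit() or len(low) <= 2:
            continue  # drop platform/class prefixes and variant suffixes
        return low
    return None


def family_counts(rows):
    """Count how many engines agree on each family token."""
    return Counter(family_token(r["result"]) for r in rows
                   if r["detected"] and family_token(r["result"]))


AVAST_LINE = re.compile(
    r'^(?P<when>\d+/\d+/\d+ \d+:\d+:\d+)\s+(?P<user>\S+)\s+(?P<num>\d+)\s+'
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.\s*$')


def parse_avast_log(text):
    """Parse Avast 4.x 'Sign of ... has been found' lines."""
    entries = []
    for line in text.splitlines():
        m = AVAST_LINE.match(line.strip())
        if not m:
            continue
        # Avast appends "\[CExe]" when the hit is inside an unpacked
        # executable; strip it to recover the on-disk path.
        path = re.sub(r"\\\[[^\]]+\]$", "", m.group("path"))
        entries.append({"when": m.group("when"), "user": m.group("user"),
                        "signature": m.group("sig"), "path": path,
                        # exactly one backslash: a file dropped at the drive root
                        "drive_root": path.count("\\") == 1})
    return entries


if __name__ == "__main__":
    rows = parse_vt_table(VT_TABLE)
    hits, total, missed = detection_summary(rows)
    print(f"{hits}/{total} engines detected mpn.exe; missed by: {missed}")
    print("family agreement:", family_counts(rows).most_common())
    for e in parse_avast_log(AVAST_LOG):
        flag = "ROOT DROP" if e["drive_root"] else "cache"
        print(f"{e['when']} {e['signature']} {flag}: {e['path']}")
```

Running it on the thread's data shows the point mauserme made about multiple scanners: a single engine reporting "no virus found" is not evidence of a clean file when most others agree on the same family, and a copy of the same sample sitting at C:\ next to the browser-cache download is the re-drop behaviour ymai described for U.exe.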