Author Topic: U.exe and Sasser-like behaviour


mauserme

  • Guest
Re: U.exe and Sasser-like behaviour
« Reply #15 on: April 05, 2007, 01:18:05 PM »
I asked about Mt. Pleasant High School because of this line in your hjt log

O4 - HKLM\..\Run: [MPNet] C:\WINNT\system32\mpn.exe

This is the registry entry that causes mpn.exe to load at startup.  The service name is MPNet.  Another Mt. Pleasant High School web site is

http://mpnet.esuhsd.org/

And you said you are in education.  I didn't know if there was significance or coincidence in this - I suppose the latter.

We have much work to do and we will have to be careful to not confuse one computer with another.  Generally you will need to fully update every computer (both Windows and VNC Updates) that has been connected to your LAN. 

After the updates do a boot scan with avast!, then a thorough scan with AVG Antispyware.  Quarantine whenever possible as opposed to deleting files.

I am ready to clean the first computer you posted about (the one you ran hjt on) whenever you're ready but I need the Virus Total or Jotti results on autorun.exe first.  We will use hijackthis first on this machine but please recognize that the fix for this one may not be the same for every PC globally.  Hijackthis is very powerful and can cause damage if used incorrectly, so we may need to individually analyze each machine in your LAN.

In the meantime, please email a zipped and password protected copy of mpn.exe to virus(@)avast.com and include the password in the body of your email along with a link to this thread (posting it on your web site won't help - it needs to be emailed).

EDIT:

Quote
My very own computer @home is safe: I don't leave Linux Fedora
There is no Windows partition?
« Last Edit: April 05, 2007, 02:05:49 PM by mauserme »

ymai

  • Guest
Re: U.exe and Sasser-like behaviour
« Reply #16 on: April 05, 2007, 06:29:33 PM »
And you said you are in education.  I didn't know if there was significance or coincidence in this - I suppose the latter.
The latter...
And I'm afraid mpn.exe has no relation with any school, except a piracy school.
Quote
We have much work to do and we will have to be careful to not confuse one computer with another.  Generally you will need to fully update every computer (both Windows and VNC Updates) that has been connected to your LAN.
Every computer  :o That is about 90 PC's. Fortunately, I'm on holidays.
It's 6 PM here. A bit too late to begin the work this evening.
Quote
After the updates do a boot scan with avast!, then a thorough scan with AVG Antispyware.  Quarantine whenever possible as opposed to deleting files.

I am ready to clean the first computer you posted about (the one you ran hjt on) whenever you're ready but I need the Virus Total or Jotti results on autorun.exe first.  We will use hijackthis first on this machine but please recognize that the fix for this one may not be the same for every PC globally.  Hijackthis is very powerful and can cause damage if used incorrectly, so we may need to individually analyze each machine in your LAN.
As mpn.exe does not seem to be a regular Windows file, I thought it would be easy to recognize an infection. Bad idea.
Quote
In the meantime, please email a zipped and password protected copy of mpn.exe to virus(@)avast.com and include the password in the body of your email along with a link to this thread (posting it on your web site won't help - it needs to be emailed).
I'll do it ASAP via a gmail account. I hope it is not filtered.
Quote

EDIT:

Quote
My very own computer @home is safe: I don't leave Linux Fedora
There is no Windows partition?
There are two Windows partitions. But the virus/spywares/adwares won't be active under Linux. What a peaceful place.

mauserme

  • Guest
Re: U.exe and Sasser-like behaviour
« Reply #17 on: April 05, 2007, 11:28:42 PM »
Every computer  :o That is about 90 PC's.
Can I rethink my previous statement?   ;D

Well, if they're on the LAN they should be checked ...

There's a way to fix this manually (and quickly when it's just a few computers) with HijackThis, but with that number of computers let's do an experiment to see if we can automate this process.  On the computer that the hjt log came from make sure Windows and VNC are up to date, then run an avast! boot scan.  After, rename hijackthis.exe to hijackthat.exe and generate/post a new log using the renamed executable.  If this process cleans the infection(s) we can use it on as many of the other computers simultaneously as you can handle.  If it is not successful we will try AVG Antispyware followed by another hjt log, etc. until we find the right fix.

I do still need the autorun.exe analysis when you have a chance.



There are two Windows partitions. But the virus/spywares/adwares won't be active under Linux. What a peaceful place.
Kaspersky has developed a proof-of-concept cross platform virus able to infect both Linux and Windows.  Its capabilities are limited on the Linux side, of course, but it shows that assumptions should no longer be made with dual boot set ups.

It's up to you, but given the amount of time you're going to devote to cleaning this up I would give my own computer the 20 minutes it needs to be checked  :)

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67195
Re: U.exe and Sasser-like behaviour
« Reply #18 on: April 06, 2007, 02:34:23 PM »
ymai, do you use avast! ADNM version?
How did you deploy avast to those 90 machines?
The best things in life are free.

ymai

  • Guest
Re: U.exe and Sasser-like behaviour
« Reply #19 on: April 06, 2007, 03:09:28 PM »
I've just sent the two files, mpn.exe and autorun.exe, to virus_[at]_avast.com
Wasn't easy because Gmail does not accept executable (even zipped) files. They were renamed as *.txt.

ymai

  • Guest
Re: U.exe and Sasser-like behaviour
« Reply #20 on: April 06, 2007, 03:21:41 PM »
ymai, do you use avast! ADNM version?
How did you deploy avast to those 90 machines?
I did deploy Avast with my very own two hands and ten fingers...
In our country, computer science teachers do everything; as you probably noticed, I'm just an "amateur". I have a tiny education in Computer Science. I studied Chemistry at the university; in the late 70's, when the computers were just an idea...
Your Distributed Network Manager looks like great software. I didn't see the prices.
We have no Windows Server (just a Samba Linux PDC) and Win2k/XP workstations. Should it work?

ymai

  • Guest
Re: U.exe and Sasser-like behaviour
« Reply #21 on: April 06, 2007, 03:24:32 PM »
Autorun.exe analysis by Virustotal:

Complete scanning result of "Autorun.exe", received in VirusTotal at 04.06.2007, 14:49:14 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.4.5.0 04.06.2007 no virus found
AntiVir 7.3.1.48 04.06.2007 no virus found
Authentium 4.93.8 04.06.2007 no virus found
Avast 4.7.936.0 04.05.2007 no virus found
AVG 7.5.0.447 04.05.2007 no virus found
BitDefender 7.2 04.06.2007 no virus found
CAT-QuickHeal 9.00 04.05.2007 no virus found
ClamAV devel-20070312 04.06.2007 no virus found
DrWeb 4.33 04.06.2007 no virus found
eSafe 7.0.15.0 04.06.2007 no virus found
eTrust-Vet 30.7.3546 04.06.2007 no virus found
Ewido 4.0 04.06.2007 no virus found
FileAdvisor 1 04.06.2007 No threat detected
Fortinet 2.85.0.0 04.06.2007 no virus found
F-Prot 4.3.1.45 04.04.2007 no virus found
F-Secure 6.70.13030.0 04.06.2007 no virus found
Ikarus T3.1.1.3 04.06.2007 Trojan-PWS.Legmir
Kaspersky 4.0.2.24 04.06.2007 no virus found
McAfee 5002 04.05.2007 no virus found
Microsoft 1.2405 04.06.2007 no virus found
NOD32v2 2171 04.06.2007 no virus found
Norman 5.80.02 04.05.2007 no virus found
Panda 9.0.0.4 04.06.2007 no virus found
Prevx1 V2 04.06.2007 no virus found
Sophos 4.16.0 04.06.2007 no virus found
Sunbelt 2.2.907.0 04.03.2007 no virus found
Symantec 10 04.06.2007 no virus found
TheHacker 6.1.6.085 04.04.2007 no virus found
VBA32 3.11.3 04.04.2007 Trojan.PWS.Legmir
VirusBuster 4.3.7:9 04.05.2007 no virus found
Webwasher-Gateway 6.0.1 04.06.2007 no virus found

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67195
Re: U.exe and Sasser-like behaviour
« Reply #22 on: April 06, 2007, 03:27:49 PM »
Your Distributed Network Manager looks like great software. I didn't see the prices.
But... 90 Professional versions bought?

We have no Windows Server (just a Samba Linux PDC) and Win2k/XP workstations. Should it work?
The ADNM has the necessary tools to deploy avast installation in a network of workstations without server.
The best things in life are free.

mauserme

  • Guest
Re: U.exe and Sasser-like behaviour
« Reply #23 on: April 06, 2007, 05:03:10 PM »
I'm sorry this is taking so long, ymai.  If this was a single computer or two we would be done already.

I think the Virus Total detections for autorun.exe are false positives, especially so if you have a Soltek motherboard or video card.  Do you know if either of these are present?

There is one more scan I would like to see that may give us a clue about autorun.exe based on file creation dates.  This will also do one more check for malware.

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

After this scan we should be able to proceed with cleaning.

ymai

  • Guest
Re: U.exe and Sasser-like behaviour
« Reply #24 on: April 06, 2007, 08:58:42 PM »
I'm sorry this is taking so long, ymai.  If this was a single computer or two we would be done already.
Please don't. I have been at work the whole afternoon. The Internet connection was really awful. It was not possible to come back here.
Quote
I think the Virus Total detections for autorun.exe are false positives, especially so if you have a Soltek motherboard or video card.  Do you know if either of these are present?
You hit it!! This is my only workstation with a Soltek motherboard. The original motherboard went out of use two years ago. It was then replaced.
I didn't find any other autorun.exe file on any other computer.
Quote
There is one more scan I would like to see that may give us a clue about autorun.exe based on file creation dates.  This will also do one more check for malware.

Download ComboFix from Here or Here to your Desktop.
I'm afraid my wife won't let me go to school during the easter weekend. You'll have a rest.

I have good news. It seems that the infection is rather recent as computers that have not been used during the week between March 19 and March 23 are out of problem. That's a huge number: around 35-40 workstations.
HijackThis finds the mpn.exe in the registry on most other computers. No real difficulty to get rid of it. Then, reboot the computer and rename the mpn.exe to mpn.exe.bak
I had one really resistant computer that froze when I tried to launch any program. Fortunately, I have a Ghost image dating from February! I used it. I'll just have to look twice for the Windows and Avast updates.
I didn't have time enough to perform an Avast boot scan on all the "cured" PC's.
The only question, for the moment, seems to be: where does that mpn.exe come from? Is the source still somewhere on the LAN? Is an Avast scan able to find it?
I have three days to think and search for the answer.

Many, many thanks again for your work.

ymai

  • Guest
Re: U.exe and Sasser-like behaviour
« Reply #25 on: April 06, 2007, 09:03:09 PM »
Your Distributed Network Manager looks like great software. I didn't see the prices.
But... 90 Professional versions bought?
Certainly not. The Linux workstations are protected with ClamAV.
The Windows workstations that are not connected to the Internet are protected with ClamWin.
Some others use another commercial antivirus. But Avast is our favorite.
We have no Windows Server (just a Samba Linux PDC) and Win2k/XP workstations. Should it work?
The ADNM has the necessary tools to deploy avast installation in a network of workstations without server.
Good to know that.

mauserme

  • Guest
Re: U.exe and Sasser-like behaviour
« Reply #26 on: April 06, 2007, 10:10:13 PM »
I'm afraid my wife won't let me go to school during the easter weekend.
Good for her.  Easter should be a time of rest.

The only question, for the moment, seems to be: where does that mpn.exe come from? Is the source still somewhere on the LAN? Is an Avast scan able to find it?
This is something of a guess but it seems logical to me.  The entry point was the old version of VNC -  this allowed a hacker into the LAN.  The u.exe file (or m.exe in some cases) was downloaded and, as you saw on your own computer, u.exe acted as either an installer or downloader for mpn.exe.   I suspect if you had not caught this when you did additional files would have been downloaded as well.

Is the source still on your computer(s)?  If you have updated VNC on all the computers and removed u.exe (or possibly other single-letter.exe files) I think not.

I will give you two fixes that you can choose from.  I tend to favor automatic (program based) fixes over manual but, as you said,  with the number of computers you're working with the manual option may be the way to go.

Option 1

Schedule an avast! boot scan, including archives.  Reboot and let the scan run, putting in quarantine anything found. 

When done make sure your folder options are set to Show Hidden Files and Folders.  Then check your root directory for u.exe and m.exe.  Delete these if present.

If there are any other unusual files in the root upload to Virus Total to determine if they too should be deleted.


Option 2

This method poses some risk if done incorrectly but I'm sure you are capable of using it safely.  Keep in mind that this is specific to the exact hijackthis line listed below - if you see lines that differ post a copy so I can look at it.

Open Hijackthis and click the button labeled Do a System Scan Only.  When the scan is finished place a check mark next to this line

O4 - HKLM\..\Run: [MPNet] C:\WINNT\system32\mpn.exe

Then click the button labeled Fix Checked.  This will remove the start up entry from the registry but the file will still be present.

Next, boot into safe mode and delete this file

C:\WINNT\system32\mpn.exe

Finally, make sure your folder options are set to show Hidden Files and Folders and check your root directory for u.exe and m.exe.  Delete these if present.

If there are any other unusual files in the root upload them to Virus Total to determine if they too should be deleted.



If you run into any other unusual circumstances or suspect files please feel free to post again.  I would also be very interested in occasional progress reports if you don't mind.

Also keep in mind the laptops you mentioned may have been compromised as well.  They should be checked before they are allowed back on the LAN.
« Last Edit: April 06, 2007, 10:35:20 PM by mauserme »
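One way to triage the O4 autostart lines mauserme's Option 2 is built around, as an added example that is not part of the thread: a small Python helper that parses HijackThis O4 lines and flags the indicators named in this thread (the MPNet value name, mpn.exe, u.exe, m.exe, other single-letter .exe files and executables sitting in the drive root). The sample log lines are constructed for the example, and nothing here touches the registry or deletes anything; it only tells you which lines deserve a look before you check them in HijackThis.

```python
import re

# HijackThis prints registry autostart entries as "O4" lines, e.g.
#   O4 - HKLM\..\Run: [MPNet] C:\WINNT\system32\mpn.exe
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): "
                   r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Indicators taken from this thread; extend the sets as new names turn up.
SUSPECT_VALUE_NAMES = {"mpnet"}
SUSPECT_FILE_NAMES = {"mpn.exe", "u.exe", "m.exe"}

def parse_o4(line):
    """Dict with hive/key/name/cmd for a registry O4 line, None for anything else."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None

def exe_path(cmd):
    """Program path from a command line: the quoted part, else the first token."""
    cmd = cmd.strip()
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]

def reasons(entry):
    """Why an entry resembles the autostart seen in this thread (empty list = clean)."""
    path = exe_path(entry["cmd"])
    exe = path.rsplit("\\", 1)[-1].lower()
    why = []
    if entry["name"].lower() in SUSPECT_VALUE_NAMES:
        why.append(f"value name {entry['name']!r} is a known indicator")
    if exe in SUSPECT_FILE_NAMES:
        why.append(f"executable {exe} is a known indicator")
    elif re.fullmatch(r"[a-z]\.exe", exe):  # other single-letter .exe files
        why.append(f"single-letter executable {exe}")
    if re.fullmatch(r"[a-z]:\\[^\\]+", path, re.I):  # file directly in C:\ etc.
        why.append("executable sits in a drive root")
    return why

def triage(log_text):
    """Return [(line, reasons)] for every O4 entry that trips an indicator."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry and reasons(entry):
            flagged.append((line, reasons(entry)))
    return flagged

# Constructed sample lines (not the thread's own hjt output); the avast! and
# VNC lines are the kind of legitimate entries that must not be flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [MPNet] C:\WINNT\system32\mpn.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Updater] C:\u.exe
O4 - HKLM\..\Run: [VNC Server] "C:\Program Files\RealVNC\VNC4\winvnc4.exe" -service
"""
```

Running `triage(SAMPLE_LOG)` returns the mpn.exe and u.exe lines with their reasons and leaves the other two alone; a flagged line is a candidate to check in HijackThis, not proof of infection, so unknown files still go to Virus Total first as the post says.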

ymai

  • Guest
Re: U.exe and Sasser-like behaviour
« Reply #27 on: April 06, 2007, 11:29:45 PM »
mauserme, you're really a saver. Thanks to you, the solution arises...
I'm afraid my wife won't let me go to school during the easter weekend.
Good for her.  Easter should be a time of rest.
Unfortunately, not for the lambs we are used to eating for Easter in our tradition.
Quote
The entry point was the old version of VNC -  this allowed a hacker into the LAN.
So, first of all, I'll update VNC. I saw the installed version is 4.1.0 almost everywhere. But I certainly installed several 4.1.1 versions recently, as I found that installation file version in my installation directory.
Quote
When done make sure your folder options are set to Show Hidden Files and Folders.
It's the default situation.
Quote
Then check your root directory for u.exe and m.exe.  Delete these if present.
Just what I did this afternoon.
Quote
O4 - HKLM\..\Run: [MPNet] C:\WINNT\system32\mpn.exe
I feel like an O4 - HKLM... killer. That's what I did before deleting u.exe files (no m.exe files found on my LAN; I found it @home)
Quote
If you run into any other unusual circumstances or suspect files please feel free to post again.
Great! You are great.
Quote
I would also be very interested in occasional progress reports if you don't mind.
It will be my pleasure. But next week.
Quote
Also keep in mind the laptops you mentioned may have been compromised as well.  They should be checked before they are allowed back on the LAN.
I'll send a mail to all my colleagues, for Merry Easter and  Happy Malware Fighting.
Merry Easter to you.

mauserme

  • Guest
Re: U.exe and Sasser-like behaviour
« Reply #28 on: April 07, 2007, 01:03:04 AM »
Unfortunately, not for the lambs we are used to eating for Easter in our tradition.
Nor for the cooks, but that effort is excusable :)

Quote
... no m.exe files found on my LAN; I found it @home
The m.exe file is probably a different situation on your daughter's computer.  I hadn't given it much thought since you said you would reformat that one, but if you want to avoid that I would be happy to look at her Hijackthis log.

Quote
Merry Easter to you.
And to you ymai.  See you next week  :)
« Last Edit: April 07, 2007, 02:00:45 AM by mauserme »

ymai

  • Guest
Re: U.exe and Sasser-like behaviour
« Reply #29 on: April 10, 2007, 09:46:31 PM »
I promised to come back. So, here I am.
Unfortunately, I don't have good news.
I scratched all the VNC 4.1.0 (yes, 4.1.0) and installed 4.1.2 versions instead.
I tried to update Windows. Some PC's don't seem to want updating. Maybe because of a too narrow Internet bandwidth. Not sure because of a hyperactive worm activity: the router doesn't look too busy.

Nevertheless, I tried to cure each computer with HijackThis for the mpn.exe key. I halted all mpn.exe processes in the taskmanager (sometimes one occurrence, sometimes two). Then, I shift+Deleted the mpn.exe in the System32 directory and any U.exe file.
A few minutes later, they are all back: in the registry, in the taskmanager and in the System32 directory.
I tried to reboot the computers just after the cleaning. They are always back with that #@%!!$@ mpn.exe  :)

There must be some kind of zombie on the LAN waiting to infect other computers.

Because we must be back to business next Monday, I'm afraid I won't be able to solve the problem by myself, even with your invaluable help. I need a professional with hands on my LAN.

One more time, many, many thanks for your help.