Author Topic: Unknown Worm ??  (Read 11303 times)


donna

  • Guest
Unknown Worm ??
« on: June 13, 2003, 06:56:39 PM »
This appears to be a worm and is using up mega space on the hard drive.  Here is what it looks like:

E:\Inetpub\wwwroot\_vti_log
               First Folder does not have a name
                     Second, Third, Fourth subfolders - no name
                      The Fifth Subfolder is com1
                       The Sixth Subfolder is com2, etc.

I can not delete, move or rename these files.  Have gone into command mode using dos commands to try to remove them too - no luck.        

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:Unknown Worm ??
« Reply #1 on: June 13, 2003, 07:51:31 PM »
Some wild guesses:

It sounds like a web server is running on your machine. Type http://127.0.0.1 or http://127.0.0.1:555 into your browser and see what happens. Does it show the content of drive C:?

Do you use Kazaa or other P2P software, and do you share files whose names are iso, fulldownloader, crack or similar? Have you received any "strange" mails in the last few days?
MfG Ralf

donna

  • Guest
Re:Unknown Worm ??
« Reply #2 on: June 13, 2003, 07:55:09 PM »
This is a Windows 2000 Web server.  No, we don't have any folders with the names that you listed.  We do not have email running on this Web server.

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:Unknown Worm ??
« Reply #3 on: June 13, 2003, 07:57:46 PM »
If I remember correctly, the folders belong to the web server.
Use Google and search for: Inetpub\wwwroot\_vti_log and study the results. Maybe that will answer your questions.
MfG Ralf

donna

  • Guest
Re:Unknown Worm ??
« Reply #4 on: June 13, 2003, 08:11:42 PM »
The search refers to the sadmind/IIS Internet Worm - Is that the one that you are referring to?

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:Unknown Worm ??
« Reply #5 on: June 13, 2003, 08:21:26 PM »
No, I mean generally. I think such old malware should be picked up by avast!?
Have you installed all patches available for Win2000 and IIS?

BTW: I have to say that I do not have much experience with IIS; maybe one of the Avast guys can help out here?!
MfG Ralf

donna

  • Guest
Re:Unknown Worm ??
« Reply #6 on: June 13, 2003, 08:24:56 PM »
All security patches have been installed.

I did run the trial version of Avast but it did not seem to find these folders.  We have not purchased the license yet.

donna

  • Guest
Re:Unknown Worm ??
« Reply #7 on: June 13, 2003, 09:55:04 PM »
I checked with the server techs - they had installed the demo/trial version of Avast.  When it was running, it created something almost like a denial of service attack - so they uninstalled/deleted Avast.

Should we reinstall it?  If yes, does the demo work?  We can not purchase it until we are sure that it can do the job :-)

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:Unknown Worm ??
« Reply #8 on: June 13, 2003, 10:25:12 PM »
Maybe this solves the "DOS" attacks.
From VLK:
---cut---
It may be caused by the "ping" command that avast uses to find out whether a connection is available. To disable this pinging, please try to insert the following 2 lines at the end of the <avast-folder>\data\avast4.ini file:

[InetWD]
AssumeAlwaysConnected=1

Then reboot, and see if anything changes.
---cut---
MfG Ralf

otis61

  • Guest
Re:Unknown Worm ??
« Reply #9 on: June 14, 2003, 01:57:24 AM »
Hello. One thing I don't see mentioned here. Generally, if anyone has a virus, Trojan, worm, etc. on their computer, it's best to turn off the electricity to the computer so that the virus etc. cannot continue to do damage to the software, etc. I believe this is the best thing to do until the offending virus etc. is removed.
otis61

kubecj

  • Guest
Re:Unknown Worm ??
« Reply #10 on: June 14, 2003, 02:12:06 AM »
Quote
This appears to be a worm and is using up mega space on the hard drive.  Here is what it looks like:

E:\Inetpub\wwwroot\_vti_log
               First Folder does not have a name
                     Second, Third, Fourth subfolders - no name
                      The Fifth Subfolder is com1
                       The Sixth Subfolder is com2, etc.

I can not delete, move or rename these files.  Have gone into command mode using dos commands to try to remove them too - no luck.        

This is (or was) a common trick of the warez guys. They create a few dirs with strange names, put some hot content there and publish the full URL in the warez list.

Of course these dirs/files are removable; you just have to do it from the command line, escape the names with quotes, etc. Or write some short script or whatever.

You should also find out how the bad guys cracked into your web/ftp server.

donna

  • Guest
Re:Unknown Worm ??
« Reply #11 on: June 14, 2003, 05:08:34 PM »
I did try to remove the folders from the command line.  Can you please give me an example to escape the names?

I can not turn off the server - this is a live, active Web site.


Also, we feel that this may have been done by a consultant that we had hired to set up routers.  He was unable to do so - we ended up doing it ourselves - we did pay him; however, the fact that he couldn't finish the project may have hurt his reputation a bit.


kubecj

  • Guest
Re:Unknown Worm ??
« Reply #12 on: June 16, 2003, 12:52:08 AM »
Quote
I did try to remove the folders from the command line.  Can you please give me an example to escape the names?

First, you have to find out their 'real' filenames.
So do something like dir /s /b *.* >some.lst

Then read it in a hex-capable editor; you'll see they may not be spaces but, for example, 0xFFs.

Then try to reproduce them on the command line, enclosed in parentheses. On an NT-based system you may try del /s on the first directory.

BTW: Can you tell us what 0day warez you've got there?  8)

Quote
I can not turn off the server - this is a live, active Web site.
You should at least change all the passwords and check that there are no additional unknown users, and that no default users have got new privileges.

« Last Edit: June 16, 2003, 12:54:57 AM by kubecj »

donna

  • Guest
Re:Unknown Worm ??
« Reply #13 on: June 16, 2003, 07:29:35 PM »
This is what I have from the dir /s /b command - How do I change to a directory that I do not have a name for?   I also tried the aswclnru.exe - that did not find anything.

E:\INETPUB\WWWROOT\   \         \  
E:\INETPUB\WWWROOT\   \         \    
E:\INETPUB\WWWROOT\   \         \    
E:\INETPUB\WWWROOT\   \         \    \  
E:\INETPUB\WWWROOT\   \         \    \  \com1
E:\INETPUB\WWWROOT\   \         \    \  \com2
E:\INETPUB\WWWROOT\   \         \    \  \com3
E:\INETPUB\WWWROOT\   \         \    \  \com4
E:\INETPUB\WWWROOT\   \         \    \  \com5
E:\INETPUB\WWWROOT\   \         \    \  \com6
E:\INETPUB\WWWROOT\   \         \    \  \com7
E:\INETPUB\WWWROOT\   \         \    \  \com8
E:\INETPUB\WWWROOT\   \         \    \  \com9
E:\INETPUB\WWWROOT\   \         \    \  \com1 \com1
E:\INETPUB\WWWROOT\   \         \    \  \com1 \com2
E:\INETPUB\WWWROOT\   \         \    \  \com1 \com3
E:\INETPUB\WWWROOT\   \         \    \  \com1 \com4
E:\INETPUB\WWWROOT\   \         \    \  \com1 \com5
E:\INETPUB\WWWROOT\   \         \    \  \com1 \com6
E:\INETPUB\WWWROOT\   \         \    \  \com1 \com7
E:\INETPUB\WWWROOT\   \         \    \  \com1 \com8
E:\INETPUB\WWWROOT\   \         \    \  \com1 \com9
E:\INETPUB\WWWROOT\   \         \    \  \com2 \com1
E:\INETPUB\WWWROOT\   \         \    \  \com2 \com2
E:\INETPUB\WWWROOT\   \         \    \  \com2 \com3
E:\INETPUB\WWWROOT\   \         \    \  \com2 \com4
E:\INETPUB\WWWROOT\   \         \    \  \com2 \com5
E:\INETPUB\WWWROOT\   \         \    \  \com2 \com6
E:\INETPUB\WWWROOT\   \         \    \  \com2 \com7
E:\INETPUB\WWWROOT\   \         \    \  \com2 \com8
E:\INETPUB\WWWROOT\   \         \    \  \com2 \com9
E:\INETPUB\WWWROOT\   \         \    \  \com3 \com1
E:\INETPUB\WWWROOT\   \         \    \  \com3 \com2
E:\INETPUB\WWWROOT\   \         \    \  \com3 \com3
E:\INETPUB\WWWROOT\   \         \    \  \com3 \com4
E:\INETPUB\WWWROOT\   \         \    \  \com3 \com5
E:\INETPUB\WWWROOT\   \         \    \  \com3 \com6
E:\INETPUB\WWWROOT\   \         \    \  \com3 \com7
E:\INETPUB\WWWROOT\   \         \    \  \com3 \com8
E:\INETPUB\WWWROOT\   \         \    \  \com3 \com9
E:\INETPUB\WWWROOT\   \         \    \  \com4 \com1
E:\INETPUB\WWWROOT\   \         \    \  \com4 \com2
E:\INETPUB\WWWROOT\   \         \    \  \com4 \com3
E:\INETPUB\WWWROOT\   \         \    \  \com4 \com4
E:\INETPUB\WWWROOT\   \         \    \  \com4 \com5
E:\INETPUB\WWWROOT\   \         \    \  \com4 \com6
E:\INETPUB\WWWROOT\   \         \    \  \com4 \com7
E:\INETPUB\WWWROOT\   \         \    \  \com4 \com8
E:\INETPUB\WWWROOT\   \         \    \  \com4 \com9
E:\INETPUB\WWWROOT\   \         \    \  \com5 \com1
E:\INETPUB\WWWROOT\   \         \    \  \com5 \com2
E:\INETPUB\WWWROOT\   \         \    \  \com5 \com3
E:\INETPUB\WWWROOT\   \         \    \  \com5 \com4
E:\INETPUB\WWWROOT\   \         \    \  \com5 \com5

kubecj

  • Guest
Re:Unknown Worm ??
« Reply #14 on: June 17, 2003, 01:20:08 AM »
Re-read my previous message. Every directory has its name. If you redirect the output to a text file and then view it in a hexadecimal editor, you'll be able to see what the actual name of the directory is. Then simply delete it using the del "something" command, where 'something' is the actual name of the directory.

I'm afraid I can't be much help; maybe you should find some technician nearby who'll be able to do that.
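The procedure kubecj describes in Replies #12 and #14 (dump the tree with dir /s /b, look at the raw bytes of each name, then delete by the real name) can be scripted instead of done by eye in a hex editor. The following Python script is an added example, not code from the thread or from Avast: it reads a saved listing as bytes, reports every path component that cmd.exe will mishandle (all-space names, trailing spaces or dots, non-printable or high bytes such as 0xFF, and reserved DOS device names like com1), shows each such name in hex, and builds an rd /s /q command using the Win32 \\?\ path prefix, which tells Windows to skip the name normalization that strips trailing spaces and treats com1 as the serial port; the thread itself only mentions quoting the name. The listing bytes below are constructed to resemble donna's output, and decoding them as latin-1 is an assumption (a real listing is in the console's OEM code page).

```python
"""Find and name hard-to-delete directory entries in a `dir /s /b` listing.
Added example; the listing below is constructed, not taken from the thread."""

# Names Win32 reserves for devices; a path component with one of these as
# its stem is intercepted by normal path parsing, so it can be neither
# opened nor deleted without the \\?\ prefix.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

# Constructed stand-in for `dir /s /b *.* > some.lst`. The odd components are
# three spaces, three 0xFF bytes and "com1 " (reserved name plus trailing space).
SAMPLE_LISTING = (
    b"E:\\INETPUB\\WWWROOT\\   \\\xff\xff\xff\r\n"
    b"E:\\INETPUB\\WWWROOT\\   \\\xff\xff\xff\\com1 \r\n"
    b"E:\\INETPUB\\WWWROOT\\   \\\xff\xff\xff\\com1 \\com2\r\n"
    b"E:\\INETPUB\\WWWROOT\\images\\logo.gif\r\n"
)


def component_problems(name: bytes) -> list:
    """Return the reasons one path component is awkward for cmd.exe (empty if none)."""
    problems = []
    if not name.strip(b" ."):
        problems.append("name is only spaces/dots")
    elif name != name.rstrip(b" ."):
        problems.append("trailing space or dot (stripped by normal path parsing)")
    if any(b < 0x20 or b >= 0x7F for b in name):
        problems.append("non-printable or high bytes")
    # Stem = name without trailing spaces/dots and without any extension.
    stem = name.rstrip(b" .").split(b".")[0].upper()
    try:
        if stem.decode("ascii") in RESERVED_DEVICE_NAMES:
            problems.append("reserved DOS device name")
    except UnicodeDecodeError:
        pass  # non-ASCII bytes cannot spell a device name
    return problems


def analyse_listing(listing: bytes) -> list:
    """One finding per problematic component, with its hex so the real name is
    visible without a hex editor."""
    findings = []
    for raw in listing.splitlines():
        if not raw:
            continue
        for comp in raw.split(b"\\"):
            problems = component_problems(comp)
            if problems:
                findings.append({
                    "path": raw,
                    "component": comp,
                    "hex": comp.hex(" "),
                    "problems": problems,
                })
    return findings


def extended_path(path: bytes) -> str:
    """Prefix with \\?\ so Win32 passes the name through unnormalized.
    latin-1 maps each byte to one character (assumption: a real listing is
    in the console's OEM code page and should be decoded with that)."""
    return "\\\\?\\" + path.decode("latin-1")


def removal_commands(listing: bytes) -> list:
    """Suggest one `rd /s /q` per top-most problematic directory; /s takes
    care of everything nested beneath it, so deeper roots are dropped."""
    roots = []
    for finding in analyse_listing(listing):
        comps = finding["path"].split(b"\\")
        first_bad = comps.index(finding["component"])  # shallowest occurrence
        root = b"\\".join(comps[: first_bad + 1])
        if not any(root == r or root.startswith(r + b"\\") for r in roots):
            roots.append(root)
    return [f'rd /s /q "{extended_path(r)}"' for r in roots]


if __name__ == "__main__":
    for finding in analyse_listing(SAMPLE_LISTING):
        print(f"{finding['hex']:<20} {', '.join(finding['problems'])}")
    print()
    for cmd in removal_commands(SAMPLE_LISTING):
        print(cmd)
```

To use it on a real box, replace SAMPLE_LISTING with the bytes of the some.lst file kubecj's dir command produced, read in binary mode, and run the printed rd commands from cmd.exe only after copying anything in those directories that the incident investigation still needs.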