Hello all,
I would like to report malware that neither AVG's Complete Scan nor avast!'s Scan on Boot detected.
Summary
The machine runs code that connects to other machines using RAdmin. It then acts as a zombie, brute-forcing access to other machines, and sends the failed/successful username/password lists to a server.
Symptoms
Computer runs slow
Outgoing connection found on port 4899, like the following:
Scanning summary: Date Protocol Port or Type/Code Dst count
2012-03-28 17:00:00 6 (TCP) 4899 (radmin-port) 142
2012-03-28 17:05:00 6 (TCP) 4899 (radmin-port) 146
2012-03-28 17:10:00 6 (TCP) 4899 (radmin-port) 148
2012-03-28 17:15:00 6 (TCP) 4899 (radmin-port) 143
Removal Instructions
1) Determine the process that has outbound connections on port 4899 using TCPView (for me it was msgsm.exe, which was the fake name used for the program lamescan3.exe).
2) Find the location of the .exe file (for me it was C:\WINDOWS\system32\dllcache\).
3) Stop the process using Task Manager or an equivalent.
4) This malware also uses a service to start this executable on startup. Find the name of the service:
   1) Find the batch file that starts the service (mine was mshts.bat). Although tedious, one way to determine which file in this folder it is:
      1) Find all files ending in .bat.
      2) Open each one in a text editor and search for curl or wget, programs used to upload and download information to and from the server.
   2) Search the batch file for a command like sc stop MsHosts, where MsHosts is the name of the malware service.
   3) Search the registry for the DisplayName of the service. Go to Start -> Run and type regedit. Then hit Ctrl-F and type the name of the malware service. In that folder will be a registry key called DisplayName. We'll use that value to find the service and disable it. For me, the DisplayName was Manager mapping IP addresses to hosts and the Description was written in quite poor English...
5) Go to Start -> Control Panel -> Administrative Tools -> Services and look for the DisplayName that you found in the registry. Right-click it, go to Properties, click Stop and change the Startup Type to Disabled.
6) In the registry (which you can open by clicking Start -> Run and typing regedit), right-click on the malware service folder, note the Path to executable (for me it was C:\WINDOWS\system32\dllcache\mgm.exe), select Delete and select Yes.
7) Delete both executables (e.g. msgsm.exe and mgm.exe). Then search the batch file for any associated files (e.g. ___.dll or ___.ger) and delete those as well. Finally, delete the batch file.
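As an added example (not from the original post), this PowerShell snippet does the read-only part of steps 1, 2 and 4: it maps connections to TCP/4899 to their owning process and image path, lists services whose binary lives in the same folder, and searches nearby .bat files for curl/wget or an "sc stop" line. It assumes PowerShell 2.0 or later run as Administrator on the affected machine; the port and the dllcache folder come from the post, everything else is read from the live system.

```powershell
# Added triage script; not from the original post. Assumes PowerShell 2.0+ run as
# Administrator on the affected host. Only reports, never stops or deletes anything.
$SuspectPort = 4899                                   # RAdmin port seen in the outbound connections
$SearchDirs  = @("$env:SystemRoot\system32", "$env:SystemRoot\system32\dllcache")

# Step 1: collect owning PIDs of TCP connections whose remote port is 4899.
# netstat -ano columns: Proto  Local Address  Foreign Address  State  PID
$SuspectPids = @{}
foreach ($line in (netstat -ano)) {
    if ($line -match '^\s*TCP\s+\S+\s+\S+:(\d+)\s+\S+\s+(\d+)\s*$' -and
        [int]$Matches[1] -eq $SuspectPort) {
        $SuspectPids[[int]$Matches[2]] = $true
    }
}

# Step 2: resolve each PID to its image path, then (step 4) list services whose binary
# sits in the same directory; in the post the service launched mgm.exe from dllcache too.
foreach ($procId in $SuspectPids.Keys) {
    $proc = Get-WmiObject Win32_Process -Filter "ProcessId = $procId"
    if (-not $proc -or -not $proc.ExecutablePath) {
        "PID $procId : no image path (process already exited?)"
        continue
    }
    "PID $procId  $($proc.Name)  $($proc.ExecutablePath)"
    $dir = Split-Path -Parent $proc.ExecutablePath
    Get-WmiObject Win32_Service |
        Where-Object { $_.PathName -like "*$dir*" } |
        Select-Object Name, DisplayName, State, StartMode, PathName
}

# Step 4.1: batch files that call curl/wget or 'sc stop <service>' give away the service name.
Get-ChildItem -Path $SearchDirs -Filter *.bat -ErrorAction SilentlyContinue |
    Select-String -Pattern '\b(curl|wget)\b', '\bsc\s+stop\s+\S+' |
    Select-Object Path, LineNumber, Line
```

Run it before step 3, while the process is still alive, so netstat can still attribute the connections to it.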