Re: [Think I've got trouble]

From: Greg Dotoli (gdotoliat_private)
Date: Wed Jan 09 2002 - 13:56:22 PST


    Katherine,
    
    I don't know what nimreg is, but your system seems compromised. I wouldn't
    trust a "fix"; rebuild and be more careful.
    
    Greg
    
    
    Name: BLA trojan
    Aliases: N/A
    Ports: 666, 1042, 20331
    Files:
      Dbla.zip - 307,489 bytes
      Bla.zip - 305,115 bytes
      Bla1.0.zip - 310,684 bytes
      Bla20.zip - 615,572 bytes
      Bla40.zip - 603,821 bytes
      Bla5.01.zip
      Bla502.zip
      Bla503.zip - 838,477 bytes
      Bla51.zip
      Trojan.exe - 64,658 bytes
      Trojan.exe - 91,032 bytes
      Blaclient.exe - 1,359,360 bytes
      Bla(client).exe - 1,342,976 bytes
      Bla501 tcp proxy.exe
      Bla501trojan.exe
      Blaclient.exe
      Blaclient2.exe
      Blaaaaa.exe - 1,284,096 bytes
      Blaaaaa.exe - 1,330,688 bytes
      Msv32.dll - 64,658 bytes
      Msv32.dll - 144,896 bytes
      Msv32-1.dll
      Scanirc.exe - 303,616 bytes
      "renamed server".exe - 217,600 bytes
      Mprdll.exe
      Asian trojan.exe - 192,512 bytes
      Tcpload.exe - 255,488 bytes
      Tcpproxy.exe - 32,768 bytes
      Module.ini - 78 bytes
      Normal trojan.exe - 217,088 bytes
      Salope trojan.exe - 229,376 bytes
      Self extract.exe - 94,208 bytes
      Log.txt - ??? bytes
    
    Created: Mar 1999
    Requires: N/A
    Actions: Remote Access / Steals passwords
    The client also drops a server! The hacker could choose to log passwords only
    or all text written. One of the functions is to kill antivirus software.
    Versions: 1.0, 1.1, 2.0, 4.0, 5.01, 5.02, 5.03, 5.1
    Registers: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    
    Notes: Works on Windows 95 and 98.
    Country: written in France
    Program: N/A
    
    
    
    Katherine Ogden <kogdenat_private> wrote:
    
    
    We began having trouble with our exchange server.
    For no reason we could pin down, the OWA would
    throw up an error and stop the www service. Being
    the slightly paranoid sort, I downloaded Retina and ran
    it against the email server. It showed the usual things,
    but it also showed:
    Port 1058 - Nim
    Port 1090 - Xtreme
    
    Two other exchange servers show these ports open.
    Port 1042 - Bla
    Port 1059 - Nimreg
    
    Two questions.  Does anybody know what these
    are?  And am I right in assuming that these machines 
    have been compromised and will need to be rebuilt?
    
    Thank you for the help.
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    
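As an added illustration (not from the thread or either poster) of the triage Katherine's second question calls for: a scanner labels a port from a table like the one below, so a match only becomes evidence of compromise once the owning process and any autostart entry are checked. It assumes a "netstat -ano"-style listing and a PID-to-image map gathered separately; KNOWN_IMAGES is a hypothetical allow-list and the sample data is constructed.

```python
import re
# Port-to-trojan table as it appears in the thread: Retina's labels on the
# Exchange servers plus the ports from the BLA entry Greg pasted.
TROJAN_PORTS = {666: "Bla", 1042: "Bla", 20331: "Bla",
                1058: "Nim", 1059: "Nimreg", 1090: "Xtreme"}
# Autostart key named in the BLA entry; values are assumed to be bare paths.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
# Hypothetical allow-list of images that normally own listening sockets. Windows
# RPC services take dynamic ports from 1024 up, so a system image there is expected.
KNOWN_IMAGES = {"svchost.exe", "inetinfo.exe", "store.exe", "mad.exe"}
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def parse_listeners(netstat_text, pid_to_image):
    """Return (port, image) pairs from 'netstat -ano'-style listening lines."""
    pairs = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            pairs.append((int(m.group(1)), pid_to_image.get(int(m.group(2)), "?")))
    return pairs

def triage(listeners, run_values):
    """Rate each scanner-labelled port: {port: (label, verdict)}; run_values = Run key values."""
    autostart = {v.lower().rsplit("\\", 1)[-1] for v in run_values.values()}
    report = {}
    for port, image in listeners:
        label = TROJAN_PORTS.get(port)
        if label is None:
            continue  # not a labelled port; nothing to rate
        img = image.lower()
        if img in autostart:
            verdict = "likely compromise: Run key autostarts the listening image"
        elif img in KNOWN_IMAGES and port >= 1024:
            verdict = "probable false positive: system image on an RPC dynamic port"
        elif port >= 1024:
            verdict = "unknown image on a dynamic-range port: identify the binary"
        else:
            verdict = "fixed low port with a trojan label: treat as hostile until cleared"
        report[port] = (label, verdict)
    return report

# Constructed sample: RPC services on 1058/1059 plus a listener on Bla's 1042 started from the Run key.
NETSTAT = """\
  TCP    0.0.0.0:1058    0.0.0.0:0    LISTENING    820
  TCP    0.0.0.0:1059    0.0.0.0:0    LISTENING    1044
  TCP    0.0.0.0:1042    0.0.0.0:0    LISTENING    1324
  TCP    0.0.0.0:80      0.0.0.0:0    LISTENING    1100
"""
PIDS = {820: "store.exe", 1044: "svchost.exe", 1324: "trojan.exe", 1100: "inetinfo.exe"}
RUN = {"Msv32": r"C:\WINDOWS\trojan.exe"}
```

Running triage(parse_listeners(NETSTAT, PIDS), RUN) rates 1058 and 1059 as probable false positives and 1042 as a likely compromise.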



    This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 15:25:28 PST