Katherine, I don't know what nimreg is, but your system seems compromised. I wouldn't trust a "fix"; rebuild, and be more careful.

Greg

Name: BLA trojan
Aliases: N/A
Ports: 666, 1042, 20331
Files:
  Dbla.zip - 307,489 bytes
  Bla.zip - 305,115 bytes
  Bla1.0.zip - 310,684 bytes
  Bla20.zip - 615,572 bytes
  Bla40.zip - 603,821 bytes
  Bla5.01.zip -
  Bla502.zip -
  Bla503.zip - 838,477 bytes
  Bla51.zip -
  Trojan.exe - 64,658 bytes
  Trojan.exe - 91,032 bytes
  Blaclient.exe - 1,359,360 bytes
  Bla(client).exe - 1,342,976 bytes
  Bla501 tcp proxy.exe -
  Bla501trojan.exe -
  Blaclient.exe -
  Blaclient2.exe -
  Blaaaaa.exe - 1,284,096 bytes
  Blaaaaa.exe - 1,330,688 bytes
  Msv32.dll - 64,658 bytes
  Msv32.dll - 144,896 bytes
  Msv32-1.dll -
  Scanirc.exe - 303,616 bytes
  "renamed server".exe - 217,600 bytes
  Mprdll.exe -
  Asian trojan.exe - 192,512 bytes
  Tcpload.exe - 255,488 bytes
  Tcpproxy.exe - 32,768 bytes
  Module.ini - 78 bytes
  Normal trojan.exe - 217,088 bytes
  Salope trojan.exe - 229,376 bytes
  Self extract.exe - 94,208 bytes
  Log.txt - ??? bytes
Created: Mar 1999
Requires: N/A
Actions: Remote Access / Steals passwords. The client also drops a server! The hacker could choose to log passwords only or all text written. One of the functions is to kill antivirus software.
Versions: 1.0, 1.1, 2.0, 4.0, 5.01, 5.02, 5.03, 5.1
Registers: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
Notes: Works on Windows 95 and 98.
Country: written in France
Program: N/A

Katherine Ogden <kogdenat_private> wrote:

We began having trouble with our exchange server. For no reason we could pin down, the OWA would throw up an error and stop the www service. Being the slightly paranoid sort, I downloaded Retina and ran it against the email server. It showed the usual things, but it also showed

  Port 1058 - Nim
  Port 1090 - Xtreme

Two other exchange servers show these ports open.

  Port 1042 - Bla
  Port 1059 - Nimreg

Two questions. Does anybody know what these are?
And am I right in assuming that these machines have been compromised and will need to be rebuilt?

Thank you for the help.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
----------------------------------------------------------------------------
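The port-to-name mapping a scanner like Retina reports is only a hint: on Windows of that era the dynamic port range started at 1025, so ports such as 1042, 1058, 1059 and 1090 are routinely handed to ordinary services and to client-side connections, and a match by number has to be confirmed by finding the process that owns the socket. The following Python is an added example, not code from the thread, from Retina, or from SecurityFocus. It parses a constructed `netstat -ano`-style listing (the column layout, addresses and PIDs are assumed), cross-references the port numbers named in the thread, and separates real listeners from ephemeral client ports, naming the owning image that should be checked next.

```python
# Added example (not from the original thread): correlate listening ports from
# a netstat-style listing with the trojan port numbers named in the thread, and
# show why the owning process must be identified before calling a host
# compromised.
import re
from typing import Dict, List, Tuple

# Port-to-name associations as reported in the thread (the Bla record lists
# 666, 1042 and 20331; the scanner reported 1058/Nim, 1059/Nimreg, 1090/Xtreme).
# These are hints only, not proof of infection.
SUSPECT_PORTS: Dict[int, str] = {
    666: "Bla", 1042: "Bla", 20331: "Bla",
    1058: "Nim", 1059: "Nimreg", 1090: "Xtreme",
}

# Constructed sample in the shape of `netstat -ano` output (assumed layout:
# Proto, Local Address, Foreign Address, State, PID). Not captured from any
# real host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:1042           0.0.0.0:0              LISTENING       1732
  TCP    10.0.0.5:1058          10.0.0.9:445           ESTABLISHED     4
  TCP    0.0.0.0:1090           0.0.0.0:0              LISTENING       1732
  TCP    0.0.0.0:1059           0.0.0.0:0              LISTENING       1204
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed PID -> image-name table standing in for `tasklist` output
# (assumed). "Trojan.exe" is taken from the file list in the thread purely as
# a sample value.
SAMPLE_PROCESSES: Dict[int, str] = {
    4: "System",
    1204: "inetinfo.exe",
    1732: "Trojan.exe",
}

# One netstat row: proto, local addr:port, foreign addr, optional state, PID.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+"
    r"(LISTENING|ESTABLISHED|TIME_WAIT|CLOSE_WAIT|SYN_SENT)?\s*(\d+)\s*$"
)


def parse_netstat(text: str) -> List[Tuple[str, int, str, int]]:
    """Return (proto, local_port, state, pid) for every parseable row."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank, or otherwise unparseable row
        proto, _local, port, _foreign, state, pid = m.groups()
        entries.append((proto, int(port), state or "", int(pid)))
    return entries


def flag_suspects(entries, processes: Dict[int, str]) -> List[dict]:
    """Cross-reference local ports against SUSPECT_PORTS.

    Only sockets in LISTENING state are treated as candidate backdoors. An
    ESTABLISHED socket whose local port happens to be 1058 is just an
    ephemeral client port chosen by the stack, which is the usual source of
    false positives for name-by-port scanners.
    """
    findings = []
    for proto, port, state, pid in entries:
        if port not in SUSPECT_PORTS:
            continue
        findings.append({
            "proto": proto,
            "port": port,
            "reported_as": SUSPECT_PORTS[port],
            "state": state,
            "pid": pid,
            "image": processes.get(pid, "<unknown pid>"),
            "candidate_backdoor": state == "LISTENING",
        })
    return findings


def listening_images(findings: List[dict]) -> Dict[int, str]:
    """Ports that really are listening, with the owning image to inspect."""
    return {f["port"]: f["image"] for f in findings if f["candidate_backdoor"]}


if __name__ == "__main__":
    found = flag_suspects(parse_netstat(SAMPLE_NETSTAT), SAMPLE_PROCESSES)
    for f in found:
        tag = "CHECK IMAGE" if f["candidate_backdoor"] else "client port, not a listener"
        print(f"{f['proto']} {f['port']:>5} ({f['reported_as']:<7}) "
              f"pid {f['pid']:>5} {f['image']:<14} {tag}")
```

On the constructed sample, 1058 drops out because it is an outbound connection from PID 4, 1059 resolves to inetinfo.exe (a service that legitimately takes dynamic ports), and only the two listeners owned by the unfamiliar image remain as something to pull off the box and examine, together with the Run key named in the Bla record.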
This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 15:25:28 PST