We discovered more this week. We also found a lot of Wingate proxies disguised as mmtask.exe, as well as port 113 listening along with 608. Telnet to port 608 still returned a number sequence, and telnet to port 113 returned a UNIX:IDENTD name.

We have had success cleaning the PCs, but we're still not sure of how the customers have gotten compromised, and we've had several more customers affected since. Our suspicion is just unsafe Internet use, such as low browser security settings or lack of updating OS patches.

The files were started in win.ini (run= and load=), system.ini (load=), and in the registry under hkey_local_machine\software\microsoft\windows\currentversion\run and \runservices. Some were still in use even after removing them from being run on startup and had to be deleted in MS-DOS mode or Safe Mode.

The following files were involved. All PCs affected had mmtask.exe, but the rest were not all on the same PC; there was a combination of several on each:

iexplorer.exe
mmtask.exe
mntask.exe
mptask.exe
snd32.exe
snd32c.exe
snd32r.exe
fst32r.exe
pgtllvabtl.exe
slideshow.exe
res32.reg
settings.reg
nbvlk32.ndr

Once the known files were deleted and everything suspicious was removed from startup, we did a scan at http://housecall.antivirus.com. Housecall was never able to find Wingate, but it was able to find and delete other trojans and backdoors (subseven, latinus, sua, lithium, net-devil) now that they were not in use. Once all of this was done, ports 113 and 608 were no longer listening.

-----Original Message-----
From: Altheide, Cory [mailto:CAltheideat_private]
Sent: Saturday, September 28, 2002 1:18 PM
To: Garramone, Michael (CCI-Las Vegas)
Subject: Port 608/trojan/spam

I do abuse work (among other things) for AT&T Broadband - and we've been seeing the same activity you described on the Incidents List back in early September.

"Last week I received spam complaints against 4 different customers, all the same message and all with no knowledge of the incident. The only similarity I could find was port 608 open on each user's machine. Telnet to this port returned a number sequence, and successive telnets increased the number returned. Each customer found a trojan/backdoor installed, but not all the same one ... They included a variant of subseven, latinus, sua.a, and sua.b. McAfee and Norton did not find them, but the customers may not have had the latest virus definition updates."

I've also found WinGate installed in some of these cases - although it's not clear if that was done before or after the compromise. I'm currently investigating some of these cases in greater detail - do you have any further information on this?

Thank you,

Cory Altheide
AT&T Broadband Legal Demands Center
caltheideat_private

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
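The cleanup in the thread comes down to checking three startup locations (win.ini run=/load=, system.ini load=, the Run and RunServices registry keys) for a known set of file names, and confirming that ports 113 and 608 are no longer listening. The script below is an added example, written for this archive page and not code from either message: it takes the .ini contents, the registry values and a `netstat -an` listing as text (all constructed samples here, so it runs offline) and reports which entries match the file names and ports the thread lists. The `run_keys` dictionary layout and the sample values are assumptions; on a live machine they would be filled from the real files and registry.

```python
"""Startup-location and listening-port triage for the indicators named in the
thread (example code, not from the original messages)."""
import re
from pathlib import PureWindowsPath

# File names reported in the thread as involved in the compromises.
KNOWN_BAD_FILES = {
    "iexplorer.exe", "mmtask.exe", "mntask.exe", "mptask.exe", "snd32.exe",
    "snd32c.exe", "snd32r.exe", "fst32r.exe", "pgtllvabtl.exe",
    "slideshow.exe", "res32.reg", "settings.reg", "nbvlk32.ndr",
}
# Ports the thread reports listening on affected PCs.
SUSPECT_PORTS = {113, 608}
# Startup keys the thread names per .ini file; other keys are ignored.
INI_STARTUP_KEYS = {"win.ini": {"run", "load"}, "system.ini": {"load"}}


def parse_ini(text):
    """Return {section: {key: value}} from .ini text (keys lower-cased)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1).lower()
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def executables_in(value):
    """File names referenced by a run=/load=/registry value.
    Handles comma/space separated entries and quoted paths with spaces."""
    names = []
    for token in re.findall(r'"[^"]*"|[^,\s]+', value):
        token = token.strip('"')
        if token:
            names.append(PureWindowsPath(token).name.lower())
    return names


def triage_ini(filename, text):
    """Startup entries in win.ini/system.ini that reference a known file."""
    wanted = INI_STARTUP_KEYS.get(filename.lower(), set())
    findings = []
    for section, entries in parse_ini(text).items():
        for key, value in entries.items():
            if key in wanted:
                for name in executables_in(value):
                    if name in KNOWN_BAD_FILES:
                        findings.append((f"{filename}:[{section}]{key}", name))
    return findings


def triage_registry(run_keys):
    """run_keys: {key_path: {value_name: data}} (assumed layout; fill from
    winreg on a live box). Returns matches against the known file list."""
    findings = []
    for key_path, values in run_keys.items():
        for value_name, data in values.items():
            for name in executables_in(data):
                if name in KNOWN_BAD_FILES:
                    findings.append((f"{key_path}\\{value_name}", name))
    return findings


def listening_ports(netstat_text):
    """Local TCP ports in LISTENING state from 'netstat -an' style output."""
    ports = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].upper() == "TCP" \
                and parts[3].upper() == "LISTENING":
            ports.add(int(parts[1].rsplit(":", 1)[1]))
    return ports


def run_triage(win_ini, system_ini, run_keys, netstat_text):
    """Combine all checks; suspect ports still listening mean cleanup is not done."""
    findings = (triage_ini("win.ini", win_ini)
                + triage_ini("system.ini", system_ini)
                + triage_registry(run_keys))
    still_open = sorted(listening_ports(netstat_text) & SUSPECT_PORTS)
    return {"startup_findings": findings, "suspect_ports": still_open}


# Constructed sample data modelled on the thread (not captured from a real PC).
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\mmtask.exe snd32.exe\n" \
                 "NullPort=None\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe\n" \
                    "load=C:\\WINDOWS\\SYSTEM\\mntask.exe\n[386Enh]\ndevice=*vshare\n"
SAMPLE_RUN_KEYS = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {
        "SystemTray": "SysTray.Exe",
        "mmtask": r"C:\WINDOWS\SYSTEM\mmtask.exe",
    },
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices": {
        "slideshow": r"C:\WINDOWS\slideshow.exe",
    },
}
SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:608            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1035        192.0.2.99:80          ESTABLISHED
"""

if __name__ == "__main__":
    report = run_triage(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI,
                        SAMPLE_RUN_KEYS, SAMPLE_NETSTAT)
    for location, name in report["startup_findings"]:
        print(f"startup entry {location} -> {name}")
    print("suspect ports still listening:", report["suspect_ports"])
```

The report only identifies entries to review; as the thread notes, a matched file may still be running after its startup entry is removed, so the deletion step itself may need Safe Mode or MS-DOS mode, and the port check is the confirmation that the cleanup took.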
This archive was generated by hypermail 2b30 : Mon Sep 30 2002 - 13:12:42 PDT