Re: Pdmin / Trojaned csrss.exe

From: David Moisan (dmoisanat_private)
Date: Mon Aug 04 2003 - 09:57:08 PDT

    At 04:55 PM 8/2/2003 -0500, you wrote:
    
    >The program is run by a trojan csrss.exe in C:\winnt\system32\restore and
    >is installed at the same time an FTP server is installed.  I did a strings
    >on the csrss.exe but turned up nothing that worked as a password.  Can
    >anyone tell me more about this program or what it might be.  Or the
    >password.
    
    What's the size of your csrss.exe?  There is a legitimate csrss.exe in 
    Windows;  it's a stub for the Win32 runtime service and it's 4K in size.  I 
    would *not* just delete instances of csrss.exe without further 
    investigation as Windows (NT/2K/XP) needs this to run and will bluescreen 
    if it is halted.
    
    My home system (XP Pro) does not have a system32\recover directory, nor 
    does my test SBS2000 (2K) box.  Are there any other files in 
    \winnt\system32\recover?
    
    You could try, if you have 2K or higher, the following:
    
    sfc /scannow
    
    This will scan your system and replace suspicious files;  if csrss was 
    replaced in place, this will flush it out.  I don't think this is 
    happening, though.
    
    >>One thing we are finding is a program running on port 6651 that identifies
    >>itself as  pAdmin - by: pdi in a web browser.  This interface has a place
    >>for a password.
    
    What does Task Manager tell you?  If you use Foundstone fport, it should 
    tell you exactly what executable is listening on that port;  you should run 
    that any time you suspect a trojan.
    
    Take care,
    
    Dave
    
    David Moisan, N1KGH   ARES/SKYWARN             dmoisanat_private
    Invisible Disability:  http://www.davidmoisan.org/invisible_disability.html
    ATS-909 FAQ:  http://www.davidmoisan.org/radio/sangean/ats909faq.html
    
    
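The two checks Dave describes above (confirm that the csrss.exe on the box is the legitimate one before touching it, and map the listener on port 6651 back to the executable that owns it, which is what fport did) can be done on a current Windows system with built-in cmdlets. The script below is an added example, not part of the original post or of any tool the thread mentions. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows 8 / Server 2012 or later, run from an elevated prompt (Get-NetTCPConnection, Get-FileHash and catalog-aware Get-AuthenticodeSignature are not available on the NT/2K/XP systems in the thread). The port number 6651 and the file name csrss.exe come from the thread; the function names are the example's own.

```powershell
# Added example, not from the original post. Assumes Windows 8+/Server 2012+,
# PowerShell 5.1 or 7, running elevated. Port 6651 and csrss.exe are from the
# thread; the function names and output fields are this example's own.

# 1. For every running csrss.exe: where is it loaded from, is that the expected
#    %SystemRoot%\System32\csrss.exe, does it carry a Microsoft signature, and
#    what is its hash (to compare against a known-good copy)?
function Test-CsrssInstances {
    $expected = Join-Path $env:SystemRoot 'System32\csrss.exe'
    foreach ($p in Get-Process -Name csrss -ErrorAction SilentlyContinue) {
        # csrss is a protected process; .Path is empty unless elevated, so fall back to WMI.
        $path = $p.Path
        if (-not $path) {
            $path = (Get-CimInstance Win32_Process -Filter "ProcessId = $($p.Id)").ExecutablePath
        }
        # System binaries are catalog-signed. PowerShell 5.1+ on Windows 10+ resolves the
        # catalog and reports Valid; on older builds a genuine file may show NotSigned,
        # in which case rely on the hash comparison instead.
        $sig = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            Pid        = $p.Id
            Path       = $path
            InSystem32 = [bool]($path -and ($path -ieq $expected))
            SigStatus  = if ($sig) { $sig.Status } else { 'Unknown' }
            Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SHA256     = if ($path) { (Get-FileHash -Algorithm SHA256 -Path $path).Hash } else { '' }
        }
    }
}

# 2. Any other file named csrss.exe under %SystemRoot% (for example dropped into a
#    subfolder of System32, as in the thread) is worth a look. WinSxS legitimately
#    holds servicing copies, so it is excluded.
function Find-StrayCsrss {
    $expected = Join-Path $env:SystemRoot 'System32\csrss.exe'
    Get-ChildItem -Path $env:SystemRoot -Filter csrss.exe -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -ine $expected -and $_.FullName -notmatch '\\WinSxS\\' } |
        Select-Object FullName, Length, LastWriteTime
}

# 3. fport equivalent: which process owns the listener on a given TCP port, and
#    from which image and command line was it started?
function Get-ListenerOwner {
    param([int]$Port = 6651)
    Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $owner = $_.OwningProcess
            $proc  = Get-Process -Id $owner -ErrorAction SilentlyContinue
            $wmi   = Get-CimInstance Win32_Process -Filter "ProcessId = $owner"
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                Port         = $_.LocalPort
                Pid          = $owner
                Name         = $proc.Name
                Path         = if ($proc.Path) { $proc.Path } else { $wmi.ExecutablePath }
                CommandLine  = $wmi.CommandLine
            }
        }
}

# Usage
Test-CsrssInstances | Format-List
Find-StrayCsrss
Get-ListenerOwner -Port 6651 | Format-List
```

A csrss.exe whose Path is not %SystemRoot%\System32\csrss.exe, or whose listener shows up in Get-ListenerOwner, is the one to investigate; the copy in System32 with a valid Microsoft signature should be left alone, for the reason Dave gives. On systems too old for these cmdlets, `netstat -ano | findstr :6651` followed by `tasklist /fi "PID eq <pid>"` gives the same port-to-process mapping.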
    This archive was generated by hypermail 2b30 : Mon Aug 04 2003 - 12:10:14 PDT