
A giant thankyou to Alex!


Gurdip

Aug 29, 2002, 5:31:06 AM
Gurdip, here're the details ...

You're infected with a variation of what McAfee calls the "IRC/Flood"
trojan: http://vil.nai.com/vil/content/v_98936.htm

Nowadays it's a trojan package which consists of a IRC bot, a flooder, a
DoS program and a package to install a web or ftp server (i.e. to use
your server as warez server or for movie files).

I found the following files in the SYSTEM32 directory which I identified
as part of the trojan package or which look at least suspicious to me.
As I'm always interested to have a closer look at such files I'd ask
you to send me these files (preferably packed with something like
WinZip or Rar) - they have all a newer time stamp:

nt32.ini 'suspicious - but if you know it, no need to send it
nt16.ini 'suspicious - but if you know it, no need to send it
445.txt 'part of the trojan
tcpdll.exe 'highly suspicious
dll32nt.hlp 'suspicious - but if you know it, no need to send it
winhelp.exe 'suspicious - but if you know it, no need to send it
ggp.bat 'highly suspicious
ocxdll.exe 'part of the trojan
dll16.ini 'suspicious - but if you know it, no need to send it
gg.bat 'highly suspicious
tftp8675 'highly suspicious
taskmngr.exe 'suspicious - but if you know it, no need to send it
xvpll.hlp 'suspicious - but if you know it, no need to send it
dll32.hlp 'suspicious - but if you know it, no need to send it
gates.txt 'part of the trojan
mdm.scr 'suspicious - but if you know it, no need to send it
mwdm.exe 'suspicious - but if you know it, no need to send it
httpsear.ini 'suspicious - but if you know it, no need to send it
httpsearch.ini 'suspicious - but if you know it, no need to send it
mt.exe 'part of the trojan
ncp.exe 'suspicious - but if you know it, no need to send it
w217.35.124.104.ini 'suspicious - but if you know it, no need to send it
kill.exe 'part of the trojan
v.exe 'part of the trojan
psexec.exe 'part of the trojan
<DIR> -o 'highly suspicious

The sub directory "-o" looks suspicious to me too. Have a look at it and
if it contains suspicious files then I'd want to look at them too.

When I have had a look at the files then I can confirm whether the suspicious
files are really part of the trojan or not. To make sure that your
system is clean I'd recommend a check with McAfee's VirusScan and/or
Kaspersky Anti-Virus (www.kav.ch). A check with the DOS versions is
enough.

Regards,
Axel Pettinger

Axel Pettinger

Sep 5, 2002, 1:31:01 PM
Gurdip wrote in <news:4e7f5c14.02082...@posting.google.com>:
> >
> > Hi, We have a 2000 server which acts as our webserver and arbitary
> > fileshare.
> > I have noticed that a mirc pop up appears when the machine is
> > rebooted. This has scared me as I have never used MIRC or IRC
> > before.
> >
> > The machine is connected to the internet.
> > Can anyone help.
> >
> > Gurdip

... and quoted my private reply in
<news:4e7f5c14.02082...@posting.google.com>:

For those who want to know how the server became infected in the first
place ..., read Brian McWilliams' article "Windows 2000 Port Invites
Intruders":
http://www.pc-radio.com/Windows%202000%20Port%20Invites%20Intruders.htm

Gurdip sent three minor TXT/INI files - what a pity that I couldn't have
a look at the other files -, but the INI files contain entries for the
files mdm.exe, ggp.bat, nt32.ini, nt16.ini, dll32nt.hlp, xvpll.hlp,
dll32.hlp, and httpsearch.ini. Therefore it's very likely that they
belong to the trojan package.

And just to mention this ..., file names are *not* enough for an exact
identification of a virus, trojan, or whatever else. Even when somebody
with experience regarding malicious files can tell you after a look at a
list of files which files do not belong to your system ..., this
shouldn't be misunderstood as a call to delete these files without a
final confirmation that the files are indeed malicious! <grrr>

Regards,
Axel Pettinger
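Both of Axel's posts make the same triage point: the first asks for the files with the newer time stamps so they can be examined, and the second warns that file names alone never identify malware. The script below is an added example written for this thread, not anything posted by Axel or Gurdip. It inventories the files in a directory that were modified after a chosen cutoff, records size, time stamp and SHA-256 for each, and marks whether the name matches one of the names the first post lists as "part of the trojan". The match is only a hint; the hash is what you would hand to a scanner or a vendor. The directory it scans here is a constructed scratch folder standing in for SYSTEM32, and the cutoff, the sample file names and their contents are assumptions made for the demonstration.

```python
import hashlib
import os
import tempfile
import time
from datetime import datetime, timedelta

# Names the first post in this thread labels "part of the trojan".
# A name match is a prompt to look closer, never a verdict on its own.
KNOWN_TROJAN_NAMES = {
    "445.txt", "ocxdll.exe", "gates.txt", "mt.exe",
    "kill.exe", "v.exe", "psexec.exe",
}


def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def inventory_recent_files(directory, since):
    """Return one record per regular file modified at or after `since` (a datetime).

    Records carry the evidence a responder needs to confirm or clear a file:
    name, size, modification time and a SHA-256 digest.
    """
    cutoff = since.timestamp()
    records = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue  # sub directories (like "-o" in the thread) need their own pass
        st = os.stat(path)
        if st.st_mtime < cutoff:
            continue  # older than the cutoff: not part of the recent change set
        records.append({
            "name": name,
            "size": st.st_size,
            "mtime": datetime.fromtimestamp(st.st_mtime).isoformat(timespec="seconds"),
            "sha256": sha256_of(path),
            "name_matches_known": name.lower() in KNOWN_TROJAN_NAMES,
        })
    return records


def build_sample_dir():
    """Constructed sample: a scratch directory that stands in for SYSTEM32.

    One old, legitimate-looking file and two recently written files whose
    names appear in the thread. Contents are made up for the demo.
    """
    d = tempfile.mkdtemp(prefix="triage_demo_")
    now = time.time()
    old = now - 400 * 86400  # roughly 13 months ago
    samples = [
        ("kernel32.dll", b"legit system file (constructed)", old),
        ("445.txt", b"constructed sample contents", now - 3600),
        ("gg.bat", b"@echo off\r\n", now - 1800),
    ]
    for name, content, mtime in samples:
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(content)
        os.utime(p, (mtime, mtime))
    return d


def triage_demo(days=30):
    """Run the inventory over the constructed directory with a `days`-old cutoff."""
    d = build_sample_dir()
    return inventory_recent_files(d, datetime.now() - timedelta(days=days))


if __name__ == "__main__":
    for rec in triage_demo():
        flag = "NAME MATCH" if rec["name_matches_known"] else "review"
        print(f'{rec["name"]:20} {rec["mtime"]} {rec["size"]:6} {rec["sha256"]} {flag}')
```

Against the constructed directory the old `kernel32.dll` drops out and the two recent files remain, with only `445.txt` flagged by name; `gg.bat` is still listed because a responder would want its hash regardless. Pointing `inventory_recent_files` at a real system directory with a cutoff set to the day the mIRC pop-up first appeared gives the same kind of list Axel asked Gurdip for, plus the digests needed to confirm each file rather than judging it by name.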
