I’ve got a problem with a Sasser (or Blaster)-like malware.
A handful of Win2K computers on my LAN began to shut down with the well known warning: “This shutdown was initiated by NT AUTHORITY\SYSTEM”. It claims an error code 128.
Avast Antivirus is up to date on each of those computers. When scanning all the drives, Avast doesn’t see any infection.
Nor do the classic Sasser and Blaster removal tools see anything bad.
The common point is the presence of a U.exe file on the root of the C: drive. When deleting this file (Shift+Delete), it comes back a few minutes later or at the next login. Even if it’s a local login (not on the Samba Linux NT-like domain). It doesn’t seem to come back when the computer is off the LAN (RJ45 removed).
Scanning that file with Avast didn’t give any result (as if it wasn’t infected).
In fact, the problem seems to be nearly solved with a Windows update. I didn’t notice any worm-like activity one hour after the update. It was then really late and I had to leave…
A WinXP Pro computer had the same behaviour, but I couldn’t find the U.exe file on its C: drive.
Can it disappear all by itself? As I once right-clicked on the U.exe file, it vanished. The “Delete” item in the contextual menu seems to be too far down to justify that it could have been activated just by right-clicking. I didn’t find the U.exe file in the waste basket. I never drink beer before leaving my job.
My questions are:
what is the name of that malware?
why doesn’t Avast see it?
where does that thing reside? On a computer that triggers the worm activity on the other computers of the LAN?
is the Windows Update enough to protect the computers?
how can I be sure it is away from my LAN?
some colleagues use their personal laptop on the LAN. Shall I advise them not to use it if they didn’t update?
Any answer or comment highly appreciated.
U.exe is part of a freeware/shareware keylogger from ReFog software: www.refog.com
It’s probably not being detected as a virus since it actually isn’t. Someone must have installed ReFog’s KGB Keylogger on your system. The paid version is able to hide itself. If you press Shift+Ctrl+Alt+K on a computer with the U.exe app, it should bring up the control console. If it is password protected, then look for and delete ksp.ini and options.ini in C:\Documents and Settings\All Users\Application Data\KSP, that will remove the password.
If you can’t get to the console, then something else may have infected your system and is just using U.exe as its name (maybe to get past non-heuristic virus scanners?). Try downloading and running HijackThis! and see what it says: http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php (Yes, TrendMicro owns HijackThis! now).
I agree there is a commercial keylogger with a file named u.exe but there are also some trojan downloaders that could be the culprit. I don’t think a keylogger would cause the shutdown messages so even if that’s what u.exe is, there may be other problems as well.
Please zip and password a sample of u.exe and email it to virus (at) avast.com. Include the password in the body of your email with a brief explanation.
Then try scanning with AVG Antispyware and A-Squared (free versions)
Given your description of u.exe’s reappearance you will obviously need to work on each computer individually. Leave the other PCs off if you need to connect to the LAN for internet access.
EDIT: Forgot to ask, was your computer very far behind on Windows updates? Which update seemed to help?
Since one of them might be the source of the infection or will end up being infected themselves, I would advise them against connecting to the LAN until this is resolved (with or without updates).
@cogadh
I’ll make the test you suggest about the Refog Keylogger. I still have a doubt because the problematic computers are in different rooms and different buildings not accessed by the same persons.
Then, the HijackThis! test is certainly really interesting to perform. I’ll post news as soon as possible.
@mauserme
I deleted all U.exe files I found. But I’ll certainly fish some more :-[ . Thanks for agreeing to test it.
Didn’t think of spyware because of the shutdown behavior. I usually have very good results with Spysweeper. Do you think AVG or A-Squared are better products?
I didn’t get information on the date of the last Windows update because I was in a hurry to find a solution. Should I install the updates one after the other and observe for, say, one hour?
Back on business…
A zip version of the problematic U.exe file can be found at http://sio2.be/u_file/ (password: ytreza)
I attached the hijackthis.log file of a problematic computer.
Scanning with A-Squared, Spysweeper or whatever else is rather difficult because of the frequent shutdowns.
I just uploaded the U.exe file on my home personal system, protected by Avast and Spysweeper.
Spysweeper immediately detected a problem with the mpn.exe file when unzipping the U.zip file. Just unzipping.
So, that file seems to be really dangerous!! I deleted it from the place on the web.
Avast reacted too, when I sent the file to virustotal.com (didn’t know that tool; seems to be really interesting). Maybe just because I sent an .exe file.
I’m waiting for the result of the analysis.
What version of RealVNC are you using - 4.1.1 or something higher?
Must be 4.1.2 (not sure). I'll check this tomorrow. Is there a problem with VNC?
Did you install Sysinternals PsTools?
Yes :)
Really handy to shut down all the computers at the end of the work day.
Thanks a lot for your advice.
[edit]Just forgot to mention: I made the Windows Update of around 20 computers this morning. After that update, none of the computers shut down and restarted any more. While working, there were regular shutdowns and restarts.
But I understand that the mpn.exe problem, at least, must be resolved.
[/edit]
Don’t forget to scan C:\WINNT\system32\autorun.exe at Virus Total too. And for sure post the scan results showing what identifications are made for both files.
Please double check the version number when you can. There is a flaw in the way v4.1.1 authenticates clients that can allow an attacker unlimited access to your server. This was patched in v4.1.2. Take a look at this thread
Sure I’ll do. But I’m home now.
Fortunately (?) the computers are not used for the moment. They are in a school and we have holidays. Only the computer science teacher is at work.
Please double check the version number when you can. There is a flaw in the way v4.1.1 authenticates clients that can allow an attacker unlimited access to your server. This was patched in v4.1.2.
Never heard about that problem. It's on my todo list from now.
@mauserme: I’m afraid you were right about VNC 4.1.1. I found a PC that kept an extra-high bandwidth load and some strange machines connected on my Samba server. When I restart Samba, they come back after a few minutes.
I think I have isolated a second computer that causes the shutdowns.
Still a bit of work for fixing the VNC failure and (probable) Windows Update on remaining workstations. But we are on the right track. Thanks to you.
@Tech: I use the Home version on my Windows workstation at home. They bought Pro Licences at school. Would you mean I’m not as well protected at home? I’m scared!!
[edit]BTW, I didn’t receive any analysis from Virus Total. Some antivirus filtering on the road, maybe… [/edit]
You need to prioritize updating VNC to the current version. Without it you’ll constantly have new malware being downloaded. After the update make sure to assign new user IDs and passwords for every authorized user, and revoke any old credentials that may still be stored.
Here’s one more link to a thread about the flaw I mentioned that will help you see how this was exploited in the past. I don’t know for sure but I’m guessing your file named u.exe is acting in much the same way as the file named “i” in the other thread.
Have you had a chance to scan those two files at Virus Total yet? Well, I guess we already know mpn.exe needs to go but I would still like to see the identifications for that and autorun.exe.
One more question - Are you connected to Mount Pleasant High School in any way?
Not sure what the problem is, but you could try Jotti instead
No, I’m not saying that, the Home version protects you very well. The major differences with the Professional version aren’t related to protection but with features that Home version misses compared with the Pro.
Here is the result of the scan of the mpn.exe file from http://virusscan.jotti.org/
It seems that Avast doesn’t see the Trojan…
File: mpn.exe
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file’s scan results will not be stored in the database)
MD5 d1f468970418e8c55e20ad188bc9ee6b
Packers detected:
Scanner results
Scan taken on 05 Apr 2007 09:42:56 (GMT)
AntiVir Found BDS/VanBot.BW
ArcaVir Found Trojan.Vanbot.Bw
Avast Found nothing
AVG Antivirus Found Win32/CryptExe
BitDefender Found Backdoor.VanBot.AP
ClamAV Found Trojan.SdBot-5302
Dr.Web Found BackDoor.IRC.Sdbot.1207
F-Prot Antivirus Found W32/Backdoor.AKSA
F-Secure Anti-Virus Found Backdoor.Win32.VanBot.bh
Fortinet Found W32/Delbot.W!worm
Kaspersky Anti-Virus Found Backdoor.Win32.VanBot.bh
NOD32 Found Win32/Rinbot.W
Norman Virus Control Found nothing
Panda Antivirus Found W32/Rinbot.gen.worm
Rising Antivirus Found Backdoor.Mybot.yvz
VirusBuster Found Backdoor.Vanbot.Gen!Pac
VBA32 Found Trojan.Win32.Rinbot.W
The VirusTotal test does not look better…
Antivirus Version Update Result
AhnLab-V3 2007.4.5.0 04.05.2007 Win32/IRCBot.worm.213504.D
AntiVir 7.3.1.48 04.05.2007 BDS/VanBot.BW
Authentium 4.93.8 04.04.2007 W32/Backdoor.AKSA
Avast 4.7.936.0 04.04.2007 no virus found
AVG 7.5.0.447 04.04.2007 Win32/CryptExe
BitDefender 7.2 04.05.2007 Backdoor.VanBot.AP
CAT-QuickHeal 9.00 04.04.2007 no virus found
ClamAV devel-20070312 04.05.2007 Trojan.SdBot-5302
DrWeb 4.33 04.05.2007 BackDoor.IRC.Sdbot.1207
eSafe 7.0.15.0 04.04.2007 Win32.VanBot.bw
eTrust-Vet 30.7.3544 04.05.2007 Win32/Nirbot.AF
Ewido 4.0 04.04.2007 Backdoor.VanBot.bw
FileAdvisor 1 04.05.2007 no virus found
Fortinet 2.85.0.0 04.05.2007 W32/Delbot.W!worm
F-Prot 4.3.1.45 04.04.2007 W32/Backdoor.AKSA
F-Secure 6.70.13030.0 04.05.2007 Backdoor.Win32.VanBot.bh
Ikarus T3.1.1.3 04.05.2007 Backdoor.Win32.VanBot.bh
Kaspersky 4.0.2.24 04.05.2007 Backdoor.Win32.VanBot.bh
McAfee 5001 04.04.2007 W32/Nirbot.worm
Microsoft 1.2405 04.05.2007 no virus found
NOD32v2 2168 04.04.2007 Win32/Rinbot.W
Norman 5.80.02 04.05.2007 no virus found
Panda 9.0.0.4 04.05.2007 W32/Rinbot.gen.worm
Prevx1 V2 04.05.2007 Covert.Sys.Exec
Sophos 4.16.0 03.30.2007 W32/Delbot-W
Sunbelt 2.2.907.0 04.03.2007 no virus found
No autorun.exe available at home. I’ll check it on my workplace.
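A small Python consolidation of the multi-engine results quoted above, as an added example that is not part of the thread: it parses rows in the VirusTotal layout shown (engine, version, update date, result), lists the engines that reported the file clean, and tallies the family name the detecting engines agree on. The sample rows are a constructed subset of the table above.

```python
import re
from collections import Counter

# Constructed sample rows in the "Antivirus Version Update Result" layout
# quoted in the thread (a subset of the posted VirusTotal table).
VT_TEXT = """\
AntiVir 7.3.1.48 04.05.2007 BDS/VanBot.BW
Avast 4.7.936.0 04.04.2007 no virus found
BitDefender 7.2 04.05.2007 Backdoor.VanBot.AP
ClamAV devel-20070312 04.05.2007 Trojan.SdBot-5302
Kaspersky 4.0.2.24 04.05.2007 Backdoor.Win32.VanBot.bh
NOD32v2 2168 04.04.2007 Win32/Rinbot.W
Microsoft 1.2405 04.05.2007 no virus found
Panda 9.0.0.4 04.05.2007 W32/Rinbot.gen.worm
"""

CLEAN = {"no virus found", "found nothing"}
# Platform / class prefixes and generic suffixes that carry no family name.
GENERIC = {"win32", "w32", "backdoor", "bds", "trojan", "worm", "gen", "generic"}

def parse_vt(text):
    """Return {engine: result}; result is None when the engine reported clean."""
    rows = {}
    for line in text.splitlines():
        parts = line.split(None, 3)          # engine, version, update, result
        if len(parts) < 4:
            continue
        engine, _version, _update, result = parts
        result = result.strip()
        rows[engine] = None if result.lower() in CLEAN else result
    return rows

def family_votes(rows):
    """Count the first family-like token of each detection name (e.g. 'vanbot')."""
    votes = Counter()
    for result in rows.values():
        if result is None:
            continue
        tokens = [t.lower() for t in re.split(r"[./!\-]", result) if t]
        named = [t for t in tokens if t not in GENERIC and not t.isdigit()]
        if named:
            votes[named[0]] += 1
    return votes

def summarize(text):
    rows = parse_vt(text)
    missed = sorted(engine for engine, result in rows.items() if result is None)
    votes = family_votes(rows)
    return {"engines": len(rows), "detected": len(rows) - len(missed),
            "missed": missed,
            "consensus": votes.most_common(1)[0][0] if votes else None}
```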
Some more information. I found the U.exe file on my daughter’s Win2k computer (protected ? by Avast Home). Furthermore, I found a M.exe file that made Avast react!!!
Here is the log file:
5/04/2007 11:19:31 Sandrine 552 Sign of “Win32:Agent-DDN [Trj]” has been found in “C:\Documents and Settings\Sandrine\Local Settings\Temporary Internet Files\Content.IE5\LBQOLI8D\m[1].exe[CExe]” file.
5/04/2007 11:21:53 Sandrine 552 Sign of “Win32:Agent-DDN [Trj]” has been found in “C:\m.exe[CExe]” file.
5/04/2007 11:43:45 Sandrine 552 Sign of “Win32:Agent-DDN [Trj]” has been found in “C:\Documents and Settings\Administrateur\Local Settings\Temporary Internet Files\Content.IE5\41234567\m[1].exe[CExe]” file.
5/04/2007 11:43:57 Sandrine 552 Sign of “Win32:Agent-DDN [Trj]” has been found in “C:\m.exe[CExe]” file.
I’ll have to format that computer as I notice very high traffic on my router.
My very own computer @home is safe: I don’t leave Linux Fedora ;D
That’s the fresh news of the day.
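A Python parser for the avast! warning-log lines quoted above, as an added example that is not part of the thread: it extracts the signature name and the flagged path from each line, groups paths by signature, and flags the two dropper-style locations the post shows (a file directly in the root of a drive, and the IE cache). The log lines are constructed in the same layout; straight quotes are used here, and the regex accepts the curly ones from the original log too.

```python
import re
from collections import defaultdict

# Constructed log lines in the avast! layout quoted in the thread.
AVAST_LOG = r'''
5/04/2007 11:19:31 Sandrine 552 Sign of "Win32:Agent-DDN [Trj]" has been found in "C:\Documents and Settings\Sandrine\Local Settings\Temporary Internet Files\Content.IE5\LBQOLI8D\m[1].exe[CExe]" file.
5/04/2007 11:21:53 Sandrine 552 Sign of "Win32:Agent-DDN [Trj]" has been found in "C:\m.exe[CExe]" file.
5/04/2007 11:43:57 Sandrine 552 Sign of "Win32:Agent-DDN [Trj]" has been found in "C:\m.exe[CExe]" file.
'''

LINE_RE = re.compile(
    r'^(?P<date>\S+) (?P<time>\S+) (?P<user>\S+) (?P<pid>\d+) '
    r'Sign of [“"](?P<sig>[^”"]+)[”"] has been found in '
    r'[“"](?P<path>[^”"]+)[”"] file\.$')

def parse_avast(text):
    """Return one dict per warning line: date, time, user, pid, sig, path."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        # avast appends the unpacker tag in brackets (e.g. "[CExe]"); drop it.
        rec["path"] = re.sub(r'\[[A-Za-z]+\]$', '', rec["path"])
        hits.append(rec)
    return hits

def triage(hits):
    """Group flagged paths by signature and flag drive-root / IE-cache locations."""
    by_sig = defaultdict(set)
    suspicious = set()
    for h in hits:
        path = h["path"]
        by_sig[h["sig"]].add(path)
        at_drive_root = re.match(r'^[A-Za-z]:\\[^\\]+$', path) is not None
        if at_drive_root or 'Temporary Internet Files' in path:
            suspicious.add(path)
    return by_sig, suspicious
```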
This is the registry entry that causes mpn.exe to load at startup. The service name is MPNet. Another Mt. Pleasant High School web site is
http://mpnet.esuhsd.org/
And you said you are in education. I didn’t know if there was significance or coincidence in this - I suppose the latter.
We have much work to do and we will have to be careful to not confuse one computer with another. Generally you will need to fully update every computer (both Windows and VNC Updates) that has been connected to your LAN.
After the updates do a boot scan with avast!, then a thorough scan with AVG Antispyware. Quarantine whenever possible as opposed to deleting files.
I am ready to clean the first computer you posted about (the one you ran hjt on) whenever you’re ready but I need the Virus Total or Jotti results on autorun.exe first. We will use hijackthis first on this machine but please recognize that the fix for this one may not be the same for every PC globally. Hijackthis is very powerful and can cause damage if used incorrectly, so we may need to individually analyze each machine in your LAN.
In the mean time, please email a zipped and password protected copy of mpn.exe to virus(@)avast.com and include the password in the body of your email along with a link to this thread (posting it on your web site won’t help - it needs to be emailed).
EDIT:
My very own computer @home is safe: I don't leave Linux Fedora
The latter…
And I’m afraid mpn.exe has no relation with any school, except a piracy school.
We have much work to do and we will have to be careful to not confuse one computer with another. Generally you will need to fully update every computer (both Windows and VNC Updates) that has been connected to your LAN.
Every computer :o That is about 90 PCs. Fortunately, I'm on holidays.
It's 6 PM here. A bit too late to begin the work this evening.
After the updates do a boot scan with avast!, then a thorough scan with AVG Antispyware. Quarantine whenever possible as opposed to deleting files.
I am ready to clean the first computer you posted about (the one you ran hjt on) whenever you’re ready but I need the Virus Total or Jotti results on autorun.exe first. We will use hijackthis first on this machine but please recognize that the fix for this one may not be the same for every PC globally. Hijackthis is very powerful and can cause damage if used incorrectly, so we may need to individually analyze each machine in your LAN.
As mpn.exe does not seem to be a regular Windows file, I thought it would be easy to recognize an infection. Bad idea.
In the mean time, please email a zipped and password protected copy of mpn.exe to virus(@)avast.com and include the password in the body of your email along with a link to this thread (posting it on your web site won't help - it needs to be emailed).
I'll do it ASAP via a gmail account. I hope it is not filtered.
EDIT:
My very own computer @home is safe: I don't leave Linux Fedora
There is no Windows partition?
There are two Windows partitions. But the virus/spywares/adwares won't be active under Linux. What a peaceful place.
Well, if they’re on the LAN they should be checked …
There’s a way to fix this manually (and quickly when it’s just a few computers) with HijackThis, but with that number of computers let’s do an experiment to see if we can automate this process. On the computer that the hjt log came from make sure Windows and VNC are up to date, then run an avast! boot scan. After, rename hijackthis.exe to hijackthat.exe and generate/post a new log using the renamed executable. If this process cleans the infection(s) we can use it on as many of the other computers simultaneously as you can handle. If it is not successful we will try AVG Antispyware followed by another hjt log, etc. until we find the right fix…
I do still need the autorun.exe analysis when you have a chance.
Kaspersky has developed a proof-of-concept cross platform virus able to infect both Linux and Windows. Its capabilities are limited on the Linux side, of course, but it shows that assumptions should no longer be made with dual boot set ups.
It’s up to you, but given the amount of time you’re going to devote to cleaning this up I would give my own computer the 20 minutes it needs to be checked.
I’ve just sent the two files, mpn.exe and autorun.exe, to virus_[at]_avast.com
It wasn’t easy because Gmail does not accept executable (even zipped) files. They were renamed as *.txt.