klimax
Premium Member
join:2001-06-13
Flushing, NY

Help! Possible trojan/back door

This morning I found an "obs.exe" file in the root directory of my Windows 2000 Server machine which I had absolutely no clue about. It was dated 07/16/02, size about 23k bytes, with a gray memory-module-like icon.
I got suspicious and decided to install The Cleaner to check it out, and not so surprisingly, it was infected with a "YAB trojan". I've deleted that file and the registry entry using The Cleaner, but what worries me is I still do not know how it just mysteriously appeared on C:\. I haven't installed any new software on that machine for the past couple of weeks... well, except for The Cleaner just now.
Here's what I got from moosoft's online database about the YAB trojan :

YAB
Created: July 16th, 2002
Modified: July 16th, 2002
Aliases: None
Type: Dropper
This is a small trojan that contains another trojan. Its purpose is to hide the real trojan.

Additional Information: None

Complete system scan with the cleaner didn't indicate any other presence of trojans, and system log files appear to be normal. I am totally confused. Anybody got any ideas?

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

No.. but here is another obs.exe: http://www.5fold.com/bs/bsdl.htm

Randy Bell to klimax
Premium Member
join:2002-02-24
Santa Clara, CA

I did an unsuccessful search for YAB on Google, and I can't seem to find any info on this trojan: there is no mention of it in TrojanHunter's current ruleset either. :)

cls2
@bconnected.net
Anon

It's also known as "Yet Another Binder" or Yabinder or Multidropper-DR.

Your software is just detecting the dropper program. You'd have to have an expert look at it to determine what it drops.

klimax to Randy Bell
Premium Member
join:2001-06-13
Flushing, NY

Name Game, I've downloaded that officebs.exe file and extracted it just out of curiosity; the file icons and sizes are different and The Cleaner doesn't find any trojans in that file... Also I've never even been to that site before. It is quite odd. Thanks for the help though.

Randy, I tried to search myself but no luck. Thanks for the input.

My major concern is not the file itself, but that there might be a security hole somewhere that I don't know about. If a file could just present itself on my system without my knowledge, what else isn't a potential?

Name Game to klimax
Premium Member
join:2002-07-07
Grand Rapids, MI

We would like to tell you more about your problem but since this is a public board it is just not a good idea. What you have run into is ....

YAB V1.02

The original version of Yet Another Binder (YAB). YAB is a powerful multi-featured file binding tool that can be used to distribute a number of files to a target system very discreetly.

YAB V2.00
UPDATED! A binder with a massive selection of features. All the features of before, plus many new features and improvements! The stub is now even smaller! YAB is now the smallest multi-featured binder to use compression! Additionally, YAB is the first EVER binder to have an Icon Patcher capable of changing both the small and large icons of the bound file!

klimax
Premium Member
join:2001-06-13
Flushing, NY

Name Game, thanks for the quick responses and information.
While I was trying to figure out the cause of all this, I happened to do a netstat -a command and found this.
TCP xxxxxxx:3175 irc.swabby.org:6667 ESTABLISHED

I only have the MSN messenger on, I don't have any IRC programs running. In fact, I never even went near IRC for quite a while. There is something definitely going on.
Maybe I should just format and reinstall...

klimax
Premium Member

Update
Rebooted Windows; the connection to irc.swabby.org still remains... Not only is the connection established, it's sending and receiving packets now. I tried to close it down using Active Ports, but no use, it keeps on coming back up.

It's totally ruining my Sunday...

cls2
@bconnected.net
Anon

If you need an analysis of what obs.exe drops, here's a list of sample submission addresses from a post in alt.comp.virus. Most of them prefer to receive them in a ZIP file with the password "infected".

Command Software virus@commandcom.com
Computer Associates (US) virus@ca.com
Computer Associates (Vet/EZ) ipevirus@vet.com.au
DialogueScience (Dr. Web) Antivir@dials.ru
Eset (NOD32) sample@nod32.com
F-Secure Corp. samples@f-secure.com
Frisk Software (F-PROT) viruslab@f-prot.com
Grisoft (AVG) virus@grisoft.cz
H+BEDV (AntiVir) virus@antivir.de
Kaspersky Labs newvirus@kaspersky.com
Network Associates (McAfee) virus_research@nai.com
Norman (NVC) analysis@norman.no
Sophos Plc. support@sophos.com
Symantec (Norton) avsubmit@symantec.com
Trend Micro (PC-cillin) virus_doctor@trendmicro.com
(Trend may only accept files from registered users of its products)

klimax
Premium Member
join:2001-06-13
Flushing, NY

cls2, Thanks for the response. I just wish I had made a backup file of obs.exe. It's been deleted and there seems to be no way to restore it now.
Though I doubt that I'll find a solution, I'm gonna head off to newsgroups to search for any related posts. There seems to be no "cure" for this other than formatting...

cls2
@bconnected.net
Anon

You may want to try FPort from »www.foundstone.com/knowl ··· ort.html to see what file is holding the port open, and then submitting that file.

klimax
Premium Member
join:2001-06-13
Flushing, NY

This is what I got from FPort. (By the way, it's a great little program.)

Pid Process Port Protocol Path
1316 svshost -> 3053 TCP C:\WINNT\System32\svshost.exe

Date on that file shows 07/21/2002 which means that it's been modified? Shouldn't it be the date when I first installed windows?
Well, I copied svshost.exe to a temp folder and scanned it with NAV & The Cleaner, nothing came up. Strange...strange...
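Correlating the netstat listing posted earlier with this FPort listing is exactly the step that exposed svshost.exe. As an added example that is not code from this thread or from FPort, here is a small Python triage script that does that correlation over constructed copies of those two listings; it assumes 6667 as the remote port worth flagging and a short list of Windows service image names to check for lookalikes.

```python
import difflib
import re
# Constructed samples modelled on the thread's netstat -a and FPort output
# (local IP and PIDs are made up; the local port matches so the rows correlate).
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:3175        irc.swabby.org:6667    ESTABLISHED
"""
FPORT_SAMPLE = r"""
Pid   Process            Port  Proto Path
1316  svshost        ->  3175  TCP   C:\WINNT\System32\svshost.exe
 872  svchost        ->  135   TCP   C:\WINNT\System32\svchost.exe
"""
IRC_PORTS = {6667}  # the port the thread saw traffic on; extend as needed
LEGIT_NAMES = ["svchost.exe", "services.exe", "lsass.exe", "winlogon.exe"]
def parse_netstat(text):  # TCP rows of netstat -a / -an output as dicts
    conns = []
    for line in text.splitlines():
        m = re.match(r"\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)", line)
        if m:
            conns.append({"lport": int(m.group(2)), "rhost": m.group(3),
                          "rport": int(m.group(4)), "state": m.group(5)})
    return conns

def parse_fport(text):  # map local TCP port -> (pid, image path) from FPort
    procs = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+\S+\s+->\s+(\d+)\s+TCP\s+(.+?)\s*$", line)
        if m:
            procs[int(m.group(2))] = (int(m.group(1)), m.group(3))
    return procs

def lookalike(path):  # legitimate name the image name imitates, else None
    name = path.rsplit("\\", 1)[-1].lower()
    for legit in LEGIT_NAMES:
        if name != legit and difflib.SequenceMatcher(None, name, legit).ratio() >= 0.85:
            return legit
    return None

def triage(netstat_text, fport_text):  # flag established connections worth a look
    procs = parse_fport(fport_text)
    findings = []
    for c in parse_netstat(netstat_text):
        pid, path = procs.get(c["lport"], (None, "<unknown>"))
        legit = lookalike(path)             # e.g. svshost.exe -> svchost.exe
        irc = c["rport"] in IRC_PORTS       # outbound IRC with no IRC client
        if c["state"] == "ESTABLISHED" and (irc or legit):
            findings.append((pid, path, c["rhost"], c["rport"], irc, legit))
    return findings
```

Each finding carries the PID and image path to submit to the vendor addresses cls2 listed, plus which of the two signals (IRC port, lookalike name) fired.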

cls2
@bconnected.net
Anon

Sounds like a very suspicious file. It's pretending to be the legitimate svchost.exe file. Send it off to the sample submission addresses.

Occasu$ to klimax
Member
join:2001-07-20
North Vancouver, BC

What kind of firewall do you have? If it is rule-based, try creating a general rule that blocks all outgoing traffic to remote port 6667.

Vampirefo to klimax
Premium Member
join:2000-12-11
Huntington, WV

Get Active Ports from here »www.protect-me.com/freeware.html, install it, run it, and it will show the app and the connection. Some things just don't add up in this thread.

I got to go, but post a pic of active ports, showing the app connected to port 6667.

Name Game to klimax
Premium Member
join:2002-07-07
Grand Rapids, MI

Hi klimax,
Vampirefo has the same info I IM'ed you... so you might want to follow his lead.. I am sure he will help get to the bottom of this with you. Sorry your Sunday turned into a fishing expedition you did not sign up for this weekend.

klimax
Premium Member
join:2001-06-13
Flushing, NY

svshost.exe won't delete. It's understandable assuming that it's in use. This computer is on a shared connection through a router and I don't use any software firewalls.

I came up with two "temporary" solutions, to try and delete svshost.exe in safe mode, and/or adding a filter on my router. Either way, I won't be 100% relieved knowing that it might happen again since I don't even know the cause of all this. *sigh
One more symptom I'm starting to notice, is all these command prompt windows flickering every now and then.
Well, if nothing works I'll just give up my day out and format+reinstall windows.

Thanks, you guys, you've been great as always!

Oh, one more thing. I did send an email to NAV with svshost.exe and samples of YAB (with the help of Name Game) as attachments earlier. I certainly do hope no one else gets in this situation in the future.
[text was edited by author 2002-07-21 13:30:04]

Occasu$
Member
join:2001-07-20
North Vancouver, BC

It's unfortunate you don't have a software firewall; you might have been able to nip this in the bud. Have you tried downloading any anti-trojan software?

TDS-3 »tds.diamondcs.com.au/ (30 day free trial)
Tauscan »www.agnitum.com/download ··· can.html (free trial also available)
Trojan Hunter »www.mischel.dhs.org/troj ··· nter.jsp (30 day free trial)

Edit: Ok N/M lol you use the cleaner :D

[text was edited by author 2002-07-21 13:37:03]

Zupe to klimax
MVM
join:2001-11-29
New York, NY

I did a search for SVSHost, and it does appear to be an IRC related command "SVSHOST - to change peoples hostnames", but I think that would be used in an IRC client, not as a separate Executable file.

I would definitely try downloading and scanning with another Anti-trojan program. I'd recommend either TDS-3 or Trojan Hunter, both of which Occasu linked to above.

Vampirefo to klimax
Premium Member
join:2000-12-11
Huntington, WV

Re: Help! Possible Trojan/back door

Can you send it to me at vampirefo@myrealbox.com, you should be able to delete it in safe mode, I need to run it, and see how it starts.

Detecting it should be easy enough though, and if TH doesn't detect it, I can write rules for TH so TH will find it and kill it, on any PC.

Vampirefo
Premium Member

Ok, TH fully detects and deletes it now with my rules. If you don't have TH, the first thing to do is Alt+Ctrl+Delete, now kill the svshost.exe process, now go to system32 and delete svshost.exe. Now open regedit, go to these two entries and delete them.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft IPC"="svshost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft IPC"="svshost.exe"

Get TH rules here, extract to the TH folder; if you don't want to get rid of the Trojan yourself, download TH, extract these files to the TH directory, run TH and it will find and kill this Trojan for you.

http://vampirefo.can.com/svshost.zip
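The two Run/RunServices values above are the persistence half of the cleanup. As an added example that is not part of Vampirefo's post or his TH rules, this Python snippet parses a constructed .reg export containing those entries and flags the autostart values that deserve a closer look; the allowlist and the two benign entries are assumptions made for the example.

```python
import re
# Constructed .reg-style export modelled on the two "Microsoft IPC" entries
# Vampirefo lists; the other two values are made-up benign examples.
REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft IPC"="svshost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft IPC"="svshost.exe"
"Synchronization Manager"="mobsync.exe /logon"
"NAV Agent"="C:\\PROGRA~1\\NAV\\navapw32.exe"
"""
AUTOSTART_KEYS = ("\\Run", "\\RunServices", "\\RunOnce")
# Assumed allowlist of autostart commands the administrator has already vetted.
KNOWN_GOOD = {"mobsync.exe /logon"}

def parse_reg_export(text):  # (key, value name, command) triples from .reg text
    entries, key = [], None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        else:
            m = re.match(r'"(.+?)"="(.*)"$', line)
            if m and key:  # .reg doubles backslashes inside string values
                entries.append((key, m.group(1), m.group(2).replace("\\\\", "\\")))
    return entries

def suspicious_autostarts(text):  # autostart values worth checking by hand
    findings = []
    for key, name, cmd in parse_reg_export(text):
        if not key.endswith(AUTOSTART_KEYS) or cmd in KNOWN_GOOD:
            continue
        exe = cmd.split()[0].strip('"')
        reasons = []
        if not re.match(r"[A-Za-z]:\\", exe):    # no drive letter: resolved via PATH
            reasons.append("bare filename resolved through the search path")
        if name.lower().startswith("microsoft"):  # borrowed vendor name, as in the thread
            reasons.append("value name claims to be Microsoft")
        if reasons:
            findings.append((key.rsplit("\\", 1)[-1], name, cmd, "; ".join(reasons)))
    return findings
```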

klimax
Premium Member
join:2001-06-13
Flushing, NY

problem solved!

said by Vampirefo:
Get TH rules here, extract to the TH folder; if you don't want to get rid of the Trojan yourself, download TH, extract these files to the TH directory, run TH and it will find and kill this Trojan for you.

Wow, you saved me from yet another format and reinstall. Thanks Vampirefo! I just installed TH and ran the scan with your rules, and it did exactly that!
I'm also very impressed with Trojan Hunter. I find it a lot better than The Cleaner in many ways. It'll definitely be my number one choice for anti-trojan software from now on.
Thanks again everyone. What would I have done without dslreports...

cls2
@bconnected.net
Anon

So, did you find out what trojan it was?

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

said by cls2:
So, did you find out what trojan it was?
We are going to name it Vamp3

Thanks again for your time Vampirefo.
Have a good week,
John

Spectral
Likes Cookies
Premium Member
join:2002-05-03
Salem, OR

Hi,

Klimax, I hope ya don't mind me chiming in on your thread, but the mention of netstat reminded me of a ? lol. I have Windows 98; if I run netstat it runs like superfast and the window disappears again. The only way I can get a decent look at any of it is quick tappin on the pause key. Can anyone tell me how to fix it? And does anyone know of progs like the ones mentioned in this thread that are supported on 98? (to find what's using what port)

TIA
~Spectral

Vampirefo
Premium Member
join:2000-12-11
Huntington, WV

said by Spectral:
Hi,

Klimax, I hope ya don't mind me chiming in on your thread, but the mention of netstat reminded me of a ? lol. I have Windows 98; if I run netstat it runs like superfast and the window disappears again. The only way I can get a decent look at any of it is quick tappin on the pause key. Can anyone tell me how to fix it? And does anyone know of progs like the ones mentioned in this thread that are supported on 98? (to find what's using what port)

TIA
~Spectral
Type netstat -an; this will allow you to see everything.

Vampirefo to Name Game
Premium Member

said by Name Game:
said by cls2:
So, did you find out what trojan it was?
We are going to name it Vamp3

Thanks again for your time Vampirefo.
Have a good week,
John
Glad to help,
Have a good week also.

Best Regards

Vampirefo

Name Game to Vampirefo
Premium Member
join:2002-07-07
Grand Rapids, MI

Spectral

Both of these are free...and will work with win98

Netmon is a compact, easy-to-use network information utility. It displays information pertaining to the IP, TCP, UDP and ICMP protocols. Its main purpose is viewing connections made using the TCP and UDP protocols from or to your computer. This information may prove very useful in hunting trojans (or other suspicious activity) present in your system.
Netmon is a graphical conversion of the "netstat" utility shipped with Windows. Its main advantages over the console-based version are the graphical user interface (GUI), the database of common trojan ports and the complete list of well-known ports (the ports that are numbered below 1024 and reserved for different applications).

Users familiar with the netstat utility should feel at home with the GUI and the information presented.

Copyright (c) 1999-2001 Johan Samuelson

You can download it here.
NetMon160.exe 105 K

»nidaho.net/1way/files/files.htm

THEN>>>>>

Do yourself a favor and download this tool and you will not have to fool around with CTRL+ALT+DEL any more, and you will be able to see everything that is really running on your PC. The way you are doing it, you will not see everything.

»www.turboware.com/WhatsH ··· ning.htm

We are now distributing the Freeware version of What's Happening - A handy utility that displays all of the programs and dll's running on your system (and more). The current version is 1.02. What's Happening is also being distributed on the companion diskette for "Microsoft Windows 2000 Professional Expert Companion," a book to be published this summer by Microsoft Press. The author is Carl Siechert.
[text was edited by author 2002-07-21 22:32:56]

Lurkers inc to Spectral
Don't Call Me Doink
Member
join:2001-10-13
Seattle, WA

said by Spectral:
if I run netstat it runs like superfast and the window disappears again. The only way I can get a decent look at any of it is quick tappin on the pause key. Can anyone tell me how to fix it?
Going a bit off topic to answer, but run it from the DOS window instead of the Run command. You could also pipe it to a txt file by adding a "> netstat.txt" to the end of the command. Then you just have to figure out where it is or how to direct it to be placed where you want it.

The Ports Traffic Analyzer from »atelierweb.com/PTA/index.htm is the only similar product I know of that maps apps to ports and the good news is it does even more and works on Win 9x systems. Bad news is it is not free but has a short trial period.

Paul,
[text was edited by author 2002-07-21 22:40:59]

Spectral to Name Game
Likes Cookies
Premium Member
join:2002-05-03
Salem, OR

Hi,

Thanks all for the links:)