klimax (Premium, joined 2001-06-13, Flushing, NY)
Help! Possible trojan/back door
This morning I found an "obs.exe" file in the root directory of my Windows 2000 Server machine which I had absolutely no clue about. It was dated 07/16/02, size about 23k bytes, with a gray memory-module-like icon. I got suspicious and decided to install The Cleaner to check it out, and not so surprisingly, it was infected with a "YAB trojan". I've deleted that file and the registry using The Cleaner, but what worries me is I still do not know how it just mysteriously appeared on C:\. I haven't installed any new software on that machine for the past couple of weeks... well, except for The Cleaner just now. Here's what I got from MooSoft's online database about the YAB trojan:
YAB
Created: July 16th, 2002
Modified: July 16th, 2002
Aliases: None
Type: Dropper
This is a small trojan that contains another trojan. Its purpose is to hide the real trojan.
Additional Information: None
A complete system scan with The Cleaner didn't indicate any other presence of trojans, and the system log files appear to be normal. I am totally confused. Anybody got any ideas?
Name Game (Premium, joined 2002-07-07, North Myrtle Beach, SC)
No... but here is another obs.exe: http://www.5fold.com/bs/bsdl.htm
Randy Bell (Premium, joined 2002-02-24, Santa Clara, CA)
reply to klimax
I did an unsuccessful search for YAB on Google, and I can't seem to find any info on this trojan: there is no mention of it in TrojanHunter's current ruleset either. :)
cls2 (@bconnected.net)
It's also known as "Yet Another Binder", Yabinder or Multidropper-DR.
Your software is just detecting the dropper program. You'd have to have an expert look at it to determine what it drops.
klimax (Premium, joined 2001-06-13, Flushing, NY)
reply to Randy Bell
Name Game, I've downloaded that officebs.exe file and extracted it just out of curiosity; the file icons and sizes are different, and The Cleaner doesn't find any trojans in that file... Also, I've never even been to that site before. It is quite odd. Thanks for the help though.
Randy, I tried to search myself but no luck. Thanks for the input.
My major concern is not the file itself, but that there might be a security hole somewhere that I don't know about. If a file could just present itself on my system without my knowledge, what else isn't a potential?
Name Game (Premium, joined 2002-07-07, North Myrtle Beach, SC)
reply to klimax
We would like to tell you more about your problem, but since this is a public board it is just not a good idea. What you have run into is...
YAB V1.02
The original version of Yet Another Binder (YAB). YAB is a powerful multi-featured file binding tool that can be used to distribute a number of files to a target system very discreetly.
YAB V2.00 UPDATED!
A binder with a massive selection of features. All the features of before, plus many new features and improvements! The stub is now even smaller! YAB is now the smallest multi-featured binder to use compression! Additionally, YAB is the first EVER binder to have an Icon Patcher capable of changing both the small and large icons of the bound file!
klimax (Premium, joined 2001-06-13, Flushing, NY)
Name Game, thanks for the quick responses and information. While I was trying to figure out the cause of all this, I happened to do a netstat -a command and found this:
TCP xxxxxxx:3175 irc.swabby.org:6667 ESTABLISHED
I only have MSN Messenger on; I don't have any IRC programs running. In fact, I never even went near IRC for quite a while. There is definitely something going on. Maybe I should just format and reinstall...
klimax (Premium, joined 2001-06-13, Flushing, NY)
Update: Rebooted Windows, and the connection to irc.swabby.org still remains... Not only is the connection established, it's sending and receiving packets now. I tried to close it down using Active Ports, but no use, it keeps on coming back up.
It's totally ruining my Sunday...
cls2 (@bconnected.net)
If you need an analysis of what obs.exe drops, here's a list of sample submission addresses from a post in alt.comp.virus. Most of them prefer to receive them in a ZIP file with the password "infected".
Command Software: virus@commandcom.com
Computer Associates (US): virus@ca.com
Computer Associates (Vet/EZ): ipevirus@vet.com.au
DialogueScience (Dr. Web): Antivir@dials.ru
Eset (NOD32): sample@nod32.com
F-Secure Corp.: samples@f-secure.com
Frisk Software (F-PROT): viruslab@f-prot.com
Grisoft (AVG): virus@grisoft.cz
H+BEDV (AntiVir): virus@antivir.de
Kaspersky Labs: newvirus@kaspersky.com
Network Associates (McAfee): virus_research@nai.com
Norman (NVC): analysis@norman.no
Sophos Plc.: support@sophos.com
Symantec (Norton): avsubmit@symantec.com
Trend Micro (PC-cillin): virus_doctor@trendmicro.com (Trend may only accept files from registered users of its products)
klimax (Premium, joined 2001-06-13, Flushing, NY)
cls2, thanks for the response. I just wish I had made a backup copy of obs.exe. It's been deleted and there seems to be no way to restore it now. Though I doubt that I'll find a solution, I'm gonna head off to the newsgroups to search for any related posts. There seems to be no "cure" for this other than formatting...
cls2 (@bconnected.net)
You may want to try FPort from www.foundstone.com/knowledge/pro···ort.html to see what file is holding the port open, and then submit that file.
klimax (Premium, joined 2001-06-13, Flushing, NY)
This is what I got from FPort. (By the way, it's a great little program.)
Pid   Process   Port   Protocol   Path
1316  svshost -> 3053  TCP        C:\WINNT\System32\svshost.exe
The date on that file shows 07/21/2002, which means that it's been modified? Shouldn't it be the date when I first installed Windows? Well, I copied svshost.exe to a temp folder and scanned it with NAV & The Cleaner; nothing came up. Strange... strange...
cls2 (@bconnected.net)
Sounds like a very suspicious file. It's pretending to be the legitimate svchost.exe file. Send it off to the sample submission addresses.
Occasu$ (joined 2001-07-20, North Vancouver, BC)
reply to klimax
What kind of firewall do you have? If it is rule-based, try creating a general rule that blocks all outgoing traffic to remote port 6667.
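As an added example (not code from this thread or any of its posters), a small Python script that applies the two checks the thread converges on, run over constructed FPort and netstat -a output: flag a listening process whose name is one character off a genuine Windows system process name (svshost versus svchost), and flag established connections to remote port 6667. The sample rows, the placeholder hostnames and the list of system process names are assumptions of the example.

```python
import re
# Constructed sample output modelled on the FPort and netstat -a lines quoted in the
# thread; the second and third FPort rows and the hostnames are made up for the example.
FPORT_SAMPLE = """\
Pid   Process            Port  Proto Path
1316  svshost        ->  3053  TCP   C:\\WINNT\\System32\\svshost.exe
812   svchost        ->  135   TCP   C:\\WINNT\\System32\\svchost.exe
1044  msmsgs         ->  1863  TCP   C:\\Program Files\\Messenger\\msmsgs.exe
"""
NETSTAT_SAMPLE = """\
  TCP    myhost:3175    irc.example.invalid:6667    ESTABLISHED
  TCP    myhost:1863    msgr.example.invalid:1863   ESTABLISHED
"""
# Real Windows 2000 system process names that malware often imitates by name.
SYSTEM_NAMES = {"svchost", "lsass", "services", "winlogon", "csrss", "explorer"}
IRC_PORTS = {6667}  # the port seen in the thread's netstat output
FPORT_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s+(.+?)\s*$")

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_fport(text):
    # One dict per FPort data row; the header line does not match the regex and is skipped.
    rows = []
    for m in filter(None, map(FPORT_RE.match, text.splitlines())):
        pid, proc, port, proto, path = m.groups()
        rows.append({"pid": int(pid), "process": proc.lower(), "port": int(port), "proto": proto, "path": path})
    return rows

def lookalike_processes(rows):
    # Paths whose process name is exactly one edit away from a system name (svshost vs svchost) but not equal to it.
    return [r["path"] for r in rows
            if r["process"] not in SYSTEM_NAMES
            and any(levenshtein(r["process"], s) == 1 for s in SYSTEM_NAMES)]

def irc_connections(text):
    # Remote endpoints of ESTABLISHED TCP sessions in netstat -a output whose remote port is an IRC port.
    found = []
    for parts in map(str.split, text.splitlines()):
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "ESTABLISHED":
            port = parts[2].rpartition(":")[2]
            if port.isdigit() and int(port) in IRC_PORTS:
                found.append(parts[2])
    return found
```

On the thread's real output, the svshost row would be the only lookalike hit and the irc.swabby.org:6667 line the only IRC hit, which is the same pair of findings the posters arrived at by hand.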
Vampirefo (Premium, MVM, joined 2000-12-11, Huntington, WV, Comcast)
reply to klimax
Get Active Ports from here: www.protect-me.com/freeware.html. Install it, run it, and it will show the app and the connection; some things just don't add up in this thread.
I got to go, but post a pic of Active Ports showing the app connected to port 6667.
-- TrojanHunter Stands For Privacy!!!!!!!
Name Game (Premium, joined 2002-07-07, North Myrtle Beach, SC)
reply to klimax
Hi klimax, Vampirefo has the same info I IM'ed you... so you might want to follow his lead. I am sure he will help get to the bottom of this with you. Sorry your Sunday turned into a fishing expedition you did not sign up for this weekend.
klimax (Premium, joined 2001-06-13, Flushing, NY)
svshost.exe won't delete. It's understandable, assuming that it's in use. This computer is on a shared connection through a router and I don't use any software firewalls.
I came up with two "temporary" solutions: to try and delete svshost.exe in safe mode, and/or to add a filter on my router. Either way, I won't be 100% relieved, knowing that it might happen again since I don't even know the cause of all this. *sigh* One more symptom I'm starting to notice is all these command prompt windows flickering every now and then. Well, if nothing works I'll just give up my day out and format + reinstall Windows.
Thank you guys, you've been great as always!
Oh, one more thing. I did send an email to NAV with svshost.exe and samples of YAB (with the help of Name Game) as attachments earlier. I certainly do hope no one else gets in this situation in the future.
[text was edited by author 2002-07-21 13:30:04]
Occasu$ (joined 2001-07-20, North Vancouver, BC)
It's unfortunate you don't have a software firewall; you might have been able to nip this in the bud. Have you tried downloading any anti-trojan software?
TDS-3: tds.diamondcs.com.au/ (30 day free trial)
Tauscan: www.agnitum.com/download/tauscan.html (free trial also available)
Trojan Hunter: www.mischel.dhs.org/trojanhunter.jsp (30 day free trial)
Edit: Ok N/M lol you use The Cleaner :D
[text was edited by author 2002-07-21 13:37:03]
Zupe (Premium, MVM, joined 2001-11-29, New York, NY)
reply to klimax
I did a search for SVSHost, and it does appear to be an IRC-related command ("SVSHOST - to change people's hostnames"), but I think that would be used in an IRC client, not as a separate executable file.
I would definitely try downloading and scanning with another anti-trojan program. I'd recommend either TDS-3 or Trojan Hunter, both of which Occasu linked to above.
-- Pinky: I think so Brain, but shouldn't the bat boy be wearing a cape?
[text was edited by author 2002-07-21 13:34:45]
Vampirefo (Premium, MVM, joined 2000-12-11, Huntington, WV, Comcast)
reply to klimax
Re: Help! Possible Trojan/back door
Can you send it to me at vampirefo@myrealbox.com? You should be able to delete it in safe mode. I need to run it and see how it starts.
Detecting it should be easy enough though, and if TH doesn't detect it, I can write rules for TH so TH will find it and kill it on any PC.
-- TrojanHunter Stands For Privacy!!!!!!!