klimax Premium Member join:2001-06-13 Flushing, NY
2002-Jul-21 7:05 am
Help! Possible trojan/back door
This morning I found an "obs.exe" file in the root directory of my Windows 2000 Server machine which I had absolutely no clue about. It was dated 07/16/02, size about 23k bytes with a gray memory-module-like icon. I got suspicious and decided to install the cleaner to check it out, and not so surprisingly, it was infected with a "YAB trojan". I've deleted that file and the registry entry using the cleaner, but what worries me is I still do not know how it just mysteriously appeared on C:\. I haven't installed any new software on that machine for the past couple of weeks... well, except for the cleaner just now. Here's what I got from moosoft's online database about the YAB trojan:
YAB
Created: July 16th, 2002
Modified: July 16th, 2002
Aliases: None
Type: Dropper
This is a small trojan that contains another trojan. Its purpose is to hide the real trojan.
Additional Information: None
Complete system scan with the cleaner didn't indicate any other presence of trojans, and system log files appear to be normal. I am totally confused. Anybody got any ideas?
Name Game Premium Member join:2002-07-07 Grand Rapids, MI
No.. but here is another obs.exe: http://www.5fold.com/bs/bsdl.htm
Randy Bell Premium Member join:2002-02-24 Santa Clara, CA
to klimax
I did an unsuccessful search for YAB on Google, and I can't seem to find any info on this trojan: there is no mention of it in TrojanHunter's current ruleset either. :)
cls2
Anon
2002-Jul-21 7:45 am
It's also known as "Yet Another Binder" or Yabinder or Multidropper-DR.
Your software is just detecting the dropper program. You'd have to have an expert look at it to determine what it drops.
klimax Premium Member join:2001-06-13 Flushing, NY
to Randy Bell
Name Game, I've downloaded that officebs.exe file and extracted it just out of curiosity; file icons and sizes are different and the cleaner doesn't find any trojans in that file... Also I've never even been to that site before. It is quite odd. Thanks for the help though. Randy, I tried to search myself but no luck. Thanks for the input. My major concern is not the file itself, but that there might be a security hole somewhere that I don't know about. If a file could just present itself on my system without my knowledge, what else isn't a potential?
Name Game Premium Member join:2002-07-07 Grand Rapids, MI
to klimax
We would like to tell you more about your problem but since this is a public board it is just not a good idea. What you have run into is ....
YAB V1.02
The original version of Yet Another Binder (YAB). YAB is a powerful multi-featured file binding tool that can be used to distribute a number of files to a target system very discreetly.
YAB V2.00 UPDATED! A binder with a massive selection of features. All the features of before, plus many new features and improvements! The stub is now even smaller! YAB is now the smallest multi-featured binder to use compression! Additionally, YAB is the first EVER binder to have an Icon Patcher capable of changing both the small and large icons of the bound file!
klimax Premium Member join:2001-06-13 Flushing, NY
2002-Jul-21 8:25 am
Name Game, thanks for the quick responses and information. While I was trying to figure out the cause of all this, I happened to do a netstat -a command and found this:
TCP xxxxxxx:3175 irc.swabby.org:6667 ESTABLISHED
I only have MSN Messenger on, I don't have any IRC programs running. In fact, I haven't even gone near IRC for quite a while. There is definitely something going on. Maybe I should just format and reinstall...
klimax Premium Member
2002-Jul-21 8:49 am
Update: Rebooted Windows, the connection to irc.swabby.org still remains... Not only is the connection established, it's sending and receiving packets now. I tried to close it down using Active Ports, but no use, it keeps on coming back up.
It's totally ruining my Sunday...
cls2
Anon
2002-Jul-21 9:02 am
If you need an analysis of what obs.exe drops, here's a list of sample submission addresses from a post in alt.comp.virus. Most of them prefer to receive them in a ZIP file with the password "infected".
Command Software: virus@commandcom.com
Computer Associates (US): virus@ca.com
Computer Associates (Vet/EZ): ipevirus@vet.com.au
DialogueScience (Dr. Web): Antivir@dials.ru
Eset (NOD32): sample@nod32.com
F-Secure Corp.: samples@f-secure.com
Frisk Software (F-PROT): viruslab@f-prot.com
Grisoft (AVG): virus@grisoft.cz
H+BEDV (AntiVir): virus@antivir.de
Kaspersky Labs: newvirus@kaspersky.com
Network Associates (McAfee): virus_research@nai.com
Norman (NVC): analysis@norman.no
Sophos Plc.: support@sophos.com
Symantec (Norton): avsubmit@symantec.com
Trend Micro (PC-cillin): virus_doctor@trendmicro.com (Trend may only accept files from registered users of its products)
klimax Premium Member join:2001-06-13 Flushing, NY
2002-Jul-21 9:20 am
cls2, thanks for the response. I just wish I had made a backup copy of obs.exe. It's been deleted and there seems to be no way to restore it now. Though I doubt that I'll find a solution, I'm gonna head off to newsgroups to search for any related posts. There seems to be no "cure" for this other than formatting...
cls2
Anon
2002-Jul-21 9:26 am
You may want to try FPort from » www.foundstone.com/knowl ··· ort.html to see what file is holding the port open, and then submit that file.
klimax Premium Member join:2001-06-13 Flushing, NY
2002-Jul-21 9:50 am
This is what I got from FPort. (By the way, it's a great little program.)
Pid Process Port Protocol Path
1316 svshost -> 3053 TCP C:\WINNT\System32\svshost.exe
The date on that file shows 07/21/2002, which means that it's been modified? Shouldn't it be the date when I first installed Windows? Well, I copied svshost.exe to a temp folder and scanned it with NAV & The Cleaner, nothing came up. Strange... strange...
cls2
Anon
2002-Jul-21 9:59 am
Sounds like a very suspicious file. It's pretending to be the legitimate svchost.exe file. Send it off to the sample submission addresses.
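The netstat line klimax quoted and the FPort row that followed are the kind of output a defender ends up triaging by hand. As an added example that is not part of this thread, the Python below parses constructed netstat and FPort listings (modelled on those two lines, not real captures; the addresses and the msgr.example.net host are made up), flags established sessions to IRC ports, and reports any process whose name is within one character of a known Windows system binary, which is exactly how svshost.exe gives itself away next to svchost.exe. The IRC port set and the list of imitated binaries are my assumptions.

```python
"""Offline triage of netstat / FPort output: flag IRC-port connections and
process names that imitate Windows system binaries. Added example; the samples
below are constructed after the lines quoted in the thread, not real captures."""

# Constructed `netstat -a` output in the Windows layout (addresses are
# RFC 5737 documentation addresses; the IRC host is the one named in the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1863        msgr.example.net:1863  ESTABLISHED
  TCP    192.0.2.10:3175        irc.swabby.org:6667    ESTABLISHED
  UDP    192.0.2.10:137         *:*
"""

# Constructed FPort-style listing modelled on the post above.
SAMPLE_FPORT = r"""
Pid   Process            Port  Proto Path
404   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
1316  svshost        ->  3053  TCP   C:\WINNT\System32\svshost.exe
"""

# Remote ports worth flagging on a server that runs no IRC client (assumed set:
# the common IRC range plus 7000, which many networks also use).
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 7000}

# Names that malware commonly imitates (assumed list); a one-character variant is a red flag.
KNOWN_SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "csrss.exe",
                         "winlogon.exe", "explorer.exe", "spoolsv.exe"}


def parse_netstat(text):
    """Turn netstat rows into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        remote_host, _, remote_port = parts[2].rpartition(":")
        rows.append({
            "proto": parts[0],
            "local": parts[1],
            "remote_host": remote_host,
            "remote_port": int(remote_port) if remote_port.isdigit() else None,
            "state": parts[3] if len(parts) > 3 else "",
        })
    return rows


def suspicious_irc(rows):
    """Established TCP sessions whose remote port is an IRC port."""
    return [r for r in rows
            if r["proto"] == "TCP" and r["state"] == "ESTABLISHED"
            and r["remote_port"] in IRC_PORTS]


def edit_distance(a, b):
    """Levenshtein distance via the plain dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename):
    """Return the system binary that `filename` imitates, or None.

    An exact match is legitimate; a name within one edit of a known binary
    (svshost.exe vs svchost.exe) is reported as imitating it."""
    name = filename.lower()
    if name in KNOWN_SYSTEM_BINARIES:
        return None
    for legit in sorted(KNOWN_SYSTEM_BINARIES):
        if edit_distance(name, legit) <= 1:
            return legit
    return None


def flag_fport(text):
    """(pid, path, imitated_binary) for FPort rows whose executable name
    is a look-alike of a known system binary."""
    flagged = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows look like: pid process -> port proto path
        if len(parts) < 6 or not parts[0].isdigit() or parts[2] != "->":
            continue
        pid, path = int(parts[0]), " ".join(parts[5:])
        imitated = lookalike_of(path.rsplit("\\", 1)[-1])
        if imitated:
            flagged.append((pid, path, imitated))
    return flagged


if __name__ == "__main__":
    for hit in suspicious_irc(parse_netstat(SAMPLE_NETSTAT)):
        print("IRC session:", hit["local"], "->", hit["remote_host"], hit["remote_port"])
    for pid, path, imitated in flag_fport(SAMPLE_FPORT):
        print(f"pid {pid}: {path} looks like {imitated}")
```

Run on the samples it reports the one session to irc.swabby.org:6667 and pid 1316 as an imitation of svchost.exe; the MSN Messenger session on 1863 and the real svchost are left alone. The name check is deliberately strict (one edit only) so that unrelated short names do not pile up as false positives.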
Occasu$ join:2001-07-20 North Vancouver, BC
to klimax
What kind of firewall do you have? If it is rule based, try creating a general rule that blocks all outgoing traffic to remote port 6667.
Vampirefo Premium Member join:2000-12-11 Huntington, WV
to klimax
Get Active Ports from here » www.protect-me.com/freeware.html, install it, run it, and it will show the app and the connection. Some things just don't add up in this thread. I got to go, but post a pic of Active Ports showing the app connected to port 6667.
Name Game Premium Member join:2002-07-07 Grand Rapids, MI
to klimax
Hi klimax, Vampirefo has the same info I IM'ed you... so you might want to follow his lead. I am sure he will help get to the bottom of this with you. Sorry your Sunday turned into a fishing expedition you did not sign up for this weekend.
klimax Premium Member join:2001-06-13 Flushing, NY
2002-Jul-21 1:05 pm
svshost.exe won't delete. It's understandable assuming that it's in use. This computer is on a shared connection through a router and I don't use any software firewalls. I came up with two "temporary" solutions: to try and delete svshost.exe in safe mode, and/or adding a filter on my router. Either way, I won't be 100% relieved knowing that it might happen again since I don't even know the cause of all this. *sigh*
One more symptom I'm starting to notice is all these command prompt windows flickering every now and then. Well, if nothing works I'll just give up my day out and format+reinstall Windows. Thank you guys, you've been great as always!
Oh, one more thing. I did send an email to NAV with svshost.exe and samples of YAB (with the help of Name Game) as attachments earlier. I certainly do hope no one else gets in this situation in the future.
[text was edited by author 2002-07-21 13:30:04]
Occasu$ join:2001-07-20 North Vancouver, BC
It's unfortunate you don't have a software firewall, you might have been able to nip this in the bud. Have you tried downloading any anti-trojan software?
TDS-3 » tds.diamondcs.com.au/ (30 day free trial)
Tauscan » www.agnitum.com/download ··· can.html (free trial also available)
Trojan Hunter » www.mischel.dhs.org/troj ··· nter.jsp (30 day free trial)
Edit: Ok N/M lol you use the cleaner :D
[text was edited by author 2002-07-21 13:37:03]
Zupe MVM join:2001-11-29 New York, NY
to klimax
I did a search for SVSHost, and it does appear to be an IRC related command ("SVSHOST - to change peoples hostnames"), but I think that would be used in an IRC client, not as a separate executable file.
I would definitely try downloading and scanning with another anti-trojan program. I'd recommend either TDS-3 or Trojan Hunter, both of which Occasu linked to above.
Vampirefo Premium Member join:2000-12-11 Huntington, WV
to klimax
Re: Help! Possible Trojan/back door
Can you send it to me at vampirefo@myrealbox.com? You should be able to delete it in safe mode. I need to run it and see how it starts.
Detecting it should be easy enough though, and if TH doesn't detect it, I can write rules for TH so TH will find it and kill it, on any PC.
Vampirefo
Ok, TH fully detects and deletes it now with my rules. If you don't have TH, the first thing to do is Alt+Ctrl+Delete, now kill the svshost.exe process, now go to system32 and delete svshost.exe. Now open regedit, go to these two entries and delete them:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Microsoft IPC"="svshost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft IPC"="svshost.exe"
Get TH rules here, extract to TH folder. If you don't want to get rid of the Trojan yourself, download TH, extract these files to the TH directory, run TH and it will find and kill this Trojan for you. http://vampirefo.can.com/svshost.zip
klimax Premium Member join:2001-06-13 Flushing, NY
2002-Jul-21 8:40 pm
Problem solved!
said by Vampirefo: Get TH rules here, extract to TH folder. If you don't want to get rid of the Trojan yourself, download TH, extract these files to the TH directory, run TH and it will find and kill this Trojan for you.
Wow, you saved me from yet another format and reinstall. Thanks Vampirefo, I just installed TH, ran the scan with your rules, and it did exactly that! I'm also very impressed with Trojan Hunter. I find it a lot better than The Cleaner in many ways. It'll definitely be my number one choice for anti-trojan software from now on. Thanks again everyone. What would I have done without dslreports...
cls2
Anon
2002-Jul-21 9:24 pm
So, did you find out what trojan it was?
Name Game Premium Member join:2002-07-07 Grand Rapids, MI
said by cls2: So, did you find out what trojan it was?
We are going to name it Vamp3.
Thanks again for your time Vampirefo. Have a good week, John
Spectral (Likes Cookies) Premium Member join:2002-05-03 Salem, OR
2002-Jul-21 10:10 pm
Hi,
Klimax, I hope ya don't mind me chiming in on your thread, but the mention of netstat reminded me of a ? lol. I have Windows 98; if I run netstat it runs like superfast and the window disappears again. The only way I can get a decent look at any of it is quick tappin on the pause key. Can anyone tell me how to fix it? And does anyone know of progs like the ones mentioned in this thread that are supported on 98? (to find what's using what port)
TIA ~Spectral
Vampirefo Premium Member join:2000-12-11 Huntington, WV
2002-Jul-21 10:19 pm
said by Spectral: Hi,
Klimax, I hope ya don't mind me chiming in on your thread, but the mention of netstat reminded me of a ? lol. I have Windows 98; if I run netstat it runs like superfast and the window disappears again. The only way I can get a decent look at any of it is quick tappin on the pause key. Can anyone tell me how to fix it? And does anyone know of progs like the ones mentioned in this thread that are supported on 98? (to find what's using what port)
TIA ~Spectral
Type netstat -an; this will allow you to see everything.
Vampirefo
to Name Game
said by Name Game:
said by cls2: So, did you find out what trojan it was?
We are going to name it Vamp3.
Thanks again for your time Vampirefo. Have a good week, John
Glad to help. Have a good week also. Best regards, Vampirefo
Name Game Premium Member join:2002-07-07 Grand Rapids, MI
to Vampirefo
Spectral, both of these are free... and will work with Win98.
Netmon is a compact, easy-to-use network information utility. It displays information pertaining to the IP, TCP, UDP and ICMP protocols. Its main purpose is viewing connections made using TCP and UDP protocols from or to your computer. This information may prove very useful in hunting trojans (or other suspicious activity) present in your system. Netmon is a graphical conversion of the "netstat" utility shipped with Windows. Its main advantages over the console based version are the graphical user interface (GUI), the database of common trojan ports and the complete list of well-known ports (the ports that are numbered below 1024 and reserved for different applications). Users familiar with the netstat utility should feel at home with the GUI and the information presented. Copyright (c) 1999-2001 Johan Samuelson
You can download it here: NetMon160.exe 105 K » nidaho.net/1way/files/files.htm
THEN>>>>> Do yourself a favor and download this tool and you will not have to fool around with CTRL+ALT+DEL any more and you will be able to see everything that is really running on your PC. The way you are doing it you will not see everything. » www.turboware.com/WhatsH ··· ning.htm
We are now distributing the Freeware version of What's Happening - A handy utility that displays all of the programs and dll's running on your system (and more). The current version is 1.02. What's Happening is also being distributed on the companion diskette for "Microsoft Windows 2000 Professional Expert Companion," a book to be published this summer by Microsoft Press. The author is Carl Siechert.
[text was edited by author 2002-07-21 22:32:56]
Lurkers inc (Don't Call Me Doink) join:2001-10-13 Seattle, WA
to Spectral
said by Spectral: if I run netstat it runs like superfast and the window disappears again. The only way I can get a decent look at any of it is quick tappin on the pause key. Can anyone tell me how to fix it?
Going a bit off topic to answer, but run it from the DOS window instead of the Run command. You could also pipe it to a txt file by adding "> netstat.txt" to the end of the command. Then you just have to figure out where it is or how to direct it to be placed where you want it. The Ports Traffic Analyzer from » atelierweb.com/PTA/index.htm is the only similar product I know of that maps apps to ports, and the good news is it does even more and works on Win 9x systems. Bad news is it is not free but has a short trial period. Paul
[text was edited by author 2002-07-21 22:40:59]
Spectral (Likes Cookies) Premium Member join:2002-05-03 Salem, OR
to Name Game
Hi,
Thanks all for the links :)