Can't Pin Down a Zombie

[Axman]

I've got a machine on our network that's got a spam-factory on it. Unfortunately, it's the mail/ web server. To boot, it's got a possibly separate flaw on it that prevents Active X from running. Windiz update aside, I can't run utilities like Housecall on it. And we've got delays getting our Antivirus license finalized. So I'm running AVG Free (which is against the rules but they've got our money, I'm going to be OK with it) which, while otherwise quite adequate, won't find my bug. Hijack this and Spybot come up broke, too.

I was, in the meanwhile, thinking of some port-management and firewall trickery to let us use Exchange while not giving the machine direct access to SMTP outbound.

However, that is not a solution. Any good ideas out there? If you want a log:

2005-11-10 07:30:57 1EaBZx-0007LJ-I9 <= bpxwedqgmflobnmta@ms22.hinet.net
H=(net.gs-school.local) [69.15.95.70]:9846 I=[10.50.1.49]:25 P=esmtp
S=1545 id=TBOCGKXXMXXPDRBPWFHKJMJT@ms28.hinet.net
T="\241L~\266R\244F\244\243\245\316\301\331~\244\361\257\262\252\272\301
\331\253K\251ykmcdw" from <bpxwedqgmflobnmta@ms22.hinet.net> for
protech@protech.net.tw kuolh@mail.darharnq.com.tw jackyshu@dsc.com.tw
gmelove52@iclubs.com.tw asia.ken@gigigaga.com chiton_1110@pchome.com.tw
vivian_chan@uuu.com.tw a02021688@yahoo.com.tw a1106125@yahoo.com.tw
cold790129@yahoo.com.tw a22122b22122g@yahoo.com.tw
cindyang@love.url.com.tw ellie@mail.chinesebank.com.tw
sales-ems@mail.eec.com.tw gmarket@mail.nethotel.com.tw
2005-11-10 07:28:33 1EaBXc-0006Pk-Vp <= qosawozya@pmail.com
H=(net.gs-school.local) [69.15.95.70]:9802 I=[10.50.1.49]:25 P=esmtp
S=987 id=NETXpGRWvUbLkiChiwV000058ad@net.gs-school.local
T="\271\332\267Q\246V\253e\254\335" from <qosawozya@pmail.com> for
doolanking@yahoo.com.tw
2005-11-10 07:28:32 1EaBXc-0006Pk-Py <= cmleelusw@pmail.com
H=(net.gs-school.local) [69.15.95.70]:9802 I=[10.50.1.49]:25 P=esmtp
S=1055 id=NETDfrwV0JmFS7kqQHF000058ac@net.gs-school.local
T="\244\265\246~\263\314\273\305\252\272\246\250\244H\274v\244\371\244W\
263\365\253\243\241I" from <cmleelusw@pmail.com> for
goddiedd0120@yahoo.com.tw
2005-11-10 07:28:32 1EaBXc-0006Pk-KA <= modruituv@pmail.com
H=(net.gs-school.local) [69.15.95.70]:9802 I=[10.50.1.49]:25 P=esmtp
S=1012 id=NETNzFiPNl4iZWw8gRz000058ab@net.gs-school.local
T="\262\263\251\322\264\301\253\335\263n\305\351\246X\277\350" from
<modruituv@pmail.com> for f126551526@yahoo.com.tw
2005-11-10 07:27:14 1EaBWM-0005nh-3A <= bronuwxji@pmail.com
H=(net.gs-school.local) [69.15.95.70]:9776 I=[10.50.1.49]:25 P=esmtp
S=1218 id=NETfJV3uS1Mbysbcq3100005893@net.gs-school.local
T="\244\255\252\341\244K\252\371\252\272\271C\300\270" from
<bronuwxji@pmail.com> for suhsiaochi@yahoo.com.tw

Axman

 

[hokatichenci]

Er, is there some doubt in your mind about starting clean? If all that other software is borked then its probably something pretty deep in the system, your best bet might be to yank the drive and hooked it up as an aux drive to another system and scan it from there?

 

[ekliptikz]

Er, is there some doubt in your mind about starting clean? If all that other software is borked then its probably something pretty deep in the system, your best bet might be to yank the drive and hooked it up as an aux drive to another system and scan it from there?

I share a similar thought. It looks like you're going to want to prepare for some exchange downtime. If you need to and you got an extra box lying around, just get a temporary mail server running on.

+5 points for most awesome thread title ever

 

[YeOldeStonecat]

Agree with above...when the 5 oclock whistle blows...drop the server. Slave the drive, and scan it with a GOOD antivirus product. Only 2 I trust, Kapersky, and NOD32.

Now....other things to look at, what's the setup of this mail server? What version of Exchange? Is she a multi-homed server? What firewall protection?

Have you locked down relay? Accept only from?

Where you running an Exchange module with your antivirus package?

 

[DESmack]

Mate,

Try a little Regedit work.. If the 'Zombie' is starting up on boot, its got to be getting its command somewhere... in regedit its here..

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

This is where all your TSR's are started from, Google every .exe in there and get rid of anything that should not be there.. like real schedule(real player crap) , or QTasks(Quick time crap) for example.

Before you reboot, also check what’s running in task manager.. once again Google
each process and make sure its what you want running... If you find the culprit.... you may have trouble trying to 'stop it' That’s no sweat, once you have the name search your drives, for the .exe and then rename it to virus.exe.getnicked when you reboot it wont be running and you can then go and delete the files.

Finally, the reason why your 'AV' is not finding anything is that there a gang scripts that virus writers include with their packages that are designed to 'Knock out' all of the most popular windows firewalls, IDS's, and AV apps. A quick browse of Astalavista.com will back this up.


Now go kick some zombie ass!

 

[Axman]

Just a follow up on all this:

After making sure that the registry was clean, I gave Nod32 a shot.

Picked it off on the first try. Also, the interface is magnificent. I think it will be the first antivirus that I will ever pay for at home. (Avast is such a memory hog, anyway.)

So thanks for the advice; the machine still has problems with ActiveX but I think it will hold out until summer vacation. (We're a Catholic school. Uh, five years' less purgatory to you all, I'm sure.) (I'm not even a Christmas and Easter Catholic; I wouldn't take my word for it. . .)

Next time any of you is in Denver, a pint is on me.

 

[PanzerBoxb]

Axman,

Glad to hear that you got it nailed. Out of curiosity, what did NOD32 detect it as?

-PzB

 

[Axman]

While not at work, I can't look at my records, though I remember it being an mIRC/ backdoor.irc family of trojan. It seemed to have been modified from it's original trojan, as it didn't have any of the registry keys that the Kaspersky encyclopedia said that it should.