I think I've got a virus...

bryan

Ugh. I think I've got a virus on my Windows 2003 Small Business Server.

I found KILL.EXE running (twice) and it was taking up a TON of CPU.

A quick search found that it was stored in the C:\WINDOWS\rewt folder.

The folder contains these files:

avicap32.dll
batur.bat
fport.exe
kill.exe
lsass.exe
root.exe
ServUStartUpLog.txt
tlist.exe

I also noticed that the C:\WINDOWS folder has these four files with the
same date and time as the "rewt" folder:

shellhost32.exe
shelllib.dll
shellconfig.oxc
shellsuccesslog.oxc

Nothing I can find in the registry, at least in the Run keys.

This looks bad to me, but I can't find anything on this on any of the
major security web sites (Symantec, McAfee, etc.)

Any ideas?
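As an added example (not from this post or any reply in the thread), here is a PowerShell triage script that generalises bryan's two observations: it pivots on the suspect folder's creation time to find other files dropped in the same window under C:\WINDOWS, hashes them, and then checks persistence locations beyond the Run keys (services, scheduled tasks, Winlogon). The folder path, search root and tolerance window are assumed parameters with the values from the post as defaults; the "lsass.exe outside System32" check is a heuristic added here, not something the thread identifies.

```powershell
# Added example (not from the thread): timestamp pivot plus persistence checks
# around a suspect folder. Defaults are the paths named in the post.
param(
    [string]$SuspectPath      = 'C:\WINDOWS\rewt',
    [string]$SearchRoot       = 'C:\WINDOWS',
    [int]   $ToleranceMinutes = 10
)

$anchor  = Get-Item -LiteralPath $SuspectPath -Force
$refTime = $anchor.CreationTime
Write-Host "Anchor: $($anchor.FullName) created $refTime"

# 1. Files under the search root created within the tolerance window of the
#    suspect folder (the OP spotted four such files in C:\WINDOWS by eye).
$planted = Get-ChildItem -LiteralPath $SearchRoot -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { [math]::Abs(($_.CreationTime - $refTime).TotalMinutes) -le $ToleranceMinutes }
$planted | Select-Object FullName, CreationTime, Length | Format-Table -AutoSize

# 2. Hash everything found so it can be looked up or sent to a vendor.
$planted | Get-FileHash -Algorithm SHA256 | Select-Object Hash, Path | Format-Table -AutoSize

# 3. Persistence beyond the Run keys: services and scheduled tasks whose
#    command references the suspect folder, plus a well-known system name
#    (lsass.exe) configured to run from outside System32 (heuristic).
$needle = [regex]::Escape($SuspectPath)
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match $needle -or
                   ($_.PathName -match 'lsass\.exe' -and $_.PathName -notmatch 'System32') } |
    Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize

Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { ($_.Actions | ForEach-Object Execute) -match $needle } |
    Select-Object TaskName, TaskPath, State

# 4. The Run keys the OP already checked, plus Winlogon, for completeness.
$autoruns = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($k in $autoruns) {
    Get-ItemProperty -Path $k -ErrorAction SilentlyContinue |
        ForEach-Object { $_.PSObject.Properties } |
        Where-Object { $_.Value -is [string] -and $_.Value -match $needle } |
        Select-Object @{n='Key';e={$k}}, Name, Value
}
```

Run it from an elevated prompt on the affected host; a clean result from step 3 and 4 does not prove absence of persistence, only that nothing references the one folder searched for.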
 
From: <[email protected]>

| Ugh. I think I've got a virus on my Windows 2003 Small Business Server.
|
| I found KILL.EXE running (twice) and it was taking up a TON of CPU.
|
| A quick search found that it was stored in the C:\WINDOWS\rewt folder.
|
| The folder contains these files:
|
| avicap32.dll
| batur.bat
| fport.exe
| kill.exe
| lsass.exe
| root.exe
| ServUStartUpLog.txt
| tlist.exe
|
| I also noticed that the C:\WINDOWS folder has these four files with the
| same date and time as the "rewt" folder:
|
| shellhost32.exe
| shelllib.dll
| shellconfig.oxc
| shellsuccesslog.oxc
|
| Nothing I can find in the registry, at least in the Run keys.
|
| This looks bad to me, but I can't find anything on this on any of the
| major security web sites (Symantec, McAfee, etc.)
|
| Any ideas?


1) Download the following three items...

McAfee Stinger
http://vil.nai.com/vil/stinger/

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download SYSCLEAN.COM and place it in that directory.
Download the signature files (pattern files) by obtaining the ZIP file.
For example: lpt478.zip

Extract the contents of the ZIP file and place the contents in the same directory as
SYSCLEAN.COM.

2) Reboot your server into Safe Mode and shut down as many applications as possible
3) Using both the Trend Sysclean utility and Stinger, perform a Full Scan of your
platform and clean/delete any infectors found
4) Restart your server and perform a "final" Full Scan of your platform using both.

* * Please report back your results * *
 
| Ugh. I think I've got a virus on my Windows 2003 Small Business Server.
|
| I found KILL.EXE running (twice) and it was taking up a TON of CPU.
|
| A quick search found that it was stored in the C:\WINDOWS\rewt folder.
|
| The folder contains these files:
|
| avicap32.dll
| batur.bat
| fport.exe
| kill.exe
| lsass.exe
| root.exe
| ServUStartUpLog.txt
| tlist.exe
|
| I also noticed that the C:\WINDOWS folder has these four files with the
| same date and time as the "rewt" folder:
|
| shellhost32.exe
| shelllib.dll
| shellconfig.oxc
| shellsuccesslog.oxc
|
| Nothing I can find in the registry, at least in the Run keys.
|
| This looks bad to me, but I can't find anything on this on any of the
| major security web sites (Symantec, McAfee, etc.)
|
| Any ideas?

Try finding information about this by searching "rewt", or anything else on
Google. "REWT" is a Trojan and "kill.exe" is a small application for
immediately shutting down a process. Plenty of methods for removal.
As for "this looks bad...", the real security issue here is how it came to
be on your system in the first place. What else did you download or install
on the same date or near to? I'd suggest tightening your discipline on
downloading applications and scanning them for spyware as well as viruses.
HTH
 
DANG said:
As for "this looks bad...", the real security issue here is
how it came to be on your system in the first place. What
else did you download or install on the same date or near to?

The OP said the machine was running Win 03 server. Does anyone use
that machine as their work terminal, or does it sit unattended most
of the time?

Is e-mail read on it? Is web surfing done on it?

Does Win-03 server have the same default admin shares that win 2k/XP
have?

Does Win-03 server run netbios over TCP as default?

What are the permissions set to for c$, d$, c:\winnt, etc? Is the
"whole world" (everyone) allowed to see shared directories?

Has the name of the default administrator account been changed?

Has the guest account been re-named and disabled?

Is the machine behind a hardware NAT router/firewall?

Most likely, some other machine on your local network has been
infected with something and that's how it got onto your win-03
machine.

From your Win-03 machine, go to shields up and see how vulnerable it
is from the internet:

https://www.grc.com/x/ne.dll?bh0bkyd2
(if that doesn't work, go to http://www.grc.com/default.htm and click
on Shields UP!).

If shields up says that it can't access any shared resources or ports,
then your infection happened locally.

Stop sharing the default admin shares, change admin and guest account
names, disable guest, look at your permission structure and remove
"everyone", "anonymous", etc.

If you want to convince yourself that your machine is clean, then shut
it down, use something like Norton Ghost (boot from floppy) and make
an exact duplicate of the drive. Then take either the original or
duplicate drive and slave it to another computer that you trust
(running XP or 2003) and scan the drive in slave mode. If the drive
is a slave, it won't have any protection from root kits that may be on
it, and your scanning software running on the trusted PC will have
full access to the entire drive, recycler, etc. Download and run "The
Cleaner" on the trusted PC (30 day trial version).
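Added example, not part of this post: a read-only PowerShell audit that answers the checklist above on the local machine (default admin shares and the AutoShareServer setting, whether the RID-500 Administrator and RID-501 Guest accounts have been renamed or are enabled, NetBIOS over TCP/IP per adapter, and non-default shares whose NTFS ACL grants anything to Everyone or ANONYMOUS LOGON). It assumes Windows PowerShell 5.1 or later for Get-LocalUser; share-level permissions are a separate layer the script does not read.

```powershell
# Added example: reports on the hardening questions raised above. Read-only.
$report = [ordered]@{}

# Default administrative shares (C$, D$, ADMIN$, IPC$) carry the 0x80000000 type flag.
$adminShares = Get-CimInstance Win32_Share | Where-Object { $_.Type -band 0x80000000 }
$report['AdminSharesPresent'] = ($adminShares.Name -join ', ')
$lanman = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
$report['AutoShareServer'] = $lanman.AutoShareServer   # 0 stops C$/D$/ADMIN$ being recreated at boot

# Built-in Administrator (RID 500) and Guest (RID 501): renamed? enabled?
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like '*-501' }
$report['AdministratorRenamed'] = ($admin.Name -ne 'Administrator')
$report['AdministratorEnabled'] = $admin.Enabled
$report['GuestRenamed']         = ($guest.Name -ne 'Guest')
$report['GuestEnabled']         = $guest.Enabled

# NetBIOS over TCP/IP per IP-enabled adapter: 0 = default from DHCP, 1 = enabled, 2 = disabled.
$report['NetbiosOverTcp'] = (Get-CimInstance Win32_NetworkAdapterConfiguration |
    Where-Object IPEnabled |
    ForEach-Object { "$($_.Description)=$($_.TcpipNetbiosOptions)" }) -join '; '

# Non-default shares whose NTFS ACL on the shared path grants anything to the
# "whole world". Share-level permissions are a separate layer not read here.
$wideOpen = foreach ($s in (Get-CimInstance Win32_Share |
                            Where-Object { -not ($_.Type -band 0x80000000) -and $_.Path })) {
    $acl = Get-Acl -LiteralPath $s.Path -ErrorAction SilentlyContinue
    if ($acl.Access | Where-Object { $_.IdentityReference -match 'Everyone|ANONYMOUS LOGON' }) {
        $s.Name
    }
}
$report['SharesOpenToEveryone'] = ($wideOpen -join ', ')

[pscustomobject]$report | Format-List
```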
 
"the real security issue here is how it came to
be on your system in the first place. What else did you download or
install on the same date or near to? I'd suggest tightening your discipline on
downloading applications and scanning them for spyware as well as
viruses."

See, that's the scary part. This is a server. No one works on the
machine. I'm the only one with access to it, and I was in Florida on
vacation when the infection happened!

I'm trying to find out how the virus got on the machine now. Since
it's a server, ports 80 and 25 are open. Maybe there's a vulnerability
there somewhere, though I keep up to date on patches from Microsoft.

What a joy this whole process is....
 