Suspected trojan on my computer

  • Thread starter Thread starter User
  • Start date Start date
U

User

This morning I noticed some unusual network activity on my win2kpro system
and tracked it down.

An application that is spawned from explorer.exe is making repeated network
connections to IP 82.192.80.97:2918 which lists in my computer as
hosted-by.12servers.nl

The application name is c:/winnt/system32/systemcfg, witch was created at
10:19:52am today

Also listed in my even log are two entries from that time like this below
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 7/8/2004
Time: 10:19:52 AM
User: N/A
Computer: T1001885
Description:
The rxpdn service failed to start due to the following error:
The executable program that this service is configured to run in does not implement the service.

There are other entries claiming my officescan terminated unexpectedly - though it appears to
be running now. My event logger appears to have started and stopped a few times too.

-----------
So the question is, what do I do next. I have suspended the task, but don't know where to
disable it from autostarting. Does anyone want a copy. How did I get broken into, I am
totally up to date as far as I know in all respects. I was browsing the web at the time of
"infection".

Thanks
 
From some initial web searches this appears to be a variant of the Agobot
worm/backdoor. This particular worm has many vectors of infection so it may
not be possible to say how you got it.
--
Curtis Koenig
Security Support Engineer
Product Support Services, Security Team
MCSE, MCSES, CISSP

This posting is provided "AS IS" with no warranties and confers no rights.
Please reply to the newsgroup so that others may benefit. Thanks!

--------------------
 
Indeed, the answer I recieved from the sans handler on duty was that it was
a new form of agobot that was not detected by trend,mcafee or several others.
I was fully patched, so I don't know how I got it. Later I learned that it was
running all around my company before I got it, I guess it found a hole into my
system. Last I heard the IT guys were still reading their logs trying to determine
how it got in.... Given the large number of viruses we have had in our company
in the last few weeks I am not holding out any hope of inspiration from them.
If you are interested I could put you in contact with them. I don't see that my
particular strain was important enough for trend to even make a note of it
on their webpage.
 
Thanks for the follow-up information, if you all need any assistance in
dealing with this virus the PC Safety line here at MS will be happy to
assist you all.
--
Curtis Koenig
Security Support Engineer
Product Support Services, Security Team
MCSE, MCSES, CISSP

This posting is provided "AS IS" with no warranties and confers no rights.
Please reply to the newsgroup so that others may benefit. Thanks!

--------------------
 
Back
Top