Can't stop a Zombie EMailer

Can't stop a Zombie EMailer JP 08-29-2007
Posted by Dustin Cook on August 30, 2007, 5:35 pm

> I am assuming I am on the right Group.
> I have discovered a Zombie Emailer running on XP Home.
> It is sending enough email to bring down the LAN. Using CurrPorts
> (cports.exe) I can watch it connect to an IP address on port 80
> (probably picking up the day's email) then connect to another IP
> Address (close to the first one) on Port 25.
>
> After a few seconds, all hell breaks loose, and the computer starts
> spewing email at a great rate...stopped by pulling the Network cable.
> I have watched this, in CurrPorts, and in Process Explorer from
> Sysinternals, and it appears to be running from Services.exe PID 688,
> but from where after that is the real question.
> I have used 3 different Virus Scanners, and 2 different Rootkit
> finders. Nothing.
>
> I further checked it with HiJackThis, and with Autoruns. Seems that
> it is not something that normally shows up as an "evil doer". I am
> not sure if they have hijacked a service, or just what.
> Any suggestions.
>

I've seen this before. In my case, The rootkit itself modified a few
windows key system files. Trojanized them basically. It took a bit of
hunting to find the modified executables and replace them. I'd start by
doing a dir /o-d (date sorted) and replace the newest system dlls with
ones from a known clean backup.


--
####################################################
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
Email: bughunter.dustin@gmail.com
Web..: http://bughunter.it-mate.co.uk
Pad..: http://bughunter.it-mate.co.uk/pad.xml
####################################################
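The connection pattern JP describes in the quoted post (one TCP/80 fetch, then a burst of TCP/25 connections to many hosts) is detectable from plain connection logs. The Python below is an added example, not from the thread or from any of the tools named in it; the log lines, addresses and thresholds are constructed for the illustration.

```python
"""Added example: flag hosts showing the pattern JP describes, a short TCP/80 fetch
followed by a burst of outbound TCP/25 connections to many distinct servers.
The connection log below is constructed for this example, not taken from the thread.
Fields: timestamp, source IP, destination IP, destination port."""
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2007-08-29T15:01:02 192.168.1.20 203.0.113.10 80
2007-08-29T15:01:09 192.168.1.20 203.0.113.12 25
2007-08-29T15:01:10 192.168.1.20 198.51.100.5 25
2007-08-29T15:01:10 192.168.1.20 198.51.100.9 25
2007-08-29T15:01:11 192.168.1.20 198.51.100.14 25
2007-08-29T15:01:11 192.168.1.20 198.51.100.21 25
2007-08-29T15:01:12 192.168.1.20 198.51.100.33 25
2007-08-29T15:04:00 192.168.1.30 192.168.1.2 25
2007-08-29T15:04:30 192.168.1.30 203.0.113.10 80
"""

def parse_log(text):
    """Yield (timestamp, src, dst, port) from one connection record per line."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            yield datetime.fromisoformat(ts), src, dst, int(port)

def find_smtp_bursts(records, window_seconds=60, max_dests=5, mail_relay=None):
    """Return {src: {"smtp_dests": n, "web_fetch_before": bool}} for every source that
    contacts more than max_dests distinct SMTP servers within window_seconds.
    A normal workstation talks to one relay (mail_relay, excluded); a spam bot sprays
    many MX hosts directly, so the distinct-destination count is the signal.
    web_fetch_before records whether the host hit TCP/80 in the window before the burst."""
    smtp, web = defaultdict(list), defaultdict(list)
    for ts, src, dst, port in sorted(records):
        if port == 25 and dst != mail_relay:
            smtp[src].append((ts, dst))
        elif port == 80:
            web[src].append(ts)
    hits = {}
    for src, conns in smtp.items():
        for i, (start, _) in enumerate(conns):
            dests = {d for t, d in conns[i:] if (t - start).total_seconds() <= window_seconds}
            if len(dests) > max_dests:
                fetched = any(0 <= (start - t).total_seconds() <= window_seconds for t in web[src])
                hits[src] = {"smtp_dests": len(dests), "web_fetch_before": fetched}
                break
    return hits
```

Excluding the site's own relay keeps a normal client out of the result; the host that talks straight to six mail servers in three seconds is the one worth unplugging.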

Posted by What's in a Name? on August 31, 2007, 10:47 am
On 8/29/2007 3:10 PM, JP after much thought, came up with this jewel:
> I have discovered a Zombie Emailer running on XP Home.
> It is sending enough email to bring down the LAN. After a few seconds, all
> hell breaks loose
> I have used 3 different Virus Scanners, and 2 different Rootkit finders.
> Nothing. I further checked it with HiJackThis, and with Autoruns. Any
> suggestions.

Flatten/restore clean image (you do have one, right?)
Buy a bigger rubber. What do you use now, if I may be so bold to ask? (so
I know which one I should stay away from)
max
--
Virus Removal: http://maxpro4u.freehostingnow.com/removal.html
Keep Clean: http://maxpro4u.freehostingnow.com/keepingclean.html
Tools: http://maxpro4u.freehostingnow.com/tools.html
Change nomail.afraid.org to gmail.com to reply.

Posted by What's in a Name? on August 31, 2007, 11:47 am
On 8/31/2007 9:24 AM, Dustin Cook after much thought, came up with this
jewel:
>
>> On 8/29/2007 3:10 PM, JP after much thought, came up with this jewel:
>>> I have discovered a Zombie Emailer running on XP Home.
>>> It is sending enough email to bring down the LAN. After a few
>>> seconds, all hell breaks loose I have used 3 different Virus
>>> Scanners, and 2 different Rootkit finders. Nothing. I further
>>> checked it with HiJackThis, and with Autoruns. Any suggestions.
>> Flatten/restore clean image (you do have one, right?)
>> Buy a bigger rubber. What do you use now, if I may be so bold to
>> ask? (so I know which one I should stay away from)
>> max
>
> He had a gaobot variant. We both know how annoying those are, and they
> stealth fairly well too.
>
That's why I said flatten/restore clean image. Some cleaning can take
hours if not days of headaches. Better spending an hour or so looking
for those restore disks!

--
Virus Removal: http://maxpro4u.freehostingnow.com/removal.html
Keep Clean: http://maxpro4u.freehostingnow.com/keepingclean.html
Tools: http://maxpro4u.freehostingnow.com/tools.html
Change nomail.afraid.org to gmail.com to reply.

Posted by Dustin Cook on September 1, 2007, 1:06 pm

> On 8/31/2007 9:24 AM, Dustin Cook after much thought, came up with this
> jewel:
>>
>>> On 8/29/2007 3:10 PM, JP after much thought, came up with this jewel:
>>>> I have discovered a Zombie Emailer running on XP Home.
>>>> It is sending enough email to bring down the LAN. After a few
>>>> seconds, all hell breaks loose I have used 3 different Virus
>>>> Scanners, and 2 different Rootkit finders. Nothing. I further
>>>> checked it with HiJackThis, and with Autoruns. Any suggestions.
>>> Flatten/restore clean image (you do have one, right?)
>>> Buy a bigger rubber. What do you use now, if I may be so bold to
>>> ask? (so I know which one I should stay away from)
>>> max
>>
>> He had a gaobot variant. We both know how annoying those are, and they
>> stealth fairly well too.
>>
> That's why I said flatten/restore clean image. Some cleaning can take
> hours if not days of headaches. Better spending an hour or so looking
> for those restore disks!

It just depends on the situation. If they're just workstations and don't
contain too much customized configuration data, I'd agree. But his issue
wasn't really too big of a deal. He was already halfway there to finding
the little pest anyhow; he just needed a way to be able to see what was
going on without the pest rerouting some functions and hiding.

Home computers are usually different, usually best to clean them, make
sure they are clean as best as your abilities allow for, and keep an eye
on the machine. If you have the right software (a utility similar to
bughunter for example can tell me which if any windows main files aren't
what they should be. It'll also have information on common legitimate
installed software. The utility isn't ready for general public use yet,
but it's coming soon). I believe it'll go a long ways towards detecting
modifications made to key windows system files that allow some malware
to come back the moment a live internet connection is discovered.

--
####################################################
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
Email: bughunter.dustin@gmail.com
Web..: http://bughunter.it-mate.co.uk
Pad..: http://bughunter.it-mate.co.uk/pad.xml
####################################################
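Dustin's two suggestions in this thread (sort the system files by date with dir /o-d and replace the newest ones from a clean backup; have a utility report which main Windows files are not what they should be) both amount to a file-integrity check against a known-clean reference. The Python below is an added example, not from the thread or from BugHunter: it records a hash manifest from a clean tree, diffs a live tree against it, and shows the date-sorted view beside it. The folder and DLL names are constructed in a temporary directory.

```python
"""Added example: check a tree of 'system files' against a known-clean hash manifest.
A date sort (dir /o-d) finds newly written DLLs; hashes also catch a replaced file whose timestamp was kept."""
import hashlib
import os
import tempfile

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def walk_files(root):
    """Yield (relative path with '/' separators, full path) for every file under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full

def build_manifest(root):
    """Relative path -> sha256, recorded from the known-clean image."""
    return {rel: sha256_of(full) for rel, full in walk_files(root)}

def newest_first(root, limit=3):
    """The 'dir /o-d' view: most recently modified files first."""
    entries = sorted(((os.path.getmtime(full), rel) for rel, full in walk_files(root)), reverse=True)
    return [rel for _, rel in entries[:limit]]

def compare(root, clean):
    """Hash mismatches, files absent from the manifest, and manifest files that vanished."""
    current = build_manifest(root)
    return {"modified": sorted(p for p in current if p in clean and current[p] != clean[p]),
            "added": sorted(p for p in current if p not in clean),
            "missing": sorted(p for p in clean if p not in current)}

def write_file(path, data, mtime):
    """Write data and pin the modification time so the demo's date sort is deterministic."""
    with open(path, "wb") as f:
        f.write(data)
    os.utime(path, (mtime, mtime))

def demo():
    """Constructed scenario: baseline three DLLs, replace one keeping its timestamp, drop one new file."""
    base = 1_000_000_000
    with tempfile.TemporaryDirectory() as root:
        sys32 = os.path.join(root, "system32")
        os.makedirs(sys32)
        for name in ("kernel32.dll", "ws2_32.dll", "user32.dll"):
            write_file(os.path.join(sys32, name), b"clean " + name.encode(), base)
        clean = build_manifest(root)
        # replaced content, original timestamp: the date sort alone would not rank it as new
        write_file(os.path.join(sys32, "ws2_32.dll"), b"replaced ws2_32", base)
        write_file(os.path.join(sys32, "dropped.dll"), b"new file", base + 3600)  # constructed name
        return compare(root, clean), newest_first(root)
```

The date view ranks only the dropped file as new, while the manifest diff also reports the replaced one; the manifest has to come from a clean install or backup taken before the infection.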
