Pinch.exe and SMTPScaner.exe


Posted by it-al on April 6, 2007, 5:42 pm
I recently found SMTPScaner.exe (yep, single n) running as a process under
administrator on our Win2k server. Further digging showed that our server was
constantly scanning for open smtp ports on the internet and sending out spam
(in Cyrillic). I stopped the SMTPScaner process, found it and deleted it from
the WINNT folder (it looks like it is accompanied by an SSSS.exe file that I
also deleted). Symantec CE 1.0 AV logs indicate that it deleted Infostealer
trojan Pinch.exe twice at different times in the past 24 hours but nothing about
SMTPScaner or SSSS.exe.

I changed the Admin pwd and made sure port 25 is closed. The following day
both SMTPScaner and SSSS.exe were back doing their thing again and Symantec
showed 2 more log entries where it found and deleted pinch.exe.

From what I gather, pinch.exe is also a trojan dropper and may be
responsible for installing and running SMTPScaner, but how does it get there?
How can it run under the Administrator account? It keeps coming back, how do
I get rid of it for good?

This server is not a mail server, but IIS does have an SMTP Virtual Server
that is disabled, and something (pinch.exe?) keeps opening port 25.

Thanks.
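The behaviour described in this post (one host repeatedly connecting to many different internet addresses on TCP/25) shows up in outbound firewall or proxy connection logs before any AV signature fires, and it is still visible once port 25 is blocked, because the denied attempts keep being logged. The following is an added example, not code from this thread or from any tool mentioned in it: it parses constructed sample lines in an assumed "timestamp action src dst dport" format (not any real product's format) and flags every source that reaches a threshold of distinct destinations on port 25 inside a sliding time window.

```python
"""Flag hosts that fan out to many distinct destinations on TCP/25 (outbound
SMTP scanning or spam relaying), using firewall-style connection logs.

Added example for this thread; the log format below is an assumption, not a
real product's format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format: "<ISO timestamp> <action> <src> <dst> <dport>").
# 10.0.0.5 plays the compromised server: 40 distinct hosts on port 25 in 40 seconds.
# 10.0.0.7 is a normal host: two HTTPS flows and one legitimate mail submission.
SAMPLE_LOG = [
    f"2007-04-05T14:00:{i:02d} ALLOW 10.0.0.5 198.51.100.{i} 25" for i in range(1, 41)
] + [
    "2007-04-05T14:00:05 ALLOW 10.0.0.7 203.0.113.20 443",
    "2007-04-05T14:00:09 ALLOW 10.0.0.7 203.0.113.20 443",
    "2007-04-05T14:00:12 ALLOW 10.0.0.7 203.0.113.25 25",
    "this line is malformed and must be skipped",
]


def parse_line(line):
    """Return (timestamp, action, src, dst, dport) or None for unparseable lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, action, src, dst, dport = parts
    try:
        return datetime.fromisoformat(ts), action, src, dst, int(dport)
    except ValueError:
        return None


def detect_smtp_fanout(lines, threshold=20, window=timedelta(seconds=60)):
    """Return {src: peak} for every source that contacted at least `threshold`
    distinct destination hosts on TCP/25 within any `window`-long interval.

    Both ALLOW and DENY records count: once port 25 is blocked at the firewall,
    the denied attempts are exactly the evidence that the scanner is still running.
    """
    records = sorted((r for r in map(parse_line, lines) if r is not None),
                     key=lambda r: r[0])
    recent = defaultdict(deque)   # src -> (timestamp, dst) pairs inside the current window
    peak = defaultdict(int)       # src -> largest distinct-destination count seen so far
    for ts, _action, src, dst, dport in records:
        if dport != 25:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # drop entries that fell out of the window
            q.popleft()
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {src: n for src, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for src, n in detect_smtp_fanout(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct SMTP destinations within 60s - investigate this host")
```

The threshold separates a scanner from a real mail client: a workstation or an application server submitting mail talks to one or two relays, while a scanner touches tens of unrelated hosts a minute. On the server in this thread the same check would also have shown that the activity resumed the day after the first cleanup, independently of what the AV product chose to log.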

Posted by Malke on April 6, 2007, 11:05 pm
it-al wrote:
> I recently found SMTPScaner.exe (yep, single n) running as a process under
> administrator on our Win2k server. Further digging showed that our server was
> constantly scanning for open smtp ports on the internet and sending out spam
> (in Cyrillic). I stopped the SMTPScaner process, found it and deleted it from
> the WINNT folder (it looks like it is accompanied by an SSSS.exe file that I
> also deleted). Symantec CE 1.0 AV logs indicate that it deleted Infostealer
> trojan Pinch.exe twice at different times in the past 24 hours but nothing about
> SMTPScaner or SSSS.exe.
>
> I changed the Admin pwd and made sure port 25 is closed. The following day
> both SMTPScaner and SSSS.exe were back doing their thing again and Symantec
> showed 2 more log entries where it found and deleted pinch.exe.
>
> From what I gather, pinch.exe is also a trojan dropper and may be
> responsible for installing and running SMTPScaner, but how does it get there?
> How can it run under the Administrator account? It keeps coming back, how do
> I get rid of it for good?
>
> This server is not a mail server, but IIS does have an SMTP Virtual Server
> that is disabled, and something (pinch.exe?) keeps opening port 25.
>
> Thanks.

Googling for "pinch.exe" brings up a lot of information about removing it:
http://www.google.com/search?hl=en&q=pinch.exe&btnG=Google+Search

You can also follow these standard malware removal steps:

Go through these general malware removal steps systematically -
http://www.elephantboycomputers.com/page2.html#Removing_Malware

Include scanning with either Sysclean or Multi_AV, plus AVG Anti-Spyware
(formerly Ewido - http://www.ewido.net/en/) and follow instructions to
do all scans in Safe Mode.

When all else fails, run HijackThis and post your log in one of the
specialty forums listed at the link above (not here, please).

Standard caveat: If the procedures look too complex - and there is no
shame in admitting this isn't your cup of tea - have a local
professional come on-site and clean up your system. This will not be
someone from BigStoreUSA.

HOWEVER - because this is a server and it has been compromised, the
smartest thing to do would be to restore your latest backup image and
start over. If you weren't taking backup images, then do a clean install
of the operating system and rethink your disaster recovery strategy. Do
not bring the server back up until it is protected by a firewall and an
antivirus program. And then you need to figure out where your security
fell down because if you don't it's just going to happen again.

Also, because you obviously have other machines connected on a network
to the server you should perform the virus/malware scans on each
workstation while it is disconnected from the network. Do not connect to
the network again until you are completely certain each workstation is
clean.

Yes, this is a lot of work. If you don't have your own skilled IT
department, have outside expert help brought in.


Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

Posted by it-al on April 10, 2007, 8:50 pm
We took this server offline and brought up another machine as its
replacement. This is our Terminal Server, so we can't lock it down as much as we
want to, but at least it's on a DMZ. The only hole I can think of that
allowed this trojan to come in is through bad user surfing habits; we might
have to rethink what our TS clients are allowed to do in a TS session.

Thanks for the help Malke.


> Googling for "pinch.exe" brings up a lot of information about removing it:
> http://www.google.com/search?hl=en&q=pinch.exe&btnG=Google+Search
>
> You can also follow these standard malware removal steps:
>
> Go through these general malware removal steps systematically -
> http://www.elephantboycomputers.com/page2.html#Removing_Malware
>
> Include scanning with either Sysclean or Multi_AV, plus AVG Anti-Spyware
> (formerly Ewido - http://www.ewido.net/en/) and follow instructions to
> do all scans in Safe Mode.
>
> When all else fails, run HijackThis and post your log in one of the
> specialty forums listed at the link above (not here, please).
>
> Standard caveat: If the procedures look too complex - and there is no
> shame in admitting this isn't your cup of tea - have a local
> professional come on-site and clean up your system. This will not be
> someone from BigStoreUSA.
>
> HOWEVER - because this is a server and it has been compromised, the
> smartest thing to do would be to restore your latest backup image and
> start over. If you weren't taking backup images, then do a clean install
> of the operating system and rethink your disaster recovery strategy. Do
> not bring the server back up until it is protected by a firewall and an
> antivirus program. And then you need to figure out where your security
> fell down because if you don't it's just going to happen again.
>
> Also, because you obviously have other machines connected on a network
> to the server you should perform the virus/malware scans on each
> workstation while it is disconnected from the network. Do not connect to
> the network again until you are completely certain each workstation is
> clean.
>
> Yes, this is a lot of work. If you don't have your own skilled IT
> department, have outside expert help brought in.
>
>
> Malke
> --
> Elephant Boy Computers
> www.elephantboycomputers.com
> "Don't Panic!"
> MS-MVP Windows - Shell/User
>

Posted by Malke on April 10, 2007, 10:12 pm
it-al wrote:
> We took this server offline and brought up another machine as its
> replacement. This is our Terminal Server, so we can't lock it down as much as we
> want to, but at least it's on a DMZ. The only hole I can think of that
> allowed this trojan to come in is through bad user surfing habits; we might
> have to rethink what our TS clients are allowed to do in a TS session.

Well, I can't imagine that letting your TS clients do anything but the
work-related job in a TS session would be A Good Thing.

I'm glad you were able to work with this, but for your company's sake
you really need to get a handle on the security. You need to make sure
that nothing can compromise your server - but you already know that, eh?

Don't forget to clean the workstations.

Best of luck to you,


Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
