Solved

Whack-A-Mole and NetBus 1.7

Posted on 2002-04-01
11
7,534 Views
Last Modified: 2012-06-27
Hello,

yesterday I decided to install the NetBus Detective utility to search my W2000 Server system for the NetBus server. My system runs SQL Server 2000, is a Primary Domain Controller, and also has Norton Antivirus 2001, updated daily.

When the system rebooted, a message popped up from NetBus Detective saying that it removed the trojan Whack-A-Mole and NetBus server 1.7.

The problem is that each time the PC is rebooted the same messages appear, although the Detective tries to remove them, and even then, when I scan my PC with Norton and McAfee, no virus is found.

I even tried the steps mentioned in this page:

http://www.commodon.com/threat/threat-wam.htm

and there are no signs of it (even if NetBus Detective is not active since reboot).

I can send you a list of ports that are listening at any given time (before personal firewall or netbus detective is executed), but nothing suspicious there as well.

This PC has an internal IP address (192.168.1.10), and gets out on the Net via a Proxy. Even if it has been compromised, would it be possible for somebody to sneak into my PC?

Additionally, how do I remove it? Could it be possible that since this is a heavy duty server, the NetBus Detective utility believes that some other application listening to a port is Whack-A-Mole, whereas it is some other app from W2000?

Thanks
0
Comment
Question by:dinosaurus
11 Comments
 
LVL 3

Expert Comment

by:FlamingSword
ID: 6914851
Answer: Give it up

1) Had you really been infected, you lost complete control of your machine and it has become 'unknown' state.

2) You already tried removal techniques that have further joshed up your system (?Detective utility ?)

You are now:          Defective

So, give it up, and rebuild from scratch, using original hologrammed bootable Microsoft CDs. Erase all disks.

Answer: Install clean OS
0
 
LVL 3

Expert Comment

by:FlamingSword
ID: 6914856
A simple test might work, run yourself some freeware on your 'net, such as ZoneAlarm. Print out its log of ports, both in and out, and let us know that.
0
 

Author Comment

by:dinosaurus
ID: 6915712
I wouldn't choose the drastic first solution. I will send you a log of the ports being used at any time, but will do that tomorrow.

You didn't answer my main question though: this "compromised" machine is on a private IP address, i.e. 192.168.1.8. Can somebody from outside contact this PC specifically, if he can pass the firewall?

Additionally, has anyone tried NetBus Detective 5.2 on a Windows 2000 Server machine, just to see if the same message is shown?

By the way, I have never seen the game Whack-A-Mole on that PC, never in my life, and nobody else sits on it... how could it be infected?

Even when NetBus Detective removes it, Norton Antivirus cannot find it...
0
 

Author Comment

by:dinosaurus
ID: 6917538
My IP address is 192.168.10.11
I got the logs before and after running NetBus Detective (supposedly before running it, it is infected with Whack-A-Mole), using netstat -an.
On port 44334 is my personal firewall...

BEFORE RUNNING NETBUS DETECTIVE 5.2:
------------------------------------
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:7              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:13             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:17             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:19             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:464            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1063           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1065           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1068           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1069           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1082           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1085           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1086           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1093           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1095           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1106           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1108           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1170           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1531           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3268           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3269           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3372           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:44334          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:389          127.0.0.1:1085         ESTABLISHED
  TCP    127.0.0.1:1065         127.0.0.1:389          CLOSE_WAIT
  TCP    127.0.0.1:1085         127.0.0.1:389          ESTABLISHED
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING
  TCP    192.168.10.11:139      0.0.0.0:0              LISTENING
  TCP    192.168.10.11:139      192.168.10.13:1337     ESTABLISHED
  TCP    192.168.10.11:389      192.168.10.11:1093     ESTABLISHED
  TCP    192.168.10.11:389      192.168.10.11:1835     TIME_WAIT
  TCP    192.168.10.11:1026     192.168.10.11:1095     ESTABLISHED
  TCP    192.168.10.11:1026     192.168.10.11:1170     ESTABLISHED
  TCP    192.168.10.11:1093     192.168.10.11:389      ESTABLISHED
  TCP    192.168.10.11:1095     192.168.10.11:1026     ESTABLISHED
  TCP    192.168.10.11:1170     192.168.10.11:1026     ESTABLISHED
  TCP    192.168.10.11:1433     0.0.0.0:0              LISTENING
  TCP    192.168.10.11:1531     192.168.10.11:389      CLOSE_WAIT
  TCP    192.168.10.11:1745     192.168.10.11:445      TIME_WAIT
  TCP    192.168.10.11:1772     192.168.10.2:6588      TIME_WAIT
  TCP    192.168.10.11:1780     192.168.10.2:6588      TIME_WAIT
  UDP    0.0.0.0:7              *:*                    
  UDP    0.0.0.0:9              *:*                    
  UDP    0.0.0.0:13             *:*                    
  UDP    0.0.0.0:17             *:*                    
  UDP    0.0.0.0:19             *:*                    
  UDP    0.0.0.0:135            *:*                    
  UDP    0.0.0.0:445            *:*                    
  UDP    0.0.0.0:1028           *:*                    
  UDP    0.0.0.0:1060           *:*                    
  UDP    0.0.0.0:1064           *:*                    
  UDP    0.0.0.0:1070           *:*                    
  UDP    0.0.0.0:1083           *:*                    
  UDP    0.0.0.0:1084           *:*                    
  UDP    0.0.0.0:1092           *:*                    
  UDP    0.0.0.0:1107           *:*                    
  UDP    0.0.0.0:1212           *:*                    
  UDP    0.0.0.0:1378           *:*                    
  UDP    0.0.0.0:1434           *:*                    
  UDP    0.0.0.0:1715           *:*                    
  UDP    0.0.0.0:44334          *:*                    
  UDP    127.0.0.1:53           *:*                    
  UDP    127.0.0.1:1081         *:*                    
  UDP    192.168.10.11:53       *:*                    
  UDP    192.168.10.11:88       *:*                    
  UDP    192.168.10.11:123      *:*                    
  UDP    192.168.10.11:137      *:*                    
  UDP    192.168.10.11:138      *:*                    
  UDP    192.168.10.11:389      *:*                    
  UDP    192.168.10.11:464      *:*                    

AFTER RUNNING NETBUS DETECTIVE (and actually removing Whack-A-Mole):
--------------------------------------------------------------------
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:7              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:13             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:17             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:19             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:464            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1063           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1065           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1068           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1069           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1082           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1085           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1086           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1093           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1095           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1106           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1108           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1170           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1531           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1836           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3268           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3269           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3372           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:20034          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:44334          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:389          127.0.0.1:1085         ESTABLISHED
  TCP    127.0.0.1:1065         127.0.0.1:389          CLOSE_WAIT
  TCP    127.0.0.1:1085         127.0.0.1:389          ESTABLISHED
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING
  TCP    192.168.10.11:139      0.0.0.0:0              LISTENING
  TCP    192.168.10.11:139      192.168.10.13:1337     ESTABLISHED
  TCP    192.168.10.11:139      192.168.10.13:1338     ESTABLISHED
  TCP    192.168.10.11:389      192.168.10.11:1093     ESTABLISHED
  TCP    192.168.10.11:389      192.168.10.11:1835     TIME_WAIT
  TCP    192.168.10.11:389      192.168.10.11:1841     TIME_WAIT
  TCP    192.168.10.11:389      192.168.10.11:1842     TIME_WAIT
  TCP    192.168.10.11:445      192.168.10.11:1836     ESTABLISHED
  TCP    192.168.10.11:1026     192.168.10.11:1095     ESTABLISHED
  TCP    192.168.10.11:1026     192.168.10.11:1170     ESTABLISHED
  TCP    192.168.10.11:1093     192.168.10.11:389      ESTABLISHED
  TCP    192.168.10.11:1095     192.168.10.11:1026     ESTABLISHED
  TCP    192.168.10.11:1170     192.168.10.11:1026     ESTABLISHED
  TCP    192.168.10.11:1433     0.0.0.0:0              LISTENING
  TCP    192.168.10.11:1531     192.168.10.11:389      CLOSE_WAIT
  TCP    192.168.10.11:1745     192.168.10.11:445      TIME_WAIT
  TCP    192.168.10.11:1772     192.168.10.2:6588      TIME_WAIT
  TCP    192.168.10.11:1780     192.168.10.2:6588      TIME_WAIT
  TCP    192.168.10.11:1836     192.168.10.11:445      ESTABLISHED
  TCP    192.168.10.11:1837     192.168.10.11:135      TIME_WAIT
  TCP    192.168.10.11:1838     192.168.10.11:1026     TIME_WAIT
  TCP    192.168.10.11:1839     192.168.10.11:135      TIME_WAIT
  TCP    192.168.10.11:1840     192.168.10.11:1026     TIME_WAIT
  UDP    0.0.0.0:7              *:*                    
  UDP    0.0.0.0:9              *:*                    
  UDP    0.0.0.0:13             *:*                    
  UDP    0.0.0.0:17             *:*                    
  UDP    0.0.0.0:19             *:*                    
  UDP    0.0.0.0:135            *:*                    
  UDP    0.0.0.0:445            *:*                    
  UDP    0.0.0.0:1028           *:*                    
  UDP    0.0.0.0:1060           *:*                    
  UDP    0.0.0.0:1064           *:*                    
  UDP    0.0.0.0:1070           *:*                    
  UDP    0.0.0.0:1083           *:*                    
  UDP    0.0.0.0:1084           *:*                    
  UDP    0.0.0.0:1092           *:*                    
  UDP    0.0.0.0:1107           *:*                    
  UDP    0.0.0.0:1212           *:*                    
  UDP    0.0.0.0:1378           *:*                    
  UDP    0.0.0.0:1434           *:*                    
  UDP    0.0.0.0:1715           *:*                    
  UDP    0.0.0.0:44334          *:*                    
  UDP    127.0.0.1:53           *:*                    
  UDP    127.0.0.1:1081         *:*                    
  UDP    192.168.10.11:53       *:*                    
  UDP    192.168.10.11:88       *:*                    
  UDP    192.168.10.11:123      *:*                    
  UDP    192.168.10.11:137      *:*                    
  UDP    192.168.10.11:138      *:*                    
  UDP    192.168.10.11:389      *:*                    
  UDP    192.168.10.11:464      *:*

So what do you think?


0
 
LVL 24

Accepted Solution

by:SunBow earned 100 total points
ID: 6919485
> I have never seen the game Whack-A-Mole on that PC

My recollection is, that the name reference is to an eMail attachment that 'could' have been infected. Thus it is merely a file. Not a virus. If it contains a remote control program, such a program is innocuous until such time as the originally infected file is launched. If never launched, then no 'virus' (a misnomer in this case, but you know what I mean). i.e., file presence does not mean virus present.

> when NetBus Detective removes it, Norton Antivirus cannot find it...

hmm, red herring. How can one find what has been removed...

> even then, I scan my PC with Norton and McAfee, no virus is found

No longer sure what this means. NetBus is not a virus. People like A/V had typed it that way, but... I think one of them, at least, has backed off from that definition, since (1) it is not a virus and (2) it has useful purposes for certain administrators

> yesterday I decided to install the NetBus Detective utility to search

begs the question:..... Why ?
What prompted this act?

> each time the PC is rebooted the same messages appear,

sounds like either a false positive, or, a successful intrusion, which means all bets off, it could be self healing, ports changed, access methods changed, etc etc. Hence, time to rebuild.

> So what do you think?

On the ports, too many. Generally, 0-100 are fine, 1000-1100 are fine, in this sense, as traditional areas for tcp and Microsoft. More often it is four-digit ones used by the_bad_guys. I'd tend to lookup first the ones outside that range, first focusing on NetBus' default. What is 6588? For example. Caring more for detail, after looking for NetBus traditional home, I'd want to know each and every port.

You seem to have plenty listed, as in 'production server' so I'd also guess a reluctance to do anything leading to downtime.
         -...more...(later)-
0
 
LVL 3

Expert Comment

by:FlamingSword
ID: 6919586
0
 
LVL 3

Expert Comment

by:FlamingSword
ID: 6919589
Want to try Nuke Nabber? NetBuster? instead?:
http://www.davidm.8m.com/netbus/programs.html

"Netbus Detective http://csk.norberg.se/Detective/

Does the same job as netbuster, more emphasis on cleaning. I haven't tried this particular one very much, and I am not sure if it is subject to the same sort of attacks that Netbuster is.
I've actually had a lot of positive reports on Netbus Detective. It seems to be quite a good little program. :). (link is dead, if i can find a copy i'll put it on this site, if anyone has a copy, drop me an email, or if you know the new address :) ). "

-
IMO, dead links are not a sign of quality product to place much faith in, knowing each OS and each server may be dissimilar
0
 
LVL 3

Expert Comment

by:FlamingSword
ID: 6919606
"Good old NukeNabber, which tells you when someone tries to attack you. Just set it up to listen on any port you like, and it will tell you who's attacking you (for netbus, it's port 12345). "

> AFTER RUNNING NETBUS DETECTIVE (and actually removing Whack-A-Mole):
>--------------------------------------------------------------------
Active Connections

...
 TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
...

So, what is it you are doing? Adding a live scanner to see if anyone is seeking to NetBus You?

Then, Scanning yourself and finding that you are the scanner? Hmmm?

Looks like your own 3rd party add-on is what did you in, making you take time-out for red herrings and false positives through contorted marketeering techniques.
0
 
LVL 24

Expert Comment

by:SunBow
ID: 6926277
done?
0
 
LVL 3

Expert Comment

by:FlamingSword
ID: 6946319
TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
0
 
LVL 1

Expert Comment

by:Moondancer
ID: 6974106
ADMINISTRATION WILL BE CONTACTING YOU SHORTLY.  Moderators Computer101 or Netminder will return to finalize these if they are still open in 14 days.  Experts, please post closing recommendations before that time.

Below are your open questions as of today.  Questions which have been inactive for 21 days or longer are considered to be abandoned and for those, your options are:
1. Accept a Comment As Answer (use the button next to the Expert's name).
2. Close the question if the information was not useful to you, but may help others. You must tell the participants why you wish to do this, and allow for Expert response.  This choice will include a refund to you, and will move this question to our PAQ (Previously Asked Question) database.  If you found information outside this question thread, please add it.
3. Ask Community Support to help split points between participating experts, or just comment here with details and we'll respond with the process.
4. Delete the question (if it has no potential value for others).
   --> Post comments for expert of your intention to delete and why
   --> YOU CANNOT DELETE A QUESTION with comments; special handling by a Moderator is required.

For special handling needs, please post a zero point question in the link below and include the URL (question QID/link) that it regards with details.
http://www.experts-exchange.com/jsp/qList.jsp?ta=commspt
 
Please click this link for Help Desk, Guidelines/Member Agreement and the Question/Answer process.  http://www.experts-exchange.com/jsp/cmtyHelpDesk.jsp

Click your Member Profile to view your question history and please keep them updated. If you are a KnowledgePro user, use the Power Search option to find them.

Questions which are LOCKED with a Proposed Answer but do not help you, should be rejected with comments added.  When you grade the question less than an A, please comment as to why.  This helps all involved, as well as others who may access this item in the future.  PLEASE DO NOT AWARD POINTS TO ME.

To view your open questions, please click the following link(s) and keep them all current with updates.
http://www.experts-exchange.com/questions/Q.20183616.html
http://www.experts-exchange.com/questions/Q.20269383.html
http://www.experts-exchange.com/questions/Q.20271588.html
http://www.experts-exchange.com/questions/Q.20283883.html
http://www.experts-exchange.com/questions/Q.20281731.html



*****  E X P E R T S    P L E A S E  ******  Leave your closing recommendations.
If you are interested in the cleanup effort, please click this link
http://www.experts-exchange.com/jsp/qManageQuestion.jsp?ta=commspt&qid=20274643
POINTS FOR EXPERTS awaiting comments are listed in the link below
http://www.experts-exchange.com/commspt/Q.20277028.html
 
Moderators will finalize this question if in @14 days Asker has not responded.  This will be moved to the PAQ (Previously Asked Questions) at zero points, deleted or awarded.
 
Thanks everyone.
Moondancer
Moderator @ Experts Exchange
0
