Solved

Whack-A-Mole and NetBus 1.7

Posted on 2002-04-01
7,589 Views
Last Modified: 2012-06-27
Hello,

yesterday I decided to install the NetBus Detective utility to search my W2000 Server system for the NetBus server. My system runs SQL Server 2000, is a Primary Domain Controller, and has also Norton Antivirus 2001, updated daily.

When the system rebooted, a message popped up from NetBus Detective saying that it removed the trojan Whack-A-Mole and NetBus server 1.7.

The problem is that each time the PC is rebooted the same messages appear, although the Detective is trying to remove them, and even then, I scan my PC with Norton and McAfee, no virus is found.

I even tried the steps mentioned in this page:

http://www.commodon.com/threat/threat-wam.htm

and there are no signs of it (even if NetBus Detective is not active since reboot).

I can send you a list of ports that are listening at any given time (before personal firewall or netbus detective is executed), but nothing suspicious there as well.

This PC has an internal IP address (192.168.1.10), and gets out on the Net via a Proxy. Even if it has been compromised, would it be possible for somebody to sneak into my PC?

Additionally, how do I remove it? Could it be possible that since this is a heavy duty server, the NetBus Detective utility believes that some other application listening to a port is Whack-A-Mole, whereas it is some other app from W2000?

Thanks
Question by:dinosaurus
11 Comments
 
LVL 3

Expert Comment

by:FlamingSword
ID: 6914851
Answer: Give it up

1) Had you really been infected, you lost complete control of your machine and it has become 'unknown' state.

2) You already tried removal techniques that have further joshed up your system (?Detective utility ?)

You are now:          Defective

So, give it up, and rebuild from scratch, using original hologrammed bootable MicroSoft CDs. Erase all disk.

Answer: Install clean OS
0
 
LVL 3

Expert Comment

by:FlamingSword
ID: 6914856
A simple test might work, run yourself some freeware on your 'net, such as ZoneAlarm. Print out its log of ports, both in and out, and let us know that.
0
 

Author Comment

by:dinosaurus
ID: 6915712
I wouldn't choose the drastic first solution. I will send you a log of the ports being used at any time, but will do that tomorrow.

You didn't answer my main question, though: this "compromised" machine is on a private IP address, i.e. 192.168.1.8. Can somebody from outside contact this PC specifically, if he can pass the firewall?

Additionally, has anyone tried NetBus Detective 5.2 on a Windows 2000 Server machine, just to see if the same message is shown?

By the way, I have never seen the game Whack-A-Mole on that PC, never in my life, and nobody else sits on it... how could it be infected?

Even when NetBus Detective removes it, Norton Antivirus cannot find it...
0
 

Author Comment

by:dinosaurus
ID: 6917538
My IP address is 192.168.10.11.
I got the logs before and after running NetBus Detective (supposedly, before running it, it is infected with Whack-A-Mole), using netstat -an.
On port 44334 is my personal firewall...

BEFORE RUNNING NETBUS DETECTIVE 5.2:
------------------------------------
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:7              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:13             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:17             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:19             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:464            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1063           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1065           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1068           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1069           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1082           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1085           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1086           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1093           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1095           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1106           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1108           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1170           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1531           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3268           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3269           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3372           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:44334          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:389          127.0.0.1:1085         ESTABLISHED
  TCP    127.0.0.1:1065         127.0.0.1:389          CLOSE_WAIT
  TCP    127.0.0.1:1085         127.0.0.1:389          ESTABLISHED
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING
  TCP    192.168.10.11:139      0.0.0.0:0              LISTENING
  TCP    192.168.10.11:139      192.168.10.13:1337     ESTABLISHED
  TCP    192.168.10.11:389      192.168.10.11:1093     ESTABLISHED
  TCP    192.168.10.11:389      192.168.10.11:1835     TIME_WAIT
  TCP    192.168.10.11:1026     192.168.10.11:1095     ESTABLISHED
  TCP    192.168.10.11:1026     192.168.10.11:1170     ESTABLISHED
  TCP    192.168.10.11:1093     192.168.10.11:389      ESTABLISHED
  TCP    192.168.10.11:1095     192.168.10.11:1026     ESTABLISHED
  TCP    192.168.10.11:1170     192.168.10.11:1026     ESTABLISHED
  TCP    192.168.10.11:1433     0.0.0.0:0              LISTENING
  TCP    192.168.10.11:1531     192.168.10.11:389      CLOSE_WAIT
  TCP    192.168.10.11:1745     192.168.10.11:445      TIME_WAIT
  TCP    192.168.10.11:1772     192.168.10.2:6588      TIME_WAIT
  TCP    192.168.10.11:1780     192.168.10.2:6588      TIME_WAIT
  UDP    0.0.0.0:7              *:*                    
  UDP    0.0.0.0:9              *:*                    
  UDP    0.0.0.0:13             *:*                    
  UDP    0.0.0.0:17             *:*                    
  UDP    0.0.0.0:19             *:*                    
  UDP    0.0.0.0:135            *:*                    
  UDP    0.0.0.0:445            *:*                    
  UDP    0.0.0.0:1028           *:*                    
  UDP    0.0.0.0:1060           *:*                    
  UDP    0.0.0.0:1064           *:*                    
  UDP    0.0.0.0:1070           *:*                    
  UDP    0.0.0.0:1083           *:*                    
  UDP    0.0.0.0:1084           *:*                    
  UDP    0.0.0.0:1092           *:*                    
  UDP    0.0.0.0:1107           *:*                    
  UDP    0.0.0.0:1212           *:*                    
  UDP    0.0.0.0:1378           *:*                    
  UDP    0.0.0.0:1434           *:*                    
  UDP    0.0.0.0:1715           *:*                    
  UDP    0.0.0.0:44334          *:*                    
  UDP    127.0.0.1:53           *:*                    
  UDP    127.0.0.1:1081         *:*                    
  UDP    192.168.10.11:53       *:*                    
  UDP    192.168.10.11:88       *:*                    
  UDP    192.168.10.11:123      *:*                    
  UDP    192.168.10.11:137      *:*                    
  UDP    192.168.10.11:138      *:*                    
  UDP    192.168.10.11:389      *:*                    
  UDP    192.168.10.11:464      *:*                    

AFTER RUNNING NETBUS DETECTIVE (and actually removing Whack-A-Mole):
--------------------------------------------------------------------
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:7              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:13             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:17             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:19             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:464            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1063           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1065           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1068           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1069           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1082           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1085           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1086           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1093           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1095           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1106           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1108           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1170           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1531           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1836           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3268           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3269           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3372           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:20034          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:44334          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:389          127.0.0.1:1085         ESTABLISHED
  TCP    127.0.0.1:1065         127.0.0.1:389          CLOSE_WAIT
  TCP    127.0.0.1:1085         127.0.0.1:389          ESTABLISHED
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING
  TCP    192.168.10.11:139      0.0.0.0:0              LISTENING
  TCP    192.168.10.11:139      192.168.10.13:1337     ESTABLISHED
  TCP    192.168.10.11:139      192.168.10.13:1338     ESTABLISHED
  TCP    192.168.10.11:389      192.168.10.11:1093     ESTABLISHED
  TCP    192.168.10.11:389      192.168.10.11:1835     TIME_WAIT
  TCP    192.168.10.11:389      192.168.10.11:1841     TIME_WAIT
  TCP    192.168.10.11:389      192.168.10.11:1842     TIME_WAIT
  TCP    192.168.10.11:445      192.168.10.11:1836     ESTABLISHED
  TCP    192.168.10.11:1026     192.168.10.11:1095     ESTABLISHED
  TCP    192.168.10.11:1026     192.168.10.11:1170     ESTABLISHED
  TCP    192.168.10.11:1093     192.168.10.11:389      ESTABLISHED
  TCP    192.168.10.11:1095     192.168.10.11:1026     ESTABLISHED
  TCP    192.168.10.11:1170     192.168.10.11:1026     ESTABLISHED
  TCP    192.168.10.11:1433     0.0.0.0:0              LISTENING
  TCP    192.168.10.11:1531     192.168.10.11:389      CLOSE_WAIT
  TCP    192.168.10.11:1745     192.168.10.11:445      TIME_WAIT
  TCP    192.168.10.11:1772     192.168.10.2:6588      TIME_WAIT
  TCP    192.168.10.11:1780     192.168.10.2:6588      TIME_WAIT
  TCP    192.168.10.11:1836     192.168.10.11:445      ESTABLISHED
  TCP    192.168.10.11:1837     192.168.10.11:135      TIME_WAIT
  TCP    192.168.10.11:1838     192.168.10.11:1026     TIME_WAIT
  TCP    192.168.10.11:1839     192.168.10.11:135      TIME_WAIT
  TCP    192.168.10.11:1840     192.168.10.11:1026     TIME_WAIT
  UDP    0.0.0.0:7              *:*                    
  UDP    0.0.0.0:9              *:*                    
  UDP    0.0.0.0:13             *:*                    
  UDP    0.0.0.0:17             *:*                    
  UDP    0.0.0.0:19             *:*                    
  UDP    0.0.0.0:135            *:*                    
  UDP    0.0.0.0:445            *:*                    
  UDP    0.0.0.0:1028           *:*                    
  UDP    0.0.0.0:1060           *:*                    
  UDP    0.0.0.0:1064           *:*                    
  UDP    0.0.0.0:1070           *:*                    
  UDP    0.0.0.0:1083           *:*                    
  UDP    0.0.0.0:1084           *:*                    
  UDP    0.0.0.0:1092           *:*                    
  UDP    0.0.0.0:1107           *:*                    
  UDP    0.0.0.0:1212           *:*                    
  UDP    0.0.0.0:1378           *:*                    
  UDP    0.0.0.0:1434           *:*                    
  UDP    0.0.0.0:1715           *:*                    
  UDP    0.0.0.0:44334          *:*                    
  UDP    127.0.0.1:53           *:*                    
  UDP    127.0.0.1:1081         *:*                    
  UDP    192.168.10.11:53       *:*                    
  UDP    192.168.10.11:88       *:*                    
  UDP    192.168.10.11:123      *:*                    
  UDP    192.168.10.11:137      *:*                    
  UDP    192.168.10.11:138      *:*                    
  UDP    192.168.10.11:389      *:*                    
  UDP    192.168.10.11:464      *:*

So what do you think?


0
 
LVL 24

Accepted Solution

by: SunBow earned 100 total points
ID: 6919485
> I have never seen the game Whack-A-Mole on that PC

My recollection is that the name reference is to an eMail attachment that 'could' have been infected. Thus it is merely a file. Not a virus. If it contains a remote control program, such a program is innocuous until such time as the originally infected file is launched. If never launched, then no 'virus' (a misnomer in this case, but you know what I mean). i.e., file presence does not mean virus present.

> when NetBus Detective removes it, Norton Antivirus cannot find it...

hmm, red herring. How can one find what has been removed...

> even then, I scan my PC with Norton and McAfee, no virus is found

No longer sure what this means. NetBus is not a virus. People like A/V had typed it that way, but... I think one of them, at least, has backed off from that definition, since (1) it is not a virus and (2) it has useful purposes for certain administrators

> yesterday I decided to install the NetBus Detective utility to search

begs the question:..... Why ?
What prompted this act?

> each time the PC is rebooted the same messages appear,

sounds like either a false positive, or, a successful intrusion, which means all bets off, it could be self healing, ports changed, access methods changed, etc etc. Hence, time to rebuild.

> So what do you think?

On the ports, too many. Generally, 0-100 are fine, 1000-1100 are fine, in this sense, as traditional areas for tcp and Microsoft. More often it is four-digit ones used by the_bad_guys. I'd tend to look up first the ones outside that range, first focusing on NetBus' default. What is 6588? For example. Caring more for detail, after looking for NetBus' traditional home, I'd want to know each and every port.

You seem to have plenty listed, as in 'production server' so I'd also guess a reluctance to do anything leading to downtime.
         -...more...(later)-
0
 
LVL 3

Expert Comment

by:FlamingSword
ID: 6919586
0
 
LVL 3

Expert Comment

by:FlamingSword
ID: 6919589
Want to try Nuke Nabber? NetBuster? instead?:
http://www.davidm.8m.com/netbus/programs.html

"Netbus Detective http://csk.norberg.se/Detective/

Does the same job as netbuster, more emphasis on cleaning. I haven't tried this particular one very much, and I am not sure if it is subject to the same sort of attacks that Netbuster is.
I've actually had a lot of positive reports on Netbus Detective. It seems to be quite a good little program. :). (link is dead, if I can find a copy I'll put it on this site, if anyone has a copy, drop me an email, or if you know the new address :) ). "

-
IMO, dead links are not a sign of quality product to place much faith in, knowing each OS and each server may be dissimilar
0
 
LVL 3

Expert Comment

by:FlamingSword
ID: 6919606
"Good old NukeNabber, which tells you when someone tries to attack you. Just set it up to listen on any port you like, and it will tell you who's attacking you (for netbus, it's port 12345). "

> AFTER RUNNING NETBUS DETECTIVE (and actually removing Whack-A-Mole):
> --------------------------------------------------------------------
> Active Connections
>
> ...
>  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
> ...

So, what is it you are doing? Adding a live scanner to see if anyone is seeking to NetBus You?

Then, Scanning yourself and finding that you are the scanner? Hmmm?

Looks like your own 3rd party add-on is what did you in, making you take time-out for red herrings and false positives through contorted marketeering techniques.
0
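The triage SunBow and FlamingSword are doing by eye, as an added example (not code from any poster in this thread): diff the two netstat -an listings, flag TCP listeners that appear only after NetBus Detective was started, and mark which of them sit on a known remote-control default port. The snapshots are a constructed excerpt of the asker's two listings; the default-port table (12345 for NetBus 1.x, 20034 for NetBus 2 Pro) and the "traditional range" rule of thumb from SunBow's post are assumptions supplied here, not part of the page.

```python
"""Diff two `netstat -an` snapshots and flag listeners that appeared between them.

Added example, not code from the thread. The snapshots are a constructed excerpt
of the asker's BEFORE/AFTER listings; the known-default table and the
"traditional range" rule are assumptions taken from the experts' remarks.
"""
import re
from typing import Dict, Set

# Constructed excerpt of the asker's BEFORE listing (netstat -an on W2000).
BEFORE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3372           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:44334          0.0.0.0:0              LISTENING
  TCP    192.168.10.11:139      192.168.10.13:1337     ESTABLISHED
  UDP    0.0.0.0:44334          *:*
"""

# Constructed excerpt of the AFTER listing (NetBus Detective now running).
AFTER = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1836           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3372           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:20034          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:44334          0.0.0.0:0              LISTENING
  TCP    192.168.10.11:1836     192.168.10.11:445      ESTABLISHED
  UDP    0.0.0.0:44334          *:*
"""

# Assumption: default ports of the tools the thread names (NetBus 1.x, NetBus 2 Pro).
KNOWN_DEFAULTS: Dict[int, str] = {12345: "NetBus 1.x default", 20034: "NetBus 2 Pro default"}

# One netstat row: proto, local addr:port, foreign addr, optional state (UDP has none).
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def tcp_listeners(netstat_text: str) -> Set[int]:
    """Return the set of local TCP ports in LISTENING state."""
    ports: Set[int] = set()
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if m and m.group(1) == "TCP" and m.group(5) == "LISTENING":
            ports.add(int(m.group(3)))
    return ports


def is_traditional(port: int) -> bool:
    """SunBow's rule of thumb: 0-100 and 1000-1100 are routine TCP/Microsoft territory."""
    return port <= 100 or 1000 <= port <= 1100


def new_listeners(before: str, after: str) -> Dict[int, str]:
    """Ports listening in `after` but not in `before`, each with a triage label."""
    report: Dict[int, str] = {}
    for port in sorted(tcp_listeners(after) - tcp_listeners(before)):
        if port in KNOWN_DEFAULTS:
            report[port] = KNOWN_DEFAULTS[port]
        elif is_traditional(port):
            report[port] = "traditional range, low priority"
        else:
            report[port] = "unexplained, find the owning process"
    return report


if __name__ == "__main__":
    for port, label in new_listeners(BEFORE, AFTER).items():
        print(f"new TCP listener {port:>5}: {label}")
```

The two NetBus defaults show up only in the AFTER snapshot, which is FlamingSword's point: the listener the detector then "finds" on 12345 is the detector itself.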
 
LVL 24

Expert Comment

by:SunBow
ID: 6926277
done?
0
 
LVL 3

Expert Comment

by:FlamingSword
ID: 6946319
TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
0
 
LVL 1

Expert Comment

by:Moondancer
ID: 6974106
ADMINISTRATION WILL BE CONTACTING YOU SHORTLY.  Moderators Computer101 or Netminder will return to finalize these if they are still open in 14 days.  Experts, please post closing recommendations before that time.

Below are your open questions as of today.  Questions which have been inactive for 21 days or longer are considered to be abandoned and for those, your options are:
1. Accept a Comment As Answer (use the button next to the Expert's name).
2. Close the question if the information was not useful to you, but may help others. You must tell the participants why you wish to do this, and allow for Expert response.  This choice will include a refund to you, and will move this question to our PAQ (Previously Asked Question) database.  If you found information outside this question thread, please add it.
3. Ask Community Support to help split points between participating experts, or just comment here with details and we'll respond with the process.
4. Delete the question (if it has no potential value for others).
   --> Post comments for expert of your intention to delete and why
   --> YOU CANNOT DELETE A QUESTION with comments; special handling by a Moderator is required.

For special handling needs, please post a zero point question in the link below and include the URL (question QID/link) that it regards with details.
http://www.experts-exchange.com/jsp/qList.jsp?ta=commspt
 
Please click this link for Help Desk, Guidelines/Member Agreement and the Question/Answer process.  http://www.experts-exchange.com/jsp/cmtyHelpDesk.jsp

Click your Member Profile to view your question history and please keep them updated. If you are a KnowledgePro user, use the Power Search option to find them.

Questions which are LOCKED with a Proposed Answer but do not help you, should be rejected with comments added.  When you grade the question less than an A, please comment as to why.  This helps all involved, as well as others who may access this item in the future.  PLEASE DO NOT AWARD POINTS TO ME.

To view your open questions, please click the following link(s) and keep them all current with updates.
http://www.experts-exchange.com/questions/Q.20183616.html
http://www.experts-exchange.com/questions/Q.20269383.html
http://www.experts-exchange.com/questions/Q.20271588.html
http://www.experts-exchange.com/questions/Q.20283883.html
http://www.experts-exchange.com/questions/Q.20281731.html



*****  E X P E R T S    P L E A S E  ******  Leave your closing recommendations.
If you are interested in the cleanup effort, please click this link
http://www.experts-exchange.com/jsp/qManageQuestion.jsp?ta=commspt&qid=20274643 
POINTS FOR EXPERTS awaiting comments are listed in the link below
http://www.experts-exchange.com/commspt/Q.20277028.html
 
Moderators will finalize this question if in @14 days Asker has not responded.  This will be moved to the PAQ (Previously Asked Questions) at zero points, deleted or awarded.
 
Thanks everyone.
Moondancer
Moderator @ Experts Exchange
0
