?
Solved

virus problem Mirc

Posted on 2006-07-18
5
Medium Priority
?
218 Views
Last Modified: 2013-12-04
Hi guys!

I have a possible hacking problem.  I have a windows server 2003 (upgraded from 2000).

I have detected a folder in C:\WINNT\system32\Macromed\Flash\Microsoft\Data containing strange information with mIRC port, remote port, ....

There is a file in there Isass.exe (not the one in the SYSTEM32 forlder).  I'm unable to delete it (The file is in use).

What can I do?

Thanks!
0
Comment
Question by:polycorjsp
  • 3
5 Comments
 
LVL 2

Accepted Solution

by:
ch0wn earned 1200 total points
ID: 17133502
Sounds like you have a Backdoor.Futro Trojan.  It usually opens TCP ports 666, 6665 and 6664.  

Is this a production webserver that cant be restarted?
Do you have a current Anti-Virus on the server?

Removal:
1 - You really need to have an Anti-Virus on the server with all of the current Windows updates.  
2 - Run a full scan of your updated Anti-Virus program.
3 - Backup your registry
4 - Delete the value from the registry
   1. Click Start > Run.
   2. Type regedit
      Then click OK.
   3. Navigate to the key:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   4. In the right pane, delete the value:
      "Isass" = "%System%\Isass.exe"
   5. Exit the Registry Editor.
5 - Restart the server and make sure infection is no longer present

Ch0wn
0
 
LVL 32

Assisted Solution

by:r-k
r-k earned 800 total points
ID: 17133539
You need to figure out where the malware is starting from, and disable it, then delete it.

Here is what I suggest:

(1) Download Autoruns from: http://www.sysinternals.com/Utilities/Autoruns.html

(2) Run the program. It lists a bunch of things that start when Windows starts.

(3) [Important] From the menu bar, select Options, and uncheck "Include Empty Locations" and "check" "Hide Microsoft Entries"
    Then click the Refresh button in the toolbar.

(4) This will give you a shorter, more meaningful list.

If you can clearly identify the problem items, then un-check them and reboot. Then you should be able to delete the malware - though I would sugest saving them in a new folder temporarily for further study.

A better option might be to post the results of Autoruns here (after saving to a text file and copy-and-paste) so we can review what might be at fault.

AFTER everything is cleaned up, you should review all passwords for Admin accounts and make sure they are changed to something longer, plus run MBSA (http://www.microsoft.com/technet/security/tools/mbsahome.mspx) and follow the steps there to apply all patches.

0
 

Author Comment

by:polycorjsp
ID: 17133649
Why change admin password?  Do you think that they have been sent to someone?

Thanks!
0
 
LVL 32

Expert Comment

by:r-k
ID: 17134136
"Why change admin password?"

In this case we are not sure what means were used to hack your system. Compromised passwords is a real possibility. Changing them would make sense.

In my view it better to have long passwords (10 chars minimum) and not worry so much about using tricky combinations of case and letters. Just avoid proper names and dictionary words.
0
 
LVL 32

Expert Comment

by:r-k
ID: 17134153
Another common thing in such cases is for the hackers to create dummy user accounts which they can use to log-in later. Review all user accounts in case that happened.

Once you identify the time of the break-in, review all files created on your system since that time.

Another good program to run as a safelty measure is RootkitRevealer: http://www.sysinternals.com/Utilities/RootkitRevealer.html
in case they installed a rootkit.
0

Featured Post

What Security Threats Are We Predicting for 2018?

Cryptocurrency, IoT botnets, MFA, and more! Hackers are already planning their next big attacks for 2018. Learn what you might face, and how to defend against it with our 2018 security predictions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In today's information driven age, entrepreneurs have so many great tools and options at their disposal to help turn good ideas into a thriving business. With cloud-based online services, such as Amazon's Web Services (AWS) or Microsoft's Azure, bus…
No security measures warrant 100% as a "silver bullet". The truth is we also cannot assume anything but a defensive and vigilance posture. Adopt no trust by default and reveal in assumption. Only assume anonymity or invisibility in the reverse. Safe…
Screencast - Getting to Know the Pipeline
Is your OST file inaccessible, Need to transfer OST file from one computer to another? Want to convert OST file to PST? If the answer to any of the above question is yes, then look no further. With the help of Stellar OST to PST Converter, you can e…
Suggested Courses
Course of the Month14 days, 21 hours left to enroll

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question