Solved

Server Virus - d.vbs, run.vbs, youtou.sys

Posted on 2009-04-24
Last Modified: 2013-11-22
I have a virus on a server that seems to be running somewhere on the server, accessing an external ftp site and downloading more files to the server.

Common files I find are in the system32 folder:

1.bat
2.bat
1.txt
2.txt
youtou.sys
d.vbs
run.vbs
sysme.bat
ntdos87.bat

There are more. I found a txt file called cc1.txt that had an ftp site listed with username and password, and it was getting the files all.exe and 2.exe.

Anyone seen this and know how I can remove it? I have Trend Micro Worry-Free security installed, Malwarebytes, Spyware Doctor and Prevx, but none of them can pick it up.



Question by:wint100
18 Comments
 
Expert Comment by: Adam Leinss (LVL 22)
ID: 24225712
Boot the server with UBCD4WIN (http://www.ubcd4win.com/), then run Sophos command line (with the latest IDEs) from here:
http://www.sophos.com/support/knowledgebase/article/13251.html
I had a piece of malware called entuala.dll that was not picked up by NOD32 or Malwarebytes, but Sophos did pick it up.

Expert Comment by: warturtle (LVL 16)
ID: 24229530
Have you done the MalwareBytes scan in safe mode or in normal mode? I suggest you try a scan in safe mode, if you haven't already, before trying out the instructions below. In safe mode, it will pick up a lot more than you would normally think. Lots of in-memory viruses are not loaded in the background in safe mode and hence can be caught by scanners. Following this, you should scan with the Trend Micro scanner.

If the above doesn't work, then I would suggest downloading ComboFix from http://download.bleepingcomputer.com/sUBs/ComboFix.exe, saving it with a completely different filename like jabba.exe and then rebooting your server in safe mode. Then disable all your antivirus, firewall and antispyware programs and run ComboFix; it will scan and create a log. After the log is created, please re-activate your security programs and send the log to us.

Further instructions are here:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

I suggest that you scan the server with MalwareBytes in safe mode right after ComboFix is done; you should see MalwareBytes picking up infections now.

Hope it helps.

Author Comment by: wint100 (LVL 1)
ID: 24239515
Tried the above solutions; it found a registry entry in Image File Execution Options\cscript.exe. This has been removed, but the files still reappeared last night in the system32 folder:

yantou.sys
setuplp.bat
1.txt

Expert Comment by: warturtle (LVL 16)
ID: 24240083
Did you try ComboFix? If yes, can you send us the log to inspect?

Author Comment by: wint100 (LVL 1)
ID: 24241123
ComboFix doesn't support Windows 2003 Server.

The infected machine is a Windows 2003 Domain Controller.

Expert Comment by: warturtle (LVL 16)
ID: 24241287
Oops, sorry. Could you try Process Explorer and see if you see anything strange running in the background?

http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

Alternatively, you can send us a HijackThis log to see the background processes:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

Author Comment by: wint100 (LVL 1)
ID: 24242456
I tried Process Explorer but didn't see anything obvious.

Hijackthis log is attached.
hijackthis.log

Author Comment by: wint100 (LVL 1)
ID: 24242560
Does AutoexNT.exe need to be running or could this be a cloaked virus?

Expert Comment by: warturtle (LVL 16)
ID: 24243848
It looks like a legitimate file. I suggest that you download UnHackMe from http://www.greatis.com/unhackme/ and install and run it. It will scan your system and study the boot processes and give a report that contains the name of the suspicious programs that are running at bootup. While operating this program, please have a look at the screenshots to learn how it works:

http://www.greatis.com/unhackme/antirootkit.htm

Author Comment by: wint100 (LVL 1)
ID: 24269722
I tried UnHackMe without much success.

I have been monitoring things with Process Monitor and found 2 instances of CMD.exe running under an sqlserver parent process. The CMD.exe instances were running with a command string which included the file names that kept appearing in the system32 folder. It looks like something is running the command, searching for files on a remote ftp server, and dumping files to system32. The virus looks to be in the SQL database.

I am running MSDE, is there a way to find the files in the SQL database?

Accepted Solution by: Adam Leinss (LVL 22, earned 1000 total points)
ID: 24269782
If you still have the WinPE CD around, try downloading the Mcafee SuperDat from
http://download.nai.com/products/licensed/superdat/english/intel/sdat5600.exe
Extract the contents by running the EXE with a "/e" switch
Scan the drive with "scan C: /clean"
I don't think the virus is in the SQL database, because the database is just flat data.  The virus is probably just hooked into the service because that's just one of the things that start with Windows.

Author Comment by: wint100 (LVL 1)
ID: 24271940
What if I backed up the SQL database, uninstalled MSDE and installed SQL Express 2008? I've been meaning to upgrade for weeks anyway to increase my database limit.

Assisted Solution by: warturtle (LVL 16, earned 1000 total points)
ID: 24272711
I suggest a full scan with Kaspersky Online Scanner based at http://www.kaspersky.co.uk/virusscanner . This scan wouldn't remove any infections, but it will detect them and report back. Do this in IE, by the way; it will install an ActiveX component. After the updates are done, click on 'Scan Settings' and check 'Extended Database', then click OK and start scanning. After the scan is done, save the scan results as a text file and post it here. Kaspersky has the highest rates of detection and should hopefully tell us what is creating those files.

If the worm is still around and you upgrade the SQL Server, it might not really solve the problem. The worm might still connect to FTP sites and download stuff. As far as I understand, you have this trojan, Trojan-Downloader.BAT.Ftp.ab, or one of its variants (http://www.viruslist.com/en/viruses/encyclopedia?virusid=76295).

Author Comment by: wint100 (LVL 1)
ID: 24273127
OK, I'll give it a go.

I've connected to the database and 2 tables exist under the master database called:

dbo.resultcmd_cc and dbo.tmpdata.

Should these be there? I've checked another SQL server and they aren't present. All the apps using SQL are using separate instances.

Expert Comment by: warturtle (LVL 16)
ID: 24273423
It doesn't really ring a bell; I haven't used SQL Server much. It might be worth having a look at the data within those tables to see if it's relevant to the organisation. Moreover, it might also be worth having a quick look at the stored procedures within SQL Server that use these tables. That might give a clue.
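One way to carry out that check on an MSDE / SQL Server 2000-era instance, as an added example that is not from this thread: it uses the sysobjects/syscomments catalog views (still available as compatibility views on later versions), the two table names reported above, and assumes that cmd.exe children of the SQL Server process, as seen with Process Monitor earlier in the thread, point at xp_cmdshell, start-up procedures or SQL Agent job steps as the persistence mechanism.

```sql
USE master;

-- 1. User tables in master: a clean master database normally has none,
--    so anything listed here deserves a look (xtype 'U' = user table).
SELECT name, crdate
FROM sysobjects
WHERE xtype = 'U'
ORDER BY crdate DESC;

-- 2. Procedures, triggers and views whose source text mentions the suspect
--    tables, xp_cmdshell or ftp. syscomments stores definitions in
--    4000-character chunks, so DISTINCT collapses duplicate hits; a pattern
--    that straddles a chunk boundary can still be missed, so treat an empty
--    result as "not found by this query", not as "clean".
--    'P' = procedure, 'TR' = trigger, 'V' = view.
SELECT DISTINCT o.name, o.xtype, o.crdate
FROM sysobjects o
JOIN syscomments c ON c.id = o.id
WHERE o.xtype IN ('P', 'TR', 'V')
  AND (c.text LIKE '%resultcmd_cc%'
       OR c.text LIKE '%tmpdata%'
       OR c.text LIKE '%xp_cmdshell%'
       OR c.text LIKE '%ftp%');

-- 3. Procedures flagged to run automatically when the instance starts
--    (set via sp_procoption 'startup'): a persistence point that survives
--    reboots and explains files that "reappear overnight".
SELECT name
FROM sysobjects
WHERE xtype = 'P'
  AND OBJECTPROPERTY(id, 'ExecIsStartup') = 1;

-- 4. If SQL Server Agent is installed, job steps that shell out or touch
--    ftp. Assumed indicators: a CmdExec step, or xp_cmdshell/ftp in the text.
SELECT j.name AS job_name, s.step_name, s.subsystem, s.command
FROM msdb.dbo.sysjobs j
JOIN msdb.dbo.sysjobsteps s ON s.job_id = j.job_id
WHERE s.subsystem = 'CmdExec'
   OR s.command LIKE '%xp_cmdshell%'
   OR s.command LIKE '%ftp%';
```

Run it from osql or Query Analyzer as a sysadmin login; rows returned by queries 2 to 4 are the objects to read in full before deciding whether the tables alone were the whole of the infection.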

Author Comment by: wint100 (LVL 1)
ID: 24273430
Will do, cheers. Just running the online scanner now, so I'll view the result in the morning.

Author Comment by: wint100 (LVL 1)
ID: 24301877
Looks like the virus is now clean. Kaspersky online scanner found nothing after I deleted the 2 suspect tables from the SQL database.

I sent the files I found in the system32 off to Trend Micro and they confirmed it was:

dhcp.exe (799,744 bytes) as TROJ_SERVU.AK

run.vbs (1,082 bytes) as VBS_SMALL.C
Thanks

Expert Comment by: warturtle (LVL 16)
ID: 24303075
That's good stuff! It's new for me to see a virus that was sort of embedded in SQL Server, or at least its information/instructions were. Do a full scan with Trend Micro antivirus as a last check, and if that comes back clean, then you're good to go.