Solved

Trojan Virus infection

Posted on 2010-08-21
25
948 Views
Last Modified: 2013-11-22
Hi,
my pc was infected by these viruses:
Win32/Netsky
Win32/Injector.BBY
Win32/Kryptik.BBD

WHAT THEY DO:
they generate .htaccess and index.php files which redirect my clients' websites to infected websites (I am a web hoster)

HOW I FOUND IT:
I found the viruses via the nod32 online scanner; infected files were automatically removed by the online scanner.

QUESTION: will that be enough or should I go to registry or so and do some more removals?
(Interesting thing is that I used the basic trial version of NOD32 antivirus and it did not find anything, but the online scanner did.)

Background: I have XP windows 2002 sp3 home edition with nod32 antivirus installed.
Question by:jbmd
25 Comments
 
LVL 6

Expert Comment

by:dreamcomputer2000
I would add a rootkit remover like Panda Anti-Rootkit. Combofix is a good tool too.
LVL 18

Expert Comment

by:Cluskitt
Go to symantec, check the removal tool for each of them and run it. The removal tool usually fixes registry and similar options.
Netsky: http://www.symantec.com/security_response/writeup.jsp?docid=2004-021816-1759-99
Couldn't find the others right away, but try searching around.
LVL 29

Expert Comment

by:Sudeep Sharma
Try hitmanpro:

32bit:

http://dl.surfright.nl/HitmanPro35.exe

64bit:
http://dl.surfright.nl/HitmanPro35_x64.exe

If it fails then I would recommend Combofix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

And post the logs there for further analysis

Sudeep


Author Comment

by:jbmd
Q1: I would like to know: is it really necessary to use additional cleaning after this infection or is it just to be sure?

Q2: is there any manual way how to remove it?

I would like to spare my pc as much as possible. Do you guarantee the software you suggest is ok?

 
LVL 18

Accepted Solution

by:
Cluskitt earned 250 total points
The symantec is ok, and so is combofix. I don't know hitmanpro, so I can't tell you about it.
The good thing about the removal tools, though, is that they're specific for that kind of virus/trojan/malware. So it'll only search for its executables, processes and registry entries. It will do nothing else (even if you have other viruses).
LVL 18

Expert Comment

by:Cluskitt
As for manual ways, there are a few. Basically, you'll be doing what the removal tool does automatically. Just google for <virus name> manual removal (e.g. netsky manual removal).
Author Comment

by:jbmd
Wouldn't it be a problem using the suggested software with nod32 antivirus installed on my pc?
LVL 18

Expert Comment

by:Cluskitt
If someone here is suggesting something, it's almost sure that it's reliable. Most that can happen is that the suggested software isn't effective, or not as effective as another, but it's not likely it would be malicious. So you can go ahead and use them :)
Author Comment

by:jbmd
as I mentioned before, I ran the eset online scan antivirus and it said this: see file
then I ran symantec netsky, see below
Symantec W32.Netsky FixTool 1.13.0
C:\System Volume Information: (not scanned)
H:\System Volume Information: (not scanned)
I:\System Volume Information: (not scanned)
J:\System Volume Information: (not scanned)
L:\System Volume Information: (not scanned)
Z:\System Volume Information: (not scanned)
W32.Netsky has not been found on your computer.


eset-online-scanner.txt
LVL 25

Expert Comment

by:madunix
look @ Bootable antivirus Rescue CD
http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/
The bootable antivirus Rescue CD method is considered the most effective way to remove viruses, trojans and malware, because it tracks down some viruses, trojans and other malware that are embedded too tightly into your operating system when you boot Windows the normal way.
LVL 47

Expert Comment

by:dbrunton
>> Q1: I would like to know: is it really necessary to use additional cleaning after this infection or is it just to be sure?

You can't guarantee that the clean got everything.  Most likely it did.  This is just additional checking and security.


>> Q2: is there any manual way how to remove it?

Well, first you have to find it.  And even then manual methods may not work as well as the anti-virus products.  And you have to know what manual methods to use which aren't necessarily documented.  And because of the variations in a virus the method you choose won't necessarily work.  Been there, done that.


>> Would not be a problem using suggested software with nod32 antivirus installed on my pc?

Disable your anti-virus while the other products are running.  That will stop all conflicts.  If not doing online scanning then disconnect network while running these other products.

LVL 32

Expert Comment

by:DrDamnit
If you ran eset (excellent software), I would run Malwarebytes, Spybot S&D (from safer-networking) and ClamWin (to name free ones). If they continue to come back clean, then you are probably good to go.

Author Comment

by:jbmd
Please, what is this file? It is new from today; I erased it yesterday. The website where it gets generated should not create anything like that. It was generated in the cache directory.

http://voda.aqualuna.cz/944eadfcb783f427c7c71d9841326205cc1ec353.zip

I zipped it, the original file is inside.
LVL 47

Expert Comment

by:dbrunton
It is a text file.

Possibly an RSS file?  Looks like a list of links and descriptions of what is there.  Most of it is in Czech?  Open it up in Notepad and you'll see the contents.

I've cut and pasted a small section here.

a:4:{s:8:"feedinfo";a:3:{s:4:"type";s:3:"RSS";s:7:"version";i:1;s:8:"encoding";s:5:"UTF-8";}s:4:"info";a:3:{s:4:"link";a:1:{s:9:"alternate";a:1:{i:0;s:22:"http://www.novinky.cz/";}}s:5:"title";s:29:"Novinky.cz - Hlavní stránka";s:11:"description";s:33:"Novinky.cz - zpravodajský server";}s:5:"items";a:50:{i:0;O:14:"SimplePie_Item":1:{s:4:"data";a:3:/rdf/novinky.rdf";}
LVL 3

Expert Comment

by:IamnotanExpert007
well my dear you can use trojan hunter or trojan remover
trojan hunter
http://www.misec.net/
trojan remover

http://www.simplysup.com/tremover/download.html
or spybot search n destroy
http://filehippo.com/download_spybot_search_destroy/

ESET IS NOT ABLE TO IDENTIFY THIS SORT OF trojan

ESET usually identifies viruses


run hijackthis and paste the log here
http://filehippo.com/download_hijackthis/


you can also use
malware software too
http://www.malwarebytes.org/mbam.php

well as far as I know an ONLINE SCANNER is not effective in such a case


you can use AVIRA ANTIVIRUS

http://www.free-av.com/en/trialpay_download/1/avira_antivir_personal__free_antivirus.html


last but not least

this sort of virus hijacks startup, meaning when you open Windows they start functioning

they automatically generate themselves and transmit data
to an unknown server

so in such a case the HiJACKTHIS software
works fine, which is used to kill their functions


and the description given by DBRUNTON CLEARLY MENTIONS there is a link in the text; this may be used to transmit data to a server


LVL 3

Expert Comment

by:Ardiseis
All the comments given deal with the virus on the system. As this is a server, how did it get there, and every time you clean it does it reinfect straight away? Odds are via remote file include attacks. You may think that only the index file and hta files were impacted.
Search all the PHP files and odds are you will find stuff like this.

<?php
$str = 'SSBhbSBydW5uaW5nIGNvZGUgSSBkbyBub3Qgd2FudCB5b3UgdG8gc2Vl';
echo base64_decode($str);
?>

Encoded base64 code in either compressed or non-compressed format. You will see the PHP tags ahead of the original tags in most likely every PHP file on the server, and they run that code. I encourage cleaning all your files, but save some of the code and hunt it down on your server; it points to a nested set of files buried someplace that is really doing the nasty.

You can find online converters that will decode your code safely so you can hunt down the source.

Make sure directory browsing is off.
Fix file permissions on the server:
folders are good at 755 and files at 644,
and make sure hosted code can defend against cross-server attacks and clean up query strings to defend against RFI attacks.

Now for the virus cleanup:
down the web server services while doing the cleanup
Killbox, used to kill all profiles' temp files
Combofix
followed up with either Malwarebytes or SuperAntiSpyware
check the registry Run keys and pull any entries that are not legit
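To act on the advice above, this is an added scanner for the two artefacts the thread describes, planted .htaccess/index.php files that only redirect visitors off-site and PHP that hides its payload behind base64_decode()/eval(); it is not code from this thread or from any tool named in it. Assumptions: scan_tree() is pointed at the Apache document root, trusted_hosts holds the hoster's own hostnames so legitimate redirects are skipped, and all sample contents are constructed.

```python
import base64
import os
import re

# Constructed patterns for the two artefacts the thread describes: an .htaccess
# or index.php that sends visitors to another site, and PHP that hides its
# payload behind base64_decode()/eval(). Hits are leads to review, not verdicts.
REDIRECT_RE = re.compile(
    r'Redirect(?:Match)?\s+(?:\d{3}\s+)?\S+\s+(https?://\S+)'  # .htaccess Redirect
    r'|RewriteRule\s+\S+\s+(https?://\S+)'                      # .htaccess RewriteRule
    r'|header\s*\(\s*["\']Location:\s*(https?://[^"\']+)',       # PHP header()
    re.IGNORECASE)
B64_LITERAL_RE = re.compile(r'["\']([A-Za-z0-9+/]{20,}={0,2})["\']')
OBFUSCATION_RE = re.compile(
    r'\b(base64_decode|eval|gzinflate|gzuncompress|str_rot13)\s*\(', re.IGNORECASE)

def scan_text(path, text, trusted_hosts):
    """Return (path, kind, detail) findings for one file's contents."""
    findings = []
    for m in REDIRECT_RE.finditer(text):
        url = next(g for g in m.groups() if g)
        host = re.sub(r'^https?://', '', url, flags=re.I).split('/')[0].lower()
        if host not in trusted_hosts:  # a redirect to one of our own hosts is normal
            findings.append((path, 'offsite-redirect', host))
    calls = sorted({c.lower() for c in OBFUSCATION_RE.findall(text)})
    if calls:
        findings.append((path, 'obfuscation-call', ','.join(calls)))
        for literal in B64_LITERAL_RE.findall(text):  # show what the literal hides
            try:
                decoded = base64.b64decode(literal, validate=True).decode('utf-8', 'replace')
            except ValueError:  # not really base64 (binascii.Error is a ValueError)
                continue
            findings.append((path, 'base64-payload', decoded[:60]))
    return findings

def scan_tree(root, trusted_hosts):
    # Walk a document root and check every .htaccess and .php file in it.
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name == '.htaccess' or name.lower().endswith('.php'):
                full = os.path.join(dirpath, name)
                with open(full, encoding='utf-8', errors='replace') as fh:
                    findings.extend(scan_text(full, fh.read(), trusted_hosts))
    return findings

if __name__ == '__main__':
    sample = 'RewriteRule ^(.*)$ http://attacker.example/ [R,L]'  # constructed
    for hit in scan_text('img/.htaccess', sample, {'www.example.cz'}):
        print(hit)
```

Run it as `scan_tree(r'J:\www', {'www.example.cz'})` (path and host are placeholders) and review every hit; a hit in an image folder, as in the question, is almost certainly planted.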
Author Comment

by:jbmd
Ardiseis, thanks for the advice but it is too professional a language for me.

1. the virus (worm, trojan) got there via an infected .elm. On top of it I was manipulating infected .elm files as my client wanted me to.

2. I did not have any reinfection. The first time I had .htaccess with a redirection to a viral website. I replaced it with a healthy .htaccess and changed passwords everywhere. But it was not enough. It happened again and besides the .htaccess injection there was also an index.php injection in the roots of all websites.

3. THEN I started treating the pc with the online scanner from eset and it caught the viruses and liquidated them. I also ran the tool from symantec against netsky but it did not find anything. So far I have no problem.

4. I am reading all advice here and try to decide what other tool I am going to use to make sure that it will not repeat again.
Author Comment

by:jbmd
also, I keep checking if new files generated on my server are ok every day and do not see anything dangerous. Before I saw cca 7.000 or so new .htaccess and indexes.
LVL 3

Expert Comment

by:Ardiseis
Google PHP Remote File Inclusion attacks
Read up on it; trust me, it will help you. Until you fix that you will get hacked over and over again.

Trust me, look at a few other PHP files besides the indexes. I have seen a good hacker add 10 lines of code to a file and not change the size, so most monitoring tools missed it.

As this is hosted on an XP box, Home at that, you are going to have a hell of a time with secure folder and file permissions. If you are to stay with Windows I strongly encourage you to move to Server 2003, or if that is not an option follow this link

http://www.wikihow.com/Disable-Simple-File-Sharing-in-Windows-XP-Home-Edition

Due to serious limitations in XP home native security you should not be using it as a publicly exposed web server.

In order of the worst to the best apache web servers
XP Home <--Not a server OS and no Security
XP Pro < Not a server OS
Server 2003 <-  Server OS and Can be secured Costs money
Linux patched and secured look into precompiled LAMP Distros < Why you are in technology learn something and best part it is FREE Open source for the WIN! as I am guessing that you have some serious budget concerns.

Don't get me wrong, as an IT Director for my day job 99% of my systems are Windows. I only have 3 Linux servers in my environment vs 20+ Windows servers and several hundred XP Pro and Win 7 Pro workstations (hangs head in shame at 3 Vista Business still deployed).
Author Comment

by:jbmd
Ardiseis,

1) in here  they describe these attacks: http://www.sans.org/reading_room/whitepapers/detection/multi-perspective-view-php-remote-file-include-attacks_33229

However, I was affected also on non php non mysql websites. I had my original .htaccess and index.php file from hacker placed in all directories where I have my web server document root. These htaccess and index.php files were also in image folders and many other folders where these files are not supposed to be.

2) I did check the other php files and found nothing new inside of them.

3) I fully recognize you as an expert, however you gave me instructions I would have to google to be able to follow.


QUESTIONS FOR Ardiseis:

Example:

QUESTION A)
your link http://www.wikihow.com/Disable-Simple-File-Sharing-in-Windows-XP-Home-Edition finally says that I can change all permissions and I should pick the folder. I DO NOT KNOW what to exactly change and do not know what folder to pick (www?, Inetpub? or whole J:?)?  

QUESTION B)
where and how can I change directory browsing - on apache config. level or on folder level?
Author Comment

by:jbmd
to be more specific: hacker gave me his files not a part of the code inside of my files.
Author Comment

by:jbmd
.. and the hacker's files (.htaccess and index.php) contained only a simple redirection to his web, no other code was inside of these files.
LVL 3

Assisted Solution

by:Ardiseis
Ardiseis earned 250 total points
If they did not infect any of your other files you are lucky.

On the permissions if it were me I would create a user account say web-service
change the apache service to use that new user as the startup account
then make the path to any apache site read only to web-service

Ok so now for steps this is not 100% as I could not put my hands on a xp system that has not been joined to a domain.

~~~Create new User for Service Account~~~
open control panel
users
create new user
standard user
password protected

~~~Change service Account~~~
Now depending on which version of apache or tomcat you are running this could be different

Start | Run | Services.msc

Find the web service, hopefully it is just Apache, but see this link for more information
http://httpd.apache.org/docs/2.1/platform/windows.html

open the service and click on the log on tab
change to this account and enter the user you just created in here
restart service to test all is well

~~~Set Web Folder Security~~~
open your root folder for your website or sites hosted by apache
proceed to the security tab and change permissions
System - Full Control
Administrators - Full Control
Web-Service (or whatever you named the new user used above) - Read & Execute, List Folder Contents and Read is all that should be checked

~~~Block web service from logging into desktop~~~
Control Panel | Administrative Tools | Local Security Policy |  
Local Policies | User Rights Assignment

Add the service account to the following (All may not be an option on XP Home)
Deny Log on Locally
Deny log on through remote desktops
Deny access to this computer from the network

Restart and you should be good you may want to think about doing something like this to mysql service as well

lastly, disable the guest user account and make sure there is a password on the administrator account or that it is also disabled; I think in xp home it is disabled by default.
LVL 3

Assisted Solution

by:Ardiseis
Ardiseis earned 250 total points
Sorry I forgot the directory browsing
This can be done for the server or in each site config file I like the latter as it overrides the server setting
See this link
http://www.techiecorner.com/106/how-to-disable-directory-browsing-using-htaccess-apache-web-server/
Author Closing Comment

by:jbmd
thanks to all