This is more or less an FYI on how I removed the variant malware/trojan. Since I am new to this forum and do not have the qualifications to help those infected with this worm, I would highly suggest that any advice from this be taken as is and that you use your judgment together with someone on this board who is qualified to help with malware infections.
This infection came to my attention on June 1st 2009 from one of my customers' domain servers. I do not have any Hijack logs or screenshots of the infection, but I do know that it was residing in the "Windows\system32\Drivers" folder as degcs.exe. I ended up manually removing the bug with the assistance of Ultimate Boot CD. Basically you need a file explorer that can see all hidden files, including those that can cloak themselves.
Degcs.exe was discovered by running "netstat -b" in the command line. This confirmed that the degcs.exe process was doing a DoS-style attack on many IP addresses, most of which were random private 192.168.x.x addresses. This variant also (I believe) changed the local policy (in this case the domain server policy) and prevented any PCs from accessing the server's network shares.
It took 9 hours of research and loss of hair to finally kick this thing in the butt.
The following is an excerpt from my blog, again AS-IS:
"On June 1st 2009 I got a call from a customer that their server was not accessible. I had them reboot the 2003 server and that's when all the problems started happening. Once the server was restarted the customer was unable to log in under administrator, getting the "not enough server storage is available to process this command" error. I immediately thought that this was due to the server running out of storage space. I ended up going over to the customer site and troubleshooting the problem. First I checked storage space by logging in in safe mode. There was plenty of space left......
degcs.exe was found to be the culprit by running "netstat -b" in the command line. It showed degcs.exe running multiple connections to many private IP addresses out in the world. It was also causing excessive network traffic and was tying up the internet connection. Norton was installed on the server but, not surprisingly, it did not detect the variant. I used Ultimate Boot CD and the registry editor to remove the troubled program. After the server was back online, or at least I thought it was, it was still broken to the network. No one could access the server; they were getting:
"The user has not been granted the requested logon.."
I am not sure if the virus caused this problem, but it appears that something at the same time as the infection (either the infection or an improper shutdown) had removed an important domain policy, which prevented any PC from accessing the file shares of the server. So I figured that putting back the domain policy or restoring the users/groups that should have access to the policy would be a cinch. Nope, it was a PITA. After hours of research I ended up finally getting the problem resolved.
First make sure you have gpmc.msc (type it in the command prompt). This is for 2003 servers; if you don't have it you can download it from Microsoft (google it).
Once you have gpmc.msc, go and change the order of your adapter binding in the Network Connections screen. From there go to Advanced > Advanced Settings > Adapters and Bindings > Connections. Just move one of the adapters up (you may have to change this back later). For some reason this seems to fix the logon security that was preventing any changes to the Group Policy. Until I did this I was unable to make any changes to the Group Policy. I kept on getting errors that I did not have access to make the changes (although I was signed in under administrator)......
The policy that was affected was "Access this computer from the network". The malware removed every group and user ID, preventing access. If you click on the info tab of the policy it will have suggestions on what groups or user IDs should have access to the policy.
Once the domain policy was successfully reset (it would only work after changing adapter priority - odd), clients were able to access the file shares on the server.....
AGAIN, WARNING: if you have this infection on a domain server you must be extremely careful when editing or resetting a policy and making any changes to the registry and settings. You could render your server useless if you are not careful. It's best to consult an expert on 2003 domain servers if you have this infection. I am only referencing this information so that hopefully those who are qualified can use it for what it's worth. I see several posts (including one on this forum) that have no solution.
Hope this helps someone out there.
Edited by Mr. Rees, 05 June 2009 - 04:29 PM.