Infected Servers bloodhound.exploit.343 & setup50045.fon



#1 thomasp94

Posted 25 March 2011 - 10:39 PM

I have spent the last several hours trying to remove bloodhound.exploit.343 from two Windows 2003 servers with no luck. I have been using Malwarebytes as well as Symantec Endpoint 11. The same three infections keep coming back.

Basically, Malwarebytes will find the same exact infections over and over again even though I do the delete and restart at the end of the scan. The files it keeps finding are all setup50045.fon files. They are always in the same location and always the same ones. When I search for the files and manually go to where they should be, they are never there. I delete the files from quarantine and they come back again when I do another scan.

Symantec finds two other types of files over and over. They are bloodhound.exploit.343 and W32.SillyFDC.BDP. They appear in quarantine usually after I restart the server to conclude the Malwarebytes scan. I delete the files from quarantine each time, but they come back as well.

I have done manual searches for .lnk files as suggested in other posts on the internet. Only once did I actually find any .lnk files, and I manually deleted them. Since then the searches never find any, even though the infection still exists. I have tried rkill before running scans as well. Nothing seems to work. The only thing I have not tried is booting into safe mode, and this is simply because I'm not at the same location as the servers and I am using Microsoft Remote Desktop to do all this.

Anyone have any ideas? I'm really at my wits' end here.

#2 SeRo82

Posted 28 March 2011 - 06:20 AM

Hi Thomas,

I have got the same problem, and I found that the virus spreads through shares on your network.
So if you have other computers on your network that have "open" shares, they will probably be infected as well.
So you have to tighten the security on the shares, or unshare, to stop the virus from spreading, and then remove it from each computer individually.

I hope this helps.

Edited by SeRo82, 28 March 2011 - 06:22 AM.


#3 RU469

Posted 29 March 2011 - 03:06 PM

I have the same exact problem as Thomas. What do you mean by open shares? Read-only or write access? Is there a tool to remove it?

#4 Mr. Thomas

Posted 30 March 2011 - 09:30 AM

I believe this bug is Worm:Win32/Rorpian.gen!A. The school network I maintain caught it yesterday. It came in on an e-mail claiming to be from USPS. Once it infected the computer, it copied five files to our PublicFiles directory (on a Linux server) and continued to do so every 30 minutes. Autorun.inf, setup50045.fon, setup50045.lnk, myporno.avi.lnk and pornmovs.lnk were the files created. If you delete them, they will return from the infected computer. I stopped the spreading by creating a blank autorun.inf file and locking it on the server. This seems to stop it from spreading. I managed to clean it from 2 of the 5 computers it had spread to; I don't know why the other 3 won't clean. I can tell it is still active by looking at the Samba logs and seeing the "nobody" logons when it tries to copy itself. Hope this info helps anybody else dealing with this one.
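
The share-side checks described in the post above (the five dropped files, the "nobody" logons in the Samba log, and the locked blank autorun.inf), as an added example that is not code from this thread, from Microsoft, or from any vendor. It assumes the dropped file names are exactly the five listed in the post, assumes the smbd log-level-2 connection line format ("host (ip) connect to service ... initially as user ..."), and the share tree and log lines it builds are constructed sample data, not real captures. Point `scan_share` at a real share root and `infected_hosts` at real log lines to use it:

```python
"""Added example (not from this thread or any vendor): share-side indicator
scan and mitigation for the share-hopping worm discussed above.
Assumptions: the dropped file names are those listed in post #4; smbd writes
connection records in its log-level-2 format; the sample share tree and log
lines built by build_sample() are constructed, not real data.
"""
import os
import re
import stat
import tempfile

# File names the worm copies to every writable share (post #4); matched case-insensitively.
WORM_ARTIFACTS = frozenset({
    "autorun.inf", "setup50045.fon", "setup50045.lnk",
    "myporno.avi.lnk", "pornmovs.lnk",
})

# Assumed smbd log-level-2 connection line, e.g.
#   pc-lab07 (192.168.1.23) connect to service PublicFiles initially as user nobody (uid=65534, gid=65534) (pid 4321)
CONNECT_RE = re.compile(
    r"^\s*(?P<host>\S+)\s+\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+connect to service\s+"
    r"(?P<share>\S+)\s+initially as user\s+(?P<user>\S+)"
)


def scan_share(root):
    """Return share-relative paths of every file whose name is a worm artifact."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in WORM_ARTIFACTS:
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def infected_hosts(log_lines, share, guest_user="nobody"):
    """Unique (host, ip) pairs that connected to `share` as the Samba guest user.

    Post #4 spotted the still-infected PCs this way: the worm copies itself
    without credentials, so its attempts show up as the guest account.
    """
    seen = set()
    for line in log_lines:
        m = CONNECT_RE.match(line)
        if m and m.group("share") == share and m.group("user") == guest_user:
            seen.add((m.group("host"), m.group("ip")))
    return sorted(seen)


def plant_blank_autorun(root):
    """Mitigation from post #4: a zero-byte, read-only autorun.inf the worm cannot overwrite.

    This only clears the write bits (0444); on the Samba host also make root
    the owner (and optionally `chattr +i`) so the guest account cannot unlink it.
    """
    path = os.path.join(root, "autorun.inf")
    open(path, "wb").close()  # zero bytes: nothing for a Windows client to execute
    os.chmod(path, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
    return path


def is_blank_readonly(path):
    """True if `path` is a regular, empty file with no write bits set."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and st.st_size == 0 and not (st.st_mode & 0o222)


def build_sample():
    """Constructed share tree and smbd log lines standing in for real data."""
    root = tempfile.mkdtemp(prefix="publicfiles_")
    os.mkdir(os.path.join(root, "Docs"))
    for name in ("report.docx", "setup50045.fon", "MyPorno.avi.lnk", "pornmovs.lnk"):
        open(os.path.join(root, name), "wb").close()
    open(os.path.join(root, "Docs", "notes.txt"), "wb").close()
    log = [
        "[2011/03/30 09:15:02,  2] smbd/service.c:make_connection_snum(1085)",
        "  pc-lab07 (192.168.1.23) connect to service PublicFiles initially as user nobody (uid=65534, gid=65534) (pid 4321)",
        "[2011/03/30 09:16:40,  2] smbd/service.c:make_connection_snum(1085)",
        "  teacher1 (192.168.1.50) connect to service PublicFiles initially as user jsmith (uid=1001, gid=1001) (pid 4330)",
        "[2011/03/30 09:45:03,  2] smbd/service.c:make_connection_snum(1085)",
        "  pc-lab07 (192.168.1.23) connect to service PublicFiles initially as user nobody (uid=65534, gid=65534) (pid 4402)",
    ]
    return root, log


if __name__ == "__main__":
    root, log = build_sample()
    for rel in scan_share(root):
        print("worm artifact on share:", rel)
    for host, ip in infected_hosts(log, "PublicFiles"):
        print("guest copy attempts from", host, ip)
    print("planted", plant_blank_autorun(root))
```

Note that once the blank autorun.inf is planted, `scan_share` will list it too, because the name is in the indicator set; check its size and mode with `is_blank_readonly` to tell the defender's placeholder from the worm's copy.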

#5 whit3y

Posted 11 April 2011 - 10:48 AM

I just finished cleaning a network of this worm: 8 servers and about 100 workstations. I had to clean each computer manually off the network, and used a Microsoft article as help: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm:Win32/Rorpian.A&ThreatID=-2147323067

Cleaning this in safe mode does help, but you still need to manually kill one "svchost" process (usually the one using the most memory, approx. 20 MB) before being able to delete the tmp file located in %systemroot%\temp (C:\Windows\Temp\).

After I did that, I ran ComboFix http://www.bleepingcomputer.com/download/anti-virus/combofix which detected a rootkit virus on almost all the machines.

It has been running for a few days now with no issues. Hope this helps.

#6 cboothe

Posted 13 April 2011 - 08:33 AM

Whit3y, can you provide some details on the rootkit found by ComboFix? I'm dealing with this infection at the moment. A server will scan clean (Symantec Endpoint), but later in the day I'll see a pop-up for bloodhound.exploit.343 (as user "system", in the c:\windows\temp folder). I run another scan and it shows clean. My impression is the box is still infected, but Symantec AV isn't catching it. I cranked up heuristic scanning to high, but that hasn't ID'd anything new.

Thanks,
Chris

#7 Bob_T

Posted 11 August 2011 - 02:49 PM

You can right-click and go to the properties of one of the files. On the Security tab you will see permissions being given to a user that is actually the name of a computer with a $ sign after it.
This is the computer with the service running that is deploying the files to other computers. Go to that computer and check the Services. One will be named "srv(random#)". You may find the ini file in C:\Docume~\username\local settings\temp\srv(random#); it will be somewhere on that machine. Cut and paste this file out to the desktop. Reboot, and you should now be able to delete the ini file. Open a command prompt and type in: sc delete srv(random#). The service should now be gone and should stop deploying the files to the rest of your machines.