
Unknown Malware on Server 2003


  • This topic is locked
2 replies to this topic

#1 robert069

  • Members
  • 1 posts

Posted 18 April 2011 - 06:28 PM

I have been having malware issues for the last several months on a Windows Server 2003 with SP2. I have put a detailed log of events together and pasted it in below. I hope it is not too much information.

I am unsure what the root problem is, and changed my mind along the way about 6 times. I am hoping that we can get to the bottom of it.

In the description below, I refer to the "Client Install folder" on the server. This is a share on the server that contains install files for client PCs. We only need to visit this share when we are installing or reinstalling the client on user PCs. This occurs only occasionally and users never browse the share nor do they have a drive mapped to this folder.

The server runs MS SQL 2000 SP 3 and its primary function is to serve data for our ERP software. It is a critical server. The server's core function (SQL server) is so far unaffected by the malware issues and business has not been affected so far.

The server is an ESX 3.5 vm, so we have good flexibility in trying solutions. I have a clone of the machine currently that we can use to test with without affecting the production environment. We can also restore back to where we started if we need to.

I've run and attached GMER below, but DDS will not run on Windows Server 2003. Please advise what further tests you'd like me to run.


***

October 2010

Files in the Client Install share are being altered. Discovered this when trying to reinstall the ERP client. On the client, Windows can't run the installer - gives the error "ClientSetup.exe is not a valid Win32 application."

Symantec logs on the server indicated that files in these folders were being flagged as virus/malware. I assumed this was a false positive on Symantec's part and requested that Corporate Security exclude the folder tree that contained these files.

At this time, I was able to fix the issue by restoring only 3 altered files from tape backup.

***

January 2011

When trying to reinstall another client, I discovered that the files in the client install share were once again corrupted/altered. I also found that other files on the server in other folders had been altered or corrupted. Some of these were in folders that are not shared. I added these folders to the exclude list on the Symantec scan.

This time, there was an additional symptom that really began to scare me: You could not run Task Manager nor could you run regedt32. If you right clicked on the task bar, Task Manager was grayed out. When trying to run regedt32, you were told that this had been prohibited by the administrator. Clearly a sign of Malware. The client PC that we were installing the ERP software on also was unable to run Task Manager or Regedt32. This was a brand new PC, so unlikely to be the source of the malware, but I can't rule it out. We have not seen the Task Manager or Regedt32 issue on either the server or client side since this incident in January.

To fix it this time, I restored the whole server from a VMware image-level backup from 12/30/2010. I was then able to go to the client and re-install the ERP software with no issues. This seemed to do the trick and I thought all was resolved.

Unfortunately, I do not recall looking at the Symantec logs on the server, and I have deleted this copy of the vm.

***

March 14 2011

Again, when we needed to install the ERP client on a new client PC, we discovered that the files were corrupt again. This time it appeared to be only files in client install share: Task Manager and Regedt32 worked fine.

Again, I restored the whole server with the image from 12/30/2010.

Unfortunately, I do not recall looking at the Symantec logs on the server, and I have deleted this copy of the vm.


***

March 29 2011

Same thing: went to install the ERP client on another different client PC and got the error "ClientSetup.exe is not a valid Win32 application." This time, while I was sitting at the client staring at the screen, the "Date modified" for the files in the client install share was changing to the current date/time before my eyes. To me, it was clear that Symantec or something on the local client was altering the files. Sure enough, when reviewing the Symantec logs on the client machine, Symantec had "Fixed" some of the files and "Logged" some others.

At this point I began to think that it was possible that the Symantec on the Client side had been causing this problem all along, and was hoping that perhaps the virus symptoms on the server could have been unrelated. This time, again, we did not see the server issues with Task Manager or Regedt32 like we did in January.

I changed the ERP Client re-install instructions to start with unloading the Symantec agent on the client machine.

Unfortunately, I do not recall looking at the Symantec logs on the server, and I have deleted this copy of the vm.


***

April 14 2011

Went to re-install the ERP client again on a PC. I went to the PC, unloaded Symantec, and then browsed to the ERP Client Reinstall share. Once again, I got the "ClientSetup.exe is not a valid Win32 application" error.

Looking at the "Date Modified" value of "ClientSetup.exe", it was 4/4/2011, so clearly the client PC that I was on at that moment was not responsible. The Symantec "Risk" log shows multiple files as "W32Sality.AE" and "W32.SillyFDC.BDP". Symantec appears to have fixed one of these files and logged others, even though I 'disabled' Symantec.

Scariest of all - two new shortcuts are in the Client Install folder that don't belong there:
myporno.avi
pornmovs

***

April 15 2011

Decided to leave the production server alone and not restore it for now. I cloned the production server so I could run a full scan with Symantec. It came up 100% clean. I also restored the server image from 12/30 one more time and ran a full scan with Symantec: also clean.

***

Today

Here's where I stand: I have a clone of the server made on 4/14 that we can work with. I've done nothing to the clone except run the Symantec scan and GMER. We can use this clone to do whatever testing you want to do.

I've also requested from Corporate copies of the last 60 days of Symantec logs on the server and several of the client PCs. 60 days is all they keep.


**********************
GMER Log
**********************
GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-15 19:05:51
Windows 5.2.3790 Service Pack 2 Harddisk0\DR0 -> \Device\Scsi\symmpi1Port1Path0Target0Lun0 VMware__ rev.1.0_
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1.ERP\LOCALS~1\Temp\1\fxlyraow.sys


---- System - GMER 1.0.15 ----

SSDT 864F2E48 ZwAlertResumeThread
SSDT 864F2F28 ZwAlertThread
SSDT 86340E00 ZwAllocateVirtualMemory
SSDT 8633F8B0 ZwCreateMutant
SSDT 8634F170 ZwCreateThread
SSDT 86653A78 ZwFreeVirtualMemory
SSDT 8633F9A0 ZwImpersonateAnonymousToken
SSDT 864F2D68 ZwImpersonateThread
SSDT 8650BD00 ZwMapViewOfSection
SSDT 8633F7D0 ZwOpenEvent
SSDT 8661BFD0 ZwOpenProcessToken
SSDT 8633FC40 ZwOpenThreadToken
SSDT 8650B960 ZwResumeThread
SSDT 865170C0 ZwSetContextThread
SSDT 8633FD30 ZwSetInformationProcess
SSDT 8634DC08 ZwSetInformationThread
SSDT 8633F6F0 ZwSuspendProcess
SSDT 8634DA48 ZwSuspendThread
SSDT 86653800 ZwTerminateProcess
SSDT 8634DB28 ZwTerminateThread
SSDT 865008E0 ZwUnmapViewOfSection
SSDT 86508258 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!KeQuerySystemTime + 60 8083E5FC 8 Bytes [48, 2E, 4F, 86, 28, 2F, 4F, ...]
.text ntoskrnl.exe!KeQuerySystemTime + 74 8083E610 4 Bytes [00, 0E, 34, 86] {ADD [ESI], CL; XOR AL, 0x86}
.text ntoskrnl.exe!KeQuerySystemTime + E0 8083E67C 4 Bytes [B0, F8, 33, 86]
.text ntoskrnl.exe!KeQuerySystemTime + 108 8083E6A4 4 Bytes [70, F1, 34, 86] {JO 0xfffffffffffffff3; XOR AL, 0x86}
.text ntoskrnl.exe!KeQuerySystemTime + 188 8083E724 4 Bytes [78, 3A, 65, 86]
.text ...

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\LANDesk\LDClient\LocalSch.EXE[1672] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleBaseNameW] [76BF20DD] C:\Program Files\LANDesk\LDClient\PSAPI.DLL (Process Status Helper/Microsoft Corporation)
IAT C:\Program Files\LANDesk\LDClient\LocalSch.EXE[1672] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleFileNameExW] [76BF1777] C:\Program Files\LANDesk\LDClient\PSAPI.DLL (Process Status Helper/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat Dfs.sys (Distributed File System Filter Driver/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
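As an added example (not from the post and not GMER's own code), a small Python check a responder could run over the log above: it parses the SSDT lines, flags handlers that fall outside an assumed ntoskrnl load range, and decodes the bytes reported in the "Kernel code sections" lines to show that they are the same handler addresses, so the two sections describe one set of rewritten service-table entries rather than two independent patches. The kernel range is an assumption for this excerpt, not a value GMER printed.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of the GMER log posted above (a subset of its lines).
GMER_LOG = """
SSDT 864F2E48 ZwAlertResumeThread
SSDT 864F2F28 ZwAlertThread
SSDT 86340E00 ZwAllocateVirtualMemory
SSDT 8633F8B0 ZwCreateMutant
SSDT 8634F170 ZwCreateThread
.text ntoskrnl.exe!KeQuerySystemTime + 60 8083E5FC 8 Bytes [48, 2E, 4F, 86, 28, 2F, 4F, ...]
.text ntoskrnl.exe!KeQuerySystemTime + 74 8083E610 4 Bytes [00, 0E, 34, 86] {ADD [ESI], CL; XOR AL, 0x86}
.text ntoskrnl.exe!KeQuerySystemTime + E0 8083E67C 4 Bytes [B0, F8, 33, 86]
"""

SSDT_RE = re.compile(r"^SSDT\s+([0-9A-F]{8})\s+(\w+)")
TEXT_RE = re.compile(r"^\.text\s+(\S+)\s+\+\s+[0-9A-F]+\s+([0-9A-F]{8})\s+\d+ Bytes \[([^\]]*)\]")

# Assumed ntoskrnl.exe load range for this 2003 SP2 guest: GMER shows the kernel's
# own code at 0x8083xxxx, while every hook handler sits at 0x86xxxxxx (pool memory).
KERNEL_BASE, KERNEL_SIZE = 0x80800000, 0x400000


def parse_ssdt_hooks(log: str) -> Dict[str, int]:
    """Hooked service name -> handler address, from the SSDT lines."""
    return {m.group(2): int(m.group(1), 16)
            for m in map(SSDT_RE.match, log.splitlines()) if m}


def parse_text_patches(log: str) -> List[Tuple[str, int, List[int]]]:
    """(symbol, patch address, little-endian dwords) per .text line.
    GMER's trailing '...' is dropped; only complete 4-byte groups are decoded."""
    out = []
    for m in filter(None, map(TEXT_RE.match, log.splitlines())):
        bs = [int(b, 16) for b in (x.strip() for x in m.group(3).split(","))
              if re.fullmatch(r"[0-9A-F]{2}", b)]
        dwords = [int.from_bytes(bytes(bs[i:i + 4]), "little")
                  for i in range(0, len(bs) - len(bs) % 4, 4)]
        out.append((m.group(1), int(m.group(2), 16), dwords))
    return out


def outside_kernel_image(addr: int) -> bool:
    """True when a hook handler lives outside the assumed ntoskrnl range."""
    return not (KERNEL_BASE <= addr < KERNEL_BASE + KERNEL_SIZE)


def correlate(log: str) -> Dict[int, str]:
    """Patched dwords in the .text lines that are themselves SSDT hook addresses."""
    by_addr = {v: k for k, v in parse_ssdt_hooks(log).items()}
    return {d: by_addr[d] for _, _, dws in parse_text_patches(log)
            for d in dws if d in by_addr}
```

Run against the full log, every SSDT handler lands outside the kernel image and each decoded .text dword resolves to one of the hooked services, which is the pattern of a service table overwritten in place.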

#2 m0le

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 29 April 2011 - 06:39 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 m0le

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 04 May 2011 - 06:35 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
m0le is a proud member of UNITE
