Posted 15 July 2011 - 08:21 AM
We have a Windows 2003 server that is a Terminal Server for branch office and home/remote use. A month or so ago I got a warning from our ISP that somebody had detected remote desktop attempts from our IP address. I ran our virus scanner (Vipre Enterprise) and found nothing, didn't see anything unusual. That weekend, the "deep scan" found something it called "HackTool.Win32.BruteForce" in notepad.exe, "Packed.Win32.Upack(v)" in ippipi.exe, and "Trojan.Win32.Meredrop" in csrss.exe, all in the C:\Windows\system32\ras folder. It also found vnc.exe in that folder.
I looked at the folder and found this: bad.txt, config.ini, FAQ.txt, good.txt, 1321s.txt, 1321s.zip, IP.rar, IP.txt, ipippipi.txt, IPs.zip, libeay32.dll, lo.txt, msvcr71.dll, NEN.txt, p.txt, QTCore3.dll, QTGui4.dll, ras.zip, source.txt, ssleay32.dll, start.bat, vnc.exe, VNC_bypauth.txt, and Winlogo.zip. There was also a Winlogo folder containing: 2Winlogo.zip, Hookmsgina.dll, install.bat, jks.dat, On.reg, pass.txt, ReadLog.bat, readme.txt, Un.reg, Uninstall.bat, and wminotify.dll.
The ".txt" files are mostly either lists of IP addresses, or lists of logon names (admin and variants) and password guesses. Start.bat is hundreds of lines like: vnc.exe -i 126.96.36.199-188.8.131.52 -p 3389 -cT -T 500" I could delete (I copied first) the entire thing except wminotify.dll.
@regedit -s Un.reg
I ran it, and it said that wminotify.dll was 'access denied'. Since Un.reg was "[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wminotify]", I restarted the machine (at night, remotely), and ran unistall again. It said that jks.dat was not found. I thought it was unusual for malware to have an uninstall, but thought I got lucky (ever the blind optimist). A few days later, everything was back. It has reappeared several times, sometimes in the \Help\Tours folder, sometimes in \Dell\Drivers. I'm assuming there's something running in there that keeps putting it back, but the virus scanner can't find it. I'm not sure what else to try, as I suspect that many of the scanners/tools commonly used for this kind of thing aren't meant for servers.
Any suggestions would be greatly appreciated. I'll also need to know, if you suggest a tool to run, if it is background/reporting, or disruptive. If it's report only, I can do it anytime, if it's going to disrupt stuff (like combofix, where it cuts off network and shuts down processes, etc.), I obviously need to avoid doing that during the day.