
Strange Trojan Infection


3 replies to this topic

#1 Mr Kidd

  • Members
  • 3 posts

Posted 16 November 2006 - 12:08 PM

I am the administrator for a network with a Windows Server 2003 and Windows XP workstations, all on private IPs behind a router/firewall. A couple of days ago we were stricken by a virus or trojan which AVG Antivirus calls Trojan Proxy.25.D, and many of its other variants, all recognized as "Trojan Proxy.xx.letter" where "xx" is a number and "letter" an alphabet letter. The infected files are detected and eliminated by the antivirus, and they can also be eliminated manually, but the files reappear soon after, over and over again. This trojan also spreads to all shares on all computers on the network. It drops a couple of files to all shares on the network; these files are "setup.exe" (38kb) and "autorun.inf" (1kb). On the server itself there are some other .exe files created in the currently logged-on user's temp folder, along with text files containing a domain list, first name list, and last name list. At some point there is a srvhosts process that kicks in and takes up almost all the CPU time, considerably slowing down the server. It seems like an attempt to use my server as a relay. Other than AVG antivirus, I have run HijackThis, Microsoft's Malicious Software Removal Tool, and Spybot S&D without finding anything that could be causing this to reinstall. Can anybody tell me how to get rid of this for good?

Your Help is appreciated...

Mr. Kidd
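A defender-side check for the pair of dropped files described in this post, as an added example that is not part of the thread: it walks a share tree, reports every folder holding both setup.exe and autorun.inf, and parses the .inf to see whether it would launch the dropped executable. The thread never shows the autorun.inf contents, so the open=/shellexecute= parsing and the constructed sample share are assumptions.

```python
import configparser
import os
import tempfile

# Indicator pair from the thread: "setup.exe" (about 38 KB) beside "autorun.inf" (about 1 KB)
# on every share. The .inf contents are not shown in the thread; open=/shellexecute= is assumed.
DROPPED_EXE = "setup.exe"
AUTORUN = "autorun.inf"

def autorun_target(inf_path: str) -> str:
    """Return the program an autorun.inf would launch (open= or shellexecute=), or ''."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    try:
        parser.read(inf_path, encoding="latin-1")
    except configparser.Error:
        return ""
    for name in parser.sections():
        if name.lower() == "autorun":  # both [autorun] and [AutoRun] occur in practice
            sec = parser[name]
            return (sec.get("open") or sec.get("shellexecute") or "").strip()
    return ""

def scan_share(root: str) -> list:
    """Walk a share tree and report every directory holding the setup.exe/autorun.inf pair."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower(): f for f in files}  # Windows names are case-insensitive
        if AUTORUN not in names or DROPPED_EXE not in names:
            continue
        target = autorun_target(os.path.join(dirpath, names[AUTORUN]))
        hits.append({
            "dir": dirpath,
            "exe_bytes": str(os.path.getsize(os.path.join(dirpath, names[DROPPED_EXE]))),
            "autorun_launches": target,
            "launches_dropped_exe": str(target.lower() == DROPPED_EXE),
        })
    return hits

def build_constructed_sample() -> str:
    """Constructed sample share for offline use: one dropped pair plus one clean folder."""
    root = tempfile.mkdtemp(prefix="share_")
    bad = os.path.join(root, "public")
    os.makedirs(bad)
    with open(os.path.join(bad, "autorun.inf"), "w", newline="") as f:
        f.write("[autorun]\r\nopen=setup.exe\r\nicon=setup.exe,0\r\n")
    with open(os.path.join(bad, "setup.exe"), "wb") as f:
        f.write(b"\0" * (38 * 1024))  # matches the reported size only; not a real binary
    os.makedirs(os.path.join(root, "docs"))  # clean folder, must not be reported
    return root
```

Run scan_share() against the mapped path of each share (for example a mounted \\server\share) and quarantine the reported folders before reconnecting the machines; anything reported with launches_dropped_exe set to True matches the self-starting pattern described above.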


#2 Grinler

    Lawrence Abrams


  • Admin
  • 43,388 posts

Posted 16 November 2006 - 01:30 PM

You are not going to like this answer, but in a corporate environment with many networked computers, your best solution in cleaning up self-propagating malware is to power off the hub and then quickly hit each of the machines to clean them.

What is happening is that between the time you clean one machine, other machines are infecting each other starting the cycle all over again.

Is the filename always the same or are they random? Can you see the files on an infected computer when running msconfig or HijackThis on it? The quickest and easiest solution, if they run from an msconfig-related entry, is to disconnect the hub, reboot each computer into safe mode, disable the entry in msconfig, reboot and delete the file. Rinse and repeat.

#3 Mr Kidd

  • Topic Starter

  • Members
  • 3 posts

Posted 16 November 2006 - 02:00 PM

The files are always the same (setup.exe, 38 KB) and they actually do nothing on the workstations, nor are they reported in the logs of HijackThis, for example. They are only detected repeatedly by the antivirus as they reappear. There is nothing associated with them that you can find in the startups, services, or running processes. On the server, however, there are other executables downloaded and a seemingly malicious process that runs or attempts to run when connected to the internet, just as I described in my first post. This process runs under the svchosts name.

#4 Grinler

    Lawrence Abrams


  • Admin
  • 43,388 posts

Posted 16 November 2006 - 02:04 PM

Submit some samples of these files to http://www.bleepingcomputer.com/submit-malware.php and I will see if I can figure out what they are doing.
