Security Incidents mailing list archives

Mystery web server trojan(?) on Windows ME


From: Jeremy Anderson <jeremy () is2inc com>
Date: Wed, 20 Jun 2001 18:39:25 -0700 (PDT)

Hi folks,

One of my users is running WinME at home.  He reported that he thought his
home machine had been hacked.

Running a portscan on the machine turned up the following:

10.0.0.23           unknown            135/tcp unassigned
10.0.0.23           netbios-ssn        139/tcp # NETBIOS session server
10.0.0.23           unknown            4343/tcp unassigned

Attempting to telnet to port 4343 on this machine, I found what appeared
to be a small webserver.

Here are some samples:

----------------------------------------------------------

GET / HTTP/1.0

HTTP/1.1 400 Bad Request

----------------------------------------------------------

iojgoijtgoij

HTTP/1.1 400 Bad Request

----------------------------------------------------------

GET / HTTP/1.0
Connection: Keep-Alive
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.2.14-5.0smp i686)
Host: 10.0.0.23:4343
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1

HTTP/1.1 400 Bad Request

... and so on.  Not very revealing.

I attempted to run inzider (http://www.ntsecurity.nu) on the machine to
find out what was hooked up to this port (expecting a copy of Back Orifice
or similar).  While I don't have the dump from inzider, there was no
process attached to the server.

Does this sound familiar to anyone?  I have reason to believe it's a
stealth backdoor of some sort, but I don't have much information to go on.

Thanks in advance.

Jeremy Anderson                                       email: jeremy () is2inc com
Systems Administrator                                   tel: 425/775.6495
IS-Squared Inc.                                         fax: 425/774.8564
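The probing described in the post, reproduced as an added example (not part of Jeremy's message) against a constructed local stub that answers "400 Bad Request" to everything, the way the port-4343 service did; the stub server, the loopback port and the helper names are assumptions, and the browser-style request is abbreviated to a few of its headers.

```python
import socket
import threading

# Constructed stand-in for the unknown listener: like the port-4343 service
# in the post, it answers "400 Bad Request" to whatever it receives.
CANNED_REPLY = b"HTTP/1.1 400 Bad Request\r\n\r\n"

# The three probes from the post (the browser-style request is abbreviated).
PROBES = {
    "bare_get": b"GET / HTTP/1.0\r\n\r\n",
    "garbage": b"iojgoijtgoij\r\n\r\n",
    "full_get": b"GET / HTTP/1.0\r\nConnection: Keep-Alive\r\n"
                b"Host: 10.0.0.23:4343\r\nAccept: */*\r\n\r\n",
}

def start_stub_server():
    """Start the stub on a free loopback port and return that port number."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.recv(4096)          # read (and ignore) whatever arrived
                conn.sendall(CANNED_REPLY)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def probe(host, port, payload, timeout=3.0):
    """Send one payload; return the first response line, or None if silent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        try:
            data = s.recv(4096)
        except socket.timeout:
            return None
    return data.split(b"\r\n", 1)[0].decode("latin-1") if data else None

def triage(host, port):
    """Run every probe; flag a listener that rejects even a well-formed request
    and one that answers every input with the same line (the post's finding)."""
    results = {name: probe(host, port, p) for name, p in PROBES.items()}
    distinct = {r for r in results.values() if r}
    full = results["full_get"] or ""
    results["rejects_valid_http"] = full.startswith("HTTP/") and " 400 " in full
    results["uniform_response"] = len(distinct) == 1
    return results
```

Run `triage("127.0.0.1", start_stub_server())` to see the three status lines and both flags set; pointing `triage` at a real host and port reproduces the transcript shown above with a timeout for a listener that never answers.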
