Security Incidents mailing list archives

FORCDOS.EXE


From: "Craig Broad" <craig () broadband-computers com>
Date: Sat, 6 Dec 2003 17:25:01 -0000

Hi ALL

        Further to my last post, it's been brought to my attention by J. that there
is at least one other instance of this trojan/DoS file.  It was on a
Washington Uni box (also running SQL).  I have since been in contact with
the sysadmin of that box, and it has been taken offline.  I am hoping for
some feedback from that end, or at least a copy of the file/directory.

-------------------
wurried.eprsl.wustl.edu - cpu

----------------------------------------------------------------------------
----

purple Mon Oct 20 13:19:34 CDT 2003 [WURRIED.eprsl.wustl.edu] up: 0:05, 1 users, 57 procs, load=16%, PhysicalMem: 1024MB(30%)

Machine recently rebooted



Memory Statistics
Total Physical memory: 1072705536 bytes
Available Physical memory: 748716032 bytes
Total PageFile size: 2581114880 bytes
Available PageFile size: 2353881088 bytes
Total Virtual memory size: 2147352576 bytes
Available Virtual memory size: 2121297920 bytes

Most active processes
03.34% explorer (0x15c)
03.17% mshta (0x888)
01.61% WinMgmt (0x5b0)
01.52% PPMemCheck (0x7cc)
00.93% forcdos (0x258)
00.81% System (0x8)
00.60% Icq (0x7f8)
00.43% msiexec (0x138)
00.42% Netscp (0x7e8)
00.39% sqlservr (0x400)
---------------------------------------- -----------------------------------
-----

Again, I am currently unable to access the machine locally to retrieve a copy
of the file; any help in suggesting a method of getting to the file, which is
in a com1 directory, from within the OS would be much appreciated.

The box has been locked down but the file is still running within it.
Currently all unused ports have been firewalled; this has been verified
with a sniffer.  Its current ports are:

740   forcdos        ->  43958 TCP
c:\WINNT\SYSTEM32\MSAGENT\Local\com1\server\forcdos.exe
740   forcdos        ->  65302 TCP
c:\WINNT\SYSTEM32\MSAGENT\Local\com1\server\forcdos.exe

The registry keys associated with the program are:


----------------------------------------------------------------------------
-----------------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Cryptograph Services]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):63,00,3a,00,5c,00,57,00,49,00,4e,00,4e,00,54,00,5c,00,53,00,\
  59,00,53,00,54,00,45,00,4d,00,33,00,32,00,5c,00,53,00,52,00,56,00,4e,00,59,\
  00,2e,00,45,00,58,00,45,00,00,00
"DisplayName"="Cryptograph Services"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Cryptograph Services\parameters]
"AppDirectory"="c:\\WINNT\\SYSTEM32\\MSAGENT\\Local\\com1\\server"
"Application"="c:\\WINNT\\SYSTEM32\\MSAGENT\\Local\\com1\\server\\forcdos.exe c:\\WINNT\\SYSTEM32\\MSAGENT\\Local\\com1\\server\\Rhododenron.bmp"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Cryptograph Services\Security]
"Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,70,00,04,00,00,00,00,00,18,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,74,00,69,00,00,00,1c,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
  20,00,00,00,20,02,00,00,76,00,65,00,00,00,18,00,8d,01,02,00,01,01,00,00,00,\
  00,00,05,0b,00,00,00,20,02,00,00,00,00,1c,00,fd,01,02,00,01,02,00,00,00,00,\
  00,05,20,00,00,00,23,02,00,00,76,00,65,00,01,01,00,00,00,00,00,05,12,00,00,\
  00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Cryptograph Services\Enum]
"0"="Root\\LEGACY_CRYPTOGRAPH_SERVICES\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
----------------------------------------------------------------------------
---------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Cryptograph Services]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):63,00,3a,00,5c,00,57,00,49,00,4e,00,4e,00,54,00,5c,00,53,00,\
  59,00,53,00,54,00,45,00,4d,00,33,00,32,00,5c,00,53,00,52,00,56,00,4e,00,59,\
  00,2e,00,45,00,58,00,45,00,00,00
"DisplayName"="Cryptograph Services"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Cryptograph Services\parameters]
"AppDirectory"="c:\\WINNT\\SYSTEM32\\MSAGENT\\Local\\com1\\server"
"Application"="c:\\WINNT\\SYSTEM32\\MSAGENT\\Local\\com1\\server\\forcdos.exe c:\\WINNT\\SYSTEM32\\MSAGENT\\Local\\com1\\server\\Rhododenron.bmp"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Cryptograph Services\Security]
"Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,70,00,04,00,00,00,00,00,18,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,74,00,69,00,00,00,1c,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
  20,00,00,00,20,02,00,00,76,00,65,00,00,00,18,00,8d,01,02,00,01,01,00,00,00,\
  00,00,05,0b,00,00,00,20,02,00,00,00,00,1c,00,fd,01,02,00,01,02,00,00,00,00,\
  00,05,20,00,00,00,23,02,00,00,76,00,65,00,01,01,00,00,00,00,00,05,12,00,00,\
  00,01,01,00,00,00,00,00,05,12,00,00,00
----------------------------------------------------------------------------
----------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptograph Services]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):63,00,3a,00,5c,00,57,00,49,00,4e,00,4e,00,54,00,5c,00,53,00,\
  59,00,53,00,54,00,45,00,4d,00,33,00,32,00,5c,00,53,00,52,00,56,00,4e,00,59,\
  00,2e,00,45,00,58,00,45,00,00,00
"DisplayName"="Cryptograph Services"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptograph Services\parameters]
"AppDirectory"="c:\\WINNT\\SYSTEM32\\MSAGENT\\Local\\com1\\server"
"Application"="c:\\WINNT\\SYSTEM32\\MSAGENT\\Local\\com1\\server\\forcdos.exe c:\\WINNT\\SYSTEM32\\MSAGENT\\Local\\com1\\server\\Rhododenron.bmp"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptograph Services\Security]
"Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,70,00,04,00,00,00,00,00,18,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,74,00,69,00,00,00,1c,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
  20,00,00,00,20,02,00,00,76,00,65,00,00,00,18,00,8d,01,02,00,01,01,00,00,00,\
  00,00,05,0b,00,00,00,20,02,00,00,00,00,1c,00,fd,01,02,00,01,02,00,00,00,00,\
  00,05,20,00,00,00,23,02,00,00,76,00,65,00,01,01,00,00,00,00,00,05,12,00,00,\
  00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptograph Services\Enum]
"0"="Root\\LEGACY_CRYPTOGRAPH_SERVICES\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
----------------------------------------------------------------------------
------------------

Can I safely remove these keys?

Also, any help with accessing (I will have local access within the week, but
would prefer to get it ASAP) the com1 directory from within the OS itself, info
on the file, and possibly what the latest SQL exploits are which would give
write permission to the subdirectory.

Many thanks all.




-----------
Craig Broad
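Added example (editor's, not Craig's and not any project's code): a small triage script for the service entry quoted above. It rejoins the `.reg` continuation lines, decodes the `hex(2)` (REG_EXPAND_SZ, UTF-16LE) `ImagePath` to a readable path, pulls the real command line out of the `parameters` key (the `AppDirectory`/`Application` layout is the convention of the Resource Kit `srvany.exe` wrapper, which runs an arbitrary program as a service), flags path components that are reserved DOS device names such as `com1`, and builds the `\\?\` extended-length form of the directory, which is what the Win32 layer needs to open a reserved-name directory from within the OS. The sample text is the post's CurrentControlSet fragment with the e-mail wrapping undone; nothing else is assumed beyond the exe path containing no spaces.

```python
"""Triage helper for an srvany-style service entry taken from a .reg export.
Added example: rejoin .reg continuations, decode the hex(2) ImagePath, pull the
wrapped command line from the Parameters key, flag reserved device names in the
path and build the \\?\ form needed to open that directory from within Windows.
"""
import re

# Constructed sample: the CurrentControlSet fragment from the post, with the
# e-mail line wrapping undone so it is valid .reg continuation syntax.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptograph Services]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):63,00,3a,00,5c,00,57,00,49,00,4e,00,4e,00,54,00,5c,00,53,00,\
  59,00,53,00,54,00,45,00,4d,00,33,00,32,00,5c,00,53,00,52,00,56,00,4e,00,59,\
  00,2e,00,45,00,58,00,45,00,00,00
"DisplayName"="Cryptograph Services"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptograph Services\parameters]
"AppDirectory"="c:\\WINNT\\SYSTEM32\\MSAGENT\\Local\\com1\\server"
"Application"="c:\\WINNT\\SYSTEM32\\MSAGENT\\Local\\com1\\server\\forcdos.exe c:\\WINNT\\SYSTEM32\\MSAGENT\\Local\\com1\\server\\Rhododenron.bmp"
'''

# Names Win32 treats as devices in any directory, with or without an extension.
RESERVED = {'CON', 'PRN', 'AUX', 'NUL'} | {f'COM{i}' for i in range(1, 10)} \
    | {f'LPT{i}' for i in range(1, 10)}


def parse_reg(text):
    """Return {key_path: {value_name: raw_value}} with backslash-continued lines rejoined."""
    joined = re.sub(r'\\\r?\n[ \t]*', '', text)   # trailing backslash = continue on next line
    keys, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def decode_value(raw):
    """Decode one .reg value: quoted string (backslash escapes), dword:, hex: or hex(N):."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r'\\(.)', r'\1', raw[1:-1])
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    m = re.match(r'hex(?:\((\d+)\))?:(.*)$', raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(',') if b.strip())
        kind = int(m.group(1) or '3')                 # bare "hex:" is REG_BINARY (type 3)
        if kind in (1, 2):                            # REG_SZ / REG_EXPAND_SZ are UTF-16LE
            return data.decode('utf-16-le').rstrip('\x00')
        return data                                   # e.g. the Security descriptor blob
    raise ValueError(f'unrecognised value syntax: {raw!r}')


def reserved_components(path):
    """Path components whose stem is a reserved device name (case-insensitive)."""
    return [p for p in path.split('\\')
            if p.split('.', 1)[0].strip().upper() in RESERVED]


def extended_length(path):
    r"""Prefix a drive-absolute path with \\?\ so Win32 skips device-name parsing."""
    if re.match(r'^[A-Za-z]:\\', path) and not path.startswith('\\\\?\\'):
        return '\\\\?\\' + path
    return path


def triage(reg_text):
    """Summarise: what the SCM starts, what the wrapper then launches, how to reach it."""
    report = {}
    for path, values in parse_reg(reg_text).items():
        if 'ImagePath' in values:
            report['service_name'] = path.rsplit('\\', 1)[1]
            report['image_path'] = decode_value(values['ImagePath'])
            report['account'] = decode_value(values.get('ObjectName', '""'))
            report['start'] = decode_value(values.get('Start', 'dword:00000000'))
        if path.lower().endswith('\\parameters') and 'Application' in values:
            # srvany.exe convention: Application = full command line, AppDirectory = its cwd.
            cmd = decode_value(values['Application'])
            report['app_exe'], _, report['app_args'] = cmd.partition(' ')  # assumes no spaces in the exe path
            report['app_dir'] = decode_value(values.get('AppDirectory', '""'))
    report['reserved'] = reserved_components(report.get('app_exe', ''))
    report['extended_app_dir'] = extended_length(report.get('app_dir', ''))
    return report


if __name__ == '__main__':
    for k, v in triage(SAMPLE_REG).items():
        print(f'{k:17} {v}')
```

Two things the script makes visible that the raw export hides: the `ImagePath` the Service Control Manager launches as LocalSystem is a separate wrapper executable (the decoded path is printed, and it is a second file worth collecting alongside forcdos.exe), and the `com1` component is what makes the directory unreachable by its plain name. The `\\?\` (or `\\.\`) prefix is the documented Windows way to open, copy or `rd` a reserved-name file or directory from cmd.exe, for example `dir "\\?\c:\WINNT\SYSTEM32\MSAGENT\Local\com1\server"`; the same prefix should also be used when archiving the directory for analysis before the service keys are removed.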

