Security Incidents mailing list archives
FORCDOS.EXE
From: "Craig Broad" <craig () broadband-computers com>
Date: Sat, 6 Dec 2003 17:25:01 -0000
Hi ALL,

Further to my last post, it's been brought to my attention by J. that there is at least one other instance of this trojan/dos file. It was on a Washington Uni box (also running SQL). I have since been in contact with the sysadmin of that box, and it has been taken off line. I am hoping for some feedback from that end, or at least a copy of the file/directory.

-------------------
wurried.eprsl.wustl.edu - cpu
--------------------------------------------------------------------------------
purple Mon Oct 20 13:19:34 CDT 2003 [WURRIED.eprsl.wustl.edu]
up: 0:05, 1 users, 57 procs, load=16%, PhysicalMem: 1024MB(30%)
Machine recently rebooted

Memory Statistics
Total Physical memory: 1072705536 bytes
Available Physical memory: 748716032 bytes
Total PageFile size: 2581114880 bytes
Available PageFile size: 2353881088 bytes
Total Virtual memory size: 2147352576 bytes
Available Virtual memory size: 2121297920 bytes

Most active processes
03.34% explorer (0x15c)
03.17% mshta (0x888)
01.61% WinMgmt (0x5b0)
01.52% PPMemCheck (0x7cc)
00.93% forcdos (0x258)
00.81% System (0x8)
00.60% Icq (0x7f8)
00.43% msiexec (0x138)
00.42% Netscp (0x7e8)
00.39% sqlservr (0x400)
--------------------------------------------------------------------------------

Again, I am currently unable to locally access the machine to retrieve a copy of the file; any help in suggesting a method of getting to the file, which is in a com1 directory, from within the OS would be much appreciated. The box has been locked down but the file is still running within it. Currently all non-used ports have been firewalled; this has been verified with a sniffer.
Its current ports are:

740 forcdos -> 43958 TCP c:\WINNT\SYSTEM32\MSAGENT\Local\com1\server\forcdos.exe
740 forcdos -> 65302 TCP c:\WINNT\SYSTEM32\MSAGENT\Local\com1\server\forcdos.exe

The registry keys associated with the program are:

--------------------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Cryptograph Services]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):63,00,3a,00,5c,00,57,00,49,00,4e,00,4e,00,54,00,5c,00,53,00,\
  59,00,53,00,54,00,45,00,4d,00,33,00,32,00,5c,00,53,00,52,00,56,00,4e,00,59,\
  00,2e,00,45,00,58,00,45,00,00,00
"DisplayName"="Cryptograph Services"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Cryptograph Services\parameters]
"AppDirectory"="c:\\WINNT\\SYSTEM32\\MSAGENT\\Local\\com1\\server"
"Application"="c:\\WINNT\\SYSTEM32\\MSAGENT\\Local\\com1\\server\\forcdos.exe c:\\WINNT\\SYSTEM32\\MSAGENT\\Local\\com1\\server\\Rhododenron.bmp"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Cryptograph Services\Security]
"Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,70,00,04,00,00,00,00,00,18,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,74,00,69,00,00,00,1c,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
  20,00,00,00,20,02,00,00,76,00,65,00,00,00,18,00,8d,01,02,00,01,01,00,00,00,\
  00,00,05,0b,00,00,00,20,02,00,00,00,00,1c,00,fd,01,02,00,01,02,00,00,00,00,\
  00,05,20,00,00,00,23,02,00,00,76,00,65,00,01,01,00,00,00,00,00,05,12,00,00,\
  00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Cryptograph Services\Enum]
"0"="Root\\LEGACY_CRYPTOGRAPH_SERVICES\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Cryptograph Services]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):63,00,3a,00,5c,00,57,00,49,00,4e,00,4e,00,54,00,5c,00,53,00,\
  59,00,53,00,54,00,45,00,4d,00,33,00,32,00,5c,00,53,00,52,00,56,00,4e,00,59,\
  00,2e,00,45,00,58,00,45,00,00,00
"DisplayName"="Cryptograph Services"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Cryptograph Services\parameters]
"AppDirectory"="c:\\WINNT\\SYSTEM32\\MSAGENT\\Local\\com1\\server"
"Application"="c:\\WINNT\\SYSTEM32\\MSAGENT\\Local\\com1\\server\\forcdos.exe c:\\WINNT\\SYSTEM32\\MSAGENT\\Local\\com1\\server\\Rhododenron.bmp"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Cryptograph Services\Security]
"Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,70,00,04,00,00,00,00,00,18,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,74,00,69,00,00,00,1c,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
  20,00,00,00,20,02,00,00,76,00,65,00,00,00,18,00,8d,01,02,00,01,01,00,00,00,\
  00,00,05,0b,00,00,00,20,02,00,00,00,00,1c,00,fd,01,02,00,01,02,00,00,00,00,\
  00,05,20,00,00,00,23,02,00,00,76,00,65,00,01,01,00,00,00,00,00,05,12,00,00,\
  00,01,01,00,00,00,00,00,05,12,00,00,00
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptograph Services]
"Type"=dword:00000010
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):63,00,3a,00,5c,00,57,00,49,00,4e,00,4e,00,54,00,5c,00,53,00,\
  59,00,53,00,54,00,45,00,4d,00,33,00,32,00,5c,00,53,00,52,00,56,00,4e,00,59,\
  00,2e,00,45,00,58,00,45,00,00,00
"DisplayName"="Cryptograph Services"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptograph Services\parameters]
"AppDirectory"="c:\\WINNT\\SYSTEM32\\MSAGENT\\Local\\com1\\server"
"Application"="c:\\WINNT\\SYSTEM32\\MSAGENT\\Local\\com1\\server\\forcdos.exe c:\\WINNT\\SYSTEM32\\MSAGENT\\Local\\com1\\server\\Rhododenron.bmp"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptograph Services\Security]
"Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,70,00,04,00,00,00,00,00,18,00,fd,01,02,00,01,01,00,00,00,00,00,\
  05,12,00,00,00,74,00,69,00,00,00,1c,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
  20,00,00,00,20,02,00,00,76,00,65,00,00,00,18,00,8d,01,02,00,01,01,00,00,00,\
  00,00,05,0b,00,00,00,20,02,00,00,00,00,1c,00,fd,01,02,00,01,02,00,00,00,00,\
  00,05,20,00,00,00,23,02,00,00,76,00,65,00,01,01,00,00,00,00,00,05,12,00,00,\
  00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptograph Services\Enum]
"0"="Root\\LEGACY_CRYPTOGRAPH_SERVICES\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
--------------------------------------------------------------------------------

Can I safely remove these keys? Any help with accessing the com1 directory from within the OS itself (I will have local access within the week, but would prefer to get to it ASAP), info on the file, and possibly what the latest SQL exploits are which would give write permission to the subdirectory. Many thanks all.

-----------
Craig Broad
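Added example (my own code, not the poster's and not part of the thread): a Python triage script that parses a .reg export like the one above, decodes the hex(2) ImagePath (it decodes to c:\WINNT\SYSTEM32\SRVNY.EXE) and flags the service-persistence indicators a responder would note: a parameters\Application value (the layout the Resource Kit srvany.exe wrapper reads to launch an arbitrary program as a service; that the renamed binary is srvany is my inference, not something the post states), path components that are reserved device names such as com1, and an auto-start service running as LocalSystem. It also builds the \\?\-prefixed form of a path, which makes Win32 file APIs skip device-name parsing so a directory literally named com1 can be listed and its contents copied off for analysis. The registry text embedded below is a constructed excerpt of the CurrentControlSet keys quoted in the post.

```python
"""Triage a Windows .reg service export (added example, not the poster's code):
decode the hex(2) ImagePath and flag service-persistence indicators."""
import re

# Constructed excerpt of the CurrentControlSet keys quoted in the post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptograph Services]
"Start"=dword:00000002
"ImagePath"=hex(2):63,00,3a,00,5c,00,57,00,49,00,4e,00,4e,00,54,00,5c,00,53,00,\
  59,00,53,00,54,00,45,00,4d,00,33,00,32,00,5c,00,53,00,52,00,56,00,4e,00,59,\
  00,2e,00,45,00,58,00,45,00,00,00
"DisplayName"="Cryptograph Services"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cryptograph Services\parameters]
"AppDirectory"="c:\\WINNT\\SYSTEM32\\MSAGENT\\Local\\com1\\server"
"Application"="c:\\WINNT\\SYSTEM32\\MSAGENT\\Local\\com1\\server\\forcdos.exe c:\\WINNT\\SYSTEM32\\MSAGENT\\Local\\com1\\server\\Rhododenron.bmp"
'''

# Names Win32 treats as devices in any directory position, with or without an extension.
RESERVED = {"con", "prn", "aux", "nul"} | {f"{d}{i}" for d in ("com", "lpt") for i in range(1, 10)}
SERVICE_KEY_RE = re.compile(r"^(HKEY_LOCAL_MACHINE\\SYSTEM\\[^\\]+\\Services\\[^\\]+)(?:\\(.+))?$", re.I)


def _parse_value(raw):
    """Turn one .reg value literal into a Python value (str, int or bytes)."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if not m:
        return raw
    kind = int(m.group(1) or "3")                       # bare "hex:" is REG_BINARY
    data = bytes(int(b, 16) for b in m.group(2).replace(" ", "").split(",") if b)
    # REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ are stored as UTF-16LE with a trailing NUL
    return data.decode("utf-16-le").rstrip("\x00") if kind in (1, 2, 7) else data


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: value}}, joining backslash continuation lines."""
    logical = []
    for line in text.splitlines():
        if logical and logical[-1].endswith("\\"):
            logical[-1] = logical[-1][:-1] + line.strip()
        else:
            logical.append(line.strip())
    keys, current = {}, None
    for line in logical:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = _parse_value(m.group(2))
    return keys


def has_reserved_component(path):
    """True if any path component is a reserved device name, e.g. 'com1' or 'com1.txt'."""
    return any(c.split(".")[0].strip().lower() in RESERVED for c in re.split(r"[\\/]", path))


def triage(reg_text):
    """Group keys by service root key and return decoded paths plus the indicators to flag."""
    services = {}
    for path, values in parse_reg(reg_text).items():
        m = SERVICE_KEY_RE.match(path)
        if m:
            entry = services.setdefault(m.group(1), {"root": {}, "parameters": {}})
            sub = (m.group(2) or "").lower()
            if sub in ("", "parameters"):
                entry["root" if sub == "" else "parameters"].update(values)
    results = {}
    for root_key, entry in services.items():
        root, params = entry["root"], entry["parameters"]
        image, app, appdir = root.get("ImagePath", ""), params.get("Application", ""), params.get("AppDirectory", "")
        findings = []
        if app:   # srvany.exe reads parameters\Application to learn which program to launch
            findings.append("parameters\\Application set: ImagePath is a wrapper that launches " + app.split(" ")[0])
        for label, p in (("ImagePath", image), ("Application", app), ("AppDirectory", appdir)):
            if isinstance(p, str) and p and has_reserved_component(p):
                findings.append(f"{label} contains a reserved device-name component: {p}")
        if root.get("Start") == 2 and str(root.get("ObjectName", "")).lower() == "localsystem":
            findings.append("auto-start (Start=2) service running as LocalSystem")
        results[root_key] = {"image_path": image, "application": app, "app_directory": appdir, "findings": findings}
    return results


def extended_length_path(path):
    r"""Prefix with \\?\ so Win32 skips device-name parsing and opens a directory literally
    named com1 (listing it, or copying the sample out, then works with normal file APIs)."""
    if path.startswith("\\\\?\\"):
        return path
    return "\\\\?\\UNC\\" + path[2:] if path.startswith("\\\\") else "\\\\?\\" + path


if __name__ == "__main__":
    for root_key, r in triage(SAMPLE_REG).items():
        print(root_key, r["image_path"], extended_length_path(r["app_directory"]), *r["findings"], sep="\n  ")
```

Run against the full export from the post, the script reports the same findings three times (ControlSet001, ControlSet002 and CurrentControlSet), which is expected: CurrentControlSet is a link to the active numbered control set, so a service registered while it was active shows up in both. The Security value (a binary security descriptor) and the Enum subkey holding Root\LEGACY_<NAME>\0000 are the ordinary per-service subkeys the service controller and PnP manager create, so they carry no indicator of their own; the decoded ImagePath, the parameters\Application target and the reserved-name directory are where the signal is.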