Security Incidents mailing list archives

RE: Port 608/trojan/spam


From: "Garramone, Michael (CCI-Las Vegas)" <Michael.Garramone () cox com>
Date: Sat, 28 Sep 2002 20:37:38 -0400

We discovered more this week.  We also found a lot of Wingate proxies disguised as mmtask.exe, as well as port 113 
listening along with 608.  Telnet to port 608 still returned a number sequence and telnet to port 113 returned a 
UNIX:IDENTD name.

We have had success cleaning the PCs, but we're still not sure of how the customers have gotten compromised and we've 
had several more customers affected since.  Our suspicion is just unsafe Internet use, such as low browser security 
settings or lack of updating OS patches.

The files were started in win.ini (run= and load=), system.ini (load=), and in the registry under 
hkey_local_machine\software\microsoft\windows\currentversion\run and \runservices.  Some were still in use even after 
removing them from being run on startup and had to be deleted in MS-DOS mode or Safe Mode.

The following files were involved.  All affected PCs had mmtask.exe; the rest were not all on the same PC, but there 
was a combination of several on each:

iexplorer.exe
mmtask.exe
mntask.exe
mptask.exe
snd32.exe
snd32c.exe
snd32r.exe
fst32r.exe
pgtllvabtl.exe
slideshow.exe
res32.reg
settings.reg
nbvlk32.ndr

Once the known files were deleted and everything suspicious was removed from startup, we did a scan at 
http://housecall.antivirus.com.  Housecall was never able to find Wingate, but it was able to find and delete other 
trojans and backdoors (subseven, latinus, sua, lithium, net-devil) now that they were not in use.  Once all of this was 
done, port 113 and 608 were no longer listening.
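A defender-side check modelled on the cleanup described above, added here as an example and not part of the original post: it parses win.ini/system.ini text, pulls out every program launched from a run= or load= line, and flags the ones whose file name matches the list in the message. The parser is a minimal one written for this example, the sample win.ini content is constructed, and the registry Run/RunServices entries from the report are not covered.

```python
import re

# File names the report lists as involved (every affected PC had mmtask.exe).
SUSPECT_FILES = {
    "iexplorer.exe", "mmtask.exe", "mntask.exe", "mptask.exe", "snd32.exe", "snd32c.exe",
    "snd32r.exe", "fst32r.exe", "pgtllvabtl.exe", "slideshow.exe"}

# The report names win.ini run=/load= and system.ini load= as launch points.
AUTOSTART_KEYS = {"run", "load"}

def parse_ini(text):
    """Minimal parser for win.ini/system.ini text: {section: {key: value}}."""
    sections, current = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif "=" in line:
            key, value = line.split("=", 1)
            sections.setdefault(current, {})[key.strip().lower()] = value.strip()
    return sections

def autostart_entries(text):
    """(section, key, program) for every program a run=/load= line launches.
    A single line may name several programs separated by commas or spaces."""
    entries = []
    for section, kv in parse_ini(text).items():
        for key in sorted(kv):
            if key in AUTOSTART_KEYS:
                for program in re.split(r"[,\s]+", kv[key]):
                    if program:
                        entries.append((section, key, program))
    return entries

def flag_suspects(text):
    """Entries whose file name matches one of the files named in the report."""
    return [e for e in autostart_entries(text)
            if e[2].replace("/", "\\").rsplit("\\", 1)[-1].lower() in SUSPECT_FILES]

# Constructed sample win.ini for demonstration; not taken from a real host.
SAMPLE_WIN_INI = """[windows]
load=C:\\WINDOWS\\SYSTEM\\mmtask.exe
run=C:\\WINDOWS\\snd32.exe C:\\Progra~1\\Sound\\mixer.exe
"""

if __name__ == "__main__":
    print(flag_suspects(SAMPLE_WIN_INI))
```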

-----Original Message-----
From: Altheide, Cory [mailto:CAltheide () broadband att com]
Sent: Saturday, September 28, 2002 1:18 PM
To: Garramone, Michael (CCI-Las Vegas)
Subject: Port 608/trojan/spam


I do abuse work (among other things) for AT&T Broadband - and we've been
seeing the same activity you described on the Incidents List back in early
September.

"Last week I received spam complaints against 4 different customers, all the
same message and all with no knowledge of the incident. The only similarity
I could find was port 608 open on each user's machine. Telnet to this port
returned a number sequence, and successive telnets increased the number
returned. Each customer found a trojan/backdoor installed, but not all the
same one ... They included a variant of subseven, latinus, sua.a, and sua.b.
McAfee and Norton did not find them, but the customers may not have had the
latest virus definition updates."

I've also found WinGate installed in some of these cases - although it's not
clear if that was done before or after the compromise.

I'm currently investigating some of these cases in greater detail - do you
have any further information on this?

Thank you,

Cory Altheide
AT&T Broadband Legal Demands Center
caltheide () broadband att com



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

