Backdoor.Trojan / Trojan.Clampi and Trojan.Dropper

Are you also posting on the other site?  Those people could really make use of your expertise.  Here, there are only two of you discussing your problem. 

Thanks SecPro.

 

I've been working on this since early Saturday morning. I have about 1200 domain PCs, and 150 or so servers, with a mixture of NAV (I know, I know), SAV Corp, and Endpoint. Been trying to convert to SEP slowly.

 

Called Symantec on Sunday morning when I was completely stumped. They pointed me to a Rapid Release AV def file, and that started finding Clampi.

 

Unfortunately, we didn't seem to start picking up the 2.exe till Monday's definition updates, so we have been scouring the network again.

 

After reading your very excellent write up, I'm going to have to get the help desk to go back through pretty well every machine again.

 

Thanks very, very much for your insight. Wrong forum or not.

 

Kyle

We had the same problems and were able to log connections going to China IP address 61.153.3.48. Do you know any more?

 

I have yet to identify any addresses that look to be suspicious, Thin.

 

My Sonicwall is not seeing any traffic to or from the address you mentioned.

 

I'm combing some logs to see if I can ID one.

Here are all the URLs that are currently being used. Keep in mind that this can auto-update:

 

147.202.39.101//TCD7sC5XKwiSIhNU
195.225.236.4//iZkzNqoPiHeOQaUl
202.181.96.87//SfrN7ItOKtIg87t9
207.44.240.22//FjFcB74BmIlgzEhr
209.85.112.10//TCD7sC5XKwiSIhNU
209.85.120.100//8uZfmVuNMekCoBhZ
216.55.137.46//M1JJ9znqqoFqAKpy
216.55.190.49//KaskXXLNOPPGRZtI
66.240.226.206//5fEBBpgPFNGYGbuH
67.15.236.244//iZkzNqoPiHeOQaUl
69.57.140.18//aJdup6JXYU4LNrIo
72.29.66.235//GYflkupq9oGNoL3X
83.175.218.163//yGRkksJXDmuPPPMG
94.75.221.68//FZbD2PHaCNBhbo6Y
admin.viennaweb.at//
drugs4sale.loderunner.in//IFQG1NO7bKZj842i
webmail.re-factoring.cn//GVuFF0aUUA3wpz2k

 

 

A complete list of current URLs can be pulled from:

HKCU\Software\Microsoft\Internet Explorer\Settings\Gatelist

 

It will not be in plain text, but it is readable, or you can convert it to something meaningful.

 

Sorry for the delay in the response. I don't check in often as I only expect flames for helping out in the wrong forum.

 

Update: they don't like the format of the URLs; the site converted the list to something far more difficult to read. PM and we can talk offline without the limitations.
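As an added example (not from any poster in this thread), here is a small Python script that parses the gate list exactly as posted above, as host//token pairs, and then checks firewall and proxy log lines against it. The log lines are constructed for the example and are not a real Sonicwall or proxy capture; the dst=/host= key names and the Apache-style proxy line are assumptions about whatever format your own logs use. It matches on the request path token as well as on the host, because the posted list already shows the same token being served from more than one address (TCD7sC5XKwiSIhNU from 147.202.39.101 and 209.85.112.10, iZkzNqoPiHeOQaUl from 195.225.236.4 and 67.15.236.244), so after the list auto-updates a new gate host can still be spotted by its token.

```python
import re

# The gate list as posted in the thread: whitespace-separated host//token entries.
# A trailing "//" with nothing after it (admin.viennaweb.at//) is a host-only entry.
GATELIST_TEXT = """
147.202.39.101//TCD7sC5XKwiSIhNU 195.225.236.4//iZkzNqoPiHeOQaUl 202.181.96.87//SfrN7ItOKtIg87t9
207.44.240.22//FjFcB74BmIlgzEhr 209.85.112.10//TCD7sC5XKwiSIhNU 209.85.120.100//8uZfmVuNMekCoBhZ
216.55.137.46//M1JJ9znqqoFqAKpy 216.55.190.49//KaskXXLNOPPGRZtI 66.240.226.206//5fEBBpgPFNGYGbuH
67.15.236.244//iZkzNqoPiHeOQaUl 69.57.140.18//aJdup6JXYU4LNrIo 72.29.66.235//GYflkupq9oGNoL3X
83.175.218.163//yGRkksJXDmuPPPMG 94.75.221.68//FZbD2PHaCNBhbo6Y admin.viennaweb.at//
drugs4sale.loderunner.in//IFQG1NO7bKZj842i webmail.re-factoring.cn//GVuFF0aUUA3wpz2k
"""

# Constructed log lines for the example (not a real Sonicwall or proxy capture).
# 198.51.100.7 is a documentation address standing in for a gate host not on the list yet.
SAMPLE_LOG = [
    'Mar 10 09:14:02 fw01 msg="Connection Opened" src=10.1.4.22:1337 dst=209.85.120.100:80 proto=tcp',
    'Mar 10 09:14:05 fw01 msg="Connection Opened" src=10.1.4.22:1338 dst=61.153.3.48:80 proto=tcp',
    '10.1.4.31 - - [10/Mar/2009:09:15:44 -0500] "GET http://198.51.100.7/iZkzNqoPiHeOQaUl HTTP/1.1" 200 512',
    '10.1.4.31 - - [10/Mar/2009:09:15:51 -0500] "GET http://www.example.com/index.html HTTP/1.1" 200 1024',
    'Mar 10 09:16:10 fw01 msg="Connection Opened" src=10.1.4.40:1402 dst=10.1.4.1:53 proto=udp',
]

# key=value destination fields (assumed names) and URLs embedded in proxy lines
KV_HOST_RE = re.compile(r"\b(?:dst|dstname|host)=([^\s,]+)", re.I)
URL_RE = re.compile(r'https?://([^/\s"]+)(/[^\s"]*)?', re.I)


def parse_gatelist(text):
    """Return {host: token} for every host//token entry; token is '' for host-only entries."""
    entries = {}
    for item in text.split():
        host, sep, token = item.partition("//")
        if sep and host:
            entries[host.lower()] = token
    return entries


def scan_log(lines, entries):
    """Return [(line_number, reason)] for lines that touch a gate host or request a gate token."""
    tokens = {t for t in entries.values() if t}
    hits = []
    for n, line in enumerate(lines, 1):
        # collect destination hosts from key=value fields, stripping any :port suffix
        hosts = {h.lower().rsplit(":", 1)[0] for h in KV_HOST_RE.findall(line)}
        path = ""
        m = URL_RE.search(line)
        if m:
            hosts.add(m.group(1).lower().rsplit(":", 1)[0])
            path = (m.group(2) or "").strip("/")
        matched = sorted(h for h in hosts if h in entries)
        if matched:
            hits.append((n, "gate host " + matched[0]))
        elif path in tokens:
            # host not (yet) on the list, but the requested path is a known gate token
            hits.append((n, "gate token " + path))
    return hits


if __name__ == "__main__":
    gates = parse_gatelist(GATELIST_TEXT)
    for line_no, reason in scan_log(SAMPLE_LOG, gates):
        print(f"line {line_no}: {reason}")
```

Run it against an export of your firewall or proxy logs by replacing SAMPLE_LOG with the file's lines; the second constructed line shows that a destination such as 61.153.3.48, which is not in the posted list, is not flagged by host, so a new address has to be caught either by a refreshed list or by its token in a proxy log.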

I would be happy to jump on the other thread but I do not see any links in your post. If you could repost or pm the links to the appropriate thread I'd appreciate it.

 

 

We are having the same exact issue since last Thursday and we are using Symantec Endpoint Protection. Can someone please put the link to the Enterprise thread in this one so we can cross-reference each other? Also, Enterprise support is saying that we are clean and we should not have any more problems, even though we still have the virus bouncing around in our network, user machines are getting DOS windows popping up, and there are network issues.

 

Anyone notice that this is creating roaming profiles under the C:\Documents and Settings folder, and it looks like it is grabbing Active Directory account login names to do so? We are currently getting approximately 50 user profiles created on a machine.

 

I have found that this is also dropping old Windows files into the C:\Documents and Settings\username\Application Data folder, files like sound.exe, taskman.exe, rundll.exe, logon.exe and other files.

 

Props to SecurityPro for posting here with his valuable information. You have provided more insight into this virus than our Enterprise Support has, since they say everything is clean.

 

Peace,

 

Bry

Hi, in response to bdykes' post, we too found this was happening, and I created a quick and dirty batch file which stops whatever process the virus is calling itself, by querying the registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run and looking for the logged-on user's profile path (%userprofile%). Copy and paste the following into a text file and call it viruskill.bat or whatever you like. Once it has run, Norton should be able to either quarantine or heal the infected file. Hope this helps. This has been tested on XP SP2, SP3 and Vista; all utils are built in to the OS.

 

@reg query hkcu\software\microsoft\windows\currentversion\run /s|find /i "%userprofile%" > reg.txt
@rem tokens=1,2,* keeps the data (a path with spaces) whole in %%c instead of splitting it across %%c..%%f; kill before deleting, or del fails on the running file
@for /f "tokens=1,2,*" %%a in (reg.txt) do (echo Virus name is %%a & taskkill /fi "USERNAME eq %userdomain%\%username%" /im %%a & echo Deleting %%c & del "%%c" & reg delete hkcu\software\microsoft\windows\currentversion\run /f /v %%a)
@del "%userprofile%\Start Menu\Programs\Startup\uninstall.exe"
@reg delete "hkcu\software\microsoft\Internet Explorer\settings" /v /f Gatelist




 

Apologies

 

@reg delete "hkcu\software\microsoft\Internet Explorer\settings" /v /f Gatelist

 

Should be

 

@reg delete "hkcu\software\microsoft\Internet Explorer\settings" /f /v Gatelist

Hi All

I believe Yogesh put the link in for the enterprise forums. I have to be a bit cheeky here and say that, with all your expertise, you cannot find the link??? Glad you can sort this problem out!

http://www.symantec.com/connect/

I think Symantec has revamped your site. Hope this helps.

Hi again (starting to feel like a spammer). I've added in the delete section to get rid of the GID, KeyM & KeyE entries also, and I've taken out the echo part, which flashed by so quickly it was missed anyway.

 

 

@echo off

rem List every Run value whose data points into the logged-on user's profile
reg query hkcu\software\microsoft\windows\currentversion\run /s | find /i "%userprofile%" > reg.txt

rem Token 1 of each matching line is the value name, which the virus also uses as its exe name
for /f "tokens=1" %%a in (reg.txt) do (
    echo Virus name is %%a
    taskkill /fi "USERNAME eq %userdomain%\%username%" /im %%a
    reg delete hkcu\software\microsoft\windows\currentversion\run /f /v %%a
)

rem Startup-folder copy (path quoted, as "Start Menu" contains a space) and the IE Settings values it writes
del "%userprofile%\Start Menu\Programs\Startup\uninstall.exe"
reg delete "hkcu\software\microsoft\Internet Explorer\settings" /f /v Gatelist
reg delete "hkcu\software\microsoft\Internet Explorer\settings" /f /v GID
reg delete "hkcu\software\microsoft\Internet Explorer\settings" /f /v KeyM
reg delete "hkcu\software\microsoft\Internet Explorer\settings" /f /v KeyE

exit
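As an added example that is not the batch poster's script, here is the same clean-up logic in Python, written so it can be checked offline before anything is run on a box. It parses reg query /s output (a constructed sample below, not a real capture) with a regex instead of whitespace tokens, so a value name or path containing spaces survives intact; it takes the image name for taskkill from the executable's file name rather than from the Run value name; and it emits the command sequence (kill, delete file, delete Run value, then the startup-folder copy and the Gatelist/GID/KeyM/KeyE values) as quoted strings for review instead of executing them. The /f on taskkill, the CORP\kyle account and the profile path are assumptions for the example.

```python
import ntpath
import re

# Constructed sample of what "reg query HKCU\...\Run /s" prints (not a real capture).
# XP separates the columns with tabs and Vista with runs of spaces; the regex below accepts both.
USERPROFILE = r"C:\Documents and Settings\kyle"
SAMPLE_REG_QUERY = r"""
! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    sound    REG_SZ    C:\Documents and Settings\kyle\Application Data\sound.exe
    Windows Logon    REG_SZ    "C:\Documents and Settings\kyle\Application Data\logon.exe" /s
    MSMSGS    REG_EXPAND_SZ    "C:\Program Files\Messenger\msmsgs.exe" /background
""".splitlines()

# name, type, data: the name is matched lazily so a name containing spaces is kept whole
RUN_VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")

RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
IE_SETTINGS_KEY = r"HKCU\Software\Microsoft\Internet Explorer\Settings"
IE_SETTINGS_VALUES = ("Gatelist", "GID", "KeyM", "KeyE")


def first_exe_path(data):
    """Extract the executable path from Run value data, quoted or not, dropping any arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    parts = data.split()
    for i, part in enumerate(parts):
        # unquoted path with spaces: keep joining tokens until one ends in .exe
        if part.lower().endswith(".exe"):
            return " ".join(parts[: i + 1])
    return parts[0] if parts else ""


def find_profile_run_values(lines, userprofile):
    """Return [(value_name, exe_path)] for Run entries whose executable lives under the profile."""
    prefix = userprofile.lower().rstrip("\\") + "\\"
    hits = []
    for line in lines:
        m = RUN_VALUE_RE.match(line)
        if not m:
            continue
        exe = first_exe_path(m.group("data"))
        if exe.lower().startswith(prefix):
            hits.append((m.group("name"), exe))
    return hits


def cleanup_commands(hits, userprofile, userdomain, username):
    """Build the cmd.exe clean-up sequence as strings: kill first, then delete file, value and leftovers."""
    cmds = []
    for name, exe in hits:
        image = ntpath.basename(exe)  # taskkill wants the image name, not the Run value name
        # /f forces termination (assumption for the example); without it the process may ignore the request
        cmds.append(f'taskkill /f /fi "USERNAME eq {userdomain}\\{username}" /im {image}')
        cmds.append(f'del "{exe}"')
        cmds.append(f'reg delete "{RUN_KEY}" /f /v "{name}"')
    cmds.append(f'del "{userprofile}\\Start Menu\\Programs\\Startup\\uninstall.exe"')
    for value in IE_SETTINGS_VALUES:
        cmds.append(f'reg delete "{IE_SETTINGS_KEY}" /f /v {value}')
    return cmds


if __name__ == "__main__":
    found = find_profile_run_values(SAMPLE_REG_QUERY, USERPROFILE)
    for cmd in cleanup_commands(found, USERPROFILE, "CORP", "kyle"):
        print(cmd)
```

On a real machine, feed it the output of reg query redirected to a file and the real %USERPROFILE%, %USERDOMAIN% and %USERNAME%, review the printed lines, and only then paste them into a cmd prompt or save them as a .bat; the point of generating rather than executing is that a mis-parsed path becomes visible before anything is deleted.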

 

bdykes wrote:

 

Anyone notice that this is creating roaming profiles under the C:\Documents and Settings folders and it looks like it is grabbing active directory account login names to do so. We are currently getting approximately 50 user profiles created on a machine.


That was one of the 1st things we did notice. We have about 20 or so profiles showing up on many, many machines.

 

I am still not finding the PsExec service on all the infected machines. Some have the uninstall.exe in the many profiles, and maybe the 2.exe, others still have the sound.exe, or some variant, as another poster mentioned.

 

However, if I run psloggedon (from sysinternals) in this context "c:\psloggedon <username>" (where <username> is one of the profile names you see frequently on infected machines), it shows me which machines that username is logged into, supposedly locally.

 

When I go to these machines, I inevitably find the PsExec service, the Gatelist registry entry, 2.exe, the whole ball of wax.

 

By eliminating these infections, as detailed by SecPro, I seem to be gaining ground on re-infections.

 

 

I was the person who posted the message originally and may have hidden the effects of the Trojan in my organisation by removing the Admin shares on all of our PCs, then running full scans on each PC to remove the Trojan. Since then, we have had no more instances of the 16-bit DOS Subsystem error nor any excessive network traffic.

 

What concerns me more is that I posted on Monday 2nd March AND we reported this issue to Symantec Technical Support on Tuesday 3rd March and yet Symantec don't seem to have released definition files that sort this issue out (I'm assuming they can't have if others are still experiencing this problem). Believe it or not I am still, despite chasing, waiting for Symantec Tech Support to come back to me. And believe me, when you chase that call, you are in their call queue for what seems like an hour waiting to actually talk to someone.

 

I appreciate that Symantec can only resolve an issue once it's out there but how much longer do they need?

 

Any thoughts?

 

Cheers

MG

mo, if you have not been over to the Enterprise forum yet, check it out and try to find the post we are referring to. Bet you won't find it. Symantec has revamped their Enterprise site alright. So much so you cannot find anything or search anything. The only thing I have found over there in the last 2 days is the fact that a website can indeed induce a migraine headache. Finding a post or topic there is like finding a needle in a haystack. It is basically an unusable forum now, unlike this forum's format. Funny, I.T. is always under the gun to find a solution to a problem ASAP, so change the forum so that nobody can actually find something. Brilliant!

 

Support is telling us we are clean and keeps wanting to close our support calls and our Rep is saying that our problem is not virus related and that we need to get a Symantec 3rd party partner to come in and clean up!

I get your point. I took one look at it and thought, where do you start to look! Keep things simple, eh! Welcome to our side, where we are plain old basic, no frills.

Post away, my friend.

Too funny. Symantec is sticking to their guns and saying we are clean and that this was not caused by a virus. But yet 2 other Antivirus software providers have solutions in place to clean this virus. Symantec, if they can't figure it out, it isn't a problem!

I have, unfortunately, closed my original ticket.

 

To my chagrin, after 2 weeks of chasing things down, clearing quarantines, disabling PsExec, removing registry entries, etc, imagine my dismay to find 1500 new quarantine items in my Endpoint manager this morning!

 

The trouble was 2 machines in particular, neither of which I had touched before.

 

Both had PsExec in their services, enabled but not running. I disabled it on both. Both had dozens of entries in "c:\documents and settings\application data\symantec\Symantec Endpoint Protection\xfer"; all had been quarantined, which is how I hope they got there in the 1st place.

 

I am absolutely not sure what to do next. I have probably 1200 machines to deal with, about 75% of which are still on SAV Corp 10.

 

Neither endpoint nor SAV seems to be doing a very effective job of truly cleaning this.