The recent port 135, 137-139, and 445 exploits have hit many organizations hard. The good folks at Purdue University have put together some guidelines for detecting and cleaning your system if you've been hit.
Exploit Variants:
------------------------------------------------------------------------
Variant 1
The following file is uploaded to vulnerable systems:
%WINDIR%\system32\NX.EXE This file is a Paquet Builder self-executing (SFX) file. When executed on the compromised machine, the SFX creates the following file structure:
%WINDIR%\system32\qossrv
- - v1.0D (Haley) -
- aysshell.exe
- cdir.txt
- csrss.exe
- FireDeamon.exe
- libeay32.dll
- mswinsck.ocx
- pskill.exe
- secure.exe
- ServUPerfCount.dll
- setup.bat
- ssleay32.dll
- wget.exe
- WinExplorer.dll
- winmgnt.exe
After uncompressing these files, the SFX file is instructed to launch the file %WINDIR%\system32\qossrv\SETUP.BAT to install additional files and services, as well as reconfigure DCOM. Even though SETUP.BAT runs from the command line, it is not seen by the user. Using the UPX unpacker the content of these files is:
winmgnt.exe -- Serv-U Mini-FTP
server csrss.exe -- pAdmin utility with H|TTP and DCC capabilities
Secure.exe -- Possibly a secure shell? No good clues from strings
output. Appears to reference VBA libraries
After SETUP.BAT executes, the following files can be found:
%WINDIR%\system32
- securedcom.reg
- securedcom.reg.1
%WINDIR%\system32\qossrv
- aysinstlog.txt
- securedcom.reg
- secure.bat
- go.bat
- SystemUptimeLog.ocx
In addition, three services are installed using aysshell.exe. This is a utility by Prism Microsystems called At Your Service that allows a user to easily run almost any executable file or script as a service.
Information on this product can be found at: (
http://www.prismmicrosys.com/atyours...vice-index.htm)
This is used to launch csrss.exe, secure.exe, and winmgnt.exe as system services. The services can be viewed in the Services Console in Windows 2000 or Windows XP are as follows:
"NTF" (this is WINMGNT.EXE)
"NTP" (this is CSRSS.EXE)
"NTS" (this is SECURE.EXE)
WINMGNT.EXE is the executable for ServU-FTP. ServU-FTP is popular for this, as it is compact, and easily portable from machine to machine. It listens on ports 5555 and 48522. Checking for connections on these ports is also recommended. What calls GO.BAT or SECURE.BAT is undetermined, but both of these batch files simply import the securedcom.reg into the local registry. This disables the DCOM service. After this is complete, the "Computer Browser" and "Server" services are no longer running. They can be manually started, but do not run as expected on system boot up.
How to clean machines infected with variant
Stop the Services:
Net Stop "NTP" Net Stop "NTS" Net Stop "NTF"
Unregister the OCX Files:
regsvr32 /u /s %WINDIR%\system32\qossrv\mswinsck.ocx
regsvr32 /u /s %WINDIR%\system32\qossrv\systemuptimelog.ocx
Delete the Files:
del %WINDIR%\system32\nx.exe
del %WINDIR%\system32\securedcom.reg
del %WINDIR%\system32\securedcom.reg.1
del %WINDIR%\system32\qossrv\*.*
Remove the Directory:
rd /s /q %WINDIR%\system32\qossrv
Delete the Registry Value:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run \NTLDM
Delete the Registry Keys:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTF
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTP
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NTS
HKLM\SYSTEM\CurrentControlSet\Services\NTF
HKLM\SYSTEM\CurrentControlSet\Services\NTP
HKLM\SYSTEM\CurrentControlSet\Services\NTS
Note : Some registry entries may be installed with special permissions so that only the SYSTEM has full control. To remove them, right click on the entry, click permissions, and give everyone full control. You will then be able to delete them.
Modify the following Registry Key:
HKLM\Software\Microsoft\Ole\EnableDCOM=Y
Restart the Services:
NET START "Server"
NET START "Computer Browser"
------------------------------------------------------------------------
Variant 2
The services created by variant 2 are TCPIPenum, NTLMsDB, and IPconfig. Payload is installed in WINNT regardless of your actual Windows folder. Administrators may wish to hand clean these folders as they may contain essential items. Also Note that the folders themselves have both the hidden and system attributes. You may need deltree which is included in the cleanup package in case you don't already have it. The following files must be deleted:
C:\WINNT\system32\config\aysshell.exe
C:\WINNT\system32\dhcp\csrsslsrms.dll
C:\WINNT\system32\dhcp\explorer.exe
C:\WINNT\system32\dhcp\fport.exe
C:\WINNT\system32\dhcp\igfxtray.exe
C:\WINNT\system32\dhcp\nc.exe
C:\WINNT\system32\dhcp\ntlmconf.dll
C:\WINNT\system32\dhcp\pskill.exe
C:\WINNT\system32\dhcp\pslist.exe
C:\WINNT\system32\dhcp\rar.exe
C:\WINNT\system32\dhcp\reg.exe
C:\WINNT\system32\dhcp\rmns.exe
C:\WINNT\system32\dhcp\service.exe
C:\WINNT\system32\dhcp\SystemUptimeLog.ocx
C:\WINNT\system32\dhcp\tlister.exe
C:\WINNT\system32\dhcp\wget.exe
C:\WINNT\system32\dhcp\winexplorer.dll
C:\WINNT\system32\dhcp\home\tar.exe
C:\WINNT\system32\restore\binary.gif
C:\WINNT\system32\restore\compressed.gif
C:\WINNT\system32\restore\csrss.exe
C:\WINNT\system32\restore\del.gif
C:\WINNT\system32\restore\dir.gif
C:\WINNT\system32\restore\folder.open.gif
C:\WINNT\system32\restore\image1.gif
C:\WINNT\system32\restore\image2.gif
C:\WINNT\system32\restore\movie.gif
C:\WINNT\system32\restore\MSWINSCK.OCX
C:\WINNT\system32\restore\pdf.gif
C:\WINNT\system32\restore\pskill.exe
C:\WINNT\system32\restore\reg.exe
C:\WINNT\system32\restore\script.gif
C:\WINNT\system32\restore\service.exe
C:\WINNT\system32\restore\sound2.gif
C:\WINNT\system32\restore\tar.gif
C:\WINNT\system32\restore\text.gif
C:\WINNT\system32\restore\unknown.gif
%windir%\system32\securedcom.reg
%windir%\system32\wge.exe
The following registry entry must be removed:
Registry Value:
HKEY_LOCAL_MACHINE\software\microsoft\windows\curr ent_version\run\QoSsrv$ (runs %windir%\system32\restore\csrss.exe)
Registry Keys:
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\r oot\legacy_tcpipenum
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Enum\r oot\legacy_ntlmsdb
HKEY_LOCAL_MACHINE\system\CurrentControlSet\servic es\ipconfig
HKEY_LOCAL_MACHINE\system\CurrentControlSet\servic es\TCPIPenum
HKEY_LOCAL_MACHINE\system\CurrentControlSet\servic es\NTLMsDB
Linear Mode
