ton of outgoing TCP 3389 from svchost.exe
In a new windows 2003 R2 server, I'm noticing every few minutes, svshost.exe is opening a ton of outgoing TCP 3389 connections. I ran an a/v scanner over it and it's clean. Can it be hacked already??? has anyone seen this before?
thank you
BarrySDCA
August 25th, 2011 2:21pm
Seeing a similar issue at a client site. Any resolution? No AV scanners are detecting anything.
Free Windows Admin Tool Kit Click here and download it now
August 25th, 2011 8:01pm
I've run all the scanners over it I can think of. nothing is detecting anything. yet running netstat -ano 1 and watching it shows every 10 min or so, a flood of TCP 3389 (which is RDP) connection attempts out to seemingly random IP addresses.
Our firewall is blocking it from getting out and it keeps trying.
I would normally delete and install a new one, however this was just reinstalled yesterday new because of the same issue. I assumed it was a virus infection and something trying to brute force rdp hack out. the subscriber HAS logged into the
machine since we provisioned it, but i don't see anything unusual installed and nothing is detecting a virus or worm, etc..
BarrySDCA
August 25th, 2011 8:22pm
Have you tried applying MS11-065 yet? http://www.microsoft.com/technet/security/bulletin/ms11-065.mspx
This was released on 8/9 and addresses an RDP vulnerability.
Free Windows Admin Tool Kit Click here and download it now
August 25th, 2011 8:24pm
It's already installed. the OS is completely up to date.
this is a hosted VM. I have a feeling whatever it is, it came in over RDP disk share from the subscribers PC.
BarrySDCA
August 25th, 2011 9:29pm
In a new windows 2003 R2 server, I'm noticing every few minutes, svshost.exe is opening a ton of outgoing TCP 3389 connections. I ran an a/v scanner over it and it's clean. Can it be hacked already??? has anyone seen this before?
First of all, hope that "svshost" is a typo and you meant "svchost" otherwise that process name would be really suspicious; that said, start by downloading
this tool, extract the files from the "zip" to whatever suitable folder and then run the program; at this point locate the "svchost"
instance carrying out all those RDP connections and double click on it; in the panel which will appear, look carefully at the path for the file and ensure it's pointing to the windows folder and not elsewhere, then click on the "services" tab and check which
services are running under that instance; there may be some "strange" services there, if that's the case then you found your culprit
As for scanning/cleaning the box, my suggestion is to find another clean/trusted machine (a regular PC) with a CD-burner and use it to download the
Microsoft System Sweeper; done that, run the tool and proceed creating the CD; at that point, use the generated CD to boot the "problem
system" and proceed with a full scan/clean
Notice that, in case the scanner will find (and possibly remove) something, you must keep in mind that the system was (and is) compromised and that you can't trust it anymore; the best solution in such a case would be flattening and reinstalling the system;
I know, it sounds "hard" but there's no other way to ensure that the system is really clean; if you aren't convinced, please read
this and
this
HTH
Free Windows Admin Tool Kit Click here and download it now
August 26th, 2011 4:27am
Seeing a similar issue at a client site. Any resolution? No AV scanners are detecting anything.
If it's a "rootkit" (as I suspect) a regular scanner won't probably be able to "see" it; to scan the system you'll need a scanner running from a boot CD like the
Microsoft System Sweeper the problem is that many/most malware of this kind usually, after infecting a system, places a number of "hooks" in some calls (disk, registry) so a scanner running
inside the compromised OS (and calling the OS function) will go through such hooks and, by the way, the malware will take care of hiding itself... or even crashing the scanner in some cases; this is why running the scan from a BootCD without activating the
compromised OS is the only way to ensure to really scan the system
August 26th, 2011 6:14am
can you write complete information of packets ? from ip/port to ip/portEdoardo Benussi
Microsoft MVP - Management Infrastructure
edo[at]mvps[dot]org
Free Windows Admin Tool Kit Click here and download it now
August 26th, 2011 8:40am
can you write complete information of packets ? from ip/port to ip/port
Good point; a snippet of the output of a "netstat -ano" command would help clarify the issue !
August 26th, 2011 9:14am
I'm seeing similar issues with outbound 3389 on windows server 2003. I have it blocked in my firewall but theirs over 10,000 outbound connections to random ip address on port 3389. Any word yet on what this is?
Free Windows Admin Tool Kit Click here and download it now
August 26th, 2011 11:09am
Can anyone confirm this file and/or fix?
http://forums.majorgeeks.com/showthread.php?p=1659242
August 26th, 2011 11:12am
Can anyone confirm this file and/or fix?
http://forums.majorgeeks.com/showthread.php?p=1659242
First of all, the above thread is from 2007; second, instead of going through all that, I'd run the
Microsoft System Sweeper (as for my other messages) booting the system from its CD and proceeding with a full scan; third, given that we're talking about a server... read
this and
this - also, and since we're at it; once the issue will be fixed, it will be a good idea ensuring that all your systems are up-to-date (servicepacks, hotfixes...) and, given that you can't know which data have been stolen from the system, you'll probably
need to reset all passwords to avoid future intrusion attempts
Free Windows Admin Tool Kit Click here and download it now
August 26th, 2011 11:18am
please, post a snippet of the output of a "netstat -ano".Edoardo Benussi
Microsoft MVP - Management Infrastructure
edo[at]mvps[dot]org
August 26th, 2011 11:26am
please, post a snippet of the output of a "netstat -ano".
Yeah; asked the same; that one may help a lot... also, once having such an output, it will be easier to use "process explorer" (see my other message in this discussion) to find out, using the process ID, the process carrying out those connections and, if
it's an instance of svchost, to look at the services running under it
Free Windows Admin Tool Kit Click here and download it now
August 26th, 2011 11:33am
I keep trying to post the output but nothing happens. I guess this system doesn't let me post that many lines.
August 26th, 2011 1:16pm
Here is the netstat output. I replaced the actual IP for 1.2.3.4
Also, I already checked it with processexplorer. svchost.exe, nothing running under it
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 708
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING 2256
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING 464
TCP 0.0.0.0:2717 0.0.0.0:0 LISTENING 2256
TCP 1.2.3.4:139 0.0.0.0:0 LISTENING 4
TCP 1.2.3.4:2258 144.176.55.204:3389 SYN_SENT 832
TCP 1.2.3.4:2259 106.218.17.126:3389 SYN_SENT 832
TCP 1.2.3.4:2260 82.159.196.249:3389 SYN_SENT 832
TCP 1.2.3.4:2261 35.13.212.21:3389 SYN_SENT 832
TCP 1.2.3.4:2262 98.89.156.119:3389 SYN_SENT 832
TCP 1.2.3.4:2263 172.183.83.244:3389 SYN_SENT 832
TCP 1.2.3.4:2264 2.22.184.226:3389 SYN_SENT 832
TCP 1.2.3.4:2265 179.151.241.111:3389 SYN_SENT 832
TCP 1.2.3.4:2266 188.131.141.230:3389 SYN_SENT 832
TCP 1.2.3.4:2267 88.184.60.211:3389 SYN_SENT 832
TCP 1.2.3.4:2268 19.246.27.204:3389 SYN_SENT 832
TCP 1.2.3.4:2269 81.1.120.167:3389 SYN_SENT 832
TCP 1.2.3.4:2270 104.115.210.138:3389 SYN_SENT 832
TCP 1.2.3.4:2271 131.91.148.141:3389 SYN_SENT 832
TCP 1.2.3.4:2272 106.33.203.220:3389 SYN_SENT 832
TCP 1.2.3.4:2273 146.144.143.13:3389 SYN_SENT 832
TCP 1.2.3.4:2274 112.102.238.103:3389 SYN_SENT 832
TCP 1.2.3.4:2275 131.189.149.95:3389 SYN_SENT 832
TCP 1.2.3.4:2276 102.153.148.25:3389 SYN_SENT 832
TCP 1.2.3.4:2278 62.223.59.50:3389 SYN_SENT 832
TCP 1.2.3.4:2279 23.176.169.236:3389 SYN_SENT 832
TCP 1.2.3.4:2280 196.58.220.170:3389 SYN_SENT 832
TCP 1.2.3.4:2281 210.22.139.241:3389 SYN_SENT 832
TCP 1.2.3.4:2282 82.67.109.50:3389 SYN_SENT 832
TCP 1.2.3.4:2283 82.67.109.50:3389 SYN_SENT 832
TCP 1.2.3.4:2285 2.47.235.208:3389 SYN_SENT 832
TCP 1.2.3.4:2286 83.119.15.163:3389 SYN_SENT 832
TCP 1.2.3.4:2287 5.148.138.247:3389 SYN_SENT 832
TCP 1.2.3.4:2288 5.148.138.247:3389 SYN_SENT 832
TCP 1.2.3.4:2289 13.47.206.128:3389 SYN_SENT 832
TCP 1.2.3.4:2290 13.47.206.128:3389 SYN_SENT 832
TCP 1.2.3.4:2291 61.3.157.194:3389 SYN_SENT 832
TCP 1.2.3.4:2292 2.254.66.234:3389 SYN_SENT 832
TCP 1.2.3.4:2293 2.254.66.234:3389 SYN_SENT 832
TCP 1.2.3.4:2294 80.205.112.59:3389 SYN_SENT 832
TCP 1.2.3.4:2295 179.81.26.142:3389 SYN_SENT 832
TCP 1.2.3.4:2296 37.99.211.28:3389 SYN_SENT 832
TCP 1.2.3.4:2297 21.232.91.221:3389 SYN_SENT 832
TCP 1.2.3.4:2298 120.206.193.11:3389 SYN_SENT 832
TCP 1.2.3.4:2299 35.205.93.20:3389 SYN_SENT 832
TCP 1.2.3.4:4258 92.123.154.57:80 CLOSE_WAIT 3428
TCP 127.0.0.1:1547 0.0.0.0:0 LISTENING 2424
TCP 127.0.0.1:5152 0.0.0.0:0 LISTENING 1704
TCP 127.0.0.1:5152 127.0.0.1:3236 CLOSE_WAIT 1704
UDP 0.0.0.0:445 *:*
4
UDP 0.0.0.0:500 *:*
464
UDP 0.0.0.0:4500 *:*
464
UDP 1.2.3.4:123 *:*
1836
UDP 1.2.3.4:137 *:*
4
UDP 1.2.3.4:138 *:*
4
UDP 127.0.0.1:123 *:*
1836
^C
C:\
they are not actually connecting because our firewall is detecting the RDP flood and killing the IPBarrySDCA
Free Windows Admin Tool Kit Click here and download it now
August 26th, 2011 1:30pm
I have the same issue at one of my customers as well. Been on the phone with Microsoft Networking team for 3 days.
Do you have entries on your local workstations in the security logs for other computers trying to remote into them with random user accounts, and then failing? this seems to be another symptom with this issue.
August 26th, 2011 1:33pm
by the way, I used processexplorer and made a dump of svchost.exe if anyone wants to dissect it...BarrySDCA
Free Windows Admin Tool Kit Click here and download it now
August 26th, 2011 1:35pm
Hello can anyone help us? We have exactly the same issue. For three days now. We have thrown 8 different scanners and malware fixes, but NOTHING.
Windows servers 2003 and XP clients are infected and SYN FLOOD 3389 packets, which DDOS our firewall.
The Guys from Panda say it is an MBR virus. They have analysed output from a thourough scan of one of our infected servers.
In the process explorer we see: xpsp2res.dll spawning lots of UDP packets (about every 10 minutes, we use process explorer for this)
We see a lot of DNS txt queries to jifr.net and trying to connect randomly to DNS servers.
Wireshark displays many times per second the following line:
10 0.009460 192.168.1.9 111.105.166.32 TCP 66 4935 > ms-wbt-server [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=1 SACK_PERM=1
XP users sometimes get screenlocked by some ghost user who interactively logs on.
We reveive strange emails about Xerox printers.
We are struggling big time here, any help would be appreciated!
Best regards
August 26th, 2011 1:40pm
I had to stop the server so I can put more tools on it without risk of spreading infection. booted the server again and about 10 minutes later it started. I was able to catch on the netstat output 3 connections to an IP in China, port 80.
There is no reason for this server to be contacting IP's in China. The IP is 122.228.207.69
This must be the head-end of the thing
BarrySDCA
Free Windows Admin Tool Kit Click here and download it now
August 26th, 2011 1:48pm
Just a quick update from my end:
i noticed in process monitor some read/write activity on the directory "c:\windows\offline web pages"
when viewing in explorer, the files must be hidden, but when viewed in DOS, there are quite a few files there which appear to be malicious.
I wasnt able to delete all the files from safe mode either. I am going to work on tracking the exact process thread, and end it, then i should be able to delete all the files.
let me know if you see the same in that directory as well.
thanks.
August 26th, 2011 2:06pm
Just a quick update from my end:
i noticed in process monitor some read/write activity on the directory "c:\windows\offline web pages"
when viewing in explorer, the files must be hidden, but when viewed in DOS, there are quite a few files there which appear to be malicious.
I wasnt able to delete all the files from safe mode either. I am going to work on tracking the exact process thread, and end it, then i should be able to delete all the files.
let me know if you see the same in that directory as well.
thanks.
Ignoring the obnoxious comment from ObiWan and reiterating that this thread is relevant and current (and not from 2007 as he suggested)...pleas review....http://forums.majorgeeks.com/showthread.php?p=1659242.
This seems to specifically state the problem at hand. Has anyone has success in removing these files?
Free Windows Admin Tool Kit Click here and download it now
August 26th, 2011 2:09pm
I mounted the infected OS as drive D:
Directory of D:\Windows\Offline web pages
08/26/2011 10:38 AM <DIR> .
08/26/2011 10:38 AM <DIR> ..
08/25/2011 06:30 AM 0 1.60_0824
08/24/2011 04:13 PM 0 2011-08-24 2313
02/18/2007 05:00 AM 7,184 cache.txt
08/26/2011 11:10 AM 29 MainThread.txt
08/26/2011 01:36 PM 27 MainThreadStart.txt
08/26/2011 11:10 AM 29 SHUTDOWN.txt
08/26/2011 11:10 AM 29 SHUTDOWN2.txt
08/26/2011 11:09 AM 29 ThreadProtect.txt
8 File(s) 7,327 bytes
2 Dir(s) 6,673,936,384 bytes free
C:\
these files can not be viewed by windows explorer
I'm not so much concerned with cleaning this server. I can reprovision it in a few minutes. I already did that once and the subscriber infected it again over night. I'm more concerned with identifying the infection and finding a tool to
clean it, so I can send it to the subscriber to run on their PC.
I'm not sure it's the same thing. the other thread is not saying anything about outgoing TCP 3389
thank you
BarrySDCA
August 26th, 2011 2:20pm
I was able to remove it by using process explorer to determine the PID of the process, then used process explorer to kill the process, and then used command prompt to delete everything in the Offline Web Pages directory. Looks clean for
now.
Also note that this infection appears to spread through the network. I'd recommend checking all computers for it.
Hope this helps.
Free Windows Admin Tool Kit Click here and download it now
August 26th, 2011 2:46pm
I tried running system sweeper. It can't run. says "Microsoft Standalone System Sweeper cannot be started. Please contact support. Error code 0x8004cc05
I read on the net that I can get past the error by disabling the floppy drive in the BIOS. Only this is a hyper-v VM, and I don't think I can do that. No options to in HV VM settings. I also tried inserting a blank floppy, no luck.BarrySDCA
August 26th, 2011 3:09pm
I just tried Sophps Anti-rootkit. Near the end, the OS reboots. I'm not sure if this is normal or premature. No mention of any hits when it comes back up.BarrySDCA
Free Windows Admin Tool Kit Click here and download it now
August 26th, 2011 4:45pm
Barry,
Please follow my instructions above. They work.
August 26th, 2011 4:46pm
also regarding the PID responsible for making the connection attempt to China....
I have blocked that. so now I noticed in netstat, UDP open port 1028-1031 same PID
and the path for svchost.exe is C:\WINDOWS\system32
BarrySDCA
Free Windows Admin Tool Kit Click here and download it now
August 26th, 2011 4:59pm
norton power eraser doesn't work either. after reboot, BSOD in a loop when checking rootkit.
other norton power eraser scan returns no hits. suspicoius windump.exe file but further details show it's a popular file. odd
I already have a backup of this infected VM for further testing.
BarrySDCA
August 26th, 2011 5:55pm
I'm not so much concerned with cleaning this server. I can reprovision it in a few minutes. I already did that once and the subscriber infected it again over night. I'm more concerned with identifying the infection and finding a tool to clean it, so I
can send it to the subscriber to run on their PC. thank youBarrySDCA
Free Windows Admin Tool Kit Click here and download it now
August 26th, 2011 6:14pm
received from microsoft:
Hi Barry,
Thanks a lot you're your report -- this issue is already on the radar of the MMPC (Microsoft Malware Protection Center) and they will take the necessary action to contain this
issue.
Kind regards,
Joe
BarrySDCA
August 26th, 2011 10:18pm
After speaking with MMPC last night, and sending them the malicious files, they came back to me with this:
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fMorto.A
I havent tried their resolution / scanners yet, but give it a shot. Just make sure you have the latest definition files.
Free Windows Admin Tool Kit Click here and download it now
August 27th, 2011 11:07am
I had to stop the server so I can put more tools on it without risk of spreading infection. booted the server again and about 10 minutes later it started. I was able to catch on the netstat output 3 connections to an IP in China, port 80.
There is no reason for this server to be contacting IP's in China. The IP is 122.228.207.69
This must be the head-end of the thing
BarrySDCA
One of my customers has a Terminal Server that a couple of their remote users RDP into using the default port of 3389. They all have relatively simple passwords and because RDP was allowed from any IP, I'm betting something scanned for public IPs with
TCP 3389 open and did dictionary attacks (I did see a slew of failed login attempts in my Security log). While they may have been opposed to it before, they have agreed to close the port and force remote connections to use their SBS Remote Web Workplace
(specifically, the terminal services proxy).
The symptoms we saw were that the Internet connection came to a crawl, and after running a packet capture on the firewall, I identified that their Terminal Server was trying to open RDP connections to seemingly random IP addresses and I also noticed several
established connections to 103.22.244.75 and 122.228.207.69 on port 80 (all from the same svchost PID as the attempted RDP connections). When I added those to my outbound deny ACL and closed the connections, the process began trying to reconnect the
HTTP connections similar to how it kept attempting the RDP connections. Then after a minute or two, it got much worse as it started opening HTTP connections to random IP addresses to the point where i just blocked all outbound network access from the
Terminal Server.
I am usually pretty good at removing malware, but this one has me stumped.Sr System Engineer
August 27th, 2011 1:25pm
Also, I noticed that the svchost with the same PID that causes all of this bizarre traffic is listening on TCP 4764, although that is not open on my firewall...not sure if this is related.Sr System Engineer
Free Windows Admin Tool Kit Click here and download it now
August 27th, 2011 1:26pm
And the plot thickens. Although the customer agreed to block 3389 at the firewall and use the terminl services gateway moving forward, that has not been done yet. After blockng all outbound access, I noticed a new user account, 'sys', was created
and an inbound RDP connection was established from 178.162.174.77, logging in as this new user!
I reset the password and took control of the session via Terminal Services Manager and there was a folder open (C:\temp\Xenu1\Xenu1\Xenu), and xenu.exe was running from this folder (which was created in the last 10 minutes). It seems that everything
I do to try and remove this infection makes the problem worse.
Although it is generally recommended not to run ComboFix on servers, I'm running out of options, so here goes...Sr System Engineer
August 27th, 2011 1:34pm
Duh, forgot Combofix won't run on Server 2003. Instead I ran Sysinternals' RootkitRevealer a few times, removed some scheduled tasks (there were two that were running executables from c:\program files\real\..., but RealPlayer was not installed.
These may or may not be related.), and rebooted. I still see attempted HTTP connections to China, but no RDP attempts. This might just be due to the fact that the HTTP connection cannot be established...Sr System Engineer
Free Windows Admin Tool Kit Click here and download it now
August 27th, 2011 2:10pm
Derek,
If you are infected with Backdoor:Win32/Morto.A, I posted manual removal instructions above. Give that a try.
I am in the middle of testing an automated removal from Microsoft. I will post up as soon as it completes to see if it works or not.
My instructions do not advise on xenu.exe issue. that is likely a seperate piece of malware.
August 27th, 2011 2:15pm
This virus is un beatable. I realy hope anyone has cleaned an infected pc/server once. I haven't and have been working non stop for four days!
This is what I found so far:
- the virus fetched pictures (jpg, png, gif) from a chinese website (looks like some kind of gaming web site):
WWW.345ZX.COM
- it does DNS queries against random DNS servers for: db1/db2/sb/fb1/fb2/fb3.jifr.net and also jaifr.com
- It hides in SVCHOST.EXE (the one with the critical windows stuff in it)
- When you shut down windows, you will get a SVCHOST.EXE proper shutdown error
- Only XP and 2003 are infected
- RDC, TCP, UDP SYN FLOODS to random public ip's
- Sometimes it is dorment but I don't know why or when;
- After a boot, the virus does a quick challenge response with 11.68.13.250 and after this the FLOOD starts. (not shure if it always uses this ip or in this fassion).
DOES ANYONE RECOGNIZE THIS DESCRIPTION?
Thanks,
Sander!
PS these gifs, jpg's are fetched by the virus:
Free Windows Admin Tool Kit Click here and download it now
August 27th, 2011 2:31pm
I also saw the DNS queries on my Server 2003 Terminal Server. The RDC, TCP, UDP SYN floods to random public IPs (and HTTP connections to China mentioned before) all come from the same svchost PID, but that PID is responsible for about a dozen Windows
services that cannot be shutdown. I remotely rebooted the server into Safe Mode with Networking and now it's not responding, so I'm assuming the malware also broke Safe Mode. I likely won't be back onsite to further troubleshoot the issue until
Monday morning.
I also found strange IE toolbars installed and some entries in Add/Remove Programs, but I removed these yesterday without documenting what they were. There were also a few local administrator accounts (test, sys, services) created, and I removed these
as well. I had the latest version of Trend Micro Worry-Free Business Security installed and it is gone now, and the installer keeps crashing, so now I have no A/V on this server.
I like a challenge as much as the next guy, but I'm sick of this malware...Sr System Engineer
August 27th, 2011 2:37pm
Update so far:
There are files in c:\windows\offline webpages which are only visible through dos box (cmd).
the fie 1.60_0823 could be the virus.
The files: cache.txt, shutdown.txt and shutdown2.txt are both part of the virus. You can delete cache.txt but it reapears in seconds. Shutdown.txt and shutdown2.txt show up after reboot.
I am now deleting the content of c:\windows\offline webpages from a boot cd. Let's see what happens.
Free Windows Admin Tool Kit Click here and download it now
August 28th, 2011 5:15am
Darn... the virus was quiet for a long time after deleting the content of windows\offline webpages. Now it's back again...
The search is not yet over.
August 28th, 2011 6:21am
Name of the virus most likely MORTO.A
Read this article from microsoft, posted august 28 2011.
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fMorto.A
Free Windows Admin Tool Kit Click here and download it now
August 28th, 2011 8:47am
I have a clone of the VM before Norton hosed it. Today I will load that clone and test this removal tool, and then follow-up with results. thanks muchBarrySDCA
August 28th, 2011 12:34pm
And in my current knowledge, if you get infected, it means you have way too EASY PASSWORD.- Meitzi
Free Windows Admin Tool Kit Click here and download it now
August 28th, 2011 12:55pm
Not sure about that Meitzi because I just got hit by this and my server only has 2 admin accounts and the passwords are very strong. I did fix it as far as I know by booting from a linux cd and deleting the contents of windows\offline web pages and
it appears to be fixed. The 3389 calls have stoped.
I have a 2003 server in a co-location and my provider emailed me a warning that I exceeded my bandwidth utilization by 2500% yikes. I looked at the logs and at one point this thing was uploading 8 GB an hour to my server for about 3 hours.
What the hell was it doing? I'm still not comfortable that my machine is clean and I will probably move everything off and blow it up. Does anyone know if sens32.dll is a legit file? I have it on my server but the date is 02-17-2007 37 kb
and signed by MS.
August 28th, 2011 2:55pm
I had to manually download the windows defender definitions from
http://www.microsoft.com/security/portal/Definitions/ADL.aspx because our windows update server has not yet downloaded them.
After updating the definitions to 1.111.925.0 and running a full scan, defender did not detect any issues. However, after examining the OS and waiting for it to call out again, it's not doing that either. It *may* be because I have blackholed
the domains and IP's mentioned in the MS article
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fMorto.A
A few items I should point out. This VM was not calling out to the IP's mentioned by Microsoft. It was connecting to an IP in China, which is 122.228.207.69
Also, Microsoft listed two IP's in their information page about this. they are: 210.3.38.820 & 74.125.71.104
The first IP is an invalid IP, so I assumed they meant 210.3.38.20 and have blackholed that IP.
This infected VM has some of the files Microsoft lists as a sign of infection, such as sens32.dll, so perhaps this is already a variant?
I will continue to monitor and advise if it calls out again. In the mean time, I am not certain this definition is a 100% resolution.
@Meitzi: that is correct, it very well could be due to an easy password. I suspect the subscriber changed their Administrator password, but I have not confirmed that with them yet.BarrySDCA
Free Windows Admin Tool Kit Click here and download it now
August 28th, 2011 4:16pm
I don't recall seeing outbound connection attempts to the IP's Microsoft listed, but I too saw connection attempts to 122.228.207.69, so I agree that this is probably a variant. I also saw a lot of connection attempts to 103.22.244.75 (actually,
this is what I see the most, and although I thought it was a Chinese IP, it appears to be an Australian IP). I'm going to do some more testing in the AM (Eastern time) with BartPE and some offline scanners, and I will post back with anything I find.Sr System Engineer
August 28th, 2011 4:31pm
I also notice the infected VM is listening to the following TCP ports as per netstat.
1027, 2717
BarrySDCA
Free Windows Admin Tool Kit Click here and download it now
August 28th, 2011 4:39pm
One more item to mention: the worm description says it only affects 2003 and XP. I am certain the VM was infected by a RDP disk share. The subscriber only logged into it once - and from a Win7 box. they installed one software package
that is fairly common and I have no reason to believe it is infected.
BarrySDCA
August 28th, 2011 5:34pm
By any chance is any of your Local or Domain Administrator passwords low strength, common or easy to type etc? as listed in a link SanderWeb and Barry put up?
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32%2fMorto.A
It may not affect 2008 systems in general because the passwords are strong by default.
Free Windows Admin Tool Kit Click here and download it now
August 28th, 2011 7:53pm
the default password we issue is relatively strong. and I doubt the subscriber changed it to any on that list but I'm still waiting on confirmation. they are in Malaysia and awake different hours.BarrySDCA
August 28th, 2011 8:01pm
The particular machine I was working on was infected on Wednesday morning, 8/24, over the default RDP port of 3389. The server is 2003 Enterprise with all of the latest patches (as of that day), but yes, I can confirm it was a weak administrator password.
Although it was a weak password (6 character dictionary word comprised of only lower-case characters), it was not in the list of words in Barry's link. The compromised password is the same on some of the older PCs in the same office, on the same subnet,
but in the several hours I watched repeated outbound RDC attempts, I never once saw it try to reach another machine on the local subnet. From what I could tell, this piece of malware installed a few browser toolbars (OoVoo is the only one that stands
out in my mind) and performed a DoS attack by way of attempting dozens, if not hundreds, of RDC attempts every minute. The connection attempts saturated the Internet connection, which is what led to the discovery of this particular problem.
I saw an article on Slashdot about this problem earlier this evening which linked to an article on threatpost.com (here:
https://threatpost.com/en_us/blogs/new-worm-morto-using-rdp-infect-windows-pcs-082811), so this is turning out to be more widespread than I originally thought.Sr System Engineer
Free Windows Admin Tool Kit Click here and download it now
August 28th, 2011 8:02pm
The subscriber has responded to me and said he did not change the Administrator password from the default we issued. At the time it was infected, the Administrator password was 2o9yuWaS02
BarrySDCA
August 28th, 2011 9:07pm
Looks like we fixt it:
The virus/wrm/botnet is running in some stages.
In most active stage we cleaned the virus.
Sens32.dll is the engine in the virus we think.
Stop thet service and disable "system event Notifier" (its using sens32.dll instead of the standerd sens.dll)
Clean the registry:
Delete the complete key and everyting under it (we didn't see it on servers only on xp machines:
HKLM\SYSTEM\CurrentControlSet\Services\6to4
Clean teh keys under not the folders!
HKLM\SYSTEM\WPA\
Change key back to normal:
subkey: HKLM\SYSTEM\CurrentControlSet\Services\Sens\Parameters
Adds value: "ServiceDll"
With data: "<system folder>\sens.dll"
Restart machine:
Delete everyting underneed:
c:\windows\offline web pages\
delete c:\windows\system32\sens32.dll
if you cant delete sens32.dll repeat the steps.
enable and start "system event Notifier" again.
now we need to see if this realy fixt the worm.
we also see some (older) files that points out that this is a botnet used for ddos atacks!!!!
if we look at thhe files it has been activated for use in the botnet 27 aug 2011 but started on the 4th.
microsoft enpoint protection can detected some of it but not all. all virus scanners can't clean it!!!!
this is typed after working a realy long day ;-)
Free Windows Admin Tool Kit Click here and download it now
August 28th, 2011 11:10pm
I'm a bit concerned becuase our subscriber logged into the OS by RDP from a Win7 machine, and I'm certain it was infected by RDP disk share. There is no brute force RDP hacking in the event logs and our IPS/firewalls would kill that quick anyway,
in or out. It's how it was identified so quickly.
All the pages I'm reading on this thing say WinXP/2003 only. Sure this is a 2003 R2 OS, but the client infected it from his Win7 machine. It has got to be the case
BarrySDCA
August 29th, 2011 12:54am
Seems like there is significant awareness of this thanks to everyone's efforts here on this thread. I read coverage on F-Secure (Finland) weblog Windows
Remote Desktop worm "Morto" spreading:
"We detect Morto components as Backdoor:W32/Morto.A and Worm:W32/Morto.B"
The author, Mikko Hypponen (I hope I spelled his name correctly), provides the link returning here to Technet for full details. I even found a heads-up mention, as a possible Windows Remote Desktop Worm,
on Reddit about 18 hours ago.
Y'all worked really hard over the weekend on this. And helped lots of users. Like me. Thank you.
~~~~~~~ lux et veritas ~~~~~~
Free Windows Admin Tool Kit Click here and download it now
August 29th, 2011 6:06am
Looks like we repaired it:
The virus/wrm/botnet is running in some stages.
In most active stage we cleaned the virus.
Sens32.dll is the main engine in the virus when it is full active.
This is the main steps we used.
Install patch:
http://support.microsoft.com/kb/2570222
Stop and disable "system event Notifier" service. This is using sens32.dll instead of sens.dll
Clean the registry:
Delete the complete key and everyting under it (we didn't see it on servers only on xp machines)
HKLM\SYSTEM\CurrentControlSet\Services\6to4
Clean the keys under not the folders! (Look if Ias and/or 6to4 is standing in one of the keys)
HKLM\SYSTEM\WPA\
Change the next key back to normal:
subkey: HKLM\SYSTEM\CurrentControlSet\Services\Sens\Parameters
value: "ServiceDll"
data: "<system folder>\sens.dll"
Restart machine:
Delete everyting under (del *.*):
c:\windows\offline web pages\
delete c:\windows\system32\sens32.dll
if you cant delete sens32.dll repeat the steps before restart.
enable and start "system event Notifier" again.
Sometimes ther is a extra services Ias this uses chache.txt or Sens32.dll or a other morfed file.
What i Notices about this that this looks like 1 of the fases the virus goes true when it is starting up.
now we need to wait and see if this realy fixt the worm.
we also see some (older) files that points out that this is a botnet used for ddos atacks (files like 1.40 testddos)!!!!
if we look at thhe files it has been activated for use in the botnet 27 aug 2011 but started on the 4th.
IMPORTAND:
microsoft enpoint protection can detected some of it but not all. All virus scanners can't clean it!
(at the moment of writing this artical)
this is typed after working a realy long day ;-)
(edit some typo's and added extra info)
August 29th, 2011 6:07am
Some more analyzing the virus: <extended the list from microsft>
HTTP Connection:
122.228.207.69
122.228.207.68
DNS Servers used:
210.3.38.20 (removed typo)
74.125.71.104
4.2.2.2
8.8.8.8
<25 more Public DNS>
DNS queries done
ALL TXT
jaifr.com
jifr.info
jifr.co.cc
jifr.co.be
qfsl.net
qfsl.co.cc
qfsl.co.be
jifr.net
TCP 3389 Syn packets:
TCP 1.2.3.4:2258 144.176.55.204:3389 SYN_SENT 832
TCP 1.2.3.4:2259 106.218.17.126:3389 SYN_SENT 832
TCP 1.2.3.4:2260 82.159.196.249:3389 SYN_SENT 832
TCP 1.2.3.4:2261 35.13.212.21:3389 SYN_SENT 832
TCP 1.2.3.4:2262 98.89.156.119:3389 SYN_SENT 832
TCP 1.2.3.4:2263 172.183.83.244:3389 SYN_SENT 832
TCP 1.2.3.4:2264 2.22.184.226:3389 SYN_SENT 832
TCP 1.2.3.4:2265 179.151.241.111:3389 SYN_SENT 832
TCP 1.2.3.4:2266 188.131.141.230:3389 SYN_SENT 832
TCP 1.2.3.4:2267 88.184.60.211:3389 SYN_SENT 832
TCP 1.2.3.4:2268 19.246.27.204:3389 SYN_SENT 832
TCP 1.2.3.4:2269 81.1.120.167:3389 SYN_SENT 832
TCP 1.2.3.4:2270 104.115.210.138:3389 SYN_SENT 832
TCP 1.2.3.4:2271 131.91.148.141:3389 SYN_SENT 832
TCP 1.2.3.4:2272 106.33.203.220:3389 SYN_SENT 832
TCP 1.2.3.4:2273 146.144.143.13:3389 SYN_SENT 832
TCP 1.2.3.4:2274 112.102.238.103:3389 SYN_SENT 832
TCP 1.2.3.4:2275 131.189.149.95:3389 SYN_SENT 832
TCP 1.2.3.4:2276 102.153.148.25:3389 SYN_SENT 832
TCP 1.2.3.4:2278 62.223.59.50:3389 SYN_SENT 832
TCP 1.2.3.4:2279 23.176.169.236:3389 SYN_SENT 832
TCP 1.2.3.4:2280 196.58.220.170:3389 SYN_SENT 832
TCP 1.2.3.4:2281 210.22.139.241:3389 SYN_SENT 832
TCP 1.2.3.4:2282 82.67.109.50:3389 SYN_SENT 832
TCP 1.2.3.4:2283 82.67.109.50:3389 SYN_SENT 832
TCP 1.2.3.4:2285 2.47.235.208:3389 SYN_SENT 832
TCP 1.2.3.4:2286 83.119.15.163:3389 SYN_SENT 832
TCP 1.2.3.4:2287 5.148.138.247:3389 SYN_SENT 832
TCP 1.2.3.4:2288 5.148.138.247:3389 SYN_SENT 832
TCP 1.2.3.4:2289 13.47.206.128:3389 SYN_SENT 832
TCP 1.2.3.4:2290 13.47.206.128:3389 SYN_SENT 832
TCP 1.2.3.4:2291 61.3.157.194:3389 SYN_SENT 832
TCP 1.2.3.4:2292 2.254.66.234:3389 SYN_SENT 832
TCP 1.2.3.4:2293 2.254.66.234:3389 SYN_SENT 832
TCP 1.2.3.4:2294 80.205.112.59:3389 SYN_SENT 832
TCP 1.2.3.4:2295 179.81.26.142:3389 SYN_SENT 832
TCP 1.2.3.4:2296 37.99.211.28:3389 SYN_SENT 832
TCP 1.2.3.4:2297 21.232.91.221:3389 SYN_SENT 832
TCP 1.2.3.4:2298 120.206.193.11:3389 SYN_SENT 832
TCP 1.2.3.4:2299 35.205.93.20:3389 SYN_SENT 832
Sens32.dll is showing up in proccess explorer.
If you stop 'system event notification' its still not possible to delete sens32.dll
Sometimes a services 'Ias' is also active this runs to the same DLL. This can be cleaned in the registry
Under 'HKLM\SYSTEM\WPA\' its possible to see the services in use need some more exploring for it to get a final clue how that is working.
Free Windows Admin Tool Kit Click here and download it now
August 29th, 2011 7:17am
You can try downloading the Microsot Safety Scanner, it should detect/remove this.
http://www.microsoft.com/security/scanner/en-us/default.aspx
Also, if you were infected by this malware then it's likely you are using one of the passwords listed in our writeup:
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FMorto.A
If that is the case, then please change to a stronger password.
Thanks,
Faron [MSFT]Faron Faulk [MSFT]
August 29th, 2011 8:38am
Microsot Safety Scanner detects the virus but it doesn't clean the System completly so it come's back after a wile if you don't clean manualy the reg keys.
MSep doesn't clean the reg keys:
HKLM\SYSTEM\CurrentControlSet\Services\6to4
HKLM\SYSTEM\WPA\
This was still so at 29 aug 2011 around 4 AM GMT +1
Free Windows Admin Tool Kit Click here and download it now
August 29th, 2011 8:56am
Looks like we fixt it:
The virus/wrm/botnet is running in some stages.
In most active stage we cleaned the virus.
Sens32.dll is the engine in the virus we think.
Stop thet service and disable "system event Notifier" (its using sens32.dll instead of the standerd sens.dll)
Clean the registry:
Delete the complete key and everyting under it (we didn't see it on servers only on xp machines:
HKLM\SYSTEM\CurrentControlSet\Services\6to4
Clean teh keys under not the folders!
HKLM\SYSTEM\WPA\
Change key back to normal:
subkey: HKLM\SYSTEM\CurrentControlSet\Services\Sens\Parameters
Adds value: "ServiceDll"
With data: "<system folder>\sens.dll"
Restart machine:
Delete everyting underneed:
c:\windows\offline web pages\
delete c:\windows\system32\sens32.dll
if you cant delete sens32.dll repeat the steps.
enable and start "system event Notifier" again.
now we need to see if this realy fixt the worm.
we also see some (older) files that points out that this is a botnet used for ddos atacks!!!!
if we look at thhe files it has been activated for use in the botnet 27 aug 2011 but started on the 4th.
microsoft enpoint protection can detected some of it but not all. all virus scanners can't clean it!!!!
this is typed after working a realy long day ;-)
I rebooted into Safe Mode, emptied the folder C:\WINDOWS\Offline Web Pages, rebooted, and the symptoms are gone. I'm reinstalling my A/V (Trend Micro Worry-Free Business Security 7, which was previously installed - this malware apparently removed it)
and I'm going to run a scan with that as well as the Microsoft Safety Scanner once it finishes. I was not able to locate sesn32.dll, did not have a "6to4" key, and the key/values for the SENS service all appear to be legit, even pointing to the correct
sens32.dll. I did have to cleanup the WPA key, remove the "NoPopUpsOnBoot" value, and add the dependency on EventSystem for the SENS service.
I know it has already been mentioned before, but Microsoft's information is incomplete, as the compromised password on my system was b**** (not a dirty word, just masked for my client's privacy), and this is not on the password list. Also, if you have
any of these symptoms, check for any HTTP connections to 122.228.207.69, as this IP was not in Microsoft's list, but was common to myself and BarrySDA (and after removing the suspect files, there are no more connections to this IP), so I'm pretty sure it is
related.Sr System Engineer
August 29th, 2011 8:58am
sens32.dll is the virus!!
needs to be sens.dll
Http to 122.228.207.68 is also used
the symptoms come back after a wile when only 'C:\WINDOWS\Offline Web Pages' is cleaned. (del *.*).
after a while chache.txt comes back and teh proccess and the symtoms come back.
Free Windows Admin Tool Kit Click here and download it now
August 29th, 2011 9:04am
sens32.dll is the virus!!
needs to be sens.dll
Http to 122.228.207.68 is also used
the symptoms come back after a wile when only 'C:\WINDOWS\Offline Web Pages' is cleaned. (del *.*).
after a while chache.txt comes back and teh proccess and the symtoms come back.
Thanks for pointing that out! I was able to move sens32.dll to the desktop and update the registry value back to sens.dll, but I cannot delete sesn32.dll (even though I could move it), as it is in use by svchost! I also double-checked everything
and saw that there was still a service called Ias with no description (trying to launch the deleted cach.txt), so I removed that as well.Sr System Engineer
August 29th, 2011 9:20am
FYI -- Encountered many of these same symptoms on a 2008 R2 system starting on Friday Aug 26th. Cleaned with MS Safety Scanner and blocked outgoing WAN traffic. Have not seen any re-occurrence as of yet.
Free Windows Admin Tool Kit Click here and download it now
August 29th, 2011 9:25am
Can anyone shed some light into how logging works for RDP on Windows 7? On my home computer, I have enabled RDP, but only allowing connections from computers running with Network Level Authentication. In Event Viewer I can find entries under "Applications
and Service logs - Microsoft - Windows - TerminalServices RemoteConnectionManager - Operational. But the entries are only "Listener RDP-Tcp received a connection". I would like to know: From where did the connection come from, which username were supplied,
etc Anyone?
August 29th, 2011 9:35am
AD, are you changing the password that is used for RDP user(s)? if it's coming back 'after a while' that sounds like the attacker is just guessing your password again, possibly.
FaronFaron Faulk [MSFT]
Free Windows Admin Tool Kit Click here and download it now
August 29th, 2011 9:44am
no its not the password. The virus it self is still running under "system event notifier" (sens32.dll).
This even happend without any network connection.
August 29th, 2011 9:58am
People keep saying "weak password" or "XP/2003". I know both of these are not the case.
The 2003 OS had a reasonably strong password, which I posted above and was infected by RDP disk share from a Win7 machine.BarrySDCA
Free Windows Admin Tool Kit Click here and download it now
August 29th, 2011 10:43am
way's off possible infection:
- weak password
- TS Client can be infected by a Infected TS server
- TS Server can be infected by a Infected TS Client
- Some kind of keylogging.
- Phishing email (most likly we got the first infection in first place)
- Infected webserver
- Weaknis that is fixt in patch (makes spreadung virus going faster)
ao there are alot off ways to get this virus.
Havent seen it on Windows 7 or server 2008 yet.
August 29th, 2011 11:25am
People keep saying "weak password" or "XP/2003". I know both of these are not the case.
The 2003 OS had a reasonably strong password, which I posted above and was infected by RDP disk share from a Win7 machine.
BarrySDCA
Barry,
I do not believe Win7 or Server 2008 can get this malware. At least I havent seen it. I saw it on a network with 2 server 2003 boxes, 10+ XP, 10+ Win7, and the only boxes infected were the 2003, and 90% of the XP ones...
I also believe it started due to a service account with a weak password, and too much privs...
Free Windows Admin Tool Kit Click here and download it now
August 29th, 2011 11:45am
Update:
Windows defender with definitions 1.111.925.0 did NOT detect this worm in the infected 2003 R2 OS
Microsoft Safety Scanner 1.0.3001.0 DID detect the worm in the infected 2003 R2 OS
In regards to how the OS was infected, here are the facts:
We noticed a bunch of outgoing RDP hits on our firewall. It was determined to be infected and reprovisioned as NEW, fully patched 2003 R2.
The subscriber logged into the VM by RDP from a Win7 box, with shared disks, and the VM was infected in under 24 hours. They have told me the only box they used to login to the VM was their Win7 PC. They installed one software package, which
I do not believe is reasonable to assume was the source of the infection.
The Administrator password of the VM at the time of infection was 2o9yuWaS02
NO RDP brute force hacking detected in event logs. Yes, event logs were configured to show this information when the VM was provisioned.BarrySDCA
August 29th, 2011 11:58am
People keep saying "weak password" or "XP/2003". I know both of these are not the case.
The 2003 OS had a reasonably strong password, which I posted above and was infected by RDP disk share from a Win7 machine.
BarrySDCA
Barry,
I do not believe Win7 or Server 2008 can get this malware. At least I havent seen it. I saw it on a network with 2 server 2003 boxes, 10+ XP, 10+ Win7, and the only boxes infected were the 2003, and 90% of the XP ones...
I also believe it started due to a service account with a weak password, and too much privs...
Ian,
I have seen firsthand (as mentioned above) that this worm CAN and DOES infect hosts running Server 2008 R2. During my investigation, I also found no evidence of brute force, but certainly infected svchost and the ntshrui.dll was attempting load at
startup. Also found multiple outbound HTTP connections to chinese IP addresses. MS Safety Scanner did detect and (seemingly) cleaned.
Free Windows Admin Tool Kit Click here and download it now
August 29th, 2011 12:23pm
BEWARE! I had ntshrui.dll running as "FastUserSwitchingCompatibility" service.
sr value under HKLM\SYSTEM\Wpa points to the service it runs as so I suspect that it can dynamically alter the service its runs as, so don't take the writeup as an absolute because the service execution is definitely not static!
netstat -nb will tell you which service its running as under svchost.exe
Also, I don't know this for certain but once this thing has infected a machine through a brute force attack it may be able to penetrate other machines by way of trusted credentials between the infected machine and the target.
-Ted-
August 29th, 2011 1:12pm
BEWARE! I had ntshrui.dll running as "FastUserSwitchingCompatibility" service.
sr value under HKLM\SYSTEM\Wpa points to the service it runs as so I suspect that it can dynamically alter the service its runs as, so don't take the writeup as an absolute because the service execution is definitely not static!
netstat -nb will tell you which service its running as under svchost.exe
Also, I don't know this for certain but once this thing has infected a machine through a brute force attack it may be able to penetrate other machines by way of trusted credentials between the infected machine and the target.
-Ted-
It runs as svchost, but under different/random PID's with services attached. in fact, i saw it move to another process after i stopped the current process it was running as!
Free Windows Admin Tool Kit Click here and download it now
August 29th, 2011 1:35pm
After running this fix, have you seen the issue return? Also, did you script any of this?
August 29th, 2011 1:47pm
Try to suspend the process if possible using process explorer, if they have a "buddy" process that watch each other they will notice the terminated one and start another.
Free Windows Admin Tool Kit Click here and download it now
August 29th, 2011 1:50pm
It runs as svchost, but under different/random PID's with services attached. in fact, i saw it move to another process after i stopped the current process it was running as!
svchost is basically a container for services. You'll notice many svchost processes running in order to host various services, inculding the service that Morto is running as. If you look closely at an netstat -nb you will not only see the svchost.exe process
but YOU WILL ALSO SEE THE SERVICE NAME that Morto is running as on the line above. netstat -nb CAN be used to find the SERVICE Morto is running as. The service NAME in not different/random in my experience, although the name I've seen differs from the names(s)
I have thus far seen published elsewhere. Almost ALL PIDs are assigned dynamically every time a machine restarts or a process goes through its full life cycle, no surprise here.
August 29th, 2011 2:05pm
It runs as svchost, but under different/random PID's with services attached. in fact, i saw it move to another process after i stopped the current process it was running as!
svchost is basically a container for services. You'll notice many svchost processes running in order to host various services, inculding the service that Morto is running as. If you look closely at an netstat -nb you will not only see the svchost.exe process
but YOU WILL ALSO SEE THE SERVICE NAME that Morto is running as on the line above. netstat -nb CAN be used to find the SERVICE Morto is running as. The service NAME in not different/random in my experience, although the name I've seen differs from the names(s)
I have thus far seen published elsewhere. Almost ALL PIDs are assigned dynamically every time a machine restarts or a process goes through its full life cycle, no surprise here.
Yes, of course.
Free Windows Admin Tool Kit Click here and download it now
August 29th, 2011 2:20pm
Try to suspend the process if possible using process explorer, if they have a "buddy" process that watch each other they will notice the terminated one and start another.
From what I understand sens32.dll is the loader. It instantiates this thing as a service. Then the service actually runs the worm code. If you kill it another gets started. While the articles are calling the service
"6to4" I've had it running as "FastUserSwitchingCompatibility" on a Windows 7 client.
Unfortunately, mine accidentally got cleaned so I don't have that copy to research any more. :-(
August 29th, 2011 2:36pm
SOS!!!
My system can not running normally, after the hardware detection, the screen will black. but the "safe mode" can access, I have clear the Sens32.dll and contents of offiline web pages, is anybody have the solution to resolve it?
Free Windows Admin Tool Kit Click here and download it now
August 31st, 2011 8:02am
After a few day's we haven't seen the virus back on our systems with the resolution mentiond above.
August 31st, 2011 9:02am
same here. I had the subscriber run Microsoft Safety Scanner 1.0.3001.0 on their Win7 box and they told me that it detected 1 infection. They did not confim what it was. I also ran it in their 2003 VM. It's been running a few days
and no signs of infection.
Looking at our incoming firewall logs, that is an entirely different story. All 3 datacenters are pretty much showing a constant incoming storm of RDP scanning from all over the net. much higher than normal. It's being filtered out
with the other 'noise'
I consider the issue to be resolved. thank you everyone for your assistance.BarrySDCA
Free Windows Admin Tool Kit Click here and download it now
August 31st, 2011 10:47am
We have a Server 2003 R2 infected with that. After following AD van Dijk's instructions where I stopped and disabled system event notification service, not being able to find the 6to4 key and deleted the Ias in System\WPA, pointed the sens.dll back to normal
and rebooted the system totally crashed. I couldnt start it neither normally nor safe mode not even last known good configuration. I had to go through backup restore as windows repair wouldn't work either. After restoring the server I tried Microsoft's Safety
Scanner which supposed to get rid of the threat. Well, it didn't. The only thing it din't like was VNC.Running netstat -nb tells me that one of the established connections is by svchost using RemoteAccess but I compared that with a healthy server and it looks
to be OK. I understand that when I notice svchost connecting on 3389 that's morto. I run Symantec's PowerEraser but it did nothing. Still stuck with it as I'm writing this message
BTW I wanted to add that the server has a very complex password and there is no other user with administrative priviliges on it.
yaro
September 1st, 2011 10:55am
Strange the server didn't start up.
I assume the files %windows%\offline web pages\chache.txt and %system%\sens32.dll excist on you machine.
you can do what i posted earlyer or:
Start in safe mode.
-Delete the files under %windows%\offline web pages\
-Delete sens32.dll
Regedit:
change back:
subkey: HKLM\SYSTEM\CurrentControlSet\Services\Sens\Parameters
value: "ServiceDll"
data: "<system folder>\sens.dll"
Delete the complete key and everyting under it (we didn't see it on servers only on xp machines)
HKLM\SYSTEM\CurrentControlSet\Services\6to4
Clean the keys under not the folders! (Look if Ias and/or 6to4 is standing in one of the keys)
HKLM\SYSTEM\WPA\
services:
If the serice Ias excist disable this. you can try to remove it.
Free Windows Admin Tool Kit Click here and download it now
September 1st, 2011 5:16pm
After a complete restore I went through your procedure again in safe mode. So far it looks like it works. Many thanksyaro
September 4th, 2011 1:53pm
Ignoring the obnoxious comment from ObiWan and reiterating that this thread is relevant and current (and not from 2007 as he suggested)...pleas review....http://forums.majorgeeks.com/showthread.php?p=1659242.
This seems to specifically state the problem at hand. Has anyone has success in removing these files?
Yes, sorry for the error, I overlooked that; on the other hand, removing the files isn't a solution; the box has been compromised and has a rootkit installed, this means that even if you remove those files, the attacker may have installed some backdoor on
the system and may still be able to regain access to it; the only real way to trust such a compromised machine would be bringing it offline, cleaning it as much as possible, backing up whatever relevant data and then flattening it and rebuilding it from scratch
but... paying attention to properly lock it down to avoid another attack leveraging the same "security hole" which was used for the current attack
Free Windows Admin Tool Kit Click here and download it now
September 5th, 2011 3:51am
And the plot thickens. Although the customer agreed to block 3389 at the firewall and use the terminl services gateway moving forward, that has not been done yet. After blockng all outbound access, I noticed a new user account, 'sys', was created
and an inbound RDP connection was established from 178.162.174.77, logging in as this new user!
Which means that the attacker has access to the system; again, bring the system offline, use a boot-cd
like this one to run a general cleanup, proceed backing up whatever relevant data and then flatten the box and rebuild it from scratch; there's NO OTHER way to fix the issue and just removing some files or firewalling some ports won't allow you to TRUST
that system
September 5th, 2011 3:59am
SOS!!!
My system can not running normally, after the hardware detection, the screen will black. but the "safe mode" can access, I have clear the Sens32.dll and contents of offiline web pages, is anybody have the solution to resolve it?
Read the following ... and no, it's not a joke, it's the ONLY way to really solve the issue
http://technet.microsoft.com/en-us/library/cc512587.aspx
http://technet.microsoft.com/en-us/library/cc512595.aspx
Free Windows Admin Tool Kit Click here and download it now
September 5th, 2011 4:04am
Microsot Safety Scanner detects the virus but it doesn't clean the System completly so it come's back after a wile if you don't clean manualy the reg keys.
MSep doesn't clean the reg keys:
HKLM\SYSTEM\CurrentControlSet\Services\6to4
HKLM\SYSTEM\WPA\
This was still so at 29 aug 2011 around 4 AM GMT +1
Again, scanning the system that way is just one step; the scan/clean you can perform by running the MS Safety Scanner will just allow you to bring "down" the malware for a while... the time needed to backup whatever relevant data; then, to really cleanup
the system you will need to perform a total reinstall from scratch, there's no other way to solve it and even if you'll remove files and stuff, you won't be able to tell if the system will be totally and really clean nor to trust it
September 5th, 2011 4:12am
A heads-up to everyone:
Over the weekend, we detected another subscriber infected with Morto. This was a BRAND NEW VM, 2003 R2 and fully patched with a very strong password. The subscriber I believe has Win7.
MS Safety Scanner DID NOT return any infection
I verified tons of outgoing RDP, same symptoms. This one also had an open port 80 connection to 208.92.165.96
BarrySDCA
Free Windows Admin Tool Kit Click here and download it now
September 6th, 2011 12:11pm
A heads-up to everyone:
Over the weekend, we detected another subscriber infected with Morto. This was a BRAND NEW VM, 2003 R2 and fully patched with a very strong password. The subscriber I believe has Win7.
MS Safety Scanner DID NOT return any infection
I verified tons of outgoing RDP, same symptoms. This one also had an open port 80 connection to 208.92.165.96
What do you mean with "subscriber" ? Was that VM brought up on the same network on which the other compromised system was ?
Again, if you didn't flatten/rebuild the compromised system and didn't check the other systems reachable on that network then there are probabilities that the malware is still sitting on your network and infecting new boxes as soon as they get connected,
this may happen (for example) if the initial password used for the VM setup is a common one; the malware may be able to hit and infect the VM before you get in and change the password to a strong one
September 6th, 2011 12:28pm
the previous system was reprovisioned as-new. it's not spreading on our network. we detect rdp floods very quickly and kill the IP.
subscriber - we are an online service provider
follow-up to new infection: subscriber says they did indeed login one time from an XP machine.
MS safety scanner did NOT detect this one
BarrySDCA
Free Windows Admin Tool Kit Click here and download it now
September 6th, 2011 3:53pm
the previous system was reprovisioned as-new. it's not spreading on our network. we detect rdp floods very quickly and kill the IP.
I see... I just wonder if the reprovisioning also meant resetting the initial accounts/passwords to some "default", that
may be the cause of the reinfection (just guessing, don't get me wrong)
subscriber - we are an online service provider
Got it, in such a case, also given that the MS Safety scanner was unable to flag the malware, I think you'd better directly contact Microsoft and have them work with you to investigate the issue and help you fixing it
As for the issue and contacts, here are some resources
http://blogs.technet.com/b/mmpc/archive/2011/08/28/new-worm-targeting-weak-passwords-on-remote-desktop-connections-port-3389.aspx
http://blogs.technet.com/b/mmpc/archive/2011/08/29/more-on-morto.aspx
http://technet.microsoft.com/en-US/security/default.aspx
http://blogs.technet.com/b/mmpc/
which may be useful
HTH
September 7th, 2011 4:40am
the previous system was reprovisioned as-new. it's not spreading on our network. we detect rdp floods very quickly and kill the IP.
Forgot (sorry), a quick workaround to stop worm spreading could be adding a new RDP listener as described
here and using whatever port (e.g. 50183) next, after checking that the RDP connection on the alt-port is working, filtering out (using the system firewall) port 3389/TCP so that the "blind-scan" from the worm will hit a closed port and the malware won't
be able to spread; notice though that the above is just a workaround useful to prevent attacks from such "blind-scanners / bruteforcers" but it won't add any kind of security, if a machine has weak passwords, the security issues will still be present
Free Windows Admin Tool Kit Click here and download it now
September 7th, 2011 6:05am
you seriously don't think I am aware of changing the port option? we do not have that luxury as a service provider. And do you really think we would keep the same password? As I demonstrated before, our passwords are reasonably strong
and the VM was infected by RDP disk share. As I said earlier, our network QUICKLY detects RDP hacking and kills the remote IP. That is not a real problem here.
I'm not asking you for help, I'm simply updating the community that there is a new one out there undetected by safety scanner. The first subscriber's VM was detected by safety scanner. not the second.
thank you
BarrySDCA
September 7th, 2011 11:05am
you seriously don't think I am aware of changing the port option? we do not have that luxury as a service provider.
Well, that's up to you, if your customers are using weak passwords on some machines, that worm may hit them and the option of changing port is the only workaround you have at the moment, that's why I suggested it... and not just for you, but for anyone else
reading this and trying to find a way to quickly patch the issue (again, not a definitive solution, that would be forcing complex password policy on all the boxes and also revising existing accounts and double checking credentials and permissions, but that
would take time... and changing the port would give one some time to do it)
And do you really think we would keep the same password?
As I demonstrated before, our passwords are reasonably strong and the VM was infected by RDP disk share.
I don't know, you may or may not, I'm not saying you're using the same password but then I can't know if you, in effect, do that; also, what makes you think that the VM was infected by RDP disk share and not by some other mean ?
As I said earlier, our network QUICKLY detects RDP hacking and kills the remote IP. That is not a real problem here.
Which is good, having IDS/IPS in place helps, but given the fact that systems compromised by such a critter also contain backdoors (see that "sys account creation" in this discussion) allowing an attacker to regain access to the boxes, killing outbound RDP
connection won't be a cure, you'll just be trying to deal with the effects but that won't have any impact on the cause
I'm not asking you for help, I'm simply updating the community that there is a new one out there undetected by safety scanner. The first subscriber's VM was detected by safety scanner. not the second.
Maybe you aren't, but again, I wrote the other message to try helping other people with the same issue quickly "plugging" the hole until they won't have time to perform a deep revision of their accounts
All the best
Free Windows Admin Tool Kit Click here and download it now
September 7th, 2011 11:33am
Hi...
I´m From Brazil and we have the same problem.
First symptom:
we note that the Internet bandwidth was being
consumed, and it was necessary to reboot the
Web server.
After that we began to
check the network machine
infected with a virus. We Turn each
machine (60) of the switchs.
Isolates the server (Windows Server
2003 R2) and the Internet server in the Switch.
After that, and nothing solved, we turned off the
2003 Server. Bandwidth consumption
was normal.
Turning on back
the Windows Server, the use of
internet has increased dramatically.
Then we used
a port scan and noticed that there are several
attempts to connect to multiple servers
on the Internet over port 3389. In one case,
unable to access a Windows 2003 Server
Enterprise which was being attacked by our server.
Connect it via Terminal Service.
So we changed our
connection port Terminal Service to a
higher (over 10,000).
Virus stopped trying to leave by 3389
and began to walk out the door 80, consuming
the entire Internet bandwidth.
We started to kill
all processes that were trying out the door
80, one by one, in certain
ip to kill the process restarted
the server alone. It happened 3
times. After restart, it
began again to attack the port 3389.
After that, to avoid
formatting the server, did the procedure
described by A D van Dijk (some
posts ago).
Everything is running smoothly
so far... But
we still plan to format the
server.
We still have a copy of SENS32.dll
if someone wants to study.
That's all
September 15th, 2011 8:07pm
We still have a copy of
SENS32.dll if someone wants to
study.
If possible, create a passworded zip containing the file (use "infected" as the password), upload the zip to some online storage and post the link; I'm curious to have a look at the critter ... even if it's just the "main payload" and not the whole malware
Free Windows Admin Tool Kit Click here and download it now
September 16th, 2011 4:07am
I sent some suspicious files to Symantec using their tool do you think they will come up with a solution for this w32.morto worm?
September 21st, 2011 11:12am
malware byte might do the trick. Run the scanner and use Fileassassin to remove sens32.dll. Then reboot the server.
Free Windows Admin Tool Kit Click here and download it now
September 23rd, 2011 2:51am
Please check out the following link
http://about-threats.trendmicro.com/Malware.aspx?id=8901&name=WORM_MORTO.SMA&language=en
September 23rd, 2011 5:12pm