Join Us!

When thing goes str...
 
Notifications
Clear all

When thing goes strange... "Possession" 😛  

  RSS
LonelyWolf
(@lonelywolf)
Junior Member

Hi,
before post here i've tried a lot of things, and searched google but there is something that i don't see…

well, we're in a windows network, with a Win2K3 (not yet SP1, it's not my pc's 😀 ) and some client win xp/2k (more or less updated…..)
however, sistematically they find on their 2K3 fileserver their archive files deleted/renamed with strange name, sometime with [pcname] f**k YOU BY [email protected][filename.mdb]" where that mdb is a really file…or "I HAVE A DREAM" or "@@@@@@@@@@@@@@@@@@@@@" or "[email protected]@YOU" or "[dnsaddress]@[email protected][gwaddress]" and files too, recycled dir renamed too…

well, they work with a very old software written in clipper and access97 app (….too old for me…)

problems appear on server (and sometimes disapper file client side, it seems only when they use access97 prog) "only" when they're working with clipper old program. they have this strange problem from 2 year ago.

it's a very strange incident this…

what i've done?
i've start with Helix and Erd to see if something strange could appear, in the "classical" regkey for process or services ..\currentcontrolsetn.."
but driver and services seems to be ok. we performed AV scan (fprot and clam) OFFLINE, but no virus found.
so we reboot system, check for processess in execution with more than one process tool, nothing strange…McAffee Stinger, nothing, i've just looked in the prefetch but nothing strange, i've looking for ads but nothing strange (with crucialsecurity scanner).
I've tried rootkit revealer and fsecure blacklight (do you know? very interesting) tried kproccheck that make "differential analysis" with low level structure…nothing strange.
so, at this point i've start with our dear friend Filemon, running on fileserver 2k3, just to start.
i log all the "bad" operations and i saw that all are performed from System PID 4.
This let suppose me that problem resides in client, when they, with their old clipper program access to that network unit (they create a unit letter to access to hd on fileserver), "something" and all the request were performed by \device\lanmanredirector and for this reason i saw system PID 4…with filemon i saw IRP that delete files…

my first hypothesis is: the clipper program is too old, there is something that goes wrong with file management or with file locking or opening/closing file…so some parameter became wrong during activity and file were deleted…
What do u think? how i can analyze this in depth? debugging clipper application??????? (tomorrow i'll put filemon on every clientand compare log)

but, just suppose that this my hypothesis it's true.
what the h**l .. why create file/dir with that name that remember me nothing good?
"..f**k YOU BY NETSKY" but there is no track of netsky, AV don't found anything! why/HOW reads/create file/dir with dnsaddress or gw address? attacched with @?

i've search on the net, but on AV vendor i don't found ANYTHING malicious with that string..and this is strange…isn't it?

it SEEMS that without internet connection things goes ok…in this moment we're analyziong network traffic…but it's all so strange…

i've installed too the m$ portrptr (a service that works as a sort of netstat logger and log newly process that opens connection)..but when disaster occours..no remote connection it's detected…

Any suggest/advice?
how i can filter/log/watch better lanmanredirector to see form "where" arrive "things" to the driver? clipper? known issues about access97?

Thanks

Lonely Wolf

Quote
Posted : 05/04/2005 4:04 pm
keydet89
(@keydet89)
Community Legend

LW,

Your post is really hard to follow, but it does sound like you have a virus or worm issue.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

ReplyQuote
Posted : 05/04/2005 7:30 pm
LonelyWolf
(@lonelywolf)
Junior Member

sorry…

i try again..

they use an old program to do their work written in clipper and another piece in Access97.

it seems that when they connected to internet AND using the old program in clipper, their archive files on a 2k3 server are deleted or renamed in strange ways, by creating folder (for example) with the dns or gateway address, or with clientname f**k YOU BY NETSKY …

i've performed offline AntiVirus scan, watch registry offline, and online process are clean, i can't find anything…i've tried mcaffee Stinger too, it' s very strange.

ReplyQuote
Posted : 05/04/2005 8:11 pm
Andy
 Andy
(@andy)
Active Member

It does sound like you have a virus or worm. The hint is the NETSKY reference.

http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

I am not too sure about fprot. Try using AVG by Grisoft, http://www.grisoft.com/doc/1 its free and updated regularly.

Andy

ReplyQuote
Posted : 05/04/2005 9:05 pm
LonelyWolf
(@lonelywolf)
Junior Member

thanks andy,
i've already check this type of hint on that site, but we performed AV scans too, or i've used a netsky cleaner tool from nod32 but nothing found.

👿

i wanna try to log \lanmanredirector … do u know something useful, just to see who talk with him, at this lowlevel?

till now, i can see IRP issued by system PID 4 to delete folders for example…but how i can track the source, who "tell" to our server to delete some file/folders? filemon or filespy tell me only the local "process", but the request start elsewhere…

i hope u understand what i'm trying to explain..

thanks

ReplyQuote
Posted : 05/04/2005 9:28 pm
andy1500mac
(@andy1500mac)
Member

I can't say I'm familair with the full extent of "malicious marcos" but this might be something to look into seeing as you seem to have tried many of the other venues. Althought the mention of netsky does seem suspicious..(was it around two years ago-NETSKY..?)

I'm mentioning macros only because you indicated it ONLY happens when you run ACCESS..

Andrew-

ReplyQuote
Posted : 06/04/2005 8:57 am
Share: