
Cloaking Worm on Windows 2000 SBS

By mikennedy13
We just got through cleaning up a mess on our server. Some sort of code got in there and made several Windows system files invisible to the GUI. They were present in a DOS window using the DIR command. This code, however it was inserted or executed, made the wins.exe file disappear. We couldn't even copy it back on from a backup.

Here is the log file that was generated by F-Secure BlackLight to find the hidden files:
05/18/05 08:38:22 [Info]: *** F-Secure BlackLight Beta 1.5.1002 started
05/18/05 08:38:22 [Info]: OS version: 5.0 build 2195 (Service Pack 4)
05/18/05 08:38:30 [Info]: User initiated system scan
05/18/05 08:38:30 [Info]: Process scan started
05/18/05 08:38:30 [Hidden process]: C:\WINNT\system32\wins\$MssRk\HxDef\$MssRk.exe
05/18/05 08:38:30 [Info]: Process scan done
05/18/05 08:38:30 [Info]: Filesystem scan started
05/18/05 08:38:30 [Info]: Filesystem scan engine version: 1.7 (build 100
05/18/05 08:38:30 : Running normal mode scan
05/18/05 08:38:39 [Hidden file]: C:\Documents and Settings\Administrator\Local Settings\Temp\wins.exe
05/18/05 08:38:39 : 10002 1
05/18/05 08:38:40 [Hidden file]: C:\Documents and Settings\Administrator\Local Settings\Temp\winsmon.dll
05/18/05 08:38:40 : 10002 1
05/18/05 08:38:40 [Hidden file]: C:\Documents and Settings\Administrator\Local Settings\Temp\winspool.drv
05/18/05 08:38:40 : 10002 1
05/18/05 08:38:41 [Hidden file]: C:\Documents and Settings\Administrator\Local Settings\Temp\winsrv.dll
05/18/05 08:38:41 : 10002 1
05/18/05 08:38:41 [Hidden file]: C:\Documents and Settings\Administrator\Local Settings\Temp\winssnap.dll
05/18/05 08:38:41 : 10002 1
05/18/05 08:38:41 [Hidden file]: C:\Documents and Settings\Administrator\Local Settings\Temp\winsta.dll
05/18/05 08:38:41 : 10002 1
05/18/05 08:38:50 [Hidden file]: C:\WINNT\system32\wins\$MssRk\FTP-Server\$MssRkServer.exe
05/18/05 08:38:50 : 10002 3
05/18/05 08:38:50 [Hidden file]: C:\WINNT\system32\wins\$MssRk\FTP-Server\$MssRkSys32.ini
05/18/05 08:38:50 : 10002 3
05/18/05 08:38:50 [Hidden file]: C:\WINNT\system32\wins\$MssRk\FTP-Server\MssrKStartUpLog.txt
05/18/05 08:38:50 : 10002 3
05/18/05 08:38:50 [Hidden file]: C:\WINNT\system32\wins\$MssRk\FTP-Server\Server-Start.bat
05/18/05 08:38:50 : 10002 3
05/18/05 08:38:50 [Hidden file]: C:\WINNT\system32\wins\$MssRk\FTP-Server\Set-Restart.reg
05/18/05 08:38:50 : 10002 3
05/18/05 08:38:50 [Hidden file]: C:\WINNT\system32\wins\$MssRk\HxDef\$MssRk.exe
05/18/05 08:38:50 : 10002 3
05/18/05 08:38:50 [Hidden file]: C:\WINNT\system32\wins\$MssRk\HxDef\$MssRk.ini
05/18/05 08:38:50 : 10002 3
05/18/05 08:38:50 [Hidden file]: C:\WINNT\system32\wins\$MssRk\Messages\Admin.txt
05/18/05 08:38:50 : 10002 3
05/18/05 08:38:50 [Hidden file]: C:\WINNT\system32\wins\$MssRk\Messages\Changedir.txt
05/18/05 08:38:50 : 10002 3
05/18/05 08:38:50 [Hidden file]: C:\WINNT\system32\wins\$MssRk\Messages\User.txt
05/18/05 08:38:50 : 10002 3
05/18/05 08:38:50 [Hidden file]: C:\WINNT\system32\wins\$MssRk\Start.bat
05/18/05 08:38:50 : 10002 3
05/18/05 08:38:51 [Hidden file]: C:\WINNT\system32\wins\$MssRk\Tools\Autospeed\pslist.exe
05/18/05 08:38:51 : 10002 3
05/18/05 08:38:51 [Hidden file]: C:\WINNT\system32\wins\$MssRk\Tools\PsList\PsList.bat
05/18/05 08:38:51 : 10002 3
05/18/05 08:38:51 [Hidden file]: C:\WINNT\system32\wins\$MssRk\Tools\PsList\PsList.exe
05/18/05 08:38:51 : 10002 3
05/18/05 08:38:51 [Hidden file]: C:\WINNT\system32\wins\$MssRk\Tools\PsService\PsService.bat
05/18/05 08:38:51 : 10002 3
05/18/05 08:38:51 [Hidden file]: C:\WINNT\system32\wins\$MssRk\Tools\PsService\PsService.exe
05/18/05 08:38:51 : 10002 3
05/18/05 08:38:51 [Hidden file]: C:\WINNT\system32\wins\wins.mdb
05/18/05 08:38:51 : 10002 3
05/18/05 08:38:51 [Hidden file]: C:\WINNT\system32\wins\winstmp.mdb
05/18/05 08:38:51 : 10002 3
05/18/05 08:38:58 [Hidden file]: C:\WINNT\system32\$MssRk.exe
05/18/05 08:38:58 : 10002 1
05/18/05 08:38:59 [Hidden file]: C:\WINNT\system32\winsrpc.dll
05/18/05 08:38:59 : 10002 1
05/18/05 08:39:00 [Hidden file]: C:\WINNT\system32\WINSRV.DLL
05/18/05 08:39:00 : 10002 1
05/18/05 08:39:00 [Hidden file]: C:\WINNT\system32\winssnap.dll
05/18/05 08:39:00 : 10002 1
05/18/05 08:39:01 [Hidden file]: C:\WINNT\system32\winsta.dll
05/18/05 08:39:01 : 10002 1
05/18/05 08:39:01 [Hidden file]: C:\WINNT\system32\winstrm.dll
05/18/05 08:39:01 : 10002 1
05/18/05 08:39:02 [Hidden file]: C:\WINNT\system32\winspool.exe
05/18/05 08:39:02 : 10002 1
05/18/05 08:39:03 [Hidden file]: C:\WINNT\system32\wins\$MssRk\FTP-Server\$MssRkServer.exe
05/18/05 08:39:03 : 10002 3
05/18/05 08:39:03 [Hidden file]: C:\WINNT\system32\wins\$MssRk\FTP-Server\$MssRkSys32.ini
05/18/05 08:39:03 : 10002 3
05/18/05 08:39:03 [Hidden file]: C:\WINNT\system32\wins\$MssRk\FTP-Server\MssrKStartUpLog.txt
05/18/05 08:39:03 : 10002 3
05/18/05 08:39:03 [Hidden file]: C:\WINNT\system32\wins\$MssRk\FTP-Server\Server-Start.bat
05/18/05 08:39:03 : 10002 3
05/18/05 08:39:03 [Hidden file]: C:\WINNT\system32\wins\$MssRk\FTP-Server\Set-Restart.reg
05/18/05 08:39:03 : 10002 3
05/18/05 08:39:03 [Hidden file]: C:\WINNT\system32\wins\$MssRk\HxDef\$MssRk.exe
05/18/05 08:39:03 : 10002 3
05/18/05 08:39:03 [Hidden file]: C:\WINNT\system32\wins\$MssRk\HxDef\$MssRk.ini
05/18/05 08:39:03 : 10002 3
05/18/05 08:39:03 [Hidden file]: C:\WINNT\system32\wins\$MssRk\Messages\Admin.txt
05/18/05 08:39:03 : 10002 3
05/18/05 08:39:03 [Hidden file]: C:\WINNT\system32\wins\$MssRk\Messages\Changedir.txt
05/18/05 08:39:03 : 10002 3
05/18/05 08:39:03 [Hidden file]: C:\WINNT\system32\wins\$MssRk\Messages\User.txt
05/18/05 08:39:03 : 10002 3
05/18/05 08:39:03 [Hidden file]: C:\WINNT\system32\wins\$MssRk\Start.bat
05/18/05 08:39:03 : 10002 3
05/18/05 08:39:03 [Hidden file]: C:\WINNT\system32\wins\$MssRk\Tools\Autospeed\pslist.exe
05/18/05 08:39:03 : 10002 3
05/18/05 08:39:03 [Hidden file]: C:\WINNT\system32\wins\$MssRk\Tools\PsList\PsList.bat
05/18/05 08:39:03 : 10002 3
05/18/05 08:39:03 [Hidden file]: C:\WINNT\system32\wins\$MssRk\Tools\PsList\PsList.exe
05/18/05 08:39:03 : 10002 3
05/18/05 08:39:03 [Hidden file]: C:\WINNT\system32\wins\$MssRk\Tools\PsService\PsService.bat
05/18/05 08:39:03 : 10002 3
05/18/05 08:39:03 [Hidden file]: C:\WINNT\system32\wins\$MssRk\Tools\PsService\PsService.exe
05/18/05 08:39:03 : 10002 3
05/18/05 08:39:03 [Hidden file]: C:\WINNT\system32\wins\wins.mdb
05/18/05 08:39:03 : 10002 3
05/18/05 08:39:03 [Hidden file]: C:\WINNT\system32\wins\winstmp.mdb
05/18/05 08:39:03 : 10002 3
05/18/05 08:39:03 [Hidden file]: C:\WINNT\system32\WINS.EXE
05/18/05 08:39:03 : 10002 1
05/18/05 08:39:04 [Hidden file]: C:\WINNT\system32\wins.mib
05/18/05 08:39:04 : 10002 1
05/18/05 08:39:05 [Hidden file]: C:\WINNT\system32\winscard.dll
05/18/05 08:39:05 : 10002 1
05/18/05 08:39:05 [Hidden file]: C:\WINNT\system32\winsctrs.dll
05/18/05 08:39:05 : 10002 1
05/18/05 08:39:06 [Hidden file]: C:\WINNT\system32\winsevnt.dll
05/18/05 08:39:06 : 10002 1
05/18/05 08:39:06 [Hidden file]: C:\WINNT\system32\winsmgmt.msc
05/18/05 08:39:06 : 10002 1
05/18/05 08:39:06 [Hidden file]: C:\WINNT\system32\winsmib.dll
05/18/05 08:39:06 : 10002 1
05/18/05 08:39:07 [Hidden file]: C:\WINNT\system32\winsmon.dll
05/18/05 08:39:07 : 10002 1
05/18/05 08:39:07 [Hidden file]: C:\WINNT\system32\winsock.dll
05/18/05 08:39:07 : 10002 1
05/18/05 08:39:08 [Hidden file]: C:\WINNT\system32\WINSPOOL.DRV
05/18/05 08:39:08 : 10002 1
05/18/05 08:39:08 [Info]: Filesystem scan completed
*************************************************
The $MssRk was the key to this whole thing. When we finally got to the bottom of this whole thing we were able to rename and delete the culprit and get our system back to normal.

Anyone else ever hear of this?
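A note on what the log shows, and an added triage script (this is an editor's example, not code from the post, from F-Secure, or from the rootkit). The `HxDef` directory name and the `$MssRk.ini` sitting beside `$MssRk.exe` are consistent with the Hacker Defender family of user-mode rootkits, which hides files, directories and processes whose names match wildcard masks listed in its ini file. Read that way, the log makes sense: every hidden path either contains a component beginning with `$MssRk` (the rootkit's own tree and its copy in system32) or a component beginning with `wins`, so a mask of roughly `wins*` would sweep genuine Windows components such as winsock.dll, WINSPOOL.DRV and WINS.EXE out of the GUI along with the payload. The masks `$MssRk*` and `wins*` below are an inference from the file names, not something recovered from the ini, and the embedded log excerpt is a constructed subset of the one quoted above.

```python
"""Triage a BlackLight-style hidden-item log.

Added example, not code from the post, from F-Secure or from the rootkit.
Assumptions: hidden items appear on lines shaped
  "<date> <time> [Hidden file]: <path>" / "[Hidden process]: <path>",
status lines such as ": 10002 1" carry nothing we need, and the hide masks
"$MssRk*" and "wins*" are inferred from the file names in the post, not read
from a recovered $MssRk.ini.
"""
import fnmatch
import re
from collections import OrderedDict

# Constructed excerpt of the log quoted in the post (a subset, with the
# duplicated $MssRk.ini entry kept to exercise de-duplication).
SAMPLE_LOG = r"""
05/18/05 08:38:30 [Hidden process]: C:\WINNT\system32\wins\$MssRk\HxDef\$MssRk.exe
05/18/05 08:38:39 [Hidden file]: C:\Documents and Settings\Administrator\Local Settings\Temp\wins.exe
05/18/05 08:38:39 : 10002 1
05/18/05 08:38:50 [Hidden file]: C:\WINNT\system32\wins\$MssRk\FTP-Server\$MssRkServer.exe
05/18/05 08:38:50 : 10002 3
05/18/05 08:38:50 [Hidden file]: C:\WINNT\system32\wins\$MssRk\HxDef\$MssRk.ini
05/18/05 08:38:50 : 10002 3
05/18/05 08:38:51 [Hidden file]: C:\WINNT\system32\wins\wins.mdb
05/18/05 08:38:51 : 10002 3
05/18/05 08:38:58 [Hidden file]: C:\WINNT\system32\$MssRk.exe
05/18/05 08:38:58 : 10002 1
05/18/05 08:39:03 [Hidden file]: C:\WINNT\system32\wins\$MssRk\HxDef\$MssRk.ini
05/18/05 08:39:03 : 10002 3
05/18/05 08:39:03 [Hidden file]: C:\WINNT\system32\WINS.EXE
05/18/05 08:39:03 : 10002 1
05/18/05 08:39:07 [Hidden file]: C:\WINNT\system32\winsock.dll
05/18/05 08:39:07 : 10002 1
05/18/05 08:39:08 [Hidden file]: C:\WINNT\system32\WINSPOOL.DRV
05/18/05 08:39:08 : 10002 1
05/18/05 08:39:08 [Info]: Filesystem scan completed
"""

HIDDEN_RE = re.compile(r"^\S+ \S+ \[Hidden (process|file)\]: (.+)$")

# Inferred masks (assumption, see module docstring). Hiding a directory hides
# everything below it, so the checks below test every path component.
ROOTKIT_MASKS = ["$MssRk*"]
BROAD_MASKS = ["wins*"]


def parse_blacklight(text):
    """Return ordered, de-duplicated (kind, path) pairs for hidden items."""
    seen = OrderedDict()
    for line in text.splitlines():
        m = HIDDEN_RE.match(line.strip())
        if m:
            seen.setdefault((m.group(1), m.group(2).strip()), None)
    return list(seen)


def _matches_any(path, masks):
    # Case-insensitive, like the Windows file system; fnmatchcase avoids
    # platform-dependent behaviour of fnmatch.fnmatch on the verifier host.
    comps = path.split("\\")
    return any(fnmatch.fnmatchcase(c.lower(), m.lower()) for c in comps for m in masks)


def hidden_processes(entries):
    """Hidden processes are the live foothold: stop or rename these first."""
    return [p for kind, p in entries if kind == "process"]


def classify(entries, rootkit_masks=ROOTKIT_MASKS, broad_masks=BROAD_MASKS):
    """Split hidden paths into: payload (a rootkit mask matches some component),
    mask_only (hidden only by the broad name mask: genuine OS files swept up as
    collateral, or dropped copies; verify each against known-good media), and
    unexplained (the inferred masks do not account for it; revisit the masks)."""
    payload, mask_only, unexplained = [], [], []
    for _kind, path in entries:
        if _matches_any(path, rootkit_masks):
            payload.append(path)
        elif _matches_any(path, broad_masks):
            mask_only.append(path)
        else:
            unexplained.append(path)
    return payload, mask_only, unexplained


def common_name_prefix(paths):
    """Longest shared prefix of the file names, lower-cased. Run on the mask_only
    set it recovers the broad mask the rootkit is most likely using."""
    names = [p.rsplit("\\", 1)[-1].lower() for p in paths]
    if not names:
        return ""
    prefix = names[0]
    for n in names[1:]:
        while not n.startswith(prefix):
            prefix = prefix[:-1]
    return prefix


if __name__ == "__main__":
    items = parse_blacklight(SAMPLE_LOG)
    rk, mo, un = classify(items)
    print("hidden processes:", hidden_processes(items))
    print("rootkit payload :", rk)
    print("mask-only       :", mo, "(likely mask: %s*)" % common_name_prefix(mo))
    print("unexplained     :", un)
```

Run against the full log from the post, `unexplained` should come back empty if the two inferred masks are right; anything left in it means the rootkit is hiding by a rule the masks do not capture, and the list of mask-only files is the set to compare against a known-good Windows 2000 SP4 install before trusting the server again. Renaming the rootkit files so the masks no longer match (as the original poster did) is what makes them reappear, but a machine that has had a user-mode rootkit and an FTP server dropped on it should still be rebuilt from clean media rather than trusted after cleanup.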
