Security Incidents mailing list archives
Re: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Wed, 08 May 2002 13:19:27 +1200
"Edwards, David (JTS)" <Edwards.Dave () saugov sa gov au> wrote:
> We've just found some instances of "netbuie.exe" running in some terminal server sessions here. The file was written to the Winnt\system32 directory about 6:00pm on Sunday and registry entries made in:
> HKLM/Software\Microsoft\windows\current version\run
> HKLM/Software\Microsoft\windows\run
First, why do non-admin users even have write access to these keys? If they don't, you clearly need to revise your site's judgments about who is worthy of having admin (equivalent) passwords.
> It seems to be a VB 5 PE that hits on two web sites, scorpionsearch.com and fastcounter.bcentral.com when run. Possibly just generating revenue for some bod somewhere.
It wouldn't be the first...
> Looks like the server wasn't fully patched, hfnetchk showed 6 Win2k Server patches missing and 2 IE6. This sounded familiar (when I first saw it) but I haven't been able to find any other references so I thought I'd make one :-) The worry is (of course) that the server is further compromised. Anyone seen this before?
Can't help you on the likely entry point, but given that non-admin
users can change crucial registry key contents or that some of your
admins are incompetent, I'm not sure that compromise via open
security vulnerabilities is the most obvious path of entry...
Anyway, aside from resolving how it got on your machines, please send
samples to your preferred antivirus developers. If this thing is
being actively spread (regardless of how) getting detection of it
into virus scanners is the best technique to reduce its continued
spread. To save you digging them out, here are the sample submission
addresses of the better-known AV developers:
Command Software <virus () commandcom com>
Computer Associates (US) <virus () ca com>
Computer Associates (Vet/EZ) <ipevirus () vet com au>
DialogueScience (Dr. Web) <Antivir () dials ru>
Eset (NOD32) <trnka () eset sk>
F-Secure Corp. <samples () f-secure com>
Frisk Software (F-PROT) <viruslab () f-prot com>
Grisoft (AVG) <virus () grisoft cz>
Kaspersky Labs <newvirus () kaspersky com>
Network Associates (McAfee) <virus_research () nai com>
Norman (NVC) <analysis () norman no>
Sophos Plc. <support () sophos com>
Symantec (Norton) <avsubmit () symantec com>
Trend Micro (PC-cillin) <virus_doctor () trendmicro com>
(Trend may only accept files from registered users of its
products)
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
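The two points raised in the reply (an unexpected autostart entry under the HKLM Run keys, and non-admin principals being able to write to those keys) can both be checked from an admin PowerShell session. The script below is an added example for readers of this archive, not code from either poster. It assumes the standard HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and RunOnce keys (the second key as quoted in the original mail is taken at face value and simply skipped if it does not exist) and a site-specific list of principals that may legitimately hold write access; adjust $trustedWriters to your own build standard.

```powershell
# Added example: audit HKLM autostart keys for unexpected entries and weak ACLs.
# Not from the original thread; key paths and trusted principals are assumptions.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\Run'   # as quoted in the original mail; skipped if absent
)

# Principals expected to hold write rights on HKLM autostart keys (site assumption).
$trustedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

# Rights that let a principal add or change an autostart value. FullControl contains
# all of these bits, so it is caught too. Deliberately excludes ReadPermissions,
# which is part of every read-only ACE.
$writeMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
             [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
             [System.Security.AccessControl.RegistryRights]::Delete -bor
             [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
             [System.Security.AccessControl.RegistryRights]::TakeOwnership

function Get-AutostartEntries {
    # Returns one object per value under each key, with the image path resolved where
    # possible and the file's timestamps and Authenticode status for timeline work.
    param([string[]]$Keys)
    foreach ($key in $Keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata (PSPath etc.), not a value
            $cmd = [string]$p.Value
            $exe = $null
            # Crude but adequate: first token ending in .exe, with or without quotes.
            if ($cmd -match '^\s*"?([^"]+?\.exe)"?') { $exe = $Matches[1] }
            $info = [pscustomobject]@{
                Key       = $key
                Name      = $p.Name
                Command   = $cmd
                Image     = $exe
                Created   = $null
                Modified  = $null
                Signature = 'n/a'
            }
            if ($exe -and (Test-Path -Path $exe)) {
                $f = Get-Item -Path $exe
                $info.Created   = $f.CreationTime
                $info.Modified  = $f.LastWriteTime
                $info.Signature = (Get-AuthenticodeSignature -FilePath $exe).Status
            }
            $info
        }
    }
}

function Get-WeakAutostartAces {
    # Returns Allow ACEs on the keys that grant write-class rights to principals
    # outside $Trusted. Any hit means a non-admin can add an autostart entry.
    param([string[]]$Keys, [string[]]$Trusted)
    foreach ($key in $Keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $acl = Get-Acl -Path $key
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (($ace.RegistryRights -band $writeMask) -eq 0) { continue }
            if ($Trusted -contains $ace.IdentityReference.Value) { continue }
            [pscustomobject]@{
                Key      = $key
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

"== Autostart entries (review anything unsigned or with a recent Created time) =="
Get-AutostartEntries -Keys $runKeys | Format-Table -AutoSize

"== Principals outside the trusted set with write rights on autostart keys =="
$weak = @(Get-WeakAutostartAces -Keys $runKeys -Trusted $trustedWriters)
if ($weak.Count -eq 0) { "none found" } else { $weak | Format-Table -AutoSize }
```

Run it elevated so Get-Acl can read the key security descriptors. The first table is what you compare against the host's build standard and against the timeline in the report (an image created out of hours, under System32, with a NotSigned status, is exactly the pattern described above). A non-empty second table answers the reply's first question: it names the group that could have planted the entry without an admin password, and the ACE it came in through.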
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
Current thread:
- netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com Edwards, David (JTS) (May 07)
- Re: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com Rainer Duffner (May 07)
- Re: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com H C (May 07)
- Re: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com Nick FitzGerald (May 07)
- Re: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com Brian McWilliams (May 09)
- <Possible follow-ups>
- RE: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com Edwards, David (JTS) (May 07)
- Re: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com Rainer Duffner (May 08)
- RE: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com Edwards, David (JTS) (May 08)
