
Security Forums


vsmon virus alert!

symetric
Joined: 29 Jun 2004
Posts: 0
Location: Sweden

Posted: Tue Jun 29, 2004 3:10 pm    Post subject: vsmon virus alert!

Hi everybody.
I got some kind of worm/virus (don't know really) that masked itself as vsmon.exe (TrueVector internet monitoring from ZoneAlarm).
It started to listen on the epmap port (135) and started between 50 and 100 connections to other random IPs (mostly my own ISP) on epmap (port 135).

It started one day when vsmon.exe, wserv32.exe and pdshed.exe (in the registry they called themselves "zone alarm", "windows update" and "directx") suddenly asked for permission to access the internet. I knew that vsmon belongs to ZoneAlarm, so I gave it access. Big mistake.
The fake vsmon.exe file places itself in c:\windows\system32\vsmon.exe (invisible).
The real file should be in c:\windows\system32\zonelabs\vsmon.exe (or something like that).

The real vsmon.exe DOES NOT ask for permission to access the internet.

/symetric
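As an added defender's check (not the poster's code, and not anything shipped by ZoneAlarm): the masquerade described in this post rests on two tells, a trusted file name living in the wrong directory, and a Run-key entry with a trusted-sounding display name pointing at a bare System32 binary. The Python below normalizes Windows paths case-insensitively and flags both. The entries are a constructed sample, and the ZoneLabs directory is taken from the poster's recollection ("or something like that"), so treat it as an assumption to adjust for your own install.

```python
from pathlib import PureWindowsPath

# Where a binary of this name is expected to live. The ZoneLabs directory is
# the poster's recollection ("or something like that"): an assumption to
# adjust for your own install, not a vendor-documented path.
EXPECTED_DIRS = {
    "vsmon.exe": [r"C:\WINDOWS\System32\ZoneLabs"],
}

# Autorun display names the worm used to look like trusted software.
IMPERSONATED_NAMES = {"zone alarm", "windows update", "directx"}

# Constructed sample of a process/Run-key listing (hypothetical values).
SAMPLE_ENTRIES = [
    {"path": r"c:\windows\system32\zonelabs\vsmon.exe", "autorun": None},
    {"path": r"C:\WINDOWS\System32\vsmon.exe", "autorun": "zone alarm"},
    {"path": r"C:\WINDOWS\System32\wserv32.exe", "autorun": "windows update"},
    {"path": r"C:\WINDOWS\System32\pdshed.exe", "autorun": "directx"},
    {"path": r"C:\WINDOWS\explorer.exe", "autorun": None},
]


def check_entry(entry):
    """Return the reasons an entry looks like a masquerade (empty list if clean)."""
    reasons = []
    path = PureWindowsPath(entry["path"])      # PureWindowsPath compares case-insensitively
    name = path.name.lower()
    expected = [PureWindowsPath(d) for d in EXPECTED_DIRS.get(name, [])]
    in_vendor_dir = any(path.parent == d for d in expected)

    # 1. A known binary name outside its vendor directory.
    if expected and not in_vendor_dir:
        reasons.append(f"{name} found in {path.parent}, expected one of {EXPECTED_DIRS[name]}")

    # 2. An autorun entry named after trusted software whose binary is not
    #    in a vendor directory we can vouch for.
    autorun = (entry.get("autorun") or "").lower()
    if autorun in IMPERSONATED_NAMES and not in_vendor_dir:
        reasons.append(f"autorun '{autorun}' starts {path}, which is not a vendor path")
    return reasons


def find_masquerades(entries):
    """Map each suspicious path to its reasons; clean entries are omitted."""
    flagged = {}
    for entry in entries:
        reasons = check_entry(entry)
        if reasons:
            flagged[entry["path"]] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in find_masquerades(SAMPLE_ENTRIES).items():
        print(path)
        for r in reasons:
            print("  -", r)
```

The point of rule 2 is the one the poster learned the hard way: a firewall prompt naming a trusted product says nothing about which file is asking, so the decision has to be made on the full path, not the name.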
symetric
Joined: 29 Jun 2004
Posts: 0
Location: Sweden

Posted: Tue Jun 29, 2004 5:32 pm

I found this "debug.txt" in my c:\ folder.
I think this has something to do with the virus I've got. It connected to some IRC server (that no longer exists) and downloaded some file.
I have a dynamic IP from my ISP, so I didn't bother to remove it. And you shouldn't bother to try anything tricky ;P


NICK [IRC]|903104
USER jxefvw 0 0 :[IRC]|903104
:irc.rocketdive.us NOTICE AUTH :*** Looking up your hostname...
:irc.rocketdive.us NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
:irc.rocketdive.us 001 [IRC]|903104 :Welcome to the ROXnet IRC Network [IRC]|903104!jxefvw@81.225.216.199
USERHOST [IRC]|903104
MODE [IRC]|903104 -x+B
JOIN #irc dayaftertomorrow
:irc.rocketdive.us 002 [IRC]|903104 :Your host is irc.rocketdive.us, running version Unreal3.2
:irc.rocketdive.us 003 [IRC]|903104 :This server was created Wed Jun 23 2004 at 12:26:09 BST
:irc.rocketdive.us 004 [IRC]|903104 irc.rocketdive.us Unreal3.2 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeKVfMGCuzNT
:irc.rocketdive.us 005 [IRC]|903104 MAP KNOCK SAFELIST HCN MAXCHANNELS=10 MAXBANS=60 NICKLEN=30 TOPICLEN=307 KICKLEN=307 MAXTARGETS=20 AWAYLEN=307 :are supported by this server
USERHOST [IRC]|903104
MODE [IRC]|903104 -x+B
JOIN #irc dayaftertomorrow
:irc.rocketdive.us 005 [IRC]|903104 WALLCHOPS WATCH=128 SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(ohv)@%+ CHANMODES=beqa,kfL,l,psmntirRcOAQKVGCuzNSMT NETWORK=ROXnet CASEMAPPING=ascii EXTBAN=~,cqr :are supported by this server
USERHOST [IRC]|903104
MODE [IRC]|903104 -x+B
JOIN #irc dayaftertomorrow
:irc.rocketdive.us 251 [IRC]|903104 :There are 1 users and 2587 invisible on 1 servers
:irc.rocketdive.us 252 [IRC]|903104 2 :operator(s) online
:irc.rocketdive.us 253 [IRC]|903104 9 :unknown connection(s)
:irc.rocketdive.us 254 [IRC]|903104 8 :channels formed
:irc.rocketdive.us 255 [IRC]|903104 :I have 2588 clients and 0 servers
:irc.rocketdive.us 265 [IRC]|903104 :Current Local Users: 2588 Max: 2626
:irc.rocketdive.us 266 [IRC]|903104 :Current Global Users: 2588 Max: 2626
:irc.rocketdive.us 422 [IRC]|903104 :MOTD File is missing
:[IRC]|903104 MODE [IRC]|903104 :+iwx
:irc.rocketdive.us 302 [IRC]|903104 :[IRC]|903104=+jxefvw@81.225.216.199
:irc.rocketdive.us NOTICE [IRC]|903104 :BOTMOTD File not found
:[IRC]|903104 MODE [IRC]|903104 Mad+B
:[IRC]|903104!jxefvw@81.225.216.199 JOIN :#irc
:irc.rocketdive.us 332 [IRC]|903104 #irc :.advscan lsass 100 0 0 -r
PRIVMSG #irc :[SCAN]: Random Port Scan started on 81.225.x.x:445 with a delay of 5 seconds for 0 minutes using 100 threads.
:irc.rocketdive.us 333 [IRC]|903104 #irc S 1088263626
:irc.rocketdive.us 353 [IRC]|903104 @ #irc :[IRC]|903104
:irc.rocketdive.us 366 [IRC]|903104 #irc :End of /NAMES list.
:irc.rocketdive.us 302 [IRC]|903104 :[IRC]|903104=+jxefvw@81.225.216.199
:irc.rocketdive.us 302 [IRC]|903104 :[IRC]|903104=+jxefvw@81.225.216.199
:irc.rocketdive.us 404 [IRC]|903104 #irc :You need voice (+v) (#irc)
PING :irc.rocketdive.us
PONG :irc.rocketdive.us
NICK [IRC]|817165
USER crefrmnz 0 0 :[IRC]|817165
:irc.rocketdive.us NOTICE AUTH :*** Looking up your hostname...
:irc.rocketdive.us NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
:irc.rocketdive.us 001 [IRC]|817165 :Welcome to the ROXnet IRC Network [IRC]|817165!crefrmnz@81.225.216.199
USERHOST [IRC]|817165
MODE [IRC]|817165 -x+B
JOIN #irc dayaftertomorrow
:irc.rocketdive.us 002 [IRC]|817165 :Your host is irc.rocketdive.us, running version Unreal3.2
:irc.rocketdive.us 003 [IRC]|817165 :This server was created Wed Jun 23 2004 at 12:26:09 BST
:irc.rocketdive.us 004 [IRC]|817165 irc.rocketdive.us Unreal3.2 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeKVfMGCuzNT
:irc.rocketdive.us 005 [IRC]|817165 MAP KNOCK SAFELIST HCN MAXCHANNELS=10 MAXBANS=60 NICKLEN=30 TOPICLEN=307 KICKLEN=307 MAXTARGETS=20 AWAYLEN=307 :are supported by this server
USERHOST [IRC]|817165
MODE [IRC]|817165 -x+B
JOIN #irc dayaftertomorrow
:irc.rocketdive.us 005 [IRC]|817165 WALLCHOPS WATCH=128 SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(ohv)@%+ CHANMODES=beqa,kfL,l,psmntirRcOAQKVGCuzNSMT NETWORK=ROXnet CASEMAPPING=ascii EXTBAN=~,cqr :are supported by this server
USERHOST [IRC]|817165
MODE [IRC]|817165 -x+B
JOIN #irc dayaftertomorrow
:irc.rocketdive.us 251 [IRC]|817165 :There are 1 users and 2651 invisible on 1 servers
:irc.rocketdive.us 252 [IRC]|817165 2 :operator(s) online
:irc.rocketdive.us 253 [IRC]|817165 11 :unknown connection(s)
:irc.rocketdive.us 254 [IRC]|817165 8 :channels formed
:irc.rocketdive.us 255 [IRC]|817165 :I have 2652 clients and 0 servers
:irc.rocketdive.us 265 [IRC]|817165 :Current Local Users: 2652 Max: 2662
:irc.rocketdive.us 266 [IRC]|817165 :Current Global Users: 2652 Max: 2662
:irc.rocketdive.us 422 [IRC]|817165 :MOTD File is missing
:[IRC]|817165 MODE [IRC]|817165 :+iwx
:irc.rocketdive.us 302 [IRC]|817165 :[IRC]|817165=+crefrmnz@81.225.216.199
:irc.rocketdive.us NOTICE [IRC]|817165 :BOTMOTD File not found
:[IRC]|817165 MODE [IRC]|817165 Mad+B
:[IRC]|817165!crefrmnz@81.225.216.199 JOIN :#irc
:irc.rocketdive.us 332 [IRC]|817165 #irc :.advscan lsass 100 0 0 -r
PRIVMSG #irc :[SCAN]: Random Port Scan started on 81.225.x.x:445 with a delay of 5 seconds for 0 minutes using 100 threads.
:irc.rocketdive.us 333 [IRC]|817165 #irc S 1088263626
:irc.rocketdive.us 353 [IRC]|817165 @ #irc :[IRC]|817165
:irc.rocketdive.us 366 [IRC]|817165 #irc :End of /NAMES list.
:irc.rocketdive.us 302 [IRC]|817165 :[IRC]|817165=+crefrmnz@81.225.216.199
:irc.rocketdive.us 302 [IRC]|817165 :[IRC]|817165=+crefrmnz@81.225.216.199
:irc.rocketdive.us 404 [IRC]|817165 #irc :You need voice (+v) (#irc)
:CookAh!noob@k.null MODE #irc +o CookAh
:CookAh!noob@k.null MODE #irc -o CookAh
PING :irc.rocketdive.us
PONG :irc.rocketdive.us
NICK [IRC]|990347
USER mrpqizhb 0 0 :[IRC]|990347
:irc.rocketdive.us NOTICE AUTH :*** Looking up your hostname...
:irc.rocketdive.us NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
:irc.rocketdive.us 001 [IRC]|990347 :Welcome to the ROXnet IRC Network [IRC]|990347!mrpqizhb@81.225.216.199
USERHOST [IRC]|990347
MODE [IRC]|990347 -x+B
JOIN #irc dayaftertomorrow
:irc.rocketdive.us 002 [IRC]|990347 :Your host is irc.rocketdive.us, running version Unreal3.2
:irc.rocketdive.us 003 [IRC]|990347 :This server was created Wed Jun 23 2004 at 12:26:09 BST
:irc.rocketdive.us 004 [IRC]|990347 irc.rocketdive.us Unreal3.2 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeKVfMGCuzNT
:irc.rocketdive.us 005 [IRC]|990347 MAP KNOCK SAFELIST HCN MAXCHANNELS=10 MAXBANS=60 NICKLEN=30 TOPICLEN=307 KICKLEN=307 MAXTARGETS=20 AWAYLEN=307 :are supported by this server
USERHOST [IRC]|990347
MODE [IRC]|990347 -x+B
JOIN #irc dayaftertomorrow
:irc.rocketdive.us 005 [IRC]|990347 WALLCHOPS WATCH=128 SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(ohv)@%+ CHANMODES=beqa,kfL,l,psmntirRcOAQKVGCuzNSMT NETWORK=ROXnet CASEMAPPING=ascii EXTBAN=~,cqr :are supported by this server
USERHOST [IRC]|990347
MODE [IRC]|990347 -x+B
JOIN #irc dayaftertomorrow
:irc.rocketdive.us 251 [IRC]|990347 :There are 1 users and 2656 invisible on 1 servers
:irc.rocketdive.us 252 [IRC]|990347 2 :operator(s) online
:irc.rocketdive.us 253 [IRC]|990347 6 :unknown connection(s)
:irc.rocketdive.us 254 [IRC]|990347 8 :channels formed
:irc.rocketdive.us 255 [IRC]|990347 :I have 2657 clients and 0 servers
:irc.rocketdive.us 265 [IRC]|990347 :Current Local Users: 2657 Max: 2714
:irc.rocketdive.us 266 [IRC]|990347 :Current Global Users: 2657 Max: 2714
:irc.rocketdive.us 422 [IRC]|990347 :MOTD File is missing
:[IRC]|990347 MODE [IRC]|990347 :+iwx
:irc.rocketdive.us 302 [IRC]|990347 :[IRC]|990347=+mrpqizhb@81.225.216.199
:irc.rocketdive.us NOTICE [IRC]|990347 :BOTMOTD File not found
:[IRC]|990347 MODE [IRC]|990347 Mad+B
:[IRC]|990347!mrpqizhb@81.225.216.199 JOIN :#irc
:irc.rocketdive.us 332 [IRC]|990347 #irc :.advscan lsass 100 0 0 -r
PRIVMSG #irc :[SCAN]: Random Port Scan started on 81.225.x.x:445 with a delay of 5 seconds for 0 minutes using 100 threads.
:irc.rocketdive.us 333 [IRC]|990347 #irc S 1088263626
:irc.rocketdive.us 353 [IRC]|990347 @ #irc :[IRC]|990347
:irc.rocketdive.us 366 [IRC]|990347 #irc :End of /NAMES list.
:irc.rocketdive.us 302 [IRC]|990347 :[IRC]|990347=+mrpqizhb@81.225.216.199
:irc.rocketdive.us 302 [IRC]|990347 :[IRC]|990347=+mrpqizhb@81.225.216.199
:irc.rocketdive.us 404 [IRC]|990347 #irc :You need voice (+v) (#irc)
PING :irc.rocketdive.us
PONG :irc.rocketdive.us
PRIVMSG #irc :[lsass]: Exploiting IP: 81.225.159.42.
:irc.rocketdive.us 404 [IRC]|990347 #irc :You need voice (+v) (#irc)
PRIVMSG #irc :[TFTP]: File transfer started to IP: 81.225.159.42 (C:\WINDOWS\System32\rmptsin.exe).
:irc.rocketdive.us 404 [IRC]|990347 #irc :You need voice (+v) (#irc)
PING :irc.rocketdive.us
PONG :irc.rocketdive.us
PRIVMSG #irc :[lsass]: Exploiting IP: 81.225.221.144.
:irc.rocketdive.us 404 [IRC]|990347 #irc :You need voice (+v) (#irc)
PRIVMSG #irc :[TFTP]: File transfer started to IP: 81.225.221.144 (C:\WINDOWS\System32\rmptsin.exe).
:irc.rocketdive.us 404 [IRC]|990347 #irc :You need voice (+v) (#irc)
PRIVMSG #irc :[lsass]: Exploiting IP: 81.225.17.78.
:irc.rocketdive.us 404 [IRC]|990347 #irc :You need voice (+v) (#irc)
PING :irc.rocketdive.us
PONG :irc.rocketdive.us
PRIVMSG #irc :[lsass]: Exploiting IP: 81.225.207.161.
:irc.rocketdive.us 404 [IRC]|990347 #irc :You need voice (+v) (#irc)
PING :irc.rocketdive.us
PONG :irc.rocketdive.us

(I removed most of the PING-PONG lines)

If you can get any info out of this, I would be grateful.
/symetric
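Added example, not part of the original post: a small Python parser that pulls the useful indicators out of a debug.txt like the one above, namely the IRC server the bot reported to, the nickname it generated, the channel and key it joined, the channel topic it executed as a command, the hosts it reported attacking, and the file it pushed by TFTP. The lines follow the RFC 1459 shape (`:prefix COMMAND params :trailing`). The embedded excerpt is a handful of lines copied from the log above, so the values it yields are the poster's, not constructed ones; the status-report format (`[TAG]: text`) is assumed from those lines only.

```python
import re

# Excerpt of the debug.txt posted above (a few lines, in the same shape).
SAMPLE_LOG = r"""
NICK [IRC]|903104
USER jxefvw 0 0 :[IRC]|903104
:irc.rocketdive.us 001 [IRC]|903104 :Welcome to the ROXnet IRC Network [IRC]|903104!jxefvw@81.225.216.199
JOIN #irc dayaftertomorrow
:irc.rocketdive.us 332 [IRC]|903104 #irc :.advscan lsass 100 0 0 -r
PRIVMSG #irc :[SCAN]: Random Port Scan started on 81.225.x.x:445 with a delay of 5 seconds for 0 minutes using 100 threads.
PING :irc.rocketdive.us
PONG :irc.rocketdive.us
PRIVMSG #irc :[lsass]: Exploiting IP: 81.225.159.42.
PRIVMSG #irc :[TFTP]: File transfer started to IP: 81.225.159.42 (C:\WINDOWS\System32\rmptsin.exe).
PRIVMSG #irc :[lsass]: Exploiting IP: 81.225.221.144.
"""

# RFC 1459 line shape: optional ":prefix", a command, then parameters,
# the last of which may be a ":trailing" argument containing spaces.
IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+)\s+)?(?P<cmd>\S+)\s*(?P<rest>.*)$")
STATUS = re.compile(r"^\[(?P<tag>[A-Za-z]+)\]:\s*(?P<text>.*)$")   # bot status reports (assumed format)
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
DROP_PATH = re.compile(r"\(([A-Za-z]:\\[^)]+)\)")                   # "(C:\...\file.exe)"


def parse_line(line):
    """Split one IRC line into prefix, command, middle params and trailing text."""
    m = IRC_LINE.match(line)
    if not m:
        return None
    rest, trailing = m.group("rest"), None
    if rest.startswith(":"):
        trailing, rest = rest[1:], ""
    elif " :" in rest:
        rest, trailing = rest.split(" :", 1)
    return {"prefix": m.group("prefix"), "cmd": m.group("cmd"),
            "params": rest.split(), "trailing": trailing}


def extract_indicators(text):
    """Collect C2 and activity indicators from a bot's IRC debug log."""
    ind = {"servers": set(), "nicks": set(), "channels": {}, "topic_commands": set(),
           "self_ips": set(), "victim_ips": set(), "drop_paths": set(),
           "scan_announcements": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        msg = parse_line(line)
        if msg is None:
            continue
        cmd, params, trailing = msg["cmd"], msg["params"], msg["trailing"] or ""
        if cmd == "NICK" and params:                 # bot's generated nickname
            ind["nicks"].add(params[0])
        elif cmd == "JOIN" and params:               # channel and its key
            ind["channels"][params[0]] = params[1] if len(params) > 1 else None
        elif cmd == "001":                           # welcome: server name and our own host/IP
            ind["servers"].add(msg["prefix"])
            ind["self_ips"].update(IPV4.findall(trailing))
        elif cmd == "332" and trailing:              # channel topic doubles as the bot's command
            ind["topic_commands"].add(trailing)
        elif cmd == "PRIVMSG":                       # bot reporting back to the channel
            s = STATUS.match(trailing)
            if not s:
                continue
            tag, body = s.group("tag").lower(), s.group("text")
            if tag == "scan":
                ind["scan_announcements"].append(body)
            else:
                ind["victim_ips"].update(IPV4.findall(body))
                ind["drop_paths"].update(DROP_PATH.findall(body))
    return ind


if __name__ == "__main__":
    for key, value in extract_indicators(SAMPLE_LOG).items():
        print(f"{key:20} {sorted(value) if isinstance(value, set) else value}")
```

Two things in the output are worth acting on: the channel topic is the bot's standing order (here, scan and exploit LSASS on the local /16), so a 332 reply is the single most informative line in the log, and the `[lsass]`/`[TFTP]` reports name the hosts on the same ISP that this machine tried to infect, which is the list to hand to the ISP's abuse desk.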
Anub!$
Joined: 23 Sep 2003
Posts: 1
Location: Computer Chair

Posted: Tue Jun 29, 2004 5:44 pm

Hmmm, that's odd.

I did a Google search on that wserv32.exe, and it led back here to another thread.

http://www.security-forums.com/forum/viewtopic.php?t=15014

I also found this on it.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.AF

This may be what you have been infected with.
symetric
Joined: 29 Jun 2004
Posts: 0
Location: Sweden

Posted: Tue Jun 29, 2004 7:08 pm

Truly odd.
Yeah, maybe. But I'm using Trend Micro PC-cillin with all the latest updates, and it doesn't find anything. Strange, because one of your links refers to Trend Micro's virus database..

Thank you.

/symetric
arken
Joined: 02 Oct 2003
Posts: 1

Posted: Wed Jun 30, 2004 4:27 am

Looks like you were a drone in a botnet/dosnet... Pure and simple fact of the matter is that it looks like your system was owned, and might still be owned. Personally, I'd recommend a format of the drive.
symetric
Joined: 29 Jun 2004
Posts: 0
Location: Sweden

Posted: Wed Jun 30, 2004 2:11 pm

Maybe. But at least I've stopped the computer from making all those epmap connections =P Also cleaned the registry of those little bastards ;P (had to find them myself)
But that fake vsmon.exe had me there for a couple of hours =P
Well, I'll wait and see. If it keeps doing strange things, I might have to format.

/symetric (hopefully owned no longer)
All times are GMT + 2 Hours