General Security: Post any general questions related to security, viruses or spyware here.
WindowsBBS is an online community dedicated to easily accessible technical support for those using Microsoft operating systems and other Windows software.
Working on a customer's machine that was pretty infected (spyware/viruses/worms); I thought I had it cleaned up. I contacted the customer about 2 suspicious "network drives"; she said she had not created them. I disconnected them, and when it restarted was when ZoneAlarm notified me that ppi.exe and dirote.exe were trying to access the internet. Not sure if those drives are relevant, but I thought I would mention it. I think the drive names were: d$winbackup and windevelopement.
One of the quick flashes on boot up was an ftp window.
This thread was VERY helpful, thanks to all, Joe
Good to hear you found help here, and thanks for the added input. If you think of anything else, or learn anything else about it, please post it here. We're obviously on to something new and complex, with what appears to be a target date of 7-05-2004 for something. I've been tracking some other discussions also and will post more information that may be helpful as I find it. Some of what I've found suggests that this may remain resident in memory even after deleted, and recreate itself.
I did receive an email from Panda AV that simply said, "Thank you for the file submission. We have added it to our signatures."
Hope that means their scanner can detect and remove it, even with it being hidden by the running process.
Thanks newt for the welcome. Not much more to post here.
I downloaded and tried Agent Ransack. With the dirote.exe in memory, the source file cannot be found. In addition, this happens with other trusted binaries of command.com. I tried with a copy of Helix (a forensics CD with a trusted command.com and other Windows forensic tools) and I got the same results from dir within the system32 dir. The files are very well hidden unless you are a technical person and know what you are doing.
Others are indicating they can see the dir after stopping the dirote and ppi services. I am getting different results where I cannot see it at all unless I go to a Linux OS, or cd directly to it. But then again I did not delete it out of the registry or reboot, since I want to explore this more.
I infected a VMware system with the d0r1t1s.exe; this is the file that is made available via ftp when a system is infected. This file is located in another well hidden dir, c:\Temp. The d0r1t1s.exe is the only file in the hidden Temp dir. Once the application is executed, the newly infected system does a standard DNS query to 0rdez.q8hell.org. It also puts the dirote.exe and ppi.exe into memory and creates the dir f0r0r in the system32 dir. Also, an ftp server is set up locally and the same file, dor1t1s.exe, is made available. If you look at the processes when the system first boots, you will see van32.exe and dordo.exe in the processes, but they soon disappear.
There was nothing else downloaded from the domain 0rdez.q8hell.org
As for the reinstallation, many viruses will call themselves back through the Windows XP restore. So disable System Restore (Windows XP) when taking care of viruses. But as complex as this one is, it will be very easy to miss something.
As stated earlier, I ran a sniffer online with the infected system. Other than the DNS (which does happen more than just on boot, but nothing that will catch the eye unless paying close attention), this trojan makes very little network noise.
-Roger
Last edited by rogerwroberts; 17th May 2004 at 04:15.
Reason: small note to add
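Added defender-side example, not code from the thread: a small triage script that checks for the indicators the posts name (the ppi.exe/dirote.exe/van32.exe/dordo.exe processes, the hidden f0r0r and c:\Temp directories, and the DNS lookup of 0rdez.q8hell.org), and that flags a directory as hidden when it is missing from its parent's listing but reachable by direct path, which is the dir-versus-cd discrepancy Roger describes. The process list, DNS log lines and directory listings are constructed sample input, not captures from the infected machine.

```python
import re
import ntpath

# Indicators named in the thread (process names, hidden directories, DNS name).
SUSPECT_PROCESSES = {"ppi.exe", "dirote.exe", "van32.exe", "dordo.exe", "d0r1t1s.exe"}
SUSPECT_DIRS = {r"c:\windows\system32\f0r0r", r"c:\temp"}
SUSPECT_DOMAIN = "0rdez.q8hell.org"

def flag_processes(tasklist_lines):
    """Return suspect image names seen in tasklist-style output (first column = image)."""
    found = set()
    for line in tasklist_lines:
        cols = line.split()
        if cols and cols[0].lower() in SUSPECT_PROCESSES:
            found.add(cols[0].lower())
    return sorted(found)

def flag_dns(log_lines):
    """Return log lines that resolve the C2 host name or any label under it."""
    pat = re.compile(r"(^|[\s.])" + re.escape(SUSPECT_DOMAIN) + r"\b", re.I)
    return [line for line in log_lines if pat.search(line)]

def hidden_dirs(listing, probe):
    """Directories absent from the parent's listing (what 'dir' shows) yet reachable
    by direct path (what 'cd' into it shows), i.e. hidden from enumeration.
    listing: parent dir -> entries seen; probe: full path -> True if it opened directly."""
    out = []
    for path in SUSPECT_DIRS:
        parent, name = ntpath.split(path)
        seen = {e.lower() for e in listing.get(parent.lower(), ())}
        if probe.get(path, False) and name.lower() not in seen:
            out.append(path)
    return sorted(out)

# Constructed sample input, not captured from the infected machine in the thread.
SAMPLE_TASKLIST = ["Image Name PID", "System 4", "explorer.exe 1204", "dirote.exe 1388", "ppi.exe 1412"]
SAMPLE_DNS = ["2004-05-17 04:10:01 client 192.168.1.20 query A 0rdez.q8hell.org",
              "2004-05-17 04:10:05 client 192.168.1.20 query A update.microsoft.com"]
SAMPLE_LISTING = {r"c:\windows\system32": {"cmd.exe", "drivers"}, "c:\\": {"windows", "program files"}}
SAMPLE_PROBE = {r"c:\windows\system32\f0r0r": True, r"c:\temp": True}

if __name__ == "__main__":
    print("suspect processes:", flag_processes(SAMPLE_TASKLIST))
    print("C2 lookups:", flag_dns(SAMPLE_DNS))
    print("hidden dirs:", hidden_dirs(SAMPLE_LISTING, SAMPLE_PROBE))
```

On a real machine the listing would come from a trusted shell booted outside the infected OS (as with the Helix CD mentioned above), since the thread shows that dir output from the running system cannot be trusted.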