
Serious Virus/Trojan - VSMONS.EXE Flooding Port 445

Discussion in 'Security and Privacy' started by DameSlap, 2004/07/17.

Thread Status:
Not open for further replies.
  1. 2004/07/17
    DameSlap

    DameSlap Inactive Thread Starter

    Joined:
    2004/07/17
    Messages:
    9
    Likes Received:
    0
    I'm Technical Services Manager for a medium sized transport organisation (circa 300 node network over twenty sites).

    Our largest site has just been hit by a very serious, but as yet unidentifiable virus/trojan. We have scoured the net and used all our contacts to try and find someone else who has seen this, but so far no joy. Details as follows:

    >Multiple Workstations (about 30) at one subnet on our WAN are generating huge amounts of TCP traffic for port 445 on random addresses (tens of millions of packets).
    >Problem only seems to affect XP workstations
    >Patching to latest MS levels does not seem to help (I guess we may have locked the stable door a little late . . .)
    >We have found a suspicious looking process running on all the "busy" workstations, named "vsmons.exe" (we note with suspicion that this is one character different from the ZoneAlarm executable name "vsmon.exe")
    >The executable is being told to start by five different locations in the registry
    >The executable resides as hidden, read-only file in \windows\system32\
    >If the process is running and the registry settings are removed, they are almost instantly re-written.
    >If the process is terminated (sometimes there is more than one instance of the process) and the registry settings removed, but the machine is connected to the network, it restarts a process and re-writes the registry.
    >We have managed to keep one machine "clean" by unplugging it, killing the processes and cleaning the registry. As soon as we reconnected to the LAN it re-infected.
    >Infected machines appear to lose all of their default shares (C$, ADMIN$)


    VirusScan Enterprise 7 (DAT 4377) does not show up anything, or the latest Stinger. Likewise Trend says everything is clean.

    I've written a script using kix and a few command line tools, which temporarily cleans the machines (kills any active vsmons processes, removes executable and cleans out any related registry entries). Unfortunately, give it twenty minutes left on our LAN and the machines will re-infect.

    For the time being our other sites seem to have escaped, since we have blocked all traffic for port 445 with an access list on the site's default gateway, but it's just covering up the problem. Currently, we are getting 75,000 hits a minute against the blocking access list! :eek:

    Any suggestions much appreciated,

    Andy
     
  2. 2004/07/17
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS DameSlap :)

    Sounds to me that although the virus/process may not be active on the non-XP network machines, they are indeed infected, and it is respreading itself throughout the network. What have you used to ensure that it is not active on the non-XP machines? Something like Process Explorer may be helpful in determining that. All machines must be locked down and cleaned before being reconnected to the network.

    In addition to removing the registry entries, you will need to remove the read-only attribute of the executable, take ownership of the file and delete it. It may need to be moved to a 'junk' folder and, additionally, from the properties of the folder, take ownership of its 'child occupants' to allow you to do so.

    You should also check the value data for this key and entry.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows......AppInit_DLLs
    If there is a dll filename present, it will probably be your baddie reinstalling things and will need to be deleted. You have to rename the Windows key, delete the value, name the key back then delete the file from safe mode.

    If unsure about anything or none of this helps, by all means post back. (I'd like to know if it does help too. ;) )
     


  4. 2004/07/17
    DameSlap

    DameSlap Inactive Thread Starter

    Joined:
    2004/07/17
    Messages:
    9
    Likes Received:
    0
    Hmm . . .

    OK, thanks a lot fear. Few things I haven't tried yet there.

    I've got to admit, we haven't looked very closely at the non-XP (NT4) machines yet since they hadn't displayed any symptoms and don't seem to be running the process, but as you say, probably a good idea to check it out.

    To be honest, this is all I've done for three solid days now and I'm a bit frayed around the edges.

    Can't find a scrap of information about this anywhere though, really does look brand new.

    I always thought I'd get caught out when my Virus Scanning software was out of date. Never thought I'd see something NAI hadn't.

    Thanks for your help.

    Andy
     
  5. 2004/07/17
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Quite welcome. :) The possibility of other OSes being carriers only is good, like with Sasser and 98. Unaffected but distribute. If possible, zip up a copy of the file(s) and submit to an AV company(s) for examination. Links can be provided to do that. Wouldn't mind having a copy myself to study. :rolleyes:
     
  6. 2004/07/17
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Might check one known to be infected with RAV too. Different set of reference files. Notices a lot of stuff that may be written suspiciously.
     
  7. 2004/07/20
    DameSlap

    DameSlap Inactive Thread Starter

    Joined:
    2004/07/17
    Messages:
    9
    Likes Received:
    0
    Update on VSMONS

    Just a quick update,

    >As far as I can tell, the NT machines really are completely clean. Can't see anything unusual.
    >LOCAL_MACHINE ... AppInit_DLLs is clean, even on definitely infected machines
    >Virus has sadly spread to our other sites, but largely we are able to control this with routing.
    >In addition to port 445 traffic, the virus is also trying to send information to IP 205.209.170.156 port 8777
    >I am beginning to hear about other people who have seen this now (one in particular alerted me to the 8777 traffic)
    >Sample files have been submitted to McAfee, diamondcs.com.au and nod32.com. Still awaiting results

    Anyone else who thinks they might be able to shed some light on this is welcome to a sample.

    Thanks,

    Andy Platt
     
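    An added example of my own (not the poster's kix script, nor any tool from this thread) that applies the two network indicators reported so far to flow records: a high fan-out of tcp/445 connections to distinct addresses from one source, and any connection to 205.209.170.156:8777. The record format, the thresholds and the sample flows are constructed for the example; only the port and the IP come from the thread.

```python
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    ts: float      # seconds
    src: str
    dst: str
    dport: int


# Indicators reported in the thread: SMB fan-out on tcp/445 to random
# addresses, and traffic to 205.209.170.156 port 8777.
C2_ENDPOINT = ("205.209.170.156", 8777)
FANOUT_THRESHOLD = 20    # assumed: distinct tcp/445 targets per window
WINDOW_SECONDS = 60.0    # assumed sliding window


def parse_flow(line: str) -> Flow:
    """Parse a constructed 'timestamp src dst dport' record."""
    ts, src, dst, dport = line.split()
    return Flow(float(ts), src, dst, int(dport))


# Constructed sample: .10 sweeps 30 TEST-NET addresses on 445 then beacons;
# .20 only talks to its file server on 445; .30 beacons without scanning.
SAMPLE_RECORDS = (
    [f"{1.0 + i:.1f} 10.1.1.10 192.0.2.{i + 1} 445" for i in range(30)]
    + ["40.0 10.1.1.10 205.209.170.156 8777"]
    + [f"{5.0 + i:.1f} 10.1.1.20 10.1.1.5 445" for i in range(5)]
    + ["12.0 10.1.1.30 205.209.170.156 8777"]
)


def smb_fanout(flows: List[Flow], window: float = WINDOW_SECONDS) -> Dict[str, int]:
    """Peak number of distinct tcp/445 destinations per source in any window."""
    per_src: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        if f.dport == 445:
            per_src[f.src].append(f)
    peak: Dict[str, int] = {}
    for src, fl in per_src.items():
        fl.sort(key=lambda f: f.ts)
        counts: Counter = Counter()
        lo = 0
        best = 0
        for f in fl:
            counts[f.dst] += 1
            while f.ts - fl[lo].ts > window:       # slide the window forward
                counts[fl[lo].dst] -= 1
                if counts[fl[lo].dst] == 0:
                    del counts[fl[lo].dst]
                lo += 1
            best = max(best, len(counts))
        peak[src] = best
    return peak


def c2_contacts(flows: List[Flow]) -> Dict[str, int]:
    """Number of connections per source to the reported 8777 endpoint."""
    return dict(Counter(f.src for f in flows if (f.dst, f.dport) == C2_ENDPOINT))


def triage(records: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious source address to the reasons it was flagged."""
    flows = [parse_flow(r) for r in records]
    findings: Dict[str, List[str]] = defaultdict(list)
    for src, n in smb_fanout(flows).items():
        if n >= FANOUT_THRESHOLD:
            findings[src].append(f"tcp/445 fan-out to {n} hosts within {WINDOW_SECONDS:.0f}s")
    for src, n in c2_contacts(flows).items():
        findings[src].append(f"{n} connection(s) to {C2_ENDPOINT[0]}:{C2_ENDPOINT[1]}")
    return dict(findings)


if __name__ == "__main__":
    for src, reasons in sorted(triage(SAMPLE_RECORDS).items()):
        print(src, "->", "; ".join(reasons))
```

    Hosts flagged for 8777 contact alone (like .30 in the sample) are worth checking even when they are not yet scanning, since the thread shows cleaned machines re-infect within minutes of reconnecting.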
  8. 2004/07/20
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Andy - I think Dave (noahdfear) indicated he'd like a copy.
     
    Newt,
  9. 2004/07/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Here's something else you could do if you like. Download this zip.

    http://tools.zerosrealm.com/pv.zip

    Unzip it to the desktop. It will not work if you run it from inside the zip. After unzipping, open the pv folder. Double click on the runme.bat. A DOS window will open. Select option 1 for explorer dlls by typing 1 and then pressing enter. Notepad will open with a log in it. Copy and paste the log into this thread. It's usually pretty large and may take more than one post.

    It checks for hidden DLLs that put things back in place. I'll look through it and let you know if I spot anything. Might want to submit one from one of the unaffected network machines too. ;)

    Did RAV find anything? Process Explorer?

    I don't think you can send attachments through BBS mail. Check your private messages. I sent you my addy.
     
  10. 2004/07/20
    DameSlap

    DameSlap Inactive Thread Starter

    Joined:
    2004/07/17
    Messages:
    9
    Likes Received:
    0
    Results from PV.EXE

    Module information for 'Explorer.EXE'
    MODULE BASE SIZE PATH
    Explorer.EXE 1000000 1011712 C:\WINDOWS\Explorer.EXE 6.00.2800.1221 (xpsp2.030511-1403) Windows Explorer
    ntdll.dll 77f50000 684032 C:\WINDOWS\System32\ntdll.dll 5.1.2600.1217 (xpsp2.030429-2131) NT Layer DLL
    kernel32.dll 77e60000 942080 C:\WINDOWS\system32\kernel32.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT BASE API Client DLL
    msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.1106 (xpsp1.020828-1920) Windows NT CRT DLL
    ADVAPI32.dll 77dd0000 577536 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Advanced Windows 32 Base API
    RPCRT4.dll 78000000 548864 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.1254 (xpsp2.030801-1834) Remote Procedure Call Runtime
    GDI32.dll 77c70000 262144 C:\WINDOWS\system32\GDI32.dll 5.1.2600.1106 (xpsp1.020828-1920) GDI Client DLL
    USER32.dll 77d40000 573440 C:\WINDOWS\system32\USER32.dll 5.1.2600.1255 (xpsp2.030804-1745) Windows XP USER API Client DLL
    SHLWAPI.dll 70a70000 413696 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2800.1276 Shell Light-weight Utility Library
    SHELL32.dll 773d0000 8331264 C:\WINDOWS\system32\SHELL32.dll 6.00.2800.1233 (xpsp2.030604-1804) Windows Shell Common Dll
    ole32.dll 771b0000 1183744 C:\WINDOWS\system32\ole32.dll 5.1.2600.1263 (xpsp2.030819-2129) Microsoft OLE for Windows
    OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5016.0 Microsoft OLE 3.50 for Windows NT(TM) and Windows 95(TM) Operating Systems
    BROWSEUI.dll 75f80000 1032192 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2800.1106 (xpsp1.020828-1920) Shell Browser UI Library
    SHDOCVW.dll 71700000 1347584 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2800.1276 Shell Doc Object and Control Library
    UxTheme.dll 5ad70000 212992 C:\WINDOWS\System32\UxTheme.dll 6.00.2800.1106 (xpsp1.020828-1920) Microsoft UxTheme Library
    comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll 6.0 (xpsp1.020828-1920) User Experience Controls Library
    comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp1.020828-1920) Common Controls Library
    appHelp.dll 75f40000 126976 C:\WINDOWS\system32\appHelp.dll 5.1.2600.1106 (xpsp1.020828-1920) Application Compatibility Client Library
    CLBCATQ.DLL 76fd0000 491520 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.42
    COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42
    VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
    cscui.dll 76620000 319488 C:\WINDOWS\System32\cscui.dll 5.1.2600.1106 (xpsp1.020828-1920) Client Side Caching UI
    CSCDLL.dll 76600000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Offline Network Agent
    themeui.dll 559e0000 462848 C:\WINDOWS\System32\themeui.dll 6.00.2800.1106 (xpsp1.020828-1920) Windows Theme API
    Secur32.dll 76f90000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.1106 (xpsp1.020828-1920) Security Support Provider Interface
    MSIMG32.dll 76380000 20480 C:\WINDOWS\System32\MSIMG32.dll 5.1.2600.1106 (xpsp1.020828-1920) GDIEXT Client DLL
    USERENV.dll 75a70000 675840 C:\WINDOWS\system32\USERENV.dll 5.1.2600.1106 (xpsp1.020828-1920) Userenv
    actxprxy.dll 71d40000 110592 C:\WINDOWS\System32\actxprxy.dll 6.00.2600.0000 (XPClient.010817-1148) ActiveX Interface Marshaling Library
    LINKINFO.dll 76980000 28672 C:\WINDOWS\System32\LINKINFO.dll 5.1.2600.0 (xpclient.010817-1148) Windows Volume Tracking
    ntshrui.dll 76990000 147456 C:\WINDOWS\System32\ntshrui.dll 5.1.2600.1106 (xpsp1.020828-1920) Shell extensions for sharing
    ATL.DLL 76b20000 86016 C:\WINDOWS\System32\ATL.DLL 3.00.9435 ATL Module for Windows NT (Unicode)
    NETAPI32.dll 71c20000 319488 C:\WINDOWS\System32\NETAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Net Win32 API DLL
    urlmon.dll 1a400000 499712 C:\WINDOWS\system32\urlmon.dll 6.00.2800.1282 OLE32 Extensions for Win32
    msi.dll 1360000 2101248 C:\WINDOWS\System32\msi.dll 2.0.2600.1106 Windows Installer
    MPR.dll 71b20000 69632 C:\WINDOWS\system32\MPR.dll 5.1.2600.0 (xpclient.010817-1148) Multiple Provider Router DLL
    drprov.dll 75f60000 24576 C:\WINDOWS\System32\drprov.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Terminal Server Network Provider
    ntlanman.dll 71c10000 53248 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft® Lan Manager
    NETUI0.dll 71cd0000 90112 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - GUI Classes
    NETUI1.dll 71c90000 245760 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - Networking classes
    NETRAP.dll 71c80000 24576 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.0 (xpclient.010817-1148) Net Remote Admin Protocol DLL
    SAMLIB.dll 71bf0000 69632 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.1106 (xpsp1.020828-1920) SAM Library DLL
    davclnt.dll 75f70000 36864 C:\WINDOWS\System32\davclnt.dll 5.1.2600.0 (xpclient.010817-1148) Web DAV Client DLL
    WINTRUST.dll 76c30000 176128 C:\WINDOWS\System32\WINTRUST.dll 5.131.2600.0 (xpclient.010817-1148) Microsoft Trust Verification APIs
    CRYPT32.dll 762c0000 557056 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.1123 (xpsp2.020921-0842) Crypto API32
    MSASN1.dll 762a0000 61440 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.0 (XPClient.010817-1148) ASN.1 Runtime APIs
    IMAGEHLP.dll 76c90000 139264 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT Image Helper
    rsaenh.dll ffd0000 143360 C:\WINDOWS\System32\rsaenh.dll 5.1.2600.1029 (xpsp1.020426-1800) Microsoft Base Cryptographic Provider
    comdlg32.dll 763b0000 282624 C:\WINDOWS\system32\comdlg32.dll 6.00.2800.1106 (xpsp1.020828-1920) Common Dialogs DLL
    WINSTA.dll 76360000 61440 C:\WINDOWS\System32\WINSTA.dll 5.1.2600.1106 (xpsp1.020828-1920) Winstation Library
    webcheck.dll 74b30000 266240 C:\WINDOWS\System32\webcheck.dll 6.00.2800.1106 (xpsp1.020828-1920) Web Site Monitor
    stobject.dll 74b00000 131072 C:\WINDOWS\System32\stobject.dll 5.1.2600.1106 (xpsp1.020828-1920) Systray shell service object
    BatMeter.dll 74af0000 36864 C:\WINDOWS\System32\BatMeter.dll 6.00.2600.0000 (xpclient.010817-1148) Battery Meter Helper DLL
    POWRPROF.dll 74ad0000 28672 C:\WINDOWS\System32\POWRPROF.dll 6.00.2600.0000 (xpclient.010817-1148) Power Profile Helper DLL
    SETUPAPI.dll 76670000 946176 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows Setup API
    WTSAPI32.dll 76f50000 32768 C:\WINDOWS\System32\WTSAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows Terminal Server SDK APIs
    WINMM.dll 76b40000 180224 C:\WINDOWS\System32\WINMM.dll 5.1.2600.1106 (xpsp1.020828-1920) MCI API DLL
    SYNCOR11.DLL 6bd00000 53248 C:\WINDOWS\System32\SYNCOR11.DLL 1.2.3 SynthCore R2.0 Midi Interface Driver
    wdmaud.drv 72d20000 36864 C:\WINDOWS\System32\wdmaud.drv 5.1.2600.0 (XPClient.010817-1148) WDM Audio driver mapper
    msacm32.drv 72d10000 32768 C:\WINDOWS\System32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
    MSACM32.dll 77be0000 81920 C:\WINDOWS\System32\MSACM32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft ACM Audio Filter
    midimap.dll 77bd0000 28672 C:\WINDOWS\System32\midimap.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft MIDI Mapper
    NETSHELL.dll 75cf0000 1642496 C:\WINDOWS\system32\NETSHELL.dll 5.1.2600.1106 (xpsp1.020828-1920) Network Connections Shell
    credui.dll 76c00000 184320 C:\WINDOWS\system32\credui.dll 5.1.2600.1106 (xpsp1.020828-1920) Credential Manager User Interface
    WS2_32.dll 71ab0000 81920 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.1240 (xpsp2.030618-0119) Windows Socket 2.0 32-Bit DLL
    WS2HELP.dll 71aa0000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT
    iphlpapi.dll 76d60000 90112 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.1240 (xpsp2.030618-0119) IP Helper API
    browselc.dll 72430000 73728 C:\WINDOWS\System32\browselc.dll 6.00.2800.1106 (xpsp1.020828-1920) Shell Browser UI Library
    WININET.dll 76200000 622592 C:\WINDOWS\system32\WININET.dll 6.00.2800.1106 (xpsp1.020828-1920) Internet Extensions for Win32
    WINSPOOL.DRV 73000000 143360 C:\WINDOWS\System32\WINSPOOL.DRV 5.1.2600.1106 (xpsp1.020828-1920) Windows Spooler Driver
    mstask.dll 735d0000 258048 C:\WINDOWS\System32\mstask.dll 5.1.2600.1106 (xpsp1.020828-1920) Task Scheduler interface DLL
    SXS.DLL 75e90000 684032 C:\WINDOWS\System32\SXS.DLL 5.1.2600.1106 (xpsp1.020828-1920) Fusion 2.5
    printui.dll 74b80000 532480 C:\WINDOWS\System32\printui.dll 5.1.2600.1106 (xpsp1.020828-1920) Print UI DLL
     
  11. 2004/07/20
    DameSlap

    DameSlap Inactive Thread Starter

    Joined:
    2004/07/17
    Messages:
    9
    Likes Received:
    0
    Continued Results from PV.EXE

    ACTIVEDS.dll 76e40000 192512 C:\WINDOWS\System32\ACTIVEDS.dll 5.1.2600.0 (xpclient.010817-1148) ADs Router Layer DLL
    adsldpc.dll 76e10000 151552 C:\WINDOWS\System32\adsldpc.dll 5.1.2600.1106 (xpsp1.020828-1920) ADs LDAP Provider C DLL
    WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.1106 (xpsp1.020828-1920) Win32 LDAP API DLL
    CFGMGR32.dll 74ae0000 28672 C:\WINDOWS\System32\CFGMGR32.dll 5.1.2600.0 (xpclient.010817-1148) Configuration Manager Forwarder DLL
    shext.dll 1de0000 1081344 C:\Program Files\Network Associates\VirusScan\shext.dll 7.1.0.187 Shell Extension
    ShExtRes.dll 1ef0000 12288 C:\Program Files\Network Associates\VirusScan\Res09\ShExtRes.dll 7.1.0.187 English(09) Shell Extension Resources
    shdoclc.dll 76170000 557056 C:\WINDOWS\System32\shdoclc.dll 6.00.2600.0000 (xpclient.010817-1148) Shell Doc Object and Control Library
    mydocs.dll 72410000 102400 C:\WINDOWS\System32\mydocs.dll 6.00.2600.0000 (xpclient.010817-1148) My Documents Folder UI
    AcroIEHelper.ocx 10000000 32768 C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx 1, 0, 0, 1 AcroIEHelper Module
    msohev.dll 32520000 73728 C:\Program Files\Microsoft Office\Office10\msohev.dll 10.0.2609 Microsoft Office XP component
    zipfldr.dll 73380000 335872 C:\WINDOWS\System32\zipfldr.dll 6.00.2800.1126 (xpsp2.020921-0842) Compressed (zipped) Folders
    asfsipc.dll 70eb0000 28672 C:\WINDOWS\System32\asfsipc.dll 1.1.00.3917 ASFSipc Object
    MSISIP.DLL 605f0000 53248 C:\WINDOWS\System32\MSISIP.DLL 2.0.2600.0 MSI Signature SIP Provider
    wshext.dll 74ea0000 65536 C:\WINDOWS\System32\wshext.dll 5.6.0.6626 Microsoft (r) Shell Extension for Windows Script Host
    MCPS.DLL 365a0000 90112 C:\PROGRA~1\MICROS~2\Office10\MCPS.DLL 10.0.4128 Media Catalog Proxy/Stub
    MSVCP60.DLL 55900000 397312 C:\WINDOWS\System32\MSVCP60.DLL 6.00.8972.0 Microsoft (R) C++ Runtime Library
     
  12. 2004/07/20
    DameSlap

    DameSlap Inactive Thread Starter

    Joined:
    2004/07/17
    Messages:
    9
    Likes Received:
    0
    Results of PV

    Hmm . . .

    That's handy. The results above are from a definitely infected Win XP machine.

    I'm just running RAV on the same one.

    Cheers,

    Andy
     
  13. 2004/07/20
    DameSlap

    DameSlap Inactive Thread Starter

    Joined:
    2004/07/17
    Messages:
    9
    Likes Received:
    0
    Rav

    RAV didn't pick anything up either.
     
  14. 2004/07/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Yeah, handy app. :) Sorry to say it didn't produce anything bad. I guess you could try checking some of the other DLLs. What you're looking for is a DLL with no version #. It'll look something like the following.

    logignh.dll 61c00000 61440 c:\windows\system32\logignh.dll

    rather than

    adsldpc.dll 76e10000 151552 C:\WINDOWS\System32\adsldpc.dll 5.1.2600.1106 (xpsp1.020828-1920) ADs LDAP Provider C DLL

    Just now getting to my email. I'll let you know what, if anything, I determine from it.
     
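    An added example of my own (not code from the thread or from the PV tool's author) that automates the check described above: it parses lines in the layout of the PV.EXE "explorer dlls" log and returns the modules whose line carries no version number. The sample lines are constructed from entries posted earlier in the thread plus the logignh.dll line given as the pattern to look for.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the layout of the PV.EXE log posted above, plus the
# version-less entry given as the kind of line that deserves a closer look.
SAMPLE_LOG_LINES = [
    "Module information for 'Explorer.EXE'",
    "MODULE BASE SIZE PATH",
    r"Explorer.EXE 1000000 1011712 C:\WINDOWS\Explorer.EXE 6.00.2800.1221 (xpsp2.030511-1403) Windows Explorer",
    r"adsldpc.dll 76e10000 151552 C:\WINDOWS\System32\adsldpc.dll 5.1.2600.1106 (xpsp1.020828-1920) ADs LDAP Provider C DLL",
    r"shext.dll 1de0000 1081344 C:\Program Files\Network Associates\VirusScan\shext.dll 7.1.0.187 Shell Extension",
    r"AcroIEHelper.ocx 10000000 32768 C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx 1, 0, 0, 1 AcroIEHelper Module",
    r"logignh.dll 61c00000 61440 c:\windows\system32\logignh.dll",
]


@dataclass
class ModuleEntry:
    name: str
    base: int
    size: int
    path: str
    version: Optional[str]   # None when the line carries no version number
    description: str


# name, hex base address, decimal size, then "path [version description]"
ENTRY_RE = re.compile(r"^(\S+)\s+([0-9A-Fa-f]+)\s+(\d+)\s+(.+)$")
VERSION_TOKEN_RE = re.compile(r"^[\d.,]+$")   # 5.1.2600.1106  or  1, 0, 0, 1


def parse_entry(line: str) -> Optional[ModuleEntry]:
    """Parse one module line; returns None for header and blank lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    name, base, size, rest = m.groups()
    # Paths may contain spaces, but they always end in the module's own file
    # name, so split "rest" at the first "\<name>" followed by a space or EOL.
    path_re = re.compile(r"^(.*?\\" + re.escape(name) + r")(?:\s+(.*))?$", re.IGNORECASE)
    pm = path_re.match(rest)
    if not pm:
        return None
    path, tail = pm.group(1), (pm.group(2) or "").split()
    version_tokens = []
    while tail and VERSION_TOKEN_RE.match(tail[0]):
        version_tokens.append(tail.pop(0))
    version = " ".join(version_tokens) if version_tokens else None
    return ModuleEntry(name, int(base, 16), int(size), path, version, " ".join(tail))


def parse_log(lines: List[str]) -> List[ModuleEntry]:
    """All module entries in a PV-style log, header lines skipped."""
    return [e for e in (parse_entry(line) for line in lines) if e is not None]


def find_unversioned(lines: List[str]) -> List[ModuleEntry]:
    """Modules with no version field: the ones to examine by hand."""
    return [e for e in parse_log(lines) if e.version is None]


if __name__ == "__main__":
    for e in find_unversioned(SAMPLE_LOG_LINES):
        print(f"no version info: {e.name} at {e.base:#x} ({e.size} bytes) {e.path}")
```

    A missing version resource is only a lead, not proof; the flagged file still has to be checked by its properties, its attributes and a scan, as the thread goes on to do.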
  15. 2004/07/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I'm no programmer, and don't know a lot about how these viruses are written (trying to figure it out :rolleyes: ), but here's what I found in the executable, along with a lot of code, and my thoughts.
    Is this bolded text at the end maybe a command to create another GDI32.dll, maybe to keep recreating itself if deleted? Were it mine, I'd install Agent Ransack and do a search of the drive for it, then check the properties on any found. You would probably need to show hidden files. Something else I thought about, do a search for vsmons.inf. If you find one, I'd like to see what's in it too. BTW, the file is read-only (at least the one I have) so would need that attribute removed, and possibly change permissions to successfully delete. I've also seen where they have to be renamed and moved to a junk folder, permissions reset on it too, then deleted.
     
  16. 2004/07/21
    DameSlap

    DameSlap Inactive Thread Starter

    Joined:
    2004/07/17
    Messages:
    9
    Likes Received:
    0
    Potentially identified?

    Interestingly I've had this response from NOD32 this morning:

    Hello,

    the file was a new variant belonging to a fairly well-known family of Win32/Rbot Backdoors. It's been named Win32/Rbot.HF and NOD32 should detect it soon. It is a backdoor server controlled via IRC network. It has many 'features' including keylogger, file server or SOCKS proxy. It is able to exploit some of the recent MS Windows vulnerabilities for spreading, including, for example, the WebDav vulnerability. It doesn't seem to exploit a vulnerability that is not covered by Microsoft security updates. It also has a list of weak passwords that are tried against shares on machines on the network. Try to ensure that your machines have all the recent security updates from Microsoft. When the next update is released, NOD32 will be able to detect this backdoor. We will perform more detailed analysis to see why your machines get infected again and again.

    Best regards,

    Juraj Sarinay
    ESET s.r.o.


    Only thing is, SANS are hinting that it might be a Sasser variant. Hmm . . .
     
  17. 2004/07/21
    DameSlap

    DameSlap Inactive Thread Starter

    Joined:
    2004/07/17
    Messages:
    9
    Likes Received:
    0
    Looking like RBot is our culprit

    I've been shown a really useful online malware scan that uses multiple engines to scan any files you upload and two of them (Kaspersky and F-Secure) are identifying our little gremlin.

    Service can be found at http://virusscan.jotti.dhs.org/

    Here are the results of the scan of vsmons.exe:

    Service load: 0% 100%

    File: vsmons.exe
    Status: INFECTED/MALWARE
    Packers detected:

    AntiVir No viruses found (1.33 seconds taken)
    BitDefender No viruses found (3.99 seconds taken)
    ClamAV No viruses found (4.89 seconds taken)
    Dr.Web No viruses found (5.61 seconds taken)
    F-Prot Antivirus No viruses found (0.32 seconds taken)
    F-Secure Anti-Virus Backdoor.Rbot.gen (3.68 seconds taken)
    Kaspersky Anti-Virus Backdoor.Rbot.gen (3.80 seconds taken)
    McAfee VirusScan No viruses found (1.85 seconds taken)
    Norman Virus Control No viruses found (37.24 seconds taken)


    So this seems to confirm what NOD32 have said. Only problem now is to wait for McAfee to identify it and include it in their pattern files, cause that's what we're using on all our workstations.
     
  18. 2004/07/21
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    10 bucks says that some workstations have Kazaa or similar P2P apps on them.
     
  19. 2004/07/21
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Here is a pretty exhaustive write-up on this particular critter that may help you out.

    Note that Kaspersky seems to have used a single name while some other companies have used .A, .B, .C, etc. to identify variations.
     