[unisog] Mysterious appearance of Backdoor.RA on Win2K machines

Rita Seplowitz Saltz rita at Princeton.EDU
Fri Dec 7 11:38:38 GMT 2001

Stephen W. Thompson asked:
> What drew attention to the machines initially?  A group here had an
> NT4 box which unexpectedly was missing many files normally found on a
> healthy install.  Little investigation could be done before the group
> reformatted and started over.  Probably unrelated, but...

While I replied directly to his question, I did not know at the time that
his mail had been copied to this list.  So for the benefit of others, the
text of my reply is posted below:

The first person to report the discovery was having slow performance from
Internet Explorer, and also his task bar froze sporadically.  He does not
believe the presence of Backdoor.RA was related to the problems, however, as
they persisted for a time after he discovered and uninstalled the thing.

The other machine had been identified as behaving in suspicious fashion by
our network systems folks, and when the person responsible looked at it, it
clearly had been hacked.  Her words:

"On the day I was hacked, there were 3 backdoor.trojan files quarantined on
my system -- around the same time other suspicious files were created.  I
have absolutely no idea how the slave program was implanted on my server.
Once the attacker gained control over the server, an ftp service (ServU) was
installed in c:\winnt\fonts\truetype.  About 60 Gig of information was
stored on D:\recycler\dumpsite.  I deleted D:\recycler\dumpsite and was able
to uninstall slave and the ftp service."

I've just heard from the first fellow again.  I shared an alert with the
distributed computing support list a short while ago (which turned up the
second instance).  His deputy director, who is on that mailing list, found a
copy on his own machine and is in the process of checking workstations of
other VIP staff in the unit.  It apparently installs silently.  Now the
question is:  how?!
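The report above gives two concrete artifacts worth sweeping other workstations for: an FTP server dropped under c:\winnt\fonts\truetype and a bulk "dumpsite" parked under D:\recycler. The following is an added example, not code from the original post or from Princeton; it walks a directory tree standing in for a drive root, flags executables anywhere below WINNT\Fonts and oversized folders directly under RECYCLER, and builds a small constructed sample tree (file names such as servu.exe and the size threshold are assumptions made for the demonstration) so it runs offline.

```python
import os
import tempfile
from pathlib import Path
from typing import List

# Indicators taken from the report: an FTP service installed under
# winnt\fonts\truetype and a large dump under recycler. The executable
# suffix list and the size threshold are assumptions for this example.
EXEC_SUFFIXES = {".exe", ".dll", ".com", ".bat", ".cmd"}
DUMP_SIZE_THRESHOLD = 1024  # bytes; tiny for the demo, raise to GBs in practice


def dir_size(path: Path) -> int:
    """Total size of regular files under path (symlinks are not followed)."""
    total = 0
    for dirpath, _dirnames, filenames in os.walk(path):
        for name in filenames:
            fp = Path(dirpath) / name
            if fp.is_file() and not fp.is_symlink():
                total += fp.stat().st_size
    return total


def find_indicators(root: Path, size_threshold: int = DUMP_SIZE_THRESHOLD) -> List[str]:
    """Return findings for the two indicators described in the report.

    root stands in for a drive root (C:\\ or D:\\). Matching is case-insensitive
    because NTFS paths are.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = Path(dirpath).relative_to(root)
        parts = [p.lower() for p in rel.parts]
        # 1. Executables anywhere below <root>\winnt\fonts: the Fonts folder
        #    should hold font files only, so a PE or script there is suspicious.
        if parts[:2] == ["winnt", "fonts"]:
            for name in filenames:
                if Path(name).suffix.lower() in EXEC_SUFFIXES:
                    findings.append(f"executable under Fonts: {rel / name}")
        # 2. Oversized folders directly below <root>\recycler: the per-SID
        #    folders are normally small; a large extra folder suggests a dump site.
        if parts == ["recycler"]:
            for d in dirnames:
                size = dir_size(Path(dirpath) / d)
                if size > size_threshold:
                    findings.append(
                        f"large directory under RECYCLER: {rel / d} ({size} bytes)"
                    )
    return findings


def build_demo_tree() -> Path:
    """Constructed sample layout mimicking the compromised host; not real data."""
    base = Path(tempfile.mkdtemp(prefix="backdoor_ra_demo_"))
    fonts = base / "WINNT" / "Fonts" / "truetype"
    fonts.mkdir(parents=True)
    (fonts / "arial.ttf").write_bytes(b"\x00" * 64)           # benign font file
    (fonts / "servu.exe").write_bytes(b"MZ" + b"\x00" * 62)   # assumed name for the planted FTP server
    recycler = base / "RECYCLER"
    sid_folder = recycler / "S-1-5-21-1234-5678-9012-500"     # ordinary per-user recycle bin
    sid_folder.mkdir(parents=True)
    (sid_folder / "INFO2").write_bytes(b"\x00" * 20)
    dump = recycler / "dumpsite"                               # the attacker's storage
    dump.mkdir()
    (dump / "movie.avi").write_bytes(b"\x00" * 4096)
    return base


if __name__ == "__main__":
    for finding in find_indicators(build_demo_tree()):
        print(finding)
```

Run it once per drive root on each workstation being checked (the Fonts check belongs on the system drive, the RECYCLER check on every drive) and raise DUMP_SIZE_THRESHOLD to something like 10 GB for real use. Note that this only tells you where the attacker left things, not how they got in; the quarantined backdoor.trojan files and the file creation times around them are the place to look for that.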

