[unisog] Mysterious appearance of Backdoor.RA on Win2K machines

Jeff Bollinger jeff01 at email.unc.edu
Fri Dec 7 19:48:15 GMT 2001


Yes, we have seen this as well.  Note that the Trojan installs s32.exe and the
servuFTP.  No idea though as to how it got in yet.

Jeff

Rita Seplowitz Saltz wrote:

> Stephen W. Thompson asked:
> >
> > What drew attention to the machines initially?  A group here had an
> > NT4 box which unexpectedly was missing many files normally found on a
> > healthy install.  Little investigation could be done before the group
> > reformatted and started over.  Probably unrelated, but...
>
> While I replied directly to his question, I did not know at the time that
> his mail had been copied to this list.  So for the benefit of others, the
> text of my reply is posted below:
>
> The first person to report the discovery was having slow performance from
> Internet Explorer, and also his task bar froze sporadically.  He does not
> believe the presence of Backdoor.RA was related to the problems, however, as
> they persisted for a time after he discovered and uninstalled the thing.
>
> The other machine had been identified as behaving in suspicious fashion by
> our network systems folks, and when the person responsible looked at it, it
> clearly had been hacked.  Her words:
>
> "On the day I was hacked, there were 3 backdoor.trojan files quarantined on
> my system -- around the same time other suspicious files were created.  I
> have absolutely no idea how the slave program was implanted on my server.
> Once the attacker gained control over the server, an ftp service (ServU) was
> installed in c:\winnt\fonts\truetype.  About 60 Gig of information was
> stored on D:\recycler\dumpsite.  I deleted D:\recycler\dumpsite and was able
> to uninstall slave and the ftp service."
>
> I've just heard from the first fellow again.  I shared an alert with the
> distributed computing support list a short while ago (which turned up the
> second instance).  His deputy director, who is on that mailing list, found a
> copy on his own machine and is in the process of checking workstations of
> other VIP staff in the unit.  It apparently installs silently.  Now the
> question is:  how?!

--
Jeff Bollinger
University of North Carolina
IT Security Analyst
105 Abernethy Hall
mailto: jeff_bollinger at unc.edu
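As an added example that is not part of this thread or of any product mentioned in it: a small Python hunt script, written here by the editor, that walks a filesystem tree (a drive root or a mounted image) and reports the indicators the reporters described, namely a file named s32.exe, an executable sitting under winnt\fonts\truetype where only font files belong, and a recycler\dumpsite directory holding an unusually large volume of data. The directory layout it scans is constructed for the demo; the file name ftpserv.exe and the 1 MiB size threshold are placeholders chosen here, not values from the thread.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the thread. Drive letters are dropped; paths are compared
# case-insensitively, with forward slashes, relative to the scan root.
KNOWN_TROJAN_FILES = {"s32.exe"}
FONT_DIR = "winnt/fonts/truetype"      # the ServU FTP service was found installed here
DUMPSITE_DIR = "recycler/dumpsite"     # ~60 GB of foreign data was parked here
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".com", ".bat"}
# Assumed threshold for the demo only; the real case involved about 60 GB.
LARGE_DUMPSITE_BYTES = 1024 * 1024


def scan_for_indicators(root, large_bytes=LARGE_DUMPSITE_BYTES):
    """Walk `root` and return a sorted list of (indicator, relative_path) findings."""
    root = Path(root)
    findings = set()
    dumpsite_bytes = 0
    dumpsite_seen = False
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix().lower()
        in_font_dir = rel_dir == FONT_DIR or rel_dir.startswith(FONT_DIR + "/")
        in_dumpsite = rel_dir == DUMPSITE_DIR or rel_dir.startswith(DUMPSITE_DIR + "/")
        if rel_dir == DUMPSITE_DIR:
            dumpsite_seen = True
        for name in filenames:
            fpath = Path(dirpath) / name
            rel = fpath.relative_to(root).as_posix().lower()
            # Exact file name reported in the thread.
            if name.lower() in KNOWN_TROJAN_FILES:
                findings.add(("known_trojan_file", rel))
            # A font directory should hold .ttf files, never executables.
            if in_font_dir and fpath.suffix.lower() in EXECUTABLE_SUFFIXES:
                findings.add(("executable_in_font_dir", rel))
            # Tally how much data has been parked under the dumpsite directory.
            if in_dumpsite:
                dumpsite_bytes += fpath.stat().st_size
    if dumpsite_seen:
        findings.add(("dumpsite_present", DUMPSITE_DIR))
        if dumpsite_bytes >= large_bytes:
            findings.add(("dumpsite_large", DUMPSITE_DIR))
    return sorted(findings)


def build_constructed_sample(base):
    """Create a constructed directory layout mirroring the thread's report, plus a
    benign font file and a benign executable as negative controls. Every file here
    is dummy content, not real malware; ftpserv.exe is a placeholder name."""
    base = Path(base)
    font_dir = base / "winnt" / "fonts" / "truetype"
    font_dir.mkdir(parents=True)
    (font_dir / "arial.ttf").write_bytes(b"\x00" * 16)               # benign: expected here
    (font_dir / "ftpserv.exe").write_bytes(b"MZ" + b"\x00" * 30)     # anomalous: exe in font dir
    sys_dir = base / "winnt" / "system32"
    sys_dir.mkdir(parents=True)
    (sys_dir / "s32.exe").write_bytes(b"MZ" + b"\x00" * 30)          # location assumed for demo
    (sys_dir / "notepad.exe").write_bytes(b"MZ" + b"\x00" * 30)      # benign control
    dumpsite = base / "recycler" / "dumpsite"
    dumpsite.mkdir(parents=True)
    for i in range(3):                                               # 3 x 512 KiB = 1.5 MiB
        (dumpsite / f"part{i}.bin").write_bytes(b"\xff" * (512 * 1024))
    return base


def run_demo():
    """Build the constructed tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_for_indicators(build_constructed_sample(tmp))


if __name__ == "__main__":
    for indicator, path in run_demo():
        print(f"{indicator:24s} {path}")
```

To use it against a real system, point `scan_for_indicators` at the drive root (or a mounted forensic image) rather than at the constructed sample; the benign controls show that ordinary font files and executables in system32 produce no finding.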