Mysterious appearance of Backdoor.RA on Win2K machines
Stephen W. Thompson
thompson at pobox.upenn.edu
Wed Dec 12 15:22:24 GMT 2001
Here's another indication that there is some vector for infection of or
intrusion into NT/Win2k machines active on the net which hasn't been
This from another of our sysadmins:
> Greetings. Yesterday, for the first time since I setup this server in
> October, 1999, the Norton Antivirus Server Real time program caught a
> virus. It quarantined
> the Goner virus which I subsequently deleted, then ran a manual scan
> afterward. (A scheduled scan runs every night and has never located a
> The mystery is, I have no idea how this could have been transmitted to
> the server!
> Although our NT server has Outlook and IE installed, the former is not
> configured and neither is used. I was doing no file copying at the time
> of the attack. Nor did any of my users admit to copying anything to the
> affected folder at the time of infection.
> I have gone to each workstation and checked their quarantine folder and
> Virus History - nothing for yesterday! Moreover, my users are always
> being told about safe attachment opening techniques, and no one came
> forward to say they were involved. Moreover, they would have had to save
> the attachment to disk (a server shared common
> folder) while they had the Virus warning screen up, which they can't
> background - not really likely. All their virus scanners were enabled
> with the latest Virus definitions.
> Is there another entry point for this virus other than e-mail? What
> should I be checking?
[and same sysadmin, in another message:]
> If it was copied from a workstation, I would think there would have
> been a trace of the virus on the workstation. I checked the Virus
> history and Quarantine for each workstation. There were no viruses
> detected that day on ANY workstation, and no Goner virus on any day. (I
> don't have the managed version of Norton on the server, just the regular
> version, so it wouldn't tell me from which machine the virus was copied,
> if it was copied!)
> The virus ended up on a folder beneath a shared server folder. All of
> my users would have access to this folder, even student workers.
Earlier bits of this thread:
Rita Seplowitz Saltz <rita at Princeton.EDU>
> This week, two different departments here reported discovering Backdoor.RA,
> a component of the package Remote Anything, running on a Windows 2000 system
> without having been installed by the responsible parties. Both machines are
> physically secured, and those with access have disclaimed responsibility for
> installing the item. In each case, the presence of Backdoor.RA was
> discovered when, exploring problems with the machine, the user scanned the
> Task Manager list and noted a process called Slave.exe running.
> It appears that the instances were remote installs. Anyone know of an
> exploit or apres-virus vulnerability which involves remote installation of
I wrote in reply about a different case than today's:
> What drew attention to the machines initially? A group here had an
> NT4 box which unexpectedly was missing many files normally found on a
> healthy install. Little investigation could be done before the group
> reformatted and started over. Probably unrelated, but...
And later, also from Rita Seplowitz Saltz <rita at Princeton.EDU>, quoting
> The first person to report the discovery was having slow performance from
> Internet Explorer, and also his task bar froze sporadically. He does not
And quoting another of her sysadmins:
> "On the day I was hacked, there were 3 backdoor.trojan files quarantined on
> my system -- around the same time other suspicious files were created. I
> have absolutely no idea how the slave program was implanted on my server.
> Once the attacker gained control over the server, an ftp service (ServU) was
> installed in c:\winnt\fonts\truetype. About 60 Gig of information was
> stored on D:\recycler\dumpsite. I deleted D:\recycler\dumpsite and was able
> to uninstall slave and the ftp service."
And more info she gives:
> I've just heard from the first fellow again. I shared an alert with the
> distributed computing support list a short while ago (which turned up the
> second instance). His deputy director, who is on that mailing list, found a
> copy on his own machine and is in the process of checking workstations of
> other VIP staff in the unit. It apparently installs silently. Now the
> question is: how?!
lbuchana at csc.com wrote:
> In an earlier private email to Rita, I noted that I had found a machine
> with RemotelyAnywhere on it. The manner in which it was discovered was by
> our IDS detecting it attacking another part of our organization. I can't
> share many details as there may be an ongoing criminal investigation. The
> method used to attack the machine I looked at was different than the attack
> the IDS noticed.
Jeff Bollinger <jeff01 at email.unc.edu> wrote:
> Yes, we have seen this as well. Note that the Trojan installs s32.exe and
> the servuFTP. No idea though as to how it got in yet.
Steve, security analyst
Stephen W. Thompson, UPenn, ISC Information Security, 215-898-1236, WWW has PGP
thompson at isc.upenn.edu URL=http://pobox.upenn.edu/~thompson/index.html
For security matters, use security at isc.upenn.edu, read by InfoSec staff
* OPEN LETTER: http://pobox.upenn.edu/~thompson/considered-war.html *
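Editor's added example, not part of the original thread or of anyone quoted in it: a PowerShell sweep of a single Windows host for the indicators the reporters above actually name (a Slave.exe or s32.exe process, a Serv-U FTP service, a binary dropped under the fonts directory, and a D:\recycler\dumpsite folder). The indicator names and paths come from the messages above; the service-name patterns, the use of $env:SystemRoot in place of the reporters' literal c:\winnt, and the check for any service running out of the fonts directory are this example's own assumptions. A hit is a lead to investigate by hand, not a verdict, and a clean result says nothing about whatever the initial entry vector was.

```powershell
# Added example: sweep this host for the indicators named in the thread above.
# Assumptions (not from the thread): service-name patterns 'Serv-U*'/'ServU*',
# $env:SystemRoot instead of the literal c:\winnt, and treating any service
# whose binary lives under \fonts\ as suspicious regardless of its name.

$indicators = @{
    Processes = @('slave', 's32')                      # Get-Process names carry no .exe
    Paths     = @("$env:SystemRoot\fonts\truetype",    # reported as c:\winnt\fonts\truetype
                  'D:\recycler\dumpsite')              # reported 60 GB dump location
    Services  = @('Serv-U*', 'ServU*')                 # assumed name/display-name patterns
}

$hits = @()

# 1. Running processes matching the reported names
foreach ($name in $indicators.Processes) {
    Get-Process -Name $name -ErrorAction SilentlyContinue | ForEach-Object {
        $hits += "process {0} (PID {1}) path={2}" -f $_.ProcessName, $_.Id, $_.Path
    }
}

# 2. Reported drop/dump paths, with a size so a large stash stands out
foreach ($p in $indicators.Paths) {
    if (Test-Path -LiteralPath $p) {
        $size = (Get-ChildItem -LiteralPath $p -Recurse -Force -File -ErrorAction SilentlyContinue |
                 Measure-Object -Property Length -Sum).Sum
        $hits += "path {0} exists ({1:N0} bytes)" -f $p, [int64]$size
    }
}

# 3. Installed services: by assumed Serv-U name pattern, and by binary location
$services = Get-CimInstance Win32_Service -ErrorAction SilentlyContinue
foreach ($pattern in $indicators.Services) {
    $services | Where-Object { $_.Name -like $pattern -or $_.DisplayName -like $pattern } |
        ForEach-Object { $hits += "service {0} state={1} path={2}" -f $_.Name, $_.State, $_.PathName }
}
$services | Where-Object { $_.PathName -like '*\fonts\*' } |
    ForEach-Object { $hits += "service {0} runs from fonts dir: {1}" -f $_.Name, $_.PathName }

if ($hits.Count -eq 0) { 'no indicators from the thread found on this host' } else { $hits }
```

Run it from an elevated prompt so Get-Process can read every process's path and Win32_Service returns all services; checking the workstations' antivirus quarantine history, as the reporters did, answers a different question (what the scanner saw) and does not replace looking at the live process and service tables on the server itself.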
More information about the unisog