[unisog] Super-hidden spamming exploits?
leboldug at post.queensu.ca
Thu Sep 25 17:39:15 GMT 2003
At 10:37 AM 2003-09-25 -0400, Rita Seplowitz Saltz wrote:
>We've seen a number of student-owned MS Windows machines exploited by
>spammers, even after the "usual suspects" have been addressed
>(administrator password, backdoors, remote code, spyware, assorted
>viruses) and the systems are believed to have been locked down securely.
We've had 15 spam proxies in the last 2 weeks. We're definitely seeing a
new type, I believe, see further down.
I don't have any clues as to the infection route. I haven't found any
strict commonality apart from not being completely patched with Windows
Update. They all have a p2p program of some sort (typically Kazaa but not
all) and some chat program (typically MSN Messenger but not all).
We are blocking 135-139, 445, 593 tcp+udp at our border, so that should
rule out the RPC vulnerabilities.
Infected computers had 50-100 connections inbound. Blocking inbound to the
IP stopped the outbound 25/tcp streams, as expected. We have since blocked
25/tcp outbound for ResNet and are periodically logging to check for new
>Has anyone else seen this kind of thing? And, if so, have you any
>helpful insights to offer?
The first proxies we saw were generally all different. Ports used were all
different. Symantec Antivirus typically identified them generically as
Backdoor.Trojan. We also saw Backdoor.SDbot (with a dropper) and
We discovered 9 new proxies of the similar unknown type on Monday/Tuesday.
They were not in the Symantec VDF. They also loosely had a dropper.
Filenames were different, but all trojan files started with an asterisk.
Ports were all different and seemingly randomly determined on boot.
Here's what we have for removal instructions for this new proxy, as
determined by our Support folks. Tell me if this looks similar to your
1. Run Regedit. Check
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce for a
key beginning with *. Take note of that key name.
2. Reboot the computer into safe mode command prompt.
3. Change directory to c:\Documents and Settings\(Username)\Local
4. Delete the file in that directory with the same name as the key from
5. While still in safe mode's command prompt, run regedit. Delete the key
from RunOnce and Run.
6. Reboot. Voila.
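An added check, not part of the original post, that applies step 1 of the procedure above to a registry dump taken with `reg export`: it parses the .reg text and flags Run/RunOnce values whose name begins with an asterisk. The sample dump, the `student` profile and the `*xyz` name are constructed for illustration.

```python
import re

# Constructed .reg export; the "*xyz" entries mimic the indicator described in
# the post (Run/RunOnce values whose name starts with "*"), the rest is benign.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe"
"*xyz"="C:\\Documents and Settings\\student\\Local Settings\\xyz.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*xyz"="C:\\Documents and Settings\\student\\Local Settings\\xyz.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
'''

# Autostart keys the removal procedure tells you to clean (Run and RunOnce).
AUTORUN_KEYS = (r"\Microsoft\Windows\CurrentVersion\Run",
                r"\Microsoft\Windows\CurrentVersion\RunOnce")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def unescape(s):
    """Undo the .reg file escaping of quotes and backslashes."""
    return s.replace('\\"', '"').replace('\\\\', '\\')

def parse_reg(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                data = m.group(2)
                if data.startswith('"') and data.endswith('"'):
                    data = unescape(data[1:-1])
                keys[current][unescape(m.group(1))] = data
    return keys

def find_star_autoruns(text):
    """List (key, value_name, data) for Run/RunOnce entries whose name begins with '*'."""
    hits = []
    for key, values in parse_reg(text).items():
        if key.endswith(AUTORUN_KEYS):
            hits.extend((key, n, d) for n, d in values.items() if n.startswith('*'))
    return hits

if __name__ == "__main__":
    for key, name, data in find_star_autoruns(SAMPLE_REG):
        print(f"{key}\n    {name} -> {data}")
```

The data field of each hit is the file the procedure has you delete in safe mode, so the same output doubles as a worklist for step 4.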
Systems Programmer Information Technology Services