Unoffical empeg BBS


#304681 - 02/12/2007 16:52 What is this program?
pca
old hand

Registered: 20/07/1999
Posts: 1102
Loc: UK
Hi.

A friend's windows 2000 game server was remotely administered via VNC. Unfortunately, it was an old version, and he hadn't used any encryption on it. So, two days ago, someone broke in and started screwing around with it. Luckily, we were there at the time and noticed within a couple of hours, and disconnected it.

The perp had apparently been using it as a proxy/gateway for a yahoo VoIP service, registering a dozen virtual phone numbers on the service with a probably stolen credit card number and making a number of short calls to numbers in the US. When we kicked him off, the yahoo windows were still open and logged in, so we were able to save out a load of info on what accounts were opened and when, the phone numbers, the numbers called, the email address, and so on. I also saved the history of the command line buffer, which had some IP addresses of interest as well.

All this information will be passed on to Yahoo's abuse department, so they can ignore it/deal with it, depending on their whim.

Anyway, having deleted everything we could find that he had installed (an IRC trojan seemed to be most of it, in addition to the VoIP app), we removed and reinstalled all the virus checkers, rootkit detectors, spyware removers, and so on. The machine was thoroughly sanitised, and is now running UltraVNC with RC4 encryption tunneled over SSH with different encryption. It should be fairly difficult to compromise it again, I hope.

However, there is a process that keeps popping up in the task manager, named vjvl.exe. Neither of us can think of anything legitimate it could be, and google draws a blank. I'm going to hunt it down and kill it, but does anyone know what it is?

pca
_________________________
Experience is what you get just after it would have helped...

#304682 - 02/12/2007 17:10 Re: What is this program? [Re: pca]
tman
carpal tunnel

Registered: 24/12/2001
Posts: 5528
I'd reinstall from scratch. You can never be 100% sure that everything was cleaned out without going through every file. If you're doing that then you might as well reinstall as it'll be quicker.

Looks like the rootkit downloaded/installed something with a random file name to make it harder to identify. Anything of interest actually inside the file?

#304683 - 02/12/2007 18:55 Re: What is this program? [Re: tman]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Quote:
I'd reinstall from scratch. You can never be 100% sure that everything was cleaned out

Agreed.

But if you can't do that for whatever reason, try using HijackThis and StartupList to help you figure out how that program keeps getting run.
_________________________
Bitt Faulk

#304684 - 02/12/2007 21:06 Re: What is this program? [Re: wfaulk]
pca
old hand

Registered: 20/07/1999
Posts: 1102
Loc: UK
We had thought this would be necessary but wanted to avoid the pain in the arse job it will be. However, you're both right, annoyingly. The server has been dropped off with me, and at some point in the next week or so I get to reinstall 150GB of OS and apps. Hooray. Yippee. And so on...

On the upside, it's going to end up with a terabyte of hard drives to future proof it. It's already got a striped array of 10K RPM ultrawide SCSI drives which will have the OS installed on, so it should go rather faster. The data will be on the SATA drives.

Dual 2.8GHz Xeon processors in a nice server motherboard, slightly overkill for running half a dozen different dedicated game servers with a total of about 6 users, but none of us like to wait

pca
_________________________
Experience is what you get just after it would have helped...

#304685 - 02/12/2007 22:17 Re: What is this program? [Re: pca]
AndrewT
old hand

Registered: 16/02/2002
Posts: 867
Loc: Oxford, UK
Firstly, I agree with what has been proposed and agreed here already as the best course of remedial action....

Quote:
vjvl.exe. Neither of us can think of anything legitimate it could be, and google draws a blank. I'm going to hunt it down and kill it, but does anyone know what it is?


You might gain some insight into what that .exe is by attempting to copy it to other systems to see what their AV/malware scanners report (if anything).

#305131 - 14/12/2007 04:13 Re: What is this program? [Re: AndrewT]
Shonky
pooh-bah

Registered: 12/01/2002
Posts: 2009
Loc: Brisbane, Australia
So where was it running from?

User it's running under?

It's not changing its name I guess from your description but possibly generated that random name itself when it installed to prevent identification. That's certainly not rare or new...
_________________________
Christian
#40104192 120Gb (no longer in my E36 M3, won't fit the E46 M3)

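The questions raised in the two replies above (how the program keeps getting run, where it runs from, and which user it runs under) can be answered with a short script. The following is an added example, not code posted in this thread or from any of the tools mentioned in it. It assumes a modern Windows with PowerShell 4 or later (the thread's machine is Windows 2000, which predates PowerShell, so the script shows the same checks as they would be done on a current system). The process name vjvl.exe is the one from the thread; every other value is produced by the machine it runs on. It reports the image path, owner, parent and SHA-256 of each running instance (the hash is what the online scanners mentioned later in the thread can be asked about), then searches the Run/RunOnce keys, services and scheduled tasks for anything that would relaunch it.

```powershell
# Added example (not from the thread): locate a suspicious process by name,
# report its image path, owner and hash, and check the common autostart
# locations for anything that launches it. Run from an elevated PowerShell.
param([string]$Name = 'vjvl.exe')   # name taken from the thread

$base = [System.IO.Path]::GetFileNameWithoutExtension($Name)

# 1. Running instances: where it runs from, as which user, started by what
$procs = Get-CimInstance Win32_Process | Where-Object { $_.Name -ieq $Name }
if (-not $procs) { Write-Host "No running process named $Name" }
foreach ($p in $procs) {
    $owner  = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    [pscustomobject]@{
        PID         = $p.ProcessId
        Path        = $p.ExecutablePath      # may be empty if access is denied
        User        = "$($owner.Domain)\$($owner.User)"
        ParentPID   = $p.ParentProcessId
        Parent      = $parent.Name
        CommandLine = $p.CommandLine
        SHA256      = if ($p.ExecutablePath -and (Test-Path $p.ExecutablePath)) {
                          (Get-FileHash -Algorithm SHA256 $p.ExecutablePath).Hash
                      } else { $null }
    } | Format-List
}

# 2. Run/RunOnce keys: the usual reason a killed program "keeps popping up"
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's provider metadata
        if ("$($prop.Value)" -match [regex]::Escape($base)) {
            "Autorun: $key\$($prop.Name) = $($prop.Value)"
        }
    }
}

# 3. Services whose binary path references the name
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match [regex]::Escape($base) } |
    ForEach-Object { "Service: $($_.Name) ($($_.State)) = $($_.PathName)" }

# 4. Scheduled tasks whose action references the name
#    (Get-ScheduledTask exists on Windows 8 / Server 2012 and later)
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    Get-ScheduledTask | ForEach-Object {
        $t = $_
        foreach ($a in $t.Actions) {
            if ("$($a.Execute) $($a.Arguments)" -match [regex]::Escape($base)) {
                "Task: $($t.TaskPath)$($t.TaskName) = $($a.Execute) $($a.Arguments)"
            }
        }
    }
}
```

Usage: save as `Find-Autorun.ps1` and run `.\Find-Autorun.ps1 -Name vjvl.exe`. The parent process and the autostart hits are the parts worth keeping: a parent that is a service host or a task engine, or a Run key entry pointing at the file, tells you what relaunches it. The script only reads; it is for recording what was on the box before the rebuild the thread agrees on, not for cleaning it.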
#305135 - 14/12/2007 11:36 Re: What is this program? [Re: AndrewT]
g_attrill
old hand

Registered: 14/04/2002
Posts: 1172
Loc: Hants, UK
These two online scanners are pretty comprehensive:

http://virusscan.jotti.org/
http://www.virustotal.com/
