Hello guys,
I have a few XP machines in our network. On that machine I see some strange local administrator accounts. Can someone tell me if this is some spyware or malware?
How can I remove them? Can someone tell me what program made those local administrator accounts?
User accounts:
agegldwlynJMZAXGXYA
aimsozcwbzCZEBELMXX
cfssmmasspUTCPZRDSG
cjhjdhjopbBEFJBNIMC
dlafzmxxdqMPPNJQLCG
dubyqbsqssXQVGTUDAY
epjjkjjgpyWYWJDLSFR
epkurptkfdOYDTNDJRW
fiqyfbxbfbBOUWKCXIO
foqjmwznswNTBAMAYNA
ftahgoomjoXRPTUKWGS
fvoifqzymoJITVRAXAU
grdpwkbcfvFIZYAJDDG
hotqkxaqytHRPNOWQSC
ipuiefapwcQUTRZZBSA
jaqubchkruGJVMJYMXP
jaqubchkruGJVMJYMXP
jaqubchkruGJVMJYMXP
jienjfkiepGJNZBMHMQ
jienjfkiepGJNZBMHMQ
jiusiprbrbFKNNCBTEU
jiusiprbrbFKNNCBTEU
jrcbtzfnezGJDZSKRJN
jzaqvlbznpQHEYJPLGR
jzgzampdefGJWAKNYPT
jzgzampdefGJWAKNYPT
mhwsqlxabmAFUKVKJQJ
osckezmqkpSAPFBDJBC
oymcelnfpjVVFABYGHV
paquqsfcnaEVPUEILDO
qegqzaourpTIRIDYLQC
riaugayatrQCFDPOFUV
rxjtsxncppBAWYUXIHS
sfrblitbilMUQGMAQJQ
shsblfewhhCPABQJPYQ
smmfqeklwdLUJUGSJHA
tdeljtwncgKKJNZGEQZ
tfogkgaonrBFSUCZSOV
tkwpsgqewyCMIJBUHOY
uekqwqxeomXOTCNPDWM
vinuyqqlqiMHNTEEEDI
vtncvxunubHIGYZLEWT
wjvtzepficCRPTTOUQJ
wquhfkxicqTUPQXHUYQ
wxzwdhbwkfZSEWJHBGU
xmrsoghwyrFGAVVSWRS
zeeoraiuirHKMDTEECN
#1
Posted 21 November 2011 - 10:04 AM
#2
Posted 21 November 2011 - 11:16 AM
roel, on 21 November 2011 - 10:04 AM, said:
Hello guys,
I have a few XP machines in our network. On that machine I see some strange local administrator accounts. Can someone tell me if this is some spyware or malware?
How can I remove them? Can someone tell me what program made those local administrator accounts?
< list snipped >
If you have administrative accounts on a PC with names like that, then the initial response is that the computer or computers have been compromised!
Probably the FIRST thing to do is to disconnect it/them ASAP from the network and isolate it/them.
{ Since you wrote "...few xp machines in our network. On that machine..." it can't be determined if this is one computer or multiple computers. }
Answering your questions is very complex. We can't know how the computers have been compromised, by what vector or by what software, if any. It could be malware or it could be an external compromise. At this point it is too early to make such a determination.
Are you an Administrator of the network in question with admin rights on all platforms?
Is this a simplistic Local Area Network (LAN) or is this a more complex Active Directory Domain?
David H. Lipman
DLipman@Verizon.Net
#3
Posted 22 November 2011 - 03:10 AM
David H. Lipman, on 21 November 2011 - 11:16 AM, said:
If you have administrative accounts on a PC with names like that, then the initial response is that the computer or computers have been compromised!
Probably the FIRST thing to do is to disconnect it/them ASAP from the network and isolate it/them.
{ Since you wrote "...few xp machines in our network. On that machine..." it can't be determined if this is one computer or multiple computers. }
Answering your questions is very complex. We can't know how the computers have been compromised, by what vector or by what software, if any. It could be malware or it could be an external compromise. At this point it is too early to make such a determination.
Are you an Administrator of the network in question with admin rights on all platforms?
Is this a simplistic Local Area Network (LAN) or is this a more complex Active Directory Domain?
Hello David,
I am an administrator and I have all administrator rights on every domain and machine. This is a simple Active Directory domain.
#4
Posted 22 November 2011 - 03:47 AM
It would be best to disconnect them from the network by simply unplugging the network cable and, if you have the time and resources, start a forensic analysis of where/what happened, if possible. If time or resources do not permit, then simply remove them from the Domain and wipe them, including deletion of partitions, and scan all other systems for any similar signs and for virus/malware threats.
It's possible that it could be an internal or external threat or simply code from an infection. System monitoring to ensure other systems are not attacked would be in order.
#5
Posted 22 November 2011 - 09:19 AM
I agree w/Ron.
The affected computer(s) must be isolated.
Peer computers on the same subnet need to be examined thoroughly (system logs, anti-malware logs, etc.) and need to have On Demand scanning performed. This should be done by both the fully installed anti-virus application of the PC in question as well as alternative On Demand anti-malware scanning software.
Firewall and Gateway appliance logs must be examined thoroughly.
Look for abnormal LAN and data activity.
Depending upon your needs and capabilities, hiring an outside security firm may be warranted.
David H. Lipman
DLipman@Verizon.Net
#6
Posted 23 November 2011 - 07:29 AM
Going out on a limb here, but in Active Directory if you delete a user who has access to a particular machine, then instead of listing the username in the user accounts section, it will show some random characters. I believe it displays the GUID of the user instead of the name. Not sure if that's the case here or not.
#7
Posted 23 November 2011 - 08:01 AM
rgabbard, on 23 November 2011 - 07:29 AM, said:
Going out on a limb here, but in Active Directory if you delete a user who has access to a particular machine, then instead of listing the username in the user accounts section, it will show some random characters. I believe it displays the GUID of the user instead of the name. Not sure if that's the case here or not.
That's good. It shows you are thinking, but you are not quite there.
Associated with Organizational Unit Objects are Security Identifiers, SIDs. The Domain Controller converts the SID to a "User Name". If the Domain Controller is not present you will see the SID. If the Object is deleted from the AD then you will see the orphaned SID. It is the SID that is used for permissions and Access Control Lists (ACLs).
The following is an example of a SID --> S-1-5-21-3623811015-3361044348-30300820-1013
"aimsozcwbzCZEBELMXX" does not fit the pattern of a SID.
SID Wiki
David H. Lipman
DLipman@Verizon.Net
#8
Posted 06 July 2012 - 08:10 AM
Hi,
we had the same thing on some of our machines. Always a random username consisting of 10 lowercase characters and 9 uppercase characters. After some analysis, we found the source of these users: Lenovo System Update. It seems to create the user when you run it. Hope that helps some other people.
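The checks discussed in posts #7 and #8, as an added example that is not code from this thread or from any poster: enumerate the members of the local Administrators group, separate orphaned SIDs (which look like David's S-1-5-21-... example) from names matching the pattern reported in #8 (10 lowercase letters followed by 9 uppercase), and then look in the Security log for the account-creation events that would tell you who or what created them. Assumptions: it is run locally with administrator rights on PowerShell 2.0 or later (the WinNT ADSI provider and Get-EventLog exist on XP as well as current Windows), and that "Audit account management" was enabled when the accounts were created; otherwise the event search simply returns nothing.

```powershell
# Added example, not from the thread. Assumes: local admin rights, PowerShell 2.0+,
# and that account-management auditing was on when the accounts were created.

# Name pattern reported in post #8: 10 lowercase letters then 9 uppercase letters.
$suspectCore    = '[a-z]{10}[A-Z]{9}'
$suspectPattern = "^$suspectCore`$"
# Shape of a Windows SID; post #7's S-1-5-21-3623811015-3361044348-30300820-1013 matches it.
$sidPattern     = '^S-1-\d+(-\d+)+$'

function Get-LocalAdminMembers {
    # WinNT provider: works on XP through current Windows, no RSAT required.
    $group = [ADSI]"WinNT://./Administrators,group"
    foreach ($member in @($group.Invoke('Members'))) {
        $name = $member.GetType().InvokeMember('Name',    'GetProperty', $null, $member, $null)
        $path = $member.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $member, $null)
        New-Object PSObject -Property @{ Name = $name; AdsPath = $path }
    }
}

function Get-AdminMemberClass([string]$name) {
    # A deleted domain principal is listed by its orphaned SID (post #7), not a GUID.
    if ($name -match $sidPattern)     { return 'OrphanedSID' }
    # Random-looking name of the exact shape described in post #8.
    if ($name -match $suspectPattern) { return 'RandomName'  }
    return 'Named'
}

"Members of the local Administrators group:"
foreach ($m in Get-LocalAdminMembers) {
    "{0,-12} {1,-25} {2}" -f (Get-AdminMemberClass $m.Name), $m.Name, $m.AdsPath
}

# Who created them? XP writes event 624 ("User Account Created"); Vista and later
# write 4720 ("A user account was created"). Both carry the new account name and
# the caller/subject that performed the creation.
"Account-creation events for names matching $suspectCore :"
Get-EventLog -LogName Security -ErrorAction SilentlyContinue |
    Where-Object { ($_.EventID -eq 624 -or $_.EventID -eq 4720) -and $_.Message -match "\b$suspectCore\b" } |
    ForEach-Object {
        "{0}  event {1}" -f $_.TimeGenerated, $_.EventID
        # Keep only the lines that identify the new account and who created it.
        ($_.Message -split "`r?`n") | Where-Object { $_ -match 'Account Name|Caller User Name|Subject' }
    }
```

On a machine where auditing was off, the second section prints nothing; the group listing still tells you how many accounts match the pattern. Matching accounts that also carry a creation event from a software-update service account support the explanation in post #8; matching accounts with no audit trail, or created by an unexpected caller, support the advice in posts #2 to #5 to isolate the box first.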