#1
Posted 12 April 2012 - 01:56 PM
I found someone hacked into my machine. I ran Malwarebytes but it didn't detect any problem. I used netstat, and I think I found the rogue process; it was called srchsot.exe. It had installed itself deep in the Windows\System32 directory (\windows\system32\mui\dispspec\Microsoft\). There was an install.bat file and a srchsot.exe file in that folder. The install had installed registry keys to auto-start when the machine restarts.
I killed the process and deleted those files and the associated registry keys.
When the process was running it was connected to h1915849.stratoserver.net:6667. Below is the suspicious netstat output which helped me track it.
TCP SAM-LAPTOP:3575 h1915849.stratoserver.net:6667 ESTABLISHED 4604
TCP SAM-LAPTOP:3586 v-client-5b.sjc.dropbox.com:https CLOSE_WAIT 5804
TCP SAM-LAPTOP:3588 sjc-not17.sjc.dropbox.com:http ESTABLISHED 812
Can you please update your database with this info?
#2
Posted 12 April 2012 - 02:09 PM
Greetings 
In order to add detection for a threat to our database, we need a sample of the file. If you still have a copy of srchsot.exe, then please zip and attach it in a new topic here and our Research team will do an analysis on it and add detection for it if it is a threat.
Thanks
#3
Posted 12 April 2012 - 02:42 PM
It looks like an IRC Bot.
What anti-virus software is installed on this computer?
David H. Lipman
DLipman@Verizon.Net
#4
Posted 12 April 2012 - 03:22 PM
Yepper, a PamoBot communicating IRC with Velillos2010.no-ip.org (85.214.215.52)
{ Associated with; http://www.minpop.com }
What anti-virus software is installed on this computer?
Quote
NICK PamoBot|655
USER PamoBot|867 192.168.0.13 Velillos2010.no-ip.org :PamoBot|584
PONG :152AC498
JOIN ##200##
PONG :IRC.Velillos.com
David H. Lipman
DLipman@Verizon.Net
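A small triage script, added here and not part of the thread, that automates the two checks the posters did by hand: flag `netstat -o` connections to IRC ports and report the owning PID (post #1), and pull the nick, registration server and joined channel out of the quoted IRC client lines (post #4). The sample inputs are constructed from the lines quoted above, and the IRC port watch-list is a hypothetical choice for the example.

```python
# Constructed sample of `netstat -o` output, modelled on the lines quoted in post #1.
NETSTAT_SAMPLE = """\
TCP SAM-LAPTOP:3575 h1915849.stratoserver.net:6667 ESTABLISHED 4604
TCP SAM-LAPTOP:3586 v-client-5b.sjc.dropbox.com:https CLOSE_WAIT 5804
TCP SAM-LAPTOP:3588 sjc-not17.sjc.dropbox.com:http ESTABLISHED 812
"""

# Constructed sample of the bot's IRC registration traffic, modelled on the capture in post #4.
IRC_SAMPLE = """\
NICK PamoBot|655
USER PamoBot|867 192.168.0.13 Velillos2010.no-ip.org :PamoBot|584
PONG :152AC498
JOIN ##200##
"""

# Hypothetical watch-list: the classic plaintext IRC ports plus 6697 (IRC over TLS).
IRC_PORTS = {"6667", "6668", "6669", "6697"}


def suspicious_netstat(text):
    """Return (pid, remote_host) for ESTABLISHED TCP sessions to an IRC port.

    Each `netstat -o` line has five columns: proto, local, remote, state, pid.
    The PID is what lets an analyst map the socket back to the process.
    """
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue  # skip headers, UDP rows and anything malformed
        _proto, _local, remote, state, pid = parts
        rhost, _, rport = remote.rpartition(":")  # host may itself contain dots, so split on the last colon
        if state == "ESTABLISHED" and rport in IRC_PORTS:
            hits.append((int(pid), rhost))
    return hits


def irc_registration(text):
    """Extract nick, USER servername field and JOINed channels from IRC client lines."""
    info = {"nick": None, "server": None, "channels": []}
    for line in text.splitlines():
        cmd, _, rest = line.partition(" ")
        if cmd == "NICK":
            info["nick"] = rest.strip()
        elif cmd == "USER":
            # RFC 1459 form: USER <username> <hostname> <servername> :<realname>
            fields = rest.split()
            if len(fields) >= 3:
                info["server"] = fields[2]
        elif cmd == "JOIN":
            info["channels"].append(rest.strip())
    return info
```

The netstat parser deliberately ignores CLOSE_WAIT rows, so the Dropbox sessions in the sample are not reported.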
#5
Posted 12 April 2012 - 03:51 PM
I had Symantec running, and also MalwareBytes service. Neither of them detected this. When I saw there was someone actually controlling the mouse on my machine (!?), I ran the MalwareBytes scan, but it did not detect this. I found it using netstat -o.
#6
Posted 12 April 2012 - 03:52 PM
exile360, on 12 April 2012 - 02:09 PM, said:
Greetings 
In order to add detection for a threat to our database, we need a sample of the file. If you still have a copy of srchsot.exe, then please zip and attach it in a new topic here and our Research team will do an analysis on it and add detection for it if it is a threat.
Thanks
I found that I still had a copy in my Recycle bin (oops), and uploaded it to the MB site noted. Hopefully this will help.
#7
Posted 12 April 2012 - 04:20 PM
Excellent, thanks.
#8
Posted 12 April 2012 - 04:26 PM
shalomshachne, on 12 April 2012 - 03:52 PM, said:
I found that I still had a copy in my Recycle bin (oops), and uploaded it to the MB site noted. Hopefully this will help.
Ade got it and he'll recognize this IRC Bot.
I'm sorry that NAV and MBAM didn't catch this but its submission to Virus Total showed no recognition for that Bot.
The thing is, rarely does there exist one singular malware. The EXE dropped 7 DLL files and none of them seemed to be recognized either. You might want to start a thread in the Malware Removal - HijackThis Logs thread after reading I'm infected - What do I do now?
David H. Lipman
DLipman@Verizon.Net
#9
Posted 12 April 2012 - 05:36 PM
Hi all
Just to post to confirm it is an IRCBot and detection will be created for it.
Just as a matter of interest, it looks like all the AVs @ VirusTotal (0/42) would have been bypassed by this Trojan.
https://www.virustot...44b59/analysis/
@ Dave, the toolkit cannot be called malicious and can be readily nuked just by emptying the temp folder.
#10
Posted 12 April 2012 - 05:47 PM