srchsot.exe

trojan
#1 shalomshachne

    New Member

  • Members
  • 4 posts

Posted 12 April 2012 - 01:56 PM

I found someone had hacked into my machine. I ran Malwarebytes but it didn't detect any problem. I used netstat, and I think I found the rogue process; it was called srchsot.exe. It had installed itself deep in the Windows\System32 directory (\windows\system32\mui\dispspec\Microsoft\). There was an install.bat file and an srchsot.exe file in that folder. The install had added registry keys to auto-start when the machine restarts.

I killed the process and deleted those files and the associated registry keys.

When the process was running it was connected to h1915849.stratoserver.net:6667. Below is the suspicious netstat output which helped me track it.

TCP SAM-LAPTOP:3575 h1915849.stratoserver.net:6667 ESTABLISHED 4604
TCP SAM-LAPTOP:3586 v-client-5b.sjc.dropbox.com:https CLOSE_WAIT 5804
TCP SAM-LAPTOP:3588 sjc-not17.sjc.dropbox.com:http ESTABLISHED 812


Can you please update your database with this info?
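The poster spotted the bot by reading `netstat -o` by eye. The following is an added example (not code from the thread or from Malwarebytes) showing how a defender can script the same check: it parses the Windows `netstat -o` column layout quoted above and reports the owning PID of any established TCP socket whose remote port is one of the standard IRC ports. The sample output is constructed from the lines in the post, and the port list and service-name map are assumptions based on common IRC deployments, not anything the thread states.

```python
"""Flag established connections to IRC ports in Windows `netstat -o` output.

Added example, not from the original thread. It reads the Proto / Local /
Foreign / State / PID layout that `netstat -o` prints and returns the
sockets a defender would want to inspect first.
"""
import re

# Standard IRC service ports (assumption); 6667 is the one seen in the post.
IRC_PORTS = {6660, 6661, 6662, 6663, 6664, 6665, 6666, 6667, 6668, 6669, 6697, 7000}

# Without -n, netstat prints well-known service names instead of numbers.
SERVICE_PORTS = {"http": 80, "https": 443, "ircd": 6667}

# Constructed sample modelled on the output quoted in the post.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    SAM-LAPTOP:3575        h1915849.stratoserver.net:6667  ESTABLISHED     4604
  TCP    SAM-LAPTOP:3586        v-client-5b.sjc.dropbox.com:https  CLOSE_WAIT      5804
  TCP    SAM-LAPTOP:3588        sjc-not17.sjc.dropbox.com:http  ESTABLISHED     812
"""

# Only TCP rows carry a State column on Windows; IRC is TCP, so UDP rows are skipped.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$"
)


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port as int); resolve service names."""
    host, _, port = endpoint.rpartition(":")
    if port.isdigit():
        return host, int(port)
    return host, SERVICE_PORTS.get(port.lower())


def parse_netstat(text):
    """Return one dict per TCP connection row; header and blank lines are ignored."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rhost, rport = split_endpoint(m.group("remote"))
        conns.append({
            "local": m.group("local"),
            "remote_host": rhost,
            "remote_port": rport,
            "state": m.group("state"),
            "pid": int(m.group("pid")),
        })
    return conns


def suspicious_irc_connections(text):
    """Established sockets whose remote port is an IRC port, with the owning PID."""
    return [
        c for c in parse_netstat(text)
        if c["remote_port"] in IRC_PORTS and c["state"] == "ESTABLISHED"
    ]


if __name__ == "__main__":
    for c in suspicious_irc_connections(SAMPLE_NETSTAT):
        print(f"PID {c['pid']} -> {c['remote_host']}:{c['remote_port']} ({c['state']})")
```

On a live machine, feed it the output of `netstat -o` (or `netstat -ano` for numeric addresses) and then look the PID up in Task Manager or `tasklist` to find the binary, which is exactly the path the poster followed by hand. A port-based check is only a first filter; a bot using a non-standard port would need the IRC handshake itself to be recognised.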

#2 exile360

    exile

  • Administrators
  • 16,017 posts
  • Gender:Male

Posted 12 April 2012 - 02:09 PM

Greetings :)

In order to add detection for a threat to our database, we need a sample of the file. If you still have a copy of srchsot.exe, then please zip and attach it in a new topic here and our Research team will do an analysis on it and add detection for it if it is a threat.

Thanks :)
Samuel E Lindsey
Product Manager
Follow us: Twitter, Become a fan: Facebook

#3 David H. Lipman

    Forum Deity

  • Experts
  • 4,251 posts
  • Gender:Male
  • Location:Jersey Shore USA
  • Interests:Malware Research, dSLR Photography, Numismatics & Surf Fishing

Posted 12 April 2012 - 02:42 PM

It looks like an IRC Bot.

What anti-virus software is installed on this computer?
David H. Lipman
DLipman@Verizon.Net

#4 David H. Lipman

    Forum Deity

  • Experts
  • 4,251 posts
  • Gender:Male
  • Location:Jersey Shore USA
  • Interests:Malware Research, dSLR Photography, Numismatics & Surf Fishing

Posted 12 April 2012 - 03:22 PM

Yepper, a PamoBot communicating via IRC with Velillos2010.no-ip.org (85.214.215.52).

NICK PamoBot|655
USER PamoBot|867 192.168.0.13 Velillos2010.no-ip.org :PamoBot|584
PONG :152AC498
JOIN ##200##
PONG :IRC.Velillos.com


{ Associated with: http://www.minpop.com }

What anti-virus software is installed on this computer?
David H. Lipman
DLipman@Verizon.Net
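The handshake quoted above is the client side of a plain IRC session: NICK sets the nick, USER carries the username, host, server and (after the colon) the real name, and JOIN enters a channel. What gives the bot away is that every name field is the same fixed prefix with an independently random numeric suffix, and the channel is a bare number wrapped in hashes. The following is an added example (not code from the thread or from Malwarebytes) that parses such captured client lines and turns that pattern into an indicator a defender could apply to proxy or IDS logs. The sample session is constructed from the lines in the post; the heuristics are assumptions drawn from it, not a statement about how the bot family behaves in general.

```python
"""Extract a bot fingerprint from captured IRC client-side commands.

Added example, not from the original thread. Parses the NICK / USER / JOIN
commands a client sends and reports the fixed-prefix, random-suffix naming
pattern and numeric channel name seen in the post.
"""
import re

# Constructed sample, copied from the handshake quoted in the post.
SAMPLE_SESSION = """\
NICK PamoBot|655
USER PamoBot|867 192.168.0.13 Velillos2010.no-ip.org :PamoBot|584
PONG :152AC498
JOIN ##200##
PONG :IRC.Velillos.com
"""

# A name of the form <prefix>|<digits>, e.g. PamoBot|655.
SUFFIXED_NAME_RE = re.compile(r"^(?P<prefix>[A-Za-z][A-Za-z0-9_-]*)\|(?P<suffix>\d+)$")

# A channel that is nothing but digits wrapped in hashes, e.g. ##200##.
NUMERIC_CHANNEL_RE = re.compile(r"#+\d+#+")


def parse_irc_line(line):
    """Split one IRC client line into (COMMAND, params, trailing)."""
    line = line.rstrip("\r\n")
    trailing = None
    if " :" in line:  # everything after the first ' :' is one trailing parameter
        line, trailing = line.split(" :", 1)
    parts = line.split()
    if not parts:
        return None
    return parts[0].upper(), parts[1:], trailing


def session_summary(text):
    """Collect the identity fields and channel joins from a client session."""
    s = {"nick": None, "user": None, "host": None, "server": None,
         "realname": None, "channels": []}
    for raw in text.splitlines():
        parsed = parse_irc_line(raw)
        if parsed is None:
            continue
        cmd, params, trailing = parsed
        if cmd == "NICK" and params:
            s["nick"] = params[0]
        elif cmd == "USER" and len(params) >= 3:
            s["user"], s["host"], s["server"] = params[:3]
            s["realname"] = trailing
        elif cmd == "JOIN" and params:
            s["channels"].extend(params[0].split(","))
    return s


def bot_indicators(text):
    """Return human-readable indicators drawn from the patterns in the post."""
    s = session_summary(text)
    indicators = []

    names = [n for n in (s["nick"], s["user"], s["realname"]) if n]
    matches = [SUFFIXED_NAME_RE.match(n) for n in names]
    if len(names) > 1 and all(matches):
        prefixes = {m.group("prefix") for m in matches}
        suffixes = {m.group("suffix") for m in matches}
        # One prefix, but a different random number in each field: a generated identity.
        if len(prefixes) == 1 and len(suffixes) == len(names):
            indicators.append(
                f"fixed prefix '{prefixes.pop()}' with independent numeric suffixes in NICK/USER/realname"
            )

    for ch in s["channels"]:
        if NUMERIC_CHANNEL_RE.fullmatch(ch):
            indicators.append(f"numeric-only channel name {ch}")

    return indicators


if __name__ == "__main__":
    print(session_summary(SAMPLE_SESSION))
    for ind in bot_indicators(SAMPLE_SESSION):
        print("indicator:", ind)
```

The same parsing applies to any captured client-to-server IRC stream; the indicators are deliberately narrow so that a human user running a normal IRC client is not flagged. A real detection would pair them with the destination host and port, which in this thread were already enough to identify the process.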

#5 shalomshachne

    New Member

  • Members
  • 4 posts

Posted 12 April 2012 - 03:51 PM

I had Symantec running, and also MalwareBytes service. Neither of them detected this. When I saw there was someone actually controlling the mouse on my machine (!?), I ran the MalwareBytes scan, but it did not detect this. I found it using netstat -o.

#6 shalomshachne

    New Member

  • Members
  • 4 posts

Posted 12 April 2012 - 03:52 PM

> Greetings :)
>
> In order to add detection for a threat to our database, we need a sample of the file. If you still have a copy of srchsot.exe, then please zip and attach it in a new topic here and our Research team will do an analysis on it and add detection for it if it is a threat.
>
> Thanks :)


I found that I still had a copy in my Recycle bin (oops), and uploaded it to the MB site noted. Hopefully this will help.

#7 exile360

    exile

  • Administrators
  • 16,017 posts
  • Gender:Male

Posted 12 April 2012 - 04:20 PM

Excellent, thanks :).
Samuel E Lindsey
Product Manager

#8 David H. Lipman

    Forum Deity

  • Experts
  • 4,251 posts
  • Gender:Male
  • Location:Jersey Shore USA
  • Interests:Malware Research, dSLR Photography, Numismatics & Surf Fishing

Posted 12 April 2012 - 04:26 PM

> I found that I still had a copy in my Recycle bin (oops), and uploaded it to the MB site noted. Hopefully this will help.


Ade got it and he'll recognize this IRC Bot.

I'm sorry that NAV and MBAM didn't catch this, but its submission to VirusTotal showed no recognition for that Bot.

The thing is, rarely does there exist one singular malware. The EXE dropped 7 DLL files and none of them seemed to be recognized either. You might want to start a thread in the Malware Removal - HijackThis Logs forum after reading I'm infected - What do I do now?
David H. Lipman
DLipman@Verizon.Net

#9 Fatdcuk

    Malware BBQ'er

  • Moderators
  • 20,550 posts
  • Gender:Male
  • Location:127.0.0.1

Posted 12 April 2012 - 05:36 PM

Hi all

Just to post to confirm it is an IRCBot and detection will be created for it.

Just as a matter of interest, it looks like all the AVs @ VirusTotal (0/42) would have been bypassed by this Trojan.
https://www.virustot...44b59/analysis/

@ Dave, the toolkit cannot be called malicious and can be readily nuked just by emptying the temp folder.
Ade Gill
Research Engineer

#10 David H. Lipman

    Forum Deity

  • Experts
  • 4,251 posts
  • Gender:Male
  • Location:Jersey Shore USA
  • Interests:Malware Research, dSLR Photography, Numismatics & Surf Fishing

Posted 12 April 2012 - 05:47 PM

> @ Dave, the toolkit cannot be called malicious and can be readily nuked just by emptying the temp folder.


That explains the zero detection on VT on the 7 DLLs.
David H. Lipman
DLipman@Verizon.Net
