On 12/26/2006 10:21 PM, something possessed Raffi to write:
> David H. Lipman wrote:
>> From: "Raffi" <thegrizzzly@yahoo.com>
>>
>>
>>
>> | I had some time to do packet analysis using Ethereal and most of the
>> | connections were DNS queries and SMTP connections.
>>
>> | I went ahead and blocked all traffic from the PC to the ISP DNS servers
>> | in my firewall (Comodo). The DNS server for my PC is statically defined
>> | as the gateway router. Since the ISP DNS was no longer accessible it
>> | rerouted the DNS queries (and/or query responses) to the gateway
>> | router. These were a bunch of MX queries for mostly .ru domains.
>>
>> | Next I blocked all inbound and outbound UDP connections for svchost.exe
>> | and services.exe. This stopped most of the traffic. After a while I
>> | started seeing traffic to a couple of specific ip addresses
>> | (208.66.195.78 and 62.189.194.215) which don't resolve to anything with
>> | nslookup. I blocked these IP addresses in the firewall as well. Next
>> | the PC started sending out a bunch of broadcasts (.255). So I blocked
>> | outbound broadcast connections.
>>
>> | Next it started sending broadcast to 0.255 using the ZIP (Zone
>> | Information Protocol) protocol. I don't think I've seen this one
>> | before. I haven't been able to block these yet.
>>
>> | My guess is the PC is somehow being used as a DNS/SMTP relay. Another
>> | guess is my svchost.exe and/or services.exe have been compromised.
>>
>> | As usual, any help in getting to the bottom of this would be welcome.
>>
>> | Raffi
>>
>> http://www.dnsstuff.com/tools/whois....whois.arin.net
>>
>> http://www.dnsstuff.com/tools/whois....4.215&email=on
>>
>>
>> This is suspicious.
>>
>> You may have to back up the PC, wipe it and then reinstall the OS from scratch if all the
>> scans have come up negative.
>>
>> The only other option is to use anti-rootkit software such as Gmer and BlackLight to find
>> the malware. Otherwise, wipe the system.
>>
>> --
>> Dave
>> http://www.claymania.com/removal-trojan-adware.html
>> http://www.ik-cs.com/got-a-virus.htm

>
> Update - I had tried a couple of rootkit detection software without
> success and had given up. But gmer finally found it. Turns out it is a
> rootkit. It's called Backdoor.Rustock.B. It uses the following hidden
> data stream c:\windows\system32:lzx32.sys (c:\windows\system32:18467).
> This Symantec website has more information:
> http://www.symantec.com/security_res...305-99&tabid=3
>
> The symptoms for the rootkit are similar to what I'm experiencing. From
> what I've read so far it might be tricky to get rid of. It seems to be
> active in safe mode as well. I'll be searching for a way to get rid of
> it. If there are any ideas out there, please let me know.
>
> Thanks for all the help.
> Raffi
>

First, stay off the network with your infected PC. Secondly, get
PEBuilder and create a BartPE LiveCD. Use this to edit your
registry.hiv file in order to remove the rootkit (I haven't done the
research because my blood sugar is getting low, so you'll need to do the
research to figure out what registry keys in registry.hiv should be
deleted, or maybe someone else here will be nice enough to post those
for you). Good luck.

Cheers,

Will
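The firewall-and-sniffer procedure Raffi describes (watching for DNS traffic that is mostly MX lookups, plus outbound SMTP to many hosts) can be turned into a simple detector. The script below is an added example written for this thread, not code from any of the posters; the log format it parses is a constructed, simplified Ethereal-style packet summary ("time src dst proto detail"), the sample lines are made up, and the hostnames (all under the reserved .invalid TLD) and the 203.0.113.x addresses (the TEST-NET-3 documentation range) are placeholders, not the addresses from the thread.

```python
"""Flag LAN hosts whose traffic looks like a spam/mail relay: DNS activity
dominated by MX lookups plus outbound SMTP (TCP/25) to many distinct hosts.

The input format is a constructed, simplified Ethereal-style summary line:
    <time> <src> <dst> <proto> <detail>
It is NOT real capture output; adapt the regexes to your own export format.
"""
import re
from collections import defaultdict

# Constructed sample: host .10 behaves like a relay, host .20 is a normal client.
SAMPLE_LOG = """\
0.001 192.168.1.10 192.168.1.1 DNS Standard query MX mx-target-1.invalid
0.002 192.168.1.10 192.168.1.1 DNS Standard query MX mx-target-2.invalid
0.003 192.168.1.10 192.168.1.1 DNS Standard query MX mx-target-3.invalid
0.004 192.168.1.10 192.168.1.1 DNS Standard query MX mx-target-4.invalid
0.005 192.168.1.10 192.168.1.1 DNS Standard query MX mx-target-5.invalid
0.006 192.168.1.10 192.168.1.1 DNS Standard query MX mx-target-6.invalid
0.007 192.168.1.1 192.168.1.10 DNS Standard query response MX mx-target-1.invalid
0.008 192.168.1.10 192.168.1.1 DNS Standard query A www.update-server.invalid
0.010 192.168.1.10 203.0.113.11 TCP 3001 > 25 [SYN] Seq=0
0.011 192.168.1.10 203.0.113.12 TCP 3002 > 25 [SYN] Seq=0
0.012 192.168.1.10 203.0.113.13 TCP 3003 > 25 [SYN] Seq=0
0.013 192.168.1.10 203.0.113.14 TCP 3004 > 25 [SYN] Seq=0
0.020 192.168.1.20 192.168.1.1 DNS Standard query A www.news-site.invalid
0.021 192.168.1.20 192.168.1.1 DNS Standard query A cdn.news-site.invalid
0.022 192.168.1.20 192.168.1.1 DNS Standard query MX isp-mail.invalid
0.023 192.168.1.20 203.0.113.50 TCP 3100 > 25 [SYN] Seq=0
0.024 192.168.1.20 203.0.113.60 TCP 3101 > 80 [SYN] Seq=0
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+(?P<detail>.*)$"
)
# "Standard query MX some.domain" -- the query type is the upper-case token.
DNS_QUERY_RE = re.compile(r"Standard query (?P<qtype>[A-Z]+) (?P<name>\S+)")
# Connection attempt to the SMTP port: "<sport> > 25 [SYN]".
SMTP_SYN_RE = re.compile(r"^\d+ > 25 \[SYN\]")


def parse_line(line):
    """Split one summary line into its fields; return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Per source host: DNS query count, MX query count, MX target domains,
    and the set of distinct hosts contacted on TCP/25."""
    stats = defaultdict(
        lambda: {"dns": 0, "mx": 0, "mx_domains": set(), "smtp_dsts": set()}
    )
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] == "DNS":
            if "response" in rec["detail"]:
                continue  # only count queries the host itself sent
            q = DNS_QUERY_RE.search(rec["detail"])
            if q is None:
                continue
            host = stats[rec["src"]]
            host["dns"] += 1
            if q.group("qtype") == "MX":
                host["mx"] += 1
                host["mx_domains"].add(q.group("name").lower())
        elif rec["proto"] == "TCP" and SMTP_SYN_RE.match(rec["detail"]):
            stats[rec["src"]]["smtp_dsts"].add(rec["dst"])
    return stats


def flag_relay_suspects(lines, mx_ratio=0.5, min_mx=5, min_smtp_dests=3):
    """Return {host: [reasons]} for hosts whose DNS is MX-heavy or that open
    SMTP connections to many different hosts. Thresholds are illustrative."""
    suspects = {}
    for src, s in summarize(lines).items():
        reasons = []
        if s["dns"] and s["mx"] >= min_mx and s["mx"] / s["dns"] >= mx_ratio:
            reasons.append(
                f"{s['mx']}/{s['dns']} DNS queries are MX lookups "
                f"({len(s['mx_domains'])} distinct domains)"
            )
        if len(s["smtp_dsts"]) >= min_smtp_dests:
            reasons.append(f"outbound SMTP to {len(s['smtp_dsts'])} distinct hosts")
        if reasons:
            suspects[src] = reasons
    return suspects


if __name__ == "__main__":
    for host, reasons in flag_relay_suspects(SAMPLE_LOG.splitlines()).items():
        print(host)
        for r in reasons:
            print("  -", r)
```

A normal workstation almost never issues MX queries itself (its mail client hands mail to one submission server), so a host whose resolver traffic is mostly MX lookups, followed by TCP/25 connections to the hosts those lookups returned, is a strong relay indicator; run the same heuristic against your own capture export by adjusting the two regexes.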