5aLIVE
October 27th, 2008, 05:34
My PC is running XP Home SP3 and recently I noticed that a copy of SVCHOST.EXE used for DCOM and terminal services is being used to connect and disconnect to random websites and mail servers and Syn flooding them and incrementing through the network ports as it goes.
Once connected to particular sites it attempts to execute ActiveX, VB and Java scripts.
I ran ProcessExplorer to find the process ID of the offending generic host.
Once I did that, I confirmed that only the DCOM Launch and Termservices were using SVCHOST.
What I wanted to do was try and find a way to identify all the DLLs which were using this host. I tried
attaching to the host in OllyDbg and then viewing the executable modules to see if I could find the rogue DLL.
There didn't appear to be anything suspicious looking (to me) here.
I tried scanning my Windows folder with NOD32 and SUPERAntispyware which couldn't find anything. I also ran the
BitDefender online scanner which identified the file C:\WINDOWS\system32\bnts32.dll as:
DeepScan:Generic.Clicker.Lobgal.FB7B9232.
Why didn't OllyDbg show this rogue DLL in its list of executable modules? Is it something I have overlooked or
do I need to use a different tool or technique?
A Google search revealed no information on this malware. I can attach a zipped and password protected copy of the malware if anyone is interested. I wonder if the infection had anything to do with the latest MS08-067 exploit. I've installed this patch too.
Deleting the suspicious DLL file seems to have fixed the problem.
UPDATE: Since posting this, my firewall showed a process with no name trying to open the closed telnet port. So it looks like I've got another nasty hiding away. Can anyone suggest how I can identify this hidden process?
Damn it! I'm also seeing an outgoing HTTPS connection to paypal.com via port 1414.
Thanks for reading.
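One way to do the cross-check the poster is after, as an added example that is not part of the original post: list every DLL loaded into each svchost.exe instance, flag modules that are not Authenticode-signed or that live outside system32, and print the ServiceDll each hosted service is registered to use, so a module that no service accounts for stands out. It assumes an elevated PowerShell session on the machine being examined (on an XP-era system Get-WmiObject would replace Get-CimInstance).

```powershell
# Added triage script (not from the original post). Assumes elevated PowerShell
# on the examined host; module enumeration needs the same bitness as svchost.exe.
$system32 = Join-Path $env:SystemRoot 'system32'

# Build a map of service name -> registered ServiceDll from the registry.
$serviceDlls = @{}
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $params = Get-ItemProperty -Path (Join-Path $_.PSPath 'Parameters') -ErrorAction SilentlyContinue
    if ($params -and $params.ServiceDll) {
        $serviceDlls[$_.PSChildName] = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
    }
}

foreach ($proc in Get-Process -Name svchost) {
    # Which services this particular svchost.exe instance is hosting.
    $hosted = Get-CimInstance Win32_Service -Filter "ProcessId = $($proc.Id)" |
              Select-Object -ExpandProperty Name
    "=== svchost.exe PID $($proc.Id) hosts: $($hosted -join ', ')"
    foreach ($svc in $hosted) {
        if ($serviceDlls.ContainsKey($svc)) { "    ServiceDll[$svc] = $($serviceDlls[$svc])" }
    }

    # Walk the loaded modules and flag the ones worth a closer look.
    foreach ($mod in $proc.Modules) {
        $path  = $mod.FileName
        $flags = @()
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        if (-not $sig -or $sig.Status -ne 'Valid') { $flags += 'UNSIGNED' }
        if (-not $path.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)) {
            $flags += 'OUTSIDE-SYSTEM32'
        }
        if ($flags.Count -gt 0) { "    [!] $path  ($($flags -join ', '))" }
    }
}
```

A flagged module is a lead, not a verdict: compare it against the ServiceDll list above it and check the file's hash with your scanner before acting, since legitimate catalog-signed system files can also show as UNSIGNED on older Windows.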