Tuesday, October 12, 2004

I got a virus/tojan in dnsSys.exe

Sunday 2nd October, just surfed the web and closed down Firefox, and noticed that my network activity lights are still going. Now, I'm paranoid when it comes to my computer.

Sygate firewall is installed on the W2K box, so checked its logs and c:\winnt\system32\drives\npt.sys was sending constant requests to the network (port 53 DNS). npt.sys was described as “NPF Driver – Time Extensions”, I doubled checking with Google, npt.sys looked a valid W2K program.

Out comes Ethereal network sniffer, simultaneously I logging into my IPCOP firewall and run tcpdump (filtering out ssh traffic). Both programs identify that my PC is sending out DNS requests for “urx.your-getting-rapped.co.uk”.(unresolvable)

I do not like this and reboot, just in case it will go away on its own. It doesn't!
I run free AVG AV, I download the latest virus definitions and scan the windows directory. No virus found!

The DNS requests are happening every second, so I decide to shut down all non-essential W2K services, with no result. I look next at the process table and spot “dnsSys.exe” (c:\winnt\system32\dnsSys.exe). I stop the program and YES the DNS request stop. Found you, you little bugger. But what is dnsSys.exe?

Transfered dnssys.exe to my Gentoo Linux machine and ran clamav id it as, Trojan.Mybot.gen-152.

fett apaton # md5deep dnsSys.exe
d30251e8502a7cf657e64922ea082ae9 /home/apaton/dnsSys.exe

fett apaton # /usr/bin/clamscan dnsSys.exe
dnsSys.exe: Trojan.Mybot.gen-152 FOUND

Now to clean it.
I deleted the file c:\winnt\system32\dnsSys.exe
removed registry entries in for dnsSys.exe
hkey_local_machine\software\Microsoft\Windows\CurrentVersion\Run
hkey_local_machine\software\Microsoft\Windows\CurrentVersion\RunServices


Hope this may help any one else as a Google for dnsSys.exe doesn't find much!
I now run ClamAV from www.clamwin.com and TREND.

apaton

No comments: