
GrayPigeon_Hacker.com.cn.exe


hesaloser

Aug 21, 2007
Hey all,
I am supporting a Microsoft 2003 server that I recently noticed had a fishy service running. The service shows up as Name: “GrayPigeon_Hacker.com.cn”, Description: “灰鸽子服务端程序。远程监控管理”, Log On: local system account. I disabled this process and looked around for more information on it via the web.
Found out it is a Backdoor Trojan…
Inside my C:\Windows a file named Hacker.com.cn.exe was created, I renamed the file with an unusable extension for the time being.

Upon doing a search in regedit for “gray” I found the following key:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GRAYPIGEON_HACKER.COM.CN
Inside this key is a directory named “0000” that holds 7 more entries:
(Default), REG_SZ ,(value not set)
Class, REG_SZ , LegacyDriver
ClassGUID, REG_SZ, {8ECC055D-047F-11D1-A537-0000F8753ED1}
ConfigFlags, REG_DWORD, 0x00000000 (0)
DeviceDesc, REG_SZ, GrayPigeon_Hacker.com.cn
Legacy, REG_DWORD, 0x00000000 (1)
Service, REG_SZ, GrayPigeon_Hacker.com.cn

Along with that registry key, I was able to locate all of the keys listed on the Norton site above (1st link). The only difference is that the last two keys listed on the site are not on my machine.
These two:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001
\Services\GrayPigeon_Hacker.com.cn\Enum "0"
= "Root\LEGACY_GRAYPIGEON_HACKER.COM.CN\0000"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001
\Services\GrayPigeon_Hacker.com.cn\Enum "Count"
= "01, 00, 00, 00"

I ran a full up-to-date scan with Symantec AV version 10.0.2.2 and nothing gets found. I’ve scanned the C:\Windows\hacker.com.cn file directly with Symantec and nothing is found. I’ve run HijackThis, analyzed the log, and nothing stands out. I’ve run Microsoft’s RootKit Revealer and nothing is found. I’ve run the latest and greatest Windows Malicious Tool; nothing is found. All Windows updates have been implemented. Looking at Add or Remove Programs with show updates, nothing out of the norm appears. I have WebEx installed, but that was a legit installation from a legit source.
Can I go ahead and delete registry keys? Do you think I’ll run into adverse effects from deleting the keys? If this is a backdoor Trojan couldn’t there very likely be a “fake” legit looking program lurking around my server?
Looking for some advice from some of you experts out there…
 
Make an image or backup of the system first. Once you have ensured the backup is working, then delete the keys. You never know with the registry lol.

Also, while you're at it, make sure all temp folders have been emptied. I would also keep a close eye out for a little while for any more attempts.

Once the keys are gone I'd delete the file. If you will, post the HijackThis log on here.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
Well, I take back HijackThis not finding anything... have a look here... I see a couple of suspicious entries: svchost's as well as a svchost .exe (additional space at end of file name and before extension), along with some other unknowns. Let me know what you think.


Thanks a lot.

(I changed domain\nameserver information in log)


Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\Backup Exec\beremote.exe
C:\WINDOWS\system32\svchost .exe
C:\WINDOWS\system32\certsrv.exe
C:\WINDOWS\system32\CpqRcmc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\inetsrv\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\CBA\pds.exe
C:\WINDOWS\System32\ismserv.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\ntfrs.exe
C:\WINDOWS\system32\wmiprvse.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\hp\hpsmh\bin\smhstart.exe
C:\hp\hpsmh\bin\hpsmhd.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
D:\Exchsrvr\bin\exmgmt.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\hpsmhd.exe
D:\Exchsrvr\bin\mad.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\system32\sysdown.exe
C:\WINDOWS\System32\svchost.exe
D:\Exchsrvr\bin\store.exe
D:\Exchsrvr\bin\emsmta.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cpqteam.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE
C:\WINDOWS\system32\oobechk.exe
C:\WINDOWS\system32\mshta.exe
C:\WINDOWS\system32\wuauclt.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\regedit.exe
C:\SYS Utilities\Hijack this analyzer\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DLPSP] "C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.EXE"
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O15 - ESC Trusted Zone:
O15 - ESC Trusted Zone:
O15 - ESC Trusted Zone:
O15 - ESC Trusted Zone: (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mydomain.com
O17 - HKLM\Software\..\Telephony: DomainName = mydomain.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{587698C9-EAE9-4866-A3EF-96F4BD052E20}: NameServer = na.me.ser.ver,na.me.ser.ver
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A3819B3-24B2-407F-933B-345C40841184}: NameServer = na.me.ser.ver
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mydomain.com
O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\bengine.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\beserver.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: CCProxy - Unknown owner - C:\WINDOWS\system32\svchost .exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP ProLiant Remote Monitor Service (CpqRcmc) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqRcmc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.EXE
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
O23 - Service: Event Notification (ENS) - Unknown owner - C:\WINDOWS\netsvc.exe
O23 - Service: Shell Hardware Dectection Service (HWDect) - Unknown owner - C:\WINDOWS\system32\inetsrv\svchost.exe
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Protected Storage Manager (rspp) - Unknown owner - cmd /c start C:\WINDOWS\system32\wmiprvse.exe (file missing)
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINDOWS\system32\sysdown.exe
O23 - Service: HP System Management Homepage (SysMgmtHp) - Hewlett-Packard Company - C:\hp\hpsmh\bin\smhstart.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
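The triage this log invites (odd svchost names, system binaries in unusual directories, services with no publisher) can be automated. The following is an added example, not from the thread and not part of HijackThis: it parses the "Running processes" and O23 service lines, flags file names that imitate a Windows system binary with filler before the extension (such as "svchost .exe" or "svchost_.exe"), flags well-known binaries running from a directory they do not normally live in, and flags services with an unknown publisher, a missing target file, or a cmd.exe launcher. The sample lines are constructed from the log above, and the expected-location table is an assumption for a default Windows 2003 install.

```python
import re

# Constructed sample in HijackThis log format, modelled on the log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost .exe
C:\WINDOWS\system32\inetsrv\svchost.exe
C:\WINDOWS\system32\wmiprvse.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe

O23 - Service: CCProxy - Unknown owner - C:\WINDOWS\system32\svchost .exe
O23 - Service: Shell Hardware Dectection Service (HWDect) - Unknown owner - C:\WINDOWS\system32\inetsrv\svchost.exe
O23 - Service: Protected Storage Manager (rspp) - Unknown owner - cmd /c start C:\WINDOWS\system32\wmiprvse.exe (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
"""

# Assumed canonical directories (relative to %SystemRoot%, lower-case) for
# binaries that backdoors commonly imitate on a default Windows 2003 install.
EXPECTED_DIR = {
    "svchost.exe": {"system32"},
    "wmiprvse.exe": {"system32\\wbem"},
    "lsass.exe": {"system32"},
    "smss.exe": {"system32"},
    "winlogon.exe": {"system32"},
    "explorer.exe": {""},
}

PROC_RE = re.compile(r"^[a-z]:\\.+\.exe$", re.I)
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
EXE_IN_CMD_RE = re.compile(r"[a-z]:\\.+?\.exe", re.I)


def split_path(path):
    """Return (directory relative to the Windows root, filename), lower-cased.
    The relative directory is None when the path is not under a 'windows' folder."""
    parts = path.strip().lower().split("\\")
    rel = None
    for i, part in enumerate(parts):
        if part == "windows":
            rel = "\\".join(parts[i + 1:-1])
            break
    return rel, parts[-1]


def check_executable(path):
    """Reasons an executable path looks like it imitates a Windows system binary."""
    reasons = []
    rel_dir, name = split_path(path)
    stem, _, ext = name.rpartition(".")
    for sysname, dirs in EXPECTED_DIR.items():
        sysstem = sysname[:-4]  # drop ".exe"
        if name == sysname:
            if rel_dir not in dirs:
                reasons.append(f"{sysname} outside its normal directory: {path.strip()}")
        elif ext == "exe" and re.fullmatch(re.escape(sysstem) + r"[\s_.\-]+", stem):
            # e.g. 'svchost .exe' or 'svchost_.exe': filler inserted before the extension
            reasons.append(f"name imitates {sysname}: {path.strip()!r}")
    return reasons


def check_service(name, owner, cmd):
    """Reasons an O23 service entry deserves a look."""
    reasons = []
    if owner == "Unknown owner":
        reasons.append(f"service {name!r} has no identifiable publisher: {cmd}")
    if "(file missing)" in cmd:
        reasons.append(f"service {name!r} points at a file that no longer exists")
    if cmd.lower().startswith("cmd "):
        reasons.append(f"service {name!r} is started through cmd.exe: {cmd}")
    m = EXE_IN_CMD_RE.search(cmd)
    if m:
        reasons += check_executable(m.group(0))
    return reasons


def triage(log_text):
    """Return de-duplicated findings for a HijackThis-style log, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if PROC_RE.match(line):
            findings += check_executable(line)
            continue
        m = SERVICE_RE.match(line)
        if m:
            findings += check_service(*m.group("name", "owner", "cmd"))
    return list(dict.fromkeys(findings))


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```

Run against the constructed sample it reports the two lookalike/misplaced svchost copies, the wmiprvse.exe outside system32\wbem, and the three "Unknown owner" services, while the signed RealVNC service passes; the process and O23 hits for the same file are merged so each path appears once.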
 
Do a search on svchost .exe and see if the file is actually like that. If so, delete it. I have a feeling that one is part of the culprit.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
Found svchost .exe in C:\Windows\system32; size is 776KB. When highlighted, the description shows as: "CCProxy Microsoft MFC Application". Proxy? Huh? Could be spamming with my IP / domain? Task Manager says it is currently using 6,600 K of memory.

The other svchost.exe in the system32 directory is 15KB.

Task Manager shows 10 svchost.exe's running on top of the 1 svchost .exe.

I looked at date created on the 15K svchost and it was Feb 17, 2007.
svchost .exe was April 23, 2007. There is an svchost.exe in dir C:\Windows\system32\inetsrv; date created was April 22, 2007. I think we may be on to something.

I don't have the ability to modify system settings just quite yet. I want to make sure we get a full back-up done before I start messing around; hopefully tonight that will go through without any problems.

Thanks again
 
N/p, when you do get the backup I'd delete that file, or when you can. That file I'm 99 percent sure is the culprit.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
My 2 cents' worth:

svchost .exe is the culprit. Could be the following:
Win32.GrayBird._

C:\WINDOWS\system32\inetsrv\svchost.exe is not the USUAL place for the SVCHOST to start from... I would take a look at that as well...

Some AV's will not correctly detect TROJAN Horses, I would always double back with a dedicated AntiTrojan app, ie. AVG AntiMalware (ex EWIDO) or A-Squared...

PS:

SVCHOST.EXE should be around 15kb on disk, and in MEM it can be different sizes, depending on what other service was started with it...
I have 7 instances of svchost.exe running and the largest is at 19.304 kB and the smallest at 3.444 kB ...


Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."
 
Dianchecht - are you sure that the link works... I can't see a thing when I click it...

(could be just busy)

Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."
 
It just worked on my end so it probably was down for maintenance or something lol.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
Sorry everyone, I haven't been able to devote a whole lot of time to this issue today!

I ran sigcheck on the system32 folder and manually looked up all the unsigned files on the web. The ones that stood out to me are the following:

::c:\windows\system32::

-svchost_.exe
-SVKP.sys
-srv.exe
-ndisget.scr
-ndisnc.scr
-pskill.exe (sys utility from Microsoft, however I didn't install this)
-wmiprvse.exe (real wmiprvse is located in system32\wbem)

Also upon closer inspection I noticed some more funky services:

CCproxy which points to the svchost_.exe

Shell hardware detection service
system32\inetsrv\svchost.exe

protected storage manager
"cmd /c start c:\windows\system32\wmiprvse.exe c:\windows\system32\_2006

(I cannot locate this directory _2006...)

shell hardware dectection (I didn't misspell that) lol who creates this crap... they can't spell but they can hack!
system32\inetsrv\svchost.exe

real shell hardware detection I think...
C:\windows\system32\svchost.exe -k netsvcs

I plan on using sys utilities process explorer to get some more info. I'll post when done...

Let me know if you guys know of anything in particular about any of the processes / services above

I appreciate all of your help!!

Thanks a TON!

 
Also,
Virustotal scan of svchost_.exe returned the following positives & or false negatives:

ahnLab-V3 : Win-AppCare/CCProxy.794624
avast : Win32:Trojan-gen. {VC}
Fortinet : Adware/Ccproxy
F-Prot : W32/HackTool.ANG
Ikarus : not-a-virus:Server-Proxy.Win32.CCProxy.63
Kaspersky : not-a-virus:Server-Proxy.Win32.CCProxy.63
NOD32v2 : a variant of Win32/CCProxy
Panda : Hacktool/CCProxyOver
VBA32 : suspected of Backdoor.Bifrose.2 (paranoid heuristics)
Webwasher-Gateway 6.0.1 : Riskware.Tool.Agent.FI



Thanks for showing me this tool, very valuable. I will also upload some other suspicious files if I get a chance. I take it the result of this scan means svchost_.exe is confirmed to be malicious code, yes?

It's sad that two AV scanners found this to not be a virus...
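The question raised in this post (does a mixed set of verdicts confirm malicious code?) is one a multi-engine report leaves to the reader. The following is an added example, not from the thread or from VirusTotal: it takes the per-engine labels quoted above as constructed input, buckets each label into a coarse class (riskware / hacktool / malware), notes which verdicts are heuristic, and extracts the family name most engines agree on. The keyword lists are an assumption, since vendor naming is not standardised; the point is that a "not-a-virus" verdict describes what the software is (a proxy server), not whether the administrator installed it.

```python
import re
from collections import Counter

# Constructed sample: the per-engine labels quoted in the post above.
VERDICTS = {
    "AhnLab-V3": "Win-AppCare/CCProxy.794624",
    "avast": "Win32:Trojan-gen. {VC}",
    "Fortinet": "Adware/Ccproxy",
    "F-Prot": "W32/HackTool.ANG",
    "Ikarus": "not-a-virus:Server-Proxy.Win32.CCProxy.63",
    "Kaspersky": "not-a-virus:Server-Proxy.Win32.CCProxy.63",
    "NOD32v2": "a variant of Win32/CCProxy",
    "Panda": "Hacktool/CCProxyOver",
    "VBA32": "suspected of Backdoor.Bifrose.2 (paranoid heuristics)",
    "Webwasher-Gateway 6.0.1": "Riskware.Tool.Agent.FI",
}

# Assumed vocabulary, checked in this order (riskware first so that the
# "virus" inside "not-a-virus" is not read as a malware verdict).
RISKWARE_WORDS = ("not-a-virus", "riskware", "adware", "appcare", "unwanted")
HACKTOOL_WORDS = ("hacktool",)
MALWARE_WORDS = ("trojan", "backdoor", "keylog", "bifrose", "worm", "rootkit")
HEURISTIC_TOKENS = {"gen", "generic", "suspected", "heuristic", "heuristics", "variant"}
# Tokens that name a platform or a class rather than a malware family.
NOISE_TOKENS = {"win32", "win", "w32", "not", "virus", "server", "proxy", "tool",
                "agent", "trojan", "backdoor", "hacktool", "riskware", "adware",
                "appcare", "paranoid"} | HEURISTIC_TOKENS


def classify(label):
    """Coarse class for one vendor label."""
    low = label.lower()
    if any(w in low for w in RISKWARE_WORDS):
        return "riskware"
    if any(w in low for w in HACKTOOL_WORDS):
        return "hacktool"
    if any(w in low for w in MALWARE_WORDS):
        return "malware"
    return "unclassified"


def tokens(label):
    return re.findall(r"[a-z0-9]+", label.lower())


def family_tokens(label):
    """Candidate family names: tokens of 4+ chars that are neither noise nor numbers."""
    return {t for t in tokens(label)
            if len(t) >= 4 and not t.isdigit() and t not in NOISE_TOKENS}


def summarize(verdicts):
    """Class counts, number of heuristic verdicts and the consensus family name."""
    classes = Counter(classify(v) for v in verdicts.values())
    heuristic = sum(bool(HEURISTIC_TOKENS & set(tokens(v))) for v in verdicts.values())
    families = Counter()
    for v in verdicts.values():
        families.update(family_tokens(v))  # one vote per engine
    top = families.most_common(1)[0][0] if families else None
    return {"engines": len(verdicts), "classes": classes,
            "heuristic": heuristic, "top_family": top}


def assessment(summary):
    """One-line reading of the summary for the incident notes."""
    c = summary["classes"]
    hostile = c["malware"] + c["hacktool"]
    if hostile == 0 and c["riskware"] == 0:
        return "no engine flagged the file"
    if c["riskware"] >= hostile:
        return (f"dual-use tool ({summary['top_family']}), {hostile} engines call it "
                "hostile; treat as unauthorized unless its installation is accounted for")
    return f"malware ({summary['top_family']}), {hostile} of {summary['engines']} engines"


if __name__ == "__main__":
    s = summarize(VERDICTS)
    print(dict(s["classes"]), "heuristic:", s["heuristic"], "family:", s["top_family"])
    print(assessment(s))
```

For the labels above this yields five riskware, two hacktool and two malware verdicts (one unclassified), three of them heuristic, with "ccproxy" as the consensus family, and reads the file as a dual-use proxy tool whose presence has to be accounted for by whoever administers the server.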
 
svchost_.exe: keylogger, delete it.
This one I don't know if it is bad or not.

srv.exe: malware, delete.
ndisget.scr: unknown (most likely bad since little can be found about it).

ndisnc.scr: (same as ndisget.scr)

pskill.exe: scan it with sites and see if it's Microsoft's or not.


All of them except SVKP.sys I'd delete. pskill I'd check to see if it's Microsoft's with that site. If it isn't, delete it.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
By the way, once the system is cleaned, change all passwords and important information, as the person who infected you with these things most likely has your passwords and other important info.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
Well, I dunno if anyone is still watching this thread... my bad, I haven't been able to make a lot of progress recently.

Anywho,
Starting to narrow down and remove some of these malicious / unknown files. I recently ran Microsoft's sigcheck on the system32\inetsrv folder and found that the svchost.exe contained in this directory is not signed by Microsoft. The following link contains information on this directory and svchost.exe; however, is this valid or has it been modified? Why wouldn't it be signed?

 
It should be signed. I did not read that entire page, just skimmed parts of it. If the svchost.exe is not signed by Microsoft, compare it with the size and info of the others that are. If it differs in size, delete it.
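The comparison suggested here, and the sigcheck pass over system32 a few posts up, can be done systematically: a Windows 2003 install normally carries identical copies of a system binary in System32, System32\dllcache and ServicePackFiles, so a copy that disagrees with the majority stands out. The following is an added example, not from the thread and not a Sysinternals tool: it walks a directory tree, records size and SHA-256 for every copy of each watched file name, and reports the copies whose fingerprint differs from the most common one. The directory layout, sizes and file contents are constructed stand-ins (not real PE files); the check complements an Authenticode check such as sigcheck rather than replacing it.

```python
import hashlib
import os
import tempfile
from collections import Counter, defaultdict

# Binaries the thread found imitated or misplaced; extend as needed.
WATCHED = ["svchost.exe", "wmiprvse.exe"]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root, names=WATCHED):
    """For each watched name, map every copy under root to (size, sha256)."""
    wanted = {n.lower() for n in names}
    copies = defaultdict(dict)
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower() in wanted:
                p = os.path.join(dirpath, fn)
                copies[fn.lower()][p] = (os.path.getsize(p), sha256_file(p))
    return copies


def outliers(copies):
    """Copies whose (size, hash) differs from the most common copy of that name.
    A name with a single copy has nothing to compare against and is skipped;
    with exactly two differing copies the first one seen is taken as the norm,
    so such a tie still needs a signature check to settle."""
    odd = {}
    for name, by_path in copies.items():
        if len(by_path) < 2:
            continue
        majority = Counter(by_path.values()).most_common(1)[0][0]
        for path, fingerprint in by_path.items():
            if fingerprint != majority:
                odd[path] = {"name": name, "size": fingerprint[0],
                             "expected_size": majority[0]}
    return odd


def build_demo_tree(base):
    """Constructed stand-in for %SystemRoot% on Windows 2003 (not real PE files)."""
    root = os.path.join(base, "WINDOWS")
    genuine = b"MZ" + b"\x00" * 14000      # ~14 KB, like the real svchost.exe
    planted = b"MZ" + b"\x01" * 776000     # the 776 KB size reported in the thread
    layout = {
        ("system32", "svchost.exe"): genuine,
        ("system32", "dllcache", "svchost.exe"): genuine,
        ("ServicePackFiles", "i386", "svchost.exe"): genuine,
        ("system32", "inetsrv", "svchost.exe"): planted,
        ("system32", "wbem", "wmiprvse.exe"): genuine[:9000],
        ("system32", "dllcache", "wmiprvse.exe"): genuine[:9000],
        ("system32", "wmiprvse.exe"): planted[:50000],
    }
    for parts, data in layout.items():
        p = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    return root


def demo():
    """Build the sample tree, run the comparison and return {relative path: size}
    for the outliers, with paths in Windows notation relative to the root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_demo_tree(tmp)
        odd = outliers(inventory(root))
        return {os.path.relpath(p, root).replace(os.sep, "\\"): v["size"]
                for p, v in odd.items()}


if __name__ == "__main__":
    for path, size in sorted(demo().items()):
        print(f"{path}: {size} bytes, differs from the other copies")
```

On a real system point `inventory()` at %SystemRoot% (and a known-clean copy of the same service pack level if one is available, so the majority is not decided by the compromised host alone); the two flagged paths in the demo are exactly the inetsrv svchost.exe and the system32 wmiprvse.exe the thread identified.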

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 