nuuhxuie - a trojan?

Status
Not open for further replies.

rmeleiro

IS-IT--Management
May 24, 2005
4
PT
Hello all
For the last couple of days my company's network has experienced slowdowns in HTTP traffic and even denial of service for users. Tracking down from router and firewall logs, we've found that a single computer running Windows XP SP2 in the network was responsible for this: it had a program (albeit a trojan) running under the name nuuhxuie and issuing DCOM calls through port 135 to several hundred IP addresses in several countries. Checking msconfig, that program was set up to run on startup, although no entry was found anywhere in the registry. I have found absolutely no reference to this anywhere (eventually the name is randomly generated). Does anyone have any ideas on what it could be?

TIA

Rui Meleiro
 
Thank you for the tip. The truth of the matter is that this program, besides placing itself in the \windows\prefetch area, registers itself as an exception to the SP2 firewall and neither Symantec Enterprise, AVG, Avast, AdWare, Microsoft A/S detects them. The major payload is such that it "eats" out the available bandwidth.
 
The machine has been quarantined and we'll take some of our already scarce time to investigate deeper. Thank you for the tip to rootkit.
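
The triage described in the posts above (one internal host issuing port 135 calls to several hundred addresses, found from router and firewall logs) amounts to a fan-out check over connection records. The following is an added example, not part of the original thread: the `#Fields:` log layout, the 10.0.0.0/8 internal range, the threshold of 50 and every address in the sample are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed site range and a constructed "#Fields:" log layout; adapt both.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
HEADER = "#Fields: date time action protocol src-ip dst-ip src-port dst-port"

def build_sample_log():
    """Constructed records: one host fanning out on TCP/135, one normal host."""
    lines = [HEADER]
    for i in range(120):  # 10.0.0.23 -> 120 distinct external addresses
        lines.append(f"2005-05-24 09:00:{i % 60:02d} OPEN TCP 10.0.0.23 "
                     f"203.0.113.{i + 1} {1025 + i} 135")
    # Normal host: one internal RPC server, one web request, one garbled line.
    lines.append("2005-05-24 09:01:00 OPEN TCP 10.0.0.40 10.0.0.5 1100 135")
    lines.append("2005-05-24 09:01:05 OPEN TCP 10.0.0.40 198.51.100.7 1101 80")
    lines.append("2005-05-24 09:01:09 OPEN TCP 10.0.0.40")
    return lines

def rpc_fanout(lines, port=135, threshold=50):
    """Map each internal source to its count of distinct external
    destinations on `port`, keeping only sources at or above `threshold`."""
    fields, seen = [], defaultdict(set)
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        parts = line.split()
        if not fields or line.startswith("#") or len(parts) < len(fields):
            continue  # comment, blank, or truncated record
        rec = dict(zip(fields, parts))
        if rec["protocol"] != "TCP" or rec["dst-port"] != str(port):
            continue
        try:
            src = ipaddress.ip_address(rec["src-ip"])
            dst = ipaddress.ip_address(rec["dst-ip"])
        except ValueError:
            continue  # unparseable address field
        if src in INTERNAL and dst not in INTERNAL:
            seen[str(src)].add(str(dst))
    return {s: len(d) for s, d in seen.items() if len(d) >= threshold}

if __name__ == "__main__":
    for host, count in rpc_fanout(build_sample_log()).items():
        print(f"{host} contacted {count} external hosts on TCP/135")
```

Counting distinct destinations rather than raw connections keeps a workstation that talks repeatedly to one RPC server from being flagged.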
 