
What have I been hit by?

Status
Not open for further replies.

MikeWilliams

Programmer
Apr 9, 2002
4
GB
Hi All,

I am running XP SP2 with NAV 2003 and ZoneAlarm

Last night I experienced a sudden flurry of disk activity, after which ZoneAlarm asked if FTP.exe could access the internet. I said no (twice). ZoneAlarm's log showed that FTP was trying to access my ISP's DNS server (presumably to look up an address).

I then started to look into what had happened. I first did a search for ftp.exe and found it in the expected places, but I also found a new file in XP's prefetch area created at the time of the incident.

Looking into the Prefetch area, the programs loaded (in order) are:

1. CMD.EXE
2. FIND.EXE
3. GSAR.EXE
4. SED.EXE
5. PING.EXE
6. ATTRIB.EXE
7. FTP.EXE

I can't find any trace of GSAR.EXE or SED.EXE on my PC, but they must have been there and executed for prefetch files to have been created.

A web search reveals :-
GSAR is a Global Search And Replace tool.
SED is a Stream EDitor

With this and the above new files in the prefetch area, I conclude that some DOS/cmd process, i.e. a trojan, was attempting to find and modify some files and then FTP the results back somewhere.

I downloaded the latest AV definitions from Symantec and ran a full scan, but did not find anything.

Can anyone throw any light on what I have been hit by?
 
Thanks eyec, I dread to think what would have been sent out if ZA hadn't done its job.

I am concerned because it looks like GSAR and SED are capable of modifying files; I am wondering which files were targeted.
 
If you look in the gsar.pf and sed.pf files with notepad or a hex editor, you should find the path to where they used to be, or should have been. That's a starting point anyway.

gsar.exe: I thought it looked familiar; it is a unxutil, at least in its unmodified form anyway.
sed.exe: Either another unxutil (which I'm guessing it is), or it is a part of Ezula, a nasty little spyware program.

But, if you don't find them on your system after looking in the .pf file and running say notepad from the command line, then I guess you are good to go. :)

----------------------------
"Security is like an onion" - Unknown
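The suggestion above (read the .pf file to find where the binary ran from) can be done programmatically instead of with a hex editor. This is an added example, not code from the thread: a parser for the XP-era prefetch layout (format version 17, "SCCA" magic, filename strings at the offsets recorded in the file information block), run against a constructed sample .pf blob whose paths, run count and timestamp are made up for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_xp_prefetch(data):
    """Parse a Windows XP/2003 prefetch file (format version 17, 'SCCA' magic)."""
    version, magic = struct.unpack_from("<I4s", data, 0)
    if magic != b"SCCA" or version != 0x11:
        raise ValueError("not an XP-format prefetch file")
    # Offset 16: executable name, UTF-16LE, zero-padded to 60 bytes.
    exe = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    # Offsets 100/104: location and size of the filename-strings section.
    str_off, str_size = struct.unpack_from("<II", data, 100)
    filetime, = struct.unpack_from("<Q", data, 120)   # last run time, FILETIME
    run_count, = struct.unpack_from("<I", data, 144)
    raw = data[str_off:str_off + str_size].decode("utf-16-le")
    paths = [p for p in raw.split("\x00") if p]      # NUL-separated NT device paths
    return {
        "exe": exe,
        "run_count": run_count,
        "last_run": FILETIME_EPOCH + timedelta(microseconds=filetime // 10),
        "paths": paths,
        # The string naming the executable itself shows the directory it ran from.
        "exe_path": next((p for p in paths if p.upper().endswith("\\" + exe.upper())), None),
    }

def build_sample_pf(exe, paths, run_count, last_run):
    """Construct a minimal version-17 .pf blob for testing (not a real capture)."""
    strings = b"".join(p.encode("utf-16-le") + b"\x00\x00" for p in paths)
    str_off = 152                                     # header (84) + file info (68)
    delta = last_run - FILETIME_EPOCH
    filetime = (delta.days * 86400 + delta.seconds) * 10_000_000
    header = struct.pack("<I4sII", 0x11, b"SCCA", 0x0F, str_off + len(strings))
    header += exe.encode("utf-16-le").ljust(60, b"\x00") + struct.pack("<II", 0, 0)
    info = struct.pack("<IIIIIIIIIQ16sII", 0, 0, 0, 0, str_off, len(strings),
                       0, 0, 0, filetime, b"\x00" * 16, run_count, 0)
    return header + info + strings

# Constructed sample mirroring the thread: a GSAR.EXE that ran from a temp folder.
SAMPLE_PATHS = [
    "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
    "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\KERNEL32.DLL",
    "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\TEMP\\GSAR.EXE",
]

def demo():
    blob = build_sample_pf("GSAR.EXE", SAMPLE_PATHS, 1,
                           datetime(2002, 4, 8, 23, 15, tzinfo=timezone.utc))
    return parse_xp_prefetch(blob)
```

On a real system, pass the contents of the `.pf` file from the Prefetch folder to `parse_xp_prefetch` and check `exe_path` against where the binary is supposed to live.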
 
As far as checking/eliminating processes, the easy first step is to use something like HijackThis or Bazooka to get a list of what is running and go from there on fixing/removing.

As an example for you, here is a thread which includes removing sed stuff.

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
Thanks All,

TechieMicheal, I have already deleted the .pf files so that I could track whether the programs were re-run; so far they have not been, which is good.

diogenese10, I have already checked with Task Manager, and at the time there were no strange programs in memory; all the usual start-up locations are clear as well.

Regards
Mike
 