
Winsit.dll flooding network / hammering admin accounts


jbrackett

MIS
Oct 23, 2002
127
US
Our last step in our active directory migration takes place this weekend, and I received a call at 1:30 am from the New Orleans location doing the migration saying that they appear to be having trouble hitting our domain controllers due to excessive network traffic. Consultant handling the migration indicates that he had first run into a problem with a machine at our Bakersfield, CA. location that was sending repeated logon attempts to our domain controllers. The consultant remotes in to the machine in question, finds the culprit is a process called "winsit.exe", shuts it down, and things quiet down. Approximately half an hour later, the same machine starts the process all over again. This time he remotes in and shuts the machine off.

Shortly thereafter, another pc, this time at our OK City location begins the same thing. Then three minutes later, a machine in an Electra, TX location starts. Approximately 45 minutes later, a machine in New Iberia, LA. All of them have this same process running. That's when they called me (lucky me, eh?).

A check of the security logs reveals that the machines in question are sending logon requests to the dcs, attempting to access a variety of standard administrative accounts (in several languages and permutations) at the rate of eight hits per second.

Managed to either shut off all the machines, or close their site to site tunnels to eliminate the traffic to the domain controllers.

Can find no reference to this process anywhere on NAI, Symantec, Trend, or any of the typical security sites. The closest thing I have been able to find is a reference to a "winset.ini" process related to a "W32.HLLP.Spreda.B" virus.

I am hoping that the description I received was in error and that it was actually this virus that he was trying to describe, but am beginning to doubt it. The symptoms just don't quite match up.

Has anyone had any similar incident recently that might indicate a new virus or worm in the wild?

(I am NOT looking forward to going back in to work Monday!)

Any input would be appreciated.

"The Crystal Wind is the storm, and the storm is data, and the data is life. You have been slaves, denied the storm, denied the freedom of your data. That is now ended; the whirlwind is upon you . . . . . . Whether you like it or not."

"Trent the Uncatchable" in The Long Run by Daniel Keys Moran
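The symptom described above (one host firing failed logons at roughly eight per second against a list of administrative account names) is easy to spot by counting failures per source per second. Added example, not from the original thread or from any vendor tool; the log lines are constructed sample data in a simplified `date time source target result` layout and the threshold of 5 failures per second is an assumption.

```python
from collections import Counter, defaultdict

# Constructed sample lines (date time source target result); they imitate
# the pattern described in the thread, not real security-log output.
SAMPLE_LOG = """\
2002-10-26 01:30:00 BKF-PC12 administrator FAILURE
2002-10-26 01:30:00 BKF-PC12 admin FAILURE
2002-10-26 01:30:00 BKF-PC12 administrateur FAILURE
2002-10-26 01:30:00 BKF-PC12 administrador FAILURE
2002-10-26 01:30:00 BKF-PC12 root FAILURE
2002-10-26 01:30:00 BKF-PC12 Administrator FAILURE
2002-10-26 01:30:00 BKF-PC12 ADMIN FAILURE
2002-10-26 01:30:00 BKF-PC12 owner FAILURE
2002-10-26 01:30:01 BKF-PC12 administrator FAILURE
2002-10-26 01:30:01 OKC-PC03 jdoe SUCCESS
2002-10-26 01:30:02 OKC-PC03 jdoe FAILURE
2002-10-26 01:30:02 OKC-PC03 jdoe SUCCESS
"""

RATE_THRESHOLD = 5  # assumed: failed logons/second from one host treated as a flood

def parse(log_text):
    """Yield (second, source, target, result) tuples from the simplified log."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, time, source, target, result = line.split()
        yield f"{date} {time}", source, target, result

def find_flooders(log_text, threshold=RATE_THRESHOLD):
    """Return {source: (peak failures per second, sorted account names tried)}
    for every host with at least one second at or above the threshold."""
    per_second = Counter()       # (source, second) -> failed logons
    targets = defaultdict(set)   # source -> account names attempted (lowercased)
    for second, source, target, result in parse(log_text):
        if result != "FAILURE":
            continue
        per_second[(source, second)] += 1
        targets[source].add(target.lower())
    report = {}
    for (source, _), n in per_second.items():
        if n >= threshold:
            peak = max(report.get(source, 0), n)
            report[source] = peak
    return {s: (peak, sorted(targets[s])) for s, peak in report.items()}

if __name__ == "__main__":
    for host, (rate, names) in find_flooders(SAMPLE_LOG).items():
        print(f"{host}: peak {rate} failed logons/sec against {', '.join(names)}")
```

Hosts flagged this way are the ones to isolate first; the list of attempted names (several languages and permutations of "administrator") is what distinguishes a worm's dictionary from a user mistyping a password.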
 
Sure sounds like a DoS attack. Is there a possibility of this being an insider job? Maybe from someone with a grudge?


James P. Cottingham
-----------------------------------------
To determine how long it will take to write and debug a program, take your best estimate, multiply that by two, add one, and convert to the next higher units.
 
There is always that possibility, I suppose. But it would have to have been someone with more knowledge than the average user, by far. As a follow-up, I received another call from our on-site contractor yesterday (Sunday) evening. He says he found a Microsoft security release to this issue that came out Saturday night at about 11:30 pm CST. I asked him to email me with details, as I can still find no reference to this issue. However, I have found additional machines that are hammering us. At one of our locations, this thing is proliferating to the point that it has maxed out the security logs on the dcs.

Additionally, he now tells me that the process is "winsit32.exe". I have found one machine here at the main office that seems to be infected. It's actually our phone switch software box, and is not really even ours (leased from phone provider). I had been told in the past that it had no connection to our network, but it just so happens that I found last week that, while it is not on our domain, it DOES share our IP subnet in an independent workgroup. With the way viruses/virii propagate via IP shares, that does me no good whatsoever, so I checked out the security on the box and nearly had a cow! NT 4.0 running SP5, with no AV whatsoever!

Brought service pack and critical updates up to date, and loaded McAfee. Luckily it scanned clean. Then called the provider and told them what I had done. Luckily, they had no problem with my doing that (not that it really mattered at that point).

Still, I get in this morning and find half a dozen instances of winsit32.exe errors on the machine.

So I suppose my modified question to the group is, have any of you heard of winsit32.exe, or know anything about a Microsoft release from Oct. 09 that might cover this problem?

 
Finally heard back from WebImmune. Turns out that a new variant of Sdbot bit us. Below is the pertinent info from the email they sent back. Spoke with a tech at McAfee & he says they have presently found more than 60k variants of this bugger.


A.V.E.R.T. Sample Analysis
Issue Number: 1422867
File name: winsit32.exe
Virus Research Analyst: L. Clark
Identified: W32/Sdbot.worm

AVERT(tm) Labs, Aylesbury

Thank you for submitting your suspicious file.

Synopsis -

Attached is a file for extra detection, which will be included in a future DAT set.
<snip>
