A client of ours had an internet outage a few days ago... the cable company in town more or less sucks, so it was their fault it went down, so they were doing some troubleshooting to make sure they had the problems straightened out. The most technically-inclined guy working at this business - we'll call him Fred - was the one communicating with the cable internet company. So the cable tech has Fred trying some different things, but the internet's still not up. He decides to verify that the problem is on the company's side, so he tells Fred to take this PC and plug it straight into the cable modem... so Fred does. The internet works, so they determine that there's some issue with their firewall. So Fred then attempts to re-configure the firewall, has no luck, and finally ends up calling us to fix things.
My co-worker went out, re-configured their firewall (which I believe had been completely reset, but I'm not exactly sure what the deal was... I just knew that Fred managed to mess it up a bit), and we thought all was well. Nope - the next day they call because Fred's computer is no longer processing the login script now that his machine is connected back to the network - he's getting the mapped drive, resource is already in use error. So we figure we'll just go in, unmap the drives, logout, login, and all will be well (at the time of the call we didn't know that it flat-out wasn't reading the login script from the server). So when that doesn't work, we try to manually map the drives, but the system can't access the server... at least not to map the network shares. Exchange/Outlook still works fine and all that, but no internet. We tried removing then rejoining the PC to the domain, but when we went to rejoin it to the domain, we got an error (I don't have the error on me... I'll track it down if there ends up being any interest to this thread). From here I don't really remember what happened in what order, but eventually we end up running netstat and see a bunch of ftp crap and activity on port 6667 - so we immediately think backdoor IRC trojan. We end up checking a couple other machines and find similar activity, so we have everyone shut down for the rest of the day, and unplug them all at the switch.
It was near the end of the day at that point, so we took Fred's PC back to the office and scanned it with just about everything we could find... Norton, AVG, on-line scans, etc... unfortunately, trojanscan.com was down so I don't know if that would have picked it up. Anyway, I think Trojan Hunter is what eventually found something, but it didn't identify any known threats... just a possible trojan... %windir%/system32/pidserv.exe. We googled, we yahooed, we browsed forums... we found next to nothing on that particular file/process - basically just one forum in Dutch that didn't help much because Babelfish didn't do the best job translating it.
Anyway, we booted into safe mode, removed the file and any registry entries referencing it (it's the next day now, by the way), and took it back to the business. I almost forgot to mention - most of this company's computers had not been patched with Critical Updates for the last month or two - so the vulnerability that Sasser takes advantage of was still present (all Windows 2000 machines except for one or two XP boxes). So we patched Fred's machine, obviously... we got it back over there, hooked it up to the network, but it still wouldn't join the domain... same error. Through some dinking around I discovered that, though in the connection properties it was set to use NetBIOS over TCP/IP, doing ipconfig /all showed that it was disabled. To fix this we eventually just figured out that we had to remove TCP/IP, reboot, add TCP/IP, and reboot... it was then able to rejoin the domain, and everything else worked fine... logon script, mapped resources, etc. all worked fine.
So we went around to all the PCs, turned them on, killed the pidserv process (or booted to safe mode if we hit F8 in time), removed the file and registry entries, rebooted, hooked them to the network (but didn't logon to the domain yet), installed any necessary critical updates, removed/reinstalled TCP/IP, then re-joined them to the domain.
I'm posting this because I couldn't find any information on it and am hoping that it helps at least one person out there... I'm not sure if this thing spread using that Sasser vulnerability or what... I'm also not sure if it got onto Fred's PC and spread from there, or was introduced to the network when Fred attempted to reconfigure their firewall. All I know is it spread to every 2k/XP box that was turned on (they have one 98 machine that it didn't appear to affect) and mangled the TCP/IP so that some of the Active Directory stuff stopped working. I doubt that the author intended for that to happen, because that's what gave away this thing's existence... had Fred been able to rejoin the domain without issue, we probably wouldn't have even received a call.
So anyway, hopefully someone out there finds this useful. We kept a copy of the file to submit to any Anti-Virus/Trojan companies out there, so if anyone wants to take a look at it, I might be able to get it to you.
I guess that's all...
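As an added triage helper (my own example, not part of the original post): the post spotted the infection from port 6667 and FTP activity in netstat output and then checked other machines by hand. This script parses Windows `netstat -an` text and flags rows whose remote port is on a small watch list, so captures from several hosts can be compared at once. The netstat lines are constructed for the example; only the port numbers come from the post.

```python
"""Triage helper: flag IRC/FTP connections in Windows netstat output.

The netstat lines below are constructed for this example; the watch-list
ports come from the post, which keyed on port 6667 (IRC) and FTP activity.
"""
import re

# Remote ports the post's triage keyed on: IRC (6667) and FTP control (21).
WATCH_PORTS = {6667: "irc", 21: "ftp"}

# Constructed sample of `netstat -an` output from a Windows 2000 host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1047      192.168.1.5:445        ESTABLISHED
  TCP    192.168.1.20:1062      198.51.100.9:6667      ESTABLISHED
  TCP    192.168.1.20:1063      198.51.100.9:21        SYN_SENT
  UDP    192.168.1.20:137       *:*
"""

# Proto, local ip:port, foreign ip:port, optional state (UDP rows have none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """Return (proto, local_ip, local_port, remote_ip, remote_port, state) rows."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank or otherwise unparseable line
        proto, lip, lport, rip, rport, state = m.groups()
        rport = int(rport) if rport.isdigit() else None  # UDP shows '*:*'
        rows.append((proto, lip, int(lport), rip, rport, state or ""))
    return rows

def flag_connections(text):
    """Findings for rows whose remote port is on the watch list, in capture order."""
    findings = []
    for proto, lip, lport, rip, rport, state in parse_netstat(text):
        if rport in WATCH_PORTS:  # LISTENING rows (remote port 0) never match
            findings.append({"host": lip, "remote": f"{rip}:{rport}",
                             "service": WATCH_PORTS[rport], "state": state})
    return findings

def triage(captures):
    """Map host name -> findings for each host's capture; clean hosts are omitted."""
    return {host: f for host, text in captures.items() if (f := flag_connections(text))}
```

A SYN_SENT row to the watched port is worth keeping: it shows the process is still trying to reach its controller even when the switch port has been pulled.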