pidserv.exe - Virus? Trojan? Anyone else seen this?

Booty | Senior member | Aug 4, 2000
A client of ours had an internet outage a few days ago... the cable company in town more or less sucks, so it was their fault it went down, so they were doing some trouble-shooting to make sure they had the problems straightened out. The most technically-inclined guy working at this business - we'll call him Fred - was the one communicating with the cable internet company. So the cable tech has Fred trying some different things, but the internet's still not up. He decides to verify that the problem is on the company's side, so he tells Fred to take this PC and plug it straight into the cable modem... so Fred does. The internet works, so they determine that there's some issue with their firewall. So Fred then attempts to re-configure the firewall, has no luck, and finally ends up calling us to fix things.

My co-worker went out, re-configured their firewall (which I believe had been completely reset, but I'm not exactly sure what the deal was... I just knew that Fred managed to mess it up a bit), and we thought all was well. Nope - the next day they call because Fred's computer is no longer processing the login script now that his machine is connected back to the network - he's getting the mapped drive, resource is already in use error. So we figure we'll just go in, unmap the drives, log out, log in, and all will be well (at the time of the call we didn't know that it flat-out wasn't reading the login script from the server). So when that doesn't work, we try to manually map the drives, but the system can't access the server... at least not to map the network shares. Exchange/Outlook still works fine and all that, but no internet. We tried removing then rejoining the PC to the domain, but when we went to rejoin it to the domain, we got an error (I don't have the error on me... I'll track it down if there ends up being any interest to this thread). From here I don't really remember what happened in what order, but eventually we end up running netstat and see a bunch of ftp crap and activity on port 6667 - so we immediately think backdoor IRC trojan. We end up checking a couple other machines and find similar activity, so we have everyone shut down for the rest of the day, and unplug them all at the switch.

It was near the end of the day at the point, so we took Fred's PC back to the office and scanned it with just about everything we could find... Norton, AVG, on-line scans, etc... unfortunately, trojanscan.com was down so I don't know if that would have picked it up. Anyway, I think Trojan Hunter is what eventually found something, but it didn't identify any known threats... just a possible trojan... %windir%/system32/pidserv.exe. We googled, we yahooed, we browsed forums... we found next to nothing on that particular file/process - basically just one forum in Dutch that didn't help much because babelfish didn't do the best job translating it.

Anyway, we booted into safe mode, removed the file and any registry entries referencing it (it's the next day now, by the way), and took it back to the business. I almost forgot to mention - most of this company's computers had not been patched with Critical Updates for the last month or two - so the vulnerability that Sasser takes advantage of was still present (all Windows 2000 machines except for one or two XP boxes). So we patched Fred's machine, obviously... we got it back over there, hooked it up to the network, but it still wouldn't join the domain... same error. Through some dinking around I discovered that, though in the connection properties it was set to use NetBIOS over TCP/IP, doing ipconfig /all showed that it was disabled. To fix this we eventually just figured out that we had to remove TCP/IP, reboot, add TCP/IP, and reboot... it was then able to rejoin the domain, and everything else worked fine... logon script, mapped resources, etc. all worked fine.

So we went around to all the PCs, turned them on, killed the pidserv process (or booted to safe mode if we hit F8 in time), removed the file and registry entries, rebooted, hooked them to the network (but didn't logon to the domain yet), installed any necessary critical updates, removed/reinstalled TCP/IP, then re-joined them to the domain.

I'm posting this because I couldn't find any information on it and am hoping that it helps at least one person out there... I'm not sure if this thing spread using that Sasser vulnerability or what... I'm also not sure if it got onto Fred's PC and spread from there, or was introduced to the network when Fred attempted to reconfigure their firewall. All I know is it spread to every 2k/XP box that was turned on (they have one 98 machine that it didn't appear to affect) and mangled the TCP/IP so that some of the Active Directory stuff stopped working. I doubt that the author intended for that to happen, because that's what gave away this thing's existence... had Fred been able to rejoin the domain without issue, we probably wouldn't have even received a call.

So anyway, hopefully someone out there finds this useful. We kept a copy of the file to submit to any Anti-Virus/Trojan companies out there, so if anyone wants to take a look at it, I might be able to get it to you.

I guess that's all... :)
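The two netstat observations in the post above (a session on port 6667 and "a bunch of ftp" activity) are the kind of thing worth checking for mechanically across every box rather than by eye. The following is an added example, not code from the thread: a small Python script that parses the `netstat -an` text layout of Windows 2000/XP and flags those two patterns. The sample output, the host addresses, and the three-attempt FTP threshold are constructed for illustration.

```python
import re
from collections import Counter

# Ports the first post associates with the infection: 6667 (IRC, the backdoor's
# command channel) and 21 (the "bunch of ftp" activity seen in netstat).
IRC_PORTS = {6667}
FTP_PORT = 21

# Constructed sample in the `netstat -an` layout of Windows 2000/XP; not a real
# capture from the thread. One IRC session and a burst of FTP connection
# attempts against neighbouring hosts are mixed in with normal traffic.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.23:1041      192.168.1.5:139        ESTABLISHED
  TCP    192.168.1.23:1102      203.0.113.9:6667       ESTABLISHED
  TCP    192.168.1.23:1110      192.168.1.17:21        SYN_SENT
  TCP    192.168.1.23:1111      192.168.1.18:21        SYN_SENT
  TCP    192.168.1.23:1112      192.168.1.19:21        SYN_SENT
  UDP    0.0.0.0:137            *:*
"""

# One connection line: proto, local addr:port, foreign addr:port, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*(\S+)?\s*$")


def parse_netstat(text):
    """Turn raw netstat text into a list of connection dicts, skipping headers."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state = m.groups()
        rows.append({
            "proto": proto,
            "laddr": laddr, "lport": int(lport),
            "raddr": raddr, "rport": None if rport == "*" else int(rport),
            "state": state or "",
        })
    return rows


def triage(rows, ftp_threshold=3):
    """Return human-readable findings: any IRC connection, and a burst of
    outbound FTP attempts (a workstation normally makes none, let alone several)."""
    findings = []
    for r in rows:
        if r["proto"] == "TCP" and r["rport"] in IRC_PORTS:
            findings.append(
                f"IRC connection {r['laddr']}:{r['lport']} -> "
                f"{r['raddr']}:{r['rport']} ({r['state']})")
    ftp_targets = Counter(
        r["raddr"] for r in rows if r["proto"] == "TCP" and r["rport"] == FTP_PORT)
    total = sum(ftp_targets.values())
    if total >= ftp_threshold:
        findings.append(
            f"{total} outbound FTP attempts to {len(ftp_targets)} hosts: "
            + ", ".join(sorted(ftp_targets)))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_netstat(SAMPLE_NETSTAT)):
        print(finding)
```

Run it against the saved output of `netstat -an` from each machine (on XP, `netstat -ano` also gives the owning PID, which the regex tolerates as trailing text only if you extend it); the FTP burst to several neighbouring hosts is the more telling signal, since a worm scanning the subnet produces it even when the IRC channel is down.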
 

Booty | Senior member | Aug 4, 2000
Someone we talked about this whole ordeal to thought it was the Dabber worm, but the issues we ran into didn't seem to quite match up with Symantec's description of Dabber, so I'm not sure whether to believe that or not... maybe it's a variant. I still can't find anything on the web regarding pidserv, so, who knows...
 

Booty | Senior member | Aug 4, 2000
Alright, after looking around a bit, it really looks like the virus was a variant of w32.korgo...
 

Davegod | Platinum Member | Nov 26, 2001
My guess is network got "owned" by someone who knew what they were doing. Submit the file to symantec etc etc
 

Booty | Senior member | Aug 4, 2000
Just an FYI - W32/Rbot-Y. Looks to have been 'discovered' just yesterday. We'll see if Symantec puts out anything regarding it once they've finished taking a look at the file we submitted to them.
 

501apd | Junior Member | Jun 8, 2004
We had the same experience as you had in your first post. The only difference is that it only affected two of our servers. It was noticed on the first server on Monday and the second one on Tuesday.

We did all of the same steps that you took, before I even found this post from you. After removing the file from system32 and all the entries in the registry, and removing the protocol and reinstalling it, it reappeared after about 20 minutes. So we did all the steps again, but this time we blocked all incoming traffic to those two IP addresses and it seems to be working for the time being. So we monitored all incoming traffic and there has been something probing certain IPs within the network. The only thing different is that the affected machines can no longer get on the internet. Can't figure that one out. Any ideas?

We also contacted Norton and they don't seem to have any info about this virus. We are waiting to see if they will come up with something. The latest Norton defs do nothing. We scanned the affected file and it came up fine.

Have any of your machines become affected again?
 

Booty | Senior member | Aug 4, 2000
The network we cleaned is still fine, to my knowledge... we went back once for a follow-up after a week and saw no signs of an encore, and haven't heard anything, so we're hoping that no news is good news.

This might go without saying, but just in case - make sure you've patched all your systems. Although it doesn't mention it on the Sophos website, we thought the virus might be using the infamous flaws discussed in MS04-011. I don't know how many systems you have, so this might be a pain for you, but what we actually did to ensure that this thing wasn't spreading was took everyone down (about 25 systems) and cleaned them one at a time before allowing them back on the network... there were 2 of us working on this and it took us a good 4 or 5 hours to get the whole network back on, but it would seem that it was enough to prevent the worm from re-spreading. We also installed a new firewall device, which probably helped, since the Sophos site says it "spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user."

My guess is that the 'hacker' (for lack of a better term) is probing around on your network for another infected machine. That, or you have an infected system inside your network that's doing the probing - I suppose it's possible that the worm has been spread manually on the network we worked on, but it really seemed more likely that the worm was spreading by itself, so maybe the 'remote user' doesn't need to issue commands to the trojan element to get it to spread... maybe it just spreads. Either way, your best bet would be to double-check and make sure you've got your network locked down at the firewall level... from there I'd check all your systems to see if the worm has spread. If it has, I'd think it would be best to take them all down, disconnect them from the network, and clean them one at a time before joining them back up to the network. Again, I don't know if this is feasible for you since you might be dealing with a much larger number of machines than we did.

I guess the other option might be to go buy Sophos anti-virus and throw it on your network, since it appears to be the only AV software out there right now that recognizes this threat. I'm trying to find more information on it, myself, to see if it'd be a better solution than Norton Corp. for both our network and our customers... so if anyone out there has any experiences with Sophos, please share.

I'll continue to post back with any updates or if we hear back from anyone we submitted the file to, especially now that I might actually be helping someone. ;)
 

Nordberg | Junior Member | Jun 9, 2004
I found this virus on a machine yesterday and haven't been successful in fixing the problem yet.

I found pidserv.exe, deleted it, and changed the registry entries, but still nothing worked. There were five total entries: the three with pidserv.exe, and the one DCOM and one anonymous login entry that Sophos recommends changing. Anyway, when I rebooted the machine, the pidserv entries were gone but my changes on the other two were back. So I figured I had more versions of the same thing under different names. I found and deleted ntconfig.exe and ms32cnd.exe (I might be wrong on the name of that one). Anyway, when I deleted these two the virus seems to be gone. My registry entries remain intact.

But I cannot get the computer to connect to other computers on the network. I tried unchecking TCP/IP and then rebooting - like suggested above, but I still can't get it to work. I uninstalled the network adapter, re-installed it, re-set up the network... nothing. I think there might be a network configuration that the virus changed that I am missing.

I am also not sure whether I exactly uninstalled the TCP/IP protocol - can someone go through the procedure here?

Thanks for any help... I'm really stuck here.
 

501apd | Junior Member | Jun 8, 2004
My experience was: after you have all of the registry entries fixed and have deleted PIDSERV.EXE from system32, uninstall the TCP/IP protocol from the network adapter as follows:

1. Right-click on My Network Places and go to Properties.
2. Right-click on the LAN adapter and select Properties.
3. Select Internet Protocol (TCP/IP) (it should be highlighted blue) and select Uninstall.
4. Reboot the machine when asked and add the protocol back into the adapter.
 

Nordberg | Junior Member | Jun 9, 2004
Thanks - I should have mentioned earlier that I have Windows XP Pro and it says that TCP/IP cannot be uninstalled. Do you have any other ideas?
 

w84ng | Junior Member | Jun 9, 2004
hi,

1) start safe mode (F8)
search & delete pidserv.exe in %systemroot% (include hidden & system files)
search the registry for pidserv.exe and delete the entries (3 times)
there are some more registry entries created by pidserv.exe - not so important

2) boot system and check Task Manager to see whether you can find pidserv.exe or not

3) now search the registry for TransportBindName - should be located in Parameters of the NetBT registry key
pidserv.exe deletes this entry - should be "\Device\" (without quotes) - add this parameter and reboot
(check another XP or W2K system if you are not sure)

ps: in case you can't get rid of pidserv.exe, you can prevent this specific registry key from being overwritten by pidserv.exe by starting regedt32 and configuring this registry key with only read permission for all entries in the ACL.

good luck
 

Booty | Senior member | Aug 4, 2000
Good tip on the TransportBindName entry, w84ng - I didn't know about that. I'm not sure if that's all that's required to fix TCP/IP on affected systems or not... I just knew it was broken and figured the path of least resistance would be to do a total uninstall/reinstall.

The systems I dealt with were all Windows 2000 boxes... in the case that you have XP and can't remove TCP/IP, you could try one of the winsock/TCP/IP repair tools out there... here's one that's been useful, but one that might be even better is linked at the bottom of that page... that link appears to be dead, but googling for WinsockXPFix will bring up plenty of other places to grab it. I'd be interested in knowing whether that fixes the connection issues in XP after the virus is removed or not, so if anyone out there runs into this on XP, please try that and post here with results.

Nordberg - when you first deleted pidserv.exe, were you in safe mode? I don't know if I mentioned that, but in case I didn't, I'll emphasize w84ng's steps...

Reboot system into safe mode.
Search for and remove all instances of pidserv on the system and in the registry.
Repair TCP/IP using one of the methods mentioned in this post.

501apd - are your problems taken care of now or are you still dealing with weird activity?
 

w84ng | Junior Member | Jun 9, 2004
just one more thing,

you can't get rid of this worm even when formatting and installing from scratch! - Why?
Because I did it and a little bit later the worm was present again - Why?
weak password for local admin (should better say no password) when setting up - and the original worm source was another PC on the network and..... first c$ share attempt succeeded.....

hth
 

Nordberg | Junior Member | Jun 9, 2004
I would say that the TransportBindName was the registry entry that fixed the TCP/IP problem. I rebooted and it worked right away.

I really had a problem deleting pidserv.exe - and I feel shame for it! I am not an XP user but it was on a co-worker's machine and in folder options I had "show hidden files" checked but not "show system files" or whatever the second one was. So I couldn't find the file for a substantial amount of time.

When I deleted pidserv.exe, I wasn't in safe mode but ended the process first. Then I changed all of the registry entries that Sophos recommends on the Rbot virus. When I rebooted, pidserv.exe didn't load but the other registry entries that I changed, changed back. And the network still didn't work. When I looked in WINNT\System32 I noticed that there were two brand new executables in there (new since the computer had been infected). These two executables also had registry entries - they looked suspicious. So basically I had three versions of the same virus in three different files. And if you look at all of the Rbot varieties, they are all different file names basically doing the exact same thing.

When I finally cleaned all of those files out - the network still didn't work. It was only when I changed the TransportBindName registry entry did the network start to work again.

I'm sure that changing this registry entry or un-installing/re-installing tcp/ip on earlier versions of windows is roughly equivalent.
 

Booty | Senior member | Aug 4, 2000
w84ng - that's why you're definitely better off disconnecting infected PCs from the network and re-introducing them one at a time... like you said, a reformat isn't going to do any good if you just throw it onto an infected network. Let's face it - most people aren't going to have sufficiently 'tough' passwords even if they do change the defaults.

Nordberg - you had all 3 variations? Man, that sucks... good to hear it works now, though. :)
 

Nordberg | Junior Member | Jun 9, 2004
Yes and I think there were two new variations that Sophos hasn't yet identified :

ntconfig.exe
win32snc.exe

both files were 92KB in size.

pidserv.exe identifies itself as Process Session Manager in these registry entries :
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

win32snc.exe was "Microsoft Update Configuration"

and I apologize but I forget what ntconfig.exe identified itself as. It was something rather generic sounding.

Obviously, R-bot comes in many different files/names/variations.
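The three Run/RunServices locations and display names listed above, together with the TransportBindName check from w84ng's steps earlier in the thread, are easy to turn into a repeatable per-machine audit. The following is an added example and not code from the thread or from any AV vendor: a Python script that checks a snapshot of those keys for the filenames and value names this thread reports, and for a missing or altered TransportBindName under NetBT\Parameters. The snapshot format, the sample data (including the benign "Synchronization Manager" entry) and the `read_live_snapshot` helper are my own; the live helper uses Python's standard `winreg` module and therefore only runs on Windows, while the audit logic itself runs anywhere. It does not implement the regedt32 ACL hardening w84ng describes; that remains a manual step.

```python
import ntpath
import sys

# Registry locations named in the thread.
RUN_KEYS = [
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
]
NETBT_PARAMS = r"HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters"
EXPECTED_TRANSPORT_BIND = "\\Device\\"

# Filenames and autorun value names reported in the thread for this family.
SUSPECT_FILES = {"pidserv.exe", "win32snc.exe", "ntconfig.exe"}
SUSPECT_NAMES = {"process session manager", "microsoft update configuration"}


def _exe_name(command):
    """Basename of the executable in a Run-key command line (quoted or bare)."""
    cmd = str(command).strip()
    if cmd.startswith('"'):
        cmd = cmd[1:].split('"', 1)[0]
    else:
        cmd = cmd.split(" ", 1)[0]
    return ntpath.basename(cmd).lower()


def audit_snapshot(snapshot):
    """snapshot maps a key path to {value name: value data}. Returns findings."""
    findings = []
    for key in RUN_KEYS:
        for name, data in snapshot.get(key, {}).items():
            if name.lower() in SUSPECT_NAMES or _exe_name(data) in SUSPECT_FILES:
                findings.append(f"autorun {key}\\{name} = {data!r}")
    bind = snapshot.get(NETBT_PARAMS, {}).get("TransportBindName")
    if bind is None:
        findings.append(f"{NETBT_PARAMS}\\TransportBindName is missing "
                        f"(expected {EXPECTED_TRANSPORT_BIND!r})")
    elif bind != EXPECTED_TRANSPORT_BIND:
        findings.append(
            f"TransportBindName is {bind!r}, expected {EXPECTED_TRANSPORT_BIND!r}")
    return findings


def read_live_snapshot():
    """Read the same keys from the local registry (Windows only; uses winreg)."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snapshot = {}
    for path in RUN_KEYS + [NETBT_PARAMS]:
        hive, subkey = path.split("\\", 1)
        values = {}
        try:
            with winreg.OpenKey(hives[hive], subkey) as k:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(k, i)
                    except OSError:
                        break  # no more values under this key
                    values[name] = data
                    i += 1
        except OSError:
            pass  # key absent or unreadable; the audit reports what is missing
        snapshot[path] = values
    return snapshot


# Constructed snapshot reproducing the state the thread describes: autorun
# entries for the worm's files plus a deleted TransportBindName value.
SAMPLE_SNAPSHOT = {
    RUN_KEYS[0]: {"Process Session Manager": "pidserv.exe",
                  "Synchronization Manager": "mobsync.exe /logon"},
    RUN_KEYS[1]: {"Process Session Manager": "pidserv.exe"},
    RUN_KEYS[2]: {"Microsoft Update Configuration": "win32snc.exe"},
    NETBT_PARAMS: {"EnableLMHOSTS": 1},
}

if __name__ == "__main__":
    snap = read_live_snapshot() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    for finding in audit_snapshot(snap) or ["no findings"]:
        print(finding)
```

Because the worm re-creates its entries within minutes on a connected machine, the useful way to run this is from safe mode on the disconnected box, once before cleanup and once after the reboot, so a reappearing autorun or a TransportBindName that has gone missing again tells you a second copy (the ntconfig.exe/win32snc.exe situation above) is still present.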
 

Booty | Senior member | Aug 4, 2000
Yeah, I wouldn't be surprised at all if Sophos hasn't picked up all the variations of it... did you submit samples of the infected files to any of the AV companies? I'm wondering how long it's going to be before Symantec, Trend Micro, etc. pick up on this one. Maybe it's just not common enough for them to pay much attention to yet.
 

w84ng | Junior Member | Jun 9, 2004
A few days ago I sent "pidserv.exe" and another suspicious file to Symantec - here comes their answer:

We have analyzed your submission. The following is a report of our
findings for each file you have submitted:

filename: A:\PIDSERV.EXE
machine:
result: This file is infected with W32.Spybot.Worm

filename: A:\Dc1.pf
machine:
result: This file is clean

Developer notes:
A:\PIDSERV.EXE is non-repairable threat. NAV with the latest rapidrelease definition detects this. Please delete this file and replace it if neccessary. Please follow the instruction at the end of this email message to install the latest rapidrelease definitions.
A:\Dc1.pf is a clean file.



Symantec Security Response has determined that the sample(s) that you provided are infected with a virus, worm, or Trojan. We have created RapidRelease definitions that will detect this threat. Please follow the instruction at the end of this email message to download and install the latest RapidRelease definitions.
Downloading and Installing RapidRelease Definition Instructions:
1. Open your Web browser. If you are using a dial-up connection, connect to any Web site, such as: http://securityresponse.symantec.com/
2. Click this link to the ftp site: ftp://ftp.symantec.com/public/engli...irus/rapidrelease/symcrapidreleasedefsx86.exe. If it does not go to the site (this could take a minute or so if you have a slow connection), copy and paste the address into the address bar of your Web browser and then press Enter.
3. When a download dialog box appears, save the file to the Windows desktop.
4. Double-click the downloaded file and follow the prompts.
----------------------------------------------------------------------
This message was generated by Symantec Security Response automation



hth
 

Booty | Senior member | Aug 4, 2000
Originally posted by: w84ng
*snip*
2. Click this link to the ftp site: ftp://ftp.symantec.com/public/engli...definitions/norton_antivirus/rapidrelease/symcrapidreleasedefsx86.exe. *snip*

I know that most of that hidden word is made up of 'rapid', but it still stuck out to me for some reason. ;)

So is Symantec going to update their definitions to detect this threat, then? According to their site, the information was updated June 10, but at first glance I don't see anything in the document that sounds like they changed anything. I'm going to try scanning a disk with the infected file both before and after updating definitions and see if it detects it... it'd be nice to know whether it's catching this or not.