Security Incidents mailing list archives

Re: [Think I've got trouble]


From: Greg Dotoli <gdotoli () bizinfoservices com>
Date: 9 Jan 02 16:56:22 EST

Katherine,

I don't know what nimreg is, but your system seems compromised. I wouldn't
trust a "fix"; rebuild and be more careful.

Greg


Name: BLA trojan
Aliases: N/A
Ports: 666, 1042, 20331
Files:
  Dbla.zip - 307,489 bytes
  Bla.zip - 305,115 bytes
  Bla1.0.zip - 310,684 bytes
  Bla20.zip - 615,572 bytes
  Bla40.zip - 603,821 bytes
  Bla5.01.zip
  Bla502.zip
  Bla503.zip - 838,477 bytes
  Bla51.zip
  Trojan.exe - 64,658 bytes
  Trojan.exe - 91,032 bytes
  Blaclient.exe - 1,359,360 bytes
  Bla(client).exe - 1,342,976 bytes
  Bla501 tcp proxy.exe
  Bla501trojan.exe
  Blaclient.exe
  Blaclient2.exe
  Blaaaaa.exe - 1,284,096 bytes
  Blaaaaa.exe - 1,330,688 bytes
  Msv32.dll - 64,658 bytes
  Msv32.dll - 144,896 bytes
  Msv32-1.dll
  Scanirc.exe - 303,616 bytes
  "renamed server".exe - 217,600 bytes
  Mprdll.exe
  Asian trojan.exe - 192,512 bytes
  Tcpload.exe - 255,488 bytes
  Tcpproxy.exe - 32,768 bytes
  Module.ini - 78 bytes
  Normal trojan.exe - 217,088 bytes
  Salope trojan.exe - 229,376 bytes
  Self extract.exe - 94,208 bytes
  Log.txt - ??? bytes

Created: Mar 1999
Requires: N/A
Actions: Remote Access / Steals passwords
The client also drops a server! The hacker could choose to log passwords only
or all text written. One of the functions is to kill antivirus software.
Versions: 1.0, 1.1, 2.0, 4.0, 5.01, 5.02, 5.03, 5.1
Registers: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\

Notes: Works on Windows 95 and 98.
Country: written in France
Program: N/A



Katherine Ogden <kogden () 4cd net> wrote:


We began having trouble with our Exchange server. 
For no reason we could pin down, the OWA would 
throw up an error and stop the www service.  Being 
the slightly paranoid sort, I downloaded Retina and ran 
it against the email server.  It showed the usual things, 
but it also showed
Port 1058 - Nim
Port 1090 - Xtreme

Two other Exchange servers show these ports open.
Port 1042 - Bla
Port 1059 - Nimreg

Two questions.  Does anybody know what these
are?  And am I right in assuming that these machines 
have been compromised and will need to be rebuilt?

Thank you for the help.
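The BLA record above gives three things a defender can check on the host itself (the ports 666/1042/20331, the Run key it registers under, and its file names), whereas Katherine's scan only supplies a port number and a label from the scanner's port table. The following is an added example, not code from the thread: it correlates a `netstat -an` dump with a dump of the Run key and rates the evidence. The sample netstat and registry text, and the Run value name `msv32`, are constructed for illustration.

```python
# Added example: host-side triage for the BLA indicators quoted in the thread.
# A remote scanner's port label alone is a weak signal; an autostart entry
# pointing at a known file name alongside a listening BLA port is a strong one.
import re

# Indicators taken from the BLA record in the thread.
BLA_PORTS = {666, 1042, 20331}
BLA_FILES = {"msv32.dll", "msv32-1.dll", "mprdll.exe", "tcpproxy.exe", "tcpload.exe"}
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

def listening_ports(netstat_text):
    """Return the local TCP ports in LISTENING state from `netstat -an` lines."""
    ports = set()
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", line)
        if m:
            ports.add(int(m.group(1)))
    return ports

def suspicious_run_entries(run_key_text):
    """Return (value name, command) pairs whose command names a known BLA file."""
    hits = []
    for line in run_key_text.splitlines():
        name, sep, cmd = line.partition("=")
        if sep and any(f in cmd.lower() for f in BLA_FILES):
            hits.append((name.strip(), cmd.strip()))
    return hits

def triage(netstat_text, run_key_text):
    """Combine both sources: one indicator means 'verify', two means 'likely'."""
    ports = listening_ports(netstat_text) & BLA_PORTS
    run_hits = suspicious_run_entries(run_key_text)
    if ports and run_hits:
        verdict = "likely compromised"
    elif ports or run_hits:
        verdict = "verify: single indicator"
    else:
        verdict = "no BLA indicators"
    return {"ports": sorted(ports), "run_hits": run_hits, "verdict": verdict}

# Constructed sample input (not data from the servers discussed in the thread).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1042           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:139           10.0.0.9:1031          ESTABLISHED
"""
SAMPLE_RUN_KEY = f"[{RUN_KEY}]\nSystemTray=SysTray.Exe\nmsv32=C:\\WINDOWS\\SYSTEM\\Msv32.dll\n"

if __name__ == "__main__":
    print(triage(SAMPLE_NETSTAT, SAMPLE_RUN_KEY))  # verdict: likely compromised
```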

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
