NetDevil - ADVAPI

Discussion in 'Virus Information' started by bclay, Jan 21, 2005.

  1. I'm seeing a massive amount of failed logins on a particular IIS 6 server.
    The login names are random, and the attempting logon process is called ADVAPI.

    The particular advapi.exe (not to be confused with the valid advapi32.dll)
    is associated with the Netdevil virus version 12. I found several references
    that point to ports 901-903 for this virus - a complete scan of our internal
    network showed nothing open on these ports.

    Anyone know if these logon attempts could be external - coming in on https,
    ftp, etc..? Does the existence of these login attempts prove it's internal?

    Any thoughts appreciated..
     
    bclay, Jan 21, 2005
    #1
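For triaging the pattern bclay describes (a burst of failed logons with random names and logon process ADVAPI), here is an added example that is not part of the thread: it parses constructed failed-logon records in a simplified key=value layout (an assumption for this example; real Windows 2003 Security-log events are multi-line text) and flags any source address that cycles through many distinct user names, which is what separates a remote guessing run from a user mistyping their own password.

```python
import re
from collections import defaultdict

# Constructed sample records, loosely modelled on Windows Server 2003
# Security-log failed-logon entries (event 529). The one-line key=value
# layout is an assumption made for this example.
SAMPLE_LOG = """\
2005-01-21 09:12:01 EventID=529 User=qwv81 LogonType=8 LogonProcess=Advapi Workstation=WEB01 Source=203.0.113.45
2005-01-21 09:12:02 EventID=529 User=zk3p0 LogonType=8 LogonProcess=Advapi Workstation=WEB01 Source=203.0.113.45
2005-01-21 09:12:02 EventID=529 User=mm7r2 LogonType=8 LogonProcess=Advapi Workstation=WEB01 Source=203.0.113.45
2005-01-21 09:12:03 EventID=529 User=a9xlq LogonType=8 LogonProcess=Advapi Workstation=WEB01 Source=203.0.113.45
2005-01-21 09:12:40 EventID=529 User=jsmith LogonType=2 LogonProcess=User32 Workstation=WS-17 Source=-
2005-01-21 09:12:41 EventID=529 User=jsmith LogonType=2 LogonProcess=User32 Workstation=WS-17 Source=-
2005-01-21 09:13:05 EventID=540 User=svc-backup LogonType=3 LogonProcess=Kerberos Workstation=FS01 Source=10.0.0.8
"""

LINE = re.compile(r"^(?P<ts>\S+ \S+) (?P<kv>.+)$")

def parse_record(line):
    """Turn one constructed log line into a dict of its fields."""
    m = LINE.match(line)
    if not m:
        raise ValueError("unparseable line: %r" % line)
    fields = dict(item.split("=", 1) for item in m.group("kv").split())
    fields["Timestamp"] = m.group("ts")
    return fields

def failed_logons(text):
    """Keep only failed-logon records (event 529); successes (540) are dropped."""
    records = (parse_record(l) for l in text.splitlines() if l.strip())
    return [r for r in records if r["EventID"] == "529"]

def suspicious_sources(records, min_distinct_users=3):
    """Group failures by (logon process, source address) and flag sources that
    cycle through many distinct names. Logon type 8 (NetworkCleartext) is what
    IIS basic authentication produces, so it hints at the entry point too."""
    groups = defaultdict(lambda: {"failures": 0, "users": set(), "logon_types": set()})
    for r in records:
        g = groups[(r["LogonProcess"], r["Source"])]
        g["failures"] += 1
        g["users"].add(r["User"])
        g["logon_types"].add(r["LogonType"])
    return {
        key: {"failures": g["failures"], "distinct_users": len(g["users"]),
              "logon_types": sorted(g["logon_types"])}
        for key, g in groups.items() if len(g["users"]) >= min_distinct_users
    }

if __name__ == "__main__":
    print(suspicious_sources(failed_logons(SAMPLE_LOG)))
```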

  2. Put Ethereal on the server and analyze the packets.

    --
    Dave

    | I'm seeing a massive amount of failed logins on a particular IIS 6 server.
    | The login names are random, and the attempting logon process is called ADVAPI.
    |
    | The particular advapi.exe (not to be confused with the valid advapi32.dll)
    | is associated with the Netdevil virus version 12. I found several references
    | that point to ports 901-903 for this virus - a complete scan of our internal
    | network showed nothing open on these ports.
    |
    | Anyone know if these logon attempts could be external - coming in on https,
    | ftp, etc..? Does the existence of these login attempts prove it's internal?
    |
    | Any thoughts appreciated..
     
    David H. Lipman, Jan 21, 2005
    #2


  3. Every reference with a Google search for ADVAPI came up with the Netdevil
    virus. A subsequent Technet search found one hit - apparently ADVAPI is a
    Kerberos component in AD.

    The massive logon attempts, still disconcerting.
     
    bclay, Jan 21, 2005
    #3
  4. bclay

    Ian Kenefick Guest

    The massive login attempts are explained by the fact that netdevil is
    a RAT - Remote Access Trojan. Can you capture a sample and send for
    analysis to your AV vendor? If you can, do this! - and for an instant
    analysis send it to scan[at]virustotal.com with subject line 'SCAN'
    without the inverted commas (replace [at] with @).

    Post back with results!

    Regards,
    Ian Kenefick
    http://www.IK-CS.com
     
    Ian Kenefick, Jan 22, 2005
    #4
  5. Questions-

    1. You said RAT - is this an external trojan attempting to logon via web
    services?

    2. Capture a sample - do you mean a capture of the public traffic to this
    server during logon attempts?

    thx-
     
    bclay, Jan 22, 2005
    #5
  6. bclay

    Ian Kenefick Guest

    Yes, as in remote access - external. This is possible if such services
    are hijacked.
    Well, use public traffic to identify the offending machine first -
    and then on that machine identify possible malware in relation to
    these attacks.

    Regards,
    Ian Kenefick
    http://www.IK-CS.com
     
    Ian Kenefick, Jan 22, 2005
    #6
  7. bclay

    Ian Kenefick Guest

    Hi,
    Yes, as in remote access - external. This is possible if such services
    are hijacked.
    Well, use public traffic to identify the offending machine first -
    and it should be possible to block traffic from the offending IP?

    Regards,
    Ian Kenefick
    http://www.IK-CS.com

     
    Ian Kenefick, Jan 22, 2005
    #7
