
Thread: svchost.exe spawns iexplore.exe (revisited)

  1. #1 Junior Member (Join Date: Jan 2007, Posts: 2)

    svchost.exe spawns iexplore.exe (revisited)

    Hi, I've had a similar problem as the one described here:
    svchost.exe spawns iexplore.exe
    (now moved to the forum archives, where I can't post)

    I found the culprit - a hidden executable named nat.exe - disguised as a Windows service that could not be stopped.
    It had the following registry entries:

    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nat]
    "Type"=dword:00000110
    "Start"=dword:00000002
    "ErrorControl"=dword:00000000
    "ImagePath"=hex(2):22,00,44,00,3a,00,5c,00,57,00,49,00,4e,00,4e,00,54,00,5c,00,\
      73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6e,00,61,00,74,00,2e,\
      00,65,00,78,00,65,00,22,00,00,00
    "DisplayName"="NAT Service"
    "ObjectName"="LocalSystem"
    "FailureActions"=hex:0a,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,10,41,13,\
      00,01,00,00,00,b8,0b,00,00
    "Description"="Network address translation for network. If this service is stopped or disabled, programs using NAT service will not function properly"
    
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nat\Security]
    "Security"=hex:01,00,14,80,a0,00,00,00,ac,00,00,00,14,00,00,00,30,00,00,00,02,\
      00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
      00,00,02,00,70,00,04,00,00,00,00,00,18,00,fd,01,02,00,01,01,00,00,00,00,00,\
      05,12,00,00,00,74,00,69,00,00,00,1c,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
      20,00,00,00,20,02,00,00,76,00,65,00,00,00,18,00,8d,01,02,00,01,01,00,00,00,\
      00,00,05,0b,00,00,00,20,02,00,00,00,00,1c,00,fd,01,02,00,01,02,00,00,00,00,\
      00,05,20,00,00,00,23,02,00,00,76,00,65,00,01,01,00,00,00,00,00,05,12,00,00,\
      00,01,01,00,00,00,00,00,05,12,00,00,00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nat\Enum]
    "0"="Root\\LEGACY_NAT\\0000"
    "Count"=dword:00000001
    "NextInstance"=dword:00000001

    A strange thing was that the parent of the IEXPLORE.EXE was actually svchost.exe. I guess the virus creates a remote thread in svchost and then instructs it to spawn a child process with command line:

    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -Embedding.

    thus keeping a low profile as it appears that IEXPLORE has been spawned from svchost.exe.

    Another interesting behavior was that when I killed nat.exe it respawned itself as a hidden process (the Administrators group didn't have rights to Query its process state - only the SYSTEM account had Synchronize rights).

    There were some accompanying files, two of which looked like .LOG files but were actually executables starting with MZ (one of them was exactly the size of the virus executable and had the same creation date). I changed their extension to .EXE and their icons showed up. There was also a .dll which I'm not sure about, but its date was almost the same as the date of the .exe. I've saved all these in a ZIP and I can post them here as an attachment, if any of you virologists are interested in touching them.
    Last edited by tashi; 2007-01-23 at 04:18. Reason: Moved from Web Alerts
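The registry export above holds more than the poster spells out: the ImagePath is stored as a "hex(2):" UTF-16LE byte list, the Type/Start values encode service flags, and the FailureActions blob tells the Service Control Manager what to do when the process dies. The script below is an added example written for this thread (not the poster's tool and not Spybot's code); it parses the nat service key exactly as exported, decodes those fields, and applies the poster's "looks like a .LOG but starts with MZ" check to a few constructed sample files. The .reg layout it relies on is the documented regedit 5.00 export format; the SAMPLE_FILES bytes and the file names in them are constructed for the example.

```python
import re
import struct

# Constructed sample input: the nat service key exactly as the poster exported it
# (regedit writes REG_EXPAND_SZ as "hex(2):" comma-separated UTF-16LE bytes and
# REG_BINARY as "hex:", both wrapped with trailing backslashes).
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nat]
"Type"=dword:00000110
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"=hex(2):22,00,44,00,3a,00,5c,00,57,00,49,00,4e,00,4e,00,54,00,5c,00,\
  73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6e,00,61,00,74,00,2e,\
  00,65,00,78,00,65,00,22,00,00,00
"DisplayName"="NAT Service"
"ObjectName"="LocalSystem"
"FailureActions"=hex:0a,00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,10,41,13,\
  00,01,00,00,00,b8,0b,00,00
'''

# SERVICE_* type bits and SERVICE_*_START values from winnt.h / winsvc.h.
TYPE_FLAGS = {0x1: 'kernel_driver', 0x2: 'file_system_driver',
              0x10: 'win32_own_process', 0x20: 'win32_share_process',
              0x100: 'interactive'}
START_NAMES = {0: 'boot', 1: 'system', 2: 'auto', 3: 'demand', 4: 'disabled'}
# SC_ACTION_TYPE values used inside SERVICE_FAILURE_ACTIONS.
ACTION_NAMES = {0: 'none', 1: 'restart', 2: 'reboot', 3: 'run_command'}


def _hex_list(raw):
    return bytes(int(x, 16) for x in raw.split(',') if x.strip())


def parse_reg_values(text):
    """Return {name: value} for the "name"=value lines of a .reg export."""
    text = re.sub(r',\\\r?\n\s*', ',', text)  # re-join backslash-continued hex lines
    values = {}
    for m in re.finditer(r'^"([^"]+)"=(.*)$', text, re.M):
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith('dword:'):
            values[name] = int(raw[6:], 16)
        elif raw.startswith('hex(2):'):  # REG_EXPAND_SZ: UTF-16LE, NUL-terminated
            values[name] = _hex_list(raw[7:]).decode('utf-16-le').rstrip('\x00')
        elif raw.startswith('hex:'):  # REG_BINARY
            values[name] = _hex_list(raw[4:])
        elif raw.startswith('"') and raw.endswith('"'):  # REG_SZ
            values[name] = raw[1:-1].replace('\\\\', '\\')
    return values


def service_type_flags(type_value):
    return [name for bit, name in TYPE_FLAGS.items() if type_value & bit]


def decode_failure_actions(blob):
    """Decode SERVICE_FAILURE_ACTIONS: five DWORDs of header, then SC_ACTION pairs."""
    reset_period, _msg, _cmd, count, _ptr = struct.unpack_from('<5I', blob, 0)
    actions = []
    for i in range(count):
        action_type, delay_ms = struct.unpack_from('<2I', blob, 20 + 8 * i)
        actions.append((ACTION_NAMES.get(action_type, action_type), delay_ms))
    return reset_period, actions


def review_service(values):
    """Summarise the settings a responder looks at first for an unknown service."""
    findings = {'image_path': values['ImagePath'].strip('"'),
                'type': service_type_flags(values['Type']),
                'start': START_NAMES.get(values['Start'], values['Start']),
                'account': values.get('ObjectName')}
    if 'FailureActions' in values:
        findings['reset_period_s'], findings['on_failure'] = decode_failure_actions(values['FailureActions'])
    return findings


# Constructed sample "files": a .LOG that is really a PE image next to a genuine log.
SAMPLE_FILES = {
    'nat.log': b'MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00',
    'iis.log': b'2007-01-20 10:15:02 GET /default.htm 200\r\n',
}
EXECUTABLE_EXTENSIONS = ('.exe', '.dll', '.sys', '.scr', '.ocx', '.cpl')


def find_disguised_executables(files):
    """Names whose extension says 'not a program' but whose bytes begin with MZ."""
    return sorted(name for name, data in files.items()
                  if data[:2] == b'MZ' and not name.lower().endswith(EXECUTABLE_EXTENSIONS))


if __name__ == '__main__':
    for key, val in review_service(parse_reg_values(REG_EXPORT)).items():
        print(f'{key}: {val}')
    print('disguised executables:', find_disguised_executables(SAMPLE_FILES))
```

Run on the poster's export, this decodes the ImagePath to D:\WINNT\system32\nat.exe, shows the Type value 0x110 as an own-process service with the interactive flag set, an auto start, LocalSystem as the account, and a FailureActions entry that restarts the service 3000 ms after it terminates. That last setting is the SCM feature behind the respawn the poster saw after killing nat.exe, and it is worth checking on any unfamiliar service before trying to stop it.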

  2. #2 tashi, Member of Team Spybot (Join Date: Oct 2005, Location: USA, Posts: 30,966)

    Hi there.

    Please send the zipped files to: detections(AT)spybot.info (Replace AT with @)

    Put the name of the file/infection into subject matter.

    That is the preferred method for our detectives attention. Please do not attach here.

    Thank you.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  3. #3 Junior Member (Join Date: Jan 2007, Posts: 2)

    I've just sent it to detectives.

    I'm not sure about the way the server got infected, but it is a Windows 2000 machine with a real IP. It is running IIS and SQL Server 2000.

    Hope this will be helpful.

  4. #4 tashi, Member of Team Spybot (Join Date: Oct 2005, Location: USA, Posts: 30,966)

    Thank you, I am sure they will take a good look at it.
