Article ID: 328691
This article was previously published under Q328691
Notice This article applies to Windows 2000. Support for Windows 2000 ends on July 13, 2010. The Windows 2000 End-of-Support Solution Center (http://support.microsoft.com/win2000) is a starting point for planning your migration strategy from Windows 2000. For more information, see the Microsoft Support Lifecycle Policy.
UPDATE: As of September 6, 2002, reports of malicious activity that follow the particular pattern that is outlined in this article have lessened significantly. The Microsoft Product Support Services Security Team has modified this Microsoft Knowledge Base article to reflect this information and to refine suggestions for detection and repair criteria.
Microsoft has investigated an increase in malicious activity that tries to load code on Microsoft Windows 2000-based servers. This activity is typically associated with a program that has been identified as Backdoor.IRC.Flood.
By analyzing computers that have been compromised, Microsoft has determined that these attacks do not appear to exploit any new product-related security vulnerabilities and do not appear to be viral or worm-like in nature. Instead, the attacks seek to take advantage of situations where standard precautions have not been taken as detailed in the "Prevention" section. The activity appears to be associated with a coordinated series of individual attempts to compromise Windows 2000-based servers. As a result, successful compromises leave a distinctive pattern. This article lists files and programs that would provide evidence of a successful compromise according to this pattern so that you can take appropriate action to:
Impact of Attack
Compromise of Server
Symptoms
Compromised systems show one or more of the following symptoms:
Note In this error message, ComputerName is the network basic input/output system (NetBIOS) name of the computer.
Event ID: 8012
The 'Active Directory' returned 'A device attached to the system is not functioning.' from a call to 'BackupPrepare()' additional data '\\ComputerName'.
Event ID: 1000
Windows cannot determine user or computer name. Return value (1326)
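Added example, not part of the Knowledge Base article: a Python script that scans a constructed tab-separated event-log export for the two symptom records quoted above (Event ID 8012 from a 'BackupPrepare()' call, and Event ID 1000 with return value 1326). The column layout, source names and sample records are assumptions made for the example.

```python
"""Flag event-log records matching the KB 328691 symptom messages.
Input format (tab-separated: date, source, event id, description) is a
constructed stand-in for an exported log, not a Microsoft export format."""
import re
from collections import Counter

# Patterns derived from the messages quoted in the article. The NetBIOS
# name in the 8012 message varies per machine, so it is captured, not fixed.
SYMPTOMS = {
    8012: re.compile(r"from a call to 'BackupPrepare\(\)' additional data '\\\\(?P<host>[^']+)'"),
    1000: re.compile(r"Windows cannot determine user or computer name\. Return value \((?P<code>\d+)\)"),
}

def parse_records(text):
    """Yield (date, source, event_id, description); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split("\t", 3)
        if len(parts) != 4 or not parts[2].isdigit():
            continue
        yield parts[0], parts[1], int(parts[2]), parts[3]

def find_symptoms(text):
    """Return one finding per record that matches a symptom from the article."""
    findings = []
    for date, source, event_id, desc in parse_records(text):
        pattern = SYMPTOMS.get(event_id)
        m = pattern.search(desc) if pattern else None
        if not m:
            continue
        # Only return value 1326 (Win32 ERROR_LOGON_FAILURE) is the symptom
        # the article describes; other Userenv 1000 codes are ignored here.
        if event_id == 1000 and m.group("code") != "1326":
            continue
        findings.append({"date": date, "source": source, "event_id": event_id, **m.groupdict()})
    return findings

def summarize(findings):
    """Count matching records per Event ID."""
    return Counter(f["event_id"] for f in findings)

# Constructed sample export: two symptom records, one 1000 with a different
# return value, one with an unrelated message, one unrelated event, one bad line.
SAMPLE_LOG = "\n".join([
    "2002-08-30 02:11:05\tSampleSourceA\t8012\tThe 'Active Directory' returned 'A device attached to the system is not functioning.' from a call to 'BackupPrepare()' additional data '\\\\FILESRV01'.",
    "2002-08-30 02:11:09\tSampleSourceB\t1000\tWindows cannot determine user or computer name. Return value (1326)",
    "2002-08-30 02:11:40\tSampleSourceB\t1000\tWindows cannot determine user or computer name. Return value (1722)",
    "2002-08-30 02:12:00\tSampleSourceB\t1000\tAn unrelated message with the same Event ID.",
    "2002-08-30 02:13:00\tSampleSourceC\t13516\tUnrelated event text.",
    "garbage line without tabs",
])

if __name__ == "__main__":
    hits = find_symptoms(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(dict(summarize(hits)))
```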
Technical Details
If the computer has been compromised, antivirus software may detect malicious code such as Backdoor.IRC.Flood and its variants. For more information, contact your antivirus vendor.
In the cases that Microsoft has analyzed, the compromised servers were found to have the following files and programs. The presence of these files indicates that the system has been compromised. If these files or programs are found on your computer, and if they were not installed by you or with your knowledge, run a complete virus scan with an up-to-date virus scanning program.
Note Paths to the files are not listed because they may vary.
Attack Vectors
Analysis to date indicates that the attackers appear to have gained entry to the systems by using weak or blank administrator passwords. Microsoft has no evidence to suggest that any heretofore unknown security vulnerabilities have been used in the attacks.
Prevention
Microsoft recommends that customers protect their servers against this and other attacks by making sure that they follow standard security best practices, such as:
http://technet.microsoft.com/en-us/library/dd277322.aspx
For more information about how to keep Windows 2000 Server patched and secure, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/current.aspx
Alternatively, you can use the Microsoft Security Baseline Analyzer. For more information about the Microsoft Security Baseline Analyzer, visit the following Microsoft Web site:
Detection
To date, the only systems reported to have been affected by this attack have been systems that are running Microsoft Windows 2000 Server. Microsoft recommends that customers scan their Windows 2000 Server-based environments to determine if the files that are listed in the "Technical Details" section of this article exist. Because some of the files may have been legitimately installed, customers should investigate them to determine their usage and intent.
Recovery
For help with recovery, contact Microsoft Product Support Services by using your preferred method. For more information about methods to contact Microsoft Product Support Services, visit the following Microsoft Web site:
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 (http://support.microsoft.com/kb/322756/) How to back up and restore the registry in Windows
To work around this problem, you must rename specific files and then modify the registry. To do this, follow these steps.
Note The following steps are only a temporary solution. These steps only remove the effects of the original infection. These steps do not remove any additional viruses that the computer obtained after the computer was first infected. We recommend that you restore the operating system by using verified backup media from a known good point, before the computer was infected. You can also format the hard disk drive, reinstall the operating system, and then restore the missing data by using verified backup media from a known good point.
After you complete these steps, we recommend that you use antivirus software that has the latest virus definitions to detect and remove the MIRC Trojan virus. Next, format and then reinstall the server as soon as it is convenient for you. We recommend this action because the server has been compromised.