µÃǨËÒ¡ÒÃâ¨ÁµÕ·Õèà¡ÕèÂÇ¢éͧ¡Ñº¡ÒÃâ·Ã¨Ñ¹ MIRC áÅЫèÍÁá«Á

¡ÒûÃѺ»Ãا: à»ç¹¢Í§à´×͹ 6 ¡Ñ¹ÂÒ¹ 2002 ÃÒ§ҹ¢Í§¡Ô¨¡ÃÃÁ·Õèà»ç¹ÍѹµÃÒ·ÕèµÒÁÃٻẺ੾ÒзÕè outlined 㹺·¤ÇÒÁ¹Õé ÁÕ lessened ÁÒ¡¢Öé¹ ¤ÇÒÁ»ÅÍ´ÀÑ·ÕÁ Microsoft ¡ÒúÃÔ¡ÒÃʹѺʹع¼ÅÔµÀѳ±ìä´é»ÃѺà»ÅÕè¹¹Õ麷¤ÇÒÁ°Ò¹¤ÇÒÁÃÙé¢Í§ Microsoft à¾×èÍãËéÊзé͹¶Ö§¢éÍÁÙŹÕé áÅÐãËé¤Óá¹Ð¹ÓÊÓËÃѺ¡ÒõÃǨËÒ¡ÒûÃѺ»Ãا áÅÐà§×è͹ä¢ã¹¡ÒëèÍÁá«Á

Microsoft ÁÕ investigated à¾ÔèÁ¢Öé¹ã¹¡Ô¨¡ÃÃÁ·Õèà»ç¹ÍѹµÃÒ·Õè¾ÂÒÂÒÁâËÅ´ÃËÑʺ¹à«ÔÃì¿àÇÍÃì·Õèãªé Microsoft Windows 2000 â´Â·ÑèÇä»·Õèà¡ÕèÂÇ¢éͧ¡Ñºâ»Ãá¡ÃÁ·ÕèÃкØà»ç¹ Backdoor.IRC.Flood ¡Ô¨¡ÃÃÁ¹Õéä´é

â´Â¡ÒÃÇÔà¤ÃÒÐËì¤ÍÁ¾ÔÇàµÍÃì·Õèä´éÃѺ¤ÇÒÁàÊÕÂËÒ Microsoft ä´é¡Ó˹´ÇèÒ ¡ÒÃâ¨ÁµÕàËÅèÒ¹ÕéäÁè»ÃÒ¡¯¢Öé¹à¾×èÍ ¹Ó´éÒ¹¡ÒÃÃÑ¡ÉÒ¤ÇÒÁ»ÅÍ´ÀÑ·Õèà¡ÕèÂÇ¢éͧ¡Ñº¼ÅÔµÀѳ±ìãËÁèã´ æ áÅÐäÁè»ÃÒ¡¯¢Öé¹à»ç¹ viral ËÃ×Í˹͹äÇÃÑÊàËÁ×͹㹸ÃÃÁªÒµÔ ¡ÒÃâ¨ÁµÕ¤é¹ËÒà¾×èÍãªé»ÃÐ⪹ì¨Ò¡Ê¶Ò¹¡Òóì·ÕèÁҵáÒûéͧ¡Ñ¹Áҵðҹä´éäÁè¶Ù¡ãªéá·¹ ÃÒÂÅÐàÍÕ´ã¹Êèǹ "¡Òûéͧ¡Ñ¹" ¡Ô¨¡ÃÃÁ»ÃÒ¡¯¢Öé¹·Õè ¨Ðàª×èÍÁ⧡ѺªØ´¢éÍÁÙÅ·ÕèãªéÃèÇÁ¡Ñ¹¢Í§áµèÅоÂÒÂÒÁ compromise à«ÔÃì¿àÇÍÃì·Õèãªé Windows 2000 ´éÇÂà赯 compromises àÊÃç¨àÃÕºÃéÍÂáÅéÇÍÍ¡¨Ò¡ÃٻẺ¾ÔàÈÉ º·¤ÇÒÁ¹ÕéáÊ´§á¿éÁáÅÐâ»Ãá¡ÃÁ·Õè¨ÐãËéËÅÑ¡°Ò¹¢Í§¤ÇÒÁàÊÕÂËÒÂÊÓàÃ稵ÒÁ¡ÒÃÃٻẺ¹Õéà¾×èÍãËé¤Ø³ÊÒÁÒö·Ó¡ÒôÓà¹Ô¹¡Ò÷ÕèàËÁÒÐÊÁ¡Ñº:

• µÃǨ¾º¤ÍÁ¾ÔÇàµÍÃì·Õè¶Ù¡â¨ÁµÕ
• «èÍÁá«Á áÅСÒáÙé¤×¹¤ÍÁ¾ÔÇàµÍÃì¶Ù¡â¨ÁµÕ

¼Å¡Ãзº¢Í§¡ÒÃâ¨ÁµÕ

¤ÇÒÁàÊÕÂËÒ¢ͧà«ÔÃì¿àÇÍÃì

ÍÒ¡ÒÃ

Ãкº·Õè¶Ù¡â¨ÁµÕáÊ´§ÍÂèÒ§¹éÍÂ˹Öè§ÍÒ¡ÒôѧµèÍ仹Õé:

• «Í¿µìáÇÃì»éͧ¡Ñ¹äÇÃÑÊÍÒ¨ºè§ªÕéÇèÒ ÁѹµÃǨ¾º Trojans àªè¹ Backdoor.IRC.Flood áÅеÑÇá»Ã¹Ñé¹ ¼ÅÔµÀѳ±ì»éͧ¡Ñ¹äÇÃÑʻѨ¨ØºÑ¹ (·ÕèãªéÅÒÂà«ç¹·ÕèÁÕ¡ÒûÃѺ»Ãاá¿éÁ) µÃǨ¾º Trojans àËÅèÒ¹Õé
• ¶éÒ¤ÍÁ¾ÔÇàµÍÃì¶Ù¡â¨ÁµÕà»ç¹µÑǤǺ¤ØÁâ´àÁ¹ ¹âºÒ¡ÒÃÃÑ¡ÉÒ¤ÇÒÁ»ÅÍ´ÀѶ١»ÃѺà»ÅÕè¹ ºÒ§Êèǹ¢Í§ÅѡɳоÔàÈÉ·Õèà»ç¹ä»ä´é¢Í§¹âºÒ¡ÒÃÃÑ¡ÉÒ¤ÇÒÁ»ÅÍ´ÀÑ·Õèá¡éä¢ä´é:
  • ºÑ­ªÕ guest ·Õè¶Ù¡»Ô´ãªé§Ò¹¡è͹˹éÒ¹Õé¡ÓÅѧ re-enabled
  • ºÑ­ªÕ·ÕèäÁèä´éÃѺ͹حҵãËÁè ÍÒ¨ ÁÕÊÔ·¸Ôì¢Í§¼Ùé´ÙáÅÃкº ¨Ð¶Ù¡ÊÃéÒ§¢Öé¹
  • ÁÕ¡ÒÃà»ÅÕè¹á»Å§ÊÔ·¸Ôì´éÒ¹¤ÇÒÁ»ÅÍ´ÀÑ º¹à«ÔÃì¿àÇÍÃì ËÃ×Í ã¹ Active Directory
  • ¼ÙéãªéäÁèÊÒÁÒöÅçÍ¡ÍÔ¹ä»Âѧâ´àÁ¹¨Ò¡àÇÔÃì¡Ê൪ѹ
  • ¼ÙéãªéäÁèÊÒÁÒöà»Ô´Êá¹ç»ÍÔ¹¢Í§ Active Directory ã¹ Microsoft Management Console (MMC)
  • àÁ×èͼÙé´ÙáÅÃкº¾ÂÒÂÒÁ·Õè¨Ðà»Ô´ä´àá·ÍÃբͧ䫵ì·Õèãªé§Ò¹ÍÂÙèáÅкÃÔ¡ÒÃÊá¹»ÍÔ¹ ¤Ø³ä´éÃѺ¢éͤÇÒÁáÊ´§¢éͤÇÒÁáÊ´§¢éͼԴ¾ÅÒ´µèÍ仹Õé:
    ¢éÍÁÙÅ¡ÒõÑ駪×èÍäÁèÁÕÍÂÙèà¹×èͧ¨Ò¡: à«ÔÃì¿àÇÍÃìäÁè·Ó§Ò¹ä´é µÔ´µèͼÙé´ÙáÅÃкº¢Í§¤Ø³à¾×è͵ÃǨÊͺÇèÒ â´àÁ¹¢Í§¤Ø³¶Ù¡¡Ó˹´¤èÒÍÂèÒ§¶Ù¡µéͧ áÅÐÍÂÙèã¹Ê¶Ò¹ÐÍ͹äŹìã¹¢³Ð¹Õé
  • ÅçÍ¡¢éͼԴ¾ÅÒ´áÊ´§¤ÇÒÁ¾ÂÒÂÒÁà¢éÒÊÙèÃкºÅéÁàËÅÇËÅÒ¨ҡ¼Ùéãªé·Õè¶Ù¡µéͧµÒÁ¡®ËÁÒ·Õè¶Ù¡»Ô´ãªé§Ò¹
  • àÁ×èͤس¾ÂÒÂÒÁ·Õè¨ÐàÃÕ¡ãªé DCDIAG º¹µÑǤǺ¤ØÁâ´àÁ¹ ¤Ø³ÍÒ¨ä´éÃѺ¢éͤÇÒÁáÊ´§¢éͼԴ¾ÅÒ´µèÍ仹ÕéÍÂèÒ§¹éÍÂ˹Öè§ÍÂèÒ§:
    Performing initial setup: [sic1] LDAP bind failed with error 31, a device attached to the system is not functioning.
    Performing initial setup: [Servername] LDAP bind failed with error 1323, unable to update the password. The value provided as the current password is incorrect. ***Error: The machine could not attach to the DC because the credentials were incorrect. Check your credentials or specify credentials with /u:<domain>\<user> & /p:[<password>|*|""]</password></user></domain>
    ËÁÒÂà˵Ø:ã¹¢éͤÇÒÁ¢éͼԴ¾ÅÒ´¹ÕéServernameis the name of the domain controller.

Also, when you try to back up the system state on the infected computer, the following error messages may appear in the Application log on the computer where you are performing the backup:ËÁÒÂà˵Ø:ã¹¢éͤÇÒÁ¢éͼԴ¾ÅÒ´¹Õécomputernameis the network basic input/output system (NetBIOS) name of the computer.

Technical Details

If the computer has been compromised, antivirus software may detect malicious code such as Backdoor.IRC.Flood and its variants. For more information, contact your antivirus vendor.

In the cases that Microsoft has analyzed, the compromised servers were found to have the following files and programs. The presence of these files indicates that the system has been compromised. If these files or programs are found on your computer, and if they were not installed by you or with your knowledge, run a complete virus scan with an up-to-date virus scanning program.

ËÁÒÂà˵Ø:Paths to the files are not listed because they may vary.

• Gg.bat: Gg.bat tries to connect to other servers as administrator, admin or root, looks for the Flashfxp and the Ws_ftp programs on the server, copies several files (including Ocxdll.exe) to the server, and then uses the Psexec program to execute commands on the remote server.
• Seced.bat: Seced.bat changes the security policy.
• Nt32.ini
• Ocxdll.exe
• Gates.txt
• Task32.exe

In other cases, legitimate programs have been installed by the attackers to aid in the compromise. If these programs are found on your systems, and if you did not install them, it may indicate a compromise, and you should investigate further.

• Psexec
• Ws_ftp
• Flashfxp

A final set of files that are associated with these attacks are a pair of legitimate system files that are routinely installed on systems, but trojanized versions of which are installed as part of the attack. Most antivirus vendors' products, when they are used in conjunction with the current virus signatures, will detect the trojanized versions of these files if they are present.

• MDM.exe
• Taskmngr.exe

Attack Vectors

Analysis to date indicates that the attackers appear to have gained entry to the systems by using weak or blank administrator passwords. Microsoft has no evidence to suggest that any heretofore unknown security vulnerabilities have been used in the attacks.

»éͧ¡Ñ¹

Microsoft recommends that customers protect their servers against this and other attacks by making sure that they follow standard security best practices, such as:

• Eliminating blank or weak administrator passwords.
• Disabling the guest account.
• Running current antivirus software with up-to-date virus signature definitions.
• Using firewalls to protect internal servers, including domain controllers.
• Staying up to date on all security patches.

For guidance on best practices to prescriptively configure Microsoft Windows 2000-based servers, see the Security Operations Guide for Windows 2000 Server. To see this guide, visit the following Microsoft Web site:For more information about how to keep Windows 2000 Server patched and secure, visit the following Microsoft Web site:Alternatively, you can use the Microsoft Security Baseline Analyzer. For more information about the Microsoft Security Baseline Analyzer, visit the following Microsoft Web site:

Detection

To date, the only systems reported to have been affected by this attack have been systems that are running Microsoft Windows 2000 Server. Microsoft recommends that customers scan their Windows 2000 Server-based environments to determine if the files that are listed in the "Technical Details" section of this article exist. Because some of the files may have been legitimately installed, customers should investigate them to determine their usage and intent.

¡Ùé¤×¹

For help with recovery, contact Microsoft Product Support Services by using your preferred method. For more information about methods to contact Microsoft Product Support Services, visit the following Microsoft Web site:

ÊÔè§ÊӤѭ¹ÕéÊèǹ ÇÔ¸Õ ËÃ×ͧҹ»ÃСͺ´éÇ¢Ñ鹵͹·ÕèºÍ¡ÇÔ¸Õ¡ÒÃá¡éä¢ÃÕ¨ÔÊ·ÃÕ ÍÂèÒ§äáçµÒÁ »Ñ­ËÒÃéÒÂáçÍÒ¨à¡Ô´¢Öé¹ËÒ¡¤Ø³»ÃѺà»ÅÕè¹ÃÕ¨ÔÊ·ÃÕäÁè¶Ù¡µéͧ ´Ñ§¹Ñé¹ â»Ã´µÃǨÊͺãËéá¹èã¨ÇèҤسä´é·ÓµÒÁ¢Ñ鹵͹àËÅèÒ¹ÕéÍÂèÒ§ÃÐÁÑ´ÃÐÇѧ ÊÓËÃѺ¡Òûéͧ¡Ñ¹à¾ÔèÁàµÔÁ ãËéÊÓÃͧÃÕ¨ÔÊ·ÃÕ¡è͹·Ó¡ÒûÃѺà»ÅÕè¹ à¾×èÍ·Õè¤Ø³¨ÐÊÒÁÒö¤×¹¤èÒÃÕ¨ÔÊ·ÃÕä´éËÒ¡ÁջѭËÒà¡Ô´¢Öé¹ ÊÓËÃѺ¢éÍÁÙÅà¾ÔèÁàµÔÁà¡ÕèÂǡѺÇÔ¸Õ¡ÒÃÊÓÃͧ¢éÍÁÙÅáÅФ׹¤èÒÃÕ¨ÔÊ·ÃÕ â»Ã´¤ÅÔ¡·ÕèËÁÒÂàÅ¢º·¤ÇÒÁµèÍ仹Õé à¾×èÍ´Ùº·¤ÇÒÁã¹°Ò¹¤ÇÒÁÃÙé¢Í§ Microsoft::

àÁ×è͵éͧ¡ÒÃá¡é䢻ѭËÒ¹Õé ¤Ø³µéͧ¡ÒÃà»ÅÕ蹪×èÍá¿éÁ·ÕèÃÐºØ áÅéÇ»ÃѺà»ÅÕè¹ÃÕ¨ÔÊ·ÃÕ â´ÂãËé·ÓµÒÁ¢Ñ鹵͹µèÍ仹Õé:

ËÁÒÂà˵Ø:¢Ñ鹵͹µèÍ仹ÕéÁÕ੾ÒСÒÃá¡é䢻ѭËÒªÑèǤÃÒÇ ¢Ñ鹵͹àËÅèÒ¹ÕéàÍÒÅѡɳоÔàÈɢͧ¡ÒõԴäÇÃÑÊ´Ñé§à´ÔÁà·èÒ¹Ñé¹ ¢Ñ鹵͹àËÅèÒ¹ÕéäÁèä´éźäÇÃÑÊ·Õèà¾ÔèÁàµÔÁã´ æ ·ÕèµÔ´äÇÃÑÊ㹤ÍÁ¾ÔÇàµÍÃì·Õèä´éÃѺËÅѧ¨Ò¡·Õè¤ÍÁ¾ÔÇàµÍÃì¶Ù¡áá àÃÒ¢Íá¹Ð¹ÓãËé ¤Ø³¤×¹¤èÒÃкº»¯ÔºÑµÔ¡Òà â´Â¡ÒÃãªéÊ×èÍÊÓÃͧ¢éÍÁÙŵÃǨÊͺ¨Ò¡¨Ø´·Õè´Õ·ÕèÃÙé¨Ñ¡ ¡è͹·Õè¤ÍÁ¾ÔÇàµÍÃì·ÕèÁÕ¡ÒõԴäÇÃÑÊ ¤Ø³ÊÒÁÒö¨Ð ¿ÍÃìáÁµä´Ã¿ìÎÒÃì´´ÔÊ¡ì µÔ´µÑé§Ãкº»¯ÔºÑµÔãËÁè áÅéÇ ¤×¹¤èÒ¢éÍÁÙÅ·Õè¢Ò´ËÒÂä» ´éÇ¡ÒÃãªéÊ×èÍÊÓÃͧ¢éÍÁÙŵÃǨÊͺ¨Ò¡¨Ø´·Õè´Õ·Õè·ÃÒºÍÂÙèáÅéÇ

1. º¹¤ÍÁ¾ÔÇàµÍÃì·Õèãªé Windows 2000 ¤ÅÔ¡¢ÇÒ·Õèᶺ§Ò¹ áÅШҡ¹Ñé¹ ¤ÅÔ¡µÑǨѴ¡Òçҹ.
2. ã¹µÑǨѴ¡Òçҹ àÅ×Í¡Taskmngr.exeáÅéÇ ¤ÅÔ¡¨Ø´ÊÔé¹ÊØ´.
   
   ËÁÒÂà˵Ø:µÃǨÊͺãËéá¹èã¨ÇèÒ ¤Ø³àÅ×Í¡Taskmngr.exeáÅÐäÁèTaskmgr.exe
3. »Ô´ Task Manager
4. â´Âãªé Microsoft Windows Explorer ¤é¹ËÒâ¿Åà´ÍÃì \WINNT\System32 à»ÅÕ蹪×èÍá¿éÁµèÍ仹Õé·ÕèÁÕÍÂÙèã¹â¿Åà´ÍÃì \WINNT\System32 â´Â¡ÒþÔÁ¾ì.bak㹵͹·éÒ¢ͧª×èÍá¿éÁ
   
   ËÁÒÂà˵Ø:ºÒ§á¿éÁàËÅèÒ¹ÕéÍÒ¨äÁèä´éÍÂÙèã¹â¿Åà´ÍÃì \WINNT\System32
   • Nt32.ini
   • Nt16.ini
   • Dll32nt.hlp
   • Xvpll.hlp
   • Dll32.hlp
   • Httpsearch.ini
   • Mdm.scr
   • Gates.txt
   • Taskmngr.exe
   • Secedit.sdb
   • Seced.bat
   • Ocx.dll
   • Dll16.ini
   • Gg.bat
   • Ocxdll.exe
   ËÁÒÂà˵Ø:¡ÒÃà»ÅÕ蹪×èÍá¿éÁàËÅèÒ¹Õé ´Óà¹Ô¹¡ÒôѧµèÍ仹Õé:
   1. ã¹â¿Åà´ÍÃì \WINNT\System32 ¤ÅÔ¡¢ÇÒ·Õèá¿éÁã¹ÃÒ¡ÒÃã´ æ ¤ÅÔ¡à»ÅÕ蹪×èÍ»ÃÐàÀ·:.bak㹵͹·éÒ¢ͧª×èÍá¿éÁ áÅéÇ¡´»é͹.
      
      µÑÇÍÂèÒ§àªè¹ ¤Ø³ÊÒÁÒöà»ÅÕ蹪×èÍ Nt32.ini ä» Nt32.ini.bak
   2. ¢Ñ鹵͹·Õè·Ó«éÓ¡ÒÃÊÓËÃѺáµèÅÐá¿éÁ·ÕèÍÂÙèã¹ÃÒ¡ÒùÕé
5. ¤ÅÔ¡àÃÔèÁ¡Ò÷ӧҹ¤ÅÔ¡àÃÕ¡ãªé»ÃÐàÀ·:regeditáÅéÇ ¤ÅÔ¡µ¡Å§.
6. ã¹ Registry Editor ¤é¹ËÒ¤ÕÂìÂèÍ¢ͧÃÕ¨ÔÊ·ÃÕµèÍ仹Õé:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
7. ¤ÅÔ¡¤èÒ Rundll32 ·ÕèÍéÒ§ÍÔ§ Taskmngr.exe ÀÒÂãµé¤ÕÂìÂèÍ¢ͧÃÕ¨ÔÊ·ÃÕµèÍ仹Õé áÅШҡ¹Ñé¹ ¤Åԡź:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
8. ¶éҤسÁÕµÑǤǺ¤ØÁâ´àÁ¹ Windows 2000 ·ÕèÁÕ¡ÒõԴäÇÃÑÊ·Õèâ·Ã¨Ñ¹ MIRC ãªé Windows Explorer à¾×èͤé¹ËÒá¿éÁ GmpTpl.inf ·ÕèÍÂÙèã¹â¿Åà´ÍÃìµèÍ仹Õéã¹µÑǤǺ¤ØÁâ´àÁ¹ 2000 Windows:
   \WINNT\SYSVOL\sysvol\DomainName\Policies\ {guid} \MACHINE\Microsoft\Windows NT\SecEdit
   ËÁÒÂà˵Ø:ã¹â¿Åà´ÍÃìª×è͹ÕéDomainNameª×èͧ͢â´àÁ¹ Windows 2000
9. à»ÃÕºà·Õºá¿éÁ·ÕèÃÙé¨Ñ¡´ÕÊÓà¹Ò¢Í§á¿éÁ GmpTpl.inf GmpTpl.inf ¤Ø³ÊÒÁÒö¤×¹¤èÒÊÓà¹Ò·Õè´Õ·ÕèÃÙé¨Ñ¡¢Í§á¿éÁ GmpTpl.inf â´Â¡ÒÃãªéÊ×èÍÊÓÃͧ¢éÍÁÙŵÃǨÊͺ¨Ò¡¨Ø´·Õè´Õ·ÕèÃÙé¨Ñ¡ ËÃ×Í â´ÂãªéµÑǤǺ¤ØÁâ´àÁ¹ Windows 2000 Í×è¹
   
   ËÁÒÂà˵Ø:äÇÃÑÊ MIRC â·Ã¨Ñ¹ÍÒ¨à»ÅÕè¹á»Å§ ËÃ×Íà¾ÔèÁ SeNetworkLogonRight ¤èÒ·ÕèÍÂÙèã¹á¿éÁ GmpTpl.inf ä´é

ËÅѧ¨Ò¡·Õè¤Ø³ä´é´Óà¹Ô¹¡ÒâÑ鹵͹àËÅèÒ¹Õé àÃÒ¢Íá¹Ð¹ÓãËé ¤Ø³ãªé«Í¿µìáÇÃì»éͧ¡Ñ¹äÇÃÑÊ·ÕèÁÕËÁÒÂàÅ¢äÇÃÑÊÅèÒÊØ´à¾×è͵ÃǨËÒ áÅÐàÍÒäÇÃÑÊ MIRC â·Ã¨Ñ¹ ¢Ñ鹵͹¶Ñ´ä» ¨Ñ´ÃٻẺáÅéÇ µÔ´µÑé§à«ÔÃì¿àÇÍÃì·Ñ¹·Õ·ÕèÁÕ¤ÇÒÁÊдǡÊÓËÃѺ¤Ø³ àÃÒ¢Íá¹Ð¹Ó¡ÒáÃзӹÕéä´éà¹×èͧ¨Ò¡à«ÔÃì¿àÇÍÃìä´éÃѺ¤ÇÒÁàÊÕÂËÒÂ