UPDATE: As of September 6, 2002, reports of malicious activity that follow the particular pattern that is outlined in this article have lessened significantly. The Microsoft Product Support Services Security Team has modified this Microsoft Knowledge Base article to reflect this information and to refine suggestions for detection and repair criteria.
Microsoft has investigated an increase in malicious activity that tries to load code on Microsoft Windows 2000-based servers. This activity is typically associated with a program that has been identified as Backdoor.IRC.Flood.
By analyzing computers that have been compromised, Microsoft has determined that these attacks do not appear to exploit any new product-related security vulnerabilities and do not appear to be viral or worm-like in nature. Instead, the attacks seek to take advantage of situations where standard precautions have not been taken as detailed in the "Prevention" section. The activity appears to be associated with a coordinated series of individual attempts to compromise Windows 2000-based servers. As a result, successful compromises leave a distinctive pattern. This article lists files and programs that would provide evidence of a successful compromise according to this pattern so that you can take appropriate action to:
Detect compromised computers.
Repair and recover compromised computers.
Impact of Attack: Compromise of Server
Compromised systems show one or more of the following symptoms:
Antivirus software may indicate that it has detected Trojans, such as Backdoor.IRC.Flood and its variants. Current antivirus products (that use up-to-date signature files) detect these Trojans.
If the compromised computer is a domain controller, the security policy is modified. Some of the possible effects of a modified security policy are:
Guest accounts that were previously disabled are re-enabled.
New unauthorized accounts, possibly with administrative privileges, are created.
Security permissions are changed on servers or in Active Directory.
Users cannot log on to the domain from the workstations.
Users cannot open Active Directory snap-ins in Microsoft Management Console (MMC).
When an administrator tries to open the Active Directory Sites and Services snap-in, the following error message appears:
Naming Information cannot be located because: The server is not operational. Contact your system administrator to verify that your domain is properly configured and is currently online.
Error logs display multiple failed logon attempts from legitimate users who were locked out.
When you try to run DCDIAG on a domain controller, you may receive one or more of the following error messages:
Performing initial setup: [sic1] LDAP bind failed with error 31, a device attached to the system is not functioning.
Performing initial setup: [ServerName] LDAP bind failed with error 1323, unable to update the password. The value provided as the current password is incorrect. ***Error: The machine could not attach to the DC because the credentials were incorrect. Check your credentials or specify credentials with /u:<domain>\<user> & /p:[<password>|*|""]
Note In this error message, ServerName is the name of the domain controller.
Also, when you try to back up the system state on the infected computer, the following error messages may appear in the Application log on the computer where you are performing the backup:
Event ID: 8012 Source: NTBackup Description: The 'Active Directory' returned 'A device attached to the system is not functioning.' from a call to 'BackupPrepare()' additional data '\\ComputerName'.
Note In this error message, ComputerName is the network basic input/output system (NetBIOS) name of the computer.
Event ID: 1000 Source: Userenv Description: Windows cannot determine user or computer name. Return value (1326)
If the computer has been compromised, antivirus software may detect malicious code such as Backdoor.IRC.Flood and its variants. For more information, contact your antivirus vendor.
In the cases that Microsoft has analyzed, the compromised servers were found to have the following files and programs. The presence of these files indicates that the system has been compromised. If these files or programs are found on your computer, and if they were not installed by you or with your knowledge, run a complete virus scan with an up-to-date virus scanning program.
Note Paths to the files are not listed because they may vary.
Gg.bat: Gg.bat tries to connect to other servers as administrator, admin or root, looks for the Flashfxp and the Ws_ftp programs on the server, copies several files (including Ocxdll.exe) to the server, and then uses the Psexec program to execute commands on the remote server.
Seced.bat: Seced.bat changes the security policy.
In other cases, legitimate programs have been installed by the attackers to aid in the compromise. If these programs are found on your systems, and if you did not install them, it may indicate a compromise, and you should investigate further.
A final set of files associated with these attacks is a pair of legitimate system files that are routinely installed on systems; the attack installs trojanized versions of these files. Most antivirus vendors' products, when used with current virus signatures, detect the trojanized versions of these files if they are present.
Analysis to date indicates that the attackers appear to have gained entry to the systems by using weak or blank administrator passwords. Microsoft has no evidence to suggest that any previously unknown security vulnerabilities have been used in the attacks.
Microsoft recommends that customers protect their servers against this and other attacks by making sure that they follow standard security best practices, such as:
Eliminating blank or weak administrator passwords.
Disabling the guest account.
Running current antivirus software with up-to-date virus signature definitions.
Using firewalls to protect internal servers, including domain controllers.
Staying up to date on all security patches.
For guidance on best practices to prescriptively configure Microsoft Windows 2000-based servers, see the Security Operations Guide for Windows 2000 Server. To see this guide, visit the following Microsoft Web site:
To date, the only systems reported to have been affected by this attack have been systems that are running Microsoft Windows 2000 Server. Microsoft recommends that customers scan their Windows 2000 Server-based environments to determine if the files that are listed in the "Technical Details" section of this article exist. Because some of the files may have been legitimately installed, customers should investigate them to determine their usage and intent.
For help with recovery, contact Microsoft Product Support Services by using your preferred method. For more information about methods to contact Microsoft Product Support Services, visit the following Microsoft Web site:
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
To work around this problem, you must rename specific files and then modify the registry. To do this, follow these steps.
Note The following steps are only a temporary solution. These steps only remove the effects of the original infection. These steps do not remove any additional viruses that the computer obtained after the computer was first infected. We recommend that you restore the operating system by using verified backup media from a known good point, before the computer was infected. You can also format the hard disk drive, reinstall the operating system, and then restore the missing data by using verified backup media from a known good point.
On the Windows 2000-based computer, right-click the taskbar, and then click Task Manager.
In Task Manager, select Taskmngr.exe, and then click End.
Note Make sure that you select Taskmngr.exe and not Taskmgr.exe.
Close Task Manager.
By using Microsoft Windows Explorer, locate the \WINNT\System32 folder. Rename the following files that are contained in the \WINNT\System32 folder by typing .bak at the end of the file name.
Note Some of these files may not be contained in the \WINNT\System32 folder.
Note To rename these files, follow these steps:
In the \WINNT\System32 folder, right-click any of the files in the list, click Rename, type .bak at the end of the file name, and then press Enter.
For example, you can rename Nt32.ini to Nt32.ini.bak.
Repeat step a for each file that is in this list.
Click Start, click Run, type regedit, and then click OK.
In Registry Editor, locate the following registry subkey:
If you have a Windows 2000 domain controller that has been infected with the MIRC Trojan virus, use Windows Explorer to locate the GmpTpl.inf file that is located in the following folder on the Windows 2000 domain controller:
Note In this folder name, DomainName is the name of the Windows 2000 domain.
Compare the GmpTpl.inf file to a known good copy of the GmpTpl.inf file. You can restore a known good copy of the GmpTpl.inf file by using verified backup media from a known good point or by using another Windows 2000 domain controller.
Note The MIRC Trojan virus may change or add the SeNetworkLogonRight value that is contained in the GmpTpl.inf file.
After you complete these steps, we recommend that you use antivirus software that has the latest virus definitions to detect and remove the MIRC Trojan virus. Next, format and then reinstall the server as soon as it is convenient for you. We recommend this action because the server has been compromised.
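The file indicators from the "Technical Details" section and the GmpTpl.inf comparison in the steps above can be checked programmatically. The following Python script is an added example and is not part of the Microsoft article; the template contents, SIDs, and function names are constructed for illustration.

```python
# Added example, not code from the Microsoft Knowledge Base article. It checks a
# file or process listing for the names the article associates with this compromise
# and diffs the [Privilege Rights] section of a GmpTpl.inf security template against
# a known-good copy, which is how the article says to review SeNetworkLogonRight.
import configparser

# Names the article lists as evidence of this compromise pattern. Taskmngr.exe is the
# trojan's process; the legitimate Task Manager is Taskmgr.exe and must not match.
INDICATOR_NAMES = {"gg.bat", "seced.bat", "ocxdll.exe", "taskmngr.exe", "nt32.ini"}

# Constructed sample templates (the SIDs and layout are illustrative, not from the page).
# A real GmpTpl.inf is a Unicode text file; read it from disk with encoding="utf-16".
GOOD_TEMPLATE = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544
"""
# Same template with SeNetworkLogonRight widened to Everyone and Guests (constructed).
SUSPECT_TEMPLATE = GOOD_TEMPLATE.replace(
    "SeNetworkLogonRight = *S-1-5-11,*S-1-5-32-544",
    "SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-546",
)

def find_indicator_files(names):
    """Return entries from a directory or process listing that match the indicators."""
    return [name for name in names if name.lower() in INDICATOR_NAMES]

def parse_template(text):
    """Parse an INI-style security template into {section: {key: value}}."""
    parser = configparser.RawConfigParser(delimiters=("=",), strict=False)
    parser.optionxform = str  # keep the SeNetworkLogonRight capitalization
    parser.read_string(text)
    return {section: dict(parser.items(section)) for section in parser.sections()}

def diff_privilege_rights(good_text, suspect_text):
    """Return {right: (known_good_value, suspect_value)} for rights that differ."""
    good = parse_template(good_text).get("Privilege Rights", {})
    suspect = parse_template(suspect_text).get("Privilege Rights", {})
    changed = {}
    for right in sorted(set(good) | set(suspect)):
        if good.get(right, "").strip() != suspect.get(right, "").strip():
            changed[right] = (good.get(right, "").strip(), suspect.get(right, "").strip())
    return changed
```

Any right reported by diff_privilege_rights should be restored from the known-good template as the steps above describe, after confirming the difference was not an authorized policy change.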