MALZER.EXE ?!?

My network has been infected and within an hour of removing the virus it comes back up.

Can you provide a link from where you got the removal instructions from? How did you know the virus is called Malzer.exe?

Has any heard of or been infected with the virus MALZER.EXE? My network has been infected and within an hour of removing the virus it comes back up. The virus has been replicating itself throughout the workstations on the network and is now starting to infect the file servers. Any help on this would be great. :evil:

kennyj,

I have seen this on my systems. I have not been able to identify the name of the threat.

My traffic monitoring shows that the infected unit uses some kind of buffer-overflow exploit in windows that attacks on port 135, 139, 445, 1443.

I have done offline scans of hard drives that are infected with this worm. Nothing.

If the infected unit detects an exploitable host it tries to dump a file that represents some kind of FTP client that when executed attempts to download "MALZER.EXE" (and have also seen "MAL.EXE") which is blocked by anti-virus protection on the destination host. If the destination host has no virus protection, the deposited payload (malzer.exe) tries to download "adult1.exe". Adult1.exe is some kind of porn dialer and is not successful through the http anti-virus filtering. Our fortigate 60 detected the http download target as: "W32/Dialer.U!tr", "W32/QDial.QY!tr"


Log entry from the FG60:
The file mal.exe is infected with W32/Dialer.U!tr. ref www.fortinet.com/VirusEncyclopedia/searc...=W32%2FDialer.U%21tr .

The file Browser.exe is infected with W32/QDial.QY!tr. ref www.fortinet.com/VirusEncyclopedia/searc...=W32%2FQDial.QY%21tr .

The file bv.exe is infected with Suspicious. ref www.fortinet.com/VirusEncyclopedia/searc...virusName=Suspicious .

The infected unit attempts to propagate itself using random destination host IP addresses. The first two octets of the IP are the same and the last two octets are random.

I was able to infect a Windows 2000 professional box in about 10 minutes.

So far, we have had to rebuild and recover operating systems (C:\winnt and system state) on infected critical servers.

We are still researching to find an identification for this infection.

If you have any information on how to clean an infected host, we would be grateful.



Regards,
FortiNut67

Well, this is more based on server-side analysis than network analysis, but I noticed that every machine with malzer.exe exhibits certain characteristics:

1. Every machine so far has 2 or 3 system files modified or created that I have found easily - FTP.EXE, TFTP.EXE, and SFC.DLL.

2. There seems to be a file in the system32 directory with a one-letter name and no extension. This file contains a string of FTP commands to download something from another machine on the network.

3. An infected machine seems to look over the network for other accessible machines. When one is found, it queries the target's user list & tries to login to each account sequentially with an unknown password (possibly blank).

Preliminary observations on my part. Take all with a grain of salt & let me know if I'm wrong. I work for a school city, so rebuilding the servers really isn't a great option. I think we were one of the first to get it; google brought up nothing right after we first got infected. Fun times.

<edit>

Thanks to a trialware prog called Security Task Manager ( www.neuber.com/taskmanager/index.html ), I found a few things. Once the app loads, you can use it to view the svchost process. The app gives a window on the bottom right that reads something like "text in file." After copying & pasting this into notepad for better reading, it looks like we've got a rootkit. There are long strings of commands, many ftp, that show remote file access. One of the FTP command returns says "happy rooting," so it looks like FTP.EXE is modified. the file also shows one site that the offending executable is downloaded from. The line actually reads "DOWN Downloading URL http//66.11.113.85/sin/mal.exe to c\mal.exe". Add the missing colon, and the file is downloadable.

Also, there is a duplicate hidden svchost.exe in the windows folder (not in system32). Moving this file to a clean system & running it will take the file from its original location & put it in the windows folder, presumably infecting the machine.

Going to attempt to submit this info to our virus prot company today. Hopefully there's a solution soon.

Found something.

On both servers that I've seen infected, I believe the bogus SVCHOST.EXE is acting like a shim between the system & whatever is running malicious code. I set up the machine to delete (on reboot) the bogus svchost.exe from the root of the windows folder, and deleted ftp.exe and tftp.exe for good measure since I'll never use them on a server here. I think there are a couple of apps out there that can set up a PendingFileRenameOperation in the registry. One was called killbox, the other was a command-line app called movefile. Then, on reboot, as long as the virus scanning software is capable of stopping it (Trend Micro's OfficeScan is now detecting it for us as "worm_sdbot.ayq" and "troj_dialer.oh"), it doesn't seem to come back & stops chattering over the network.

Keeping my fingers crossed. This probably didn't completely remove it, but it's been castrated to the point that it's not active on the system anymore. We'll see how it goes in teh upcoming week.

After copying & pasting this into notepad for better reading, it looks like we've got a rootkit.

I can see you seem to have it under control, but have you tried Sysinternal's (now Microsoft's) rootkit revealer ? It may bring to light any other nasty critters that may be hidden in dark corners...

nnbnbnnbnbnnbnbnnbnbnnbnbYup, do a search on sophos's site for ftp.exe and it comes up with several Worms and Spyware.

www.sophos.com/search/search-results/?search=ftp.exe

As already mentioned in previous posts, its essential to have an updating process in place to fully patch your Windows infrastrcture, most of these things do exploit vulnerabilities in the OS.

One of the Worms that Sophos are classifying it as W32/Sdbot-CQC says that it exploits vulnerabilities a few specific vulnerabilities (The first one listed below is from Augusts 2006 & September 2006 Patches so i am really hoping that this is the culprit). If it is this worm then take a look at the links to the security updates.

www.microsoft.com/technet/security/bulletin/ms06-040.mspx - Most likely this is the patch required from August 2006 Affects Operating Systems from Windows 2000 Service Pack 4 upwards

www.microsoft.com/technet/security/bulletin/MS03-049.mspx - November 2003 Check Which Operating Systems Are Affected

www.microsoft.com/technet/security/Bulletin/ms05-039.mspx - This ones really old so i would imagine everyone has this patch from August 2005 Affects Operating Systems from Windows 2000 Service Pack 4 upwards

www.microsoft.com/technet/security/Bulletin/MS04-007.mspx - This ones really old so i would imagine everyone has this patch from Feb/June 2004 Affects from Windows NT Service Pack 6a Upwards

If you are struggling to clean your systems without it returning, ensure that the patch in the above links (if they are applicable) is installed, this should then stop the machine from getting re-infected.[/b]