No subject


Thu Nov 23 16:34:03 EST 2017


Symptoms

You may experience one or more of the following symptoms:

- Possible detection of Trojans such as Backdoor.IRC.Flood and its variants,
  or of related Trojans with similar functionality. These Trojans may not be
  detected by your antivirus software after the attacker has modified the
  computer.
- Modification of the security policy on domain controllers. Possible effects
  of a modified security policy include:
  - Previously disabled guest accounts have been re-enabled.
  - Security permissions on your servers or in Active Directory have changed.
  - No one can log on to the domain from the workstations.
  - Active Directory snap-ins cannot be opened in the MMC.
  - The event logs show multiple failed logon attempts from legitimate users
    who were then locked out.
Technical Details

Finding any backdoor Trojan means the server has already been compromised.
An attacker with that foothold can escalate privileges, change policy and use
the server to attack other machines, so treat the host as fully compromised
rather than as a machine with one bad file on it.

The following files and programs have also been found on the computers that
were compromised:

Gg.bat

Gg.bat attempts to connect to other servers as 'administrator', 'admin', or
'root'. It then looks for FlashFXP and WS_FTP on the server, copies several
files including Ocxdll.exe to the server, and uses the PsExec program to
execute commands on the remote server. Because it reuses administrator
credentials against other servers, a single infected host should be taken
as a sign that other servers in the same domain need checking.

Seced.bat

Seced.bat changes the security policy (see the Symptoms section above for
the effects that have been observed).

Nt32.ini
Ocxdll.exe
Gates.txt
Psexec (PsExec, the Sysinternals remote-execution tool; running it installs
a PSEXESVC service on the target, which shows up as a service-control event
in the target's System event log)
Ws_ftp (the WS_FTP FTP client)
Flashfxp (the FlashFXP FTP client)

If these files are found on your computer and they were not installed by you
or with your knowledge, run a thorough virus scan with an up-to-date
virus-scanning program. Note that PsExec, WS_FTP and FlashFXP are legitimate
software, so their presence alone proves nothing; Gg.bat, Seced.bat,
Nt32.ini, Ocxdll.exe and Gates.txt are the distinctive names. As the
Symptoms section notes, the scanner may not detect the Trojan after the
attacker's modifications, so also review the domain security policy, the
state of the guest accounts, and the failed-logon and lockout events on the
domain controllers.
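The post describes two things a responder can look for: the listed file names
on disk, and the Gg.bat behaviour of trying 'administrator', 'admin' and 'root'
against one server after another, which is also what produces the failed
logons and lockouts listed under Symptoms. The script below is an added
example written for this page, not code from the original post or from any
vendor; the logon record format, the sample data, the ".exe" extension for
PsExec, the name-stem matching for WS_FTP and FlashFXP, and the two-host
threshold are all assumptions made for the example.

```python
"""Hunt for the artifacts and behaviour described above: the listed file
names on disk, a source that tries administrator/admin/root against several
servers (the Gg.bat pattern), and accounts that ended up locked out."""
import re
from collections import defaultdict

# File names listed in the post. Exact names are matched case-insensitively
# (NTFS ignores case); WS_FTP and FlashFXP are matched on the name stem because
# the post gives no extension for them. Both stems and the ".exe" for PsExec
# are assumptions made for this example.
IOC_EXACT = {"gg.bat", "seced.bat", "nt32.ini", "ocxdll.exe", "psexec.exe", "gates.txt"}
IOC_STEMS = ("ws_ftp", "flashfxp")

# Account names the post says Gg.bat tries on other servers.
SPRAY_ACCOUNTS = {"administrator", "admin", "root"}

# Constructed sample logon records (not real data). Format assumed for this
# example: "<timestamp> <target_host> <source_ip> <account> <outcome>".
SAMPLE_LOGON_EVENTS = """\
2017-11-23T16:01:02 FS01  10.0.5.77 administrator FAILURE
2017-11-23T16:01:03 FS01  10.0.5.77 admin         FAILURE
2017-11-23T16:01:04 FS01  10.0.5.77 root          FAILURE
2017-11-23T16:01:09 SQL02 10.0.5.77 administrator FAILURE
2017-11-23T16:01:10 SQL02 10.0.5.77 admin         FAILURE
2017-11-23T16:01:15 WEB03 10.0.5.77 administrator SUCCESS
2017-11-23T16:02:30 DC01  10.0.9.14 jsmith        FAILURE
2017-11-23T16:02:35 DC01  10.0.9.14 jsmith        FAILURE
2017-11-23T16:02:40 DC01  10.0.9.14 jsmith        LOCKOUT
2017-11-23T16:03:00 DC01  10.0.9.21 administrator FAILURE
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(SUCCESS|FAILURE|LOCKOUT)$")


def parse_logon_events(text):
    """Parse the sample format into dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, src, account, outcome = m.groups()
            events.append({"ts": ts, "host": host, "src": src,
                           "account": account.lower(), "outcome": outcome})
    return events


def find_spray_sources(events, min_targets=2):
    """Sources that used one of SPRAY_ACCOUNTS against at least min_targets
    distinct hosts, mapped to the sorted host list. Successes count too: a
    success following failures elsewhere is the hit that matters most."""
    targets = defaultdict(set)
    for e in events:
        if e["account"] in SPRAY_ACCOUNTS:
            targets[e["src"]].add(e["host"])
    return {src: sorted(hosts) for src, hosts in targets.items()
            if len(hosts) >= min_targets}


def spray_successes(events, min_targets=2):
    """(source, host, account) for successful logons by a spray account from a
    source already flagged by find_spray_sources: likely lateral movement."""
    sources = find_spray_sources(events, min_targets)
    return [(e["src"], e["host"], e["account"]) for e in events
            if e["src"] in sources and e["account"] in SPRAY_ACCOUNTS
            and e["outcome"] == "SUCCESS"]


def find_lockouts(events):
    """Accounts that reached LOCKOUT, mapped to the source that triggered it."""
    return {e["account"]: e["src"] for e in events if e["outcome"] == "LOCKOUT"}


def is_ioc_file(path):
    """True if the path's final component is one of the listed file names.
    Splits on both separators so Windows paths work when run elsewhere."""
    name = re.split(r"[\\/]", path)[-1].lower()
    return name in IOC_EXACT or name.startswith(IOC_STEMS)


def find_ioc_files(paths):
    """Filter an iterable of file paths (e.g. from os.walk) to the IOC names."""
    return sorted(p for p in paths if is_ioc_file(p))


if __name__ == "__main__":
    events = parse_logon_events(SAMPLE_LOGON_EVENTS)
    print("spray sources:", find_spray_sources(events))
    print("spray successes:", spray_successes(events))
    print("lockouts:", find_lockouts(events))
    sample_paths = ["C:\\Temp\\Gg.bat", "C:\\Windows\\notepad.exe",
                    "D:\\tools\\PsExec.exe",
                    "C:\\Program Files\\FlashFXP\\FlashFXP.exe"]
    print("ioc files:", find_ioc_files(sample_paths))
```

On the sample data the script flags 10.0.5.77 as the spraying source (it
touched FS01, SQL02 and WEB03 with the three account names) and reports its
one success on WEB03 as the place to look next; 10.0.9.21, which failed once
against a single host, stays below the threshold, and jsmith's lockout is
reported separately with the source that caused it. The file check flags
PsExec and FlashFXP along with Gg.bat, which is why the hits still need a
human to decide which are legitimate installs.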