2

I got involved in a strange scenario today :-) . Some 'UDPAgent.exe' file/worm/virus was trying to access my colleague's system, and the antivirus program was showing that this particular thing is coming from my IP, though I had no idea about the particular trojan/worm/virus.

Any ideas, guesses or help in identifying the issue would be highly appreciated.


After Rory's reply, my questions would be: 1 - Has anyone in the forum seen such programs/scripts before? 2 - What investigation can I carry out on my computer when I suspect it is compromised?

Thanks Rory!

Rory Alsop
p_upadhyay
  • This isn't the site for that sort of thing - your best bet for identification would be to check out one of the antivirus vendors' lists. However you really should take some actions right now, as you are running a machine you don't necessarily control. **[This question](http://serverfault.com/q/218005/62544)** over on Serverfault has some excellent answers on what to do, and Rein gave some nice simple steps **[here](http://security.stackexchange.com/questions/2939/what-to-do-after-suspected-intrusion-on-hobby-webserver/2980#2980)**. – Rory Alsop May 06 '11 at 09:57
  • @Rory: Thanks for the link. I have asked this question here because I thought it could be a simple popular script and just wanted to see if anyone has an idea about it. Other than that, I would have liked to know if there is any way to look into my machine's (OS: Windows) logs where I can find some information about the same. – p_upadhyay May 06 '11 at 10:03
  • Now you're getting to a much more relevant question for Security Stack Exchange: where to look for information after an attack. The actual types of virus etc. are not on topic here, but if you reword your question to something like "what investigation can I carry out on my computer when I suspect it is compromised?", you'd get some good answers. – Rory Alsop May 06 '11 at 10:08
  • @Rory: I tried to rephrase my question. Kindly feel free to add/edit/modify. Thanks again! – p_upadhyay May 06 '11 at 10:13
  • I think that should get some answers - I rephrased the title as well. Will move this answer thread to comments and see what comes in :-) – Rory Alsop May 06 '11 at 10:26

2 Answers

3

Alright, so I'm not going to outline an entire incident response procedure, but I will give you a place to start.

Download and run this tool. It is basically an in-depth snapshot of running processes on your machine. If you do have something running on your machine, 9.5 chances out of 10 it will come up in the HijackThis report. Now I will also say that if you're new to this type of thing, the resulting report is fairly hard to process, but if you're on other forums talking about this, then they're going to want to see that report.

Also, I recommend that you take a look at the proposed answers to this question, which outline some general steps that one can take to mitigate threats. Like the responses there say, the only foolproof way to make sure you're not infected is to start from scratch: wipe the disk and start over.

One last comment: if you do happen to find out that you have x or y rootkit/malware, you can then research for the tool that removes it best. I know there have been a bunch of times where Kaspersky rootkit removal tools have saved my rear-end. But I must again caution that if you remove one entity it does not mean that you've solved your problem. When you are able to remove malware, you have no way to know if that's the initial attack, the result of a bigger issue, or the only case of malware on the machine.

Ormis
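The "in-depth snapshot of running processes" that Ormis describes, and the question's "what investigation can I carry out", can be started without a third-party tool. The script below is an added example written for this page; it is not from the original answer, from HijackThis, or from any of the posters. It takes a first-pass live snapshot of a Windows host: processes with image paths and command lines (WMI, so it works on PowerShell 2.0 and up), sockets joined to their owning process via `netstat -ano`, a flag for anything whose image lives outside the system and Program Files directories or whose name matches the suspect binary, SHA-256 hashes of the flagged images for looking up on a vendor site from a clean machine, and the contents of the Run/RunOnce keys. The `$Suspect` default of `UDPAgent.exe` is taken from the question; the output directory and the "trusted directories" list are assumptions you should adjust for your build.

```powershell
# Added example, not code from the original thread. Run from an elevated prompt,
# ideally from a copy of the script on clean removable media rather than from the
# suspect disk. Defaults below ($Suspect, $OutDir, $trusted) are assumptions.
param(
    [string]$Suspect = 'UDPAgent.exe',                        # name from the question
    [string]$OutDir  = (Join-Path $env:SystemDrive 'triage')  # assumed output location
)

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# 1. Process inventory. Parent PID, image path and command line are what let you
#    spot a child of explorer.exe running out of %TEMP%, or a copy of a system
#    binary name living in the wrong directory.
$procs = Get-WmiObject Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine
$procs | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'processes.csv')

# 2. Sockets with owning PID. netstat -ano exists on every Windows version;
#    TCP rows carry a State column, UDP rows do not, so the PID index differs.
$sockets = netstat -ano | ForEach-Object {
    $f = $_.Trim() -split '\s+'
    if ($f[0] -eq 'TCP' -and $f.Count -ge 5) {
        New-Object PSObject -Property @{ Proto=$f[0]; Local=$f[1]; Remote=$f[2]; State=$f[3]; PID=[int]$f[4] }
    } elseif ($f[0] -eq 'UDP' -and $f.Count -ge 4) {
        New-Object PSObject -Property @{ Proto=$f[0]; Local=$f[1]; Remote=$f[2]; State='';    PID=[int]$f[3] }
    }
}

# 3. Join sockets to processes and decide what looks out of place.
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

# Assumed "normal" image locations; a binary elsewhere is worth a second look.
$trusted = @("$env:SystemRoot\", "${env:ProgramFiles}\", "${env:ProgramFiles(x86)}\") |
    Where-Object { $_ -ne '\' }

function Test-Suspicious($proc, $sock) {
    if (-not $proc)                { return 'PID has no visible process (exited, or hidden from WMI)' }
    if ($proc.Name -ieq $Suspect)  { return "name matches $Suspect" }
    if (-not $proc.ExecutablePath) { return 'no image path (protected/system process; verify manually)' }
    foreach ($t in $trusted) {
        if ($proc.ExecutablePath.StartsWith($t, [StringComparison]::OrdinalIgnoreCase)) { return $null }
    }
    return "image outside system/program dirs: $($proc.ExecutablePath)"
}

$report = foreach ($s in $sockets) {
    $p = $byPid[$s.PID]
    New-Object PSObject -Property @{
        Proto = $s.Proto; Local = $s.Local; Remote = $s.Remote; State = $s.State; PID = $s.PID
        Image = $(if ($p) { $p.ExecutablePath } else { '' })
        Flag  = (Test-Suspicious $p $s)
    }
}
# Flagged rows first, so the top of the CSV is what you read.
$report | Sort-Object { [string]::IsNullOrEmpty($_.Flag) } |
    Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'sockets.csv')

# 4. Hash flagged images for a vendor lookup from a clean machine. The suspect
#    host's own browser and AV are not to be trusted for that lookup.
$sha = [System.Security.Cryptography.SHA256]::Create()
$report | Where-Object { $_.Flag -and $_.Image -and (Test-Path -LiteralPath $_.Image) } |
    Select-Object -ExpandProperty Image -Unique | ForEach-Object {
        $hex = ([BitConverter]::ToString($sha.ComputeHash([System.IO.File]::ReadAllBytes($_)))) -replace '-', ''
        "$hex  $_"
    } | Set-Content -Path (Join-Path $OutDir 'hashes.txt')

# 5. Persistence: the Run keys are the commonest place a dropper re-arms itself.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runKeys | Where-Object { Test-Path $_ } | ForEach-Object {
    $k = $_
    (Get-ItemProperty $k | Select-Object * -ExcludeProperty PS*).PSObject.Properties |
        ForEach-Object { "$k : $($_.Name) = $($_.Value)" }
} | Set-Content -Path (Join-Path $OutDir 'autoruns.txt')

$flagged = @($report | Where-Object { $_.Flag }).Count
Write-Host "Snapshot written to $OutDir; $flagged socket(s) owned by flagged processes."
```

Two caveats a practitioner would add. First, everything this script reads (WMI, netstat, the registry) is served by the possibly compromised kernel and user-mode libraries, so a rootkit can hide its process and sockets from it; an empty `Flag` column is not evidence of a clean machine, which is exactly why the answers above end at "wipe the disk". Second, a binary under `C:\Windows` is not trusted just because of its path; the hashes in `hashes.txt` are what you compare against a known-good copy or a vendor database.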
2

From your mention of udpagent.exe it sounds like you got hit with a Chinese exploit-kit payload. udpagent.exe is a very common tool that is additionally downloaded after the true payload has been run, to attempt to compromise more machines on the LAN; I tend to see it most commonly with malware payloads out of China.

I agree with the majority of Ormis's suggestions above, as HijackThis is a great tool for determining the locations of the infection and hopefully removal with the guidance of a forum mod on the HijackThis forums. Though, following my own set of rules when dealing with malware these days, I would suggest removing the machine from any network connection, changing all user names and passwords from a clean machine, and running DBAN on the box (www.dban.org).

I deal with hundreds of cases like this daily, and more often than not we see VERY persistent executables bypassing AV and exfiltrating all worthwhile data by the time they get removed via AV, ComboFix, HijackThis, specialized rootkit removers and the like. So to sum it up: nuke the drive.

detro