Monday, November 28, 2005

wormed pt deux!

So I got home and ran an AVG scan.. nothing came up.. I got bored and tired of waiting (short attention span?) so I cancelled the scan and started poking around the system myself. I know that whatever worm has infected my machine would need to drop a copy of itself somewhere in the system. And most importantly it will need a trigger to start itself up each time the system boots. Where else to check for this other than in the registry!

Poke poke regedit!
True enough I found a rather suspicious looking file in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
It was calling this csnss.exe file "System Monitor". The entry was "System Monitor" = "csnss.exe", and there was another copy of it at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices as well. I know that this is not right; it looks a lot like a typical worm trigger to me. So poof, I deleted them, only to find the values restored when I loaded up regedit again.

Worm is in memory! And true enough I found 2 instances of csnss.exe running in my Task Manager.
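The check done by hand in regedit above, written out as an added Python example (not code from the original post): it walks the Run/RunServices keys and flags autorun values that are a bare file name with no path, or whose name is one character away from a genuine Windows system binary (csnss.exe next to csrss.exe). The sample entries reproduce the two values from the post plus one constructed benign entry; the product name and path in that entry are hypothetical, and the list of system binary names is my own.

```python
# Added example (not code from the original post): triage of Windows autorun
# registry entries such as the "System Monitor" = "csnss.exe" values found
# above. The logic works on plain (key, name, value) tuples so it runs on any
# OS; on Windows, collect_autoruns() reads the live keys through winreg.
import os
import sys

# The autorun keys inspected in the post, plus the per-user Run key.
AUTORUN_KEYS = [
    ("HKEY_LOCAL_MACHINE", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKEY_LOCAL_MACHINE", r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"),
    ("HKEY_CURRENT_USER", r"Software\Microsoft\Windows\CurrentVersion\Run"),
]

# Real Windows system binaries whose names malware is often chosen to resemble.
SYSTEM_BINARIES = {"csrss.exe", "lsass.exe", "smss.exe", "svchost.exe",
                   "services.exe", "winlogon.exe", "explorer.exe"}

# Constructed sample: the two entries from the post and one benign-looking
# entry (hypothetical product and path) to show what is not flagged.
SAMPLE_AUTORUNS = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "System Monitor", "csnss.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
     "System Monitor", "csnss.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "Example Updater", r'"C:\Program Files\Example\updater.exe" /auto'),
]


def executable_of(value):
    """Extract the program from an autorun value, honouring quoted paths."""
    v = value.strip()
    if v.startswith('"'):
        end = v.find('"', 1)
        return v[1:end] if end > 0 else v[1:]
    return v.split(" ")[0]


def within_one_edit(a, b):
    """True if a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    shorter, longer = (a, b) if len(a) < len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def triage_autoruns(entries):
    """Return (reason, key, name, value) for each entry that deserves a look."""
    findings = []
    for key, name, value in entries:
        exe = executable_of(value)
        base = os.path.basename(exe.replace("\\", "/")).lower()
        # A bare file name relies on the PATH search order: unusual for a
        # legitimate installer, typical when a dropper copies itself into a
        # system directory.
        if "\\" not in exe and "/" not in exe:
            findings.append(("bare filename, no path", key, name, value))
        # Look-alike of a genuine system process name (csnss.exe vs csrss.exe).
        for sysbin in sorted(SYSTEM_BINARIES):
            if within_one_edit(base, sysbin):
                findings.append((f"name imitates {sysbin}", key, name, value))
    return findings


def collect_autoruns():
    """Read the live autorun keys on Windows; returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg  # only available on Windows
    hives = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
             "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER}
    entries = []
    for hive, subkey in AUTORUN_KEYS:
        try:
            key = winreg.OpenKey(hives[hive], subkey)
        except OSError:
            continue  # key absent on this Windows version
        with key:
            i = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, i)
                except OSError:
                    break
                entries.append((hive + "\\" + subkey, name, str(value)))
                i += 1
    return entries


if __name__ == "__main__":
    entries = collect_autoruns() or SAMPLE_AUTORUNS
    for reason, key, name, value in triage_autoruns(entries):
        print(f"{reason}: [{key}] {name} = {value}")
```

Run on the sample, both csnss.exe entries are reported twice (no path, and a near-miss of csrss.exe) while the quoted full-path entry is silent. The one-edit rule is deliberately strict so that ordinary program names sharing a few letters with a system binary do not trip it.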

TCP hog
Knowing that the worm is still in memory, I did a quick check of my outgoing connections. And I found that I have a lot of connections out to port 445 of random IP addresses within my home network. The virus is trying to propagate!

E:\Documents and Settings\root>netstat -a

Active Connections

Proto Local Address Foreign Address State
TCP rumah:epmap rumah:0 LISTENING
TCP rumah:microsoft-ds rumah:0 LISTENING
TCP rumah:61190 rumah:0 LISTENING
TCP rumah:1033 rumah:0 LISTENING
TCP rumah:10110 rumah:0 LISTENING
TCP rumah:netbios-ssn rumah:0 LISTENING
TCP rumah:1037 xdsl-87-78-63-92.netcologne.de:4661 ESTABLISHED

TCP rumah:1322 192.168.73.201:ms-sql-s SYN_SENT
TCP rumah:1323 192.168.106.44:microsoft-ds SYN_SENT
TCP rumah:1324 192.168.131.139:microsoft-ds SYN_SENT
TCP rumah:1325 192.168.100.105:ms-sql-s SYN_SENT
TCP rumah:1326 192.168.144.204:microsoft-ds SYN_SENT
TCP rumah:1327 192.168.22.25:microsoft-ds SYN_SENT
TCP rumah:1328 192.168.243.129:ms-sql-s SYN_SENT
TCP rumah:1329 192.168.187.27:microsoft-ds SYN_SENT
TCP rumah:1330 192.168.95.51:microsoft-ds SYN_SENT
TCP rumah:1331 192.168.72.253:ms-sql-s SYN_SENT
UDP rumah:tftp *:*
UDP rumah:microsoft-ds *:*
UDP rumah:isakmp *:*
UDP rumah:1029 *:*
UDP rumah:1036 *:*
UDP rumah:4500 *:*
UDP rumah:ntp *:*
UDP rumah:1900 *:*
UDP rumah:62515 *:*
UDP rumah:62517 *:*
UDP rumah:62519 *:*
UDP rumah:62521 *:*
UDP rumah:62523 *:*
UDP rumah:62524 *:*
UDP rumah:ntp *:*
UDP rumah:netbios-ns *:*
UDP rumah:netbios-dgm *:*
UDP rumah:1900 *:*

E:\Documents and Settings\root>

Culprit?
An interesting finding... it seems there's a host outside my home network that my machine is connecting to. Could be the worm calling home and sending information from my machine.

TCP rumah:1037 xdsl-87-78-63-92.netcologne.de:4661 ESTABLISHED

Or maybe it's just my machine connecting via the eDonkey protocol, which runs on port 4661 on that machine. Hmm, I didn't have any P2P running at the time I took the netstat reading.. suspicious.. suspicious...
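The two observations from the netstat reading above (a sweep of SYN_SENT connections to ports 445 and 1433 across many LAN hosts, and one ESTABLISHED session to a host outside the home network) can be pulled out of the raw output automatically. The following Python is an added example and not part of the original post; the sample text is the TCP part of the netstat output quoted above plus a few of its UDP lines, the service-name-to-port table and the "five distinct hosts" threshold are my own choices, and "rumah" is taken from the post as the local host name.

```python
# Added example (not part of the original post): turn `netstat -a` output
# into two simple indicators: (1) a burst of half-open (SYN_SENT) connections
# to one service port across many distinct hosts, which is what a worm
# sweeping the LAN looks like, and (2) any ESTABLISHED session to a host
# outside the local/private address space.
import ipaddress
import sys
from collections import defaultdict

# Service names that Windows netstat prints instead of port numbers (assumed
# table, covering the names that appear in the post).
SERVICE_PORTS = {"epmap": 135, "netbios-ssn": 139, "microsoft-ds": 445,
                 "ms-sql-s": 1433, "tftp": 69, "netbios-ns": 137}

# Constructed sample: the TCP rows of the netstat output quoted in the post
# plus three of its UDP rows.
SAMPLE_NETSTAT = """
Active Connections

Proto Local Address Foreign Address State
TCP rumah:epmap rumah:0 LISTENING
TCP rumah:microsoft-ds rumah:0 LISTENING
TCP rumah:61190 rumah:0 LISTENING
TCP rumah:1033 rumah:0 LISTENING
TCP rumah:10110 rumah:0 LISTENING
TCP rumah:netbios-ssn rumah:0 LISTENING
TCP rumah:1037 xdsl-87-78-63-92.netcologne.de:4661 ESTABLISHED
TCP rumah:1322 192.168.73.201:ms-sql-s SYN_SENT
TCP rumah:1323 192.168.106.44:microsoft-ds SYN_SENT
TCP rumah:1324 192.168.131.139:microsoft-ds SYN_SENT
TCP rumah:1325 192.168.100.105:ms-sql-s SYN_SENT
TCP rumah:1326 192.168.144.204:microsoft-ds SYN_SENT
TCP rumah:1327 192.168.22.25:microsoft-ds SYN_SENT
TCP rumah:1328 192.168.243.129:ms-sql-s SYN_SENT
TCP rumah:1329 192.168.187.27:microsoft-ds SYN_SENT
TCP rumah:1330 192.168.95.51:microsoft-ds SYN_SENT
TCP rumah:1331 192.168.72.253:ms-sql-s SYN_SENT
UDP rumah:tftp *:*
UDP rumah:microsoft-ds *:*
UDP rumah:netbios-ns *:*
"""


def port_number(token):
    """'445' -> 445, 'microsoft-ds' -> 445; unknown names are returned as-is."""
    if token.isdigit():
        return int(token)
    return SERVICE_PORTS.get(token, token)


def split_endpoint(endpoint):
    """'192.168.73.201:ms-sql-s' -> ('192.168.73.201', 1433)."""
    host, _, port = endpoint.rpartition(":")
    return host, port_number(port)


def parse_netstat(text):
    """Keep only TCP/UDP rows; UDP rows carry no state column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        state = parts[3] if len(parts) > 3 else ""
        rows.append({"proto": parts[0], "local": split_endpoint(parts[1]),
                     "foreign": split_endpoint(parts[2]), "state": state})
    return rows


def find_scanning(rows, min_targets=5):
    """Ports with SYN_SENT attempts to at least min_targets distinct hosts."""
    targets = defaultdict(set)
    for r in rows:
        if r["proto"] == "TCP" and r["state"] == "SYN_SENT":
            host, port = r["foreign"]
            targets[port].add(host)
    return {p: len(h) for p, h in targets.items() if len(h) >= min_targets}


def is_external(host, local_host):
    """True for anything that is not this machine or a private/loopback IP."""
    if host in (local_host, "*"):
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # a DNS name other than our own machine
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def find_external_established(rows, local_host="rumah"):
    """(local port, remote host, remote port) for sessions leaving the LAN."""
    return [(r["local"][1], r["foreign"][0], r["foreign"][1])
            for r in rows
            if r["state"] == "ESTABLISHED" and is_external(r["foreign"][0], local_host)]


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    rows = parse_netstat(text)
    print("SYN_SENT sweep by port:", find_scanning(rows, min_targets=3))
    print("External ESTABLISHED:", find_external_established(rows))
```

On the sample this reports six distinct targets on 445 and four on 1433, and the single session to xdsl-87-78-63-92.netcologne.de:4661. Piping a live `netstat -a` into the script works the same way; with `netstat -an` the ports arrive numeric and the name table is simply unused.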

I quickly killed both csnss.exe processes and proceeded to remove the 2 registry keys above. Success! I rebooted and checked again, and no more worm processes were spawned from the registry. Ran a quick Windows Update to plug whatever holes the worm came in through and started my forensic investigation.

To be continued with my forensic investigation of how I got wormed in the first place...

4 comments:

  1. I usually get hit like this one, Eddie.. you must check the registry in HKEY_CURRENT_USER/Software/Microsoft/CurrentVersion/Run

  2. This is great, Eddie, keep on posting about this forensics stuff. In my advanced network class I'm doing a hands-on on this network security forensics thing; the result will be interesting.