Poke poke regedit!
True enough I foud a rather suspicious looking file in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
It was calling this file csnss.exe file as "System Monitor". The entry was "System Monitor" = "csnss.exe" and also another copy of itself at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices as well. I know that this is not right, looks alot like a typical worm trigger to me. So poof I deleted them off only to find the values restored when I load up regedit again.
Worm is in memory! and true enough I found 2 instance of csnss.exe running in my task manager.
TCP hog
Knowing that the worm is still in memory, I did a quick check of my outgoing connections. And I found that I have a lot of connection out to port 445 of random ip addresses within my home network. The virus is trying to propogate!.
E:\Documents and Settings\root>netstat -aCulprit?
Active Connections
Proto Local Address Foreign Address State
TCP rumah:epmap rumah:0 LISTENING
TCP rumah:microsoft-ds rumah:0 LISTENING
TCP rumah:61190 rumah:0 LISTENING
TCP rumah:1033 rumah:0 LISTENING
TCP rumah:10110 rumah:0 LISTENING
TCP rumah:netbios-ssn rumah:0 LISTENING
TCP rumah:1037 xdsl-87-78-63-92.netcologne.de:4661 ESTABLISHED
TCP rumah:1322 192.168.73.201:ms-sql-s SYN_SENT
TCP rumah:1323 192.168.106.44:microsoft-ds SYN_SENT
TCP rumah:1324 192.168.131.139:microsoft-ds SYN_SENT
TCP rumah:1325 192.168.100.105:ms-sql-s SYN_SENT
TCP rumah:1326 192.168.144.204:microsoft-ds SYN_SENT
TCP rumah:1327 192.168.22.25:microsoft-ds SYN_SENT
TCP rumah:1328 192.168.243.129:ms-sql-s SYN_SENT
TCP rumah:1329 192.168.187.27:microsoft-ds SYN_SENT
TCP rumah:1330 192.168.95.51:microsoft-ds SYN_SENT
TCP rumah:1331 192.168.72.253:ms-sql-s SYN_SENT
UDP rumah:tftp *:*
UDP rumah:microsoft-ds *:*
UDP rumah:isakmp *:*
UDP rumah:1029 *:*
UDP rumah:1036 *:*
UDP rumah:4500 *:*
UDP rumah:ntp *:*
UDP rumah:1900 *:*
UDP rumah:62515 *:*
UDP rumah:62517 *:*
UDP rumah:62519 *:*
UDP rumah:62521 *:*
UDP rumah:62523 *:*
UDP rumah:62524 *:*
UDP rumah:ntp *:*
UDP rumah:netbios-ns *:*
UDP rumah:netbios-dgm *:*
UDP rumah:1900 *:*
E:\Documents and Settings\root>
An interesting finding... seems that there's a host that my machine connecting outside of my home network. Could be worm calling home and sending informations from my machine.
TCP rumah:1037 xdsl-87-78-63-92.netcologne.de:4661 ESTABLISHED
Or maybe it's just my machine connecting via edonkey protocol that's running on port 4661 on the machine. Hmm I don't have any P2P running at the time that I took the netstat reading.. suspicious.. suspicious...
I quickly Killed both of the csnss.exe and proceeded to remove the 2 registry keys above. Success! I rebooted and checked again and no more worm processes spawned by registry. Ran quick windows update to plug whatever holes the worm came in from and started my forensic investigation.
To be continued with my forensic investigation of how I got wormed in the first place...