70GB of Files Uploaded Because of a Trojan Virus
July 17th, 2007 by Sameer | Filed under Hosting.

The name 'trojan' comes from the Trojan Horse of Greek legend: a giant wooden horse presented to the city of Troy as a gift, which in fact concealed soldiers who climbed out at night and sacked the city. The word now means a program that gets into your computer the same way: it looks like something you want (an innocent-looking application you install yourself, for instance), but it carries hidden code that attacks the machine or hands control of it to someone else.
Recently I was dealing with a server that was compromised by the Trojan Wollf Virus…
According to Symantec, "Backdoor.Wollf.16 is a Backdoor Trojan Horse that installs itself as a server and allows unauthorized access to an infected computer."
According to Sophos, it:
- Allows others to access the computer
- Steals information
- Downloads code from the internet
- Records keystrokes
- Installs itself in the Registry
Now, the hacker who gained access to the server managed to upload some 70GB of his own files - apps, warez, MP3s, illegally copied movies and so on - onto it.
Take a look for yourself! Backdoor uploaded files (331kb)
Here is a snippet:
Directory of C:\System Volume Information\catalog.wci\bin\DVDR
06/03/2007 10:54 AM <DIR> .
06/03/2007 10:54 AM <DIR> ..
05/26/2007 10:01 AM <DIR> Borat.2006.PAL.MULTISUBS.DVDR-RUSH
06/03/2007 03:40 AM <DIR> FaTz
06/03/2007 01:25 PM <DIR> Heroes.S01.INTERNAL.HDTV.XviD-SCT
05/26/2007 01:56 PM <DIR> Smokin.Aces.PAL.NORDIC.DVDR-RUSH
05/26/2007 11:22 AM <DIR> The.Fountain.2006.PAL.PROPER.MULTISUBS.DVDR-SSB
0 File(s) 0 bytes
I created this list from the command prompt by typing "dir /s > output.txt".
These were uploaded to a dedicated Windows machine that had its Windows Update set to "automatically download but let me choose when to install". With that setting, patches are fetched but nothing is ever installed until someone logs on and clicks through, so an unattended server quietly stays unpatched.
I cleaned it up with the following steps:
- Never turn off automatic Windows Update unless you are going to watch it like a hawk, and make sure updates are actually being installed, not just downloaded
- If you are infected with a trojan, check the disk for large or recently created files, including in system folders you would not normally browse (this one was hiding under System Volume Information), as the machine may have been used as a file server
- Install Windows Defender
- Install Spybot Search & Destroy
- Install Lavasoft Ad-Aware
- Install ClamWin (on-demand scans only, it has no real-time protection) or AVG Anti-Virus (the free edition of AVG is not licensed for servers, though)
- Download McAfee Stinger, a free stand-alone tool that removes a specific list of viruses from your machine
- Run the Microsoft Malicious Software Removal Tool
- Make sure the Windows Firewall is enabled and only allows inbound connections to the services the server actually provides, or better yet get ZoneAlarm or some other software firewall
One caveat: once a backdoor has run with administrator rights, no scanner report can prove the machine is clean. For a server the safer course is to rebuild from known-good install media, patch it fully before it goes back on the network, and restore only data (not programs) from a backup taken before the compromise.
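As an added example (my own code, not anything from the original post), here is a Python script that reads a listing in the format "dir /s > output.txt" produces, like the snippet above, and answers the question in the "check the disk for large files" step: which directories hold the bulk of the bytes, which files are biggest, and when the files under a given folder were written. The sample listing embedded in it is constructed for the example (the directory names follow the post, but the files, sizes and the C:\Inetpub entry are made up), and it assumes the en-US date format dir uses; on another locale the per-directory cross-check will report a mismatch instead of silently returning zero.

```python
import ntpath
import re
from datetime import datetime

# Constructed sample in the format `dir /s > output.txt` produces on an en-US
# system.  Directory names follow the post; files, sizes and the C:\Inetpub
# entry are made up for the example.
SAMPLE = r"""
 Directory of C:\System Volume Information\catalog.wci\bin\DVDR

06/03/2007  10:54 AM    <DIR>          .
06/03/2007  10:54 AM    <DIR>          ..
05/26/2007  10:01 AM    <DIR>          Borat.2006.PAL.MULTISUBS.DVDR-RUSH
               0 File(s)              0 bytes

 Directory of C:\System Volume Information\catalog.wci\bin\DVDR\Borat.2006.PAL.MULTISUBS.DVDR-RUSH

05/26/2007  10:01 AM     4,699,979,776 rush-borat.iso
05/26/2007  10:02 AM               312 rush-borat.nfo
               2 File(s)  4,699,980,088 bytes

 Directory of C:\Inetpub\wwwroot

01/15/2007  09:00 AM             1,433 default.htm
               1 File(s)          1,433 bytes

     Total Files Listed:
               3 File(s)  4,699,981,521 bytes
"""

DIR_HEADER = re.compile(r"^\s*Directory of (.+?)\s*$")
# date, time, size with thousands separators, name; "<DIR>" rows do not match
FILE_LINE = re.compile(
    r"^\s*(\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M)\s+([\d,]+)\s+(\S.*?)\s*$")
SUMMARY_LINE = re.compile(r"^\s*[\d,]+ File\(s\)\s+([\d,]+) bytes\s*$")


def parse_dir_listing(text):
    """Return ({directory: [(name, bytes, stamp), ...]}, [directories whose
    own 'N File(s) M bytes' row disagrees with the rows parsed]).  A mismatch
    means rows were skipped, typically because the date format is not en-US."""
    files, mismatches, current = {}, [], None
    for line in text.splitlines():
        m = DIR_HEADER.match(line)
        if m:
            current = m.group(1)
            files.setdefault(current, [])
            continue
        if current is None:          # preamble or the "Total Files Listed" footer
            continue
        m = FILE_LINE.match(line)
        if m:
            stamp, size, name = m.groups()
            files[current].append((name, int(size.replace(",", "")), stamp))
            continue
        m = SUMMARY_LINE.match(line)
        if m:
            if sum(s for _, s, _ in files[current]) != int(m.group(1).replace(",", "")):
                mismatches.append(current)
            current = None           # the summary row closes the directory block
    return files, mismatches


def subtree_sizes(files):
    """Bytes held by each directory including everything beneath it."""
    totals = {}
    for directory, entries in files.items():
        direct = sum(size for _, size, _ in entries)
        path = directory
        while True:                  # credit this directory and every ancestor
            totals[path] = totals.get(path, 0) + direct
            parent = ntpath.dirname(path)
            if parent == path:       # reached the drive root
                break
            path = parent
    return totals


def heavy_directories(totals, threshold):
    """Directories holding at least `threshold` bytes, deepest first, so the
    actual dump appears above the ancestors that merely contain it."""
    hits = [(d, t) for d, t in totals.items() if t >= threshold]
    return sorted(hits, key=lambda h: (h[0].count("\\"), h[0]), reverse=True)


def largest_files(files, n=5):
    rows = [(ntpath.join(d, name), size, stamp)
            for d, entries in files.items() for name, size, stamp in entries]
    return sorted(rows, key=lambda r: r[1], reverse=True)[:n]


def activity_window(files, under=None):
    """Earliest and latest timestamp of the files under a directory: a first
    cut at when the attacker started and stopped using the box."""
    prefix = under.rstrip("\\") + "\\" if under else None
    stamps = [datetime.strptime(stamp, "%m/%d/%Y %I:%M %p")
              for d, entries in files.items()
              if prefix is None or d == under or d.startswith(prefix)
              for _, _, stamp in entries]
    return (min(stamps), max(stamps)) if stamps else None


if __name__ == "__main__":
    files, bad = parse_dir_listing(SAMPLE)
    totals = subtree_sizes(files)
    print("Directories holding 1 GB or more:")
    for path, total in heavy_directories(totals, 1 << 30):
        print(f"  {total:>16,}  {path}")
    print("Largest files:")
    for path, size, stamp in largest_files(files, 3):
        print(f"  {size:>16,}  {stamp}  {path}")
    print("Activity under System Volume Information:",
          activity_window(files, r"C:\System Volume Information"))
```

Run it against a real output.txt by reading the file instead of SAMPLE; the deepest-first ordering puts the dump directory at the top of the list, and the timestamp window tells you roughly how long the box had been serving files before anyone noticed.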
Any comments?
