Ygoow And Moorhunt

[Mr. Stuky]

Hey guys.

For sometime, ive seen another admin acc called "Support". I assumed guys at the DC set it up to help me with any issues faster or something. Last week i changed the pw, and logged in as it seemed a bit suspicious. I logged in, Then an application, "ygoow" was starting up. I immediately went into the processes and closed it before it fully started up. Again, "ygoow" was starting up and I immediately closed that process. I went to check the programs ("Start" - "All Programs") and saw that moorhunt was installed. I never used that program, don't even know what it is. It was in some foreign language that I can't figure out either when I opened that program up. It looked to be like a shell dos kind of thing with a command-like prompt and everything. It downloaded some torrents, and uploaded I guess. I updated windows server 08 r2, changed all the passwords, and verified that things are secure. I removed the support account, and remove the programs and files and the account. Today I checked, and moorhunt.exe was running under guest account. I checked when the file was downloaded which was 4/15 and the Guest account has been disabled long before that time.

Does anyone know what either of these programs are? Am I a victim of some sort of attack on my server? How can I stop this from happening again?

Thanks for any information and help that can be given Hak5er's <3

[digip]

Sounds like you got whacked by something. If you are unsure these files aren't legit, then I would check all files in question via VirusTotal and if possible CWSandbox. Notify whomever you need to at your work/security department, and make sure to document anything you do before and after making changes. They may want you to image this machine for forensic analysis, but that is up to whomever is in charge of your IT Security department. If you are a small shop and you are pretty much in charge of everything, notify your boss and assess the damages and go from there.

I would take every precaution to make sure that other machines on the network haven't been infected. Being that this is on the domain controller, chances are, its pushed itself out to all the clients on the network, which is an even bigger task to mop up. Whatever you decide, make sure you have backups of everything you touch and document what you find in case you have to turn it over to someone such as the authorities.

http://www.google.com/search?num=50&hl=en&newwindow=1&safe=off&q=%22moorhunt.exe+%22+ygoow&btnG=Search

Looks to be Polish.

Edited April 18, 2011 by digip

[Infiltrator]

A friend of my mum, asked me to take a look at her computer and determine the cause why it was running so slowly.

After analyzing it for sometime, discovered it was infected with more than 5 different types of Malware and Trojan.

Whenever I opened an Internet Explorer window, at the title bar I could read the very same line "Ygoow And Moorhunt".

If I were you I would run a full virus scan and if that doesn't fix the issue, reinstall Windows.

Good luck.

Edited April 18, 2011 by Infiltrator

[Mr. Stuky]

He managed to log on again. I did a scan with AVG and doing a scan now with microsoft malicious software removal. Im going to do a OS Reload this weekend. Im running gameservers for clients, so I cant do it today. Thanks for your help guys.

[Mr. Stuky]

He managed to log on again. I did a scan with AVG and doing a scan now with microsoft malicious software removal. Im going to do a OS Reload this weekend. Im running gameservers for clients, so I cant do it today. Thanks for your help guys. Question, is it possible to view where did the uploaded files come from? Thanks

Edited April 19, 2011 by Mr. Stuky

[Infiltrator]

He managed to log on again. I did a scan with AVG and doing a scan now with microsoft malicious software removal. Im going to do a OS Reload this weekend. Im running gameservers for clients, so I cant do it today. Thanks for your help guys. Question, is it possible to view where did the uploaded files come from? Thanks

That's the problem with malware, viruses and worms in general. They can come from anywhere.

1) Email attachments

2) Infected USBs

3) Infected PCs on a network

4) From the internet, by visiting websites

5) From network file sharing apps, such Limewire, Emule or Torrents.

To minimize the risks of infections, always keep your computer software updated, have a good antivirus installed and always maintain it updated.

Don't go clicking on links or downloading files that you are not certain where they are from.

The above should keep you safe. Furthermore, if I am going to do something that I know it's going to infect my PC, I always use Vmware or Virtual Box to create a virtual machine where the infection will be contained within the VM itself.

[Infiltrator]

Sorry double post, connection kept on dropping out.

Edited April 19, 2011 by Infiltrator

[Mr. Stuky]

That's the problem with malware, viruses and worms in general. They can come from anywhere.

1) Email attachments

2) Infected USBs

3) Infected PCs on a network

4) From the internet, by visiting websites

5) From network file sharing apps, such Limewire, Emule or Torrents.

To minimize the risks of infections, always keep your computer software updated, have a good antivirus installed and always maintain it updated.

Don't go clicking on links or downloading files that you are not certain where they are from.

The above should keep you safe. Furthermore, if I am going to do something that I know it's going to infect my PC, I always use Vmware or Virtual Box to create a virtual machine where the infection will be contained within the VM itself.

Its a dedicated server in a DC. All I can think of is a security hole in IIS or something Idk im no expert, He created a folder called MOF in system32 and I cannot delete it. I tried to change ownership but it wont work. I also found more torrents, and programs. Ive scanned it with software and it found nothing. I will be doing a OS reload during the weekend.

[Infiltrator]

Its a dedicated server in a DC. All I can think of is a security hole in IIS or something Idk im no expert, He created a folder called MOF in system32 and I cannot delete it. I tried to change ownership but it wont work. I also found more torrents, and programs. Ive scanned it with software and it found nothing. I will be doing a OS reload during the weekend.

You cannot delete it, did u log in with an administrator account at all?

[digip]

Boot off a live linux disc and remove it or boot in safe mode and take ownership of it, remove the system attributes via cmd shell and then delete it.

[digip]

By the way, does this server run the MS FTP service, and is it accessible from the internet? If so, there is currently an attack against the ms ftp service which could give someone access to the system. I believe its based off of the MS11-004 vuln, but they found new ways to get around DEP, Memory and ASLR protections.

http://www.theregister.co.uk/2011/04/18/windows_heap_exploit_shield_pierced/

Edited April 19, 2011 by digip

[nopenopenope]

Boot off a live linux disc and remove it or boot in safe mode and take ownership of it, remove the system attributes via cmd shell and then delete it.

Id go with this, I never have a problem removing anything while on a linux cd, that and malwarebytes

[Mr. Stuky]

The hacker logs in via the Guest Remote Desktop account. the account has been disabled so im not sure how hes connecting. I already ordered a OS reload from the datacenter, hopefully this fixes it. Thanks Guys.