Author
17 Apr 2006 2:08 PM
Fred Yarbrough
We have had 3 separate Windows 2000 servers running IIS come down with
something.  This started about 2 weeks ago and it has the following
symptoms.

The server is very slow to log in to.  Once up, if you go to the Event Viewer
you can see entries but cannot go into an entry to view the details of it.
When you go to Manage the computer, IIS is completely gone from the
Management MMC.  If you go to Add and Remove Programs it looks all funky,
like C&lose for the button, and the title script is all jammed together and
nothing shows up.  All websites are down.  We have had to rebuild 3 servers
because we could not figure out what was going on.  We are running Trend's
Office Scan Antivirus on the boxes and most all patches are applied.  Any
ideas?


Thanks,
Fred

Author
17 Apr 2006 9:37 PM
Fred Yarbrough
Has anyone seen a rootkit using the following files?
Zzgdqzow.dll   Zzgdqzow.exe   Zzgdqzow.drv   Zzgdqzow.ime   Zzgdqzow.sys
Zzgdqzow.tmp

My server has these files.  Help!!!






Author
17 Apr 2006 11:44 PM
>>Smith<<
Hope you have a backup... then reformat.


As I said for many years, MS finally says the best way to get rid of problems is
REFORMAT.



Author
18 Apr 2006 1:15 PM
Fred Yarbrough
Yep, that is what we have done but the scary part is that I do not know how
it happened.

Thanks,
Fred


Author
18 Apr 2006 2:27 PM
Roger Abell [MVP]
"Fred Yarbrough" <postmaster@127.0.0.1> wrote in message
news:Oqu2YouYGHA.3868@TK2MSFTNGP04.phx.gbl...
> Yep, that is what we have done but the scary part is that I do not know
> how
> it happened.
>

Well, I was concerned when I saw your "most patches" comment.

If you had been able to keep an image from one of them then
something may have been discovered.  Keep in mind that your
environment might have facilitated spread from the initial entry
machine onto the others even if the others had no vulnerabilities
other than configuration that did not isolate them.

Do you have any info from the headers of those Zzgdqzow files?
The naming may be unique to your penetration.


Author
18 Apr 2006 2:34 PM
Fred Yarbrough
We have several machines with it here now.  Some are fully patched!  W2K3
servers and W2K servers too.

I will be calling Microsoft as soon as we get a grasp as to what is going
on.



Thanks,
Fred



Author
18 Apr 2006 3:23 PM
jeroen.wijnands
Fred Yarbrough wrote:
> We have several machines with it here now.  Some are fully patched!  W2K3
> servers and W2K servers too.
>
> I will be calling Microsoft as soon as we get a grasp as to what is going
> on.
>
I'd say, create ghost images of the affected systems, scrub them and
reinstall.

You don't have admins surfing the web from one of your servers?


Jeroen
http://wijnands.blogspot.com
Author
18 Apr 2006 3:32 PM
Fred Yarbrough
I suspect that to be a very good possibility.

We have our systems patched and running Trend OfficeScan and it is not
stopping it.

We have noticed these infected machines are broadcasting out http to the
following IP addresses

61.144.253.3
61.144.253.6

Check your firewall logs for http going to either of these sites!!!!



Thanks,
Fred

Author
18 Apr 2006 3:44 PM
Jon Phipps
see bottom of message
inetnum:   61.144.253.0 - 61.144.253.15
netname:   SHENZHEN-COMPUTER-NETWORK-SECURITY
descr:         SHENZHEN ASSOCIATION OF COMPUTER NETWORK PUBLIC SECURITY
country:   CN
admin-c:   HL192-AP
tech-c:    HL192-AP
status:    ASSIGNED NON-PORTABLE
changed:    20040310
mnt-by:         MAINT-CHINANET-GD
source:         APNIC

person:         HU LIHUASZA
nic-hdl:   HL192-AP
e-mail:
address:   SAIGE INDUSTRIAL PARK,SHENZHEN
country:   CN
phone:         +86-755-82193222
fax-no:         +86-755-82193984
changed:    20040310
mnt-by:         MAINT-CHINANET-GD
source:         APNIC

Jon

Author
18 Apr 2006 6:21 PM
Fred Yarbrough
Update.

There is another IP address the infected machines are trying to contact
211.235.253.131.

The file names also appear to be somewhat random but have always been located
in our c:\winnt\system32 directory.  They always start with z and appear as
6 files on Windows 2000 Servers.  Our Windows 2003 server only shows the
single dll file.
Here is what one of our W2K servers has for these files

Zzgdqzow.dll
Zzgdqzow.drv
Zzgdqzow.ime
Zzgdqzow.log
Zzgdqzow.sys
Zzgdqzow.tmp


Fred


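Fred's description of the file set (a random-looking stem starting with z, six extensions in system32, only the DLL on Windows 2003) together with Roger's earlier question about the files' headers, as an added example that is not part of the original thread: it groups the files in a directory by stem, flags stems matching the described pattern, and reads Machine and TimeDateStamp from the COFF header of the PE-format members. The 8-letter stem length, the `minimal_pe` stand-in binaries and the sample directory are assumptions constructed for the demo.

```python
import os
import re
import struct
import tempfile
from collections import defaultdict
from datetime import datetime, timezone

# Extensions Fred listed for one infected W2K server (.exe from his first post).
SUSPECT_EXTS = {".dll", ".exe", ".drv", ".ime", ".log", ".sys", ".tmp"}

# Stem pattern as described in the thread: starts with 'z', rest looks random.
# Assumption: 8 letters total, as in Zzgdqzow; widen this if your names differ.
STEM_RE = re.compile(r"^z[a-z]{7}$", re.IGNORECASE)


def pe_header_info(path):
    """Return Machine and TimeDateStamp from a PE file's COFF header, or None if not PE."""
    with open(path, "rb") as f:
        dos = f.read(0x40)                       # IMAGE_DOS_HEADER
        if len(dos) < 0x40 or dos[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", dos, 0x3C)[0]
        f.seek(e_lfanew)
        hdr = f.read(24)                         # "PE\0\0" + 20-byte COFF header
    if len(hdr) < 24 or hdr[:4] != b"PE\0\0":
        return None
    machine, _nsections, ts = struct.unpack_from("<HHI", hdr, 4)
    return {"machine": hex(machine),
            "timestamp": datetime.fromtimestamp(ts, timezone.utc).isoformat()}


def find_suspect_file_sets(directory, min_members=1):
    """Group files by stem; return stems matching STEM_RE that carry at least
    min_members suspect extensions, with PE header info per file (None if not PE).
    min_members=1 also catches the single-DLL case Fred saw on Windows 2003."""
    by_stem = defaultdict(dict)
    for name in os.listdir(directory):
        stem, ext = os.path.splitext(name)
        if STEM_RE.match(stem) and ext.lower() in SUSPECT_EXTS:
            by_stem[stem.lower()][ext.lower()] = pe_header_info(os.path.join(directory, name))
    return {s: exts for s, exts in by_stem.items() if len(exts) >= min_members}


def minimal_pe(timestamp, machine=0x14C):
    """Constructed stand-in for a real binary: MZ stub, e_lfanew=0x40, PE sig, COFF header."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 1, timestamp, 0, 0, 0, 0)
    return dos + coff


def build_sample_dir():
    """Constructed directory standing in for c:\\winnt\\system32 on an infected W2K box."""
    d = tempfile.mkdtemp()
    ts = 1145000000                               # constructed build timestamp
    for ext in (".dll", ".drv", ".ime", ".sys"):  # the PE-format members
        with open(os.path.join(d, "Zzgdqzow" + ext), "wb") as f:
            f.write(minimal_pe(ts))
    for ext in (".log", ".tmp"):                  # non-PE members
        open(os.path.join(d, "Zzgdqzow" + ext), "wb").close()
    with open(os.path.join(d, "zipfldr.dll"), "wb") as f:  # benign-looking 7-letter stem: must not match
        f.write(minimal_pe(ts))
    open(os.path.join(d, "kernel32.dll"), "wb").close()   # digits in stem: must not match
    return d


if __name__ == "__main__":
    for stem, members in find_suspect_file_sets(build_sample_dir()).items():
        print(stem, len(members), "files")
        for ext, info in sorted(members.items()):
            print(" ", ext, info)
```

On a live box the header timestamps across the set are what Roger was after: members built at the same time by the same toolchain are one more sign they belong together.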
Author
18 Apr 2006 7:01 PM
Jon Phipps
inetnum:   211.232.0.0 - 211.255.255.255
netname:   KRNIC-KR
descr:    KRNIC
descr:    Korea Network Information Center
country:   KR
admin-c:   HM127-AP
tech-c:    HM127-AP
remarks:   ******************************************
remarks:   KRNIC is the National Internet Registry
remarks:   in Korea under APNIC. If you would like to
remarks:   find assignment information in detail
remarks:   please refer to the KRNIC Whois DB
remarks:   http://whois.nic.or.kr/english/index.html
remarks:   ******************************************
mnt-by:    APNIC-HM
mnt-lower:  MNT-KRNIC-AP
changed:    20000908
changed:    20010627
status:    ALLOCATED PORTABLE
source:    APNIC

person:    Host Master
address:   11F, KTF B/D, 1321-11, Seocho2-Dong, Seocho-Gu,
address:   Seoul, Korea, 137-857
country:   KR
phone:    +82-2-2186-4500
fax-no:    +82-2-2186-4496
e-mail:
nic-hdl:   HM127-AP
mnt-by:    MNT-KRNIC-AP
changed:    20020507
source:    APNIC

inetnum:   211.235.253.128 - 211.235.253.255
netname:   KRLINE-LLINE-ORAM-KR
descr:    ORAM
country:   KR
admin-c:   HC081-KR
tech-c:    HC081-KR
remarks:   This IP address space has been allocated to KRNIC.
remarks:   For more information, using KRNIC Whois Database
remarks:   whois -h whois.nic.or.kr
mnt-by:    MNT-KRNIC-AP
remarks:   This information has been partially mirrored by APNIC from
remarks:   KRNIC. To obtain more specific information, please use the
remarks:   KRNIC whois server at whois.krnic.net.
changed:
source:    KRNIC

Author
19 Apr 2006 7:59 AM
Daniel Crichton
Fred wrote  on Tue, 18 Apr 2006 13:21:53 -0500:

> Update.
>
> There is another IP address the infected machines are trying to contact
> 211.235.253.131.
>
> The file names also appear to somewhat random but have always been located
> in our c:\winnt\system32 directory.  They always start with z and appear
> as 6 files on Windows 2000 Servers.  Our Windows 2003 server only shows
> the single dll file.
> Here is what one of our W2K servers has for these files
>
> Zzgdqzow.dll
> Zzgdqzow.drv
> Zzgdqzow.ime
> Zzgdqzow.log
> Zzgdqzow.sys
> Zzgdqzow.tmp

If you get what appears to be an infection and your AV product isn't picking
it up then it's worth getting other AV vendors to check it too. Try NAI;
you can submit the files online and get an instant response.

http://vil.nai.com/vil/submit-sample.aspx

Searching for the filenames on Google will likely be pointless as the
filenames will be random, and you'll only find a match if someone else
happens to have the same filenames generated. Even then it might be
something completely different. The only sure way to find out what they are
is to get an AV product to detect the signature.

Dan
Author
19 Apr 2006 8:03 PM
Fred Yarbrough
Microsoft and Trend have confirmed this to be a new Malware/RootKit attack.
Trend is trying to develop a pattern/fix for it.  We are testing samples for
them but nothing stops it yet.  Watch your firewall logs for outgoing HTTP
traffic to any of the 3 IP addresses.


61.144.253.3
61.144.253.6
211.235.253.131




Thanks,
Fred


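Fred's advice to watch firewall logs for outbound HTTP to the three addresses, as an added detection example that is not part of the original thread: it parses a constructed log in an assumed simple format, flags exact hits on the reported addresses, and also matches the wider inetnum blocks from the whois records Jon posted, so a rotated host in the same assignment is flagged as a weaker "range" hit. The log format, the internal 10.0.0.x hosts and the 8080 port are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Addresses reported in this thread as contacted by the infected machines.
REPORTED_C2 = {"61.144.253.3", "61.144.253.6", "211.235.253.131"}

# Wider assignments from the whois inetnum lines posted in the thread.
REPORTED_NETS = [
    ipaddress.ip_network("61.144.253.0/28"),      # 61.144.253.0 - 61.144.253.15
    ipaddress.ip_network("211.235.253.128/25"),   # 211.235.253.128 - 211.235.253.255
]

# Ports treated as HTTP (assumption; the thread only says "http").
HTTP_PORTS = {"80", "8080"}

# Constructed log format, not any real firewall's:
# date time action proto src_ip dst_ip src_port dst_port
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<sport>\d+) (?P<dport>\d+)$"
)


def classify(dst):
    """Return 'exact' for a reported address, 'range' for its whois block, else None."""
    if dst in REPORTED_C2:
        return "exact"
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return None
    return "range" if any(addr in net for net in REPORTED_NETS) else None


def scan_firewall_log(lines):
    """Group suspicious outbound HTTP connections by internal source host.
    Dropped attempts are kept: a blocked beacon still identifies an infected host."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                          # comments / malformed lines
        if m["proto"] != "TCP" or m["dport"] not in HTTP_PORTS:
            continue                          # thread describes outbound HTTP only
        kind = classify(m["dst"])
        if kind:
            hits[m["src"]].append((m["date"] + " " + m["time"], m["dst"], kind, m["action"]))
    return dict(hits)


# Constructed sample log; 66.102.7.99 stands in for ordinary web traffic.
SAMPLE_LOG = """\
2006-04-18 13:05:02 ALLOW TCP 10.0.0.12 61.144.253.3 1043 80
2006-04-18 13:05:09 ALLOW TCP 10.0.0.12 61.144.253.6 1044 80
2006-04-18 13:06:31 ALLOW TCP 10.0.0.20 66.102.7.99 1301 80
2006-04-18 13:07:15 DROP TCP 10.0.0.31 211.235.253.131 1122 80
2006-04-18 13:07:40 ALLOW TCP 10.0.0.31 211.235.253.140 1123 80
2006-04-18 13:08:00 ALLOW UDP 10.0.0.12 61.144.253.3 1050 53
# malformed line the parser must skip
""".splitlines()


if __name__ == "__main__":
    for host, events in sorted(scan_firewall_log(SAMPLE_LOG).items()):
        print(host)
        for when, dst, kind, action in events:
            print(f"  {when}  -> {dst:16} {kind:5} ({action})")
```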
Author
19 Apr 2006 10:06 PM
Fred Yarbrough
This is a new form of the Backdoor.Hesive.C Trojan.



Fred



Author
21 Apr 2006 2:02 PM
Roger Abell [MVP]
<jeroen.wijna***@gmail.com> wrote in message
news:1145373836.622102.261580@i39g2000cwa.googlegroups.com...
>
> Fred Yarbrough wrote:
>> We have several machines with it here now.  Some are fully patched!  W2K3
>> servers and W2K servers too.
>>
>> I will be calling Microsoft as soon as we get a grasp as to what is going
>> on.
>>
> I'd say, create ghost images of the affected systems, scrub them and
> reinstall.
>
> You don';t have admins surfing the web from one of your servers?
>

Or even from a workstation to which they are allowed to
log in with credentials used for server management and
from which the servers are network accessible for more
than http/https.

Roger
Author
21 Apr 2006 2:17 PM
jeroen.wijnands
Roger Abell [MVP] wrote:
> <jeroen.wijna***@gmail.com> wrote in message
> news:1145373836.622102.261580@i39g2000cwa.googlegroups.com...
> >
> > Fred Yarbrough wrote:
> >> We have several machines with it here now.  Some are fully patched!  W2K3
> >> servers and W2K servers too.
> >>
> >> I will be calling Microsoft as soon as we get a grasp as to what is going
> >> on.
> >>
> > I'd say, create ghost images of the affected systems, scrub them and
> > reinstall.
> >
> > You don';t have admins surfing the web from one of your servers?
> >
>
> Or even from a workstation to which they are allowed
> login with credentials used for server management and
> from which the servers are network accessible for more
> than http/https.
>

That's of course another possibility. It's a more common cause than
some rootkit appearing mysteriously on the server.

Jeroen
http://wijnands.blogspot.com
Author
18 Apr 2006 2:22 PM
Roger Abell [MVP]
">>Smith<<" <jjsm***@msn.com> wrote in message
news:e34hRjnYGHA.4860@TK2MSFTNGP02.phx.gbl...
> Hope you have back up...then reformat....
>
>
> AS I said for many years, MS finally says the best way to rid of problems
> is REFORMAT.
>

which as I recall is what MS also has been saying for years . . .

Author
18 Apr 2006 1:22 PM
Jon Phipps
"Fred Yarbrough" <postmaster@127.0.0.1> wrote in message
news:uMG4ZcmYGHA.3624@TK2MSFTNGP02.phx.gbl...
> Has anyone seen a root kit using the following files?
> Zzgdqzow.dll   Zzgdqzow.exe   Zzgdqzow.drv   Zzgdqzow.ime   Zzgdqzow.sys
> Zzgdqzow.tmp
>
> My server has these files.  Help!!!
>
>
>
>
>
>

The odd thing is that I can find nothing on these files on the internet;
Google, McAfee, HotBot, MSN all show up nothing...
So I can be of no help in telling what caused it :(
Jon