Couldn't have said it better..............
Originally posted by sepultura:
Quote:
Hi I can explain this to you. You are infected with a bot called nesebot. Nesebot is an irc bot which scans and spreads through a windows exploit called lsass or dcass. It gets into your machine and then it reports to an irc (internet relay chat)channel deignated by the hacker. The hacker then gives the "bot", you computer, and all the other computers that are infected and idling in the irc channel, commands to scan for other vulnerable pcs and to do other tasks such as ddos attacks and various other malicious things. The file you were looking at is the log file for the bot. It logs everyhting the bot does. It tells you the channel name your bot is reporting to is #nesebot, I gues the hacker wasn't too creative this time, he named the irc channel the name of the bot. It tells you everything the bot, your pc, is doing for the hacker.
For instance:
.advscan dcass 200 5 9999 -b -r -s
this command tells ur machine to scan 200 pcs a minute with a 5 second delay for a total of 9999 minute for the dcass exploit. Every time your mahcine finds a vulnerable ip it copies itself to the machine and this is how it spreads. Thats what the dos screen your seeing says file copied over and over. This is what the hacker sees in his irc channel:
[14:55] <IVAN-S2QEF6X5JG856> lsass: exploited (62.83.2.109)
[14:55] <COMPAQ473> ftp: 81.39.58.218 -> (315392 bytes) (total sends: 1)
[14:55] <RUDI306> lsass: exploited (84.130.48.186)
[14:55] <HOME-ZTGPNTDNZY183> lsass: exploited (4.27.94.217)
[14:55] <DAVOR048> lsass: exploited (209.29.46.249)
[14:55] <DAVOR048> ftp: 209.29.46.249 on 15440
[14:55] <IVAN-S2QEF6X5JG856> ftp: 62.83.2.109 on 16029
[14:55] <DB7WND31758> lsass: exploited (4.231.174.82)
[14:55] <PYPE-PDXL20442E970> lsass: exploited (192.168.0.186)
[14:55] <YOUR-2ISY4XSPOD648> lsass: exploited (4.161.33.135)
[14:55] <YOUR-2ISY4XSPOD648> ftp: 4.161.33.135 on 5308
[14:55] <AUGACONS-0L6KTE464> lsass: exploited (83.40.127.9)
Each one of those is an infected pc scanning and spreading for him, and then reporting the results to him.
The -b means to scan the first 2 numbers of ur ip range and then random numbers after that. So if your ip is 81.157.105.238, which it seems it is from the log, then the bot was told to scan 81.157.x.x. -r means random numbers not sequential, and the -s means silent mode meaning the bot won't relay the reposnses it gives to the irc channel it is idling in when he issues the command. If he left the -s out the bot would respond like this to the command:
[sCAN]: Random Port Scan started on 81.157.x.x:445 with a delay of 5 seconds for 9999 minutes using 200 threads.
Well this is how you remove it. The bot will reside in C:\windows\system32. An easy way to find it is to list your system32 folder by "date modified" it will be a recently added .exe file with a funky name such as winhlp32.exe, bling.exe, wuamgrd.exe, wualct1.exe, msn32.exe, msc32.exe, etc. The hacker can call the exe whatever he wants when he creates the bot, so it can be anything. But there shouldn't be new exe's in system32 unless u did an upgrade recently. All you have to do is google for the exe if your not sure and if it doesn't google to the micorsoft database then you know thats the one. Then open task manager, (hold down ctrl/alt/del together), click the processes tab, and find the process and terminate it, then u can delete the exe from system32.
Then you need to remove the registry entry that start the bot. Goto start/run and the type regedit and click ok. Here is where you need to go to delete the 3 keys the bot has created:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
In each of those 3 folders you will see the registry entries for whatever the exe name was, they will have a bogus description but they will point to that exe. Delete them. All 3 need to be deleted or the bot can return, becase a backup dat file is somewhere on your machine, it is a copy of the bot in case you delete the exe. So make sure you delete the 3 registry entries.
If you need more help email me at mattc72@comcast.net. I am very familar with the code for nesebot and rxbot and other irc bots so I know how it works and how to remove it. If you dont remove it your internet connection will be very slow because you pc is scanning 200 ips addresses every min all the time. Besides that nothing really malicous will happen to your pc, just major bandwith loss. To avoid this happening in the future make sure you frequently get the microsoft patches for new exploits, and it doesn't hurt to become familar with the processes running in task manager so you can identify when a bogus virus/spyware/bot exe is running and kill it immediately.
I hope this helps.
