Endpoint Protection


IS it a Mebroot or a Remote assistance in a Case ???


  • 1.  IS it a Mebroot or a Remote assistance in a Case ???

    Posted Mar 01, 2012 02:03 AM

    We found some of the users getting created & deleted within an hour...

    We checked it & found that there is no detection of the Mebroot virus or trojan on the server, but we found that users named helpassistance_XXXXXX or OPS are getting created & deleted.

    We are unable to get any information about it or any logs related to it.

    Please help ASAP.



  • 2.  RE: IS it a Mebroot or a Remote assistance in a Case ???

    Posted Mar 01, 2012 02:07 AM

    Users are all named helpassistance_XXXXXX, with a 6-digit alphanumeric suffix.

    NEED your exact view about this & also the CVE number / vulnerability regarding this.



  • 3.  RE: IS it a Mebroot or a Remote assistance in a Case ???

    Posted Mar 01, 2012 02:09 AM

    Steps to find the virus or the trojan?



  • 4.  RE: IS it a Mebroot or a Remote assistance in a Case ???

    Broadcom Employee
    Posted Mar 01, 2012 02:12 AM

    Open a support case, run the SEP Support Tool with Load Point enabled and pass it on to us.

    It could be a worm, so ensure the systems (network) are patched and updated with the latest AV signatures.

    Run a network tool to identify which remote machine is contacting the affected machine for this traffic.



  • 5.  RE: IS it a Mebroot or a Remote assistance in a Case ???

    Posted Mar 01, 2012 02:17 AM

    First things first, contact Symantec Support for assistance.

    You can also use the SEP Support Tool with load point diagnostics. It can get all the necessary details required for troubleshooting SEP clients, including malware infections.

    If you want to troubleshoot for malware yourself, you can start by checking what processes are loaded into your system, either via MS Task Manager, the tasklist command in cmd, or Sysinternals' Process Explorer and Autoruns.

    A common load point in the registry is HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Cheers.



  • 6.  RE: IS it a Mebroot or a Remote assistance in a Case ???

    Posted Mar 01, 2012 02:40 AM

    First check the processes which are running by using Task Manager and TCPView. The Mebroot trojan acts as a rootkit as well, thus detecting and removing Mebroot manually is quite a difficult task. Besides removing infected files, you will need to restore the original boot record of the computer using the Windows install CD, which might corrupt your PC in some cases. This is done by

    a) booting your PC to rescue mode from the Windows install/recovery CD.

    b) executing "fdisk /mbr" to restore the original master boot record.

    c) booting into safe mode and deleting Mebroot's DLLs.



  • 7.  RE: IS it a Mebroot or a Remote assistance in a Case ???

    Posted Mar 01, 2012 02:58 AM

    SEP is up to date, but it's not on one server, it's over multiple systems & also in a time span of one to two days, & users get created & deleted within a span of time...

    SEP hasn't detected any of the virus / trojan mentioned:

    1. HTTP Trojan Mebroot Request
    2. Trojan.Mebroot

    Also the logs for the system don't contain a Source IP, as these are Windows 2K3 servers...



  • 8.  RE: IS it a Mebroot or a Remote assistance in a Case ???

    Posted Mar 01, 2012 03:01 AM

    Hi Prasad,

    This is the normal behaviour of Windows.

    When a Remote Assistance session is initiated, a HelpAssistance user account is automatically created. The Remote Desktop Help Session Manager service manages the HelpAssistance user account. HelpAssistance is automatically deleted when there are no Remote Assistance requests pending.

    Hope this helps you!!
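    A defender-side check for the account churn discussed in this thread, added here as an example (not code from the thread or from Symantec): it reads constructed security-log export lines and separates the expected Remote Assistance create/delete cycle from account activity that deserves a closer look. Assumptions not stated in the thread: the Windows Server 2003 event IDs 624/630 (account created/deleted, with 4720/4726 for newer servers), the "timestamp|event_id|subject|target" line layout, and the one-hour lifetime threshold.

    ```python
    import re
    from datetime import datetime, timedelta

    # Assumed event IDs: 624/630 on Windows Server 2003, 4720/4726 on newer servers.
    CREATED, DELETED = {624, 4720}, {630, 4726}
    # Naming pattern reported in the thread: helper prefix plus a 6-char alphanumeric suffix.
    HELP_ACCOUNT = re.compile(r"^helpassistan(?:t|ce)_[a-z0-9]{6}$", re.IGNORECASE)
    SYSTEM_SUBJECT = r"NT AUTHORITY\SYSTEM"   # the Help Session Manager service runs as SYSTEM
    MAX_LIFETIME = timedelta(hours=1)         # assumed upper bound for a help session account

    # Constructed sample export (not a real log): timestamp|event_id|subject|target account.
    SAMPLE_EVENTS = """\
    2012-03-01 01:02:13|624|NT AUTHORITY\\SYSTEM|HelpAssistant_a1b2c3
    2012-03-01 01:40:55|630|NT AUTHORITY\\SYSTEM|HelpAssistant_a1b2c3
    2012-03-01 02:05:10|624|SRV01\\Administrator|HelpAssistant_zz99qq
    2012-03-01 02:06:00|624|NT AUTHORITY\\SYSTEM|OPS
    2012-03-01 02:30:00|624|NT AUTHORITY\\SYSTEM|HelpAssistant_d4e5f6
    2012-03-01 02:31:00|630|NT AUTHORITY\\SYSTEM|HelpAssistant_d4e5f6
    """

    def parse(text):
        """Yield (timestamp, event_id, subject, target) tuples from the export lines."""
        for line in text.splitlines():
            ts, eid, subject, target = line.split("|")
            yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), subject, target

    def triage(text):
        """Return {account: (verdict, reason)}; 'expected' only when every check passes."""
        created, result = {}, {}
        for ts, eid, subject, target in parse(text):
            if eid in CREATED:
                created[target] = (ts, subject)
            elif eid in DELETED and target in created:
                born, creator = created.pop(target)
                if not HELP_ACCOUNT.match(target):
                    result[target] = ("review", "not a Remote Assistance helper account name")
                elif creator != SYSTEM_SUBJECT:
                    result[target] = ("review", f"created by {creator}, not the system service")
                elif ts - born > MAX_LIFETIME:
                    result[target] = ("review", "lived longer than a help session would")
                else:
                    result[target] = ("expected", "Remote Assistance create/delete cycle")
        for target, (born, creator) in created.items():   # created but never deleted
            result[target] = ("review", f"created by {creator} and still present")
        return result

    if __name__ == "__main__":
        for account, (verdict, reason) in triage(SAMPLE_EVENTS).items():
            print(f"{verdict:8} {account:24} {reason}")
    ```

    Feed it a real export with the same four fields and anything marked "review" is where the thread's question (Remote Assistance or something else?) needs an answer from the server admin.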



  • 9.  RE: IS it a Mebroot or a Remote assistance in a Case ???

    Posted Mar 01, 2012 03:17 AM

    But we have seen that the server gets restarted or shut down for no reason...

    Is this also the normal behaviour of Windows? I don't think so...

    So I mentioned the name as mebroot.bz, which is the trojan that has the same behaviour. As I checked, the server logs also don't show any Source IP; it just shows as

    • value not set
    • value changed, but not displayed
    • never

    These are the values shown in the logs.



  • 10.  RE: IS it a Mebroot or a Remote assistance in a Case ???

    Posted Mar 01, 2012 03:41 AM

    CVE number / vulnerability related to mebroot.bz on Windows 2K3 server.



  • 11.  RE: IS it a Mebroot or a Remote assistance in a Case ???

    Posted Mar 01, 2012 04:06 AM

    Hi Prasad,

    Have the mentioned risks been detected on the system by SEP???

    Because you have mentioned that still no infection has been detected. But yes, we can't ignore the risk either.

    Regarding the abnormal restart, can you please share the event details of the abnormal restart & shutdown so as to analyze it further.

    Also, if you still suspect any virus or risk, I also suggest you immediately open a case with Symantec & get the server diagnosed for the available risks.



  • 12.  RE: IS it a Mebroot or a Remote assistance in a Case ???

    Posted Mar 01, 2012 04:24 AM

    Hi,

    The following links may be helpful.

    https://www-secure.symantec.com/connect/blogs/new-wave-mebroot

    https://www-secure.symantec.com/connect/blogs/bootroot-trojanmebroot-rootkit-your-mbr

    Apart from this, below are some CVEs listed in the starting stage of Mebroot.

    Microsoft Data Access Components (MDAC) Function vulnerability (MS06-014)
    AOL SuperBuddy ActiveX Control Code Execution vulnerability (CVE-2006-5820)
    Online Media Technologies NCTsoft NCTAudioFile2 ActiveX Buffer Overflow (CVE-2007-0018)
    GOM Player "GomWeb3" ActiveX Control Buffer Overflow (CVE-2007-5779)
    Microsoft Internet Explorer WebViewFolderIcon setSlice (CVE-2006-3730)
    Yahoo! JukeBox datagrid.dll AddButton() Buffer Overflow
    DirectAnimation.PathControl KeyFrame vulnerability (CVE-2006-4777)
    Microsoft DirectSpeechSynthesis Module Remote Buffer Overflow



  • 13.  RE: IS it a Mebroot or a Remote assistance in a Case ???

    Posted Mar 01, 2012 04:27 AM

    Hey bro, sorry but couldn't share the logs...



  • 14.  RE: IS it a Mebroot or a Remote assistance in a Case ???

    Posted Mar 01, 2012 04:29 AM

    As this is a server, no extra app would be installed, but still I will check it out.



  • 15.  RE: IS it a Mebroot or a Remote assistance in a Case ???

    Broadcom Employee
    Posted Mar 01, 2012 04:29 AM

    You can check the event ID and check the Microsoft articles for reference.



  • 16.  RE: IS it a Mebroot or a Remote assistance in a Case ???

    Posted Mar 16, 2012 09:06 AM

    Hi Prabhu,

    Take the help of SSIM security logs and trace the user/machine events. You may get some idea related to this.

    Regards

    Kishorilal



  • 17.  RE: IS it a Mebroot or a Remote assistance in a Case ???

    Posted Mar 16, 2012 09:09 AM

    Hi Prabhu,

    Is there anything to identify during SSIM log analysis for zero-day attacks? Can you provide any document related to this?

    Regards

    Kishorilal



  • 18.  RE: IS it a Mebroot or a Remote assistance in a Case ???
    Best Answer

    Posted Mar 18, 2012 01:34 PM

    This is not malicious activity. Microsoft Remote Assistance works this way.

    If you suspect anything, contact the server admin, as when you create a session file for Remote Assistance it creates a file with this username.

    Once logged, the account is auto-deleted.