Malware that creates Local accounts


  • Malware that creates Local accounts

    Is anyone aware of any such malware??
    I've done a quick search and apart from an SMS vulnerability (which we don't use) I can't seem to find anything else.

    Here is the "script".

    From the security scan yesterday, found out that a few random local accounts (Members of the Administrators group) were created in half a dozen machines.
    The account names were randomly generated, i.e. "mfrT45ytrfgdhhsj".
    Nothing logged on the events,
    Ran a full AV scan (McAfee VSE 8.0) - Nothing
    Several AS scans - Nothing

    It is only affecting certain machines that do have port 80 open.

    Any ideas would be appreciated.

    Thanks
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR

  • #2
    Re: Malware that creates Local accounts

    The account names sound suspicious but other than that I know that many programs create local user accounts and/or groups when they're installed (Doubletake, SQL Server, Sharepoint, IIS, etc.). Is there anything installed on these servers that's not installed on other servers?

    • #3
      Re: Malware that creates Local accounts

      Hi Joe,

      These are client machines actually. All patched up,
      I also did a Rootkit scan - nothing out of ordinary,
      HijackThis report shows nothing suspicious as far as I can see.


      Back to the chase...

      I was a bit reluctant but might have to enable Account management auditing on this one.
      Last edited by L4ndy; 1st October 2009, 15:22.
      Caesar's cipher - 3

      ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

      SFX JNRS FC U6 MNGR
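
Post #3 mentions enabling Account management auditing. As an added example (not part of the thread), the PowerShell below turns that auditing on, lists who created local accounts or added members to local groups, and shows the current local Administrators members that are not on an allowlist. Assumptions: an elevated session on Windows Vista/Server 2008 or later with PowerShell 5.1, English audit subcategory names, and a hypothetical `$expectedAdmins` allowlist.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell session.
# Assumption: Vista/2008+ event IDs. On XP/2003 the equivalents are
# 624 (user account created) and 636 (member added to a local group).

# 1. Audit account and group changes (success and failure) from now on.
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable

# 2. Read account-creation (4720) and local-group-add (4732) events.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732 } `
                       -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    # Flatten the EventData name/value pairs into a hashtable.
    $data = @{}
    foreach ($node in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$node.Name] = $node.'#text'
    }
    [pscustomobject]@{
        Time         = $e.TimeCreated
        EventId      = $e.Id
        Target       = $data['TargetUserName']  # new account (4720) or group (4732)
        MemberSid    = $data['MemberSid']       # only present on 4732
        Actor        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        ActorLogonId = $data['SubjectLogonId']  # ties the change to a logon session
    }
}
$report | Sort-Object Time | Format-Table -AutoSize

# 3. Compare current local Administrators members against an allowlist.
#    $expectedAdmins is a hypothetical list; replace it with your own baseline.
$expectedAdmins = @('Administrator')

Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.PrincipalSource -eq 'Local' } |
    Where-Object { ($_.Name -split '\\')[-1] -notin $expectedAdmins } |
    Select-Object Name, SID, ObjectClass
```

The `Actor` and `ActorLogonId` columns identify the account and logon session that made each change, which is the information missing when nothing is logged.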
