One of our servers is a ZOMBIE
One of our (Windows) servers is currently sending out SPAM and I am not able to find what is causing it. It is not sent through one of the sites using a PHP/Perl bug, as I have disabled them and it still sends out SPAM...
I have been running NOD32 & Spybot S&D (after it got infected) and neither found anything.
I have a feeling it is something which hides itself, thus finding it will be hard.
Any suggestions on how to get rid of this worm/zombie other than reinstalling the server (which would be best but would be a lot of work)?
Ouch, any constant traffic coming through any TCP and UDP protocols? As in, maybe someone is using your system as a middle guy to send out spam?
Do you know what is being sent out? Perhaps knowing that would make it easier to get more info on what's going on, since maybe other servers had the same problem.
You can also use Trend's free online AV scanner. http://housecall.trendmicro.com/
I am running housecall now... let's see if it finds anything.
What I did find was a suspicious .dll file which is in use and is UPX'ed; it is dated 2 days ago and I have not installed anything on this server... it resides in: WINDOWS\TEMP (see attached .dll)
The SPAM itself is always the same (or with similar links, xxx.blogspot.com):
=======================================================================
Hallo,
Real men! Milliions of people acrosss the world have already tested THIS and ARE making their ggirlfriends feel brand new sexual seensations! YOU are the best in bed, aren't you ?
Girls! Deveelop your sexual relationshipp and get even MORE pleaasure! Make your boyyfriend a gift!
http://adelinelindstromn.blogspot.com
She said these words repeatedly. Soon, the divine a paper
inserted in the memoires de l'academie and without the stiffness
which usually accompanies should take care to gratify the
regenerate ones. Hidden evidence of wealth and of superiority
to or any last cry of farewell? It was ulva calling many
painters who have sought by means of the they felt at home
there, as in some barn whose you lately. So when carlos
proposedyou see i don't to do with him, ma'am, as much as
you can wish those rites were ended, a strange goddess,
o king, to place. As if i had not enough luggage to carry
of thy army, headed by bhishma and drona, impetuously excuse
that to have then attempted to put these of vasudeva, by
name samva, will bring forth a.
=======================================================================
UPX'd DLL, yeah I think you found your cause. UPX, as you know, is the poor man's compressor :P
But have you tried going into safe mode and using regsvr32 to uninstall it and remove it? Also remove anything from the c:\windows\system32\prefetch folder, as it may be residing in there.
Also check your startup in case there is a self-executable that reinstates it.
And perhaps even use sfc /scannow to check that legit system files have not been tampered with.
EDIT: Search for a lifuqyny file on your system. Perhaps that's the culprit :\
There is also a reference to a %08X.dll and %s%s.bak
That is just it, it is a remote server to which I do not have any access, also no KVM access, so safe mode is not possible.
Windows\Prefetch only has the usual NTOSBOOT-B00DFAAD.pf file which every Win2K3 server has; startup & services do not have anything "interesting"; the registry does not have any links to the DLL file.
sfc does not work in an RDC session; it wants to run as administrator in a console session...
regsvr32 does not work
Ouch :\ Kinda limited then :(
yeah... I know, so a reinstall would be the easiest way to get rid of anything... OK, I'll run housecall and see if it turns up anything to kill... I am off now for a few hours... thanks DABhand!
No problem, hope it gets sorted soon, and sorry I wasn't any more help.
housecall did not find anything... too bad
Can you run a rootkit scanner on the remote server?
Also, can you sort the system32 directory by date and see if any suspicious EXEs or DLLs have been added recently?
This server is fully under my control and I can run anything (if it is supported within RDP)
Do you have a link to a rootkit scanner?
As for system32 files, the problem started last December when I got a few SpamCop messages which pointed to a possible problem, but this only lasted 2-3 days and went away and I did not think much about it. So my guess is that the worm was installed at that time and was dormant until a few days ago.
Try this free one from Grisoft (They make AVG Antivirus):
http://free.grisoft.com/filedir/beta/avgarkt/avgarkt-setup-1.1.0.42.exe
Found another Free Rootkit Scanner from Sophos:
http://www.sophos.com/support/cleaners/sarsfx.exe
Neither found anything.
At the moment all port 25 activity has stopped; looks like the spammers are smart and only "use" it during the weekend...
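The question raised earlier in the thread, which process is the one talking to port 25, can be answered from inside an RDP session without any extra tooling. The following is an added example, not code from the original posts: it parses the output of `netstat -ano` and `tasklist /FO CSV /NH` (both present on Windows Server 2003) and maps outbound SMTP connections to image names. The two sample outputs embedded below are constructed for the example; the PIDs, addresses and image names are assumptions, not data from the thread.

```python
import csv
import io
import sys
from collections import defaultdict

# Constructed sample of `netstat -ano` output (Windows Server 2003 layout);
# not a real capture. PIDs and addresses are made up for the example.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1532
  TCP    192.0.2.10:3389        203.0.113.7:51022      ESTABLISHED     4
  TCP    192.0.2.10:1045        198.51.100.5:25        ESTABLISHED     716
  TCP    192.0.2.10:1046        198.51.100.9:25        SYN_SENT        716
  TCP    192.0.2.10:1047        192.0.2.20:25          ESTABLISHED     2104
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /FO CSV /NH`; not a real capture.
SAMPLE_TASKLIST = '''"svchost.exe","716","Console","0","4,812 K"
"inetinfo.exe","2104","Console","0","9,120 K"
"System","4","Console","0","236 K"
'''

SMTP_PORTS = {25, 587}  # submission port included; the thread only saw 25


def parse_netstat(text):
    """Yield (proto, local, remote, state, pid) from `netstat -ano` output.

    TCP rows have five columns, UDP rows have no State column, and the
    banner/header lines are skipped by looking at the first token."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""
        else:
            continue
        yield proto, local, remote, state, int(pid)


def remote_port(addr):
    """Port of an 'ip:port' or '[ipv6]:port' string, or None for '*:*'."""
    _host, sep, port = addr.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def parse_tasklist_csv(text):
    """Map PID -> image name from `tasklist /FO CSV /NH` output."""
    names = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            names[int(row[1])] = row[0]
    return names


def find_smtp_senders(netstat_text, tasklist_text, allowed_pids=()):
    """Return {pid: {"image": name, "remotes": [addr, ...]}} for every PID
    holding an outbound TCP connection to an SMTP port.

    allowed_pids lets a legitimate mail service be excluded; everything
    else that talks to port 25, including svchost.exe, is reported."""
    names = parse_tasklist_csv(tasklist_text)
    hits = defaultdict(list)
    for proto, _local, remote, state, pid in parse_netstat(netstat_text):
        if proto != "TCP" or pid in allowed_pids or state == "LISTENING":
            continue
        if remote_port(remote) in SMTP_PORTS:
            hits[pid].append(remote)
    return {pid: {"image": names.get(pid, "?"), "remotes": rs} for pid, rs in hits.items()}


if __name__ == "__main__":
    # Usage: python smtp_senders.py netstat.txt tasklist.txt  (falls back to samples)
    if len(sys.argv) == 3:
        netstat_text = open(sys.argv[1], encoding="cp1252", errors="replace").read()
        tasklist_text = open(sys.argv[2], encoding="cp1252", errors="replace").read()
    else:
        netstat_text, tasklist_text = SAMPLE_NETSTAT, SAMPLE_TASKLIST
    for pid, info in find_smtp_senders(netstat_text, tasklist_text).items():
        print(f"PID {pid} ({info['image']}): {', '.join(info['remotes'])}")
```

On the host itself, `netstat -ano > netstat.txt` and `tasklist /FO CSV /NH > tasklist.txt` produce the two inputs; a burst of SYN_SENT or ESTABLISHED rows to port 25 from a process that is not the mail service is the spam run in progress, and a svchost.exe hit is the cue to look at which DLLs that service host has loaded.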
I think I found the culprit!
As the DLL was UPX'ed (UPX 3.00), I ran a search for other UPX'ed files and found one: C:\WINDOWS\SYSTEM32\fsusd32.dll
At every logon fsusd32.dll created C:\WINDOWS\TEMP\1EB725F9.dll; this DLL was killed using Unlocker (http://ccollomb.********/unlocker) as regsvr32 did not work. Great tool, btw, using a GUI to show/kill file locks.
Unlocker could not kill fsusd32.dll as this would result in a logout, as it is being loaded through winlogon.exe.
Then I used HijackThis to see if fsusd32.dll was being loaded, and it was:
O20 - Winlogon Notify: fsusd32 - C:\WINDOWS\SYSTEM32\fsusd32.dll
Removed it using HijackThis, rebooted, and fsusd32.dll could be deleted.
Hope this will do it....
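The step that found fsusd32.dll was a search for other UPX-packed files. Below is an added example of how to do that search programmatically; it is not the poster's own method or tool. It is a minimal PE section-table parser that flags files whose section names are the ones UPX leaves behind (UPX0/UPX1) or that carry the "UPX!" marker in the header area, combined with a recent-modification filter, since the packed DLL in this thread was only two days old. `build_fake_pe` constructs a PE-shaped buffer purely for the self-check; it is not a loadable image. The default path C:\WINDOWS\SYSTEM32 and the seven-day window are assumptions for the example.

```python
import os
import struct
import sys
import time

# Section names UPX leaves behind in a packed PE. Other packers use other
# names (ASPack: .aspack/.adata), so this is a UPX-specific heuristic.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".UPX0", b".UPX1"}
PE_EXTENSIONS = (".dll", ".exe", ".sys", ".ocx", ".scr")


def pe_section_names(data):
    """Return the section names of a PE image (bytes), or None if data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + size_opt  # section table follows the optional header
    names = []
    for i in range(nsec):
        off = table + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes; name is the first 8
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def is_upx_packed(data):
    """True if the PE carries UPX section names or the 'UPX!' header marker."""
    names = pe_section_names(data)
    if names is None:
        return False
    if any(n in UPX_SECTION_NAMES for n in names):
        return True
    # UPX also writes a 'UPX!' magic near the section table. A build with
    # renamed sections may still carry it, so use it as a second signal.
    return b"UPX!" in data[:4096]


def scan_tree(root, newer_than_days=7.0, now=None):
    """Walk root and return (path, upx_packed, recently_modified) for PE files
    that are UPX-packed or were modified within newer_than_days."""
    now = time.time() if now is None else now
    cutoff = now - newer_than_days * 86400
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PE_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
                with open(path, "rb") as fh:
                    head = fh.read(65536)  # headers and section table sit at the front
            except OSError:
                continue  # unreadable or locked; skip
            packed, recent = is_upx_packed(head), mtime >= cutoff
            if packed or recent:
                hits.append((path, packed, recent))
    return hits


def build_fake_pe(section_names):
    """Constructed PE-shaped buffer for self-testing only; not a loadable image."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    size_opt = 0xE0  # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, size_opt, 0x2102)
    opt = struct.pack("<H", 0x10B).ljust(size_opt, b"\0")
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + opt + sections


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\WINDOWS\SYSTEM32"
    for path, packed, recent in scan_tree(root):
        print(f"{'UPX ' if packed else '    '}{'NEW ' if recent else '    '}{path}")
```

Run over SYSTEM32 and WINDOWS\TEMP, a file marked both UPX and NEW is the first thing to open; a packed file is not proof of malware on its own, but an unexpected one in a system directory on a server where nothing was installed is exactly what this thread turned up.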
I could only find 2 references to fsusd32.dll on Google; one link says it is: Trojan-Downloader.Win32.Adload.dq (10-2006, ASPacked)
So maybe it was not "used" that much, or this is an "update" (because of the UPX 3.00 packer instead of ASPack) and is therefore not recognized by any AV/malware software?!
I still do not know how this server got infected, as updates are run ASAP, nothing was installed on it and it has only the necessary ports available.
I checked for references to changes using winlogon.exe and found them in setupapi.log, so I think it got installed on 2007/07/09...
I am keeping my fingers crossed ;)
Good find!
I use Unlocker too, it's a good utility!
Hope you've solved the problem, fingers crossed also!
I'd personally now set up a little honeypot, with a modded DLL that does what their one did, except it logs their IPs and commands etc. :)