yyzvxGINA.dll? - Windows NT


Thread: yyzvxGINA.dll?

  1. yyzvxGINA.dll?

    Hello all,

    I am attempting to determine if my system was compromised. This system
    is a dedicated server located offsite. On the morning of 7/28 I began
    noticing some odd behavior and logged in via Terminal Services. The
    first thing I noticed was that there was a file called yyzvxGINA.dll
    sitting on my desktop. I did not put it there, and the other person
    responsible for the server also claims to have not put it there.
    Further investigation showed that this DLL is now listed as the login
    DLL for Windows. Going through the event logs I noticed over the past
    few days hundreds of attempted but failed logins using the typical
    usernames (admin, administrator, guest). These attempts stopped right
    around the time my problems started.

    I am assuming the system has been compromised and that I will have to
    wipe it and start over. What I'm wondering is does this sound like an
    attack that people are familiar with? Can I get a sense of what the
    attacker had access to or might have modified? A search of the drive
    in question shows no noteworthy files being added or modified in that
    time frame, although I'm assuming that information is not completely
    trustworthy.

    Any additional comments would be appreciated.

    Greg Dunlap
    heyrocker@Yahoo.com

  2. Re: yyzvxGINA.dll?


    "Hey Rocker" wrote in message
    news:c8c99e01.0307291357.b88fd88@posting.google.com...
    > Hello all,
    >
    > I am attempting to determine if my system was compromised. This system
    > is a dedicated server located offsite. On the morning of 7/28 I began
    > noticing some odd behavior and logged in via Terminal Services. The
    > first thing I noticed was that there was a file called yyzvxGINA.dll
    > sitting on my desktop. I did not put it there, and the other person
    > responsible for the server also claims to have not put it there.
    > Further investigation showed that this DLL is now listed as the login
    > DLL for Windows. Going through the event logs I noticed over the past
    > few days hundreds of attempted but failed logins using the typical
    > usernames (admin, administrator, guest). These attempts stopped right
    > around the time my problems started.
    >
    > I am assuming the system has been compromised and that I will have to
    > wipe it and start over. What I'm wondering is does this sound like an
    > attack that people are familiar with? Can I get a sense of what the
    > attacker had access to or might have modified? A search of the drive
    > in question shows no noteworthy files being added or modified in that
    > time frame, although I'm assuming that information is not completely
    > trustworthy.
    >
    > Any additional comments would be appreciated.
    >
    > Greg Dunlap
    > heyrocker@Yahoo.com


    The usernames you gave are all used by the Mumu worm. And that's how it
    would show in your logs.
    (http://securityresponse.symantec.com...w32.mumu.b.worm.html) Just an idea.

    As for the Gina file, it is possible it is a modified version used by a
    cracker and the system is compromised. I'd take a look at the properties
    for a file version and source date, then compare against what MS says the
    info should be for that version. (Although other companies put out Gina
    files also.) If it is hostile you are looking at part of a root kit. And
    if someone left a file like that on the desktop, they were stupid. (Is it
    on the 'all users' desktop?)

    But unless you know the file properties from before you don't have any way to
    know what changed.
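The checks suggested above (which DLL Winlogon is configured to load, its file properties, and the burst of failed logons) can be scripted. This is an added example, not code from either poster; it assumes a Windows 2000/XP/2003-era host where Winlogon still reads the GinaDLL value from the standard Winlogon key, uses the stock msgina.dll in System32 as the baseline, and uses Security event ID 529 (failed logon, bad user name or password) for the logon count.

```powershell
# Added example: audit the configured GINA DLL and summarise recent failed logons.
# Assumption: standard Winlogon key; msgina.dll is the expected default GINA.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$system32 = Join-Path $env:SystemRoot 'System32'
$baseline = Join-Path $system32 'msgina.dll'

function Get-GinaAudit {
    $value = (Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue).GinaDLL
    if (-not $value) {
        # No GinaDLL value at all means Winlogon falls back to msgina.dll.
        return [pscustomobject]@{ Configured = '(none, default msgina.dll)'; Path = $baseline
                                  Suspicious = $false; Reasons = '' }
    }
    # A bare file name is resolved from System32; anything else is taken as a path.
    $path = if ([IO.Path]::IsPathRooted($value)) { $value } else { Join-Path $system32 $value }
    $reasons = @()
    if ((Split-Path $value -Leaf) -ine 'msgina.dll') { $reasons += 'non-default GINA file name' }
    if (-not (Test-Path $path)) {
        $reasons += 'configured file is missing'
    } else {
        $item = Get-Item $path
        # Compare vendor and version strings with the stock DLL, as the reply suggests.
        $vi   = $item.VersionInfo
        $base = (Get-Item $baseline -ErrorAction SilentlyContinue).VersionInfo
        if ($vi.CompanyName -notlike 'Microsoft*') { $reasons += "CompanyName='$($vi.CompanyName)'" }
        if ($base -and $vi.FileVersion -ne $base.FileVersion) {
            $reasons += "FileVersion $($vi.FileVersion) differs from msgina.dll $($base.FileVersion)"
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $reasons += "Authenticode status $($sig.Status)" }
        # A GINA loaded from anywhere but System32 (a user's desktop, say) is a strong indicator.
        if ($item.DirectoryName -ine $system32) { $reasons += 'loaded from outside System32' }
    }
    [pscustomobject]@{ Configured = $value; Path = $path
                       Suspicious = ($reasons.Count -gt 0); Reasons = ($reasons -join '; ') }
}

function Get-FailedLogonsPerHour([int]$Days = 7) {
    # Event 529 is the pre-Vista "unknown user name or bad password" failure.
    Get-EventLog -LogName Security -InstanceId 529 -After (Get-Date).AddDays(-$Days) -ErrorAction SilentlyContinue |
        Group-Object { $_.TimeGenerated.ToString('yyyy-MM-dd HH:00') } |
        Sort-Object Name | Select-Object @{n='Hour';e={$_.Name}}, Count
}

Get-GinaAudit | Format-List
Get-FailedLogonsPerHour | Format-Table -AutoSize
```

Run it from an elevated prompt on the host itself; the hourly table shows when the guessing stopped, which the original poster noted lined up with the appearance of the file.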
