
f0r0r dir in windows system32: msg#00026

security.intrusions

Subject: f0r0r dir in windows system32

Hello all. Windows XP (Home HPOT) with current AV; it is offline now. (Everything is preliminary analysis, and this is not a possible law case, so you will see forensic process breakdowns, so don't flame.) Anything with // is my comments.

Saw two processes in memory,

ppi.exe and dirote.exe
I did some searching online but did not find too much on these two files that were in memory.
I was looking for them in the HDrive, win dirs, but I could not find them. Yes, I checked and made sure the hidden dirs and files were configured to be shown. I also used the Windows search and verified the advanced feature of hidden files and folders was checked. I also tried the attrib -h *.* in several of the main dirs //results = nothing//
I will try to cd to the dir in the blind in the near future. I am not used to seeing these rootkit-like actions in the Windows arena; usually the hidden attribute is as far as malware takes it. I will try alternate streams and other advanced tools in the near future.

I did mount the HD in the (bump for the new Knoppix 3.4) Linux boot CD to find where the processes were located. Notice in the file listing below there is one file that says dir32.exe hmmmmmmmmmmm
After the Knoppix boot, I booted to Windows again (forensic process breakdown note) to try the attrib -h *.* in the system32 dir for the f0r0r dir and //results = nothing but very interesting//

Symantec (sigs as of May 9 2004) does not catch/flag any of the files listed below as of yet.

The two processes were in the system32 dir //those two are zeros//
c:\windows\system32\f0r0r\

Did some strings and got some good info, but I have just started and this was done last night, so nothing really advanced as far as the forensic process has been accomplished.

Here is a listing of the files & dirs that were in the dir:
calcu.exe
dirote.exe
dorod.ini
logs //DIR//
redroses
van32.exe
demo.xt
dordo.sys
kltye.exe //Sys Internals PS Tool to start remote processes//
niamx //RPC Scanner//
romto
wexp.exe
dir32.exe
dorod.exe
kolder.exe
ppi.exe
sounds //DIR//

Preliminary Analysis Results
- Reboots the system at least once (mine was three times)
- Rootkit-like characteristics and very automated
- IRC, Bot, SPAM and SYNFlood references
- Checks to see if virus/programs/bots are installed in windows dir previous to copying dirod.exe and ppi.exe
- possible sniffer installed
- bnc referenced numerous times in code
- rpc scanner
- generic NIC installation (have not really verified this through the code but was installed in XP)
- Referenced backdoor ccc.exe and port //I have not found this on the drive as of yet//


_______________________________________________
Intrusions mailing list
Intrusions@xxxxxxxxxxxxxx
http://www.dshield.org/mailman/listinfo/intrusions
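The post's key finding is that a directory under system32 was invisible from the running Windows install (even with hidden files shown and after attrib -h) but plainly visible once the disk was mounted from a Linux boot CD. That "live view vs. offline view" comparison is a standard way to surface rootkit-style hiding, and it is worth doing systematically rather than by eye. The script below is an added example, not code from the original post or from any tool it mentions: it takes two path listings of the same disk (one captured on the live system, one from the offline mount), normalises them so a Windows path and a Linux mount path compare, and reports what the offline view contains that the live view does not. The two listings embedded in it are constructed for the example; the mount point /mnt/hda1 and the file names are assumptions.

```python
"""Cross-view comparison of two listings of the same disk: one taken on
the live Windows system, one taken from the disk mounted offline (e.g.
from a Linux boot CD).  Entries present offline but absent from the live
view are candidates for rootkit-style hiding and deserve a closer look.

Added example for the f0r0r thread; both listings below are constructed
samples, not data captured from the reported system.
"""
import posixpath

# Constructed sample: output of a recursive listing on the live system.
LIVE_VIEW = """\
C:\\WINDOWS\\system32\\calc.exe
C:\\WINDOWS\\system32\\cmd.exe
C:\\WINDOWS\\system32\\drivers\\
C:\\WINDOWS\\system32\\drivers\\ntfs.sys
"""

# Constructed sample: the same tree listed from an offline mount at
# /mnt/hda1 (assumed mount point).  The extra directory is the one the
# live view failed to show.
OFFLINE_VIEW = """\
/mnt/hda1/WINDOWS/system32/calc.exe
/mnt/hda1/WINDOWS/system32/cmd.exe
/mnt/hda1/WINDOWS/system32/drivers/
/mnt/hda1/WINDOWS/system32/drivers/ntfs.sys
/mnt/hda1/WINDOWS/system32/f0r0r/
/mnt/hda1/WINDOWS/system32/f0r0r/ppi.exe
/mnt/hda1/WINDOWS/system32/f0r0r/dirote.exe
"""


def normalize(entry: str, root: str) -> str:
    """Strip the view-specific root and return a lower-case, '/'-separated
    relative path, so that 'C:\\WINDOWS\\x' and '/mnt/hda1/WINDOWS/x'
    become the same key.  NTFS names are case-insensitive, hence lower()."""
    entry = entry.strip().replace("\\", "/").rstrip("/")
    root = root.replace("\\", "/").rstrip("/")
    if entry.lower().startswith(root.lower() + "/"):
        entry = entry[len(root) + 1:]
    return entry.lower()


def parse_listing(text: str, root: str) -> set:
    """One path per line; blank lines ignored."""
    return {normalize(line, root) for line in text.splitlines() if line.strip()}


def cross_view_diff(live: set, offline: set) -> dict:
    """Entries the offline view has but the live view lacks (possible
    hiding), and the reverse (transient or pagefile-type entries, still
    worth noting so the analyst can explain them)."""
    return {
        "hidden_from_live": sorted(offline - live),
        "only_in_live": sorted(live - offline),
    }


def hidden_roots(hidden: list) -> list:
    """Collapse a list of hidden entries to the top of each hidden subtree,
    i.e. entries whose parent is itself visible.  A self-contained kit
    usually shows up as a single such root."""
    hidden_set = set(hidden)
    return sorted(p for p in hidden if posixpath.dirname(p) not in hidden_set)


def report(live_text: str, live_root: str, offline_text: str, offline_root: str) -> dict:
    """Run the comparison and summarise the hidden subtrees."""
    diff = cross_view_diff(parse_listing(live_text, live_root),
                           parse_listing(offline_text, offline_root))
    diff["hidden_roots"] = hidden_roots(diff["hidden_from_live"])
    return diff


if __name__ == "__main__":
    result = report(LIVE_VIEW, "C:\\", OFFLINE_VIEW, "/mnt/hda1")
    for key, entries in result.items():
        print(f"{key}:")
        for entry in entries:
            print(f"  {entry}")
```

In practice the live listing would come from something like `dir /a /s /b` on the running box and the offline one from `find /mnt/hda1` after a read-only mount; the only assumption the script makes is that both are one path per line with the roots given. Anything reported under hidden_roots is what to hash, run strings over and check against the AV vendor next, exactly as the post goes on to do with the f0r0r directory.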
