I recently received a call from a client who had performance problems on a Windows 2000 server. The server was working extremely slowly and would respond sluggishly when loading applications and documents. The organization was also using this server as a workstation. Best practices dictate that you shouldn’t use the server as a workstation. In the company's original network design, I specified separate workstations for the users, but budget and space constraints forced the company to use the server as a workstation.
Intermittent problems are the most frustrating to solve. Just when you think you’ve fixed the problem, it reappears, which is what happened in this situation: By the time I got to the client's site, the problem had disappeared; shortly after I left, the problem reappeared. I tried updating the server to Win2K Service Pack 4 (SP4), but the problem continued. A complete virus scan of the server turned up nothing. In Windows Task Manager, I noticed multiple copies of svchost.exe running under the Process tab. I did some research on the svchost.exe process and discovered that this file is used as a generic host process for services that run from DLLs. Using Task Manager, I sorted the processes by CPU usage and noticed that one Svchost process in particular was using a lot of CPU cycles. I tried ending the Svchost process, and the server started working as usual. But, whenever someone would log back on to the server or start a Win2K Server Terminal Services session, the Svchost process would reappear and the server would slow down again. I even tried deleting the Svchost file from the C:\winnt\system32 directory, but as soon as someone logged on, the Svchost file would reappear. The problem acts like a virus, but why didn’t the antivirus software catch it? By the time I looked at the problem, it had been ongoing for about a month and the server had the most recent virus pattern. This server was protected from viruses with Symantec's Norton AntiVirus (NAV) Corporate Edition software. I submitted a copy of the Svchost file to Symantec, who determined that the file was infected with a variant of the Backdoor.Beasty virus; Symantec didn't have a pattern to catch this variant.
The scary aspect of this virus is that a kit exists that lets an intruder create variants of the virus. Therefore, intruders can quickly create variants and slip them under the radar of antivirus programs. Backdoor.Beasty creates a backdoor that allows unauthorized access to the infected computer. The virus uses ICQ to notify the intruder that the Trojan horse is running, then opens TCP port 6666 (some variants use port 63117) and waits for a connection. Fortunately, this client had a firewall configured to block ICQ and ports 6666, and 63117, so the intruder was unable to connect to the server. The infected Svchost file was approximately 54KB in size; the noninfected svchost.exe file is 7952 bytes. The virus was smart enough to give the file a date stamp and timestamp the same as the svchost.exe file in the SP4 download. Whenever I suspect a computer is infected with a virus, I check the following entries in the registry:
· HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
· HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
· If the machine is running Windows Server 2003, Windows XP, Win2K, or Windows NT, you should also check HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
I didn’t check the latter registry key, which is the subkey from which the virus was loading. This registry entry caused the infected Svchost to reload every time someone logged on or started a Terminal Services session on the server. After we updated the virus patterns, the antivirus software found and identified the virus as the Backdoor.Beasty virus. The antivirus software picked up svchost.exe, msbooq.com, and mskcfv.com as infected files. I used the instructions at http://securityresponse.symantec.com/avcenter/venc/data/backdoor.beasty.h.html to manually remove the virus from the server. If one of these variants infects a workstation or server, it can cause major damage to the infected machine and possibly other machines on your network. This is another great reason to have a quality, properly configured firewall at your location. I don't know how the machine was originally infected. Possibly software loaded on the server by a user or a downloaded screen saver could have infected the server. I’ll be following up on this machine to try to determine the source of the virus. The good news is that server is now virus-free and working great!
Here's a tip for troubleshooting Win2K services. You can use msconfig.exe from XP to troubleshoot problems on a Win2K machine. By default, msconfig.exe is in C:\windows\PCHealth\HelpCtr\Binaries on an XP machine. Simply copy the msconfig.exe file to the Win2K machine in the directory C:\winnt\system32. Msconfig displays information about the Startup selection, system.ini, win.ini, boot.ini, Services, and Startup. Using settings on the Services tab, you can selectively control which services are started on the machine (e.g., hide all Microsoft services and display only services from other vendors). On the Startup tab, you can view the programs that are automatically loaded at boot up. The filename, load parameters, and registry subkey location are also displayed on the Startup tab. Keep msconfig.exe in mind the next time you have startup problems or need to troubleshoot an XP or Win2K machine.
