ServU-deamon trojan warning with McAfee
From: Fred Blum (h.f.blum_at_marketconnectnospam.nl)
Date: 09/28/04
- Next message: Marina Roos [SBS-MVP]: "Re: << TRENDMICRO USERS - ENSURE YOU HAVE THE SERVICE PACK>>"
- Previous message: SuperGumby [SBS MVP]: "Re: Upgrading to Hardware RAID SBS2000"
- Next in thread: Marina Roos [SBS-MVP]: "Re: ServU-deamon trojan warning with McAfee"
- Reply: Marina Roos [SBS-MVP]: "Re: ServU-deamon trojan warning with McAfee"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 28 Sep 2004 12:04:52 +0200
We found two ServU-deamon trojans on our SBS server. This type of trojan is
NOT detected by default by McAfee VirusScan 4.5 or V7.
Go to http://vil.nai.com/vil/content/v_125021.htm for information on how to
configure V7 to detect this type of program. With 4.5, run the command line
scanner with the /PROGRAM switch:
1. Click the START button
2. Click RUN
3. Type COMMAND and hit ENTER
4. Type:
   c:\progra~1\common~1\networ~1\viruss~1\4.0.xx\scan.exe c: /program /sub
   and hit ENTER.
The first one was picked up by our scanner while not yet running, as svchost.exe in the
directory C:\winnt\system32\spool\nt\svchost.exe. Running a
full scan we found regedit.exe in the system32 directory. This instance was
started as a service in the registry. As a symptom, regedit would not start.
This problem occurred about half a year ago. So for half a year we have
been running an FTP server on our server.
The question is how we became infected? And what damage can they do running an
FTP server on our SBS box?
The regedit.exe infection occurred around the time the Sasser patch became
available. According to the MS site our server was infected. Our virus scan
software didn't pick up this infection although the DAT file included the
description for Sasser. So during the time of Sasser and the patch becoming
available we could have been infected.
How did svchost.exe infect our system? We are fully patched and our
virus scanner is up to date. The FTP trojan could be the cause. But what would
be the point in loading two FTP trojans? According to our System Integrator,
visiting a website with IE on this server could be a cause as well. IE is only
used as an exception while visiting the Microsoft site to look up the
techdocs. On that day I made a typo and ended up at the www.micorsoft.com
website. IE is patched as well to the latest level.
ISA, SQL and Exchange are patched to the latest level. I'm worried that ISA
is not doing a sufficient job. Is there a best practice tool for ISA? Or a
document on which ports need to be opened and for what reason? How can specific
ports be made stealth?
TIA,
Regards,
Fred
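The two indicators described in the post (a svchost.exe sitting outside %SystemRoot%\System32 and a regedit.exe registered as a service) can be checked mechanically against the service ImagePath values from the registry. The script below is an added example, not part of the original post; the SERVICES list is constructed sample data, and the SYSTEM_ROOT value and service names are assumptions.

```python
"""Audit service ImagePath values for the two indicators from the post:
svchost.exe started from a directory other than %SystemRoot%\\System32,
and regedit.exe (a GUI tool, never a service) registered as a service.
Constructed input; on a live host the pairs would be read from
HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name>\\ImagePath."""
import ntpath
import re

SYSTEM_ROOT = r"C:\WINNT"  # assumption: Windows 2000 / SBS 2000 default

# Binaries that Windows itself only starts from %SystemRoot%\System32
# (on 64-bit Windows a SysWOW64 copy also exists; not modelled here).
SYSTEM_ONLY = {"svchost.exe"}
# Binaries that should never be the image of a service at all.
NEVER_A_SERVICE = {"regedit.exe"}

# Constructed sample: two legitimate entries and the two indicators.
SERVICES = [
    ("RpcSs", r"%SystemRoot%\system32\svchost.exe -k rpcss"),
    ("Spooler", r"%SystemRoot%\system32\spoolsv.exe"),
    ("ServU", r"C:\winnt\system32\spool\nt\svchost.exe"),
    ("RegSvc", r'"C:\winnt\system32\regedit.exe" /s'),
]


def image_exe(image_path):
    """Return the executable path from an ImagePath value, handling
    %SystemRoot% expansion, quoted paths and trailing arguments."""
    value = re.sub(r"%systemroot%", lambda _: SYSTEM_ROOT, image_path.strip(), flags=re.IGNORECASE)
    if value.startswith('"'):
        exe = value[1:].split('"', 1)[0]
    else:  # unquoted: path ends at the first '.exe' followed by a blank
        match = re.match(r"(.*?\.exe)(\s|$)", value, flags=re.IGNORECASE)
        exe = match.group(1) if match else value.split(" ", 1)[0]
    return ntpath.normpath(exe)


def flag_service(name, image_path):
    """Return a finding string for a suspicious service, else None."""
    exe = image_exe(image_path)
    base = ntpath.basename(exe).lower()
    expected_dir = ntpath.normpath(ntpath.join(SYSTEM_ROOT, "system32")).lower()
    if base in NEVER_A_SERVICE:
        return f"{name}: {base} registered as a service ({exe})"
    if base in SYSTEM_ONLY and ntpath.dirname(exe).lower() != expected_dir:
        return f"{name}: {base} outside System32 ({exe})"
    return None


def audit(services):
    """Run flag_service over (name, ImagePath) pairs; keep only findings."""
    return [f for f in (flag_service(n, p) for n, p in services) if f]


if __name__ == "__main__":
    for finding in audit(SERVICES):
        print(finding)
```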