Re: new virus?

Posted by Alan on May 11, 2007, 8:42 am
Hi Steve,

I'm crossposting this to the microsoft.private.security.spyware.general,
microsoft.private.security.spyware.announcements and the
microsoft.public.security.virus newsgroups.

Maybe someone in one of those groups will have some ideas as to cleaning
this.

At least they will be on the alert that a new virus seems to be making its
way through the 'Net.

Alan


Wife got a fake Blue Mountain ecard yesterday and it looks like when
she clicked through we picked up a virus of some sorts. So far
neither AVG nor Panda detect it - which is worrisome. Here are the
indications.

Running in taskmon was winverr.exe, which was located in \system32\
and time stamped with the correct time for the infection. fport
showed it active on 1029 and 1031 tcp.

I killed the process, removed the startup reg key in HKLM\Software\MS
\Windows\CurrentVersion\Run and rebooted.

Upon reboot, my Firefox.exe file was replaced (same size - 7,455) with
upload.exe and all shortcuts to firefox.exe were updated to
upload.exe. Deleted that, reinstalled Firefox, rebooted, and same
thing - a new upload.exe and firefox.exe is gone.

Looked back in taskmon and now it's cdrwrr.exe running on 1029 and
1031. Netstat showed the processes connecting to 209.51.196.244:80.
Both winverr.exe and cdrwrr.exe were small - about 71k in size.

Other files that have the same timestamp in \system32 are:

default_user_class.dat.LOG
looking at that in textpad shows:
s y s t e m 3 2 \ d e f a u l t _ u s e r _ c l a s s . d a t
>^DIRT˙

and a file called: ulvrsao with the only content displayable in
notepad being: Y2RydnY&

As I mentioned both AVG and Panda report the system clean. The other
suspicious factor is that it seems to be adding a 2nd duplicate letter
at the end of the running process in an attempt to hide itself -
winver.exe to winverr.exe etc.

In Event Viewer under System, I see a couple of these:

Windows Defender Real-Time Protection agent has detected changes.
Microsoft recommends you analyze the software that made these changes
for potential risks. You can use information about how these programs
operate to choose whether to allow them to run or remove them from
your computer. Allow changes only if you trust the program or the
software publisher. Windows Defender can't undo changes that you
allow.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=74409
Scan ID:
User: STEVE-QPGWKTW1R\Steve
Name: Unknown
ID:
Severity: Not Yet Classified
Category: Not Yet Classified
Path Found: clsid:HKLM\SOFTWARE\CLASSES\CLSID\{9A9307A0-7DA4-4DAF-B042-5009F29E09E1};regkey:HKLM\Software\Microsoft\Code Store Database\Distribution Units\\CONTAINS\FILES\C:\WINDOWS\Downloaded Program Files\asinst.dll;regkey:HKLM\Software\Microsoft\Code Store Database\Distribution Units\;regkey:HKLM\SOFTWARE\CLASSES\TYPELIB\.0;regkey:HKLM\SOFTWARE\CLASSES\CLSID\{9A9307A0-7DA4-4DAF-B042-5009F29E09E1};activex:HKLM\Software\Microsoft\Code Store Database\Distribution Units\{9A9307A0-7DA4-4DAF-B042-5009F29E09E1};typelibversion:HKLM\SOFTWARE\CLASSES\TYPELIB\.0;typelib:HKLM\SOFTWARE\CLASSES\TYPELIB\;file:C:\WINDOWS\Downloaded Program Files\asinst.dll
Alert Type: Unclassified software
Detection Type:

2nd:

Scan ID:
User: STEVE-QPGWKTW1R\Steve
Name: Unknown
ID:
Severity: Not Yet Classified
Category: Not Yet Classified
Path Found: driver:RkPavProc
Alert Type: Unclassified software
Detection Type:

3rd:

Scan ID:
User: STEVE-QPGWKTW1R\Steve
Name: Unknown
ID:
Severity: Not Yet Classified
Category: Not Yet Classified
Path Found: regkey:HKCU@S-1-5-21-1454471165-1708537768-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run\\SPOLSV;runkey:HKCU@S-1-5-21-1454471165-1708537768-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Run\SPOLSV;file:C:\WINDOWS\system32\tracerts.exe
Alert Type: Unclassified software
Detection Type:
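The three checks Steve carried out by hand (spotting the doubled-letter process name, pivoting on the file timestamp in \system32, and reading the Defender alert's "Path Found" field) can be written down as a small triage script. The code below is an added example, not something posted in the thread and not part of AVG, Panda, fport or Windows Defender. The file names and registry values are taken from the post; every timestamp, the process list and the inventory of legitimate binary names (KNOWN_STEMS) are constructed for the example and would be replaced by real data from the host and from a clean reference install.

```python
"""Triage helpers for the indicators in the post above (added example).

Three checks the poster did by hand, as functions that run over a process
list, a directory listing and the text of a Windows Defender alert:
  1. flag process names that impersonate a legitimate binary by doubling
     its final letter (winver.exe -> winverr.exe);
  2. pivot on the timestamp of a flagged file to find the files dropped
     alongside it in system32;
  3. split a Defender "Path Found" field into typed indicators so each
     registry key, file or driver can be checked on its own.
Paths and registry values come from the post; every timestamp and the
inventory of legitimate names are constructed for the example.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed inventory of legitimate binary stems. A real run would build it
# from a clean install or a known-good hash set, never from the infected host.
KNOWN_STEMS = {"winver", "spoolsv", "tracert", "svchost", "lsass", "explorer"}

_DOUBLED_TAIL = re.compile(r"^(.*)([a-z0-9])\2$")


def doubled_letter_lookalike(name: str, known=KNOWN_STEMS) -> Optional[str]:
    """Return the legitimate stem that `name` impersonates by repeating its
    last letter (winverr.exe -> "winver"), or None. A genuine name that ends
    in a double letter (lsass.exe) is not flagged, because its shortened
    form "lsas" is not a known binary."""
    stem, _, ext = name.lower().rpartition(".")
    if ext != "exe":
        return None
    m = _DOUBLED_TAIL.match(stem)
    if not m:
        return None
    candidate = m.group(1) + m.group(2)
    return candidate if candidate in known else None


def files_near(listing: Dict[str, datetime], pivot: datetime,
               window: timedelta = timedelta(minutes=2)) -> List[str]:
    """Paths whose modification time lies within +/- `window` of `pivot`."""
    return sorted(p for p, t in listing.items() if abs(t - pivot) <= window)


def parse_path_found(field: str) -> List[Tuple[str, str]]:
    """Split a Defender 'Path Found' field into (type, value) pairs.

    Entries are ';'-separated and each reads 'type:value'. Only the first
    ':' separates, since values such as C:\\WINDOWS\\... contain one too.
    Line breaks inserted by copy-and-paste are removed before splitting."""
    joined = re.sub(r"\s*\n\s*", "", field.strip())
    pairs = []
    for entry in joined.split(";"):
        kind, sep, value = entry.partition(":")
        if sep and kind:
            pairs.append((kind, value))
    return pairs


# Constructed sample input. The file names mirror the post; the times do not.
INFECTION_TIME = datetime(2007, 5, 10, 14, 3, 0)
LISTING = {
    r"C:\WINDOWS\system32\winverr.exe": INFECTION_TIME,
    r"C:\WINDOWS\system32\cdrwrr.exe": INFECTION_TIME + timedelta(seconds=5),
    r"C:\WINDOWS\system32\default_user_class.dat.LOG": INFECTION_TIME + timedelta(seconds=2),
    r"C:\WINDOWS\system32\ulvrsao": INFECTION_TIME + timedelta(seconds=1),
    r"C:\WINDOWS\system32\tracerts.exe": INFECTION_TIME + timedelta(seconds=40),
    r"C:\WINDOWS\system32\winver.exe": datetime(2004, 8, 4, 12, 0, 0),
    r"C:\WINDOWS\system32\kernel32.dll": datetime(2004, 8, 4, 12, 0, 0),
}
PROCESSES = ["explorer.exe", "winverr.exe", "cdrwrr.exe", "lsass.exe", "svchost.exe"]
# The third Defender alert from the post, joined onto a single line.
PATH_FOUND = (
    r"regkey:HKCU@S-1-5-21-1454471165-1708537768-839522115-1003\Software"
    r"\Microsoft\Windows\CurrentVersion\Run\SPOLSV;"
    r"runkey:HKCU@S-1-5-21-1454471165-1708537768-839522115-1003\Software"
    r"\Microsoft\Windows\CurrentVersion\Run\SPOLSV;"
    r"file:C:\WINDOWS\system32\tracerts.exe"
)


def triage(processes=PROCESSES, listing=LISTING, path_found=PATH_FOUND) -> dict:
    """Run the three checks and correlate them: a file that Defender named
    and that also sits in the infection's timestamp window is the strongest
    candidate for removal."""
    lookalikes = {p.lower(): s for p in processes
                  for s in [doubled_letter_lookalike(p)] if s}
    times = [t for p, t in listing.items()
             if p.rsplit("\\", 1)[-1].lower() in lookalikes]
    siblings = files_near(listing, min(times)) if times else []
    indicators = parse_path_found(path_found)
    corroborated = [v for k, v in indicators if k == "file" and v in siblings]
    return {"lookalikes": lookalikes, "siblings": siblings,
            "indicators": indicators, "corroborated": corroborated}


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}:")
        for item in (value.items() if isinstance(value, dict) else value):
            print("   ", item)
```

Note that cdrwrr.exe is not caught by the name heuristic (there is no known "cdrwr" binary to shorten to) but is caught by the timestamp pivot, which is why the two checks are run together; the Defender indicators are the third source, and tracerts.exe shows up in both the alert and the timestamp window.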
