Possible new exploit... Have you seen these?

Posted by Tom Geairn on April 26, 2006, 2:03 pm
When browsing my banking website, I received a "trojan blocked" message
related to "taskdir~.exe". Within a few minutes, my machine was spewing
forth SMTP messages to all variety of hosts.

Luckily, these messages were blocked at the outbound firewall. A quick
perusal of %SYSTEMROOT% shows the following files (see bottom of msg) from
the time of occurrence. Note that although some of these files have the same
name as known trojans, NAV, Windows Defender, and the online safety.live.com
scanner all passed them with flying colors.

The registry was also modified to start the executables with a simple
addition to the run key. I don't yet know if there are any other pieces.

On a virtual test machine, I have confirmed that starting "taskdir.exe"
results in port 25 messages being sent to a variety of endpoints.

filelist:
moogyfly.exe
nvapps.xml
parad.raw.exe
svcp.csv
taskdir.exe
winsub.xml
zlbw.dll
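
The symptom described above (one host suddenly opening SMTP connections to many unrelated destinations, all of them stopped by the outbound firewall) is easy to spot in egress logs if you look for fan-out rather than for any single blocked connection. The following is an added example, not code from the thread or from any tool it mentions; the log layout, addresses and timestamps are constructed, and the window, threshold and relay list are assumptions to tune for your own network.

```python
"""Detect the "SMTP to all variety of hosts" pattern from the post above:
a single internal host opening outbound TCP/25 connections to many distinct
destinations within a short window. Added example, not from the original
thread; the log format and addresses below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a generic "date time action src dst proto dport" layout.
# 192.168.1.20 fans out to six SMTP destinations in five seconds (all denied);
# 192.168.1.30 talks only to the local mail relay 192.168.1.2.
SAMPLE_LOG = """\
2006-04-26 13:58:02 DENY 192.168.1.20 203.0.113.5 TCP 25
2006-04-26 13:58:03 DENY 192.168.1.20 198.51.100.9 TCP 25
2006-04-26 13:58:03 DENY 192.168.1.20 203.0.113.77 TCP 25
2006-04-26 13:58:04 DENY 192.168.1.20 198.51.100.41 TCP 25
2006-04-26 13:58:05 DENY 192.168.1.20 203.0.113.120 TCP 25
2006-04-26 13:58:07 DENY 192.168.1.20 198.51.100.200 TCP 25
2006-04-26 13:59:10 ALLOW 192.168.1.30 192.168.1.2 TCP 25
2006-04-26 13:59:11 ALLOW 192.168.1.30 192.168.1.2 TCP 25
2006-04-26 14:05:00 ALLOW 192.168.1.20 203.0.113.10 TCP 443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<proto>\w+) (?P<dport>\d+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that don't match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "action": m.group("action"),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "proto": m.group("proto"),
            "dport": int(m.group("dport")),
        })
    return events


def smtp_fanout(events, window=timedelta(minutes=5), threshold=5, allowed_relays=()):
    """Return {src: max_distinct_destinations} for sources that reached at least
    `threshold` distinct TCP/25 destinations inside any `window`-long span.
    Denied and allowed attempts both count: a blocked connection is still an
    infected host trying to send mail. Known relays are excluded so a normal
    mail client isn't flagged."""
    by_src = defaultdict(list)
    for e in events:
        if e["proto"] == "TCP" and e["dport"] == 25 and e["dst"] not in allowed_relays:
            by_src[e["src"]].append((e["ts"], e["dst"]))
    hits = {}
    for src, conns in by_src.items():
        conns.sort()
        best, start = 0, 0
        for end in range(len(conns)):
            # slide the window start forward until it is within `window` of conns[end]
            while conns[end][0] - conns[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in conns[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            hits[src] = best
    return hits


if __name__ == "__main__":
    for src, n in smtp_fanout(parse_log(SAMPLE_LOG), allowed_relays={"192.168.1.2"}).items():
        print(f"{src}: {n} distinct SMTP destinations within 5 minutes -> investigate")
```

The relay whitelist matters: a workstation that only ever talks to the corporate mail server on port 25 should never trip this, while a host that, as here, spends seconds trying a spread of external mail servers is the one to pull off the network and image.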


Posted by David H. Lipman on April 26, 2006, 2:11 pm

| When browsing my banking website, I received a "trojan blocked" message
| related to "taskdir~.exe". Within a few minutes, my machine was spewing
| forth SMTP messages to all variety of hosts.
|
| Luckily, these messages were blocked at the outbound firewall. A quick
| perusal of %SYSTEMROOT% shows the following files (see bottom of msg) from
| the time of occurrence. Note that although some of these files have the same
| name as known trojans, NAV, Windows Defender, and the online safety.live.com
| scanner all passed them with flying colors.
|
| The registry was also modified to start the executables with a simple
| addition to the run key. I don't yet know if there are any other pieces.
|
| On a virtual test machine, I have confirmed that starting "taskdir.exe"
| results in port 25 messages being sent to a variety of endpoints.
|
| filelist:
| moogyfly.exe
| nvapps.xml
| parad.raw.exe
| svcp.csv
| taskdir.exe
| winsub.xml
| zlbw.dll

You are infected with the Trojan Troj/Orse or Troj/Tibs
http://www.sophos.com/virusinfo/analyses/trojtibss.html
http://www.sophos.com/virusinfo/analyses/trojorses.html


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go
through your FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS }
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are: Sophos, Trend, McAfee, Kaspersky, Exit this menu, and Reboot the PC.

You can choose to go to each menu item and just download the needed files, or you
can download the files and perform a scan in Normal Mode. Once you have downloaded
the files needed for each scanner you want to use, you should reboot the PC into
Safe Mode [F8 key during boot], re-run the menu, and choose which scanner you want
to run in Safe Mode. It is suggested to run the scanners in both Safe Mode and
Normal Mode.

When the menu is displayed, hitting 'H' or 'h' will bring up a more comprehensive
PDF help file: http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Posted by Tom Geairn on April 26, 2006, 2:34 pm
>
> You are infected with the Trojan Troj/Orse or Troj/Tibs
...> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>

Dave-
Thanks for the quick response. Unfortunately, all of the scanning engines
report these files as clean. I have verified this both on my "connected"
system, and after moving the AV-CLS directory to my safe system. I can the
directory where I have dropped the files, and each of the tools report them
as clean. I think this is some variant, but I don't have earlier sigs to
compare.

-Tom



Posted by David H. Lipman on April 26, 2006, 2:46 pm


| Dave-
| Thanks for the quick response. Unfortunately, all of the scanning engines
| report these files as clean. I have verified this both on my "connected"
| system, and after moving the AV-CLS directory to my safe system. I can the
| directory where I have dropped the files, and each of the tools report them
| as clean. I think this is some variant, but I don't have earlier sigs to
| compare.
|
| -Tom
|

There is NO doubt that you are infected. The files..

parad.raw.exe
taskdir.exe
zlbw.dll

Are known to be Trojans.

Did you scan that quickly? I can't believe you did a full scan of all files on
the PC using at least the McAfee and Sophos modules in the short amount of time
between my post and your subsequent reply.

From your list,

moogyfly.exe
parad.raw.exe
taskdir.exe
zlbw.dll

Please submit a sample of each to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless
told otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:scan@virustotal.com?subject=SCAN

When you get the report, please post back the exact results.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Posted by Tom Geairn on April 26, 2006, 3:00 pm
>
> There is NO doubt that you are infected. The files..
>
> parad.raw.exe
> taskdir.exe
> zlbw.dll
>
> Are known to be Trojans.
>
> Did you scan that quickly? I can't believe you did a full scan of all
> files on the PC using at least the McAfee and Sophos modules in the short
> amount of time between my post and your subsequent reply.
>
> From your list,
>
> moogyfly.exe
> parad.raw.exe
> taskdir.exe
> zlbw.dll
>
> Please submit a sample of each to Virus Total --
> http://www.virustotal.com/flash/index_en.html
> The submission will then be tested against many different AV vendors'
> scanners. That will give you an idea what it is and who recognizes it.
> In addition, unless told otherwise, Virus Total will provide the sample
> to all participating vendors.
>
> You can also submit a suspect, one at a time, via the following email URL...
> mailto:scan@virustotal.com?subject=SCAN
>
> When you get the report, please post back the exact results.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>

Thanks again Dave-

Agreed, no doubt that this is viral. I did not do full scans against the
machine, just scanned the selected directory where the files are.

I also submitted the files to the virustotal website. Results are at the end
of this reply. Since Panda and CA both showed some interest in the files, I went
to their websites and did online scans. The CA site allows specifying a
directory, and it showed all files as clean. The Panda site seems to want
to scan everything; that scan also shows no viruses (it does show some
tracking cookies, but that's not what we're here for).

VirusTotal Results:

STATUS: FINISHED
Complete scanning result of "moogyfly.exe", received in VirusTotal at
04.26.2006, 20:41:13 (CET).

Antivirus Version Update Result
AntiVir 6.34.0.24 04.20.2006 no virus found
Avast 4.6.695.0 04.26.2006 no virus found
AVG 386 04.26.2006 no virus found
Avira 6.34.1.58 04.26.2006 no virus found
BitDefender 7.2 04.26.2006 no virus found
CAT-QuickHeal 8.00 04.26.2006 no virus found
ClamAV devel-20060202 04.26.2006 no virus found
DrWeb 4.33 04.26.2006 no virus found
eTrust-InoculateIT 23.71.139 04.25.2006 no virus found
eTrust-Vet 12.4.2179 04.26.2006 Win32/Sinteri
Ewido 3.5 04.26.2006 no virus found
Fortinet 2.71.0.0 04.26.2006 no virus found
F-Prot 3.16c 04.26.2006 no virus found
Ikarus 0.2.59.0 04.26.2006 no virus found
Kaspersky 4.0.2.24 04.26.2006 no virus found
McAfee 4749 04.26.2006 no virus found
Norman 5.90.17 04.26.2006 no virus found
Panda 9.0.0.4 04.26.2006 Suspicious file
Sophos 4.05.0 04.26.2006 no virus found
Symantec 8.0 04.26.2006 no virus found
TheHacker 5.9.7.135 04.25.2006 no virus found
UNA 1.83 04.26.2006 no virus found
VBA32 3.11.0 04.26.2006 no virus found


Aditional Information
File size: 6149 bytes
MD5: 21504eff9a24ed70f86c4d471d078555
SHA1: 80f479a9b0a6092499edbd215f872d2ac88c30b1


STATUS: FINISHED
Complete scanning result of "taskdir.exe", received in VirusTotal at
04.26.2006, 20:39:15 (CET).

Antivirus Version Update Result
AntiVir 6.34.0.24 04.20.2006 no virus found
Avast 4.6.695.0 04.26.2006 no virus found
AVG 386 04.26.2006 no virus found
Avira 6.34.1.58 04.26.2006 no virus found
BitDefender 7.2 04.26.2006 no virus found
CAT-QuickHeal 8.00 04.26.2006 no virus found
ClamAV devel-20060202 04.26.2006 no virus found
DrWeb 4.33 04.26.2006 no virus found
eTrust-InoculateIT 23.71.139 04.25.2006 no virus found
eTrust-Vet 12.4.2179 04.26.2006 Win32/Sinteri
Ewido 3.5 04.26.2006 no virus found
Fortinet 2.71.0.0 04.26.2006 no virus found
F-Prot 3.16c 04.26.2006 no virus found
Ikarus 0.2.59.0 04.26.2006 no virus found
Kaspersky 4.0.2.24 04.26.2006 no virus found
McAfee 4749 04.26.2006 no virus found
Norman 5.90.17 04.26.2006 no virus found
Panda 9.0.0.4 04.26.2006 Suspicious file
Sophos 4.05.0 04.26.2006 no virus found
Symantec 8.0 04.26.2006 no virus found
TheHacker 5.9.7.135 04.25.2006 no virus found
UNA 1.83 04.26.2006 no virus found
VBA32 3.11.0 04.26.2006 no virus found


Aditional Information
File size: 51241 bytes
MD5: 198bc23b83cf99d21ae1ac2b32913249
SHA1: f6cb48c4e1f7589868b004bb72fd69cb2fc9addb


STATUS: FINISHED
Complete scanning result of "parad.raw.exe", received in VirusTotal at
04.26.2006, 20:40:47 (CET).

Antivirus Version Update Result
AntiVir 6.34.0.24 04.20.2006 no virus found
Avast 4.6.695.0 04.26.2006 no virus found
AVG 386 04.26.2006 no virus found
Avira 6.34.1.58 04.26.2006 no virus found
BitDefender 7.2 04.26.2006 no virus found
CAT-QuickHeal 8.00 04.26.2006 no virus found
ClamAV devel-20060202 04.26.2006 no virus found
DrWeb 4.33 04.26.2006 no virus found
eTrust-InoculateIT 23.71.139 04.25.2006 no virus found
eTrust-Vet 12.4.2179 04.26.2006 Win32/Sinteri
Ewido 3.5 04.26.2006 no virus found
Fortinet 2.71.0.0 04.26.2006 no virus found
F-Prot 3.16c 04.26.2006 no virus found
Ikarus 0.2.59.0 04.26.2006 no virus found
Kaspersky 4.0.2.24 04.26.2006 no virus found
McAfee 4749 04.26.2006 no virus found
Norman 5.90.17 04.26.2006 no virus found
Panda 9.0.0.4 04.26.2006 Suspicious file
Sophos 4.05.0 04.26.2006 no virus found
Symantec 8.0 04.26.2006 no virus found
TheHacker 5.9.7.135 04.25.2006 no virus found
UNA 1.83 04.26.2006 no virus found
VBA32 3.11.0 04.26.2006 no virus found


Aditional Information
File size: 51241 bytes
MD5: 198bc23b83cf99d21ae1ac2b32913249
SHA1: f6cb48c4e1f7589868b004bb72fd69cb2fc9addb


STATUS: FINISHED
Complete scanning result of "zlbw.dll", received in VirusTotal at
04.26.2006, 20:56:17 (CET).

Antivirus Version Update Result
AntiVir 6.34.0.24 04.20.2006 no virus found
Avast 4.6.695.0 04.26.2006 no virus found
AVG 386 04.26.2006 no virus found
Avira 6.34.1.58 04.26.2006 no virus found
BitDefender 7.2 04.26.2006 no virus found
CAT-QuickHeal 8.00 04.26.2006 no virus found
ClamAV devel-20060202 04.26.2006 no virus found
DrWeb 4.33 04.26.2006 no virus found
eTrust-InoculateIT 23.71.139 04.25.2006 no virus found
eTrust-Vet 12.4.2179 04.26.2006 no virus found
Ewido 3.5 04.26.2006 no virus found
Fortinet 2.71.0.0 04.26.2006 suspicious
F-Prot 3.16c 04.26.2006 no virus found
Ikarus 0.2.59.0 04.26.2006 no virus found
Kaspersky 4.0.2.24 04.26.2006 no virus found
McAfee 4749 04.26.2006 no virus found
NOD32v2 1.1508 04.26.2006 no virus found
Norman 5.90.17 04.26.2006 no virus found
Panda 9.0.0.4 04.26.2006 no virus found
Sophos 4.05.0 04.26.2006 no virus found
Symantec 8.0 04.26.2006 no virus found
TheHacker 5.9.7.135 04.25.2006 no virus found
UNA 1.83 04.26.2006 no virus found
VBA32 3.11.0 04.26.2006 no virus found


Aditional Information
File size: 46592 bytes
MD5: f42601d4ac18bb06d830b6f8e4500adf
SHA1: 66ff00d72ed68fa417638b514610c7cf611ddb90
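
Four pasted reports with twenty-odd rows each are tedious to read by eye, and the one detail that matters most is easy to miss: taskdir.exe and parad.raw.exe have the same size, MD5 and SHA1, so they are one sample under two names, and only eTrust-Vet, Panda and (for zlbw.dll) Fortinet raised anything at all. The script below is an added example, not from the thread or from VirusTotal; it parses reports in the plain-text shape posted above and reports detections per file and hash collisions between uploads. REPORTS reproduces three of the thread's reports with the engine tables abridged to a few rows each; sizes, hashes and verdicts are the ones posted, and the parser tolerates the report's own "Aditional Information" spelling since that is what the service printed.

```python
"""Summarize pasted plain-text VirusTotal reports: per-file detections and uploads
that are the same bytes under two names. Added example; data abridged from the thread."""
import re
from collections import defaultdict

REPORTS = """\
STATUS: FINISHED
Complete scanning result of "taskdir.exe", received in VirusTotal at 04.26.2006, 20:39:15 (CET).

Antivirus Version Update Result
eTrust-Vet 12.4.2179 04.26.2006 Win32/Sinteri
McAfee 4749 04.26.2006 no virus found
Panda 9.0.0.4 04.26.2006 Suspicious file

Aditional Information
File size: 51241 bytes
MD5: 198bc23b83cf99d21ae1ac2b32913249
SHA1: f6cb48c4e1f7589868b004bb72fd69cb2fc9addb

STATUS: FINISHED
Complete scanning result of "parad.raw.exe", received in VirusTotal at 04.26.2006, 20:40:47 (CET).

Antivirus Version Update Result
eTrust-Vet 12.4.2179 04.26.2006 Win32/Sinteri
McAfee 4749 04.26.2006 no virus found
Panda 9.0.0.4 04.26.2006 Suspicious file

Aditional Information
File size: 51241 bytes
MD5: 198bc23b83cf99d21ae1ac2b32913249
SHA1: f6cb48c4e1f7589868b004bb72fd69cb2fc9addb

STATUS: FINISHED
Complete scanning result of "zlbw.dll", received in VirusTotal at 04.26.2006, 20:56:17 (CET).

Antivirus Version Update Result
eTrust-Vet 12.4.2179 04.26.2006 no virus found
Fortinet 2.71.0.0 04.26.2006 suspicious
Sophos 4.05.0 04.26.2006 no virus found

Aditional Information
File size: 46592 bytes
MD5: f42601d4ac18bb06d830b6f8e4500adf
SHA1: 66ff00d72ed68fa417638b514610c7cf611ddb90
"""

FILE_RE = re.compile(r'Complete scanning result of "([^"]+)"')
HASH_RE = re.compile(r"^(MD5|SHA1): ([0-9a-f]+)$")
SIZE_RE = re.compile(r"^File size: (\d+) bytes$")
TABLE_HEADER = "Antivirus Version Update Result"


def parse_reports(text):
    """One dict per report: file, size, md5, sha1 and an {engine: verdict} table.
    Table rows are 'Engine Version Update Verdict...', so split on the first 3 spaces."""
    reports, cur, in_table = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "STATUS: FINISHED":
            cur = {"file": None, "size": None, "md5": None, "sha1": None, "results": {}}
            reports.append(cur)
            in_table = False
        elif cur is None:
            continue
        elif line == TABLE_HEADER:
            in_table = True
        elif in_table:
            parts = line.split(None, 3)
            if len(parts) == 4:
                cur["results"][parts[0]] = parts[3]
            else:               # blank line ends the table
                in_table = False
        elif FILE_RE.search(line):
            cur["file"] = FILE_RE.search(line).group(1)
        elif HASH_RE.match(line):
            m = HASH_RE.match(line)
            cur[m.group(1).lower()] = m.group(2)
        elif SIZE_RE.match(line):
            cur["size"] = int(SIZE_RE.match(line).group(1))
    return reports


def detections(report):
    """Engines whose verdict was anything other than 'no virus found'."""
    return {e: v for e, v in report["results"].items() if v.lower() != "no virus found"}


def duplicate_samples(reports):
    """File names grouped by MD5 where the same bytes were uploaded under more than one name."""
    by_hash = defaultdict(list)
    for r in reports:
        by_hash[r["md5"]].append(r["file"])
    return {h: names for h, names in by_hash.items() if len(names) > 1}
```

Running `parse_reports(REPORTS)` and feeding the result to `detections` and `duplicate_samples` gives the two facts worth acting on: a low detection count across many engines is consistent with a fresh variant rather than a clean file, and two names sharing one hash means the dropper wrote the same payload twice, so one submission to the vendors covers both.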


