!!WARNING!! the attached is a virus
hexadecimal
June 4th, 2006, 07:37 AM
hey all you cyber fans out there... got a virus floating around
in the zip it's harmless... doesn't execute till you unzip and run the .pif file inside
had a few weird processes show up... AVG email scanner shut down... AVG didn't detect a virus at all *and I just made a post saying I trusted AVG Free too*... guess this is irony at its best.
I clicked it on purpose, I knew what I was getting into.
if anyone has seen this before and can provide the community with info please share... I'm off to Google to look up what I can now.
nihil
June 4th, 2006, 08:15 AM
Hi there hex~ !
Please check out this site and bookmark it for future use ;)
I use it as a "first pass" as it scans a suspect with a variety of AVs and one hopes that their heuristics will give you a clue to what you are dealing with. Obviously this is very handy if you are dealing with a new variant?
AntiVir : Found nothing
ArcaVir : Found nothing
Avast : Found nothing
AVG Antivirus : Found nothing
BitDefender : Found nothing
ClamAV : Found nothing
Dr.Web : Found Win32.HLLW.MyBot.based
F-Prot Antivirus : Found nothing
Fortinet : Found nothing
Kaspersky Anti-Virus : Found Backdoor.Win32.SdBot.aad
NOD32 : Found a variant of IRC/SdBot
Norman Virus Control : Found W32/SDBot.AEJN
UNA : Found nothing
VirusBuster : Found nothing
VBA32 : Found nothing
There ya go :D
Incidentally, I fed it the raw zip file. IIRC AVG doesn't handle .zips very well...........it catches the beast when you release it?
EDIT: this is the site:
http://virusscan.jotti.org/
EDIT #2:
EWIDO does not spot it either...............I have sent them the file..............I will work through the others today ;)
Ignatius
June 4th, 2006, 10:14 AM
McAfee found nothing either.
.:front2back:.
June 4th, 2006, 10:33 AM
Norton Internet Security Suite picked it up straight after I downloaded the .zip file.
Gave me the option of Delete, Delete and Delete
f2B
c0br4
June 4th, 2006, 12:47 PM
That's interesting: now when you open it with WinRAR, under the "filetype" column it says "Shortcut to MS-DOS Program" rather than image file or similar. Oh, and if anyone wants to play around with things like this and doesn't have a spare machine, try using a program called Deep Freeze; as soon as you reboot the PC any changes you have made to the HDD are reverted, including viruses.
nihil
June 4th, 2006, 02:50 PM
There is another service out there called "virustotal"
Complete scanning result of "picture005.zip", received in VirusTotal at 06.04.2006, 14:36:57 (CET).
Antivirus Version Update Result
AntiVir 6.34.1.37 06.03.2006 no virus found
Authentium 4.93.8 06.02.2006 no virus found
Avast 4.7.844.0 06.02.2006 no virus found
AVG 386 06.02.2006 no virus found
BitDefender 7.2 06.04.2006 no virus found
CAT-QuickHeal 8.00 06.03.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 06.04.2006 no virus found
DrWeb 4.33 06.04.2006 Win32.HLLW.MyBot.based
eTrust-InoculateIT 23.72.26 06.03.2006 no virus found
eTrust-Vet 12.6.2240 06.02.2006 no virus found
Ewido 3.5 06.04.2006 Backdoor.SdBot.aad
Fortinet 2.77.0.0 06.03.2006 no virus found
F-Prot 3.16f 06.02.2006 no virus found
Kaspersky 4.0.2.24 06.04.2006 Backdoor.Win32.SdBot.aad
McAfee 4776 06.02.2006 no virus found
Microsoft 1.1441 06.04.2006 no virus found
NOD32v2 1.1577 06.04.2006 a variant of IRC/SdBot
Norman 5.90.17 06.02.2006 W32/SDBot.AEJN
Panda 9.0.0.4 06.04.2006 Suspicious file
Sophos 4.05.0 06.03.2006 no virus found
Symantec 8.0 06.04.2006 no virus found
TheHacker 5.9.8.154 06.01.2006 no virus found
UNA 1.83 06.02.2006 no virus found
VBA32 3.11.0 06.04.2006 no virus found
Aditional Information
File size: 62509 bytes
MD5: 8e59bcb3102cf4c2e61810282aaf480a
SHA1: 48654fbaeb4a1c199f52b05afa9485a77c08f1a1
VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
Thanks to Soda_Popinski for reminding me................it is a Spanish site, so I did not think to include it.. mea culpa! mea maxima culpa!
;)
Nice to see EWIDO have it onboard since my last post?
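As an added example (not code from this thread, from Jotti or from VirusTotal), a small parser for the multi-engine result tables quoted above. It maps each engine to its verdict, separates a family name from a generic "Suspicious" flag, and lists which engines that missed the dropper (picture005.zip) go on to name the payload. The sample rows are a constructed subset of the two tables in this thread.

```python
import re
from dataclasses import dataclass
# Constructed samples: subsets of the two VirusTotal tables quoted in this thread
# (the picture005.zip dropper, then the wmiapsv.exe it installs).
SCAN_ZIP = """\
Antivirus Version Update Result
AntiVir 6.34.1.37 06.03.2006 no virus found
DrWeb 4.33 06.04.2006 Win32.HLLW.MyBot.based
Panda 9.0.0.4 06.04.2006 Suspicious file
VBA32 3.11.0 06.04.2006 no virus found
"""
SCAN_EXE = """\
Antivirus Version Update Result
AntiVir 6.34.1.37 06.05.2006 Worm/Sdbot.63488.46
DrWeb 4.33 06.05.2006 Win32.HLLW.MyBot.based
Panda 9.0.0.4 06.04.2006 Suspicious file
VBA32 3.11.0 06.05.2006 Backdoor.Win32.SdBot.aad
"""
# One result row: engine, engine version, signature date (DD.MM.YYYY), verdict.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+)$")

@dataclass
class Verdict:
    engine: str
    version: str
    updated: str
    result: str

    @property
    def detected(self) -> bool:
        return self.result.lower() != "no virus found"

    @property
    def named(self) -> bool:
        # A family name, as opposed to a generic heuristic "Suspicious" flag.
        return self.detected and "suspicious" not in self.result.lower()

def parse_report(text: str) -> dict:
    """Map engine -> verdict; header, size and hash lines do not match the regex."""
    rows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows[m.group(1)] = Verdict(*m.groups())
    return rows

def newly_detected(before: dict, after: dict) -> list:
    # Engines that name the family in `after` but did not in `before`.
    return sorted(e for e, v in after.items() if v.named and e in before and not before[e].named)
```

Counting `detected` verdicts over a parsed table gives the detection ratio the thread is arguing about; a heuristic-only flag counts as a detection but not as a name.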
dalek
June 4th, 2006, 04:09 PM
Hhmmm Trend Micro Internet 2006 didn't pick anything up either.... :mad:
ZomBieMann77
June 4th, 2006, 05:05 PM
It's been submitted to Trend Micro
hexadecimal
June 4th, 2006, 06:10 PM
here is a printout of my virus vault in AVG this morning after I turned my computer on.
I have about 14 new procs running... and you have to look at them closely because one will be...
steam.exe *videogames*
staem.exe *virus* <-- clever...
I'm formatting and installing Linux tonight anyway so I'm just gonna see what this thing does... time to run some netstat or Ethereal
what was funny... WinRAR did more to protect my system than AVG did at the time of infection
when I downloaded the file I just double-clicked the program inside and WinRAR said "warning stopping execution of potentially dangerous software" or something along those lines... AVG didn't see a thing till I rebooted
:rolleyes:
!!EDIT!!
Stay off AIM when you are infected with this one... last night all my friends got messages from me saying "Hey man, download these sweet pics of me (picture005.zip)"
turned on Gaim... friends haven't noticed anything.
hexadecimal
June 4th, 2006, 06:30 PM
picture says it all
bk_ghost
June 4th, 2006, 07:22 PM
Not really special, just another virus? Common sense and all that should stop you from getting this. Stop making threads for viruses and the like that aren't unique or special at all.
dalek
June 4th, 2006, 09:49 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=275475#post903423) by bk_ghost
Not really special, just another virus? Common sense and all that should stop you from getting this. Stop making threads for viruses and the like that aren't unique or special at all.
I think it's special enough that quite a few AVs didn't recognise the virus/trojan. I think it was right for the member to start a thread to let everyone know, give a heads up... do you have anything to contribute? :rolleyes:
nihil
June 5th, 2006, 08:45 AM
Ahem!
This is the AntiVirus Discussions forum, isn't it? what are we supposed to discuss here...........my latest nasty little rash? :eek:
Dalek has an excellent point...............a lot of up to date AVs failed to detect this new variant, and many of us on this site get called in to sort out the aftermath of infections. It is helpful to know what is "out there" so to speak.
Several of us will have sent a sample to anti-virus vendors, thus helping to protect the general public.
Stop making threads for viruses and the like that aren't unique or special at all.
I await your analysis of the virus to demonstrate that it does not meet these criteria :rolleyes:
c0br4
June 5th, 2006, 01:29 PM
Well, here is what I have gathered from the virus/trojan/malware/whatever-you-want-to-call-it; however, I never allowed it access to the internet, so I didn't get its full whack.
It seems to install itself as a service in c:\WINDOWS\wmiapsv.exe, not to be confused with C:\WINDOWS\System32\wbem\wmiapsrv.exe
The service calls itself/infects "WMI Performance Adapter"
It continuously tries to communicate with 221x245x42x42.ap221.ftth.ucom.ne.jp [221.245.42.42] on port 4280
I also received the following message from CounterSpy: An attempted change to the Windows Restrict Anonymous setting has been detected. This change will lower your Windows overall security policies. Change: 1
Scanning c:\WINDOWS\wmiapsv.exe with VirusTotal finds a lot more:
Complete scanning result of "wmiapsv.exe", received in VirusTotal at 06.05.2006, 13:32:46 (CET).
Antivirus Version Update Result
AntiVir 6.34.1.37 06.05.2006 Worm/Sdbot.63488.46
Authentium 4.93.8 06.02.2006 no virus found
Avast 4.7.844.0 06.05.2006 no virus found
AVG 386 06.02.2006 no virus found
BitDefender 7.2 06.05.2006 no virus found
CAT-QuickHeal 8.00 06.03.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 06.04.2006 no virus found
DrWeb 4.33 06.05.2006 Win32.HLLW.MyBot.based
eTrust-InoculateIT 23.72.28 06.04.2006 no virus found
eTrust-Vet 12.6.2243 06.05.2006 no virus found
Ewido 3.5 06.05.2006 Backdoor.SdBot.aad
Fortinet 2.77.0.0 06.05.2006 W32/SDBot.AAD!tr.bdr
F-Prot 3.16f 06.02.2006 no virus found
Ikarus 0.2.65.0 06.02.2006 no virus found
Kaspersky 4.0.2.24 06.05.2006 Backdoor.Win32.SdBot.aad
McAfee 4776 06.02.2006 no virus found
Microsoft 1.1441 06.05.2006 no virus found
NOD32v2 1.1579 06.05.2006 a variant of IRC/SdBot
Norman 5.90.17 06.05.2006 W32/SDBot.AEJN
Panda 9.0.0.4 06.04.2006 Suspicious file
Sophos 4.05.0 06.05.2006 no virus found
Symantec 8.0 06.05.2006 no virus found
TheHacker 5.9.8.155 06.05.2006 no virus found
UNA 1.83 06.02.2006 no virus found
VBA32 3.11.0 06.05.2006 Backdoor.Win32.SdBot.aad
Aditional Information
File size: 63488 bytes
MD5: 3be65b88470a97bd11b801311d74a584
SHA1: b6816efb37f034436d13d5929f734c739531a51b
Since I never let it access the address it wanted to, all I did to remove it was run "sfc /scannow" (which may not have been necessary) and disable the service in services.msc
So am I correct in saying that in theory tracking down and taking down 221.245.42.42 would render this virus useless?
dalek
June 5th, 2006, 01:34 PM
looks like it's part of this listing: http://www.mail-archive.com/botnets@whitestar.linuxbox.org/msg00426.html :cool:
ZT3000
June 5th, 2006, 03:57 PM
This is a non-technical account of what's going on when screwing with the trojan file.
During an attempt to download the file from AntiOnline, it gets flagged as a variant of IRC/SdBot trojan.
If I allow the download, once saved, the picture005.zip file gets flagged as a variant of Win32/TrojanDownloader.Adload.NAI.
When doubleclicking on the zipped file, I find the picture005.pif file.
Extracting and double-clicking on the picture005.pif file sends a download command to an Apache server at IP 209.188.31.15, which downloads the comhost.zip file (WinRAR'd), expands it and installs comhost.exe, manager.exe, mc-110-12-0000488.exe and msnupdate.exe.
It installs (among other things) a c:\windows\wmiapsv.exe process at PID 3848 which I killed a couple times (for the fun of it) and a WinRAR self-extracting archive window popped up screaming,
Extracting manager.exe
Extracting mc-110-12-0000488.exe
Extracting msnupdate.exe
CRC failed in msnupdate.exe
Unexpected end of archive
**Whoops....sorry if I punched the Trojan in the eye... My bad!
Basically, the trojan installs a protected kernel process which re-replicates the basic trojan install in case of problems.
Comhost.exe, itself, is a UPX executable and packed with UPX version 1.20.
Comhost.exe contains (and is not limited to) the following:
A S K N E X T V O L G E T P A S S W O R D 1 L I C E N S E D L G R E N A M E D L G R E P L A C E F I L E D L G S T A R T D L G D V C L A L
Some more Comhost.exe fun:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Roshal.WinRAR.WinRAR" type="win32" /> <description>WinRAR archiver.</description> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /> </dependentAssembly> </dependency> </assembly>
****I noticed that this trojan writer has access/used Soft-Ice, a kernel mode debugger which dates back to the late 80's. Evidently he/she/they know a bit about programming.****
For kicks, IP 209.188.31.15 has a few open ports (not all inclusive):
209.188.31.15 80 TCP Server: Apache/1.3.33 (Debian GNU/Linux) PHP/4.3.10-16 World Wide Web HTTP
209.188.31.15 21 TCP File Transfer [Control]
209.188.31.15 22 TCP SSH Remote Login Protocol
209.188.31.15 25 TCP Simple Mail Transfer
209.188.31.15 113 TCP Authentication Service
209.188.31.15 199 TCP SMUX
209.188.31.15 389 UDP Lightweight Directory Access Protocol
209.188.31.15 6838 UDP Possible is used by trojan (UDP) - Mstream
I don't have time today to give a step by step listing of what it actually does, I must get back to work.
Have fun.
ZT3000
June 5th, 2006, 11:25 PM
Some more Comhost.exe fun:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Roshal.WinRAR.WinRAR" type="win32" /> <description>WinRAR archiver.</description> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /> </dependentAssembly> </dependency> </assembly>
After a late afternoon re-read of an earlier post, the section above is merely a header for WinRAR and is not the intended "comhost.exe fun".
Since I posted in a rush this morning and no longer have the virus on disk, I have no idea how this header section was copy/pasted into this thread. It should have been something more enlightening, I would imagine?
Sorry!
jamz
June 24th, 2006, 06:40 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=275475#post903397) by hexadecimal
hey all you cyber fans out there... got a virus floating around
in the zip it's harmless... doesn't execute till you unzip and run the .pif file inside
had a few weird processes show up... AVG email scanner shut down... AVG didn't detect a virus at all *and I just made a post saying I trusted AVG Free too*... guess this is irony at its best.
I clicked it on purpose, I knew what I was getting into.
if anyone has seen this before and can provide the community with info please share... I'm off to Google to look up what I can now.
Norton's detected it.................W32.Spybot.Worm.
nihil
June 24th, 2006, 07:10 PM
jamz
When you see the dates flashing at the top of posts in a thread it means that the thread is old and its content may well have been resolved, or is obsolete. This is a classic example of that:
Norton's detected it.................W32.Spybot.Worm.
Of course it does........................it is three weeks since the virus was reported in this thread! However, if you study the posts more carefully you will see that at the time Symantec (Norton) was one of the numerous major AV players that did not detect it.
;)
Zoxeris
June 25th, 2006, 09:18 AM
ugh nvm
nihil
June 25th, 2006, 09:32 AM
Hi Zoxeris , old chap(esse),
Another bit of advice: one line posts are generally unpopular, particularly if they do not add anything to the discussion in the thread.
;)