Not really special, just another virus? Commong sense and all that should stop you from getting this. Stop making threads for viruses and the like that aren't unique or special at all.
Printable View
Not really special, just another virus? Commong sense and all that should stop you from getting this. Stop making threads for viruses and the like that aren't unique or special at all.
I think it's special enough that quite a few AV's didn't recognise the virus/trojan, I think it was right for the member to start a thread to let everyone know, give a heads up...do you have anything to contribute? :rolleyes:Quote:
Originally posted here by bk_ghost
Not really special, just another virus? Commong sense and all that should stop you from getting this. Stop making threads for viruses and the like that aren't unique or special at all.
Ahem!
This is the AntiVirus Discussions forum, isn't it? what are we supposed to discuss here...........my latest nasty little rash? :eek:
Dalek has an excellent point...............a lot of up to date AVs failed to detect this new variant, and many of us on this site get called in to sort out the aftermath of infections. It is helpful to know what is "out there" so to speak.
Several of us will have sent a sample to anti-virus vendors, thus helping to protect the general public.
Stop making threads for viruses and the like that aren't unique or special at all.
I await your analysis of the virus to demonstrate that it does not meet these criteria :rolleyes:
Well here is what I have gathered from the virus/trojan/malware/what-ever-you-want-to-call-it, however I never allowed this access to the internet so I didn't get its full whack
It seems to install itself as a service in c:\WINDOWS\wmiapsv.exe, not to be confused with C:\WINDOWS\System32\wbem\wmiapsrv.exe
The service calls itself/infects "WMI Performance Adapter"
It continuously tries to communicate with 221x245x42x42.ap221.ftth.ucom.ne.jp [221.245.42.42] on port 4280
I also recieved the following message from counterspy: An attempted change to the Windows Restrict Anonymous setting has been detected. This change will lower your Windows overall security policies. Change: 1
Scanning c:\WINDOWS\wmiapsv.exe with VirusTotal finds alot more:
Since I never let it access the address it wanted to all I did to remove it was run "sfc /scannow" (which may not have been neccesary) and disable the service in services.mscQuote:
Complete scanning result of "wmiapsv.exe", received in VirusTotal at 06.05.2006, 13:32:46 (CET).
Antivirus Version Update Result
AntiVir 6.34.1.37 06.05.2006 Worm/Sdbot.63488.46
Authentium 4.93.8 06.02.2006 no virus found
Avast 4.7.844.0 06.05.2006 no virus found
AVG 386 06.02.2006 no virus found
BitDefender 7.2 06.05.2006 no virus found
CAT-QuickHeal 8.00 06.03.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 06.04.2006 no virus found
DrWeb 4.33 06.05.2006 Win32.HLLW.MyBot.based
eTrust-InoculateIT 23.72.28 06.04.2006 no virus found
eTrust-Vet 12.6.2243 06.05.2006 no virus found
Ewido 3.5 06.05.2006 Backdoor.SdBot.aad
Fortinet 2.77.0.0 06.05.2006 W32/SDBot.AAD!tr.bdr
F-Prot 3.16f 06.02.2006 no virus found
Ikarus 0.2.65.0 06.02.2006 no virus found
Kaspersky 4.0.2.24 06.05.2006 Backdoor.Win32.SdBot.aad
McAfee 4776 06.02.2006 no virus found
Microsoft 1.1441 06.05.2006 no virus found
NOD32v2 1.1579 06.05.2006 a variant of IRC/SdBot
Norman 5.90.17 06.05.2006 W32/SDBot.AEJN
Panda 9.0.0.4 06.04.2006 Suspicious file
Sophos 4.05.0 06.05.2006 no virus found
Symantec 8.0 06.05.2006 no virus found
TheHacker 5.9.8.155 06.05.2006 no virus found
UNA 1.83 06.02.2006 no virus found
VBA32 3.11.0 06.05.2006 Backdoor.Win32.SdBot.aad
Aditional Information
File size: 63488 bytes
MD5: 3be65b88470a97bd11b801311d74a584
SHA1: b6816efb37f034436d13d5929f734c739531a51b
So am I correct in saying that in theory tracking down and taking down 221.245.42.42 would render this virus useless?
looks like it's part of this listing: http://www.mail-archive.com/botnets@.../msg00426.html :cool:
This is a non-technical account of what's going on when screwing with the trojan file.
During attempt to download the file from AntiOnline, it gets flagged as a variant of IRC/SdBot trojan.
If I allow the download, once saved, the picture005.zip file gets flagged as a variant of Win32/TrojanDownloader.Adload.NAI.
When doubleclicking on the zipped file, I find the picture005.pif file.
Extracting and doubleclicking on the picture005.pif file sends a download command to a Apache server at IP 209.188.31.15 which downloads the comhost.zip file (WinRar'd), expands it and installs comhost.exe, manager.exe, mc-110-12-0000488.exe and msnupdate.exe.
It installs (among other things) a c:\windows\wmiapsv.exe process at PID 3848 which I killed a couple times (for the fun of it) and a WinRAR self-extracting archive window popped up screaming,
Extracting manager.exe
Extracting mc-110-12-0000488.exe
Extracting msnupdate.exe
CRC failed in msnupdate.exe
Unexpected end of archive
**Whoops....sorry if I punched the Trojan in the eye... My bad!
Basically, the trojan installs a protected kernel process which re-replicates the basic trojan install in case of problems.
Comhost.exe, itself, is a UPX executable and packed with UPX version 1.20.
Comhost.exe contains (and is not limited to) the following:
A S K N E X T V O L G E T P A S S W O R D 1 L I C E N S E D L G R E N A M E D L G R E P L A C E F I L E D L G S T A R T D L G D V C L A L
Some more Comhost.exe fun:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Roshal.WinRAR.WinRAR" type="win32" /> <description>WinRAR archiver.</description> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /> </dependentAssembly> </dependency> </assembly>
****I noticed that this trojan writer has access/used Soft-Ice, a kernel mode debugger which dates back to the late 80's. Evidently he/she/they know a bit about programming.****
For kicks, IP 209.188.31.15 has a few open ports (not all inclusive):
209.188.31.15 80 TCP Server: Apache/1.3.33 (Debian GNU/Linux) PHP/4.3.10-16 World Wide Web HTTP
209.188.31.15 21 TCP File Transfer [Control]
209.188.31.15 22 TCP SSH Remote Login Protocol
209.188.31.15 25 TCP Simple Mail Transfer
209.188.31.15 113 TCP Authentication Service
209.188.31.15 199 TCP SMUX
209.188.31.15 389 UDP Lightweight Directory Access Protocol
209.188.31.15 6838 UDP Possible is used by trojan (UDP) - Mstream
I don't have time today to give a step by step listing of what it actually does, I must get back to work.
Have fun.
After a late afternoon re-read of an earlier post, the section above is merely a header for WinRAR and is not the intended "comhost.exe fun".Quote:
Some more Comhost.exe fun:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Roshal.WinRAR.WinRAR" type="win32" /> <description>WinRAR archiver.</description> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /> </dependentAssembly> </dependency> </assembly>
Since I posted in a rush this morning and no longer have the virus on disk, I have no idea how this header section was copy/pasted into this thread. It should have been something more enlightning I would imagine?
Sorry!
Nortons detected it.................W32.Spybot.Worm.Quote:
Originally posted here by hexadecimal
hey all you cyber fans out there... got a virus floating around
in the zip its harmless... doesnt execute till you unzip and run the pif file inside
had afew weird processes show up... avg EMAIL scanner shutdown... avg didnt detect a virus at all *and i just made a post saying i trusted AVG free to0*... guess this is irony at its best.
i clicked it on purpose, i knew what i was getting into.
if anyone has seen this before and can provide the community with info please share... im off to google to look up what i can now.
jamz
When you see the dates flashing at the top of posts in a thread it means that the thread is old and its content may well have been resolved, or is obsolete. This is a classic example of that:
Of course it does........................it is three weeks since the virus was reported in this thread! However, if you study the posts more carefully you will see that at the time Symantec (Norton) was one of the numerous major AV players that did not detect it.Quote:
Nortons detected it.................W32.Spybot.Worm.
;)
ugh nvm