** Ok What could this Be? **
Page 1 of 4 123 ... LastLast
Results 1 to 10 of 40

Thread: ** Ok What could this Be? **

  1. #1
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744

    ** Ok What could this Be? **

    Story,

    A friend phoned my up asking for tech help..(shoot the bastard).. His machine was hanging on shutdown.. the file KCfetaic.exe ..

    OS: WinXP pro

    A quick Google revealed nothing.. that don't mean much..

    the i got him to d/l some of my regular tools.. Spybot and adaware were clean reports.. next CWShredder.. it errored half way through and closed out..

    Next the HJT log.. had him email it to me..

    while I perused the HJT log I had him restart in safemode and re-run the scanns including a AVG scann.. clean.

    A scann of the registry for the file name.... no mention.. OK.. Rename the bugger

    now .. lets ahve a look at the Firewall logs.. Zonealarm.. ouch every prog he was using in the last 2 hrs were being blocked.. ?? we are talking about even wrodpad..

    Ok this file may be used by another prog and therefor won't have a registry entry.. so what prog.. I didn'tt get him to d/l a process viewer..


    Location of the File.. c:\windows\system32\ ..0k we renamed it.. and moved it

    Restarted in the machine in Normal mode.. Zonealarm was poping mad. " " program was trying to access the internet?? rechecked taskmon.. no strange entries.. shutdown the machine and restarted.. no problerm.. and no probs with ZA.. Had him run The Cleaner.. only files he had were Istbar.. nothing else ..

    I had him go in and disable a number of unwanted services.. and email me a copy of the renamed file..

    I will post a Ziped version of it here for those who wish to have a look.. a quick look using a hex editor nothing stands out.. the text "instructions" toward the end of the file could be a clue.

    but not being into reverse engineering software.. have a lok if you like.. I will be putting it into my Crash Test Dummy in the next day or so to see what it does if anything..

    Now don't get bitten..


    Cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  2. #2
    Member
    Join Date
    Dec 2001
    Posts
    87
    The strings command under linux comes up with -
    WSAGetLastError
    WSAStartup
    __WSAFDIsSet
    accept
    bind
    closesocket
    connect
    gethostbyname
    htonl
    htons
    inet_addr
    ioctlsocket
    listen
    recv
    select
    send
    socket
    CoCreateInstance
    CLSIDFromString
    CoTaskMemFree
    CoInitialize
    CoUninitialize
    SysAllocString
    DeleteUrlCacheEntry
    FindFirstUrlCacheEntryA
    FindNextUrlCacheEntryA
    ExitProcess
    ExitThread
    ExpandEnvironmentStringsA
    FileTimeToLocalFileTime
    FileTimeToSystemTime
    FindClose
    FindFirstFileA
    FindNextFileA
    FreeLibrary
    GetCommandLineA
    GetCurrentProcessId
    GetCurrentThreadId
    GetExitCodeProcess
    GetExitCodeThread
    GetFileAttributesA
    GetFileSize
    GetFileTime
    GetLocalTime
    GetModuleFileNameA
    GetModuleHandleA
    CloseHandle
    GetProcAddress
    GetSystemDirectoryA
    GetTempPathA
    GetTickCount
    GetTimeZoneInformation
    GetVersion
    GetVersionExA
    GetWindowsDirectoryA
    GlobalMemoryStatus
    CopyFileA
    InterlockedIncrement
    IsBadReadPtr
    IsBadWritePtr
    LoadLibraryA
    CreateDirectoryA
    LocalAlloc
    LocalFree
    OpenFile
    OpenMutexA
    OpenProcess
    PeekNamedPipe
    CreateFileA
    ReadFile
    RemoveDirectoryA
    RtlUnwind
    SetFileAttributesA
    SetFilePointer
    CreateMutexA
    Sleep
    TerminateProcess
    TerminateThread
    TerminateThread
    CreatePipe
    VirtualQuery
    CreateProcessA
    WaitForSingleObject
    WideCharToMultiByte
    WinExec
    WriteFile
    lstrlenA
    lstrlenW
    CreateThread
    DeleteFileA
    GetWindowTextA
    GetWindowRect
    FindWindowA
    GetWindow
    IsWindowVisible
    GetClassNameA
    GetForegroundWindow
    LoadCursorA
    SetTimer
    KillTimer
    RegisterClassA
    GetMessageA
    CreateDesktopA
    SetThreadDesktop
    GetThreadDesktop
    TranslateMessage
    DispatchMessageA
    SendMessageA
    CharUpperBuffA
    OemToCharA
    PostQuitMessage
    ShowWindow
    CreateWindowExA
    DestroyWindow
    DefWindowProcA
    GetStockObject
    DeleteObject
    RegCreateKeyExA
    RegCloseKey
    RegOpenKeyExA
    RegQueryValueExA
    RegSetValueExA
    GetSecurityInfo
    SetSecurityInfo
    SetEntriesInAclA
    _itoa
    __GetMainArgs
    _sleep
    _strcmpi
    _stricmp
    atoi
    exit
    memcpy
    memset
    raise
    rand
    signal
    sprintf
    srand
    sscanf
    strcat
    strchr
    strncmp
    wsock32.dll
    ole32.DLL
    OLEAUT32.DLL
    WININET.DLL
    KERNEL32.DLL
    USER32.DLL
    GDI32.DLL
    ADVAPI32.DLL
    CRTDLL.DLL

    Definitely something network related.

  3. #3
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Dumped it in IDApro. Looks fishy. At first look it indeed uses WinSock and a few registrykeys. Unfortunately some of it is XOR'ed so I don't know what keys and/or what it actually does. I'll get back to you as soon as I know more.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    Senior Member
    Join Date
    Feb 2004
    Posts
    197
    its some type of trojan or hijacker my computers alarm went off and it was trying to change alot of stuff like my home page.

    but neither did my antivirus detect it nor my active anti spy scanners(scans memory)






    im going to do some resarch


    Ps sorry for my spelling

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Undies: Looking at the strings output and hearing what others experience when "playing" with it I would submit it to Symantec or whoever you prefer. It certainly doesn't appear kosher.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  6. #6
    Senior Member
    Join Date
    Feb 2004
    Posts
    197
    now its trying to change my home page every 5 minutes

    I atached the results to the file


  7. #7
    Senior Member
    Join Date
    Feb 2004
    Posts
    197
    can some find out how to remove this thing it realy pissing me off it keeps on changeing my home page to about:blank and I am woried because it keeps on trying to turn my autocomplete on (i always have it off becouse password theft trojans use autocomplete)


    can some one hury and find out how to remove it












    sorry for bad spelling

  8. #8
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    No offense... but:

    If you didn't know what you were doing... why did you open it in the first place?
    Any on top of it all... you didn't even use a test box.
    Its not good to go opening all kinds of attachments... even if they were posted here by a respected member.

    Do you have xp? If so, do a system restore... and pray that it works.

    Or, wait till everyone else knows whats up. I'm sure they'll update their findings.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    ROFLMAO........

    Seriously, wtf did you think you were doing. You had been told that it was, (at an absolute minimum), "odd"..... You were told it wasn't recognized by the "standard" tools as anything special therefore there would be no automated removal tool. It doesn't seem like you were running regmon, filemon etc. so your could track what it did and reverse it yourself yet you still went and installed it on a "production" box.

    No offense but I really have no sympathy.... Computer security isn't about blindly trying things to see what they do. It is about controlling the environment and logging and tracking events to determine what _exactly_ goes on so that it might be able to be reversed or mitigated. In extreme circumstances that might mean restoring the entire drive from a pre-made image, (such as on a "lab-rat" box that can be destroyed and rebuilt with no loss). Your "production" box isn't the place to be messing with things you don't understand.

    I just hope others read this and don't make the same silly mistake you just did.... At least then your foolishness will have benefitted someone here......
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  10. #10
    Senior Member
    Join Date
    Feb 2002
    Posts
    1,210
    LOL (@disturb) you gotta be kidding me. try running hijackthis now disturb and post your log.

    I haven't had time to run it through my trojan scanners yet.. that box keeps on blue screening me.. I have bad memory in it and limp by.. but now on one of my kids boxes i ran it thorugh pestpatrol's advanced analyze a file feature and indeed it does want to connect to the net..

    here's the output from pestpatrol

    File: C:\UTIL\virustemp\Kcfepaic.exe
    Size: 201,728 bytes
    Pest: Not a known pest
    MD5: 77930adafd715fc68860f615743f51b5
    Running/Active?: No.
    Creation Date: 04/13/2004
    Last Write: 04/13/2004
    DLLs Referenced: wsock32.dll
    Text: .hqojh jx-E: -U:g/ WI A EC1VJ ox.p ox.ph /Dpi Dpi Dpi p3xop;xhp0x OF Q.U.LK,c OF.Z-R. XA2xg5E OF.Up .UpDG C6u E3Xo 1gPsu PSUA r.A6H 2J6o Fu r.B6O p1I 3Xa; ,I.UpX ;a WSAGetLastError WSAStartup WSAFDIsSet accept bind closesocket connect gethostbyname htonl htons inet addr ioctlsocket listen recv select send socket CoCreateInstance CLSIDFromString CoTaskMemFree CoInitialize CoUninitialize SysAllocString DeleteUrlCacheEntry FindFirstUrlCacheEntryA FindNextUrlCacheEntryA ExitProcess ExitThread ExpandEnvironmentStringsA FileTimeToLocalFileTime FileTimeToSystemTime FindClose FindFirstFileA FindNextFileA FreeLibrary GetCommandLineA GetCurrentProcessId GetCurrentThreadId GetExitCodeProcess GetExitCodeThread GetFileAttributesA GetFileSize GetFileTime GetLocalTime GetModuleFileNameA GetModuleHandleA CloseHandle GetProcAddress GetSystemDirectoryA GetTempPathA GetTickCount GetTimeZoneInformation GetVersion GetVersionExA GetWindowsDirectoryA GlobalMemoryStatus CopyFileA InterlockedIncrement IsBadReadPtr IsBadWritePtr LoadLibraryA CreateDirectoryA LocalAlloc LocalFree OpenFile OpenMutexA OpenProcess PeekNamedPipe CreateFileA ReadFile RemoveDirectoryA RtlUnwind SetFileAttributesA SetFilePointer CreateMutexA Sleep TerminateProcess TerminateThread CreatePipe VirtualQuery A CreateProcessA WaitForSingleObject WideCharToMultiByte WinExec WriteFile lstrlenA lstrlenW CreateThread DeleteFileA GetWindowTextA GetWindowRect FindWindowA GetWindow IsWindowVisible GetClassNameA GetForegroundWindow LoadCursorA SetTimer KillTimer RegisterClassA GetMessageA CreateDesktopA SetThreadDesktop GetThreadDesktop TranslateMessage DispatchMessageA SendMessageA CharUpperBuffA OemToCharA PostQuitMessage ShowWindow CreateWindowExA DestroyWindow DefWindowProcA GetStockObject DeleteObject RegCreateKeyExA RegCloseKey RegOpenKeyExA RegQueryValueExA RegSetValueExA GetSecurityInfo SetSecurityInfo SetEntriesInAclA itoa GetMainArgs sleep strcmpi stricmp atoi exit memcpy memset raise a rand signal sprintf srand sscanf strcat OLEAUT32.DLL WININET.DLL KERNEL32.DLL USER32.DLL ADVAPI32.DLL
    File Type: .exe file.
    Compression: No compression or unknown compression method.
    Language: Unknown Language.
    Notes: Connects to the Internet.
    Caution: Use this automated file analysis with caution. Please do not substitute these results for good judgment.

    after I get back from my tax accountant.. I'll see what other scanners say..
    and maybe try w32dasm..


    edit : ooops.. I hadn't looked at disturb's picture.. looks like he had the same idea as me.. sorry

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides