A interesting find
Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: A interesting find

  1. #1
    Banned
    Join Date
    Apr 2004
    Posts
    843

    A interesting find

    Ok so im useing my moms computer, you know im sitting around doing my usual things then when I try to play d2 I notice its tottaly laged up way more than anything normally expected. So I close that window off and check some things out and I notice some program actually running at a higher rate than the actual game.

    So anyways I end that process and low and behold everything is fine. So what I did after seeing if things where running a bit better I checked for all files that have been modified and stuff today. The only thing that showed up was Nknhpelg.exe which was the screwy program running moments ago. Its located right in windows/system32 ummm so yeah... the odd filename (similiar to ntkrnlpa.exe), the fact that it was running the way it was, and the location is enought to point at and say "malware calling card". Ma's AV isn't up to par either... This is like the 3rd damned time I've fixed this computer alone. Pluse she brought home a computer from work that I basicly fixed also.

    So at first im thinking maybe the game didn't appear messed up just because of performance... maybe this thing was running like that because of some high speed scanning and it was litterally laged instead of just appearing that way. Maybe its a worm... sasser? But whats funny is I remember patching the PC up for mom. Then I also thought maybe it was adware or something but no registry changes were made in IE to change the startpage and stuff. I also don't remember browseing any ad/spyware filled porn sites on this computer today either... I've mainly been on the board all day actually.

    Oh and WDASM seems to crash when I try opening the file with it and checking it out. Odd... very odd indeed. If it weren't for WDASM crashing I'd probably already have a good idea of what it is and what it does.

  2. #2
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    I'm sure you tried google, and I hope you had better luck than I did.
    Your search - Nknhpelg.exe - did not match any documents.
    No pages were found containing "nknhpelg".
    \
    Did a quick look at the symatic site also, but didn't find anything.
    \"Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!\"
    Author Unknown

  3. #3
    Well once sasser is installed, a patch wont fix anything. But the sasser viruses are like "23456_up" or something like that. It does look like a generated name though.

    Norton [strike]picked[/strike] didn't pick up a virus.
    Neither did housecall. And viewing its contents doesn't reveal any files, so maybe its encrypted? Zip passes are easiely cracked, I'm gonna check that out.

    Not encrypted according to passware.

    Hexplorer dissassembled code:
    push eax
    dec ebx
    add eax, 0x6
    add [eax], al
    add [eax], al
    add [eax], al
    add [eax], al
    add [eax], al
    add [eax], al
    add [eax], al
    add [eax], al
    add [eax], al

    whatever the hell that means. It's only 22 bytes, is that enough to do anything more that make a memory leak or something?

  4. #4
    Banned
    Join Date
    Apr 2004
    Posts
    843
    Originally posted here by moxnix
    I'm sure you tried google, and I hope you had better luck than I did.
    Nope and if I did find anything then chances are I wouldn't even be posting this.

    Originally posted here by Soda_Popinsky
    It does look like a generated name though.
    Yeah as I mentioned before the filename could be closely compaired to some NT kernal and sys files within system32 but when I check the properties it doesn't give any discriptions at all. Clearly this does not appear to be some command line tool laying around either.

  5. #5
    AntiOnline n00b
    Join Date
    Feb 2004
    Posts
    665
    Hey Soda

    Norton Picked it up As a Backdoor Trojan Well Mine did Notron 2003 with latest updates. It isen't giving Much Detail of it Just says it is a generic detection for a group of Backdoor Trojan Horses. All the Trojans detected as Backdoor.Trojan have one thing in common: they allow unauthorized access to an infected computer.

    Wll My AVG dosen't Detect anything malicious Nor Does Trend Micro's. Boy o Boy am i glad i have just Purchased Norton Just yesterday and i't Showing it's worth

  6. #6
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    SwordFish_13, Where did you get it from?

    Edit -- Never mind real dumb question...

    Re Edit -- Ok, I got it as Win32.Webber trojan. Image attached.
    \"Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!\"
    Author Unknown

  7. #7
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    Here is what I found on it.
    http://www.srnmicro.com/virusinfo/webber.htm

    Webber is a backdoor Trojan, can be used to steal passwords in the infected system. It arrives as an e-mail attachment. The infected attachment name will be "web.da.us.citi.heloc.pif".
    Also from: http://www.viruslibrary.com/virusinf...y.Win32.Webber(akaHeloc).htm
    Webber is a Win32 trojan program that installs a hidden proxy server on victim machines (with up to 100 connections), reports IP addresses and cached passwords of victim machines to its 'master'. The trojan also downloads (from a URL) and executes other EXE files such as its upgrades.
    Hope this helps, Specialist
    \"Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!\"
    Author Unknown

  8. #8
    Senior Member therenegade's Avatar
    Join Date
    Apr 2003
    Posts
    400
    Why does NAV2003 come up with it when symantec's got nothing on it on its site?

  9. #9
    Senior Member
    Join Date
    Sep 2003
    Posts
    126
    Norton 2004 picked it up as a backdoor Trojan and gave some generic removal instructions.
    They also show this class of Trojans as being around since January 1998 so my guess is that some script kiddie got a hold of the original and modified it. Here’s a link that has what
    Norton
    says about it.
    [Shadow] have you ever noticed work is like a tree full of monkeys you look down and all you see is monkeys below you then you look up and all you see is a bunch of *******s above[/shadow]

  10. #10
    AntiOnline n00b
    Join Date
    Feb 2004
    Posts
    665
    Hi therenegade

    Actually the naming is the problem every AV compny names the virus or trojan according to it's own finding. So every Virus or Trojan might have many names you just searched one of it's name , which norton dosen't seem to have have you tried it's other names Downloader-DI McAfee, TrojanProxy.Win32.Webber.10 KAV, Troj/Webber-A Sophos

    House Call Detects it as : TROJ_AXJ.B

    Here is the info on it on Norton Site Trojan is the same But with different name
    And there is one thing more to it the BloodHound feature of Norton can even detect Virus which are not in it's list but display possible virus like activity or features

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides