Help me investigate trojan from 206.58.237.248

[markml]

Thanks for the info Nihil,

According to Belarc, none of my hotfixes failed verification although a few were unmarked.

[markml]

As an update, I downloaded ClamWin and had it scan the kbdus.exe file, but it didn't detect anything.

[Soda_Popinsky]

Also, I can't tell you why, but I've worked on some cases where proper updates allowed the scanners to pick up more objects that came through exploits (I've seen this in blaster and sasser, can't really say why). Maybe the fact that you are behind on some is impeding on your scans.

[nihil]

Yes, there are some that it cannot positively verify, that is normal. I still find it a useful diagnostic tool to have in the "box" so to speak.

Right, to progress.............kbdus.exe produces no hits on Google, which makes it rather suspicious. On the other hand it has not been recognised as part of any known malware either. "kbdus" as a .dll, or .kbd extension are OK....................they support the US keyboard.

Can you make a copy as a .txt file or zip it and send it to me as a PM (personal message) attachment, so I can take a quick look. You might also like to send a copy to your AV company. Either in the help file or on their website you should find the instructions for submitting suspected malware.

206.58.237.248........................well, well, well...............I ran a "Whois" and "Traceroute" on that address and it appears to be bogus/spoofed, which is not unusual.

Cheers

[markml]

The file kbdus.exe also contains the string ' Marca = "hckdw2003*" ' This seems to be part of some script (possibly VBScript) that is embedded in the executable. There are a bunch of foreign words used floating around in there. The word "marca" means "it marks" in Spanish.

According to Symantec, Trojan.Adwaheck is known to insert hckdw2003* into webpages. Do you think that this is what I havd/had on my system? They also say that Trojan.Adwaheck contains a backdoor with somekind of autoupdate feature, so it may be possible that the version on my system is not yet detected by AV.

I really just want to know what the heck this thing is!

nihil: I sent you a copy of it to look at.

[nihil]

Thanks Mark~

It is definitely a "bad guy" I haven't had chance to give it more than a quick look.

My "call" right now is that it is a variant, which is why the AVs don't find it. The languages are Spanish and German. I guess that the German guy got the Spaniard's source code and modified it. Kinda crafty using a US keyboard like name.

Update feature?.............try looking for uup.bat or " wildcard" and uup.bat on your system

Cheers

EDIT: Please try this link: http://www.trendmicro.com/vinfo/viru...=TROJ_SMALL.AN

There is also a link to run "Housecall" that should deal with it for you

[markml]

The last time I ran HouseCall on it, it didn't detect it. I believe that TROJ_SMALL.AN is the same as Download.Trojan and SillyDl, which has been mentioned in this thread. At least according to http://www3.ca.com/securityadvisor/v....aspx?id=39574 that's true. Also, notice that the filesize is significantly larger than Trend Micro reports. My guess is that the bastard who created this thing had access to the source code of the SillyDl trojan (which I assume is pretty common) and he used some of it.

I guess I'll try forwarding it to my AV company to see what they make of it.

[markml]

Well, they sent a reply saying it's a new virus.

[nihil]

Thanks for the update and also for your very positive feedbacks