Help me investigate trojan from 206.58.237.248 - Page 3
Page 3 of 3 FirstFirst 123
Results 21 to 29 of 29

Thread: Help me investigate trojan from 206.58.237.248

  1. #21
    Junior Member
    Join Date
    Oct 2004
    Posts
    14
    Thanks for the info Nihil,

    According to Belarc, none of my hotfixes failed verification although a few were unmarked.

  2. #22
    Junior Member
    Join Date
    Oct 2004
    Posts
    14
    As an update, I downloaded ClamWin and had it scan the kbdus.exe file, but it didn't detect anything.

  3. #23
    Also, I can't tell you why, but I've worked on some cases where proper updates allowed the scanners to pick up more objects that came through exploits (I've seen this in blaster and sasser, can't really say why). Maybe the fact that you are behind on some is impeding on your scans.

  4. #24
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Yes, there are some that it cannot positively verify, that is normal. I still find it a useful diagnostic tool to have in the "box" so to speak.

    Right, to progress.............kbdus.exe produces no hits on Google, which makes it rather suspicious. On the other hand it has not been recognised as part of any known malware either. "kbdus" as a .dll, or .kbd extension are OK....................they support the US keyboard.

    Can you make a copy as a .txt file or zip it and send it to me as a PM (personal message) attachment, so I can take a quick look. You might also like to send a copy to your AV company. Either in the help file or on their website you should find the instructions for submitting suspected malware.

    206.58.237.248........................well, well, well...............I ran a "Whois" and "Traceroute" on that address and it appears to be bogus/spoofed, which is not unusual.

    Cheers
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  5. #25
    Junior Member
    Join Date
    Oct 2004
    Posts
    14

    A few more clues...

    The file kbdus.exe also contains the string ' Marca = "hckdw2003*" ' This seems to be part of some script (possibly VBScript) that is embedded in the executable. There are a bunch of foreign words used floating around in there. The word "marca" means "it marks" in Spanish.

    According to Symantec, Trojan.Adwaheck is known to insert hckdw2003* into webpages. Do you think that this is what I havd/had on my system? They also say that Trojan.Adwaheck contains a backdoor with somekind of autoupdate feature, so it may be possible that the version on my system is not yet detected by AV.

    I really just want to know what the heck this thing is!

    nihil: I sent you a copy of it to look at.

  6. #26
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Thanks Mark~

    It is definitely a "bad guy" I haven't had chance to give it more than a quick look.

    My "call" right now is that it is a variant, which is why the AVs don't find it. The languages are Spanish and German. I guess that the German guy got the Spaniard's source code and modified it. Kinda crafty using a US keyboard like name.

    Update feature?.............try looking for uup.bat or " wildcard" and uup.bat on your system

    Cheers

    EDIT: Please try this link: http://www.trendmicro.com/vinfo/viru...=TROJ_SMALL.AN

    There is also a link to run "Housecall" that should deal with it for you
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  7. #27
    Junior Member
    Join Date
    Oct 2004
    Posts
    14
    The last time I ran HouseCall on it, it didn't detect it. I believe that TROJ_SMALL.AN is the same as Download.Trojan and SillyDl, which has been mentioned in this thread. At least according to http://www3.ca.com/securityadvisor/v....aspx?id=39574 that's true. Also, notice that the filesize is significantly larger than Trend Micro reports. My guess is that the bastard who created this thing had access to the source code of the SillyDl trojan (which I assume is pretty common) and he used some of it.

    I guess I'll try forwarding it to my AV company to see what they make of it.

  8. #28
    Junior Member
    Join Date
    Oct 2004
    Posts
    14
    Well, they sent a reply saying it's a new virus.

  9. #29
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Thanks for the update and also for your very positive feedbacks
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •