Thread: Axel.DAV Virus or some other Malware

  1. #1
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744

    Axel.DAV Virus or some other Malware

    Greets Guys,

    Have a machine that has been hit with some form of Malware..

    ALL the customer's Files have been deleted.. many of the Program Files Folders have been deleted.. Windows, System and system32 mostly deleted.. A common file in EVERY Folder is AXEL.DAV which has the contents of AXEL Davis..

    The best information I have come up with is a heap of victims.. On this Google Search
    One of the references was to redlof.A VBS virus.. but the Symantec details don't match what I have seen so far..

    I WILL BE REFORMATTING THE HDD.. BUT first I have to recover the customer's Documents and accounting data..

    What I am looking for is some information on the attack vector so I can help the customer prevent this next time.. (besides giving them the drill on BACK UP, Back Up, Back Up)

    BRB..
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi Undies,

    This heap of garbage looks like the culprit for generating it:

    http://www.mailsend-online.com/

    Bloody skiddies

  3. #3
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    ..Ok finally got to the Link.. Bloody ISP (Telstra PigPond) has DNS and routing problems..

    Other than "Run and Hide" I don't see a relevance to Axel.dav?
    All I have found in any of the links in search is people who have found a ton of these files in their system.. from all I have checked so far they are all 1k in size and contain 2 words (Axel Davis)..

    I have not found any virus or worm that is reported to leave such files in people's machines.. just a number of people referring to axel.dav as a virus.. me thinks I will do file recovery on the system - System32, TIF and Email folders (as well as the needed files) I want to know what this sucker is..

    Just finished a HDD Regen scan on the first 15GB of the HDD (160GB hdd) 1 bad sector - repaired - at about the 8GB point.. should be far enough away from system files.. the HDD should be ready by morning ..

    BTW for the look'n peepers..
    System is a Compaq SR1278AN
    P4 3.2GHz
    512Mb PC3200
    160GB SATA
    WinXP Home..

    hmm looks like I need to invest in a SATA to USB adapter or at least a SATA Card (with external cable) for my pc
    ..

    im out for the day.. cheers

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Other than "Run and Hide" I don't see a relevance to Axel.dav?
    There isn't one, but that was the only computer program related entry on the whole of the net

    Seems like some skiddie concoction using a virus generation toolkit and some stuff off that site?

    If you get a chance have a look around for any other file fragments and names, there might be a few more clues..........also, where are the axel.dav files...............does it look as if they overwrote genuine files??

    Cheers

  5. #5
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    Thanks Nihil, I see what you're saying..

    Axel.dav is in every folder.. now here is a bit of information.. ALL folders that remain were created at 3:17 AM of 2 days ago (19th April..it is the 21st in this part of the world ATM)

    If it wasn't for the fact that these machines come with a **** load of software.. I would say the customer had tried to reinstall
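    The observations in the posts above (a marker file in every surviving folder, all about 1k and containing the text "Axel Davis", and every remaining folder created in the same minute) are exactly the things a first-pass triage script should record before the disk is reformatted. The Python below is an added example, not code from the thread or any of its posters: it walks a copy of the tree, lists every marker file with its size and hash, checks that its content matches the reported text, lists folders that do not carry the marker (nihil's question about where the files are and whether they replaced genuine files), and buckets folder timestamps to spot a mass create/delete burst. The directory layout, the file contents and the event time (03:17 on 19 April; the year is an assumption) are constructed for the demo, and directory mtime stands in for the NTFS creation time you would pull from the MFT on the real image.

```python
import hashlib
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

MARKER_NAME = "axel.dav"      # file name reported in the thread, matched case-insensitively
MARKER_TEXT = "Axel Davis"    # content reported in the thread

# Constructed timestamp for the sample tree: 03:17 on 19 April (the year is an assumption, not from the thread).
SAMPLE_EVENT_TIME = int(datetime(2006, 4, 19, 3, 17, tzinfo=timezone.utc).timestamp())


def find_marker_files(root):
    """Return one record per file under root whose name matches MARKER_NAME."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != MARKER_NAME:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            hits.append({
                "path": path,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                # Normalise padding/line endings before comparing with the reported text.
                "matches_text": data.decode("latin-1", "replace").strip() == MARKER_TEXT,
                "mtime": int(os.path.getmtime(path)),
            })
    return hits


def folders_without_marker(root, hits):
    """Directories with no marker file; the thread claims it sits in every remaining folder."""
    marked = {os.path.dirname(h["path"]) for h in hits}
    return sorted(d for d, _dirs, _files in os.walk(root) if d not in marked)


def timestamp_burst(root, bucket_seconds=60):
    """Bucket directory timestamps and return (bucket_start, count) for the busiest bucket.
    Many folders sharing one minute points at a mass create/delete event rather than normal use.
    mtime is a stand-in here; on an NTFS image take the creation times from the MFT instead."""
    counts = Counter()
    for dirpath, _dirs, _files in os.walk(root):
        counts[int(os.path.getmtime(dirpath)) // bucket_seconds * bucket_seconds] += 1
    return counts.most_common(1)[0]


def summarize(root):
    """Run the three checks and return a plain dict suitable for an incident note."""
    hits = find_marker_files(root)
    bucket, count = timestamp_burst(root)
    return {
        "marker_count": len(hits),
        "all_marker_text": all(h["matches_text"] for h in hits),
        "distinct_hashes": len({h["sha256"] for h in hits}),
        "unmarked_dirs": folders_without_marker(root, hits),
        "burst_bucket": bucket,
        "burst_count": count,
    }


def build_sample_tree():
    """Constructed stand-in for the damaged disk: three marked folders plus one untouched folder."""
    root = tempfile.mkdtemp(prefix="axel_triage_")
    layout = {
        "Documents": b"Axel Davis\r\n",                     # padded variant, same text
        "Program Files": b"Axel Davis",
        os.path.join("Program Files", "App"): b"Axel Davis",
    }
    for rel, body in layout.items():
        d = os.path.join(root, rel)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "AXEL.DAV"), "wb") as fh:
            fh.write(body)
    untouched = os.path.join(root, "Untouched")
    os.makedirs(untouched)
    with open(os.path.join(untouched, "report.txt"), "wb") as fh:
        fh.write(b"ordinary user file")
    # Set timestamps last, since creating children updates a directory's mtime.
    for rel in layout:
        os.utime(os.path.join(root, rel), (SAMPLE_EVENT_TIME, SAMPLE_EVENT_TIME))
    later = SAMPLE_EVENT_TIME + 86400
    for d in (root, untouched):
        os.utime(d, (later, later))
    return root


if __name__ == "__main__":
    for key, value in summarize(build_sample_tree()).items():
        print(f"{key}: {value}")
```

    Point the functions at a mounted read-only copy rather than the live disk, and keep the hashes: two marker files with the same visible text but different bytes (padding, line endings) hash differently, which is why the content check normalises before comparing while the hash set is kept separately as evidence.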

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    ..Ok finally got to the Link.. Bloody ISP (Telstra PigPond) has DNS and routing problems..
    Giggling like hell.... ROFLMAO..... Lying on the floor with people attempting to give me Heart Massage.....

    Here, you might want to call....

    Joke.... but it was something that made me laugh..... thanks....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  7. #7
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    A newsletter from late 2003:

    Good Morning to all our Customers.

    Oh sorry.. Good evening if you're with Telstra Bigpond
    ..

    Most common page to not be found.. www.bigpond.com and www.telstra.com
    as we deal direct with Telstra for such things as Mobile and ADSL connections, their online server will be unavailable for hours each day.. so we created a prepaid dialup account with their opposition (Optus), and the server didn't fault.. when asked by a "battery hen" how come we were able to use the server.. our reply.. WE HAVE SWITCHED OUR INTERNET ACCOUNT OVER TO OPTUS.... Yep they "fixed" the problem.... for a couple of days..

    My next problem.. I have run out of UPS... We have had two major power outages in this area in the past 24hrs.. (any area in South East Queensland can now boast a 1hr plus black out per 200hrs, that is not including the 1 to 5min black outs, and the little brownies and surges) Prob was the UPS battery died during the second Blackout .. and the File recovery had failed.. Had to start again..

  8. #8
    AO Part Timer
    Join Date
    Feb 2003
    Posts
    331
    Sounds like there will always be people who are being outsmarted by their computers. Kind of ironic really. We built the things, yet allow them to cause us so much grief.

    off topic

    Skiddies will always be the same nihil.
    Undertaker, I see you are still alive and banging your head against the wall thanks to your customers : )
    Tiger..Tiger..Tiger.... nuff said

    /topic
    Sorry no real help from me. Just wanted to say hello again

    Good to be back guys, good to see you guys are still around

  9. #9
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    Hey look what the cat dragged in!!!

    G'day Dopey... You're still alive.. Nice to see your return..

    BTW: Customers always assure a fresh supply of problems..stories and grief..

    ciao

  10. #10
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi Undies~

    This one is rather interesting, and possibly a bit concerning?

    It has obviously been around for some time (6 months plus?), but is not mentioned by ANY of the AV or anti-malware shops?

    I suspect that it is not a conventional virus/trojan/worm as we know them? As it has not raised attention.

    On the face of it, it looks more like some sort of direct vandal attack rather than something that attempts to replicate itself? Which is why I suggested a generation toolkit plus some of the stuff on that site I mentioned earlier.

    That would suggest either e-mail or P2P as the vector to me.

    Was your customer using an up to date AV and firewall?

    I would be inclined to install RegistryProt as a preventative measure, also something like ScriptDefender from AnalogX (intercepts VBS, Java and the like and opens them in notepad)

    http://www.analogx.com/welcome.htm

    Please see if you can find any more trace evidence

    My current suspicion is that your customer has p1$$ed someone off on AIM/IRC or whatever, and got this as a result.............

    Hi dopey~ where have you been hiding?
