Thread: Virus - revopdo-A

#1 Senior Member (Join Date: Feb 2002, Posts: 130)

Virus - revopdo-A

    Hiya,

We have just found a file on one of our machines that has what Sophos has identified as troj/revopdo-A. There does not seem to be much info about this around; I have spoken to Sophos and they are sending it to their labs. It seems to have dropped the file do.exe in the root of the C: drive on a Win98 SE box. Our proxy does not allow downloading of executable files, so IE (the usual suspect) is pretty much out. The thing is, Sophos don't currently seem to know how it spreads from what the guy said to me; won't have a chance to check it out more till later. Any adventurous people out there fancy having a look at a copy if I upload it?

#2 Und3ertak3r, The Doctor (Join Date: Apr 2002, Posts: 2,744)
    Do you have any of these files on the machine..

    c:\do.exe
    cmpi.exe
    programfilesdir+\over.exe
    programfilesdir+\pup.exe
    stimem.exe
    syscm.exe
    systemroot+\buddy.exe
    systemroot+\pup.exe
    systemroot+\system\allbackf.exe
    systemroot+\system\cctresa.exe
    systemroot+\system\dvdq.exe
    systemroot+\system\hellexts.exe
    systemroot+\system\lb32v.exe
    systemroot+\system\lethk32o.exe
    systemroot+\system\m20f.exe
    systemroot+\system\mcompata.exe
    systemroot+\system\msdmodw.exe
    systemroot+\system\nternati.exe
    systemroot+\system\ommdlgc.exe
    systemroot+\system\pg2spltm.exe
    systemroot+\system\prservm.exe
    systemroot+\system\sound3dd.exe
    systemroot+\system\sratelcm.exe
    systemroot+\system\storesp.exe
    systemroot+\system\taigfxi.exe
    systemroot+\system\winpup32.exe
    systemroot+\system\ysinfos.exe
    systemroot+\system32\_932c.exe
    systemroot+\system32\20444887.exe
    systemroot+\system32\23777407.exe
    systemroot+\system32\24065798.exe
    systemroot+\system32\25199526.exe
    systemroot+\system32\27032107.exe
    systemroot+\system32\39197939.exe
    systemroot+\system32\4026430.exe
    systemroot+\system32\61692446.exe
    systemroot+\system32\64075869.exe
    systemroot+\system32\6904238.exe
    systemroot+\system32\73934572.exe
    systemroot+\system32\75082033.exe
    systemroot+\system32\77946108.exe
    systemroot+\system32\8439272.exe
    systemroot+\system32\92135256.exe
    systemroot+\system32\96062868.exe
    systemroot+\system32\astapir.exe
    systemroot+\system32\en2232v.exe
    systemroot+\system32\input8d.exe
    systemroot+\system32\inverw.exe
    systemroot+\system32\mdrvm.exe
    systemroot+\system32\onsolec.exe
    systemroot+\system32\ppmgra.exe
    systemroot+\system32\winpup.exe
    systemroot+\system32\winpup32.exe
    systemroot is usually c:\windows on a win98 system btw..

And if you do... cancel your support contract with Sophos, and check this link:
http://www3.ca.com/securityadvisor/p...x?id=453075331
If these files don't exist...
What have you done to analyse this bug? If Sophos can name it, they must have some idea of the files it produces and some of its registry entries... AND THEY HAVEN'T HAD YOU SEARCH FOR THESE???

Also, are you sure of the name? Sure it isn't REVOP.xx??? Do a Google on revop and have a fiddle with the hits.

Yes, password-zip the file and upload it. Let us have a play.
"Consumer technology now exceeds the average person's ability to comprehend how to use it... give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

#3 Senior Member (Join Date: Feb 2002, Posts: 130)

I have not really done a lot of looking at it at the moment; am a bit snowed under, just took the machine off the network. No, Sophos did not get me to look for any of those files; in fact they did not even seem to know it was an alias for anything. I will have a look for those files in a few mins, thanks. I have attached the offending file.


    [edit]

I have searched for those files; no sign that I can see, and also none of those processes running.

> Also, are you sure of the name? Sure it isn't REVOP.xx??? Do a Google on revop and have a fiddle with the hits.

The name is definite; it refers to this article on the Sophos site:

    http://www.sophos.com/virusinfo/anal...jrevopdoa.html

As you can see, they say it has only been detected since yesterday, which is quite disturbing. One of the most disturbing things is how did it get there? All HTTP traffic goes through our proxy (Squid) and executables are disallowed, unless we missed some obscure one that this thing uses as a dropper.

#4 nihil, Senior Member (Join Date: Jul 2003, Location: United Kingdom: Bridlington, Posts: 17,188)
    Hi,

    I just tested it with AVG 7.0 (Grisoft) and it recognised it as "Trojan Horse Downloader Revop.A"

    Picked it up in the .zip, .exe and even as a .txt file.

I will have to try it on another machine, as something (not sure what) on this one won't even let me open it as a .txt file... it says I don't have authority (I am the bloody administrator!)

    It is a downloader, so it is part of something else. The interesting part is to find out where it is going and what it is trying to download from that site.

    AVG don't give any details either. I suspect that is because the code can be used to download pretty much anything, so it would be misleading and potentially dangerous to cite specific files and processes?

    Cheers

EDIT:
> and Executables are disallowed

How do you detect them? Would you detect a compressed executable?

    EDIT#2:

    This link may interest you:

    http://www.bleedingsnort.com/blackho...id-acl.include

I have had a look at it: it tries to go to achtungachtung.com and download pup.exe and over.exe.

It puts them both into C:\program files.


#5 nihil, Senior Member (Join Date: Jul 2003, Location: United Kingdom: Bridlington, Posts: 17,188)

Some more links (hence the double post):

    http://vic.zonelabs.com/tmpl/body/CA....jsp?VId=38866

    http://www.trendmicro.com/vinfo/viru...OP%2EA&VSect=P

    http://www.webservertalk.com/archive...4-2-87278.html

    I am not surprised that the files were not loaded as the achtungachtung website has been dead for ages.


#6 Senior Member (Join Date: Feb 2002, Posts: 130)

> How do you detect them? Would you detect a compressed executable?

Don't laugh, Nihil, it just does it based on a list of file extensions. The people at my place are not usually malicious, and it just stops things being automatically downloaded without their knowledge if there happens to be another unpatched IE bug.

> I just tested it with AVG 7.0 (Grisoft) and it recognised it as "Trojan Horse Downloader Revop.A"

I am at home now and I have AVG here too, same result. The scary thing is that this machine does a full scan every day and it has not been picked up until today. I am wondering if the file is very slightly different to the original but close enough that most AVs pick it up, just not Sophos apparently.

Very interesting indeed, thanks for that; simple but effective, just the way I like it.

> Some more links (hence the double post)

Much appreciated.
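The exchange in #4 and #6 turns on the difference between blocking by file extension and blocking by content: an extension list stops do.exe but passes the same bytes renamed to do.txt or wrapped in a .zip. The following is an added example, not code from the thread or from Squid, showing the content check a proxy-side filter (for instance an ICAP or download-scanning hook) would apply instead: it looks for the DOS "MZ" stub whose e_lfanew field points at a "PE\0\0" signature, and it opens ZIP archives to inspect their members, treating anything it cannot inspect (encrypted members, oversized members, archives nested deeper than the limit) as suspect. The extension list and the sample files are constructed for the example and are assumptions, not the original poster's configuration or the actual trojan.

```python
import io
import struct
import zipfile

# Hypothetical extension deny-list standing in for the proxy's list (assumption).
BLOCKED_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat"}


def blocked_by_extension(filename: str) -> bool:
    """The extension-only rule: blocks do.exe but passes do.txt or do.zip."""
    name = filename.lower()
    return any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS)


def looks_like_pe(data: bytes) -> bool:
    """Content check: a DOS 'MZ' header whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # An e_lfanew past the end of the buffer yields a short slice and fails the compare.
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def contains_executable(data: bytes, max_depth: int = 2,
                        max_member: int = 8 * 1024 * 1024) -> bool:
    """True if data is a PE image or a ZIP archive that holds one.

    Anything that cannot be inspected is treated as suspect: archives nested
    deeper than max_depth, members larger than max_member (zip-bomb guard),
    encrypted members, and archives that fail to parse.
    """
    if looks_like_pe(data):
        return True
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    if max_depth <= 0:
        return True  # nested too deep to look inside; block rather than guess
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.file_size > max_member:
                    return True
                member = zf.read(info)  # raises RuntimeError for encrypted members
                if contains_executable(member, max_depth - 1, max_member):
                    return True
    except (zipfile.BadZipFile, RuntimeError):
        return True
    return False


def classify(filename: str, data: bytes) -> dict:
    """Compare the two policies side by side for one download."""
    return {
        "extension_blocked": blocked_by_extension(filename),
        "content_blocked": contains_executable(data),
    }


# Constructed samples (not the do.exe from the thread): the smallest header
# that satisfies looks_like_pe, and a helper to wrap payloads in a ZIP.
def build_fake_pe() -> bytes:
    hdr = bytearray(b"MZ" + b"\0" * 62)      # 64-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> immediately after the stub
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20


def zip_bytes(member_name: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "do.exe": build_fake_pe(),
        "do.txt": build_fake_pe(),                       # renamed executable
        "do.zip": zip_bytes("do.exe", build_fake_pe()),  # compressed executable
        "notes.zip": zip_bytes("readme.txt", b"nothing to see"),
    }
    for name, blob in samples.items():
        print(name, classify(name, blob))
```

Run stand-alone, the script shows do.txt and do.zip passing the extension rule but failing the content check, while notes.zip passes both. The "block what you cannot inspect" choice is deliberate: a password-protected ZIP (the very thing #2 suggests for sharing samples) is exactly what an extension list and a naive archive scanner both wave through.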
