
Thread: !!WARNING!! the attached is a virus

  1. #11
    Not really special, just another virus? Common sense and all that should stop you from getting this. Stop making threads for viruses and the like that aren't unique or special at all.

  2. #12
    The ******* Shadow dalek's Avatar
    Join Date
    Sep 2005
    Posts
    1,564
    Originally posted here by bk_ghost
    Not really special, just another virus? Common sense and all that should stop you from getting this. Stop making threads for viruses and the like that aren't unique or special at all.
    I think it's special enough that quite a few AV's didn't recognise the virus/trojan, I think it was right for the member to start a thread to let everyone know, give a heads up...do you have anything to contribute?
    PC Registered user # 2,336,789,457...

    "When the water reaches the upper level, follow the rats."
    Claude Swanson

  3. #13
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Ahem!

    This is the AntiVirus Discussions forum, isn't it? What are we supposed to discuss here...........my latest nasty little rash?

    Dalek has an excellent point...............a lot of up to date AVs failed to detect this new variant, and many of us on this site get called in to sort out the aftermath of infections. It is helpful to know what is "out there" so to speak.

    Several of us will have sent a sample to anti-virus vendors, thus helping to protect the general public.


    Stop making threads for viruses and the like that aren't unique or special at all.

    I await your analysis of the virus to demonstrate that it does not meet these criteria

  4. #14
    Well, here is what I have gathered from the virus/trojan/malware/what-ever-you-want-to-call-it; however, I never allowed this access to the internet, so I didn't get its full whack.

    It seems to install itself as a service in c:\WINDOWS\wmiapsv.exe, not to be confused with C:\WINDOWS\System32\wbem\wmiapsrv.exe

    The service calls itself/infects "WMI Performance Adapter"

    It continuously tries to communicate with 221x245x42x42.ap221.ftth.ucom.ne.jp [221.245.42.42] on port 4280

    I also received the following message from CounterSpy: An attempted change to the Windows Restrict Anonymous setting has been detected. This change will lower your Windows overall security policies. Change: 1

    Scanning c:\WINDOWS\wmiapsv.exe with VirusTotal finds a lot more:

    Complete scanning result of "wmiapsv.exe", received in VirusTotal at 06.05.2006, 13:32:46 (CET).

    Antivirus Version Update Result
    AntiVir 6.34.1.37 06.05.2006 Worm/Sdbot.63488.46
    Authentium 4.93.8 06.02.2006 no virus found
    Avast 4.7.844.0 06.05.2006 no virus found
    AVG 386 06.02.2006 no virus found
    BitDefender 7.2 06.05.2006 no virus found
    CAT-QuickHeal 8.00 06.03.2006 (Suspicious) - DNAScan
    ClamAV devel-20060426 06.04.2006 no virus found
    DrWeb 4.33 06.05.2006 Win32.HLLW.MyBot.based
    eTrust-InoculateIT 23.72.28 06.04.2006 no virus found
    eTrust-Vet 12.6.2243 06.05.2006 no virus found
    Ewido 3.5 06.05.2006 Backdoor.SdBot.aad
    Fortinet 2.77.0.0 06.05.2006 W32/SDBot.AAD!tr.bdr
    F-Prot 3.16f 06.02.2006 no virus found
    Ikarus 0.2.65.0 06.02.2006 no virus found
    Kaspersky 4.0.2.24 06.05.2006 Backdoor.Win32.SdBot.aad
    McAfee 4776 06.02.2006 no virus found
    Microsoft 1.1441 06.05.2006 no virus found
    NOD32v2 1.1579 06.05.2006 a variant of IRC/SdBot
    Norman 5.90.17 06.05.2006 W32/SDBot.AEJN
    Panda 9.0.0.4 06.04.2006 Suspicious file
    Sophos 4.05.0 06.05.2006 no virus found
    Symantec 8.0 06.05.2006 no virus found
    TheHacker 5.9.8.155 06.05.2006 no virus found
    UNA 1.83 06.02.2006 no virus found
    VBA32 3.11.0 06.05.2006 Backdoor.Win32.SdBot.aad

    Additional Information
    File size: 63488 bytes
    MD5: 3be65b88470a97bd11b801311d74a584
    SHA1: b6816efb37f034436d13d5929f734c739531a51b
    Since I never let it access the address it wanted to, all I did to remove it was run "sfc /scannow" (which may not have been necessary) and disable the service in services.msc.

    So am I correct in saying that in theory tracking down and taking down 221.245.42.42 would render this virus useless?
    I'm Dying To Find Out The Hard Way
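Two things from the post above that a responder would want to automate: turning the pasted VirusTotal table into a detection count, and spotting a service whose binary name mimics a legitimate Windows binary but sits in the wrong directory (wmiapsv.exe in C:\WINDOWS versus the genuine wmiapsrv.exe in System32\wbem). The following Python is an added example, not code from the thread; the VirusTotal rows and the MD5 are copied from the post, while the service inventory is constructed to resemble what services.msc would have shown on the infected host.

```python
"""Triage helpers for the wmiapsv.exe sample discussed in the thread (added example)."""
import ntpath
import re

# Rows copied from the VirusTotal result pasted in the post (06.05.2006).
VT_TABLE = """\
Antivirus Version Update Result
AntiVir 6.34.1.37 06.05.2006 Worm/Sdbot.63488.46
Authentium 4.93.8 06.02.2006 no virus found
Avast 4.7.844.0 06.05.2006 no virus found
AVG 386 06.02.2006 no virus found
BitDefender 7.2 06.05.2006 no virus found
CAT-QuickHeal 8.00 06.03.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 06.04.2006 no virus found
DrWeb 4.33 06.05.2006 Win32.HLLW.MyBot.based
eTrust-InoculateIT 23.72.28 06.04.2006 no virus found
eTrust-Vet 12.6.2243 06.05.2006 no virus found
Ewido 3.5 06.05.2006 Backdoor.SdBot.aad
Fortinet 2.77.0.0 06.05.2006 W32/SDBot.AAD!tr.bdr
F-Prot 3.16f 06.02.2006 no virus found
Ikarus 0.2.65.0 06.02.2006 no virus found
Kaspersky 4.0.2.24 06.05.2006 Backdoor.Win32.SdBot.aad
McAfee 4776 06.02.2006 no virus found
Microsoft 1.1441 06.05.2006 no virus found
NOD32v2 1.1579 06.05.2006 a variant of IRC/SdBot
Norman 5.90.17 06.05.2006 W32/SDBot.AEJN
Panda 9.0.0.4 06.04.2006 Suspicious file
Sophos 4.05.0 06.05.2006 no virus found
Symantec 8.0 06.05.2006 no virus found
TheHacker 5.9.8.155 06.05.2006 no virus found
UNA 1.83 06.02.2006 no virus found
VBA32 3.11.0 06.05.2006 Backdoor.Win32.SdBot.aad
"""

# Engine, version, dd.mm.yyyy update date, then the free-text result.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.*)$")


def parse_virustotal_table(text):
    """Parse 'Engine Version Update Result' rows into dicts; the header is skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        engine, version, updated, result = m.groups()
        rows.append({"engine": engine, "version": version,
                     "updated": updated, "result": result.strip()})
    return rows


def detection_summary(rows):
    """Split engines into named detections, heuristic-only flags and misses."""
    named, heuristic, missed = [], [], []
    for r in rows:
        res = r["result"].lower()
        if res == "no virus found":
            missed.append(r["engine"])
        elif "suspicious" in res:
            heuristic.append(r["engine"])
        else:
            named.append(r["engine"])
    return {"named": named, "heuristic": heuristic, "missed": missed,
            "flagged": len(named) + len(heuristic), "total": len(rows)}


# The genuine WMI Performance Adapter binary and its directory (from the post).
LEGIT_BINARIES = {"wmiapsrv.exe": r"c:\windows\system32\wbem"}
# MD5 of the sample as reported to VirusTotal in the post.
KNOWN_BAD_MD5 = {"3be65b88470a97bd11b801311d74a584"}


def levenshtein(a, b):
    """Edit distance, used to catch one-letter lookalike file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def service_findings(services):
    """Return (display_name, image_path, reason) for every suspicious service.

    `services` is a list of (display_name, image_path, md5_or_None) tuples.
    """
    findings = []
    for name, path, md5 in services:
        directory, base = ntpath.split(path)
        directory, base = directory.lower().rstrip("\\"), base.lower()
        if md5 and md5.lower() in KNOWN_BAD_MD5:
            findings.append((name, path, "hash matches known-bad sample"))
            continue
        for legit, legit_dir in LEGIT_BINARIES.items():
            if base == legit and directory == legit_dir:
                break  # the real binary in its real location
            if levenshtein(base, legit) <= 1:
                findings.append((name, path, "name mimics %s but path is %s" % (legit, directory)))
                break
    return findings


# Constructed service inventory (hypothetical, modelled on the infected host).
SAMPLE_SERVICES = [
    ("WMI Performance Adapter", r"C:\WINDOWS\System32\wbem\wmiapsrv.exe", None),
    ("WMI Performance Adapter", r"c:\WINDOWS\wmiapsv.exe", None),
    ("Print Spooler", r"C:\WINDOWS\System32\spoolsv.exe", None),
    ("Helper", r"c:\windows\temp\update.exe", "3be65b88470a97bd11b801311d74a584"),
]

if __name__ == "__main__":
    summary = detection_summary(parse_virustotal_table(VT_TABLE))
    print("%d of %d engines flagged the file" % (summary["flagged"], summary["total"]))
    for finding in service_findings(SAMPLE_SERVICES):
        print("SUSPICIOUS: %s -> %s (%s)" % finding)
```

The lookalike check deliberately tolerates one edit so that a missing letter (wmiapsv vs. wmiapsrv) is caught, and treats the genuine binary as clean only when both the name and the directory match; a real inventory would be fed from `sc query` or WMI rather than the constructed list.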

  5. #15
    The ******* Shadow dalek's Avatar
    Join Date
    Sep 2005
    Posts
    1,564
    looks like it's part of this listing: http://www.mail-archive.com/botnets@.../msg00426.html
    PC Registered user # 2,336,789,457...

    "When the water reaches the upper level, follow the rats."
    Claude Swanson

  6. #16
    Senior Member
    Join Date
    Mar 2005
    Posts
    400
    This is a non-technical account of what's going on when screwing with the trojan file.

    During attempt to download the file from AntiOnline, it gets flagged as a variant of IRC/SdBot trojan.
    If I allow the download, once saved, the picture005.zip file gets flagged as a variant of Win32/TrojanDownloader.Adload.NAI.
    When double-clicking on the zipped file, I find the picture005.pif file.

    Extracting and double-clicking on the picture005.pif file sends a download command to an Apache server at IP 209.188.31.15 which downloads the comhost.zip file (WinRAR'd), expands it and installs comhost.exe, manager.exe, mc-110-12-0000488.exe and msnupdate.exe.

    It installs (among other things) a c:\windows\wmiapsv.exe process at PID 3848 which I killed a couple of times (for the fun of it) and a WinRAR self-extracting archive window popped up screaming,
    Extracting manager.exe
    Extracting mc-110-12-0000488.exe
    Extracting msnupdate.exe
    CRC failed in msnupdate.exe
    Unexpected end of archive

    **Whoops....sorry if I punched the Trojan in the eye... My bad!

    Basically, the trojan installs a protected kernel process which re-replicates the basic trojan install in case of problems.

    Comhost.exe, itself, is a UPX executable and packed with UPX version 1.20.
    Comhost.exe contains (and is not limited to) the following:
    A S K N E X T V O L G E T P A S S W O R D 1 L I C E N S E D L G R E N A M E D L G R E P L A C E F I L E D L G S T A R T D L G D V C L A L

    Some more Comhost.exe fun:
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Roshal.WinRAR.WinRAR" type="win32" /> <description>WinRAR archiver.</description> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /> </dependentAssembly> </dependency> </assembly>

    ****I noticed that this trojan writer has access/used Soft-Ice, a kernel mode debugger which dates back to the late 80's. Evidently he/she/they know a bit about programming.****

    For kicks, IP 209.188.31.15 has a few open ports (not all inclusive):

    209.188.31.15 80 TCP Server: Apache/1.3.33 (Debian GNU/Linux) PHP/4.3.10-16 World Wide Web HTTP
    209.188.31.15 21 TCP File Transfer [Control]
    209.188.31.15 22 TCP SSH Remote Login Protocol
    209.188.31.15 25 TCP Simple Mail Transfer
    209.188.31.15 113 TCP Authentication Service
    209.188.31.15 199 TCP SMUX
    209.188.31.15 389 UDP Lightweight Directory Access Protocol
    209.188.31.15 6838 UDP Possible is used by trojan (UDP) - Mstream

    I don't have time today to give a step by step listing of what it actually does, I must get back to work.

    Have fun.
    ZT3000
    Beta tester of "0"s and "1"s"

  7. #17
    Senior Member
    Join Date
    Mar 2005
    Posts
    400
    Some more Comhost.exe fun:
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Roshal.WinRAR.WinRAR" type="win32" /> <description>WinRAR archiver.</description> <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /> </dependentAssembly> </dependency> </assembly>
    After a late afternoon re-read of an earlier post, the section above is merely a header for WinRAR and is not the intended "comhost.exe fun".

    Since I posted in a rush this morning and no longer have the virus on disk, I have no idea how this header section was copy/pasted into this thread. It should have been something more enlightening, I would imagine?

    Sorry!
    ZT3000
    Beta tester of "0"s and "1"s"

  8. #18
    Junior Member
    Join Date
    Jul 2003
    Posts
    23

    Re: !!WARNING!! the attached is a virus

    Originally posted here by hexadecimal
    hey all you cyber fans out there... got a virus floating around

    in the zip it's harmless... doesn't execute till you unzip and run the pif file inside
    had a few weird processes show up... avg EMAIL scanner shutdown... avg didn't detect a virus at all *and i just made a post saying i trusted AVG free too*... guess this is irony at its best.

    i clicked it on purpose, i knew what i was getting into.


    if anyone has seen this before and can provide the community with info please share... i'm off to google to look up what i can now.
    Norton's detected it.................W32.Spybot.Worm.

  9. #19
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    jamz

    When you see the dates flashing at the top of posts in a thread it means that the thread is old and its content may well have been resolved, or is obsolete. This is a classic example of that:

    Norton's detected it.................W32.Spybot.Worm.
    Of course it does........................it is three weeks since the virus was reported in this thread! However, if you study the posts more carefully you will see that at the time Symantec (Norton) was one of the numerous major AV players that did not detect it.


  10. #20
    Junior Member
    Join Date
    Jun 2006
    Posts
    1
    ugh nvm
