** Ok What could this Be? **

[Und3ertak3r]

Story,

A friend phoned my up asking for tech help..(shoot the bastard).. His machine was hanging on shutdown.. the file KCfetaic.exe ..

OS: WinXP pro

A quick Google revealed nothing.. that don't mean much..

the i got him to d/l some of my regular tools.. Spybot and adaware were clean reports.. next CWShredder.. it errored half way through and closed out..

Next the HJT log.. had him email it to me..

while I perused the HJT log I had him restart in safemode and re-run the scanns including a AVG scann.. clean.

A scann of the registry for the file name.... no mention.. OK.. Rename the bugger

now .. lets ahve a look at the Firewall logs.. Zonealarm.. ouch every prog he was using in the last 2 hrs were being blocked.. ?? we are talking about even wrodpad..

Ok this file may be used by another prog and therefor won't have a registry entry.. so what prog.. I didn'tt get him to d/l a process viewer..


Location of the File.. c:\windows\system32\ ..0k we renamed it.. and moved it

Restarted in the machine in Normal mode.. Zonealarm was poping mad. " " program was trying to access the internet?? rechecked taskmon.. no strange entries.. shutdown the machine and restarted.. no problerm.. and no probs with ZA.. Had him run The Cleaner.. only files he had were Istbar.. nothing else ..

I had him go in and disable a number of unwanted services.. and email me a copy of the renamed file..

I will post a Ziped version of it here for those who wish to have a look.. a quick look using a hex editor nothing stands out.. the text "instructions" toward the end of the file could be a clue.

but not being into reverse engineering software.. have a lok if you like.. I will be putting it into my Crash Test Dummy in the next day or so to see what it does if anything..

Now don't get bitten..


Cheers

[owensleftfoot]

The strings command under linux comes up with -
WSAGetLastError
WSAStartup
__WSAFDIsSet
accept
bind
closesocket
connect
gethostbyname
htonl
htons
inet_addr
ioctlsocket
listen
recv
select
send
socket
CoCreateInstance
CLSIDFromString
CoTaskMemFree
CoInitialize
CoUninitialize
SysAllocString
DeleteUrlCacheEntry
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA
ExitProcess
ExitThread
ExpandEnvironmentStringsA
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindFirstFileA
FindNextFileA
FreeLibrary
GetCommandLineA
GetCurrentProcessId
GetCurrentThreadId
GetExitCodeProcess
GetExitCodeThread
GetFileAttributesA
GetFileSize
GetFileTime
GetLocalTime
GetModuleFileNameA
GetModuleHandleA
CloseHandle
GetProcAddress
GetSystemDirectoryA
GetTempPathA
GetTickCount
GetTimeZoneInformation
GetVersion
GetVersionExA
GetWindowsDirectoryA
GlobalMemoryStatus
CopyFileA
InterlockedIncrement
IsBadReadPtr
IsBadWritePtr
LoadLibraryA
CreateDirectoryA
LocalAlloc
LocalFree
OpenFile
OpenMutexA
OpenProcess
PeekNamedPipe
CreateFileA
ReadFile
RemoveDirectoryA
RtlUnwind
SetFileAttributesA
SetFilePointer
CreateMutexA
Sleep
TerminateProcess
TerminateThread
TerminateThread
CreatePipe
VirtualQuery
CreateProcessA
WaitForSingleObject
WideCharToMultiByte
WinExec
WriteFile
lstrlenA
lstrlenW
CreateThread
DeleteFileA
GetWindowTextA
GetWindowRect
FindWindowA
GetWindow
IsWindowVisible
GetClassNameA
GetForegroundWindow
LoadCursorA
SetTimer
KillTimer
RegisterClassA
GetMessageA
CreateDesktopA
SetThreadDesktop
GetThreadDesktop
TranslateMessage
DispatchMessageA
SendMessageA
CharUpperBuffA
OemToCharA
PostQuitMessage
ShowWindow
CreateWindowExA
DestroyWindow
DefWindowProcA
GetStockObject
DeleteObject
RegCreateKeyExA
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
GetSecurityInfo
SetSecurityInfo
SetEntriesInAclA
_itoa
__GetMainArgs
_sleep
_strcmpi
_stricmp
atoi
exit
memcpy
memset
raise
rand
signal
sprintf
srand
sscanf
strcat
strchr
strncmp
wsock32.dll
ole32.DLL
OLEAUT32.DLL
WININET.DLL
KERNEL32.DLL
USER32.DLL
GDI32.DLL
ADVAPI32.DLL
CRTDLL.DLL

Definitely something network related.

[SirDice]

Dumped it in IDApro. Looks fishy. At first look it indeed uses WinSock and a few registrykeys. Unfortunately some of it is XOR'ed so I don't know what keys and/or what it actually does. I'll get back to you as soon as I know more.

[disturb]

its some type of trojan or hijacker my computers alarm went off and it was trying to change alot of stuff like my home page.

but neither did my antivirus detect it nor my active anti spy scanners(scans memory)






im going to do some resarch


Ps sorry for my spelling

[Tiger Shark]

Undies: Looking at the strings output and hearing what others experience when "playing" with it I would submit it to Symantec or whoever you prefer. It certainly doesn't appear kosher.

[disturb]

now its trying to change my home page every 5 minutes

I atached the results to the file

[disturb]

can some find out how to remove this thing it realy pissing me off it keeps on changeing my home page to about:blank and I am woried because it keeps on trying to turn my autocomplete on (i always have it off becouse password theft trojans use autocomplete)


can some one hury and find out how to remove it












sorry for bad spelling

[phishphreek]

No offense... but:

If you didn't know what you were doing... why did you open it in the first place?
Any on top of it all... you didn't even use a test box.
Its not good to go opening all kinds of attachments... even if they were posted here by a respected member.

Do you have xp? If so, do a system restore... and pray that it works.

Or, wait till everyone else knows whats up. I'm sure they'll update their findings.

[Tiger Shark]

ROFLMAO........

Seriously, wtf did you think you were doing. You had been told that it was, (at an absolute minimum), "odd"..... You were told it wasn't recognized by the "standard" tools as anything special therefore there would be no automated removal tool. It doesn't seem like you were running regmon, filemon etc. so your could track what it did and reverse it yourself yet you still went and installed it on a "production" box.

No offense but I really have no sympathy.... Computer security isn't about blindly trying things to see what they do. It is about controlling the environment and logging and tracking events to determine what _exactly_ goes on so that it might be able to be reversed or mitigated. In extreme circumstances that might mean restoring the entire drive from a pre-made image, (such as on a "lab-rat" box that can be destroyed and rebuilt with no loss). Your "production" box isn't the place to be messing with things you don't understand.

I just hope others read this and don't make the same silly mistake you just did.... At least then your foolishness will have benefitted someone here......

[sumdumguy]

LOL (@disturb) you gotta be kidding me. try running hijackthis now disturb and post your log.

I haven't had time to run it through my trojan scanners yet.. that box keeps on blue screening me.. I have bad memory in it and limp by.. but now on one of my kids boxes i ran it thorugh pestpatrol's advanced analyze a file feature and indeed it does want to connect to the net..

here's the output from pestpatrol

File: C:\UTIL\virustemp\Kcfepaic.exe
Size: 201,728 bytes
Pest: Not a known pest
MD5: 77930adafd715fc68860f615743f51b5
Running/Active?: No.
Creation Date: 04/13/2004
Last Write: 04/13/2004
DLLs Referenced: wsock32.dll
Text: .hqojh jx-E: -U:g/ WI A EC1VJ ox.p ox.ph /Dpi Dpi Dpi p3xop;xhp0x OF Q.U.LK,c OF.Z-R. XA2xg5E OF.Up .UpDG C6u E3Xo 1gPsu PSUA r.A6H 2J6o Fu r.B6O p1I 3Xa; ,I.UpX ;a WSAGetLastError WSAStartup WSAFDIsSet accept bind closesocket connect gethostbyname htonl htons inet addr ioctlsocket listen recv select send socket CoCreateInstance CLSIDFromString CoTaskMemFree CoInitialize CoUninitialize SysAllocString DeleteUrlCacheEntry FindFirstUrlCacheEntryA FindNextUrlCacheEntryA ExitProcess ExitThread ExpandEnvironmentStringsA FileTimeToLocalFileTime FileTimeToSystemTime FindClose FindFirstFileA FindNextFileA FreeLibrary GetCommandLineA GetCurrentProcessId GetCurrentThreadId GetExitCodeProcess GetExitCodeThread GetFileAttributesA GetFileSize GetFileTime GetLocalTime GetModuleFileNameA GetModuleHandleA CloseHandle GetProcAddress GetSystemDirectoryA GetTempPathA GetTickCount GetTimeZoneInformation GetVersion GetVersionExA GetWindowsDirectoryA GlobalMemoryStatus CopyFileA InterlockedIncrement IsBadReadPtr IsBadWritePtr LoadLibraryA CreateDirectoryA LocalAlloc LocalFree OpenFile OpenMutexA OpenProcess PeekNamedPipe CreateFileA ReadFile RemoveDirectoryA RtlUnwind SetFileAttributesA SetFilePointer CreateMutexA Sleep TerminateProcess TerminateThread CreatePipe VirtualQuery A CreateProcessA WaitForSingleObject WideCharToMultiByte WinExec WriteFile lstrlenA lstrlenW CreateThread DeleteFileA GetWindowTextA GetWindowRect FindWindowA GetWindow IsWindowVisible GetClassNameA GetForegroundWindow LoadCursorA SetTimer KillTimer RegisterClassA GetMessageA CreateDesktopA SetThreadDesktop GetThreadDesktop TranslateMessage DispatchMessageA SendMessageA CharUpperBuffA OemToCharA PostQuitMessage ShowWindow CreateWindowExA DestroyWindow DefWindowProcA GetStockObject DeleteObject RegCreateKeyExA RegCloseKey RegOpenKeyExA RegQueryValueExA RegSetValueExA GetSecurityInfo SetSecurityInfo SetEntriesInAclA itoa GetMainArgs sleep strcmpi stricmp atoi exit memcpy memset raise a rand signal sprintf srand sscanf strcat OLEAUT32.DLL WININET.DLL KERNEL32.DLL USER32.DLL ADVAPI32.DLL
File Type: .exe file.
Compression: No compression or unknown compression method.
Language: Unknown Language.
Notes: Connects to the Internet.
Caution: Use this automated file analysis with caution. Please do not substitute these results for good judgment.

after I get back from my tax accountant.. I'll see what other scanners say..
and maybe try w32dasm..


edit : ooops.. I hadn't looked at disturb's picture.. looks like he had the same idea as me.. sorry