
Thread: An interesting find

  1. #1

    An interesting find

    Ok so I'm using my mom's computer. You know, I'm sitting around doing my usual things, then when I try to play d2 I notice it's totally lagged up, way more than anything normally expected. So I close that window off and check some things out and I notice some program actually running at a higher rate than the actual game.

    So anyways I end that process and lo and behold everything is fine. So what I did, after seeing if things were running a bit better, I checked for all files that have been modified and stuff today. The only thing that showed up was Nknhpelg.exe, which was the screwy program running moments ago. It's located right in windows/system32, ummm so yeah... the odd filename (similar to ntkrnlpa.exe), the fact that it was running the way it was, and the location is enough to point at and say "malware calling card". Ma's AV isn't up to par either... This is like the 3rd damned time I've fixed this computer alone. Plus she brought home a computer from work that I basically fixed also.

    So at first I'm thinking maybe the game didn't appear messed up just because of performance... maybe this thing was running like that because of some high speed scanning and it was literally lagged instead of just appearing that way. Maybe it's a worm... Sasser? But what's funny is I remember patching the PC up for mom. Then I also thought maybe it was adware or something, but no registry changes were made in IE to change the start page and stuff. I also don't remember browsing any ad/spyware filled porn sites on this computer today either... I've mainly been on the board all day actually.

    Oh, and WDASM seems to crash when I try opening the file with it and checking it out. Odd... very odd indeed. If it weren't for WDASM crashing I'd probably already have a good idea of what it is and what it does.
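The triage the first post does by hand (find what changed today, note where it lives, see whether it is an executable), written up as an added Python example. This is not code from the thread; it sweeps a directory for files modified within the last N hours, hashes each so the digest can be looked up with an AV vendor, and checks whether a file is a PE image by its MZ stub and the PE signature that e_lfanew points at. The directory layout, the file names and the minimal header bytes in `fake_pe_bytes` are constructed for the demo; on a real machine point `recent_files` at the system directory.

```python
import hashlib
import os
import struct
import tempfile
import time
from pathlib import Path


def fake_pe_bytes() -> bytes:
    """Constructed sample: an MZ stub whose e_lfanew points at a PE signature.
    Only the header fields the check below reads are filled in; it is not a real program."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew: file offset of the PE header
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


def looks_like_pe(path: Path) -> bool:
    """True if the file has an MZ stub and e_lfanew points at 'PE\\0\\0'."""
    with path.open("rb") as f:
        if f.read(2) != b"MZ":
            return False
        f.seek(0x3C)
        raw = f.read(4)
        if len(raw) < 4:
            return False
        (e_lfanew,) = struct.unpack("<I", raw)
        f.seek(e_lfanew)
        return f.read(4) == b"PE\x00\x00"


def sha256_of(path: Path) -> str:
    """Hash the whole file in chunks; the digest is what you submit to or look up with a vendor."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def recent_files(root, hours: float = 24, now: float = None):
    """Files under root modified within the last `hours`, oldest first,
    each tagged with its SHA-256 and whether it is a PE image."""
    now = time.time() if now is None else now
    cutoff = now - hours * 3600
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            try:
                st = p.stat()
            except OSError:
                continue  # vanished or unreadable: skip it rather than abort the sweep
            if st.st_mtime < cutoff:
                continue
            hits.append({
                "path": str(p),
                "mtime": st.st_mtime,
                "sha256": sha256_of(p),
                "pe": looks_like_pe(p),
            })
    hits.sort(key=lambda h: h["mtime"])
    return hits


def demo(hours: float = 24):
    """Build a constructed tree in a temp dir (one fresh PE, one fresh text file,
    one PE aged ten days via os.utime) and return (name, is_pe) for the hits."""
    now = time.time()
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "suspect.exe").write_bytes(fake_pe_bytes())
        (root / "notes.txt").write_bytes(b"just text\n")
        old = root / "old.dll"
        old.write_bytes(fake_pe_bytes())
        ten_days_ago = now - 10 * 86400
        os.utime(old, (ten_days_ago, ten_days_ago))
        hits = recent_files(root, hours=hours, now=now)
    return sorted((Path(h["path"]).name, h["pe"]) for h in hits)


if __name__ == "__main__":
    for name, is_pe in demo():
        print(f"{name}: {'PE image' if is_pe else 'not a PE'}")
```

The mtime filter is only a first cut: a file planted with a backdated timestamp, or one that was on the disk long before it started running, will not show up, so the hash and the PE check are there to carry the triage further than "what changed today".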

  2. #2
    moxnix (Macht Nicht Aus), Join Date: May 2002, Location: Huson Mt., Posts: 1,752
    I'm sure you tried Google, and I hope you had better luck than I did.
    Your search - Nknhpelg.exe - did not match any documents.
    No pages were found containing "nknhpelg".
    Did a quick look at the Symantec site also, but didn't find anything.
    "Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
    Author Unknown

  3. #3
    Well, once Sasser is installed, a patch won't fix anything. But the Sasser viruses are like "23456_up" or something like that. It does look like a generated name though.

    Norton [strike]picked[/strike] didn't pick up a virus.
    Neither did HouseCall. And viewing its contents doesn't reveal any files, so maybe it's encrypted? Zip passes are easily cracked, I'm gonna check that out.

    Not encrypted according to passware.

    Hexplorer disassembled code:
    push eax
    dec ebx
    add eax, 0x6
    add [eax], al
    add [eax], al
    add [eax], al
    add [eax], al
    add [eax], al
    add [eax], al
    add [eax], al
    add [eax], al
    add [eax], al

    Whatever the hell that means. It's only 22 bytes, is that enough to do anything more than make a memory leak or something?
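The listing above reads as data once the mnemonics are turned back into bytes: push eax is 50h, dec ebx is 4Bh, add eax, 6 is 05 06 00 00 00, and each "add [eax], al" is two zero bytes. That gives 50 4B 05 06 followed by zeros, and 50 4B 05 06 is the signature of a ZIP end-of-central-directory record; a record with no entries and no comment is exactly 22 bytes, the size given in the post (22 bytes only hold seven of the two-byte zero instructions plus one trailing byte, so the count of nine in the listing is approximate). This added example, mine and not code from the thread, reconstructs those bytes (an assumption about what the hex viewer showed, labelled as such in the code), identifies them by their header before any disassembly, parses the record, and lets the standard library confirm it is a valid empty archive. The general lesson is the one a disassembler crash also hints at: x86 decodes almost any byte sequence as instructions, so check what a file is before reading it as code.

```python
import io
import struct
import zipfile

# Reconstructed (assumption) from the opcodes in the post:
#   push eax      = 50
#   dec ebx       = 4B
#   add eax, 0x6  = 05 06 00 00 00
#   add [eax], al = 00 00 (repeated)
# 50 4B 05 06 is the ZIP end-of-central-directory signature; with 18 zero
# bytes after it the record is exactly 22 bytes, i.e. an empty archive.
RECONSTRUCTED_22_BYTES = b"\x50\x4b\x05\x06" + bytes(18)

EOCD_FORMAT = "<IHHHHIIH"                 # signature + the 7 fixed EOCD fields, little-endian
EOCD_SIZE = struct.calcsize(EOCD_FORMAT)  # 22


def identify(data: bytes) -> str:
    """Coarse file type from the leading bytes. Do this before feeding anything
    to a disassembler: x86 will happily decode data as instructions."""
    if data[:2] == b"MZ":
        return "pe-or-dos-executable"
    if data[:4] == b"PK\x03\x04":
        return "zip-local-file-header"
    if data[:4] == b"PK\x05\x06":
        return "zip-end-of-central-directory"
    return "unknown"


def parse_eocd(data: bytes) -> dict:
    """Decode the fixed part of a ZIP end-of-central-directory record."""
    if len(data) < EOCD_SIZE or data[:4] != b"PK\x05\x06":
        raise ValueError("not an end-of-central-directory record")
    (_sig, disk_no, cd_disk, entries_this_disk, entries_total,
     cd_size, cd_offset, comment_len) = struct.unpack_from(EOCD_FORMAT, data, 0)
    return {
        "disk_no": disk_no,
        "cd_disk": cd_disk,
        "entries_this_disk": entries_this_disk,
        "entries_total": entries_total,
        "cd_size": cd_size,
        "cd_offset": cd_offset,
        "comment_len": comment_len,
    }


def list_entries(data: bytes):
    """Let the standard library read the archive; an EOCD-only file is a valid, empty ZIP."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def make_empty_zip() -> bytes:
    """What Python itself writes for an archive with no members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w"):
        pass
    return buf.getvalue()


if __name__ == "__main__":
    print(identify(RECONSTRUCTED_22_BYTES))
    print(parse_eocd(RECONSTRUCTED_22_BYTES))
    print("members:", list_entries(RECONSTRUCTED_22_BYTES))
    print("same bytes as Python's empty archive:",
          make_empty_zip() == RECONSTRUCTED_22_BYTES)
```

If the reconstruction is right, the 22-byte file that was opened in the hex viewer was an empty archive rather than the program that had been running, which would also explain why it "doesn't reveal any files" and why a disassembler has nothing sensible to show for it.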

  4. #4
    Originally posted here by moxnix
    I'm sure you tried google, and I hope you had better luck than I did.
    Nope, and if I did find anything then chances are I wouldn't even be posting this.

    Originally posted here by Soda_Popinsky
    It does look like a generated name though.
    Yeah, as I mentioned before, the filename could be closely compared to some NT kernel and sys files within system32, but when I check the properties it doesn't give any descriptions at all. Clearly this does not appear to be some command line tool lying around either.

  5. #5
    AntiOnline n00b, Join Date: Feb 2004, Posts: 666
    Hey Soda

    Norton picked it up as a Backdoor Trojan. Well, mine did, Norton 2003 with latest updates. It isn't giving much detail of it, just says it is a generic detection for a group of Backdoor Trojan Horses. All the Trojans detected as Backdoor.Trojan have one thing in common: they allow unauthorized access to an infected computer.

    Well, my AVG doesn't detect anything malicious, nor does Trend Micro's. Boy o boy am I glad I have just purchased Norton just yesterday and it's showing its worth.

  6. #6
    moxnix (Macht Nicht Aus), Join Date: May 2002, Location: Huson Mt., Posts: 1,752
    SwordFish_13, Where did you get it from?

    Edit -- Never mind real dumb question...

    Re Edit -- Ok, I got it as Win32.Webber trojan. Image attached.

  7. #7
    moxnix (Macht Nicht Aus), Join Date: May 2002, Location: Huson Mt., Posts: 1,752
    Here is what I found on it.
    http://www.srnmicro.com/virusinfo/webber.htm

    Webber is a backdoor Trojan, can be used to steal passwords in the infected system. It arrives as an e-mail attachment. The infected attachment name will be "web.da.us.citi.heloc.pif".
    Also from: http://www.viruslibrary.com/virusinf...y.Win32.Webber(akaHeloc).htm
    Webber is a Win32 trojan program that installs a hidden proxy server on victim machines (with up to 100 connections), reports IP addresses and cached passwords of victim machines to its 'master'. The trojan also downloads (from a URL) and executes other EXE files such as its upgrades.
    Hope this helps, Specialist

  8. #8
    therenegade (Senior Member), Join Date: Apr 2003, Posts: 400
    Why does NAV2003 come up with it when Symantec's got nothing on it on its site?

  9. #9
    Senior Member, Join Date: Sep 2003, Posts: 126
    Norton 2004 picked it up as a backdoor Trojan and gave some generic removal instructions.
    They also show this class of Trojans as being around since January 1998, so my guess is that some script kiddie got hold of the original and modified it. Here's a link that has what Norton says about it.
    [Shadow] have you ever noticed work is like a tree full of monkeys you look down and all you see is monkeys below you then you look up and all you see is a bunch of *******s above[/shadow]

  10. #10
    AntiOnline n00b, Join Date: Feb 2004, Posts: 666
    Hi therenegade

    Actually the naming is the problem: every AV company names the virus or trojan according to its own finding. So every virus or trojan might have many names; you just searched one of its names, which Norton doesn't seem to have. Have you tried its other names: Downloader-DI (McAfee), TrojanProxy.Win32.Webber.10 (KAV), Troj/Webber-A (Sophos)?

    HouseCall detects it as: TROJ_AXJ.B

    Here is the info on it on the Norton site. The Trojan is the same, but with a different name.
    And there is one thing more to it: the Bloodhound feature of Norton can even detect viruses which are not in its list but display possible virus-like activity or features.
