vnet576
Jan 15 2004, 01:44 AM
Found this strange file that was created today on my PC. It keeps trying to add itself to the Run key of my registry. I'm blocking it, but it crashes explorer.exe when I access Ad-Aware. I later tried scanning that file with Ad-Aware and then with an AV checker... it did not pick it up. I'm gonna add this file here to see if anybody can get something out of it.
andydis
Jan 15 2004, 02:25 AM
My AV doesn't pick it up either, sounds dodgy tho!
I have a close relationship with my AV company, will send it off to them for you; suggest you do the same to whoever your AV is...
Sometimes you can get it named after you if you are first to discover a new virus in the wild.
In the meantime you might try opening it with a hex editor.
vnet576
Jan 15 2004, 02:55 AM
I sent it to Symantec. Also I tried hex editing it and disassembling it, but it appears packed. It did have this though: [ HidePE by BGCorp ]=-
zero-maitimax
Jan 15 2004, 11:29 AM
Mine doesn't find it either, but from what I see it has an injection in the file :s
beardednose
Jan 15 2004, 07:58 PM
Did you run HijackThis to see what else might be floating about on your PC?
vnet576
Jan 15 2004, 08:30 PM
| QUOTE (beardednose @ Jan 15 2004, 02:58 PM) |
| Did you run HijackThis to see what else might be floating about on your PC? |
Haven't heard of that program before. Gonna run it and see what it shows.
vnet576
Jan 16 2004, 09:15 PM
Well, Symantec sent me a reply about this file. It is in fact an existing trojan; however, it is strange that the AV didn't pick it up. I wanna have the packer that whoever made this file used.
| CODE |
We have analyzed your submission. The following is a report of our findings for each file you have submitted:
filename: iexplorer.exe machine: AVCAutomation: result: This file is infected with Trojan.Digits
Developer notes: iexplorer.exe is non-repairable threat. NAV with the latest beta definition detects this. Please delete this file and replace it if neccessary. Please follow the instruction at the end of this email message to install the latest beta definitions. |
Faceless Master
Jan 17 2004, 08:10 AM
| QUOTE (vnet576 @ Jan 15 2004, 02:55 AM) |
| I sent it to Symantec. Also I tried hex editing it and disassembling it, but it appears packed. It did have this though: [ HidePE by BGCorp ]=- |
Well, if it's packed, unpack it using the -d switch of UPX (if it's packed with it).
Anyhow, hope your problem has been solved now after getting the reply from NAV.
Regards,
~Faceless Master
SyN/AcK
Jan 20 2004, 05:11 AM
Probably somebody just packaged it with the real iexplorer.exe file using EliteWrap or Silk Rope 2000 or something.
MrRobot
Jan 22 2004, 06:11 AM
----
Sorry I couldn't post this as a thread, since I just signed up.
But I am looking for all trojans/bots/viruses which have a master password,
along with the command to remove the bot.
I plan on making a script to connect to the bot's port, login via the master pwd, then send the command to remove said bot.
Any ideas where to start?
---
Sorry for posting in this thread as an off-subject post.
vnet576
Jan 22 2004, 08:20 PM
I don't know of any trojans/virii having a master password, but I wouldn't be surprised if a few of the trojan writers built some kind of backdoor in.
This is the most complete database of information on all trojans, 0-day and older, kinda like the NForce of trojans. I suggest you check it out to see all the trojans that are out there, then do research on the trojans that you suspect might have a master password.
http://www.megasecurity.org/Main.html
jubbly
Jan 22 2004, 09:03 PM
I have been looking into virii and trojans and never heard of them having master passwords, although I wouldn't be surprised if there were. I know a couple of guys who have written their own and are quite experienced, and they have never heard of people using master passwords.
Hope that's helpful.
Greetz jubbly
supermax
Jan 22 2004, 09:31 PM
I have seen on some site some trojan master passwords, but I dunno what you can do with it and why use those.... look on Google.
Axl
Jan 23 2004, 01:36 AM
| QUOTE (vnet576 @ Jan 15 2004, 02:55 AM) |
| I sent it to Symantec. Also I tried hex editing it and disassembling it, but it appears packed. It did have this though: [ HidePE by BGCorp ]=- |
If this is what I think it is, it's an mIRC virus. Spams through /mirccmd... Can't cleanly disassemble since the import tables were intentionally destroyed and you actually have to have it running to get ImpREC to do it (and I did, but it wouldn't fix it).
walker
Jan 24 2004, 05:30 PM
Yesterday my system was infected by a different kind of the same code. It causes an error message opening a text document via Explorer and executes a program, y.exe, that appears in the root of the system disk for a few seconds.
The file size is the same as iexplorer.exe and it has -=[ HidePE by BGCorp ]=- at the end of it, and it is spreading around the system with multiple copies named
notepad32.exe
users32.exe
directx32.exe
explorer32.exe
Now I am trying to remove these files and registry keys.
Does anyone have any idea of this virii???
Thanks
P.S. My antivirus says that iexplorer.exe, posted at the top of this topic, is a
win32/SpyBot.qz
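A small triage script for the indicators this thread mentions (the "-=[ HidePE by BGCorp ]=-" tail marker and the fact that the sample was packed), added here as an example and not code from any poster. The entropy threshold and the sample blobs are constructed assumptions; the real iexplorer.exe is not reproduced.

```python
import math
import random
from collections import Counter

# Tail marker the thread reports at the end of the packed file.
HIDEPE_MARKER = b"-=[ HidePE by BGCorp ]=-"
# Shannon-entropy threshold (bits per byte) above which a file is treated as
# likely packed or encrypted; assumed heuristic value, not from the thread.
PACKED_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniformly random, plain code/text sits well below 7."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(data: bytes, tail_window: int = 64) -> dict:
    """Indicators a responder would note before sending a sample to a vendor."""
    entropy = shannon_entropy(data)
    return {
        "is_pe": data[:2] == b"MZ",                          # DOS/PE header magic
        "hidepe_marker_in_tail": HIDEPE_MARKER in data[-tail_window:],
        "entropy": round(entropy, 2),
        "likely_packed": entropy >= PACKED_ENTROPY,
    }


def build_samples() -> dict:
    """Constructed stand-ins: a pseudo-random body with the marker appended,
    and a low-entropy 'benign' file. Deterministic so results are repeatable."""
    rng = random.Random(1)
    body = bytes(rng.getrandbits(8) for _ in range(4096))
    suspicious = b"MZ" + body + HIDEPE_MARKER
    benign = b"MZ" + b"\x00" * 2048 + b"This program cannot be run in DOS mode." * 20
    return {"iexplorer.exe": suspicious, "benign.exe": benign}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(name, triage(blob))
```

To use it on real files, read each candidate (the notepad32.exe/users32.exe copies listed above, for instance) with `open(path, "rb").read()` and pass the bytes to `triage`.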
jos40
Jan 24 2004, 06:49 PM
Try CWShredder.
Had such a problem on my PC too.
Mine was called smartsearch.ws and changed names whenever I deleted it.
Also my Favourites tab was infected.
With this proggie I removed it.
http://216.180.233.153/~merijn/files/CWShredder.exe
MrRobot
Jan 25 2004, 06:09 AM
Sub7 has a master password.
Kuang2 has a master pwd, I believe.
NetBus did too... again, I believe.
Reason being, I want to write a script to clean the PC via this method, as the startup keys are not the same every time.
Krogoth
Jan 25 2004, 03:01 PM
I believe it's an mIRC virus too. I've seen it on a stro. Maybe you should check the dates in the dir where the iexplorer is residing; there are other files associated with it.
Hope you've sorted that, m8.
vnet576
Jan 25 2004, 05:03 PM
This got all sorted, and I had very limited damage since I use a registry protection script, so all I had to do was just delete the various files it created. I don't think it's an mIRC virus, since you have to accept the virus on the on-join popup, and I never do that.
walker
Jan 25 2004, 05:50 PM
I don't know how I received this virus, but by removing the registry keys and the related files it created I solved this problem.
I use HijackThis (http://www.spywareinfo.com/~merijn/index.html).....
Thanks...
MrRobot
Jan 25 2004, 08:56 PM
http://www.sysinternals.com/ has a nice list of tools..
autorun
regmon
filemon
psexec
etc.