sk3tch
Caught this guy in my honeypot today -

WORM_SDBOT.ACT:
http://www.sk3tch.com/files/et3rd_mini.zip
Zip password is infected. Both files included are identical, but are uploaded to infected systems for some reason.

et3rd.exe comes in via 445, executes, connects to an IRC channel, then goes crazy downloading adware/spyware/keyloggers/trojans.

I've got all the files for this one if anyone is interested. I just didn't want to post a link to it since it is 22MB of crap!!

I scanned all the files earlier today (before the WORM_SDBOT.ACT detection was added by Trend Micro) using Sysclean and the 238 defs and here were the results:

QUOTE

/--------------------------------------------------------------\
|                Trend Micro Sysclean Package                |
|              Copyright 2002, Trend Micro, Inc.              |
|                  http://www.trendmicro.com                  |
\--------------------------------------------------------------/


2004-11-04, 16:04:44,  Running scanner "C:\sysclean\TSC.BIN"...
2004-11-04, 16:05:16,  Scanner "C:\sysclean\TSC.BIN" has finished running.
2004-11-04, 16:05:16,  TSC Log:

Damage Cleanup Engine (DCE)  3.6(Build 1120)
Windows XP(Build 2600: Service Pack 1)

Start time : Thu Nov 04 2004 16:04:48

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 440) [success]

Complete time : Thu Nov 04 2004 16:05:16
Execute pattern count(1324), Virus found count(0), Virus clean count(0), Clean failed count(0)

2004-11-04, 16:05:17,  Running scanner "C:\sysclean\VSCANTM.BIN"...
2004-11-04, 16:07:43,  Files Detected:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 11/4/2004 16:05:17
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 238 (74522 Patterns) (2004/11/04) (223800)
Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB C:\virus\et3rd_v2_virus\*.* /P=C:\sysclean

C:\virus\et3rd_v2_virus\malware\c_documents_and_settings_default_user_local_settings\Temporary Internet Files\Content.IE5\0OGRLO8Q\protector[1].exe [TROJ_STARTPAG.NK]
C:\virus\et3rd_v2_virus\malware\c_documents_and_settings_default_user_local_settings\Temporary Internet Files\Content.IE5\77UHRVD4\silent[1].exe [TROJ_SMALL.ZO]
C:\virus\et3rd_v2_virus\malware\c_documents_and_settings_user\Local Settings\Temp\OOxY8.exe [TROJ_STILEN.A]
C:\virus\et3rd_v2_virus\malware\c_winnt\Downloaded Program Files\v3.dll [TROJ_SMALL.XO]
C:\virus\et3rd_v2_virus\malware\c_winnt\systb.dll [TROJ_IMISERV.C]
C:\virus\et3rd_v2_virus\malware\c_winnt\systb.exe [TROJ_IMISERV.C]
C:\virus\et3rd_v2_virus\malware\c_winnt_system32\bkmsf32.dat [TROJ_STARTPAG.NK]
C:\virus\et3rd_v2_virus\malware\c_winnt_system32\FrnZ6Q.exe [BKDR_SANDBOX.A]
C:\virus\et3rd_v2_virus\malware\c_winnt_system32\ghtbtfr\beird.exe [BKDR_IRCFLOOD.CD]
C:\virus\et3rd_v2_virus\malware\c_winnt_system32\ghtbtfr\emoti.bat [BAT_RANDON.B]
C:\virus\et3rd_v2_virus\malware\c_winnt_system32\ghtbtfr\hosts [DOS_QHOSTS.C]
C:\virus\et3rd_v2_virus\malware\c_winnt_system32\ghtbtfr\wshield.exe [BKDR_FLOOD.J]
C:\virus\et3rd_v2_virus\malware\c_winnt_system32\ghtbtfr\ymnz.exe [TROJ_SMALL.QD]
C:\virus\et3rd_v2_virus\malware\c_winnt_system32\IfavwLE.exe [BKDR_SANDBOX.A]
C:\virus\et3rd_v2_virus\malware\c_winnt_system32\KdfL6BY.exe [BKDR_SANDBOX.A]
C:\virus\et3rd_v2_virus\malware\c_winnt_system32\NuaK63G.exe [BKDR_SANDBOX.A]
C:\virus\et3rd_v2_virus\malware\c_winnt_system32\PhyX2W8D.exe [BKDR_SANDBOX.A]
C:\virus\et3rd_v2_virus\malware\c_winnt_system32\Tth9525X.exe [BKDR_SANDBOX.A]
C:\virus\et3rd_v2_virus\malware\c_winnt_system32\winbhi32.exe [TROJ_STARTPAG.NK]
C:\virus\et3rd_v2_virus\malware\c_winnt_system32\Wwe1X.exe [BKDR_SANDBOX.A]
C:\virus\et3rd_v2_virus\malware\c_winnt_system32\YwcV.exe [BKDR_SANDBOX.A]
C:\virus\et3rd_v2_virus\malware\c_winnt_system32\ZejdW.exe [BKDR_SANDBOX.A]
1121 files have been read.
1121 files have been checked.
794 files have been scanned.
813 files have been scanned. (including files in archived)
23 files containing viruses.
Found 23 viruses totally.
Maybe 0 viruses totally.
Stop At : 11/4/2004 16:07:43
---------*---------*---------*---------*---------*---------*---------*---------*
2004-11-04, 16:07:43,  Files Clean:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 11/4/2004 16:05:17
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 238 (74522 Patterns) (2004/11/04) (223800)
Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB C:\virus\et3rd_v2_virus\*.* /P=C:\sysclean

Can not Clean [TROJ_STARTPAG.NK](    1) from C:\virus\et3rd_v2_virus\malware\c_documents_and_settings_default_user_local_settings\Temporary Internet Files\Content.IE5\0OGRLO8Q\protector[1].exe
Can not Clean [  TROJ_SMALL.ZO](    1) from C:\virus\et3rd_v2_virus\malware\c_documents_and_settings_default_user_local_settings\Temporary Internet Files\Content.IE5\77UHRVD4\silent[1].exe
Can not Clean [  TROJ_SMALL.XO](    1) from C:\virus\et3rd_v2_virus\malware\c_documents_and_settings_default_user_local_settings\Temporary Internet Files\Content.IE5\QGXH83C1\v3cab[1].cab,(v3.dll)
Can not Clean [  TROJ_STILEN.A](    1) from C:\virus\et3rd_v2_virus\malware\c_documents_and_settings_user\Local Settings\Temp\OOxY8.exe
Can not Clean [  TROJ_SMALL.XO](    1) from C:\virus\et3rd_v2_virus\malware\c_winnt\Downloaded Program Files\v3.dll
Can not Clean [  TROJ_IMISERV.C](    1) from C:\virus\et3rd_v2_virus\malware\c_winnt\systb.dll
Can not Clean [  TROJ_IMISERV.C](    1) from C:\virus\et3rd_v2_virus\malware\c_winnt\systb.exe
Can not Clean [TROJ_STARTPAG.NK](    1) from C:\virus\et3rd_v2_virus\malware\c_winnt_system32\bkmsf32.dat
Can not Clean [  BKDR_SANDBOX.A](    1) from C:\virus\et3rd_v2_virus\malware\c_winnt_system32\FrnZ6Q.exe
Can not Clean [BKDR_IRCFLOOD.CD](    1) from C:\virus\et3rd_v2_virus\malware\c_winnt_system32\ghtbtfr\beird.exe
Can not Clean [    BAT_RANDON.B](    1) from C:\virus\et3rd_v2_virus\malware\c_winnt_system32\ghtbtfr\emoti.bat
Can not Clean [    DOS_QHOSTS.C](    1) from C:\virus\et3rd_v2_virus\malware\c_winnt_system32\ghtbtfr\hosts
Can not Clean [    BKDR_FLOOD.J](    1) from C:\virus\et3rd_v2_virus\malware\c_winnt_system32\ghtbtfr\wshield.exe
Can not Clean [  TROJ_SMALL.QD](    1) from C:\virus\et3rd_v2_virus\malware\c_winnt_system32\ghtbtfr\ymnz.exe
Can not Clean [  BKDR_SANDBOX.A](    1) from C:\virus\et3rd_v2_virus\malware\c_winnt_system32\IfavwLE.exe
Can not Clean [  BKDR_SANDBOX.A](    1) from C:\virus\et3rd_v2_virus\malware\c_winnt_system32\KdfL6BY.exe
Can not Clean [  BKDR_SANDBOX.A](    1) from C:\virus\et3rd_v2_virus\malware\c_winnt_system32\NuaK63G.exe
Can not Clean [  BKDR_SANDBOX.A](    1) from C:\virus\et3rd_v2_virus\malware\c_winnt_system32\PhyX2W8D.exe
Can not Clean [  BKDR_SANDBOX.A](    1) from C:\virus\et3rd_v2_virus\malware\c_winnt_system32\Tth9525X.exe
Can not Clean [TROJ_STARTPAG.NK](    1) from C:\virus\et3rd_v2_virus\malware\c_winnt_system32\winbhi32.exe
Can not Clean [  BKDR_SANDBOX.A](    1) from C:\virus\et3rd_v2_virus\malware\c_winnt_system32\Wwe1X.exe
Can not Clean [  BKDR_SANDBOX.A](    1) from C:\virus\et3rd_v2_virus\malware\c_winnt_system32\YwcV.exe
Can not Clean [  BKDR_SANDBOX.A](    1) from C:\virus\et3rd_v2_virus\malware\c_winnt_system32\ZejdW.exe
1121 files have been read.
1121 files have been checked.
794 files have been scanned.
813 files have been scanned. (including files in archived)
23 files containing viruses.
Found 23 viruses totally.
Maybe 0 viruses totally.
Stop At : 11/4/2004 16:07:43 2 minutes 25 seconds (145.71 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2004-11-04, 16:07:43,  Clean Fail:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 11/4/2004 16:05:17
VSAPI Engine Version : 7.000-1004
VSCANTM Version : 1.1-1001
Virus Pattern Version : 238 (74522 Patterns) (2004/11/04) (223800)
Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB C:\virus\et3rd_v2_virus\*.* /P=C:\sysclean

Can not Clean [TROJ_STARTPAG.NK](    1) from C:\virus\et3rd_v2_virus\malware\c_documents_and_settings_default_user_local_settings\Temporary Internet Files\Content.IE5\0OGRLO8Q\protector[1].exe
Can not Clean [  TROJ_SMALL.ZO](    1) from C:\virus\et3rd_v2_virus\malware\c_documents_and_settings_default_user_local_settings\Temporary Internet Files\Content.IE5\77UHRVD4\silent[1].exe
Can not Clean [  TROJ_SMALL.XO](    1) from C:\virus\et3rd_v2_virus\malware\c_documents_and_settings_default_user_local_settings\Temporary Internet Files\Content.IE5\QGXH83C1\v3cab[1].cab,(v3.dll)
Can not Clean [  TROJ_STILEN.A](    1) from C:\virus\et3rd_v2_virus\malware\c_documents_and_settings_user\Local Settings\Temp\OOxY8.exe
Can not Clean [  TROJ_SMALL.XO](    1) from C:\virus\et3rd_v2_virus\malware\c_winnt\Downloaded Program Files\v3.dll
Can not Clean [  TROJ_IMISERV.C](    1) from C:\virus\et3rd_v2_virus\malware\c_winnt\systb.dll
Can not Clean [  TROJ_IMISERV.C](    1) from C:\virus\et3rd_v2_virus\malware\c_winnt\systb.exe
Can not Clean [TROJ_STARTPAG.NK](    1) from C:\virus\et3rd_v2_virus\malware\c_winnt_system32\bkmsf32.dat
Can not Clean [  BKDR_SANDBOX.A](    1) from C:\virus\et3rd_v2_virus\malware\c_winnt_system32\FrnZ6Q.exe
Can not Clean [BKDR_IRCFLOOD.CD](    1) from C:\virus\et3rd_v2_virus\malware\c_winnt_system32\ghtbtfr\beird.exe
Can not Clean [    BAT_RANDON.B](    1) from C:\virus\et3rd_v2_virus\malware\c_winnt_system32\ghtbtfr\emoti.bat
Can not Clean [    DOS_QHOSTS.C](    1) from C:\virus\et3rd_v2_virus\malware\c_winnt_system32\ghtbtfr\hosts
Can not Clean [    BKDR_FLOOD.J](    1) from C:\virus\et3rd_v2_virus\malware\c_winnt_system32\ghtbtfr\wshield.exe
Can not Clean [  TROJ_SMALL.QD](    1) from C:\virus\et3rd_v2_virus\malware\c_winnt_system32\ghtbtfr\ymnz.exe
Can not Clean [  BKDR_SANDBOX.A](    1) from C:\virus\et3rd_v2_virus\malware\c_winnt_system32\IfavwLE.exe
Can not Clean [  BKDR_SANDBOX.A](    1) from C:\virus\et3rd_v2_virus\malware\c_winnt_system32\KdfL6BY.exe
Can not Clean [  BKDR_SANDBOX.A](    1) from C:\virus\et3rd_v2_virus\malware\c_winnt_system32\NuaK63G.exe
Can not Clean [  BKDR_SANDBOX.A](    1) from C:\virus\et3rd_v2_virus\malware\c_winnt_system32\PhyX2W8D.exe
Can not Clean [  BKDR_SANDBOX.A](    1) from C:\virus\et3rd_v2_virus\malware\c_winnt_system32\Tth9525X.exe
Can not Clean [TROJ_STARTPAG.NK](    1) from C:\virus\et3rd_v2_virus\malware\c_winnt_system32\winbhi32.exe
Can not Clean [  BKDR_SANDBOX.A](    1) from C:\virus\et3rd_v2_virus\malware\c_winnt_system32\Wwe1X.exe
Can not Clean [  BKDR_SANDBOX.A](    1) from C:\virus\et3rd_v2_virus\malware\c_winnt_system32\YwcV.exe
Can not Clean [  BKDR_SANDBOX.A](    1) from C:\virus\et3rd_v2_virus\malware\c_winnt_system32\ZejdW.exe
1121 files have been read.
1121 files have been checked.
794 files have been scanned.
813 files have been scanned. (including files in archived)
23 files containing viruses.
Found 23 viruses totally.
Maybe 0 viruses totally.
Stop At : 11/4/2004 16:07:43 2 minutes 25 seconds (145.71 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2004-11-04, 16:07:43,  Scanner "C:\sysclean\VSCANTM.BIN" has finished running.


All that as part of the payload of one little bitty file - et3rd.exe!
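As an added triage example for this thread (not part of sk3tch's post, and not Trend Micro code): the VSCANTM log above is easy to parse mechanically, and doing so surfaces two things worth knowing. First, the "Files Detected" section lists 22 paths while the scanner's own count says 23; the missing one is the v3.dll inside v3cab[1].cab, which only appears in the "Can not Clean" section, so a parser has to read both kinds of line. Second, every hit is TROJ_/BKDR_/BAT_/DOS_, i.e. a file that is malicious in its entirety, so "Can not Clean" only means there is nothing to disinfect and the file has to be deleted or quarantined. The log excerpt in the block is copied from the post; the family grouping and the random-looking-filename heuristic are the editor's assumptions, not anything the scanner reports.

```python
"""Triage a Trend Micro Sysclean (VSCANTM) log such as the one pasted above.

Added example for this thread, not Trend Micro code. LOG_EXCERPT is copied
from the post; family(), looks_random() and the triage grouping are the
editor's own heuristics, not anything the scanner itself reports.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# The "Files Detected" section from the post (22 lines) plus the one
# "Can not Clean" line it lacks: the v3.dll inside v3cab[1].cab. That
# archive member is why the scanner's own total reads 23, not 22.
LOG_EXCERPT = r"""
2004-11-04, 16:07:43,  Files Detected:
C:\virus\et3rd_v2_virus\malware\c_documents_and_settings_default_user_local_settings\Temporary Internet Files\Content.IE5\0OGRLO8Q\protector[1].exe [TROJ_STARTPAG.NK]
C:\virus\et3rd_v2_virus\malware\c_documents_and_settings_default_user_local_settings\Temporary Internet Files\Content.IE5\77UHRVD4\silent[1].exe [TROJ_SMALL.ZO]
C:\virus\et3rd_v2_virus\malware\c_documents_and_settings_user\Local Settings\Temp\OOxY8.exe [TROJ_STILEN.A]
C:\virus\et3rd_v2_virus\malware\c_winnt\Downloaded Program Files\v3.dll [TROJ_SMALL.XO]
C:\virus\et3rd_v2_virus\malware\c_winnt\systb.dll [TROJ_IMISERV.C]
C:\virus\et3rd_v2_virus\malware\c_winnt\systb.exe [TROJ_IMISERV.C]
C:\virus\et3rd_v2_virus\malware\c_winnt_system32\bkmsf32.dat [TROJ_STARTPAG.NK]
C:\virus\et3rd_v2_virus\malware\c_winnt_system32\FrnZ6Q.exe [BKDR_SANDBOX.A]
C:\virus\et3rd_v2_virus\malware\c_winnt_system32\ghtbtfr\beird.exe [BKDR_IRCFLOOD.CD]
C:\virus\et3rd_v2_virus\malware\c_winnt_system32\ghtbtfr\emoti.bat [BAT_RANDON.B]
C:\virus\et3rd_v2_virus\malware\c_winnt_system32\ghtbtfr\hosts [DOS_QHOSTS.C]
C:\virus\et3rd_v2_virus\malware\c_winnt_system32\ghtbtfr\wshield.exe [BKDR_FLOOD.J]
C:\virus\et3rd_v2_virus\malware\c_winnt_system32\ghtbtfr\ymnz.exe [TROJ_SMALL.QD]
C:\virus\et3rd_v2_virus\malware\c_winnt_system32\IfavwLE.exe [BKDR_SANDBOX.A]
C:\virus\et3rd_v2_virus\malware\c_winnt_system32\KdfL6BY.exe [BKDR_SANDBOX.A]
C:\virus\et3rd_v2_virus\malware\c_winnt_system32\NuaK63G.exe [BKDR_SANDBOX.A]
C:\virus\et3rd_v2_virus\malware\c_winnt_system32\PhyX2W8D.exe [BKDR_SANDBOX.A]
C:\virus\et3rd_v2_virus\malware\c_winnt_system32\Tth9525X.exe [BKDR_SANDBOX.A]
C:\virus\et3rd_v2_virus\malware\c_winnt_system32\winbhi32.exe [TROJ_STARTPAG.NK]
C:\virus\et3rd_v2_virus\malware\c_winnt_system32\Wwe1X.exe [BKDR_SANDBOX.A]
C:\virus\et3rd_v2_virus\malware\c_winnt_system32\YwcV.exe [BKDR_SANDBOX.A]
C:\virus\et3rd_v2_virus\malware\c_winnt_system32\ZejdW.exe [BKDR_SANDBOX.A]
Can not Clean [  TROJ_SMALL.XO](    1) from C:\virus\et3rd_v2_virus\malware\c_documents_and_settings_default_user_local_settings\Temporary Internet Files\Content.IE5\QGXH83C1\v3cab[1].cab,(v3.dll)
"""

# Trend names look like PREFIX_FAMILY.VARIANT (TROJ_SMALL.XO, DOS_QHOSTS.C).
NAME = r"[A-Z0-9]+_[A-Z0-9]+\.[A-Z0-9]+"
DETECTED = re.compile(rf"^(?P<path>[A-Za-z]:\\.+?) \[(?P<name>{NAME})\]$")
NOCLEAN = re.compile(rf"^Can not Clean \[\s*(?P<name>{NAME})\]\(\s*\d+\) from (?P<path>.+)$")


def parse_log(text):
    """Return {path: detection_name} from both the 'Files Detected' and the
    'Can not Clean' line styles; a path seen in both is counted once."""
    found = {}
    for line in text.splitlines():
        m = DETECTED.match(line) or NOCLEAN.match(line)
        if m:
            found[m["path"]] = m["name"]
    return found


def family(name):
    return name.split("_", 1)[0]          # TROJ, BKDR, BAT, DOS, ...


def looks_random(path):
    """Editor's heuristic: a short mixed-case alphanumeric stem (FrnZ6Q,
    PhyX2W8D) is the kind of name a dropper generates; legitimate Windows
    binaries are rarely named that way."""
    stem = PureWindowsPath(path).stem
    return (4 <= len(stem) <= 8 and stem.isalnum()
            and any(c.isupper() for c in stem)
            and any(c.islower() for c in stem))


def triage(text):
    det = parse_log(text)
    return {
        "total": len(det),
        "by_name": Counter(det.values()),
        "backdoors": sorted(p for p, n in det.items() if family(n) == "BKDR"),
        "random_named": sorted(p for p in det if looks_random(p)),
        "hosts_hijack": sorted(p for p, n in det.items() if n.startswith("DOS_QHOSTS")),
    }


if __name__ == "__main__":
    report = triage(LOG_EXCERPT)
    print(f"{report['total']} detections")
    for name, n in report["by_name"].most_common():
        print(f"  {n:2d}  {name}")
    for key in ("backdoors", "random_named", "hosts_hijack"):
        print(f"{key}: {len(report[key])}")
```

Run against the excerpt it reports 23 detections, 11 of them backdoors (nine BKDR_SANDBOX.A copies plus the two IRC flooders), ten executables with generated-looking names in system32 and Temp, and the one hosts-file hijack, which is the list a responder would work from when deleting files by hand.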

SyN/AcK
QUOTE(sk3tch @ Nov 4 2004, 11:26 PM)
Caught this guy in my honeypot today -

WORM_SDBOT.ACT:
http://www.sk3tch.com/files/et3rd_mini.zip
Zip password is infected. Both files included are identical, but are uploaded to infected systems for some reason.

et3rd.exe comes in via 445, executes, connects to an IRC channel, then goes crazy downloading adware/spyware/keyloggers/trojans. 

*




Thing sounds nasty as hell!
sk3tch
Description is up from Trend Micro:

http://www.trendmicro.com/vinfo/virusencyc...BOT.ACT&VSect=T

They forgot to look at my 22MB package of love...so they'll have more on that later.

Oh, and to expand on how nasty this is SyN/AcK - the box was an unpatched Windows 2000 Professional box, but it was running Symantec Antivirus Corporate Edition 9.0.2.1000 with the 11/3 definitions! SAV caught n o t h i n g. Just sad. I submitted to them and they didn't look at my link to the 22MB files either...so I guess it may slip through again!
spook
Didn't they even look at your link?
lol nice service they have
saetji
service? lol
the "service" they provide is letting unsuspecting people who don't know anything about viruses THINK that they are protected when in actual fact, they aren't. It's just a way of stealing people's money by making them believe they're protected.
Titus
good to know not to waste time with their "support" =)
sk3tch
QUOTE(saetji @ Nov 6 2004, 05:37 PM)
service? lol
the "service" they provide is letting unsuspecting people who don't know anything about viruses THINK that they are protected when in actual fact, they aren't. It's just a way of stealing people's money by making them believe they're protected.
*



I see your point, however I do not completely agree with you. Obviously, if you just plug in anti-virus protection on your system and use no other security strategies, you'll be getting a false sense of security for the most part.

Anyone who deals in security knows that you must have a layered strategy.

The Anti-Virus portion is essential, especially for end-users...they're just too dumb to protect themselves.

RE: the service, Trend Micro is generally good. You have to realize when they're given 22MB of files to analyze it'll take extra time.
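The chain sk3tch described in the first post (inbound on 445, then an IRC connection, then a flood of downloads) is exactly the kind of thing a network layer can catch when the host AV misses it, which is the layered-defence point made just above. The following is an added example for this thread, not the honeypot's own tooling: it runs a three-stage correlation over a constructed firewall-style connection log. The log format, the documentation-range IP addresses, the 192.0.2.0/24 "internal" network, the IRC port list and the 30-minute / five-download thresholds are all assumptions for the example, and no address in it is a real C2 host.

```python
"""Behavioural detection for the infection chain described in the thread:
accepted inbound SMB (445) from outside, then an outbound IRC connection,
then a burst of HTTP downloads from the same host.

Added example for this thread, not the honeypot's own tooling. The log
format, addresses (documentation ranges only), internal network, IRC port
list and thresholds are constructed assumptions for the example.
"""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

Event = namedtuple("Event", "ts src sport dst dport")

# Constructed firewall-style log. 192.0.2.10 shows the full chain;
# .11 only gets scanned on 445; .12 browses normally with no inbound SMB.
SAMPLE_LOG = """\
2004-11-04T15:58:02 ALLOW TCP 203.0.113.7:3921 -> 192.0.2.10:445
2004-11-04T15:58:09 ALLOW TCP 203.0.113.7:3955 -> 192.0.2.11:445
2004-11-04T15:58:40 ALLOW TCP 192.0.2.10:1045 -> 198.51.100.23:6667
2004-11-04T15:59:01 ALLOW TCP 192.0.2.12:1301 -> 198.51.100.80:80
2004-11-04T15:59:12 ALLOW TCP 192.0.2.10:1046 -> 198.51.100.40:80
2004-11-04T15:59:13 ALLOW TCP 192.0.2.10:1047 -> 198.51.100.41:80
2004-11-04T15:59:15 ALLOW TCP 192.0.2.10:1048 -> 198.51.100.40:80
2004-11-04T15:59:20 ALLOW TCP 192.0.2.10:1049 -> 198.51.100.42:80
2004-11-04T15:59:24 ALLOW TCP 192.0.2.10:1050 -> 198.51.100.43:80
2004-11-04T15:59:31 ALLOW TCP 192.0.2.10:1051 -> 198.51.100.41:80
2004-11-04T16:02:10 ALLOW TCP 192.0.2.12:1302 -> 198.51.100.81:80
"""

LINE = re.compile(r"^(\S+) ALLOW TCP (\S+):(\d+) -> (\S+):(\d+)$")
INTERNAL = ip_network("192.0.2.0/24")       # assumption: the monitored LAN
IRC_PORTS = {6666, 6667, 6668, 6669, 7000}   # assumption: common IRC ports


def parse(text):
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts, src, sport, dst, dport = m.groups()
            events.append(Event(datetime.fromisoformat(ts), ip_address(src),
                                int(sport), ip_address(dst), int(dport)))
    return events


def detect_chain(events, window=timedelta(minutes=30), min_downloads=5):
    """One alert per internal host that shows all three stages, in order:
    inbound 445 from outside -> outbound IRC -> burst of outbound HTTP."""
    by_host = defaultdict(list)
    for e in events:
        if e.dst in INTERNAL and e.src not in INTERNAL:
            by_host[e.dst].append(("in", e))
        elif e.src in INTERNAL and e.dst not in INTERNAL:
            by_host[e.src].append(("out", e))
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda de: de[1].ts)
        smb = next((e for d, e in evs if d == "in" and e.dport == 445), None)
        if smb is None:
            continue                     # stage 1 absent: not this chain
        irc = next((e for d, e in evs if d == "out" and e.dport in IRC_PORTS
                    and smb.ts < e.ts <= smb.ts + window), None)
        if irc is None:
            continue                     # scanned on 445 but no C2 call-out
        dl = [e for d, e in evs if d == "out" and e.dport == 80
              and irc.ts < e.ts <= irc.ts + window]
        if len(dl) >= min_downloads:
            alerts.append({
                "host": str(host),
                "smb_source": str(smb.src),
                "irc_server": f"{irc.dst}:{irc.dport}",
                "downloads": len(dl),
                "download_hosts": sorted({str(e.dst) for e in dl}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_chain(parse(SAMPLE_LOG)):
        print(alert)
```

Only 192.0.2.10 alerts: the host that was merely probed on 445 and the host that only browsed never complete the sequence, which is what keeps a rule like this from firing on every SMB scan that hits the perimeter. Ordering and the time window matter more than any one port; an IRC connection on its own, or a download burst on its own, is not evidence of anything.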