New Virus disables control centre
fasttrack
September 28th, 2006, 01:24 AM
Hi All,
I have discovered a new variant this AM of Win32/TrojanDownloader.Agent.AWF trojan. The virus infects exes including nod32kui.exe which in turn becomes disabled. The administrative alerts are still sent, but no local warnings are given. The files become hidden and are not visible from command line or win explorer. Interestingly they can be copied via the command line, but it is still not possible to view them and they can not be archived either. I was forced to copy the files via a mapped drive to a Linux samba share and zip them from the shell.
Rootkit cloaking is not evident using rootkit revealer.
Anyone else seen this yet?
Blackspear
September 28th, 2006, 01:39 AM
Were you able to upload a sample to www.virustotal.com and send a zipped sample to samples @ eset.com?
Cheers ;D
Marcos
September 28th, 2006, 02:33 AM
As requested by Blackspear, please send such an infected file to samples @ eset.com as we have not received anything yet.
fasttrack
September 28th, 2006, 03:07 AM
I've sent the samples to eset some time ago.
The submission for scan to virus total failed as I sent the zip pwd encrypted. I'm reluctant to send from a windows machine without it.
I'll try from the firewall without the pwd.
Cheers,
Lew
fasttrack
September 28th, 2006, 03:59 AM
Here's the output from virus total...
Complete scanning result of "Archive.zip", processed in VirusTotal at
09/28/2006 09:18:06 (CET).
[ file data ]
* name: Archive.zip
* size: 80486
* md5.: 88286b7fb8db74fb9787261f357dfe39
* sha1: 9a85db325fad00d89473fb309f57fa0863be87a4
[ scan result ]
AntiVir 7.2.0.18/20060928 found [HEUR/Malware]
Authentium 4.93.8/20060928 found nothing
Avast 4.7.892.0/20060927 found [Win32:Agent-BVS]
AVG 386/20060927 found [Downloader.Agent.FVH]
BitDefender 7.2/20060928 found [Trojan.Downloader.Agent.ANA]
CAT-QuickHeal 8.00/20060927 found [TrojanDownloader.Agent.awf]
ClamAV devel-20060426/20060927 found [Trojan.Downloader.Small-2715]
DrWeb 4.33/20060927 found [Trojan.DownLoader.12953]
eTrust-InoculateIT 23.73.7/20060928 found [Win32/Secdrop.4rf!Trojan]
eTrust-Vet 30.3.3103/20060927 found [Win32/Secdrop.MM]
Ewido 4.0/20060927 found [Downloader.Agent.awf]
F-Prot 3.16f/20060928 found nothing
F-Prot4 4.2.1.29/20060928 found nothing
Fortinet 2.82.0.0/20060928 found [suspicious]
Ikarus 0.2.65.0/20060928 found nothing
Kaspersky 4.0.2.24/20060928 found [Trojan-Downloader.Win32.Agent.awf]
McAfee 4861/20060927 found nothing
Microsoft 1.1603/20060928 found nothing
NOD32v2 1.1780/20060927 found [a variant of Win32/TrojanDownloader.Agent.AWF]
Norman 5.80.02/20060927 found [W32/Agent.ALTU]
Panda 9.0.0.4/20060927 found [Trj/Lowzones.SU]
Sophos 4.10.0/20060928 found nothing
Symantec 8.0/20060928 found nothing
TheHacker 6.0.1.085/20060928 found nothing
UNA 1.83/20060927 found [TrojanDownloader.Win32.Agent.5840]
VBA32 3.11.1/20060927 found [Trojan-Downloader.Win32.Agent.awf]
VirusBuster 4.3.7:9/20060927 found nothing
[ notes ]
packers: UPX
packers: UPX
packers: UPX, UPX, UPX, UPX
packers: UPX
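As an added example that nobody in the thread posted, here is a small Python parser for the plain-text VirusTotal report format quoted above. It embeds the thread's own report lines as constructed sample input (the packer notes are left out), pulls out the hashes and each engine's verdict, and summarises how many engines flagged the archive and which vendors agree on a family name. The regular expressions and field names are assumptions derived only from the lines shown here, not from any documented VirusTotal schema.

```python
"""Parse the legacy VirusTotal plain-text report format and summarise detections."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input: the report lines quoted in the thread, embedded so the
# script runs offline. The "[ notes ]" packer lines are omitted.
SAMPLE_REPORT = """\
[ file data ]
* name: Archive.zip
* size: 80486
* md5.: 88286b7fb8db74fb9787261f357dfe39
* sha1: 9a85db325fad00d89473fb309f57fa0863be87a4
[ scan result ]
AntiVir 7.2.0.18/20060928 found [HEUR/Malware]
Authentium 4.93.8/20060928 found nothing
Avast 4.7.892.0/20060927 found [Win32:Agent-BVS]
AVG 386/20060927 found [Downloader.Agent.FVH]
BitDefender 7.2/20060928 found [Trojan.Downloader.Agent.ANA]
CAT-QuickHeal 8.00/20060927 found [TrojanDownloader.Agent.awf]
ClamAV devel-20060426/20060927 found [Trojan.Downloader.Small-2715]
DrWeb 4.33/20060927 found [Trojan.DownLoader.12953]
eTrust-InoculateIT 23.73.7/20060928 found [Win32/Secdrop.4rf!Trojan]
eTrust-Vet 30.3.3103/20060927 found [Win32/Secdrop.MM]
Ewido 4.0/20060927 found [Downloader.Agent.awf]
F-Prot 3.16f/20060928 found nothing
F-Prot4 4.2.1.29/20060928 found nothing
Fortinet 2.82.0.0/20060928 found [suspicious]
Ikarus 0.2.65.0/20060928 found nothing
Kaspersky 4.0.2.24/20060928 found [Trojan-Downloader.Win32.Agent.awf]
McAfee 4861/20060927 found nothing
Microsoft 1.1603/20060928 found nothing
NOD32v2 1.1780/20060927 found [a variant of Win32/TrojanDownloader.Agent.AWF]
Norman 5.80.02/20060927 found [W32/Agent.ALTU]
Panda 9.0.0.4/20060927 found [Trj/Lowzones.SU]
Sophos 4.10.0/20060928 found nothing
Symantec 8.0/20060928 found nothing
TheHacker 6.0.1.085/20060928 found nothing
UNA 1.83/20060927 found [TrojanDownloader.Win32.Agent.5840]
VBA32 3.11.1/20060927 found [Trojan-Downloader.Win32.Agent.awf]
VirusBuster 4.3.7:9/20060927 found nothing
"""

# Assumed line shapes, inferred from the quoted report (e.g. "* md5.: <hex>" and
# "<engine> <version>/<sigdate> found [<label>]" or "... found nothing").
_FILE_LINE = re.compile(r"^\* (?P<key>[a-z0-9]+)\.?: (?P<value>.+)$")
_SCAN_LINE = re.compile(
    r"^(?P<engine>\S+) (?P<ver>\S+) found (?:\[(?P<label>.+)\]|nothing)$"
)


@dataclass
class ScanResult:
    engine: str
    version: str            # engine/signature version, before the slash
    sigdate: str            # signature date after the slash (YYYYMMDD)
    label: Optional[str]    # None when the engine found nothing


@dataclass
class Report:
    file_data: dict = field(default_factory=dict)
    results: List[ScanResult] = field(default_factory=list)


def parse_report(text: str) -> Report:
    """Walk the report section by section and collect file data and verdicts."""
    report = Report()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line.strip("[] ")   # "file data", "scan result", "notes"
            continue
        if section == "file data":
            m = _FILE_LINE.match(line)
            if m:
                report.file_data[m["key"]] = m["value"]
        elif section == "scan result":
            m = _SCAN_LINE.match(line)
            if not m:
                continue    # tolerate wrapped or unexpected lines instead of failing
            ver, _, sigdate = m["ver"].rpartition("/")
            report.results.append(ScanResult(m["engine"], ver, sigdate, m["label"]))
    return report


def detection_summary(report: Report) -> Tuple[int, int, List[str]]:
    """Return (engines that detected, engines total, engines that found nothing)."""
    detected = [r.engine for r in report.results if r.label is not None]
    missed = [r.engine for r in report.results if r.label is None]
    return len(detected), len(report.results), missed


def engines_labelling(report: Report, token: str) -> List[str]:
    """Engines whose detection name contains `token` (case-insensitive). Agreement
    across vendors is a better family indicator than any single engine's name."""
    token = token.lower()
    return sorted(r.engine for r in report.results
                  if r.label and token in r.label.lower())


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    hit, total, missed = detection_summary(rep)
    print(f"md5={rep.file_data.get('md5')} detections={hit}/{total}")
    print("no detection:", ", ".join(missed))
    print("engines naming 'Agent':", ", ".join(engines_labelling(rep, "agent")))
```

Run on the thread's report this gives 17 of 27 engines detecting the archive, with ten engines (McAfee, Microsoft, Symantec and Sophos among them) reporting nothing on the day of submission; ten engines agree on an "Agent" downloader family and five carry the specific "awf" variant name. That spread is why a clean verdict from one product, including the one installed on the infected host, is weak evidence on its own, and why the hashes are worth keeping so the same sample can be re-checked once signatures catch up.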
pykko
September 28th, 2006, 05:20 AM
good to see NOD32 detects it.
Blackspear
September 28th, 2006, 08:14 AM
{QUOTE-> good to see NOD32 detects it. <-QUOTE}
yes, however, this is only one part of the story, you need to read the first post again.
Cheers ;D
pykko
September 28th, 2006, 08:28 AM
{QUOTE-> yes, however, this is only one part of the story, you need to read the first post again.
Cheers ;D <-QUOTE}
I've read it... hope ESET received the sample and added proper detection or cleaning. ;D
Blackspear
September 28th, 2006, 08:33 AM
{QUOTE-> I've read it... hope ESET received the sample and added proper detection or cleaning. ;D <-QUOTE}
Better than that, I'd like to see it properly detected and NOD32 back up and running on those machines, because it certainly isn't running at the moment on them :blink:
anotherjack
September 28th, 2006, 10:12 AM
{QUOTE-> Better than that, I'd like to see it properly detected and NOD32 back up and running on those machines, because it certainly isn't running at the moment on them :blink: <-QUOTE}
Well, it sounds as if the kernel is still running, just the UI has been shot down. He may be able to run the scan from the command line to get it cleaned, then it may be OK, or at the worst, have to reinstall NOD.
fasttrack
September 28th, 2006, 10:01 PM
Running a scan only detects the virus modified files, it does not clean.
There's no signature against the underlying causative viral agent as it is yet to be identified.
Lew
kjempen
September 29th, 2006, 02:16 AM
{QUOTE-> Running a scan only detects the virus modified files, it does not clean.
There's no signature against the underlying causative viral agent as it is yet to be identified.
Lew <-QUOTE}
Virus modified files? It's a trojan downloader/installer, not a file-infector. The file(s) flagged as trojans are in their entirety malicious code. Just delete/quarantine. Run a HijackThis scan and paste the log at this site (http://www.hijackthis.eu/). See if you can clear some things up then (look/click at the ratings/stars if there is anything you are unsure about when it has analysed your log).
fasttrack
October 1st, 2006, 09:46 PM
Here's the hijackthis log....
Looks pretty clean to me.
I'm confused as to how the infected files were modified to become trojan downloaders. Perhaps an HTML exploit that no patch exists for?
All machines were patched with the latest available for IE prior to infection...
~HJT log removed....Bubba~
Bubba
October 1st, 2006, 09:53 PM
Hello fasttrack,
Wilders no longer analyzes hijack logs per this announcement. (http://www.wilderssecurity.com/showthread.php?t=42148)
Go to this site, follow instructions, and they will help you clean your computer. >> http://bfccomputerhelp.com/index.php?showtopic=323