#1
In KAV Personal Pro, the Kaspersky Inspector gave me a Stealth Virus alert for PED0D6~1.DAT, file size 16384 kb.

This turned out to be Perflib_Perfdata_628.dat in C:\WINNT\System32\. When discovered, i.e. my using file operations on it, the file kept reproducing itself as .dat files, then changed to a .tmp extension; the size is the one constant, that being 16384 kb. Some of the file names are {MSIMGIZ.dat, Index.dat} {~DF274D.tmp, ~DF37D7.tmp and several other ~DF followed by an integer}.

Noticed something interesting. There are other files of like names and different sizes: ~DFEAA9.tmp is 49152 kb or 3 times 16384 kb, Created: Friday, October 01, 2004, 5:46:41 PM, Accessed: Yesterday, October 10, 2004, 11:47:47 PM. ~DF3998.tmp is 81920 kb or 5 times 16384 kb, Created: Monday, October 04, 2004, 9:12:41 PM, Accessed: Yesterday, October 10, 2004, 11:47:47 PM. There are 12 variations of ~DF3998.tmp, such as ~DF4658.tmp and other integers with the ~DF lead-in, in my machine, all created at different times and all accessed yesterday, October 10, 2004, 11:47:47 PM. That's when I was running file search operations by size and extension on the 16384 kb files and deleting them. Looks like this file adapts to various methods of locating and removing it. How clever.

I did manage to get a couple of files onto a 3.5 floppy for research on the thing. Would like to submit these files to help get a handle on this monster. Any ideas? What a mess this is.

Last edited by Skookum : October 11th, 2004 at 05:27 AM. Reason: Maybe Wrong Forum
#2
__________________
"Illegitimis non carborundum"
translation: "Don't let the bastards grind you down" U.S. General Joseph W. "Vinegar Joe" Stilwell (1883-1946) Two Photographers
#3
And also newvirus@kaspersky.com .
__________________
Errare humanum est
#4
I think you will find that they are harmless files being created by Windows when it does whatever it does.
I assume that they are in the Local Settings/Temp folder; everybody with XP gets them, and the number and file sizes change with the wind. You can run them through any scanner and they come up harmless. It's a waste of time deleting them as they get recreated by Windows. Just every few days or so, clear out that temp folder completely.
__________________
Derek Microsoft MVP/Windows - Security | Thespykiller | Security & Privacy | Hedgehog Rescue
#5
As this doesn't seem to be a NOD issue and is more general virus, I will move it to the appropriate forum.
__________________
Derek Microsoft MVP/Windows - Security | Thespykiller | Security & Privacy | Hedgehog Rescue
#6
And Perflib data is a Windows system file.
http://forums.computing.co.uk/thread...0&thread=18596 It's the performance counter library.
__________________
Derek Microsoft MVP/Windows - Security | Thespykiller | Security & Privacy | Hedgehog Rescue
#7
PS:
See also posting from Skookum here in the TDS forum: http://www.wilderssecurity.com/showthread.php?t=49753

Edit: I just saw that Derek already pointed in that thread to this one. Sorry Derek.
#8
Yes I see your point. I'm just beginning to use KAV PRO and considered the possibility of a false alarm. Just felt the best thing was to get it out here with the pros for some feedback. Still would like to have it looked at by someone with the proper skills.

Guess what got my attention was the way so many files, with different names and extensions, had the exact same size and appeared as quickly as I would delete the suspect files. Also, all the performance .dat files in sys32 had the same size and the size never changed. That still gives me pause. I just checked my wife's machine and the only perf-type .dat file to have the same file size is this one, and it was just created: Perflib_Perfdata_4c4.dat (16,384 bytes, created: Today, October 11, 2004, 4:50:33). I'll send a zipped copy to Blackspear and Kaspersky.

Here's to life. May all live well