I found this on one of my client's computers. Does anyone have any ideas what this is? Once it gets in memory you can't see the file anymore in Explorer. Its process doesn't show up in Task Manager, but shows up for a second in Process Explorer. Below is a zip with the trojan. Please feel free to contact me at if you have any questions. Deleted URL & email address. Pilli
I did some reading and I don't think it's the f0r0r trojan. NAV Corp, AVG, and TDS-3 couldn't detect it. In all my years this is the strangest little "program" I've ever seen.
Hi there Zechlin, welcome to the forum. Feel free to register as a member (free) so people can PM you. Please never post links to malware in any forum, where less experienced users could get themselves into big trouble. Just submit the zip to developers' laboratories, like submit@diamondcs.com.au, where they will come back to you with proper analysis and advice. Pilli beat me to removing the link and your addy, and made sure the link is in Gavin's hands indeed. Yes, we're all interested to know about the report. Was there more on your client's system? As many nasties don't come alone!
Welcome as a new member and congratulations on your first member posting! Glad you are cleaning out the system. It can take a few hours for Gavin to get back to us, but fortunately they are in Perth, half a day ahead of many!
I downloaded that file earlier. McAfee, Bitdefender, eScan, A2, Ewido, VirusTotal and Jotti's all reported nothing, although Jotti did report a long time sandboxing and advised caution. Looks suspect though.
From DvK01: "It's very possible it's a new variant of BUBE, as that tries to infect explorer.exe and some of the strings inside the file look remarkably similar (but then most malware ones do), and that hides itself when it has installed as well." HTH Pilli
According to Jotti it's been packed with Yoda Protector http://yodap.cjb.net/. That's why you can't find any strings in it. Yoda Protector features:
* Compress Sections.
* Polymorphic encryption.
* Import Table encryption/destruction.
* Anti-Debug APIs.
* SoftICE detection.
* CRC checking.
* API Redirection.
* Anti Dumping.
* Erase PE Header.
* Anti Debugger.
* Destroy relocation information.
* Destroy debug information.
* Eliminate DOS header.
* Optimize DOS header.
* Support OCX, DLL, and SCR files.
It is packed with Yoda Protector. Just checked it with a disassembler. Besides this, the file shows "yP" as the section name, which is the default section name for this protector. I'll take a look at it tomorrow.
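A small triage script (added example, not code from this thread or from any of the tools named here) that parses a PE section table by hand and flags the "yP" section name the posts above attribute to Yoda Protector; the sample header it builds is a constructed, non-executable stub, and the marker set is an assumption to extend with your own packer signatures.

```python
import struct

# Section name the thread reports as Yoda Protector's default.
# Constructed marker set: extend with other packer section names as needed.
SUSPECT_SECTION_NAMES = {"yP"}


def pe_section_names(data: bytes) -> list[str]:
    """Return the section names of a PE image, read from the raw headers.

    Walks the DOS header (e_lfanew), the "PE\\0\\0" signature, the COFF file
    header (NumberOfSections, SizeOfOptionalHeader) and the section table.
    Raises ValueError for anything that is not a well-formed PE file.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt  # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        raw = data[off:off + 8]
        if len(raw) < 8:
            raise ValueError("section table truncated")
        names.append(raw.split(b"\x00", 1)[0].decode("latin-1"))
    return names


def packer_hits(data: bytes) -> list[str]:
    """Section names in the file that match a known packer marker."""
    return [n for n in pe_section_names(data) if n in SUSPECT_SECTION_NAMES]


def build_sample(section_names: list[str]) -> bytes:
    """Construct a minimal PE header stub (headers only, never runnable)."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> right after DOS header
    hdr += b"PE\x00\x00"
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 for the stub), Characteristics
    hdr += struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    for name in section_names:
        hdr += name.encode("latin-1").ljust(8, b"\x00") + bytes(32)
    return bytes(hdr)


if __name__ == "__main__":
    print(packer_hits(build_sample(["yP", ".rsrc"])))
```

Run it against a real sample by passing `open(path, "rb").read()` to `packer_hits`; a hit only says the default section name is present, so treat it as a triage hint rather than proof of packing.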
I've had someone do a partial unpack of it & found some interesting strings inside. It seems to be connected with this one here http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_WINTRIM.CD and will almost certainly attempt to download (if it hasn't already) these files at least, and probably a lot of others: mslagent_.exe, mslagent.exe, msclock32.dll, msplock32.dll
Nice can o' worms, Dvk. It's a bank holiday in Western Australia today, so Gavin might not respond until tomorrow (Tuesday).
They seem to have more Public Holidays in Western Australia than I have hot dinners. I suppose that is where the laid back, happy approach we see in all the Aussie visitors to the UK comes from. Perhaps we should have a few more Public Holidays here as well.
Ah, cricket. Now that is a serious game that the Aussies pinched from us Brits and now think they own. Off topic, Pilli
Just received the following email from Gavin: "Hi, Definitely malicious, some sort of spyware or adware. Nuke it. I'll have to unpack it and analyse it much more before being able to add detection. Best regards, Gavin"
I received a reply from McAfee today. ------------------------------------------------------------ Potentially Unwanted Program added: Adware-StripPlayer AVERT(tm) Labs, Aylesbury Synopsis - The thread is related to a backdoor, but the sample submitted doesn't seem to be related to that. However, we found a dialer embedded into the encrypted body, so we added detection as Adware. Please note that Adware is not a virus. This detection requires either the command-line scanner (with /PROGRAM) or VirusScan 7 or later. Users running VirusScan 7 or later can enable application or joke detection via the configuration option "Find potentially unwanted programs" within the VirusScan GUI.