Help - rogue RNAAPP

Discussion in 'malware problems & news' started by WorkIt, Mar 8, 2002.

Thread Status:
Not open for further replies.
  1. WorkIt

    WorkIt Registered Member

    Joined:
    Mar 8, 2002
    Posts:
    2
    Location:
    USA
    arrrgghhh!  If anybody could aid me in determining *where* my trouble is coming from, I'd certainly appreciate it!  I currently use Norton Internet Security (among others, hehe).  I keep getting a recurring warning, which I am of course blocking:

    Date: 3/7/02 Time: 15:46:29
    This one time, the user has chosen to "block" communications.  Details:
    Outbound UDP packet
    Local address,service is (151.201.152.161,nbname)
    Remote address,service is (151.201.152.39,1026)
    Process name is "C:\WINDOWS\SYSTEM\RNAAPP.EXE"

    Date: 3/7/02 Time: 23:00:49
    Outbound UDP packet
    Local address,service is (matt-s-i1,nbname)
    Remote address,service is (12.79.128.70,1157)
    Process name is "C:\WINDOWS\SYSTEM\RNAAPP.EXE"

    Date: 3/8/02 Time: 12:53:34
    Outbound UDP packet
    Local address,service is (matt-s-i1,nbname)
    Remote address,service is (63.215.227.152,1029)
    Process name is "C:\WINDOWS\SYSTEM\RNAAPP.EXE"

    Date: 3/8/02 Time: 13:03:21
    Outbound UDP packet
    Local address,service is (matt-s-i1,nbname)
    Remote address,service is (213.22.73.52,1029)
    Process name is "C:\WINDOWS\SYSTEM\RNAAPP.EXE"

    Date: 3/8/02 Time: 13:23:48
    Outbound UDP packet
    Local address,service is (matt-s-i1,nbname)
    Remote address,service is (64.130.215.189,1036)
    Process name is "C:\WINDOWS\SYSTEM\RNAAPP.EXE"

    As you can see, it is not non-stop, just enough to annoy me.  What makes it REALLY annoying is that I can't figure it out!  I have run virus scans.  I have downloaded and run every instance of trojan detection software available (including a deep scan with TDS-3).
    I am not an expert, but I am not a novice...I have looked to see what processes are running; this is the usual list:
    Files, which are currently running:
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBBS.EXE
    C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBNPRED.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISSERV.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\IAMAPP.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
    C:\WINDOWS\SYSTEM\EXSHOW95.EXE
    C:\WINDOWS\SYSTEM\EXSHOW.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATITASK.EXE
    C:\WINDOWS\SYSTEM\ATICWD32.EXE
    C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBUITSK.EXE
    C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBSVD.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\VERIZONDSL\WINPOET\WINPPPOVERETHERNET.EXE
    C:\PROGRAM FILES\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
    C:\PROGRAM FILES\TROJANHUNTER 2.5\TH_GUARD.EXE
    C:\QUICKENW\QWDLLS.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\IBM\CLIENT ACCESS\CWBCSD.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\PROGRAM FILES\IBM\CLIENT ACCESS\EMULATOR\PCSWS.EXE
    C:\PROGRAM FILES\IBM\CLIENT ACCESS\EMULATOR\PCSCM.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\TROJANHUNTER 2.5\TROJANHUNTER.EXE
    C:\DOWNLOADS\TFAK5\TFAK.EXE

    I have looked everywhere for any kind of modification to these files, in the .ini files, in the registry...nothing unusual in the load or run statements.  

    My concern is that it's an OUTBOUND occurrence.  On each event, I have traced the remote address.  On two of the events that were traced, the network was BIZSVRCS for Verizon, who happens to be my internet provider.

    I have tried using a really neat tool that comes with Trojan Hunter that extracts memory strings for processes.  Unfortunately, I cannot read them too well (I'm an ancient mainframe programmer!)...but I did see some unusual things.  For example, would RNAAPP really have an "Impersonate" subroutine?  But my knowledge is scarce, and I'm at wit's end...

    Any clues?

    *sigh*...I really should go back to school...
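As an added illustration (not part of the original post, and not a tool any of the participants mention): a small Python script that parses Norton Internet Security alert entries in the exact format WorkIt quoted above, groups the outbound destinations by the process the firewall attributed them to, and flags any outbound NetBIOS name-service traffic (the "nbname" service, UDP 137) that is headed for a public Internet address rather than staying on the LAN. The sample text is constructed: two entries copied from the quoted alerts plus one invented entry to a private address, so the filter has a negative case. The function and class names are my own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional

# Constructed sample: two entries copied from the alert text quoted above, plus
# one invented entry to a private (LAN) address so the filter has a negative case.
SAMPLE_ALERTS = r"""Date: 3/7/02 Time: 15:46:29
This one time, the user has chosen to "block" communications.  Details:
Outbound UDP packet
Local address,service is (151.201.152.161,nbname)
Remote address,service is (151.201.152.39,1026)
Process name is "C:\WINDOWS\SYSTEM\RNAAPP.EXE"

Date: 3/8/02 Time: 13:23:48
Outbound UDP packet
Local address,service is (matt-s-i1,nbname)
Remote address,service is (64.130.215.189,1036)
Process name is "C:\WINDOWS\SYSTEM\RNAAPP.EXE"

Date: 3/8/02 Time: 13:30:00
Outbound UDP packet
Local address,service is (matt-s-i1,nbname)
Remote address,service is (192.168.1.5,137)
Process name is "C:\WINDOWS\SYSTEM\RNAAPP.EXE"
"""

# One regex per field of an alert entry, matching the layout shown above.
DATE_RE = re.compile(r"Date:\s*(\S+)\s+Time:\s*(\S+)")
DIR_RE = re.compile(r"(Inbound|Outbound)\s+(TCP|UDP)\s+packet")
LOCAL_RE = re.compile(r"Local address,service is \(([^,]+),([^)]+)\)")
REMOTE_RE = re.compile(r"Remote address,service is \(([^,]+),([^)]+)\)")
PROC_RE = re.compile(r'Process name is "([^"]+)"')
BLOCK_RE = re.compile(r'chosen to "block"')


@dataclass
class AlertEvent:
    date: str
    time: str
    direction: str
    protocol: str
    local: str
    local_service: str
    remote: str
    remote_service: str
    process: str
    user_blocked: bool


def parse_alerts(text: str) -> List[AlertEvent]:
    """Split the alert text on blank lines and pull the fields out of each entry."""
    events = []
    for entry in re.split(r"\n\s*\n", text.strip()):
        m_date, m_dir = DATE_RE.search(entry), DIR_RE.search(entry)
        m_loc, m_rem = LOCAL_RE.search(entry), REMOTE_RE.search(entry)
        m_proc = PROC_RE.search(entry)
        if not all((m_date, m_dir, m_loc, m_rem, m_proc)):
            continue  # malformed entry: skip it rather than guess at fields
        events.append(AlertEvent(
            date=m_date.group(1), time=m_date.group(2),
            direction=m_dir.group(1), protocol=m_dir.group(2),
            local=m_loc.group(1), local_service=m_loc.group(2),
            remote=m_rem.group(1), remote_service=m_rem.group(2),
            process=m_proc.group(1),
            user_blocked=BLOCK_RE.search(entry) is not None,
        ))
    return events


def is_public(addr: str) -> Optional[bool]:
    """True for routable Internet addresses, False for private/loopback/link-local,
    None when the field is a hostname (like 'matt-s-i1' above) rather than an IP."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return None
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def flag_outbound_netbios(events: List[AlertEvent]) -> List[AlertEvent]:
    """NetBIOS name-service traffic (nbname = UDP 137) belongs on the local network;
    an outbound packet on that service bound for a public address is worth a look."""
    return [e for e in events
            if e.direction == "Outbound"
            and e.local_service == "nbname"
            and is_public(e.remote)]


def remote_contacts(events: List[AlertEvent]) -> dict:
    """Group outbound destinations by the process the firewall attributed them to."""
    by_proc = defaultdict(list)
    for e in events:
        if e.direction == "Outbound":
            by_proc[e.process].append((e.remote, e.remote_service))
    return dict(by_proc)


if __name__ == "__main__":
    evts = parse_alerts(SAMPLE_ALERTS)
    for proc, dests in remote_contacts(evts).items():
        print(proc, "->", dests)
    for e in flag_outbound_netbios(evts):
        print(f"{e.date} {e.time}: nbname to public address {e.remote}")
```

Run against the quoted alerts, the per-process grouping makes the pattern WorkIt describes visible at a glance (one process, many unrelated public destinations, always from the nbname service), and the flag list is the set of events to keep blocking and investigate; the hostname entries return None from is_public on the local side, which is why the filter only classifies the remote address.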
     
  2. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    I found some resources on this exe:

    http://www.modemhelp.net/newsletter/dun/combatrnaapp.shtml

    http://the-it-mercenary.com/forums/Help/posts/50.html

    There is also a trojan named rmaapp.exe. Note the 'M' instead of 'N'. Info found here:

    http://antitrojan.silverhelix.com/page39.html

    You seem to be using DSL, as noted by this:

    C:\PROGRAM FILES\VERIZONDSL\WINPOET\WINPPPOVERETHERNET.EXE

    which means rnaapp.exe isn't even necessary (so I've read anyhow; better verify that).
     
  3. WorkIt

    WorkIt Registered Member

    Joined:
    Mar 8, 2002
    Posts:
    2
    Location:
    USA
    Hi, and thanks...I did look to see if it was perhaps the 'renamed' RNAAPP (RMAAPP), but I'm fine there :)
    I know that since I don't use dialup, there is no reason for RNAAPP to load.  But I was thinking that I have bigger concerns...like what is trying to get outbound?  I read the article suggested, but I doubt if it's a memory issue.  The outgoing attempts are just all over the place (so far today, RNAAPP has tried to connect to IP addresses in Riga (Russia), Islamabad and Mexico City).
    There must be *something* directing RNAAPP to these IP addresses...but that's the frustrating part...even if I were to stop RNAAPP from loading, I am still leaving something that is not good on my PC, but what?

    Symantec says to run an antivirus (I did this).
    I also ran *numerous* trojan detection programs, as well as Ad-Aware...
    Since it is outgoing, I have to assume that it is something that is residing on my PC...
    Am I correct?
    Nuts.
     