What is happening to NOD32 - Is this a virus?

Discussion in 'NOD32 Early v2 Beta' started by rayg, Jan 12, 2003.

Thread Status:
Not open for further replies.
  1. rayg

    rayg Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    41
    I had occasion this weekend to try and bring a friends computer up to date and explain a little about security. I took the opportunity to load ZA Free on WinXP home after doing many updates from Windows update. The system is now bang up to date with patches. As I was doing this from behind my NAT router I did not bother too much about protection as the system had been on the NET for some months My other systems were fully protected and nothing has happened or was spotted by any monitoring I had running.

    However on loading ZAF A program popped up asking to connect to 25.0.0.0:SMTP it was called winkdp.exe installed (as I eventually found out) as a hidden system file in Windows/system32 I decided to disallow access as what it was asking did not "smell" right. I then decided to try and find out what it was and where it had come from.

    I tried to start task manager to see what processes were running, as soon as it was started it was terminated. Given the file system is
    NTFS I cannot use a DOS virus scanner at boot time so I decided to load up NOD32 V2 Beta as the most recent single install I could use. (lay my hands on) However when I tried to run nod32.exe I discovered that the file had been deleted. I installed it again over the top (having been asked to re-boot before) I then tried to run the program again and it was again immediatly deleted.

    I took the step of renaming the winkdp.exe to something else to see if anything was affected. All seems to run OK but then after a couple of re-boots I get asked to allow winkdc.exe access to the same location.

    Has anyone any ideas on what this may be and what the best way to eradicate it if it is not bona fide?

    Thanks for any suggestions.
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Rayg,

    Seems your friend has an infected system. Please:

    - zip the file and send us a copy (support@wilders.org);
    - download, install, update a good antitrojan (TDS for
    example) and perform a full system scan;
    - give an online free scan a try - Panda and/or Trend, as
    available on our free services page.

    Please post the result(s).

    regards,

    paul
     
  3. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium -Li?ge
    Hello,

    At first glance, a variant of Klez.

    Rgds,

    JacK
     
  4. rayg

    rayg Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    41
    Paul,

    Thanks for you reply

    It seems it is a KLEZ infection. I found out from a post elsewhere. I assume therefore that there will be no need to send the file.

    BTW I did not consider asking the same question in two forums as cross posting. One was a trojan forum and one a virus I did not know and had been unsuccessful in searching for the problem. I have no idea who reads what I was covering all bases. It seem that whatever I do here in the Wilders forum is wrong. For that I apologise. I will try not to post too often.
     
  5. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Here is some info you may need.. and i would follow pauls instructions..but will tell you that the panda tool is good for this one since it work in the PAVDOS Mode...

    This destructive, memory-resident variant of the WORM_KLEZ.H mass-mailing worm propagates via email and network shared drives. It uses SMTP to propagate via email. Both variants differ mainly in the type of email they compose.

    It drops a WINK*.EXE file and a WQK.EXE file in the Windows System folder of the infected system and then creates corresponding registry entries to execute these dropped files at every system startup. It also infects .EXE files. To infect, it encrypts (compresses) the target file and then modifies the file extension with a random name. It also modifies the attributes of the file and sets these to Read-only, Hidden, System, and Archive. Thereafter, this worm copies itself to the original filename of the infected file. This worm's file size is the same as that of the infected file.

    In the wild: Yes


    --------------------------------------------------------------------------------

    Payload 1: (drops the file WQK.EXE and WINK.EXE)

    Trigger condition 1: Upon execution


    --------------------------------------------------------------------------------

    Payload 2: Deletes Files (deletes files associated with antivirus programs)

    Trigger condition 1: Upon execution


    --------------------------------------------------------------------------------

    Payload 3: (overwrites files with certain extensions)

    Trigger condition 1: (on the sixth day of any odd-numbered month


    --------------------------------------------------------------------------------

    Language: English

    Platform: Windows

    Encrypted: Yes

    Size of virus: 85 KB

    Pattern file needed: 204

    Scan engine needed: 5.200

    Discovered: Jan. 17, 2002

    Detection available: Jan. 17, 2002



    --------------------------------------------------------------------------------

    Details:

    Upon execution, this worm decodes its data in the memory and then copies itself to a WINK*.EXE file, with the hidden attribute, in the Windows System directory. * is a random number of random characters.

    It creates the following registry entry so that it executes upon system startup. * is any random character:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run, Wink*, "wink*.exe"

    Similar to WORM_KLEZ.A, this worm also has several threads that accomplish its spreading and payload mechanisms. Its main features are as follows:
    Dropping of PE_ELKERN.B
    On Windows 9x machines, the worm drops a WQK.EXE file (approximately 13 KBytes) in the Windows System folder. On Windows 2K machines, the worm drops a WQK.DLL file (approximately 13 KBytes) in the Windows System folder. These files have the hidden, system and read-only attributes set. The worm then executes or spawns WQK.EXE or WQK.DLL as a separate process.

    Trend Micro antivirus detects WQK.EXE and WQK.DLL as PE_ELKERN.B.

    Network Infection
    This worm can replicate via shared drives/folders with read/write access. To accomplish this, it enumerates all the shared resources of the network. For shared folders with read/write access, it copies itself to files with randomly generated filenames. The dropped files have the following extensions:

    EXE
    PIF
    COM
    BAT
    SCR
    RAR
    Occasionally, the worm copies itself to a random filename with two file extensions. The first extension name can be any of these:

    MP8
    EXE
    SCR
    PIF
    BAT
    TXT
    HTM
    HTML
    WAB
    DOC
    XLS
    CPP
    C
    PAS
    MPQ
    MPEG
    BAK
    MP3
    The second extension can be any of these:

    EXE
    PIF
    COM
    BAT
    SCR
    RAR
    Mail Distribution:
    To propagate copies of itself, it sends an email containing its executable program using its own SMTP engine. It has several ways of collecting its spoofed source email address and target email addresses.

    It gathers email addresses from the entries of the default Windows Address Book (WAB). The path and filename of the WAB are identified in the following registry entry:

    HKEY_CURRENT_USER\Software\Microsoft\
    WAB\WAB4\Wab File Name = “<pathname of WAB file>

    The worm also gathers a list of addresses from the following files of the infected computer:
    MP8
    EXE
    SCR
    PIF
    BAT
    TXT
    HTM
    HTML
    WAB
    DOC
    XLS
    CPP
    C
    PAS
    MPQ
    MPEG
    BAK
    MP3
    The worm randomly chooses from this pool of email addresses its target user and the email address that it uses in the “From:” field of the email it sends.

    Randomly, it may also choose its “From:” field from this list of addresses in the worm body:

    pw246@columbia.edu
    queen@helix.com.hk
    yaya@wfc.com.tw
    atoz@2911.net
    anti@helix.com.hk
    graph@helix.com.hk
    street@verizon.net
    sani@2911.net
    santurn@verizon.net
    andy@verizon.net
    little@hitel.net
    gigi@helix.com.hk
    bet@helix.com.hk
    lily@88win.com
    sun@verizon.net
    linda@verizon.net
    raise@wfc.com.tw
    rainrainman@hongkong.com
    karala@hongkong.com
    sammychen@wfc.com.tw
    flywind@wfc.com.tw
    suck@wfc.com.tw
    urlove@wfc.com.tw
    utu@88win.com
    cheu@2911.net
    xyz@2911.net
    pet@2911.net
    girl@edirect168.com
    littlecat@hongkong.com
    panshugang@chinese.com
    pipti@21cn.com
    certpass@21cn.com
    powerhero@263.net
    CR7269CH@terra.es
    RUBENSOTOAGUI@terra.es
    ACAMDR@terra.es
    ol-petech@terra.es
    ROSANAMOLTO@terra.es
    MANUEL23@terra.es
    cristian_soto@terra.es
    carlos_nuevo@terra.es
    It then constructs the HTML mail, which contains the worm copy. It randomly generates the filename of the attachment.

    It obtains its SMTP server using the domain name of the email address it used in the “From:” field of the email it sends. For example, if the “From:” field of the email is any_user@somewhere.com, then it uses smtp.somewhere.com to send its spoofed email. It sends out SMTP commands to this SMTP server to create and send an email. It also randomly composes the actual subject and message body of the email it sends. It randomly selects the email subject from this list:

    how are you
    let's be friends
    darling
    don't drink too much
    your password
    honey
    some questions
    please try again
    welcome to my hometown
    the Garden of Eden
    introduction on ADSL
    meeting notice
    questionnaire
    congratulations
    japanese girl VS playboy
    look,my beautiful girl friend
    eager to see you
    spice girls' vocal concert
    japanese lass' sexy pictures
    It sends out SMTP commands to this SMTP server to create and send an email. It also randomly composes the actual subject and message body of the email.

    It does not require the email receiver to open the attachment for it to execute. It uses a known vulnerability in Internet Explorer-based email clients to execute the file attachment automatically. This is also known as Automatic Execution of Embedded MIME type.

    The infected email contains the executable attachment registered as content-type of audio/x-wav or sometimes audio/x-midi. When its email recipients view the infected email, the default application associated with audio files is opened. This is usually the Windows Media Player. The embedded EXE file cannot be viewed in Microsoft Outlook.

    More information about this vulnerability is available at Microsoft’s Security Bulletin.

    Antivirus Disabling
    This worm disables the running processes, and occasionally deletes the executable files of programs associated with the following names of antivirus products:

    _AVP32
    _AVPCC
    NOD32
    NPSSVC
    NRESQ32
    NSCHED32
    NSCHEDNT
    NSPLUGIN
    NAV
    NAVAPSVC
    NAVAPW32
    NAVLU32
    NAVRUNR
    NAVW32
    _AVPM
    ALERTSVC
    AMON
    AVP32
    AVPCC
    AVPM
    N32SCANW
    NAVWNT
    ANTIVIR
    AVPUPD
    AVGCTRL
    AVWIN95
    SCAN32
    VSHWIN32
    F-STOPW
    F-PROT95
    ACKWIN32
    VETTRAY
    VET95
    SWEEP95
    PCCWIN98
    IOMON98
    AVPTC
    AVE32
    AVCONSOL
    FP-WIN
    DVP95
    F-AGNT95
    CLAW95
    NVC95
    SCAN
    VIRUS
    LOCKDOWN2000
    Norton
    Mcafee
    Antivir
    TASKMGR2
    The worm also scans for the above strings and deletes them if found as values in the following registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\
    Windows\CurrentVersion\Run

    Finally, the worm searches and deletes for the following files:
    ANTI-VIR.DAT
    CHKLIST.DAT
    CHKLIST.MS
    IVB.NTZ
    SMARTCHK.MS
    SMARTCHK.CPS
    AVGQT.DAT
    AGUARD.DAT
    Destructive Payload:
    On the system date, 6th of any odd month, this worm searches the fixed and remote drives for files having the following extensions. It then attempts to overwrite these files with garbage codes:

    TXT
    HTM
    HTML
    WAB
    DOC
    XLS
    CPP
    C
    PAS
    MPEG
    MPG
    BAK
    MP3
    JPG
    Stealth Routine
    On Windows 98/95, the worm registers itself as a service process to hide itself from the taskbar. On Windows 2000 systems, it creates a system service and registers it as a service control dispatcher. In this way, the service control manager always calls the worm service upon Windows startup.

    Others
    This worm does not run on machines that run NT 4.0 or its lower versions because of the unavailability of system functions or APIs it uses to kill the antivirus-related processes.

    The worm body contains the following text:

    Win32 Klez V2.0 & Win32 Elkern V1.1, (There nickname is Twin Virus *^__^*
    Copyright, made in Asia, announcement:
    1. I will try my best to protect the user from vicious virus, Funlove,Sircam,Nimda,Codered, and even include W32.Klez.1.X
    2. Well paid jobs are wanted.
    3. Poor life should be unblessed.
    4. Don’t accuse me, please accusse the unfair sh*t world.
     
  6. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    rayg,

    Thanks for you reply

    Are you sure? If not, don't hesitate to send us a (zipped) copy.

    Well, the TDS Forum is a dedicated forum for TDS (trial) users - and asking one and the same question on different forums is bound to cause some havoc - but we've got that covered in this case as it is now ;).

    o_O Not at all - what makes you think that?

    No need for apologies in any way!

    I for one would sincerely be sorry if you didn't. You are welcome as ever!

    regards.

    paul
     
  7. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    For you immediate problem before your system crashes completely.
    Here is a link to the panda tools..I would clean that thing off fast and then scan with NOD when you can get the PC stable.....then I would makes sure nothing else is on the PC.
    http://www.pandasoftware.es/library/pqremove_en.htm
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Do i remember well XP has system restore? so a deleted or disabled nasty comes back after a few reboots unless you temporary disable it.
    As you poosted in the TDS forum too and i googled a bit around i come here.
    I re-read your posting several times.
    Suppose you mean not the winkdp file but the NOD (or AMON) file was gone, right?

    From googling around my first impression was other software in the astronomical environment, using the same file names and a directory winkdp in which it would be installed, and 25.0.0.0 has to do with radar registrations so it seemed so logical, but this was before seeing other postings about klez which seem lots more logical in relation with the deleted NOD files, unfortunately.
    If you're cleaned crashfree you might be interested to put an eye on the software tools descriptions and see what made me thinking this way in first instance thanks to google. http://www.maa.mhn.de/Tools/
    (the file i mean is at the bottom)
    Good luck with cleaning out!
     
  9. rayg

    rayg Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    41
    Jooske,

    Sorry I was not too clear - yes it was NOD32.exe that was deleted as soon as it was run.
     
  10. rayg

    rayg Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    41
    To everyone else

    Thanks for your extremly helpful suggestions and replies.

    Cleaning is scheduled for some time this week. Hopefully successfully. I have a feeling that the virus was not 100% correctly installed. It does not seem to have sent anyone an infected e-mail at this time. I think the system has been like it for some time. There was a very old virus program but I could find no evidence of cleaning so it might just have been luck not too much damage was done. Time will tell.
     
  11. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    hi rayg,

    Best of luck as for cleaning ;). Are you sure about the nastie not being installed and sending out infected emails?

    "Mail Distribution:
    To propagate copies of itself, it sends an email containing its executable program using its own SMTP engine."

    regards.

    paul
     
  12. rayg

    rayg Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    41
    Paul,

    Fairly certain it's not sending e-mail. I know I am in the address list and there are several other people you regularly send/recieve e-mail - none of them (including myself) have recieved a contaminated e-mail. Now ZAF is instaled I think it is stopped in it's tracks - it does not seem to be able to get by that by stopping it. Fingers crossed...
     
  13. rayg

    rayg Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    41
    Apologies for taking so long - but I did promise an update on the situation.

    It was indeed the klez virus and running one of the cleaners cleaned 253 files and now the system does appear to perform as it should. No unwanted ZAF requests for access and the task manager runs as expected as does NOD32 Beta 2 - the nod32.exe file is *not* deleted after installation.

    So all in all thanks to everyone who identified the correct virus for me - a successful result.
     
  14. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    rayg,

    Glad to hear the problem's solved ;).

    regards.

    paul
     
Thread Status:
Not open for further replies.