What the hell is AAAAAAAAA

Discussion in 'Trojan Defence Suite' started by aaaaaa, Apr 14, 2003.

Thread Status:
Not open for further replies.
  1. aaaaaa

    aaaaaa Guest

    Ok I am just bored so instead of watching my grass grow or the paint dry I decided to watch my Anti-Virus at work (real time), and once in a while I see it scan a file called AAAAAAAAAAAAAA.exe (not too sure about the extension though). But when I do a search for the file I don't seem to locate it.

    I've done an AV test (NOD32, BITDEFENDER, NORTON, PC-CiLLIn 2003) along with an AT test (TDS-3, BO realtime, TH) but to no avail. I've also tested it in SafeMode and still come up with nothing, but the file does get scanned. (No I am not running OS2-Warp and not looking at .gif or bitmaps :)) It's WinXP (although they did borrow some OS2 code from IBM, oh well).

    Can someone shine some light on this dilemma?

    Thank You

    P.S.
    I can't find it thus I can't send it. :)
     
  2. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,016
    Have you done a search just under aaa.
    I suspect this might be aaaamon.dll
    Aaaa Monitor DLL 5.1.2600.0 (xpclient.010817-1148)

    For additional info : http://www.microsoft.com/hwdq/hwtest/default.asp
     
  3. aaaaaa

    aaaaaa Guest

    Yes I thought so too, but when I've seen it scanned it's A^21 with no extension in sight and it's too fast for me to catch it, all I know is that the A's take over the whole path name view..that's a lot of A's :)

    Whoa and that's a really creepy spider crawling on my shirt sleeve!!! BRR Creepy flicked the bugger off and stepped on it...boy I've never stepped on any spider that size...kind of feels weird...Also what's weird is why would there be a spider in a lab?

    Sorry just had to share it, my adrenaline just went through the room when I caught the bugger in my peripheral vision. Phew thank you flight or fight response (great that I reacted with fight and not flight :) )
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Do all those scanners scan the file and you see it coming up or just a few?
    Are you on XP?
    I mean: do all those scanners scan possible hidden NTFS ADS streams?
    Is there any alert on it? guess not, for then you would have seen it in for instance the tds-3 alerts and be able to click to it.

    Suppose you configured your system to display all files, including the hidden ones and extensions?

    Lots of nasties we see in emails code contain looooooooooots of AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaaa etc but suppose you don't scan text files with all those scanners like pestpatrol would do for you.

    I wonder the reason why you post in the TDS forum here, where you're welcome, of course, so I wonder how we can help you in the best ways.

    Any ideas if it is doing something nasty? You might like to try Port Explorer to see if there is any AAAAAAAAAAAAAAAaa calling to the outside world somehow and block it, sniff the packets, if so, etc etc.
     
  5. aaaaa

    aaaaa Guest

    Pinpointed it to an AIC.exe trojan for AOL AIM. :) It took a while, bastard trojan. :) All it does is crash AIM due to illegal icon length.

    Thank you for your help.
     
  6. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    aaaaa: could you kindly forward a copy to support@diamondcs.com.au ? Thanks
     
  7. aaaa

    aaaa Guest

    I think I did a few days ago (I thought I got rid of that sucker but guess not), you probably got it as Snail Mail from SPAMMAIL_Viraltestaccount@yahoo.comSPAMMAIL
     
  8. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    aaaa - It'll be a wonder if DCS's mail filters didn't throw that one in the trash with a return address like that! :)

    Glad you found out what it was. Pete
     
  9. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    And, since you piqued my curiosity about the file, I did a "Search" on my computer (since my son uses AIM).

    I used *aaaa for the search parameter and came up with five files.

    If anyone wants them to examine, just let me know. Pete
     
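    The checks Jooske suggests earlier in the thread (show hidden files and extensions, look at NTFS alternate data streams) and the wildcard search spy1 ran above can be combined into one defender-side script. The PowerShell below is an added example, not code from this thread, from Wilders or from DiamondCS; the function name, the default root path and the run-length threshold are assumptions of mine. It lists every file, hidden ones included, whose name contains a long run of one repeated character (the "AAAAAAAA" pattern the original poster saw) and shows any named alternate data streams attached to it.

```powershell
# Added example (not from the thread). Finds files whose names contain a long
# run of a single repeated character, including hidden/system files, and lists
# any NTFS alternate data streams on each hit. Requires Windows PowerShell 3+
# or PowerShell 7 on Windows (Get-Item -Stream is Windows-only).
function Find-RepeatedNameFiles {
    param(
        [string]$Root = 'C:\',   # assumed starting point; adjust for your system
        [int]$MinRun = 8         # assumed threshold: 8+ identical characters in a row
    )

    # Regex: any character followed by at least ($MinRun - 1) copies of itself.
    # -match is case-insensitive, so "AaAaAaAa" counts as a run too.
    $runPattern = "(.)\1{$($MinRun - 1),}"

    # -Force includes hidden and system files; access-denied folders are skipped.
    Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $runPattern } |
        ForEach-Object {
            $file = $_

            # Every file has the unnamed ':$DATA' stream; only named streams matter here.
            $ads = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                   Where-Object { $_.Stream -ne ':$DATA' }

            [pscustomobject]@{
                Path       = $file.FullName
                Hidden     = $file.Attributes.HasFlag([IO.FileAttributes]::Hidden)
                Bytes      = $file.Length
                AltStreams = ($ads | ForEach-Object { "$($_.Stream) ($($_.Length) bytes)" }) -join ', '
            }
        }
}

# Usage: scan the user's profile rather than the whole drive for a quicker first pass.
Find-RepeatedNameFiles -Root $env:USERPROFILE -MinRun 8 | Format-Table -AutoSize
```

    A file that only ever shows up in the antivirus's real-time display but never in a search is often either hidden/system-flagged (which Explorer's default search skipped on XP) or a named stream on an otherwise unremarkable host file; the `Hidden` and `AltStreams` columns make both cases visible in one listing.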
  10. aaaaa

    aaaaa Guest

    Oh, no the mail I've sent was regular. The reason why I placed spammail in the forum is to at least try to confuse spambots searching forums for blahh@blahh.com and adding the lists to "double fisted c f with a strp On mailing lists" :)

    The trojan wasn't much but still it was an annoyance, apparently it still does affect some of the AOL AIM version 5 clients (I haven't sued AOL AIM for a while but it was still on my pc, hence the reason why it didn't affect me much... I tend to use Trillian Pro for its Secure IM transmission).

    Thank You for all your help.
     
  11. aaaa

    aaaa Guest

    oh yeah and I do have an account here but I forgot my password and just don't want to go through the trouble of actually getting it, if I can just post as a guest. :)


    "Tempnexus" is/was the name. :)
     
  12. aaa

    aaa Guest

    mmm a play on words...I didn't mean sue AOL AIM I meant use. :) No I am not a lawyer ;) :)
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    AAAAA for the password on this board can you still please try to go through that feature of the board or mail the webmaster@wilders.org for that?
    If it is for passwords on the DCS forum www.diamondcs.com.au/forum/index.php, where there is also a password retrieval feature, support@diamondcs.com.au would be the place.
    This thread is not the place, even though DCS has in their free tools section several very handy and useful tools also for password matters among others.


    For email addresses in the open it seems to help replacing @ with _AT_ in general for the address harvesters, although one might think they have that programmed out already, so maybe the combination with your name.remove_AT_spam.domain could help a bit.
     