I think I'm infected

I found a file in my usenet download folder called busty_stripper.scr. Because the extension looked harmless I clicked on it, thinking I would get an idea what it is. I don't remember if I saw anything, but next thing I knew Zone Alarm was asking permission for it to call out. I denied this and deleted the file. Then WinPatrol told me it had inserted into a startup area, but WinPatrol did not seem to be able to remove it. So I searched and found it in c:\winnt\system32. I thought I removed and tried to get at my startup with regedit but it closed as soon as it launched.

Anyway, I can give more details but I am afraid my message is getting too long. As it stands now, some of my startup programs don't seem to be starting. That file is back in c:\winnet\system32 folder. A search of the internet on "scr" said that badtrans can use that extension. I'm running AVG, but it is not sounding an alarm.

I could use some advice about what to do. I also have the file in a zip if anyone would like to test it.

 

Andrew,

Unfortunately, I think .scr is involved in a lot of worm and probably other kinds of nasties. I can't help you but a number of the experts here are located in Europe/Australia and should be online fairly soon.

Since, at the moment, you still have e-mail, I would just check back shortly and see if they can't start helping you unravel this. There are many experts here but those with special interests in this problem are often in the TDS formums dealing with anti trojan, anti worm software,

Good luck,
Best wishes

Bdiamond

 

>Unfortunately, I think .scr is involved in a lot of worm

I'm finding that out. I used to be active here (username: Andrew) some time ago, and I guess I should have stayed active.

If it helps someone solve this, here is what else I discovered. I searched and I do not have gone.scr (goner) or Kernel32.exe or kdll.dll (badtrans). And I read nothing about these being stealthed. But here's something else that happened:

After deleting the scr file from the system folder again, it did not come back on reboot. But I had also removed it from from RUN using a startup manager called Starter so maybe that helped. After I rebooted, avgcc32.exe was able to start by itself. This is the control center for AVG anti virus, and it was not running at startup as it is supposed to. But there are other things that are sitting in the RUN spot that used to put icons in my tray but no longer do that, unless I run them manually. Like ICQs ndetect.exe and soundmax smtray.exe.

 

TDS formums? Is there also a TDS fordads version? DCS is known to be very women friendly, btw.
Sorry, i just love this typo, i'm not making fun of you.

Anyway, found in one newsgroup a description of the nasty and removal:
here

 

Well. Andrew, I should have mentioned some of the TDS people really kmow how to hurt a guy!

As usual, it looks like Jooske may have come up with a "lifesaver" solution. I don't know that much about about these kinds of problems but I know for sure I would never have thought to delete the thing file from DOS.

Can you imagine finding this out after reformatting and reinstalling your system?

And Jooske, really nice to see you again! Look forward to seeing you in the TDS foruncle.

Good luck Andrew!

Bdiamond

 

Oops! It was not for hurting:
some people are somehow noticable by their writing style, spelling or typos. I make a lot, some i see in time to correct.
Recently we discussed in the "General" in the DCS forums women and security, where i argumented in the age groups over 45 the % of women on internet is higher per age group then men. Also in our "Female operators" thread there was this a subject.
So, seeing the "TDS formums" opened my heart, as i know very well it was "forums" of course and normally i would never have mentioned it, but this one was so very sweet and adequate, as indeed TDS is for women too, not only reserved for high security power educated persons. In fact lots of women from every background have joined the registered operators team and know to use the stuff.
So an extra stimulation for DCS to add new tools for us and educate us more in using them.
If you felt hurt, i apologize as of course that was never the intention.
The only thing TDS users like to hurt are nasties, we fight them, snipe them inside out and put them through the shredders to being recycled into nice clean electrons for our system. If possible additioned with freshly squeezed orange juice without artificial preservatives.
But we are very user friendly, most of us, most of time, i guess....

TDS forwholefamily; (make sure they all have their own registered copy) why do you think most of the nasty-writers themselves use TDS to protect them for their own kind? TDS from downyunder foralloverthere.
Just TDS, you know why

Hope the nasty was deleted from the system in the meantime without any other damage!

 

Jooskie,

I understood completely the context of your note and that you were just having some fun. No offense was taken at all! I was just trying to do the same thing. I enjoyed your comment and understood it fully. So please do not think I misunderstood or was hurt in any way.

Sincerely,

Bdiamond

 

I know, you just offered an extra opportunity for more fun and some promotional talk and a reminder to have the whole family well protected, remote controlled if necessary, with your own secure chatline, whatever.

I'm just happy the nasty it was all about is located and hopefully completely recycled BEFORE reformat and reinstalling the system was even considered without talking to us overhere first to prevent all that trouble!
Imagine how we could deal with real nasties, like the private forum unveils somewhat in the scripting area among others

Dealing with nasties from DOS or in the safe mode to make sure the nasty can't be running is done more often.
And make sure it is really completely away from system restore too, so disable restore - reboot - enable restore and make manually a new restore point from the clean position.

 

Hi Jooske. Thanks for the link. I didn't think to seach usenet.

I already removed the file using the method I mentioned in my second message. And it hasn't come back after several reboots.

But there are still programs that usually put icons in the tray at startup and they are no longer doing this. And they are sitting where they should be in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

So I am wondering if it is possible that something got hijacked.

 

Hi AndrewB.,

If it makes you feel better if I have a look. Could you post your HijackThis log
Download, Unzip and run HijackThis, Then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.
Don´t fix anything yet. Most of what it finds is harmless.

Regards,

Pieter

 

Hi Pieter. Thanks for your very generous offer. I think I might have used the word hijack wrong; I was thinking of sometime that takes over a file name for its own use. But here is a copy of the log. I don't recognize either of those IP addresses. If they have something to do with my computer, I'm not aware of it.

Also, if anyone wants to test the file I have it in a zip and can send it. I can find mention of it in usenet, but nobody seems to have identified what this is.

Logfile of HijackThis v1.95.1
Scan saved at 9:55:05 AM, on 7/19/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
d:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\mgabg.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
d:\Program Files\Photodex\CompuPicPro\ScsiAccess.exe
C:\WINNT\System32\Tablet.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
D:\Program Files\Grisoft\AVG6\avgcc32.exe
D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
D:\Program Files\3M\PSN2Lite\Psn2Lite.exe
D:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\system32\ntvdm.exe
D:\PROGRA~1\BILLPS~1\WINPAT~1\WINPAT~1.EXE
C:\Documents and Settings\me\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 208.197.77.40
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System32\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Shortcut to WP Office 3.1 Calendar.pif = D:\pro_dos\Office31\CL.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk = D:\Program Files\3M\PSN2Lite\Psn2Lite.exe
O4 - Global Startup: ZoneAlarm.lnk = D:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: WebWorks Help 2.0 - file://D:\Program Files\Painter 7 Trial Version\Help\wwhelp2.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37531.7787384259
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E99DAAF-6211-4299-ACC2-FE483260C468}: NameServer = 206.13.29.12,206.13.30.12

 

Proxyserver:
Colfax International UU-208-197-77 (NET-208-197-77-0-1) 208.197.77.0 - 208.197.77.255

Nameservers:
Pac Bell Internet Services PBI-NET (NET-206-13-0-0-1)
206.13.0.0 - 206.13.127.255
FE Net - lsan03 (servers) SBCIS-051203164003 (NET-206-13-29-0-1)
206.13.29.0 - 206.13.29.255

Could you send the file to the e-mailaddres in my profile.
I'll see what I can make of it.

Regards,

Pieter

 

This might be what hit me:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SPYBOT.GEN&VSect=T

Here is what I have in common with this one:

1. I could not launch regedit when it first hit.

2. There is a folder under my system folder called "kazaabackupfiles" that has the files listed at this link.

They say it is not in the wild, but I picked it up from usenet.


Added URL tags

 

This is getting weird. I have tested the scr file that started it all, and some of the exe files it created under my system folder. And they come up clean.

I tested with AVG 6.0 (latest signature update) which is already installed on my computer. Then I downloaded Trojan Hunter Trial version and manually installed the latest signature. Then tried NOD32 version 1.435 (20030611) NT. And with each test I deactivated the other scanners and pointed it right at the file.

Could this be some sort of new variant. Or do these worms ever play a joke and deactivate their own files.

BTW, after searching the internet for the files found on my computer, I found that spybot.gen is not the only worm that uses these as bait. So it could be something else. Here are the files I got, and they are all the exact same size as the scr file.

AquaNox2 Crack.exe
AVP_Crack.exe
Battlefield1942_bloodpatch.exe
C&C Generals_crack.exe
FIFA2003 crack.exe
NBA2003_crack.exe
Porn.exe
Unreal2_bloodpatch.exe
UT2003_bloodpatch.exe
zoneallarm_pro_crack.exe

 

Hello Andrew,

Looks like your first hunch was right.

This is what NAV had to say when your mail came in:

Source: busty_stripper.scr
Description: the attachment busty_stripper.scr in busty_stripper.zip
is infected with virus W32.Spybot.Worm.

Report from Dr.Web (online scan)
G:\Manege (KIJK UIT)\busty_stripper.scr packed by ASPACK
G:\Manege (KIJK UIT)\busty_stripper.scr infected with Win32.HLLW.SpyBot

Report from KAV (online scan)
Current object: busty_stripper.scr
busty_stripper.scr Packed: ASPack
busty_stripper.scr Infected: Worm.P2P.SpyBot.gen

Regards,

Pieter

 

Thank you very much for your help, Pieter. With your confirmation about what this is, I can evalute better if it is gone. And it looks like I need to buy different AV software.

Best Regards,

Andrew

 

You´re welcome.

The virus not being recognized in a scan could be explained by the packing, but not catching it when you started it, would make me agree.

Regards,

Pieter

 

And now you just reminded me of something else. When I scanned with NOD32 and Trojan Hunter they didn't sound an alarm. But that doesn't mean they would not sound the alarm as the file unpacks.

Of course, I don't think I want to test this by clicking on the scr file again. I've had enough of that pest.

 

Hi Andrew,

I did send your file to Eset, so it should be picked up in the scans shortly.
Oh, and please don´t doubleclick it. It is a nasty one.
Disables Taskmanager, regedit, msconfig and probably lots more.

*Pieter wipes his brow being happy he has a second OS installed

Regards,

Pieter

 

After they check it, could you let us know what Eset says about NOD32 and this file?

 

Detection added.

 

Sounds like a very good job, congratulations.
Which category is it, trojan, worm, virus, mix of them?

 

From what I've read about the behavior, I'd say it's a worm/trojan.

 

CHARACTERISTICS

Win32.Spybot is an open soure irc bot. Due to the open and modular manner in which the source for this bot is distributed, there are many slightly different variants of this bot in the wild. Most will allow a victim's machine to be controlled in some manner by a remote user via IRC (Internet Relay Chat), while others may have the ability to spread via P2P networks.

Apart from having standard backdoor functionality, such as the ability to:
Gather configuration information about the local machine, including connection type, cpu speed and general information regarding the local drives.
Install or delete files on the local machine.
Perform other miscellaneous commands on the local machine.

Win32.Spybot may also be able to (depending on the variant):
Spread via: KaZaA P2P networks, or by using backdoor programs, Kuang or Sub Seven
Download files via the Internet
Keylog (i.e. log keystrokes on the affected machine)
Kill firewall or antivirus software processes to avoid detection
Act as an HTTP server

Spybot installs itself via the registry by default by modifying the following keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

These 'Bots' are a popular tool for conducting a Distributed Denial of Service against a target, although they can also be used for a number of other illegitimate purposes, such as port scanning, spamming or flooding unsuspecting targets.

Source: http://www3.ca.com/virusinfo/virus.aspx?ID=35771

 

There are quite a few variants in the TDS primaries list indeed, so Gavin might give each sample about a new number if we keep sending our collections to him too from our emails
Glad this one is solved and another system saved on the internet community!
Good work and good info!