What is happening to NOD32 - Is this a virus?

Discussion in 'NOD32 Early v2 Beta' started by rayg, Jan 12, 2003.

Thread Status:
Not open for further replies.
  1. rayg

    rayg Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    41
    I had occasion this weekend to try and bring a friend's computer up to date and explain a little about security. I took the opportunity to load ZA Free on WinXP Home after doing many updates from Windows Update. The system is now bang up to date with patches. As I was doing this from behind my NAT router I did not bother too much about protection, as the system had been on the NET for some months. My other systems were fully protected and nothing has happened or was spotted by any monitoring I had running.

    However, on loading ZAF a program popped up asking to connect to 25.0.0.0:SMTP. It was called winkdp.exe, installed (as I eventually found out) as a hidden system file in Windows/system32. I decided to disallow access as what it was asking did not "smell" right. I then decided to try and find out what it was and where it had come from.

    I tried to start Task Manager to see what processes were running; as soon as it was started it was terminated. Given the file system is NTFS I cannot use a DOS virus scanner at boot time, so I decided to load up NOD32 V2 Beta as the most recent single install I could use (lay my hands on). However, when I tried to run nod32.exe I discovered that the file had been deleted. I installed it again over the top (having been asked to re-boot before). I then tried to run the program again and it was again immediately deleted.

    I took the step of renaming winkdp.exe to something else to see if anything was affected. All seems to run OK, but then after a couple of re-boots I get asked to allow winkdc.exe access to the same location.

    Has anyone any ideas on what this may be and what the best way to eradicate it if it is not bona fide?

    Thanks for any suggestions.
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Rayg,

    Seems your friend has an infected system. Please:

    - zip the file and send us a copy (support@wilders.org);
    - download, install, update a good antitrojan (TDS for
    example) and perform a full system scan;
    - give an online free scan a try - Panda and/or Trend, as
    available on our free services page.

    Please post the result(s).

    regards,

    paul
     
  3. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello,

    At first glance, a variant of Klez.

    Rgds,

    JacK
     
  4. rayg

    rayg Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    41
    Paul,

    Thanks for your reply.

    It seems it is a KLEZ infection. I found out from a post elsewhere. I assume therefore that there will be no need to send the file.

    BTW, I did not consider asking the same question in two forums as cross-posting. One was a trojan forum and one a virus forum; I did not know, and had been unsuccessful in searching for the problem. I have no idea who reads what, so I was covering all bases. It seems that whatever I do here in the Wilders forum is wrong. For that I apologise. I will try not to post too often.
     
  5. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Here is some info you may need, and I would follow Paul's instructions, but will tell you that the Panda tool is good for this one since it works in PAVDOS mode...

    This destructive, memory-resident variant of the WORM_KLEZ.H mass-mailing worm propagates via email and network shared drives. It uses SMTP to propagate via email. Both variants differ mainly in the type of email they compose.

    It drops a WINK*.EXE file and a WQK.EXE file in the Windows System folder of the infected system and then creates corresponding registry entries to execute these dropped files at every system startup. It also infects .EXE files. To infect, it encrypts (compresses) the target file and then modifies the file extension with a random name. It also modifies the attributes of the file and sets these to Read-only, Hidden, System, and Archive. Thereafter, this worm copies itself to the original filename of the infected file. This worm's file size is the same as that of the infected file.

    In the wild: Yes


    --------------------------------------------------------------------------------

    Payload 1: (drops the file WQK.EXE and WINK.EXE)

    Trigger condition 1: Upon execution


    --------------------------------------------------------------------------------

    Payload 2: Deletes Files (deletes files associated with antivirus programs)

    Trigger condition 1: Upon execution


    --------------------------------------------------------------------------------

    Payload 3: (overwrites files with certain extensions)

    Trigger condition 1: (on the sixth day of any odd-numbered month)


    --------------------------------------------------------------------------------

    Language: English

    Platform: Windows

    Encrypted: Yes

    Size of virus: 85 KB

    Pattern file needed: 204

    Scan engine needed: 5.200

    Discovered: Jan. 17, 2002

    Detection available: Jan. 17, 2002



    --------------------------------------------------------------------------------

    Details:

    Upon execution, this worm decodes its data in the memory and then copies itself to a WINK*.EXE file, with the hidden attribute, in the Windows System directory. * is a random number of random characters.

    It creates the following registry entry so that it executes upon system startup. * is any random character:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
    CurrentVersion\Run, Wink*, "wink*.exe"

    Similar to WORM_KLEZ.A, this worm also has several threads that accomplish its spreading and payload mechanisms. Its main features are as follows:
    Dropping of PE_ELKERN.B
    On Windows 9x machines, the worm drops a WQK.EXE file (approximately 13 KBytes) in the Windows System folder. On Windows 2K machines, the worm drops a WQK.DLL file (approximately 13 KBytes) in the Windows System folder. These files have the hidden, system and read-only attributes set. The worm then executes or spawns WQK.EXE or WQK.DLL as a separate process.

    Trend Micro antivirus detects WQK.EXE and WQK.DLL as PE_ELKERN.B.

    Network Infection
    This worm can replicate via shared drives/folders with read/write access. To accomplish this, it enumerates all the shared resources of the network. For shared folders with read/write access, it copies itself to files with randomly generated filenames. The dropped files have the following extensions:

    EXE
    PIF
    COM
    BAT
    SCR
    RAR
    Occasionally, the worm copies itself to a random filename with two file extensions. The first extension name can be any of these:

    MP8
    EXE
    SCR
    PIF
    BAT
    TXT
    HTM
    HTML
    WAB
    DOC
    XLS
    CPP
    C
    PAS
    MPQ
    MPEG
    BAK
    MP3
    The second extension can be any of these:

    EXE
    PIF
    COM
    BAT
    SCR
    RAR
    Mail Distribution:
    To propagate copies of itself, it sends an email containing its executable program using its own SMTP engine. It has several ways of collecting its spoofed source email address and target email addresses.

    It gathers email addresses from the entries of the default Windows Address Book (WAB). The path and filename of the WAB are identified in the following registry entry:

    HKEY_CURRENT_USER\Software\Microsoft\
    WAB\WAB4\Wab File Name = "<pathname of WAB file>"

    The worm also gathers a list of addresses from the following files of the infected computer:
    MP8
    EXE
    SCR
    PIF
    BAT
    TXT
    HTM
    HTML
    WAB
    DOC
    XLS
    CPP
    C
    PAS
    MPQ
    MPEG
    BAK
    MP3
    The worm randomly chooses from this pool of email addresses its target user and the email address that it uses in the “From:” field of the email it sends.

    Randomly, it may also choose its “From:” field from this list of addresses in the worm body:

    pw246@columbia.edu
    queen@helix.com.hk
    yaya@wfc.com.tw
    atoz@2911.net
    anti@helix.com.hk
    graph@helix.com.hk
    street@verizon.net
    sani@2911.net
    santurn@verizon.net
    andy@verizon.net
    little@hitel.net
    gigi@helix.com.hk
    bet@helix.com.hk
    lily@88win.com
    sun@verizon.net
    linda@verizon.net
    raise@wfc.com.tw
    rainrainman@hongkong.com
    karala@hongkong.com
    sammychen@wfc.com.tw
    flywind@wfc.com.tw
    suck@wfc.com.tw
    urlove@wfc.com.tw
    utu@88win.com
    cheu@2911.net
    xyz@2911.net
    pet@2911.net
    girl@edirect168.com
    littlecat@hongkong.com
    panshugang@chinese.com
    pipti@21cn.com
    certpass@21cn.com
    powerhero@263.net
    CR7269CH@terra.es
    RUBENSOTOAGUI@terra.es
    ACAMDR@terra.es
    ol-petech@terra.es
    ROSANAMOLTO@terra.es
    MANUEL23@terra.es
    cristian_soto@terra.es
    carlos_nuevo@terra.es
    It then constructs the HTML mail, which contains the worm copy. It randomly generates the filename of the attachment.

    It obtains its SMTP server using the domain name of the email address it used in the “From:” field of the email it sends. For example, if the “From:” field of the email is any_user@somewhere.com, then it uses smtp.somewhere.com to send its spoofed email. It sends out SMTP commands to this SMTP server to create and send an email. It also randomly composes the actual subject and message body of the email it sends. It randomly selects the email subject from this list:

    how are you
    let's be friends
    darling
    don't drink too much
    your password
    honey
    some questions
    please try again
    welcome to my hometown
    the Garden of Eden
    introduction on ADSL
    meeting notice
    questionnaire
    congratulations
    japanese girl VS playboy
    look,my beautiful girl friend
    eager to see you
    spice girls' vocal concert
    japanese lass' sexy pictures
    It sends out SMTP commands to this SMTP server to create and send an email. It also randomly composes the actual subject and message body of the email.

    It does not require the email receiver to open the attachment for it to execute. It uses a known vulnerability in Internet Explorer-based email clients to execute the file attachment automatically. This is also known as Automatic Execution of Embedded MIME type.

    The infected email contains the executable attachment registered as content-type of audio/x-wav or sometimes audio/x-midi. When its email recipients view the infected email, the default application associated with audio files is opened. This is usually the Windows Media Player. The embedded EXE file cannot be viewed in Microsoft Outlook.

    More information about this vulnerability is available at Microsoft’s Security Bulletin.

    Antivirus Disabling
    This worm disables the running processes, and occasionally deletes the executable files of programs associated with the following names of antivirus products:

    _AVP32
    _AVPCC
    NOD32
    NPSSVC
    NRESQ32
    NSCHED32
    NSCHEDNT
    NSPLUGIN
    NAV
    NAVAPSVC
    NAVAPW32
    NAVLU32
    NAVRUNR
    NAVW32
    _AVPM
    ALERTSVC
    AMON
    AVP32
    AVPCC
    AVPM
    N32SCANW
    NAVWNT
    ANTIVIR
    AVPUPD
    AVGCTRL
    AVWIN95
    SCAN32
    VSHWIN32
    F-STOPW
    F-PROT95
    ACKWIN32
    VETTRAY
    VET95
    SWEEP95
    PCCWIN98
    IOMON98
    AVPTC
    AVE32
    AVCONSOL
    FP-WIN
    DVP95
    F-AGNT95
    CLAW95
    NVC95
    SCAN
    VIRUS
    LOCKDOWN2000
    Norton
    Mcafee
    Antivir
    TASKMGR2
    The worm also scans for the above strings and deletes them if found as values in the following registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\
    Windows\CurrentVersion\Run

    Finally, the worm searches for and deletes the following files:
    ANTI-VIR.DAT
    CHKLIST.DAT
    CHKLIST.MS
    IVB.NTZ
    SMARTCHK.MS
    SMARTCHK.CPS
    AVGQT.DAT
    AGUARD.DAT
    Destructive Payload:
    On the system date, 6th of any odd month, this worm searches the fixed and remote drives for files having the following extensions. It then attempts to overwrite these files with garbage codes:

    TXT
    HTM
    HTML
    WAB
    DOC
    XLS
    CPP
    C
    PAS
    MPEG
    MPG
    BAK
    MP3
    JPG
    Stealth Routine
    On Windows 98/95, the worm registers itself as a service process to hide itself from the taskbar. On Windows 2000 systems, it creates a system service and registers it as a service control dispatcher. In this way, the service control manager always calls the worm service upon Windows startup.

    Others
    This worm does not run on machines that run NT 4.0 or its lower versions because of the unavailability of system functions or APIs it uses to kill the antivirus-related processes.

    The worm body contains the following text:

    Win32 Klez V2.0 & Win32 Elkern V1.1, (There nickname is Twin Virus *^__^*
    Copyright, made in Asia, announcement:
    1. I will try my best to protect the user from vicious virus, Funlove,Sircam,Nimda,Codered, and even include W32.Klez.1.X
    2. Well paid jobs are wanted.
    3. Poor life should be unblessed.
    4. Don’t accuse me, please accusse the unfair sh*t world.
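The writeup above lists several concrete indicators: the WINK*.EXE and WQK.EXE/WQK.DLL drop with hidden and system attributes, the Wink* value under the Run key, copies on writable shares with a double extension ending in .exe/.pif/.com/.bat/.scr/.rar, an executable attachment declared as audio/x-wav or audio/x-midi, an SMTP relay of smtp.<domain of the spoofed From:>, and the overwrite payload on the 6th of odd-numbered months. The Python script below is an added example written for this page (not a Wilders, Trend Micro, Panda or ESET tool) that turns those indicators into checks a responder can run over inputs exported from the suspect machine: a raw .eml, a Run-key export as name/data pairs, and a directory listing with attrib letters. The sample message, Run-key entries and file list embedded in it are constructed for the demo; the base64 body is only a DOS "MZ" header stub, not worm code, and the function names are my own.

```python
"""Indicator checks derived from the WORM_KLEZ writeup quoted above.
Added example for this page; every input below is constructed, not captured."""
import email
import ntpath
import re
from datetime import date
from email import policy

# Content types the worm declared so that IE-based mail clients handed the
# attachment to the media player (and, unpatched, executed it) instead of
# showing an executable attachment.
ABUSED_AUDIO_TYPES = {"audio/x-wav", "audio/x-midi"}

# Dropped file names from the writeup: WINK*.EXE plus the WQK.EXE / WQK.DLL companion.
DROPPED_FILE_RE = re.compile(r"^(wink\w*\.exe|wqk\.(exe|dll))$", re.IGNORECASE)
RUN_VALUE_RE = re.compile(r"^wink", re.IGNORECASE)

# Extension lists from the "Network Infection" section (first and second extension).
DOUBLE_EXT_FIRST = {"mp8", "exe", "scr", "pif", "bat", "txt", "htm", "html", "wab",
                    "doc", "xls", "cpp", "c", "pas", "mpq", "mpeg", "bak", "mp3"}
DOUBLE_EXT_LAST = {"exe", "pif", "com", "bat", "scr", "rar"}


def executable_parts_declared_as_audio(raw_message: bytes) -> list:
    """Return (declared_type, filename) for each MIME part that claims to be
    audio but whose decoded body starts with the DOS/PE 'MZ' header."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ABUSED_AUDIO_TYPES:
            continue
        body = part.get_payload(decode=True) or b""
        if body.startswith(b"MZ"):
            hits.append((ctype, part.get_filename()))
    return hits


def relay_the_worm_would_use(from_addr: str) -> str:
    """The writeup says the worm relays through smtp.<domain of the spoofed From:>.
    Port-25 connections from a workstation to such hosts are worth alerting on."""
    return "smtp." + from_addr.rsplit("@", 1)[-1].lower()


def suspicious_run_values(run_values: dict) -> list:
    """run_values maps value name -> data exported from
    HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run. Flags the Wink* autostart."""
    return [name for name, data in run_values.items()
            if RUN_VALUE_RE.match(name) or RUN_VALUE_RE.match(ntpath.basename(data))]


def suspicious_system_files(entries) -> list:
    """entries: (filename, attribute letters as shown by `attrib`, e.g. 'HSR')
    for the Windows System folder. Flags the dropped names when they are hidden."""
    return [name for name, attrs in entries
            if DROPPED_FILE_RE.match(name) and "H" in attrs.upper()]


def looks_like_share_drop(filename: str) -> bool:
    """True for <name>.<ext1>.<ext2> where both extensions come from the lists
    the worm uses when copying itself to writable shares."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-2] in DOUBLE_EXT_FIRST and parts[-1] in DOUBLE_EXT_LAST


def is_destructive_trigger_day(d: date) -> bool:
    """The overwrite payload fires on the 6th of any odd-numbered month."""
    return d.day == 6 and d.month % 2 == 1


# Constructed sample message: a bare 'MZ' header stub (not worm code) sent as audio/x-wav.
SAMPLE_MAIL = b"""From: any_user@somewhere.com
To: victim@example.net
Subject: how are you
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="klezbound"

--klezbound
Content-Type: text/html; charset="us-ascii"

<html><body>see attachment</body></html>
--klezbound
Content-Type: audio/x-wav; name="setup.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--klezbound--
"""

if __name__ == "__main__":
    # Constructed Run-key export and directory listing; winkdp/winkdc are the names from this thread.
    print(executable_parts_declared_as_audio(SAMPLE_MAIL))
    print(relay_the_worm_would_use("any_user@somewhere.com"))
    print(suspicious_run_values({"Wink9a1": "wink9a1.exe",
                                 "ZoneAlarm": r"C:\Program Files\Zone Labs\zonealarm.exe"}))
    print(suspicious_system_files([("winkdp.exe", "HS"), ("winkdc.exe", "HS"),
                                   ("wqk.dll", "HSR"), ("kernel32.dll", "A")]))
    print(looks_like_share_drop("report.doc.scr"), looks_like_share_drop("report.doc"))
    print(is_destructive_trigger_day(date(2003, 1, 6)))
```

The MIME check keys on the declared type plus the first two bytes of the decoded body rather than on the attachment name, because the name is random; the Run-key and file checks accept the output of a `reg export` or `attrib` listing pasted into name/data and name/attribute pairs, so they can be run from a clean machine against data copied off the infected one.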
     
  6. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    rayg,

    Thanks for your reply

    Are you sure? If not, don't hesitate to send us a (zipped) copy.

    Well, the TDS Forum is a dedicated forum for TDS (trial) users - and asking one and the same question on different forums is bound to cause some havoc - but we've got that covered in this case as it is now ;).

    o_O Not at all - what makes you think that?

    No need for apologies in any way!

    I for one would sincerely be sorry if you didn't. You are welcome as ever!

    regards.

    paul
     
  7. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    For your immediate problem, before your system crashes completely:
    Here is a link to the Panda tools. I would clean that thing off fast and then scan with NOD when you can get the PC stable... then I would make sure nothing else is on the PC.
    http://www.pandasoftware.es/library/pqremove_en.htm
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Do I remember correctly that XP has System Restore? So a deleted or disabled nasty comes back after a few reboots unless you temporarily disable it.
    As you posted in the TDS forum too and I googled a bit around, I came here.
    I re-read your posting several times.
    Suppose you mean not the winkdp file but the NOD (or AMON) file was gone, right?

    From googling around, my first impression was of other software in the astronomical environment, using the same file names and a directory winkdp in which it would be installed, and 25.0.0.0 has to do with radar registrations, so it seemed so logical; but this was before seeing other postings about Klez, which seem lots more logical in relation to the deleted NOD files, unfortunately.
    If you're cleaned crash-free you might be interested to put an eye on the software tool descriptions and see what made me think this way in the first instance thanks to Google. http://www.maa.mhn.de/Tools/
    (the file I mean is at the bottom)
    Good luck with cleaning out!
     
  9. rayg

    rayg Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    41
    Jooske,

    Sorry I was not too clear - yes it was NOD32.exe that was deleted as soon as it was run.
     
  10. rayg

    rayg Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    41
    To everyone else

    Thanks for your extremely helpful suggestions and replies.

    Cleaning is scheduled for some time this week. Hopefully successfully. I have a feeling that the virus was not 100% correctly installed. It does not seem to have sent anyone an infected e-mail at this time. I think the system has been like it for some time. There was a very old virus program, but I could find no evidence of cleaning, so it might just have been luck that not too much damage was done. Time will tell.
     
  11. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    hi rayg,

    Best of luck as for cleaning ;). Are you sure about the nastie not being installed and sending out infected emails?

    "Mail Distribution:
    To propagate copies of itself, it sends an email containing its executable program using its own SMTP engine."

    regards.

    paul
     
  12. rayg

    rayg Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    41
    Paul,

    Fairly certain it's not sending e-mail. I know I am in the address list and there are several other people you regularly send/receive e-mail with - none of them (including myself) have received a contaminated e-mail. Now ZAF is installed I think it is stopped in its tracks - it does not seem to be able to get by that by stopping it. Fingers crossed...
     
  13. rayg

    rayg Registered Member

    Joined:
    Oct 24, 2002
    Posts:
    41
    Apologies for taking so long - but I did promise an update on the situation.

    It was indeed the Klez virus, and running one of the cleaners cleaned 253 files; now the system does appear to perform as it should. No unwanted ZAF requests for access, and Task Manager runs as expected, as does NOD32 Beta 2 - the nod32.exe file is *not* deleted after installation.

    So all in all thanks to everyone who identified the correct virus for me - a successful result.
     
  14. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    rayg,

    Glad to hear the problem's solved ;).

    regards.

    paul
     