I think I'm infected

Discussion in 'malware problems & news' started by Andrew B., Jul 17, 2003.

Thread Status:
Not open for further replies.
  1. Andrew B.

    Andrew B. Registered Member

    Joined:
    Jul 17, 2003
    Posts:
    34
    I found a file in my usenet download folder called busty_stripper.scr. Because the extension looked harmless I clicked on it, thinking I would get an idea what it is. I don't remember if I saw anything, but the next thing I knew ZoneAlarm was asking permission for it to call out. I denied this and deleted the file. Then WinPatrol told me it had inserted itself into a startup area, but WinPatrol did not seem to be able to remove it. So I searched and found it in c:\winnt\system32. I thought I had removed it and tried to get at my startup with regedit, but it closed as soon as it launched.

    Anyway, I can give more details, but I am afraid my message is getting too long. As it stands now, some of my startup programs don't seem to be starting. That file is back in the c:\winnt\system32 folder. A search of the internet on "scr" said that badtrans can use that extension. I'm running AVG, but it is not sounding an alarm.

    I could use some advice about what to do. I also have the file in a zip if anyone would like to test it.
     
  2. Bdiamond

    Bdiamond Registered Member

    Joined:
    Apr 26, 2002
    Posts:
    74
    Location:
    N Carolina, USA
    Andrew,

    Unfortunately, I think .scr is involved in a lot of worms and probably other kinds of nasties. I can't help you, but a number of the experts here are located in Europe/Australia and should be online fairly soon.

    Since, at the moment, you still have e-mail, I would just check back shortly and see if they can't start helping you unravel this. There are many experts here, but those with special interests in this problem are often in the TDS formums dealing with anti-trojan, anti-worm software.

    Good luck,
    Best wishes

    Bdiamond
     
  3. Andrew B.

    Andrew B. Registered Member

    Joined:
    Jul 17, 2003
    Posts:
    34
    >Unfortunately, I think .scr is involved in a lot of worm

    I'm finding that out. I used to be active here (username: Andrew) some time ago, and I guess I should have stayed active.

    If it helps someone solve this, here is what else I discovered. I searched, and I do not have gone.scr (goner) or Kernel32.exe or kdll.dll (badtrans). And I read nothing about these being stealthed. But here's something else that happened:

    After deleting the scr file from the system folder again, it did not come back on reboot. But I had also removed it from RUN using a startup manager called Starter, so maybe that helped. After I rebooted, avgcc32.exe was able to start by itself. This is the control center for AVG anti-virus, and it was not running at startup as it is supposed to. But there are other things that are sitting in the RUN spot that used to put icons in my tray but no longer do that, unless I run them manually. Like ICQ's ndetect.exe and SoundMAX's smtray.exe.
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    TDS formums? Is there also a TDS fordads version? DCS is known to be very women friendly, btw.
    Sorry, I just love this typo; I'm not making fun of you.

    Anyway, I found in one newsgroup a description of the nasty and its removal:
    here
     
  5. Bdiamond

    Bdiamond Registered Member

    Joined:
    Apr 26, 2002
    Posts:
    74
    Location:
    N Carolina, USA
    Well, Andrew, I should have mentioned some of the TDS people really know how to hurt a guy!

    As usual, it looks like Jooske may have come up with a "lifesaver" solution. I don't know that much about these kinds of problems, but I know for sure I would never have thought to delete the file from DOS.

    Can you imagine finding this out after reformatting and reinstalling your system?

    And Jooske, really nice to see you again! Look forward to seeing you in the TDS foruncle.

    Good luck Andrew!

    Bdiamond
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Oops! It was not meant to hurt:
    some people are somehow noticeable by their writing style, spelling or typos. I make a lot; some I see in time to correct.
    Recently we discussed in the "General" in the DCS forums women and security, where I argued that in the age groups over 45 the percentage of women on the internet is higher per age group than that of men. Also in our "Female operators" thread this was a subject.
    So, seeing the "TDS formums" opened my heart, as I know very well it was "forums" of course, and normally I would never have mentioned it, but this one was so very sweet and adequate, as indeed TDS is for women too, not only reserved for highly educated security power users. In fact lots of women from every background have joined the registered operators team and know how to use the stuff.
    So an extra stimulus for DCS to add new tools for us and educate us more in using them.
    If you felt hurt, I apologize, as of course that was never the intention.
    The only thing TDS users like to hurt are nasties; we fight them, snipe them inside out and put them through the shredders to be recycled into nice clean electrons for our system. If possible supplemented with freshly squeezed orange juice without artificial preservatives.
    But we are very user friendly, most of us, most of the time, I guess....

    TDS forwholefamily (make sure they all have their own registered copy); why do you think most of the nasty-writers themselves use TDS to protect themselves from their own kind? TDS from downunder foralloverthere.
    Just TDS, you know why :D

    Hope the nasty was deleted from the system in the meantime without any other damage!
     
  7. Bdiamond

    Bdiamond Registered Member

    Joined:
    Apr 26, 2002
    Posts:
    74
    Location:
    N Carolina, USA
    Jooske,

    I understood completely the context of your note and that you were just having some fun. No offense was taken at all! I was just trying to do the same thing. I enjoyed your comment and understood it fully. So please do not think I misunderstood or was hurt in any way.

    Sincerely,

    Bdiamond
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I know, you just offered an extra opportunity for more fun and some promotional talk :D and a reminder to have the whole family well protected, remote controlled if necessary, with your own secure chatline, whatever.

    I'm just happy the nasty it was all about is located and hopefully completely recycled BEFORE reformatting and reinstalling the system was even considered, without talking to us over here first to prevent all that trouble!
    Imagine how we could deal with real nasties, like the private forum unveils somewhat in the scripting area among others :D

    Dealing with nasties from DOS or in safe mode, to make sure the nasty can't be running, is done more often.
    And make sure it is really completely gone from System Restore too, so disable restore - reboot - enable restore and manually make a new restore point from the clean position.
     
  9. Andrew B.

    Andrew B. Registered Member

    Joined:
    Jul 17, 2003
    Posts:
    34
    Hi Jooske. Thanks for the link. I didn't think to search usenet.

    I already removed the file using the method I mentioned in my second message. And it hasn't come back after several reboots.

    But there are still programs that usually put icons in the tray at startup and they are no longer doing this. And they are sitting where they should be in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

    So I am wondering if it is possible that something got hijacked.
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi AndrewB.,

    If it makes you feel better, I can have a look. Could you post your HijackThis log?
    Download, unzip and run HijackThis, then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.
    Don't fix anything yet. Most of what it finds is harmless.

    Regards,

    Pieter
     
  11. Andrew B.

    Andrew B. Registered Member

    Joined:
    Jul 17, 2003
    Posts:
    34
    Hi Pieter. Thanks for your very generous offer. I think I might have used the word hijack wrong; I was thinking of something that takes over a file name for its own use. But here is a copy of the log. I don't recognize either of those IP addresses. If they have something to do with my computer, I'm not aware of it.

    Also, if anyone wants to test the file I have it in a zip and can send it. I can find mention of it in usenet, but nobody seems to have identified what this is.

    Logfile of HijackThis v1.95.1
    Scan saved at 9:55:05 AM, on 7/19/2003
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    d:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\mgabg.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    d:\Program Files\Photodex\CompuPicPro\ScsiAccess.exe
    C:\WINNT\System32\Tablet.exe
    C:\WINNT\system32\ZONELABS\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    D:\Program Files\Grisoft\AVG6\avgcc32.exe
    D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    D:\Program Files\3M\PSN2Lite\Psn2Lite.exe
    D:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\WINNT\system32\ntvdm.exe
    C:\WINNT\system32\ntvdm.exe
    D:\PROGRA~1\BILLPS~1\WINPAT~1\WINPAT~1.EXE
    C:\Documents and Settings\me\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 208.197.77.40
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System32\blank.htm
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Shortcut to WP Office 3.1 Calendar.pif = D:\pro_dos\Office31\CL.EXE
    O4 - Global Startup: Post-it® Software Notes Lite.lnk = D:\Program Files\3M\PSN2Lite\Psn2Lite.exe
    O4 - Global Startup: ZoneAlarm.lnk = D:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: ICQ (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: WebWorks Help 2.0 - file://D:\Program Files\Painter 7 Trial Version\Help\wwhelp2.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37531.7787384259
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4E99DAAF-6211-4299-ACC2-FE483260C468}: NameServer = 206.13.29.12,206.13.30.12
     
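The two entries Pieter looks up next are the R1 proxy and the O17 name servers, which are exactly the lines worth pulling out of a HijackThis log mechanically. The script below is an added example, not part of the thread or of HijackThis: it parses entry lines of the form `Rn - ...`/`On - ...`, flags an IE proxy or DNS server that points at a public address, and flags Run-key (`O4 - HKLM\..\Run:`) entries whose command is a bare file name or uses a deceptive executable extension such as .scr. The sample log is a constructed excerpt of the log posted above plus one hypothetical O4 Run-key line (`[Microsoft Update] busty_stripper.scr`) that does not appear in the posted log; the rule set and thresholds are the editor's own.

```python
import ipaddress
import re
from pathlib import PureWindowsPath

# Constructed excerpt: the R1, R0, O4 and O17 lines from the HijackThis 1.95 log above, plus one
# hypothetical O4 Run-key line of the kind this worm leaves behind (NOT in the posted log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.95.1
Running processes:
C:\WINNT\System32\smss.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 208.197.77.40
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System32\blank.htm
O4 - Global Startup: ZoneAlarm.lnk = D:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O4 - HKLM\..\Run: [Microsoft Update] busty_stripper.scr
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E99DAAF-6211-4299-ACC2-FE483260C468}: NameServer = 206.13.29.12,206.13.30.12
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RUNKEY_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

# Extensions Explorer executes on double-click even though they do not look like programs.
SUSPECT_EXT = {".scr", ".pif", ".com", ".bat", ".cmd"}


def parse_hjt(text):
    """Return (code, body) for every HijackThis entry line, skipping the header and process list."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def public_ipv4s(text):
    """IPv4 addresses in text that are internet-routable (RFC 1918, loopback etc. excluded)."""
    found = []
    for raw in IPV4_RE.findall(text):
        try:
            ip = ipaddress.IPv4Address(raw)
        except ValueError:
            continue
        if ip.is_global:
            found.append(str(ip))
    return found


def command_image(cmd):
    """The program part of a Run-key value: the quoted path if quoted, else the whole value."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    return cmd


def triage(entries):
    """Apply a few triage rules and return (code, reason) findings in log order."""
    findings = []
    for code, body in entries:
        if code == "R1" and "ProxyServer" in body:
            for ip in public_ipv4s(body):
                findings.append((code, f"IE proxy set to public host {ip}; confirm you configured it"))
        elif code == "O17":
            ips = public_ipv4s(body)
            if ips:
                findings.append((code, "DNS servers " + ", ".join(ips) + "; compare with your ISP's resolvers"))
        elif code == "O4":
            m = RUNKEY_RE.match(body)
            if not m:
                continue  # Global Startup .lnk entries are listed for review, not auto-flagged
            image = PureWindowsPath(command_image(m.group("cmd")))
            reasons = []
            if image.suffix.lower() in SUSPECT_EXT:
                reasons.append(f"{image.suffix} is an executable extension in disguise")
            if image.parent == PureWindowsPath("."):
                reasons.append("bare file name, so it is resolved from the system directories")
            if reasons:
                findings.append((code, f"[{m.group('name')}] {image}: " + "; ".join(reasons)))
    return findings


def triage_sample():
    return triage(parse_hjt(SAMPLE_LOG))


if __name__ == "__main__":
    for code, reason in triage_sample():
        print(code, reason)
```

A public proxy or resolver is not proof of compromise on its own (the O17 servers here turn out to belong to the ISP, as the next post shows); the point of the rules is to shortlist what to look up, which is what Pieter does by hand below.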
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Proxyserver:
    Colfax International UU-208-197-77 (NET-208-197-77-0-1) 208.197.77.0 - 208.197.77.255

    Nameservers:
    Pac Bell Internet Services PBI-NET (NET-206-13-0-0-1)
    206.13.0.0 - 206.13.127.255
    FE Net - lsan03 (servers) SBCIS-051203164003 (NET-206-13-29-0-1)
    206.13.29.0 - 206.13.29.255

    Could you send the file to the e-mail address in my profile?
    I'll see what I can make of it.

    Regards,

    Pieter
     
  13. Andrew B.

    Andrew B. Registered Member

    Joined:
    Jul 17, 2003
    Posts:
    34
  14. Andrew B.

    Andrew B. Registered Member

    Joined:
    Jul 17, 2003
    Posts:
    34
    This is getting weird. I have tested the scr file that started it all, and some of the exe files it created under my system folder. And they come up clean.

    I tested with AVG 6.0 (latest signature update) which is already installed on my computer. Then I downloaded Trojan Hunter Trial version and manually installed the latest signature. Then tried NOD32 version 1.435 (20030611) NT. And with each test I deactivated the other scanners and pointed it right at the file.

    Could this be some sort of new variant? Or do these worms ever play a joke and deactivate their own files?

    BTW, after searching the internet for the files found on my computer, I found that spybot.gen is not the only worm that uses these as bait. So it could be something else. Here are the files I got, and they are all the exact same size as the scr file.

    AquaNox2 Crack.exe
    AVP_Crack.exe
    Battlefield1942_bloodpatch.exe
    C&C Generals_crack.exe
    FIFA2003 crack.exe
    NBA2003_crack.exe
    Porn.exe
    Unreal2_bloodpatch.exe
    UT2003_bloodpatch.exe
    zoneallarm_pro_crack.exe
     
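Andrew notices that every bait file has exactly the size of the original .scr, which is what you would expect if the worm simply copies itself under tempting names into a shared folder. Size alone is weak evidence, though; hashing settles it. The script below is an added example, not code from the thread: it writes a set of constructed files (harmless placeholder bytes standing in for the worm, never real malware) under the names from the post, adds one unrelated file of identical size, and groups them first by size and then by SHA-256. The size grouping lumps all twelve together; the hash grouping separates the eleven byte-identical copies from the look-alike.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Constructed stand-in for the worm body. Harmless placeholder bytes; nothing here executes.
FAKE_WORM = b"MZ" + b"\0" * 62 + b"stand-in for the ASPack-packed busty_stripper.scr" + b"\x90" * 1024
BAIT_NAMES = [
    "AquaNox2 Crack.exe", "AVP_Crack.exe", "Battlefield1942_bloodpatch.exe",
    "C&C Generals_crack.exe", "FIFA2003 crack.exe", "NBA2003_crack.exe",
    "Porn.exe", "Unreal2_bloodpatch.exe", "UT2003_bloodpatch.exe",
    "zoneallarm_pro_crack.exe",
]


def write_samples(root):
    """Drop the .scr, its ten bait copies, and one unrelated file of exactly the same size."""
    paths = []
    for name in ["busty_stripper.scr"] + BAIT_NAMES:
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(FAKE_WORM)
        paths.append(path)
    decoy = os.path.join(root, "unrelated_same_size.exe")
    with open(decoy, "wb") as fh:
        fh.write(b"MZ" + os.urandom(len(FAKE_WORM) - 2))  # same size, different content
    paths.append(decoy)
    return paths


def sha256_of(path):
    """Streamed SHA-256 so large samples are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def group_by(paths, key):
    """Map key(path) -> list of base names sharing that key."""
    groups = defaultdict(list)
    for path in paths:
        groups[key(path)].append(os.path.basename(path))
    return dict(groups)


def compare_dropped_files():
    """Return (groups by size, groups by SHA-256) for the constructed sample set."""
    with tempfile.TemporaryDirectory() as root:
        paths = write_samples(root)
        by_size = group_by(paths, os.path.getsize)
        by_hash = group_by(paths, sha256_of)
    return by_size, by_hash


if __name__ == "__main__":
    by_size, by_hash = compare_dropped_files()
    print("files per size:", {size: len(names) for size, names in by_size.items()})
    for digest, names in by_hash.items():
        print(digest[:16], len(names), "copies:", ", ".join(sorted(names)))
```

On a real system you would run the hash over the quarantined files, keep the digest as the indicator to search other machines for, and submit one copy rather than eleven to the vendor, which is what happens later in this thread.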
  15. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hello Andrew,

    Looks like your first hunch was right.

    This is what NAV had to say when your mail came in:

    Source: busty_stripper.scr
    Description: the attachment busty_stripper.scr in busty_stripper.zip
    is infected with virus W32.Spybot.Worm.

    Report from Dr.Web (online scan)
    G:\Manege (KIJK UIT)\busty_stripper.scr packed by ASPACK
    G:\Manege (KIJK UIT)\busty_stripper.scr infected with Win32.HLLW.SpyBot

    Report from KAV (online scan)
    Current object: busty_stripper.scr
    busty_stripper.scr Packed: ASPack
    busty_stripper.scr Infected: Worm.P2P.SpyBot.gen

    Regards,

    Pieter
     
  16. Andrew B.

    Andrew B. Registered Member

    Joined:
    Jul 17, 2003
    Posts:
    34
    Thank you very much for your help, Pieter. With your confirmation about what this is, I can better evaluate whether it is gone. And it looks like I need to buy different AV software.

    Best Regards,

    Andrew
     
  17. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    You're welcome. :)

    The virus not being recognized in a scan could be explained by the packing, but not catching it when you started it would make me agree.

    Regards,

    Pieter
     
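Pieter's point about the packing is the key to why three scanners came up clean: both online scans above report the sample as ASPack-packed, and a signature written against the unpacked worm does not match the compressed bytes on disk. The script below is an added example written for this page, not code from any of the scanners mentioned. It shows two cheap triage checks a responder can run on a suspicious file without executing it: reading the PE section table for packer-specific section names (ASPack typically leaves sections named .aspack and .adata; the name list here is the editor's own and far from complete) and measuring the Shannon entropy of each section, since compressed or encrypted code sits near 8 bits per byte while ordinary x86 code does not. The PE images it examines are constructed in the script itself, with deterministic pseudo-random bytes standing in for packed code; they are not runnable programs and no real sample is involved.

```python
import math
import random
import struct
from collections import Counter

# Section names typical of common runtime packers (editor's list; heuristic, not exhaustive).
PACKER_SECTIONS = {".aspack", ".adata", "UPX0", "UPX1", ".upx", ".petite", ".nsp0", ".nsp1"}


def shannon_entropy(data):
    """Bits per byte in 0..8. Compressed/encrypted data approaches 8; plain code is usually well below 7."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def pe_sections(data):
    """Parse a PE image and return [(name, raw_offset, raw_size)] per section header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4  # COFF file header follows the signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size  # section table starts after the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        sections.append((name, raw_ptr, raw_size))
    return sections


def packer_indicators(data):
    """Return human-readable reasons to suspect a runtime packer (empty list if none)."""
    reasons = []
    for name, ptr, size in pe_sections(data):
        if name in PACKER_SECTIONS:
            reasons.append(f"section name {name!r} is a known packer section")
        ent = shannon_entropy(data[ptr:ptr + size])
        if size >= 256 and ent > 7.0:
            reasons.append(f"section {name!r} has entropy {ent:.2f} bits/byte (compressed or encrypted)")
    return reasons


def build_sample_pe(sections):
    """Construct a minimal, non-runnable PE32 image from [(name, payload)]: DOS stub, PE signature,
    COFF header, zeroed optional header and a section table. Enough for the parser, nothing more."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0  # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    headers, bodies = b"", b""
    for name, payload in sections:
        headers += name.encode("ascii").ljust(8, b"\0")
        headers += struct.pack("<IIII", len(payload), 0x1000, len(payload), raw_ptr)
        headers += b"\0" * 16  # relocation/line-number fields and characteristics, unused here
        raw_ptr += len(payload)
        bodies += payload
    return dos + b"PE\0\0" + coff + optional + headers + bodies


def demo_samples():
    """A constructed 'packed' image and a constructed 'plain' image for comparison."""
    rng = random.Random(1)  # deterministic stand-in for compressed code
    packed = build_sample_pe([
        (".aspack", bytes(rng.randrange(256) for _ in range(2048))),
        (".adata", b"\0" * 512),
    ])
    plain = build_sample_pe([
        (".text", b"\x55\x8b\xec\x83\xec\x10\x33\xc0\xc9\xc3" * 200),  # repetitive x86 prologue bytes
        (".data", b"Hello, world\0" * 40),
    ])
    return packed, plain


if __name__ == "__main__":
    for label, image in zip(("packed", "plain"), demo_samples()):
        print(label, packer_indicators(image) or ["no packer indicators"])
```

Neither check identifies the malware; they only tell you that a static signature scan of the file on disk is not a meaningful negative, which is the situation Andrew hit. The file is still the worm, and the place to detect it is after it unpacks in memory (an on-access scanner) or by submitting the sample, as happens next in the thread.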
  18. Andrew B.

    Andrew B. Registered Member

    Joined:
    Jul 17, 2003
    Posts:
    34
    And now you just reminded me of something else. When I scanned with NOD32 and Trojan Hunter they didn't sound an alarm. But that doesn't mean they would not sound the alarm as the file unpacks.

    Of course, I don't think I want to test this by clicking on the scr file again. I've had enough of that pest.
     
  19. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Andrew,

    I did send your file to Eset, so it should be picked up in the scans shortly. ;)
    Oh, and please don't doubleclick it. It is a nasty one.
    Disables Taskmanager, regedit, msconfig and probably lots more.

    *Pieter wipes his brow being happy he has a second OS installed :D

    Regards,

    Pieter
     
  20. Andrew B.

    Andrew B. Registered Member

    Joined:
    Jul 17, 2003
    Posts:
    34
    After they check it, could you let us know what Eset says about NOD32 and this file?
     
  21. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Detection added.
     

  22. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Sounds like a very good job, congratulations.
    Which category is it, trojan, worm, virus, mix of them?
     
  23. Andrew B.

    Andrew B. Registered Member

    Joined:
    Jul 17, 2003
    Posts:
    34
    From what I've read about the behavior, I'd say it's a worm/trojan.
     
  24. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    CHARACTERISTICS

    Win32.Spybot is an open source IRC bot. Due to the open and modular manner in which the source for this bot is distributed, there are many slightly different variants of this bot in the wild. Most will allow a victim's machine to be controlled in some manner by a remote user via IRC (Internet Relay Chat), while others may have the ability to spread via P2P networks.

    Apart from having standard backdoor functionality, such as the ability to:
    Gather configuration information about the local machine, including connection type, cpu speed and general information regarding the local drives.
    Install or delete files on the local machine.
    Perform other miscellaneous commands on the local machine.

    Win32.Spybot may also be able to (depending on the variant):
    Spread via: KaZaA P2P networks, or by using backdoor programs, Kuang or Sub Seven
    Download files via the Internet
    Keylog (i.e. log keystrokes on the affected machine)
    Kill firewall or antivirus software processes to avoid detection
    Act as an HTTP server

    Spybot installs itself via the registry by default by modifying the following keys:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    These 'Bots' are a popular tool for conducting a Distributed Denial of Service against a target, although they can also be used for a number of other illegitimate purposes, such as port scanning, spamming or flooding unsuspecting targets.

    Source: http://www3.ca.com/virusinfo/virus.aspx?ID=35771
     
  25. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    There are quite a few variants in the TDS primaries list indeed, so Gavin might give each sample about a new number if we keep sending our collections to him too from our emails :)
    Glad this one is solved and another system saved on the internet community!
    Good work and good info!
     