jewed.exe

Has anyone come across this new bug?

It's called jewed.exe

It runs from root:\windows\system32\

It only came to light on a fresh install of XP Pro, after SP2 installed. That's when MS firewall detected and blocked it. I then installed Zonealarm after MS Firewall disabled. Zone then detected and asked what to do (ie. allow or block), I blocked access. Then as experiment, (as I could do a fresh install if any problems), I allowed access. About ten minutes later Zone detected my ISP doing a scanner abuse detection.

I killed process "jewed.exe", (running under SYSTEM), and renamed file to jewed.bak.

When you double click it (jewed.exe), it starts and tries to access internet. It also appears to be able to start on boot-up. I'm checking registry at present. I also checked thru Google etc before requesting here with the same results as yourself. Only some reference to some (possible) anti-semetic slang word, as in "being JEWED".

It's an odd one, it definately does not exist on another install on another PC in XP SP2. So it has come in on the clean install somewhere, with no other software installed.

Like I say it's odd, hope I can get to bottom of it.

Heres some of the registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603

Value = 005 REG_Z jewed
value = 006 REG_Z jewed.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Win32 Configuration REG_Z jewed.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Win32 Configuration REG_Z jewed.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache

G:\WINDOWS\system32\jewed.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Win32 Configuration jewed.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Win32 Configuration jewed.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

Win32 Configuration jewed.exe

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\List

G:\WINDOWS\system32\jewed.exe G:\WINDOWS\system32\jewed.exe:*:Enabled:jewed

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\List

G:\WINDOWS\system32\jewed.exe G:\WINDOWS\system32\jewed.exe:*:Enabled:jewed

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\List

G:\WINDOWS\system32\jewed.exe G:\WINDOWS\system32\jewed.exe:*:Enabled:jewed

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

Win32 Configuration jewed.exe

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce

Win32 Configuration jewed.exe

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache

G:\WINDOWS\system32\jewed.exe jewed


and on and on........


Is it a new pest

Any advice appreciated



Rick

 

Hi Rick, and Welcome to the Forums,

I'm a little short on computer time (time on a computer that is) and can't say I've heard of this one, but have a look at
these two pages. On the first one run it down near the bottom and you'll find "System Information (Msinfo32)",
use this as a starting point. The other you'll probably have to juggle some file names, the list is huge.

http://www.kellys-korner-xp.com/xp_abc.htm

http://www.sysinfo.org/startuplist.php

I hope this helps till someone more familiar can intervene...
GF

 

Hey Rick, welcome to the forums from me.

Great first post hey?

OK... the second link from GF of sysinfo has no information on jewed.exe I just checked [I also use that as a reference, may want to bookmark it]

Now... You still have the file?
rename it back to the .exe then upload to here:

JOTTI'S ONLINE MALWARE SCAN

It uses several scanners at once, all recognised top names.
Although this "may" be a new baddie.

Also, would you like to submit it to the DCS boys for analysis.

ZIP and send to: submit(at)diamondcs.com.au [ @ ] with a reference link to this thread.

Cheers, and once again, welcome.
TAS

 

Rick... bit more for you to play with seeing as you seem familiar with your system and already have it blocked from accessing.

Download Trojan Defense Suite 3.2 [TDS3] from HERE

Then go to HERE to get the latest radius.td3 [database] file. Follow the instructions on that page.

Install TDS, don't run, navigate to the main TDS folder, put the new downloaded radius.td3 file in [say YES to overwrite], then start TDS.

You can do one/or both of two things. Navigate to the file, right click and scan with TDS. [or the folder itself].

Have the GUI open to see if anything found.

To do full system scan, make sure you have my highlighted option [in pic] checked and Save Configuration.

Then on top of GUI, under System Testing.. select Full System Scan and go and have a cup of coffe.

Cheers, TAS

Note: You can use TDS as a fully functional program, you just won't have the Real Time Monitoring option [Exec. Protect] enabled on unregistered version, and you cannot update the database through the program and will have to do it manually as described above.
Also you will see in the interface command lines something like: Warning radius file not up to date, etc. This is to let you know it's not a fully auto update registered optioned version. Try it.

 

Thanks Tas,

That's a notable reply, got some education myself I did...

Rick, here's the "Original" bookmark. Hope you don't mind Tas, only stole a bit o'fire ,
I still refer to that great post of your's...

GF
*Beat me in on that!

 

In the same configuration, under Generic TAB. Check the slider is set to HIGH.

TAS

 

LOL.. no probs GF...

Cheers, TAS

 

Thanks for the great response.. Sorry for not replying sooner, I've been away for the weekend, I'm getting onto all your advice now and report back as soon as possible.. Thanks guys

Rick

 

virusscan.jotti.dhs.org returned :

This, TrojanSpy.Win32.Harverster.11

F-Secure Anti-Virus Backdoor.Win32.Wootbot.gen (5.80 seconds taken)

Hope this helps

Rick

 

hmmm...Rick.. I don't recall seeing that first name anywhere... and I did a VB Vgrep search [ HERE
and nothing found...

Can you get a copy of the file, zip and send to:

submit[at]diamondcs.com.au [at] replaced by @

Give them some details, not the lot, and make sure you put a link in the email to this thread... thanks.

TAS

 

Hi,

I've received a reply re "jewed.exe".

Here's the text:

Thanks for the file, it is a new variant of "Wootbot"
These are bots which use many exploits to try to infect a system, so ensure you have a firewall up before getting online at all, and anything which is installed could be vulnerable - so install the latest patches for everything. Firewall rules are of course very important, perhaps something is being allowed which shouldnt.. NETBIOS ?


Thanks for all your help here!!!