jewed.exe

Discussion in 'malware problems & news' started by rickdebrux, Sep 9, 2004.

Thread Status:
Not open for further replies.
  1. rickdebrux

    rickdebrux Registered Member

    Joined:
    Sep 9, 2004
    Posts:
    4
    Has anyone come across this new bug?

    It's called jewed.exe

    It runs from root:\windows\system32\

    It only came to light on a fresh install of XP Pro, after SP2 installed. That's when MS firewall detected and blocked it. I then installed Zonealarm after MS Firewall disabled. Zone then detected and asked what to do (ie. allow or block), I blocked access. Then as experiment, (as I could do a fresh install if any problems), I allowed access. About ten minutes later Zone detected my ISP doing a scanner abuse detection.

    I killed process "jewed.exe", (running under SYSTEM), and renamed file to jewed.bak.

    When you double click it (jewed.exe), it starts and tries to access the internet. It also appears to be able to start on boot-up. I'm checking the registry at present. I also checked through Google etc. before requesting here with the same results as yourself. Only some reference to some (possible) anti-Semitic slang word, as in "being JEWED".

    It's an odd one, it definitely does not exist on another install on another PC in XP SP2. So it has come in on the clean install somewhere, with no other software installed.

    Like I say it's odd, hope I can get to bottom of it.

    Here's some of the registry entries:
    HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603

    Value = 005 REG_Z jewed
    value = 006 REG_Z jewed.exe

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    Win32 Configuration REG_Z jewed.exe

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

    Win32 Configuration REG_Z jewed.exe

    HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache

    G:\WINDOWS\system32\jewed.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    Win32 Configuration jewed.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

    Win32 Configuration jewed.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

    Win32 Configuration jewed.exe

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

    G:\WINDOWS\system32\jewed.exe G:\WINDOWS\system32\jewed.exe:*:Enabled:jewed

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

    G:\WINDOWS\system32\jewed.exe G:\WINDOWS\system32\jewed.exe:*:Enabled:jewed

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

    G:\WINDOWS\system32\jewed.exe G:\WINDOWS\system32\jewed.exe:*:Enabled:jewed

    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

    Win32 Configuration jewed.exe

    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce

    Win32 Configuration jewed.exe

    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache

    G:\WINDOWS\system32\jewed.exe jewed


    and on and on........


    Is it a new pest o_O

    Any advice appreciated

    o_O

    Rick
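The registry listing above is a textbook XP persistence footprint: the same "Win32 Configuration" value planted in every Run, RunOnce and RunServices key the bot could reach, plus a self-added exception in the SP2 Windows Firewall AuthorizedApplications list (format `path:scope:mode:name`). The script below is an added example, not something posted in this thread or shipped by any of the tools mentioned in it. It triages a `.reg` export (a constructed sample modelled on Rick's keys, with one benign entry per key so the filtering is visible) and reports autostart values and firewall exceptions that reference a suspect binary. The key suffixes and the firewall value format are standard XP locations; everything else (function names, sample data) is the example's own.

```python
"""Triage a Windows .reg export for autostart and firewall-exception entries
that reference a suspect binary (here the thread's jewed.exe).
Added example; SAMPLE_REG is constructed, not a capture from Rick's machine."""
import re
from collections import OrderedDict

# Key suffixes (matched case-insensitively under HKCU, HKLM or HKU\.DEFAULT)
# that Windows XP consults for programs to launch at logon/boot.
AUTOSTART_SUFFIXES = (
    r"\Software\Microsoft\Windows\CurrentVersion\Run",
    r"\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
# XP SP2 Windows Firewall per-program exception list.
FIREWALL_LIST_SUFFIX = (r"\Services\SharedAccess\Parameters\FirewallPolicy"
                        r"\StandardProfile\AuthorizedApplications\List")

# Constructed sample export modelled on the keys posted above, with one
# benign entry per key (ctfmon.exe, sessmgr.exe) so the filtering shows.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Win32 Configuration"="jewed.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Win32 Configuration"="jewed.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"G:\\WINDOWS\\system32\\jewed.exe"="G:\\WINDOWS\\system32\\jewed.exe:*:Enabled:jewed"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
'''


def _unescape(s):
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}}; REG_SZ data is unescaped,
    other types (dword:, hex:) are kept as the raw right-hand side."""
    keys = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, OrderedDict())
            continue
        if current is None:
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if not m:
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else "(Default)"
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def parse_firewall_entry(data):
    """Split an XP SP2 AuthorizedApplications value 'path:scope:mode:name'.
    The path contains a drive-letter colon, so split from the right."""
    path, scope, mode, name = data.rsplit(":", 3)
    return {"path": path, "scope": scope,
            "enabled": mode.lower() == "enabled", "name": name}


def _ends_with_ci(key, suffix):
    return key.lower().endswith(suffix.lower())


def find_autostart_entries(keys, binary):
    """Autostart values whose data mentions `binary` (case-insensitive).
    A bare file name with no directory, as in Rick's listing, is itself a
    red flag: it is resolved through the search path at logon."""
    hits = []
    for key, values in keys.items():
        if any(_ends_with_ci(key, s) for s in AUTOSTART_SUFFIXES):
            for name, data in values.items():
                if binary.lower() in data.lower():
                    hits.append((key, name, data))
    return hits


def find_firewall_authorizations(keys, binary):
    """Firewall exceptions whose program path ends in `binary`."""
    hits = []
    for key, values in keys.items():
        if _ends_with_ci(key, FIREWALL_LIST_SUFFIX):
            for data in values.values():
                entry = parse_firewall_entry(data)
                if entry["path"].lower().endswith(binary.lower()):
                    hits.append((key, entry))
    return hits


def triage(text, binary):
    keys = parse_reg_export(text)
    return {"autostart": find_autostart_entries(keys, binary),
            "firewall": find_firewall_authorizations(keys, binary)}


if __name__ == "__main__":
    result = triage(SAMPLE_REG, "jewed.exe")
    for key, name, data in result["autostart"]:
        print(f"AUTOSTART  {key}\\{name} = {data}")
    for key, entry in result["firewall"]:
        state = "enabled" if entry["enabled"] else "disabled"
        print(f"FW-EXCEPT  {entry['path']} ({state}, scope {entry['scope']}, name {entry['name']})")
```

Run it against a real export (`regedit /e` on XP) by replacing `SAMPLE_REG` with the file's contents; the firewall hit is the one to look at first, since an exception the user never created is how a bot of this kind keeps its inbound channel open after the user thinks they have blocked it.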
     
  2. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Hi Rick, and Welcome to the Forums,

    I'm a little short on computer time (time on a computer that is) and can't say I've heard of this one, but have a look at
    these two pages. On the first one run it down near the bottom and you'll find "System Information (Msinfo32)",
    use this as a starting point. The other you'll probably have to juggle some file names, the list is huge.

    http://www.kellys-korner-xp.com/xp_abc.htm

    http://www.sysinfo.org/startuplist.php

    I hope this helps till someone more familiar can intervene...
    GF
     
  3. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hey Rick, welcome to the forums from me. :)

    Great first post hey? ;)

    OK... the second link from GF :) of sysinfo has no information on jewed.exe I just checked [I also use that as a reference, may want to bookmark it]

    Now... You still have the file?
    rename it back to the .exe then upload to here:

    JOTTI'S ONLINE MALWARE SCAN

    It uses several scanners at once, all recognised top names. ;)
    Although this "may" be a new baddie. :)

    Also, would you like to submit it to the DCS boys for analysis?

    ZIP and send to: submit(at)diamondcs.com.au [ @ ] with a reference link to this thread.

    Cheers, and once again, welcome. :)
    TAS
     
  4. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Rick... bit more for you to play with seeing as you seem familiar with your system and already have it blocked from accessing.

    Download Trojan Defense Suite 3.2 [TDS3] from HERE

    Then go to HERE to get the latest radius.td3 [database] file. Follow the instructions on that page. ;)

    Install TDS, don't run, navigate to the main TDS folder, put the new downloaded radius.td3 file in [say YES to overwrite], then start TDS.

    You can do one/or both :) of two things. Navigate to the file, right click and scan with TDS. [or the folder itself].

    Have the GUI open to see if anything found.

    To do full system scan, make sure you have my highlighted option [in pic] checked and Save Configuration.

    Then on top of GUI, under System Testing.. select Full System Scan and go and have a cup of coffee. :)

    Cheers, TAS

    Note: You can use TDS as a fully functional program, you just won't have the Real Time Monitoring option [Exec. Protect] enabled on unregistered version, and you cannot update the database through the program and will have to do it manually as described above.
    Also you will see in the interface command lines something like: Warning radius file not up to date, etc. This is to let you know it's not a fully auto update registered optioned version. Try it. :)
     

  5. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Thanks Tas,

    That's a notable reply, got some education myself I did...

    Rick, here's the "Original" bookmark. Hope you don't mind Tas, only stole a bit o'fire :D ,
    I still refer to that great post of your's...

    GF ;)
    *Beat me in on that!
     
  6. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    In the same configuration, under Generic TAB. Check the slider is set to HIGH. ;)

    TAS
     

    Attached Files: 095.GIF
  7. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    LOL.. no probs GF... :)

    Cheers, TAS
     
  8. rickdebrux

    rickdebrux Registered Member

    Joined:
    Sep 9, 2004
    Posts:
    4
    Thanks for the great response.. Sorry for not replying sooner, I've been away for the weekend, I'm getting onto all your advice now and report back as soon as possible.. Thanks guys

    Rick
     
  9. rickdebrux

    rickdebrux Registered Member

    Joined:
    Sep 9, 2004
    Posts:
    4
    virusscan.jotti.dhs.org returned :

    This, TrojanSpy.Win32.Harverster.11

    F-Secure Anti-Virus Backdoor.Win32.Wootbot.gen (5.80 seconds taken)

    Hope this helps

    Rick
     
  10. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    hmmm...Rick.. I don't recall seeing that first name anywhere... and I did a VB Vgrep search [HERE]
    and nothing found...

    Can you get a copy of the file, zip and send to:

    submit[at]diamondcs.com.au [at] replaced by @ :)

    Give them some details, not the lot, and make sure you put a link in the email to this thread... thanks.

    TAS :)
     
  11. rickdebrux

    rickdebrux Registered Member

    Joined:
    Sep 9, 2004
    Posts:
    4
    Hi,

    I've received a reply re "jewed.exe".

    Here's the text:

    Thanks for the file, it is a new variant of "Wootbot"
    These are bots which use many exploits to try to infect a system, so ensure you have a firewall up before getting online at all, and anything which is installed could be vulnerable - so install the latest patches for everything. Firewall rules are of course very important, perhaps something is being allowed which shouldn't.. NETBIOS?


    Thanks for all your help here!!! :-*
     
    Last edited: Sep 15, 2004