Microsoft.exe

Discussion in 'malware problems & news' started by GrAC3R, May 1, 2004.

Thread Status:
Not open for further replies.
  1. GrAC3R

    GrAC3R Registered Member

    Joined:
    May 1, 2004
    Posts:
    1
    Hi,

    I recently found this file running in memory after I noticed that my PC wouldn't shut down and Norton Internet Security 2004 had been disabled.
    I've deleted the registry key(s) that caused this Microsoft.exe (135 KB) to start (it was tagged as being WindowsUpdate), and also moved the file from the Windows/system32 directory to another dir for testing.
    Now, as soon as this was done and I had rebooted, Norton Internet Security would load again.
    I tested the file offline and clicked the .exe, which caused the file to remove itself from my current dir and place itself back into the Windows/system32 dir; the registry entries returned as well. Upon running the file it would shut down Norton Internet Security with a JavaScript error of some kind.
    I've scanned the file and my PC with NAV2004, ewido, Spybot, TDS3 and a few other programs and nothing detected the file as malicious, even whilst it was running in memory. The only program to single it out was TrojanHunter, with the error message: unable to unpack UPX-packed file.
    Has anyone else encountered this file? What is it? And why aren't other programs detecting it? Lots of questions.

    Any help appreciated :)
     
    Last edited: May 1, 2004
  2. DevilFrank

    DevilFrank Registered Member

    Joined:
    Jul 20, 2003
    Posts:
    108
  3. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    It is a brand new Agobot version that seems to have appeared yesterday.
    Samples have been sent to all the major antivirus vendors for updating.

    It comes with its partner scvhost.exe, and if one is removed the other reinstalls it, so both need removing together, or so it seems.

    Please follow the instructions here
    https://www.wilderssecurity.com/showthread.php?t=15913
    and post a HJT log in the hijack forum.
     