New Virus disables control centre

Discussion in 'NOD32 version 2 Forum' started by fasttrack, Sep 28, 2006.

Thread Status:
Not open for further replies.
  1. fasttrack

    fasttrack Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    5
    Hi All,
    I have discovered a new variant this AM of the Win32/TrojanDownloader.Agent.AWF trojan. The virus infects exes, including nod32kui.exe, which in turn becomes disabled. The administrative alerts are still sent, but no local warnings are given. The files become hidden and are not visible from the command line or Windows Explorer. Interestingly, they can be copied via the command line, but it is still not possible to view them and they cannot be archived either. I was forced to copy the files via a mapped drive to a Linux Samba share and zip them from the shell.
    Rootkit cloaking is not evident using RootkitRevealer.

    Anyone else seen this yet?
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Were you able to upload a sample to www.virustotal.com and send a zipped sample to samples @ eset.com?

    Cheers :D
     
    Last edited: Sep 28, 2006
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    As requested by Blackspear, please send such an infected file to samples @ eset.com as we have not received anything yet.
     
  4. fasttrack

    fasttrack Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    5
    I've sent the samples to eset some time ago.
    The submission for scanning at VirusTotal failed as I sent the zip password-encrypted. I'm reluctant to send it from a Windows machine without that.
    I'll try from the firewall without the password.

    Cheers,

    Lew
     
  5. fasttrack

    fasttrack Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    5
    Here's the output from virus total...

    Complete scanning result of "Archive.zip", processed in VirusTotal at
    09/28/2006 09:18:06 (CET).

    [ file data ]
    * name: Archive.zip
    * size: 80486
    * md5.: 88286b7fb8db74fb9787261f357dfe39
    * sha1: 9a85db325fad00d89473fb309f57fa0863be87a4

    [ scan result ]
    AntiVir 7.2.0.18/20060928 found [HEUR/Malware]
    Authentium 4.93.8/20060928 found nothing
    Avast 4.7.892.0/20060927 found [Win32:Agent-BVS]
    AVG 386/20060927 found [Downloader.Agent.FVH]
    BitDefender 7.2/20060928 found [Trojan.Downloader.Agent.ANA]
    CAT-QuickHeal 8.00/20060927 found [TrojanDownloader.Agent.awf]
    ClamAV devel-20060426/20060927 found [Trojan.Downloader.Small-2715]
    DrWeb 4.33/20060927 found [Trojan.DownLoader.12953]
    eTrust-InoculateIT 23.73.7/20060928 found [Win32/Secdrop.4rf!Trojan]
    eTrust-Vet 30.3.3103/20060927 found [Win32/Secdrop.MM]
    Ewido 4.0/20060927 found [Downloader.Agent.awf]
    F-Prot 3.16f/20060928 found nothing
    F-Prot4 4.2.1.29/20060928 found nothing
    Fortinet 2.82.0.0/20060928 found [suspicious]
    Ikarus 0.2.65.0/20060928 found nothing
    Kaspersky 4.0.2.24/20060928 found [Trojan-Downloader.Win32.Agent.awf]
    McAfee 4861/20060927 found nothing
    Microsoft 1.1603/20060928 found nothing
    NOD32v2 1.1780/20060927 found [a variant of Win32/TrojanDownloader.Agent.AWF]
    Norman 5.80.02/20060927 found [W32/Agent.ALTU]
    Panda 9.0.0.4/20060927 found [Trj/Lowzones.SU]
    Sophos 4.10.0/20060928 found nothing
    Symantec 8.0/20060928 found nothing
    TheHacker 6.0.1.085/20060928 found nothing
    UNA 1.83/20060927 found [TrojanDownloader.Win32.Agent.5840]
    VBA32 3.11.1/20060927 found [Trojan-Downloader.Win32.Agent.awf]
    VirusBuster 4.3.7:9/20060927 found nothing

    [ notes ]
    packers: UPX
    packers: UPX
    packers: UPX, UPX, UPX, UPX
    packers: UPX
     
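    The VirusTotal report above is in the old plain-text format, one engine per line. As an added example (not from the thread or from VirusTotal), the following parser turns such a report into a detection ratio, a list of engines that missed the sample, and a rough count of the family tokens vendors used, so the naming spread ("Agent.awf" vs. "Secdrop" vs. "Lowzones") is visible at a glance. The embedded report is a subset copied from the post, not a new scan.

```python
import re
from collections import Counter

# Subset of the scan-result lines quoted in the thread (legacy VirusTotal
# text-report format): "<engine> <version>/<sigdate> found [<name>|nothing]".
VT_REPORT = """\
AntiVir 7.2.0.18/20060928 found [HEUR/Malware]
Authentium 4.93.8/20060928 found nothing
Kaspersky 4.0.2.24/20060928 found [Trojan-Downloader.Win32.Agent.awf]
McAfee 4861/20060927 found nothing
NOD32v2 1.1780/20060927 found [a variant of Win32/TrojanDownloader.Agent.AWF]
Fortinet 2.82.0.0/20060928 found [suspicious]
VirusBuster 4.3.7:9/20060927 found nothing
"""

LINE_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)/(?P<sigdate>\d{8})\s+found\s+"
    r"(?:\[(?P<name>[^\]]*)\]|nothing)\s*$"
)

def parse_report(text):
    """One dict per well-formed engine line; anything else is skipped."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        results.append({
            "engine": m.group("engine"),
            "version": m.group("version"),
            "sigdate": m.group("sigdate"),
            "name": m.group("name"),  # None when the engine found nothing
        })
    return results

def detection_ratio(results):
    hits = sum(1 for r in results if r["name"] is not None)
    return hits, len(results)

def engines_missing(results):
    return sorted(r["engine"] for r in results if r["name"] is None)

def family_tokens(results):
    """Count lower-cased name fragments across all detections, dropping
    filler words, so vendor naming can be compared side by side."""
    filler = {"a", "variant", "of", "win32", "trojan"}
    counts = Counter()
    for r in results:
        if r["name"]:
            for tok in re.split(r"[\s./\-:]+", r["name"].lower()):
                if tok and tok not in filler:
                    counts[tok] += 1
    return counts
```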
  6. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    good to see NOD32 detects it.
     
  7. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    yes, however, this is only one part of the story, you need to read the first post again.

    Cheers :D
     
  8. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    I've read it... hope ESET received the sample and added proper detection or cleaning. :D
     
  9. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Better than that, I'd like to see it properly detected and NOD32 back up and running on those machines, because it certainly isn't running at the moment on them :blink:
     
  10. anotherjack

    anotherjack Registered Member

    Joined:
    Jun 13, 2003
    Posts:
    224
    Location:
    Louisiana
    Well, it sounds as if the kernel is still running, just the UI has been shot down. He may be able to run the scan from the command line to get it cleaned, then it may be OK, or at the worst, have to reinstall NOD.
     
  11. fasttrack

    fasttrack Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    5
    Running a scan only detects the virus-modified files; it does not clean.
    There's no signature against the underlying causative viral agent as it is yet to be identified.

    Lew
     
  12. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    Virus modified files? It's a trojan downloader/installer, not a file-infector. The file(s) flagged as trojans are in their entirety malicious code. Just delete/quarantine. Run a HijackThis scan and paste the log at this site. See if you can clear some things up then (look/click at the ratings/stars if there is anything you are unsure about when it has analysed your log).
     
  13. fasttrack

    fasttrack Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    5
    Here's the HijackThis log....
    Looks pretty clean to me.
    I'm confused as to how the infected files were modified to become trojan downloaders. Perhaps an HTML exploit that no patch exists for?
    All machines were patched with the latest available for IE prior to infection...

    ~HJT log removed....Bubba~
     
    Last edited by a moderator: Oct 1, 2006
  14. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271