service pack1.exe a virus?

Discussion in 'NOD32 version 2 Forum' started by windstrings, Oct 31, 2005.

Thread Status:
Not open for further replies.
  1. windstrings

    windstrings Registered Member

    Joined:
    Oct 20, 2004
    Posts:
    337
    I got a CD from a friend who says he just copied his whole directory over to give me a file..... inside the directory was "service pack1.exe" He said he originally downloaded it from Microsoft's page?

    I can copy and do as I will to any of the other files on the disk he gave me..
    However this one file which is 137,161kb in size is found to have a virus?
    I cannot quarantine it to send for analysis.
    I get an error that says "error quaranteening"

    Now I can't even copy the file to my hard drive "after a reboot even" and after turning NOD off because it says the file cannot be copied because it is either read only or is in use?
    Well the other files are read only too.. "they are on a CD" but I can copy them just fine?

    Has NOD locked up this file so I cannot copy it now... even though I turn NOD off?
    I have done a full scan of my system after playing with this and I am clean.. settings turned up full blast.

    The worm name is not found anywhere else on the net except in NOD related sites?
    Is this worm legit?.. and if so why can't I find it?... has the name been changed by NOD to protect the guilty?
    Or is NOD the only VS on the planet that sees this?

    The virus name is...
    Time Module Object Name Threat Action User Information
    10/31/2005 20:23:00 PM AMON file F:\service pack1.exe Win32/MScr.V worm Error quarantining the object - WINDSTRINGS\Alan Event occurred at an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.

    Any great revelations would be appreciated... I'm just curious what's up..
    I've never had such a thing happen with NOD?
     
  2. rumpstah

    rumpstah Registered Member

    Joined:
    Mar 19, 2003
    Posts:
    486
    Hi windstrings:

    How about taking a look here.

    Most likely the file is too large to send for analysis. ;)
     
  3. windstrings

    windstrings Registered Member

    Joined:
    Oct 20, 2004
    Posts:
    337
    I figured out how to copy... NOD was locking it up.. In AMON settings there is a setting to "prohibit access".. once I excluded it, I was able to copy and quarantine it.

    Only problem now.. I guess I can't send in a file 127 mb?
    So just how do we get it tested?
     
  4. windstrings

    windstrings Registered Member

    Joined:
    Oct 20, 2004
    Posts:
    337
    I didn't get too far on that page... I clicked on the link for "Win32/MScr.V worm" and on the page it brought me to... I went everywhere and did a search for "Win32/MScr.V worm" with no results.
     
  5. windstrings

    windstrings Registered Member

    Joined:
    Oct 20, 2004
    Posts:
    337
    I must admit.. pretty impressive..... I zipped the affected file.... removed the extension of .zip and then rezipped it again.... upon scanning NOD still found the worm!

    I'm just not convinced it's a worm.
     
  6. Happy Bytes

    Happy Bytes Guest

    It's a filesharing worm. Overwrites the start of executables and puts the worm code at the start - then later drops the original executable and runs it.
    There are lots of different versions, but if I remember right they were all developed in Delphi and packed by UPX. Some of them are also repacked by Yoda Crypt. Just take a look into the file header. Make a screenshot of the first bytes from this file here (with a hex editor).
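    An added example, not code from this thread or from NOD32: a small Python script that does the header check Happy Bytes describes without ever running the file. It reads the DOS stub signature (Delphi's linker writes "MZP", which matches the three characters windstrings could copy out), walks to the PE section table and flags UPX section names; the executable bytes it inspects are a constructed minimal PE header, and Yoda Crypt markers are not checked.

```python
import struct

def build_sample(dos_sig=b"MZP", section_names=(b"UPX0", b"UPX1", b".rsrc")):
    """Constructed sample: a minimal PE header, not a real executable (assumption)."""
    e_lfanew = 0x80                      # offset of the "PE\0\0" signature
    dos = bytearray(e_lfanew)
    dos[:len(dos_sig)] = dos_sig         # DOS stub signature ("MZ" or Delphi's "MZP")
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytes(224)                     # PE32 optional header, contents irrelevant here
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names),
                                    0, 0, 0, len(opt), 0x010F)
    secs = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + coff + opt + secs

def hexdump(data, length=32):
    """Render the first bytes the way a hex editor shows them: hex, then ASCII."""
    chunk = data[:length]
    hexpart = " ".join(f"{b:02x}" for b in chunk)
    asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return f"{hexpart}  {asc}"

def inspect_pe(data):
    """Read the DOS stub signature and the PE section names without running the file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size     # section table follows the optional header
    names = []
    for i in range(nsec):
        raw = data[table + 40 * i: table + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return {
        "delphi_stub": data[:3] == b"MZP",                        # Borland/Delphi linker stub
        "upx_sections": any(n.startswith("UPX") for n in names),  # UPX0/UPX1 = UPX packed
        "sections": names,
    }

if __name__ == "__main__":
    sample = build_sample()
    print(hexdump(sample))
    print(inspect_pe(sample))
```

    Pass the bytes of a suspect file to `hexdump` and `inspect_pe` to see the same header view the thread asks for; a "MZP" stub with UPX0/UPX1 sections is consistent with the Delphi/UPX build described above, though on its own it does not prove the file is malicious.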
     
  7. dog

    dog Guest

    If you need a free hex editor there are a few available here.
     
  8. windstrings

    windstrings Registered Member

    Joined:
    Oct 20, 2004
    Posts:
    337
    Thanks.. I'll check that out.. If I find something weird it will be obvious the person who gave it to me has been exposed to corruption.
    What's funny is he has no AV protection professing he has never needed it and his system works fine?
    I would actually like to find something wrong with this file and be able to show him proving his need for AV... we'll see.
     
  9. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
  10. windstrings

    windstrings Registered Member

    Joined:
    Oct 20, 2004
    Posts:
    337
    Well I've never used a hex editor.. if I change the extension "exe" to doc and try to open it in word.. then DMON catches it... I'm not sure I should be playing with this with my AV disabled?.. yet if I don't disable it.... I can't do anything with it because AMON prevents access?

    any suggestions...
    Maybe you can suggest which hex editor that's simple.. I downloaded and installed "AEdiX v3.05" but it's too complex ... I don't understand how to use it and it doesn't even want to open "exe" files?

    Sorry but hex editing is an area I've never yet delved into.
     
  11. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
  12. windstrings

    windstrings Registered Member

    Joined:
    Oct 20, 2004
    Posts:
    337
    Ok.. I managed to get it opened with my original text editor as well as the trial version you suggested....

    I just don't see anything intelligent that I can discern as being a problem...
    I will copy the first bit... but as you know .. 137 meg is a lot of txt and I just don't see anything in all of it I can make sense of.
    All that will copy and paste are the first 3 letters...
    MZP
     
  13. Happy Bytes

    Happy Bytes Guest

    Make a screenshot and post it - that helps more.
     
  14. windstrings

    windstrings Registered Member

    Joined:
    Oct 20, 2004
    Posts:
    337
    Service pack1.exe screenshot#1

    Ok.. I've made screenshots of the first 5 pages... there appear to be hundreds more to get to the end!.....

    I hope this helps....

    thanks for your suggestions...
     
  15. windstrings

    windstrings Registered Member

    Joined:
    Oct 20, 2004
    Posts:
    337
    Service pack1.exe screenshot#2
     
  16. windstrings

    windstrings Registered Member

    Joined:
    Oct 20, 2004
    Posts:
    337
    Service pack1.exe screenshot#3
     
  17. windstrings

    windstrings Registered Member

    Joined:
    Oct 20, 2004
    Posts:
    337
    Service pack1.exe screenshot#4
     
  18. windstrings

    windstrings Registered Member

    Joined:
    Oct 20, 2004
    Posts:
    337
    And last but not the least most exciting!!!
    Service pack1.exe screenshot#5!
     