ServU.A in dllcache33.exe

Discussion in 'NOD32 version 2 Forum' started by optigrab, Aug 14, 2003.

Thread Status:
Not open for further replies.
  1. optigrab

    optigrab Registered Member

    Joined:
    Nov 6, 2002
    Posts:
    624
    Location:
    Brooklyn/NYC USA
    Hi All,

    Just for grins, I ran an F-Prot for DOS scan on my system this morning, and was surprised by the report that it found 2 infections that NOD32 did not report during its scheduled overnight scan. F-Prot cannot disinfect, and I'm not yet ready to try the F-Prot delete option (because I really don't understand the infection completely or the files involved).

    Does anyone have any suggestions for dealing with this? Should I simply delete dllcache33.exe?

    BTW, why is F-Prot reporting 2 infections (I do realize this is not an F-Prot forum, of course, just hoping).

    Regards!
    Optigrab
    Nod32, Outpost Pro v2, Boclean, SSM
    ******************************
    Virus scanning report - 14 August 2003 @ 8:10

    F-PROT ANTIVIRUS
    Program version: 3.14a
    Engine version: 3.14.2

    VIRUS SIGNATURE FILES
    SIGN.DEF created 1 August 2003
    SIGN2.DEF created 4 August 2003
    MACRO.DEF created 4 August 2003

    Search: Local hard disks
    Action: Report only
    Files: Attempt to identify files
    Switches: /ARCHIVE /PACKED
    No viruses found in memory.
    Hard disk boot sectors were not scanned.

    Scanning C:
    C:\PAGEFILE.SYS Not scanned (in use by another application)
    C:\HIBERFIL.SYS Not scanned (in use by another application)
    C:\WINNT\SYSTEM32\DLLCAC~1.EXE->secure.bat Infection: BAT/ServU.A
    C:\WINNT\SYSTEM32\DLLCAC~1.EXE->secure.bat Infection: BAT/ServU.A
     
  2. Vigy

    Vigy Registered Member

    Joined:
    Aug 13, 2003
    Posts:
    17
    Hi optigrab,

    You should pack those files and send them to Eset's team at support@eset.com. This could be a new virus, which NOD32 can't detect yet. Or it could be just some part of a security program that you've just installed...

    Vigy
     
  3. optigrab

    optigrab Registered Member

    Joined:
    Nov 6, 2002
    Posts:
    624
    Location:
    Brooklyn/NYC USA
    Thanks Vigy! :)

    I did the following: rebooted into Safe Mode, renamed dllcache33.exe to "dllcache33.old" and left it where it is - to be deleted after I can confirm it was not needed by anything. :cool:

    I sent Eset a zip file of "dllcache33.old".

    F-Prot still recognizes an infection within "dllcache33.old", but I'm assuming it can do no harm as is.

    I assume I'm now safe, but any other advice would be welcome.

    Regards!
    Optigrab
     
  4. Vigy

    Vigy Registered Member

    Joined:
    Aug 13, 2003
    Posts:
    17
    Renamed dll file is ok (prevents it from loading). Now, I think it's just a matter of time until eset adds the sample to the virus database, and then NOD will be able to detect the virus (if it's really a virus). :)

    Regards!


    Vigy
     
  5. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    It is probably just an instance of the ServU FTP daemon. It may be that you were hacked and were being used as an FTP server. There may be other hack-related things installed. You might check the create time of the Serv-U file and search for anything with the same or similar create or modify dates.
     
  6. fryr

    fryr Registered Member

    Joined:
    Jul 15, 2003
    Posts:
    51
    Does the following line suggest anything to anyone else?

    C:\WINNT\SYSTEM32\DLLCAC~1.EXE->secure.bat Infection: BAT/ServU.A

    To me it suggests that the DLLCAC~1.EXE file is a self extracting ZIP file that contains a file called secure.bat and it is the secure.bat file that is infected.

    This could explain why NOD32 did not detect the virus, as the unpacker in NOD32 is said not to be as good as some other anti-virus software - hopefully NOD32 would detect the virus when the file was unpacked and an attempt was made to access the infected file.
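    As an added illustration of the point fryr makes (this is not code from the thread or from any product mentioned in it): a small Python triage script that checks whether an executable carries an appended ZIP archive, the layout of a self-extracting EXE, and lists the members so that a file such as secure.bat can be seen without running the extractor. The sample file, its stub bytes and its member contents are constructed here and are not the file from the report.

```python
import io
import zipfile

# Constructed sample: a dummy "MZ" extractor stub with a ZIP archive appended,
# the layout of a self-extracting EXE.  Stub bytes and member contents are made
# up for this example; they are not the contents of the file from the thread.
def build_sample_sfx() -> bytes:
    stub = b"MZ" + b"\x00" * 62 + b"[constructed extractor stub, not a real PE]"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", "notes (constructed)")
        zf.writestr("secure.bat", "@echo off\r\nrem constructed placeholder\r\n")
        zf.writestr("ServUDaemon.ini", "[GLOBAL]\r\n")
    return stub + buf.getvalue()

# Member types worth a second look when found inside a container on disk: a
# scanner only sees them if it opens the archive, which is the point raised above.
WATCH_SUFFIXES = (".bat", ".cmd", ".exe", ".dll", ".vbs", ".js", ".scr", ".pif")

def inspect_embedded_zip(data: bytes):
    """Describe a ZIP archive appended to an executable stub, or return None.

    zipfile locates the End-of-Central-Directory record from the end of the
    data and accounts for any bytes that precede the archive, so it can read
    SFX-style files without executing the stub.
    """
    stream = io.BytesIO(data)
    if not zipfile.is_zipfile(stream):
        return None
    with zipfile.ZipFile(stream) as zf:
        infos = zf.infolist()
        members = [(i.filename, i.file_size) for i in infos]
        # header_offset of the first member is absolute in the file, so for an
        # SFX it equals the size of the prepended stub.
        stub_bytes = infos[0].header_offset if infos else 0
    return {
        "pe_stub": data[:2] == b"MZ",
        "stub_bytes": stub_bytes,
        "members": members,
        "flagged": [n for n, _ in members if n.lower().endswith(WATCH_SUFFIXES)],
    }

if __name__ == "__main__":
    report = inspect_embedded_zip(build_sample_sfx())
    print(f"stub: {report['stub_bytes']} bytes, PE header: {report['pe_stub']}")
    for name, size in report["members"]:
        mark = " <-- flagged" if name in report["flagged"] else ""
        print(f"  {name} ({size} bytes){mark}")
```

Run it against a real file by reading the file's bytes and passing them to inspect_embedded_zip; a None result means no ZIP structure was found at the end of the file.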
     
  7. jan

    jan Former Eset Moderator

    Joined:
    Oct 25, 2002
    Posts:
    804
    Hi,

    Thanks for the sample - it'll be added in Monday's update.

    Re. the unpackers - more info on this thread.

    Take care, :)

    jan
     