Very tricky trojan?????

Discussion in 'Trojan Defence Suite' started by winetou, May 22, 2003.

Thread Status:
Not open for further replies.
  1. winetou

    winetou Registered Member

    Joined:
    May 22, 2003
    Posts:
    13
    A couple of days ago my firewall caught sysreg.exe trying to access IP 127.0.0.1 from my computer.

    Of course I denied and tried to find out what the hell sysreg.exe is.

    The only search results seem to point at it being a server part of the CCInvader2 trojan (there doesn't seem to be any mention of sysreg.exe as a legitimate application). I deleted it, as well as its registry entry.

    Then 10 hours or so later, it appeared again. I downloaded TDS and Anti-Trojan, both are supposed to be able to detect the CCInvader2 trojan, but scanning doesn't give me any warnings even with sysreg.exe sitting right there in my Windows/System folder and the registry entry in windows/currentversion/run: windows/system/sysreg.exe

    So the question is what exactly is this, and why do sysreg.exe and that registry entry keep appearing even after I delete them (after a day or so they come back)?

    I am running ZoneLabs firewall, NortonAntiVirus, everything is up to date, I am also running trial versions of TDS3 and Anti-Trojan, but scans with these do not give me any warnings about sysreg.exe (scanning the file itself as well, no warnings at all).

    The only warning I get is about restore.exe being a possible web downloader (also in the windows/system folder). This restore.exe seems to be a legitimate file though, and that file name is used by many different applications (I am running Windows ME).

    Some info here: http://www.ntsecurity.net/Panda/Index.cfm?FuseAction=Virus&VirusID=27

    As I said, I deleted it as well as its registry entries (I only found the one mentioned above, and it was in a different place from that listed in the above pandasoftware link).

    But it appears again the next day.
     
  2. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi winetou,

    In my opinion this is a file from Windows... That's why TDS-3 doesn't alarm you about that file. And that explains as well why this file always reappears.

    Regards,

    Patrice
     
  3. winetou

    winetou Registered Member

    Joined:
    May 22, 2003
    Posts:
    13
    Thanks,

    I thought so too. The thing that bothers me is that it never tried to dial out until 2 days ago ( and I've had the same machine for 2 years, same OS ).

    Why all of a sudden, and why no mention of sysreg.exe when I do a search on Google? The only results I get are related to the CCInvader trojan and a whole lot of Japanese language links.
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Welcome Winetou,
    I'd like you to have a look at this page and screenshot:
    http://www.google.nl/search?q=cache:Ohweu-CamKQJ:www.ntsecurity.net/Panda/Index.cfm%3FFuseAction%3DVirus%26VirusID%3D27+%22sysreg+exe%22+&hl=nl&ie=UTF-8
    After installing TDS, did you immediately after that go for the manual update of the Radius and reload TDS after that?
    22-5 19:12:09 [Init] • Systems Initialised [24913 references - 8122 primaries/6637 traces/10154 variants/other]
    should be your database now.

    Configure the scanning with all options checked and highest sensitivity.
    When you scanned the file, did TDS not say anything at all, suspicious or anything?
    If I were you, since the thing does reappear anyway, please send it to the TDS lab for deeper investigation: submit@diamondcs.com.au (zipped if possible).

    You are on winME, system restore eh?
    Clean out the system, disable system restore, reboot, enable system restore again if you want and manually make a new restore point. This action should have removed all the former restore points, including the infection, and you should be clean since. You might like to do a new scan to check if you're really brand new clean.
    In such cases I also get one of the online scans.
    In case you're not sure if this file is legit or not, you might like to either zip or rename it on your system so it can't run till you get a TDS answer, and you can see soon enough if your system runs ok or not.
    If it is the infection you think -- which has self-updating capacities, so the whole payload of your variant is never known -- you see on the pages as well which other files to look for and the registry key to delete.
     
  5. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi winetou,

    Actually the IP 127.0.0.1 is an internal IP, which means it's your computer. I don't believe that you have a trojan or something like that. ;)

    Best regards,

    Patrice
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    The googling I did only showed me several nasties, which are all in the updated Radius database, and one legit one, part of an IR software.
    So it is not a known part of the normal MS system files.
    I really recommend doing the actions I just described to be super sure and safe.
    Look with Port Explorer what is calling out or connecting, the trial version is nice for that to start with too!
    I've seen trojan uploader sites 127.0.0.1 making you think it's your own local machine but it can be theirs to configure the nasty.
    Do you remember if it used for instance ftp port 21 ?
     
  7. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Jooske,

    relax! :D I was googling myself and I found some nice information about sysreg.exe. It's indeed a system file and it was also, there you're right, misused as a nasty. Go check out the Microsoft TechNet site for further info, I'm sure you'll find more about it.

    Winetou already did a full scan and he didn't find anything suspicious. And something which calls 127.0.0.1 won't be a trojan if my brain doesn't mislead me. ;)

    Best regards,

    Patrice
     
  8. winetou

    winetou Registered Member

    Joined:
    May 22, 2003
    Posts:
    13
    I know exactly which port it used: Port 3338 / IP 127.0.0.1

    I did all those things after the 1st reappearance (disable system restore, delete file and registry entry, scan with TDS, I did download the most current update for TDS as soon as I installed it, etc.).

    The only warning I got was on restore.exe as a possible web downloader and I thought maybe that one was downloading this sysreg.exe at certain intervals, although restore.exe seems to be a legit file (any thoughts on that one?).

    Second time it reappeared I scanned the file itself with TDS before deleting it.
    No alarms, it just says TDS scanning file sysreg.exe.

    If it reappears again I will send it to you, it's only 48K.
     
  9. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Yes, I agree Jooske, we must not dismiss things like this until every aspect has been tested, the blackhats use many fooling tools to try to make you feel secure.

    Winetou, Try a couple of the on line scans as well just to be sure.

    If you are using XP the system will restore system files on reboot if they have been deleted, that is possibly why it keeps reappearing. If you are using XP or ME you could try a system restore to a point prior to your problem.

    HTH Pilli
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi winetou,

    Even if sysreg.exe is a MS file, if it is in your msconfig run-keys it is probably a "baddie".
    Did you check Start > Run > msconfig OK to see if it is in the list of programs starting up?

    Regards,

    Pieter
     
  11. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    IMHO by far the soundest advice.

    Patrice,

    Let's agree on one thing: we won't jump to conclusions. In cases like these, there's merely one proof of the pudding: the one Jooske mentioned as quoted above. I'm all for letting the knowledgeable and dedicated DCS mods handle an issue first - they are good at it ;)

    regards.

    paul
     
  12. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Winetou, another thing springs to mind: as you have a trial version, have you downloaded the latest Radius update for TDS from here? http://tds.diamondcs.com.au/radius.td3 Drop the file as it is into your main TDS3 directory, then do a full scan with everything checked in the configuration window (except the first item which is for NT) Initialisation & start up scanning.
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I know an old DOS virus using that restore.exe filename.
    You might like the online scanner www.bitdefender.com; they might produce false positives among other alerts, be forewarned about that, so don't get frustrated immediately.
    If your file is part of one of the nasties, it might be a clean-looking thing itself, but part could be activating another file which does the actual downloading and updating and modification of the trojan.
    Now you have that d/l infection, maybe; it is really getting suspicious, so please do submit that restore.exe too to the DCS lab for advice.
    They don't mind a kb more or less; zipped is just preferred so that no email scanner can damage the sample. All that counts is your security and good advice to avoid any damage and frustration.

    Was it asked already to post a startup file, like from HijackThis? Pieter is an expert among others in looking into those files and he knows the d/l location for that tool by heart.
     
  14. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    That 127.0.0.1 -- using the HOSTS file and thus blocking a known suspicious site?
    Can you look in your windows at the HOSTS file?
    Now i really think the nasty should be sent, to snipe out the possible update locations.

    With that port 3338 it can't be the original invader that comes on port 21, but something else or a variant is still possible.
    Are there any other sysreg files on your system?

    Looking forward to Gavin's analyses of both the files.
     
  15. Bowserman

    Bowserman Infrequent Poster

    Joined:
    Apr 15, 2003
    Posts:
    510
    Location:
    South Australia

    Couldn't agree more!

    In the meantime Winetou, you could also try some of the great links in Tassie_Devil's post for some more online scans. Don't know if all the links still work though. And remember, post the results here for expert advice. Here's the post:

    http://www.wilderssecurity.com/showthread.php?t=6341;start=msg42297#msg42297

    Best of luck :), Jade.
     
  16. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Yep, just send the EXE in and we will let you know

    Possibly a trojan, but surely not CCInvader, no one uses that. More likely it is an SDBot recompiled.
     
  17. winetou

    winetou Registered Member

    Joined:
    May 22, 2003
    Posts:
    13
    Well, it just appeared again.

    I e-mailed it to submit@diamondcs.com.au

    See if you can figure out what it is.

    Thanks guys
     
  18. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Great Winetou, hope you send in the restore.exe too.

    Fingers crossed!
     
  19. winetou

    winetou Registered Member

    Joined:
    May 22, 2003
    Posts:
    13
    Thanks for your help guys.

    I'll let you know if it comes back, but I think we figured it out.

    As Gavin e-mailed most likely adware not a trojan.
    Got rid of some registry keys and it should do the trick

    Thanks again ( I did e-mail restore.exe as well )
     
  20. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Sounds good Winetou!

    Like to know if that explains the connection to your localhost 127.0.0.1 too or that you might have HOSTS file in use?
     
  21. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    If you still feel like an opinion about your startups, maybe depending on Gavin's finds, I told you Pieter is the expert.
    Pieter writes his advice and how-to so often that I copied his instructions here for you:
    Please go to http://www.tomcoyote.org/hjt/, and download 'Hijack This!'. An explanation on how it works can be found at the same page.
    Unzip, doubleclick HijackThis.exe, and hit "Scan".
    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log as a .txt file, and copy and paste its contents into your next post.

    Hope all the rest is ok, but maybe you like expert opinion!
     
  22. winetou

    winetou Registered Member

    Joined:
    May 22, 2003
    Posts:
    13
    I'll let you know if it reappears again, but I'm pretty sure we solved the problem.

    I checked my HOSTS file yesterday and just now again, there is nothing in it, completely blank.

    HOSTS.SAM has one entry and that is 127.0.0.1 localhost (since it's a sample file I don't know if it actually does anything). There is also LMHOSTS.SAM, which seems to be just a sample from Microsoft.

    I'll check Pieter's page for startups thing.

    Thanks again
     
  23. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Sounds better and better.

    I mean indeed the HOSTS without the SAM extension.
    FanJ knows everything about it, as do several others.
    You might like to add a line like the one from the sample file:
    127.0.0.1 localhost
    If you have a permanent IP address you might like to add a line like
    x.x.x.x (which is that IP address) www.my888888domain.com
    for which you might use any fantasy name you like.
    I have a few lines so I know which connection Port Explorer is displaying, as it can be a localhost (0.0.0.0 is another localhost), the computer name, the user name, the IP address, if you use a router maybe more addresses, or the current public IP address, so it is nice to add the permanent ones to the file.
    If you for example know your nasty bot wants to connect to www.somenastysite.com you would point it to your localhost:
    127.0.0.1 www.somenastysite.com
    and it can never connect there.
    I don't use the whole HOSTS file and updates etc., but it is an extra safety possibility.

    *Edited the fantasy names as they were real nasty sites, sorry! Anyway, if you put such a name, make sure it doesn't exist elsewhere.*
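As an added illustration, not code from this thread, from DiamondCS or from any tool named in it, the Python below does two things a defender would want from the discussion above: it parses a HOSTS file of the kind Jooske describes and labels each entry (the stock localhost line, a sinkhole entry that points a name at loopback so it can never connect, a fantasy alias for your own address, or a hijack where a name you rely on is sent somewhere else), and it classifies the destination of a firewall alert like the sysreg.exe -> 127.0.0.1:3338 report earlier, reflecting Patrice's point that a loopback destination is the machine itself. The HOSTS text is constructed; www.my888888domain.com and www.somenastysite.com are the thread's own placeholder names, while ads.example.invalid, www.example.com and the IP addresses are assumptions of mine (documentation ranges, not real hosts).

```python
"""Added example: HOSTS-file audit and firewall-alert destination check.

Assumptions (mine, not the thread's): SAMPLE_HOSTS is constructed; the
"trusted" names are whatever the reader depends on resolving correctly.
"""
import ipaddress

# Constructed sample HOSTS file. The first line stands in for the comment
# header a real HOSTS.SAM starts with; the addresses are documentation ranges.
SAMPLE_HOSTS = """\
# comment header: lines starting with '#' are ignored
127.0.0.1       localhost
203.0.113.10    www.my888888domain.com   # fantasy name for the machine's own IP
127.0.0.1       www.somenastysite.com    # sinkhole: the thread's example name
0.0.0.0         ads.example.invalid      # sinkhole via the other "localhost"
198.51.100.7    www.example.com          # hijack: a trusted name sent elsewhere
"""

DEFAULT_TRUSTED = frozenset({"www.example.com"})   # assumption: names you rely on


def parse_hosts(text):
    """Return a list of (ip, [hostnames]) tuples, skipping blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # malformed line: skip, don't crash
        entries.append((ip, [h.lower() for h in parts[1:]]))
    return entries


def classify_entry(ip, hostnames, trusted=DEFAULT_TRUSTED):
    """Label one HOSTS entry from a defender's point of view."""
    if ip.is_loopback and hostnames == ["localhost"]:
        return "localhost"                    # the stock sample-file line
    if ip.is_loopback or ip.is_unspecified:
        return "sinkhole"                     # name can never reach the real host
    if any(h in trusted for h in hostnames):
        return "hijack"                       # trusted name redirected elsewhere
    return "alias"                            # e.g. a fantasy name for your own IP


def audit_hosts(text, trusted=DEFAULT_TRUSTED):
    """Map every hostname in the file to its label."""
    report = {}
    for ip, names in parse_hosts(text):
        label = classify_entry(ip, names, trusted)
        for name in names:
            report[name] = label
    return report


def classify_destination(ip_text, hosts_entries=()):
    """Say what a firewall alert's destination address actually is.

    Returns (kind, names): kind is 'loopback', 'private' or 'public', and
    names lists the HOSTS entries mapped to that address. A loopback
    destination means the process talked to another process on this same
    machine, so the question becomes which local program was listening on
    that port, not which remote site was contacted.
    """
    ip = ipaddress.ip_address(ip_text)
    if ip.is_loopback:
        kind = "loopback"
    elif ip.is_private:
        kind = "private"
    else:
        kind = "public"
    names = sorted(n for e_ip, hs in hosts_entries if e_ip == ip for n in hs)
    return kind, names


if __name__ == "__main__":
    for name, label in audit_hosts(SAMPLE_HOSTS).items():
        print(f"{label:9s} {name}")
    # The alert from the thread: process sysreg.exe -> 127.0.0.1 port 3338
    kind, names = classify_destination("127.0.0.1", parse_hosts(SAMPLE_HOSTS))
    print(f"127.0.0.1:3338 is {kind}; HOSTS names on it: {names}")
```

On the sample file the audit flags www.example.com as a hijack and the two loopback/unspecified names as sinkholes; the alert check reports the 127.0.0.1 destination as loopback, which is why the follow-up step in this thread is a startup and listening-port review rather than a lookup of a remote site.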
     
  24. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    HOSTS file is irrelevant in this but of course useful later :)

    Just use Autostart viewer ! :eek:

    http://www.diamondcs.com.au/index.php?page=asguard

    Turn on all options - show services, drivers, activex
    And then SAVE the results. All known startups taken care of, so we can spot possibly trojan entries ;)
     
  25. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    OK, ASV then, looking forward to results.
    Have to get used to it over here :)

    A little thing for the HOSTS part (indeed less important at this point): I made those entries because I like to see which connections PE is displaying, as there are the various things I mentioned, and I want to know which is which. Not sure if a possible intruder would get the fantasy info too or would still get the real one.
    (by intruder I also mean spyware here)
     