Were these really Trojans?

Some odd activity on my machine sent me on a hunt. Began with a d/loaded zipfile, NOD said it was OK, but as it contained a small executable, I scanned this, & again NOD said it was OK. When I clicked on the executable, the file "disappeared" from its folder, and I became suss. Fired up WinPatrol, which told me a new program had been added plus a restart command, whch I of course disallowed, then began my hunt.

I found ZoneLockup.exe [19KB] in my running processes, its date was 24/7/04, so I ended task. Then I found the same file & date in Program Files in TDS3, also in my temp folder, so I deleted these. When I fired up TDS3, it stalled each time when it got to Memory scan started. AdAware wouldn't start at all.

Then Windows said that "warpigs.exe" had performed an illegal & was to be shut down. Found 2 of these, one in C:\ which I deleted, & another in C:\Windows\System which I couldn't delete or rename - access denied. TDS3 worked now, & kept saying that it can't read this locked file.

A full NOD scan then showed -

Warpigs.exe – Win32/trojanDownloader.Agent.AO trojan
C:\program files\Defence\xDtnamic\TDS.Unpk\zonelockup.exe –Win32/Hackerarmy.Ztrojan
And the 2 in the recycle bin are
C:\Recycled\DC1.exe – Win32/Hackerarmy.Ztrojan

Dunno why NOD didn't tell me anything amiss in the 1st place, but at least it cleaned them all up after the full scan, apart from the original zipped file in My Docs, which I'll delete.

Are these trojans seeing as TDS3 didn't find them?

 

Hi Dee, Did you scan with TDS3 as well before clicking on an unknown executable?
TDS has obiously tried to unpack it as it was in the unpack folder, it is possible that the .exe was corrupt and that caused TDS3 to hiccup.

TDS3 does pick up a lot of downloaders but some ar legitimate or of a minor type that TDS does not detect.

Also if you have the full version then Execution protection would probably have stopped it, especially if you have the Generic detection set to full

We will have to await Gavins reply in the morning.

If you have a copy (possibly in your recycle bin?) of any of the files please send them to submit@diamondcs.com.au for analysis.

Pilli

 

Yes I do have the reg'd TDS3 & resident protection is installed & generic set highest - but I run it "on demand" & update its database 2 or 3 times a week. It was updated the day before, & again after this happened.

Actually I was a bit peeved that NOD32 said the files were OK when I scanned before opening the files, then on a full scan, it found these. I've posted in the Opera newsgroup a warning about the link to the zipfile, & I hope they remove it.

The only thing in my Recycle Bin is the warpigs.exe file that TDS3 couldn't read & I couldn't delete, but NOD did. I also have the original zipfile in My Documents. But would anyone really want to look at it?

If the executable hadn't "disappeared" from its folder, I'd have been totally unaware of this - until "warpigs.exe" performed an illegal, cos that name was unknown to me until then. Actually I don't feel quite as secure as I used to now!

 

Please send the original .zip file to DCS at the email address above, Gavin will reply to you about it's contents.
BTW it may be an idea to send it to Eset to in case it is a new variant,

Thanks Pilli.

 

I forgot to say - that ZoneLockup.exe really worried me because of its name, and I wonder if this was gonna disable ZAPro? WinPatrol seemed to give the quickest warning, & I've now set it to run on startup.

 

OK, I sent the zipfile to Gavin.

The idea of sending it to Eset confuses me [but that's easily done!]
NOD did detect it on a full scan, so how could it be a variant - or is that why NOD stayed Mum about the "disappearing" executable?

I found a Trojan name on Symantec's website that sounded rather similar, Backdoor. Hacarmy, at http://securityresponse.symantec.com/avcenter/venc/data/backdoor.hacarmy.html and I mentioned this in the email.

Still wondering about that zoneLockup.exe though.

 

Hi,

That file zoneLockup.exe might also well be related to Backdoor.Hacarmy.D according to the Greatis-site:
http://www.greatissoftware.com/regrun3dz.htm#zonelockup.exe

 

Well fancy that - exactly what I read at Symantec:-

"zonelockup.exe
Backdoor.Hacarmy.D is a Backdoor Trojan horse that gives an attacker control over a compromised computer.

When Backdoor.Hacarmy.D runs, it does the following:
Copies itself as %System%\ZoneLockup.exe.

Adds the value: "Winsock32driver"="ZoneLockup.exe"
to the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Attempts to connect to an IRC server at port 6667. If successful, it allows the remote attacker to perform some of the following actions:
- Download and execute files
- Terminate processes
- Steal system information, such as operating system information, system uptime, current user name, IP address, and host name"

That sounds nasty, though it doesn't say for sure that it affects ZAPro, but the file name sorts of says so - I think. I wonder if I should search out that registry key? I wonder if NOD really wamts to know about this. And I wonder whether TDS3 should have been able to do more. Or am I supposed to run TDS3 permanently instead of on-demand?

 

Yes, I think that would be a good idea.
If I understood you right, you started WinPatrol; did you let WinPatrol maybe take care of that?
Maybe also a good idea to wait for Gavin's advice !!!

Sure, let them know

Yes, most definitely !!!
You have to run an AT resident, just like your AV.
And just like you do with your AV: keep your AT updated and run a full system scan with it regularly.

 

No WinPatrol can take care of running tasks, startup info & restart commands & tell you when a new program's been added, plus a few minor things like cookies, but nothing on registry.

EDIT - Just rec'd email from Gavin -

"this is a new variant of Hackarmy a trojan bot
Will be adding detection today"

Sounds as if TDS3 couldn't have done anything even if it had been running when I clicked that executable. And NOD said that file was OK before I clicked it, then announced Trojans afterwards, fat lotta good that is. Both TDS & NOD had been updated the day before.

Not real happy.

 

You can post a link to this thread in the NOD forum if you like? Spares lot of double posting.

What kind of file did you think to download and what made you do so? Thinking it to be a new game or such a thing?
You might like to give the URL in your emails to Gavin and Eset.

 

Hi again Dee, If you are running XP I would start TDS3 manually or on a delayed start schedule after boot up.
For execution protection to be active TDS3 must be running but can be minimised to the systray.
Execution protection uses very little resources as it only hooks programs as they start.

Just point them to this thread or copy and paste!

HTH Pilli

 

You got a quick reply from Gavin! and the update for it in today's radius.
Look, there are several thousands of new nasties created every day somewhere in the world, ald you see Gavin and Eset add many to their detection on a daily basis, so submitting anything suspicious is important.
You have still one more place to test files, like www.kaspersky.com/remoteviruschk.html where you have in a few seconds another opinion. You might like to try with thiw file if you still have it.
In fact i suppose TDS Exec Protection if TDS was running would have blocked the file from executing at all, it would certainly do after today's update.
Glad you found and submitted it, thanks in name of the internet community as a whole!
Is TDS running and scanning ok now again or still hanging in a certain place?

 

You both read my mind - I was gonna ask if it'd be cool to post a link about this on NOD forum!

No Jooske, I don't go for games, This was a link posted in 2 Opera n/groups,
"Osama Bin Ladin was found hanged by two CNN journalists early
> Wedensday evening. As evidence they took several photos, some of
> which i have included here. As yet, this information has not hit the
> headlines due to Bush wanting confirmation of his identity but the
> journalists have released some early photos over the internet"

Those posts & links are being removed from Opera n'groups as I type.

Atthe moment I'm running win98.
Also if I minimise TDS3, how will I know when some warning is displayed in its interface?

 

Yes, TDS3 behaved normally again as soon as the full system scan with NOD had removed the offending files. I doubt that TDS3 could have done anything before this Trojan was added to its database.

The original zipped file is still in My Documents & I don't wawnt to try it again anywhere, sorry! But I'll ask NOD if they want it before I delete it forever.

No worries, I'll recover from the shock! You see, I'm ultra ultra careful,
I don't use IE or Outlook or OE, keep my system & my security s/ware religiously updated. And this has been the very first malware I've ever had on my machine, & that's the truth [apart from the rare instances of spyware AdAware finds.]

 

Hackarmy is actually just a variant of SDBot
With TDS running, a Process Memory scan would be likely to reveal it

You definitely should send a copy to NOD32 as this one was posted on a newsgroup very recently and is obviously catching a few people. samples @ nod32.com should do fine

Be careful out there! no scanner can detect everything, the more you click...

 

I've posted about this on the NOD32 forum, with a link to here. But OK. I'll send the file to them with a covering email.

Gavin, I seem to be in some sort of trouble & I don't know what to do - this is my 1st personal experience of virus/trojan infection - plus I'm totally confused by TDS3 AND Nod32's messages now.

First of all, I asked TDS3 [which I've kept running all day[] to do Radius update so that it would have the update for ths pesky thing. Lo & behold, it said that it was already updated. [??] Then I got TDS3 to perform a scan of C drive, I have exec. protecton installed & everything set to high, incl generic, & all relevant fields checked.

And once again, TDS3 says it can't read the same file as before, it's locked. And then AMON appeared with a virus warning, but it didn't help either, instead it said -

"NOD32 A/V System warning:AMON – A/V monitor.
Virus detected.

Virus Information
File: C:\program files\defence\xDynamic\TDS.Unpk\Osama Dead.exe
Virus: Win32/Hackarmy .Z trojan
Comment: AMON cannot clean this infiltration. Error while deleting. Error while renaming. Event occurred on a newly created file"

Told AMON to quarantine the file & it didn’t say anything. But when I closed the Virus warning, I got another popup with “Error occurred when quarantining file"

I've also posted this bit in the NOD forum. I'm getting a bit upset now, because although both TDS3 & NOD32 are fully updated & running, I seem to be stuck with an infected file, and short of trying to delete it in Safe Mode, I just don't know what to do. I've very little MS-DOS know-how, & rely on my security s/ware to do this.

 

Try closing down TDS-3 then trying to quarantine or deleting the file in question.

 

Jason, I just did what you said, & was then able to delete the file. So I then scanned my system with NOD, & the file was no longer detected - the only one that was tagged was the original zipped file in My Documents, the one I'm going to submit to NOD.

But it didn't end there. I fired up TDS3 again, it did a radius update this time - & had it scan C drive. It immediately made a positive ID of AdWare Cydoor, file c:\windows\rundll32.exe. then a little later gave the same dialogue as before, and AMON did the same thing as last time. I'm attaching a screen capture this time.

Am I in an endless loop or something? I think it may be something to do with that registry key which I haven't deleted, cos although I have some idea of how to back up the whole registry to a folder, restoring's another matter, and backup/restore of a single key I don't know how to do.

Sorry I'm such a lamer & being stressed out about this.

And I'm not a "clicker", 3 years without a single virus or worm should attest to my care & paranoia! but when a file has to be opened, I scan it first. Damn this file, I wish I'd never seen it.

 

Hi Dee,

I'm really sorry for all the troubles !

May I ask you, did you let TDS-3 do that full system scan while Amon was resident?
It is a good idea to let TDS-3 do its full system scan with your other scanners (like in your case NOD32) temporarily disabled (and your internet connection closed)!
Don't forget to enable your AV afterwards !

Do you still have that original file zipped on your system?
Maybe a good idea to put it for the moment on a floppy (just in case one of the AV/AT people might ask you for it), then completely remove that zip-file from your system, clean temporary files etc, reboot, let TDS-3 do its scan again (with NOD32 disabled), then do a full scan with NOD32 (with TDS-3 temporarily disabled), then run Ad-aware.
Is then everything clean?

 

Hi dee, Switch off NOD32 completely including Imon, this should allow TDS3 to handle it properly, what appears to be happening is that as TDS3 looks at it Nod32 jumps in ans prevents TDS3 from completing it's tas.

When doing a full scan with TDS3 it is better ro disable your AV.
Remember to re-enable NOD32 after the TDS3 scan

HTH Pilli

 

Thanks so much for that very necessary advice - I was near out of my mind just then when the very same thing happened when I scanned with AdAware!

OK. I'll definitely not let this happen again, I would never have realised this.I've submitted the file to NOD32, & will now move it off my computer. I'll let the rotten thing live on a floppy for a limited time.

Am quite demoralised by all this. To be on the safe side, what should I do about the AdWare Cydoor, file c:\windows\rundll32.exe that TDS3 discovered today? It's in c:\windows all right, 24KB, last modified 23/4/99.

 

Contains a backdoor trojan. Installs ipconfigS.exe and ZoneLockout.exe
in your windows system folder/system32, and 3 registry entries.
Did you find the ipconfigS.exe too?

Submit the rundll32.exe file to submit@diamondcs.com.au too to be tested please and that one you'll love to try on the kaspersky site i posted above.
I use that online file scan so often!

For some reason the scanned files have not been deleted from the Unpk folder; normally they are deleted after being scanned, those are copies of originals elsewhere on your system.
So just go to that folder in your TDS\xDynamic\TDS.Unpk folder and delete all files tehre and clean your recyclebin. Of course NOD was reacting on those copies. Once you deleted them it's ok.
For a scan with NOD32 it is not really necessary to close TDS as it's not doing a thing and the Exec Protection hook is not blockingor doing anything either unless an exe wants to be executed. But don't let TDS do a scan at the same time.
It's a good idea to try to give any scanner as much space as possible so close all unnecessary programs and browser windows and go drink some coffee or green tea if you prefer calmness

On the contrary, when doing a scan with TDS, have all other scanners and their default protection closed (like advised above) to give TDS full access to every file in your system.
It might have been NOD running or having the file protected from any access to it that it could not be found and scanned with TDS.

There are about 1200 hits in google for this nasty in the newsgroups since yesterday, many including the URL, none for the general info nor trojan description sites.

Hope you did not run the nasty, as i'm not sure about which registry keys yet to check for what exactly.

You should feel proud to be among the first to submit the nasty, and more damage has been avoided most probably.

 

This is some sort of bad dream innit? No I don't have either of those files, Jooske & I used wildcards in my search too. I googled for this backdoor thingo, & got a list of files associated with this, did a search, nada. In the file's Properties, it says Microsoft & stuff like that.

I don't have very may proggies installed, & those that are, are purchased or the "safe" freeware like IrfanView & Totl Uninstall. No games, demos or any of that rubbish. Supposing I rename it & left it a coupla weeks before deleting it?

It's never been tagged defore - could it be a false positive.

 

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.hacarmy.d.html (for the zonelockdown part)
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.hacarmy.c.html (for the ipconfigS part)

Click Start > Run.
Type regedit
Then click OK.
Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
In the right pane, delete the value:
"IPConfig"="ipconfigs.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the value:
"Winsock32driver"="ZoneLockup.exe"
Exit the Registry Editor.
Restart the computer in Normal mode.


Here is a description, you might like to print it out and walk step by step through your system as described.
No it was no false positive, depending if you clicked to look at the file it might have been running and would have done some baddies, if you only got the file and kept it zipped and did nothiong else with it all the other stuff is not there, nor the registry keys etc.

The rundl32.exe is just to ask, could be, could be not, as there is indeed an infection using the rundll32.exe which could have come from the download site, for instance. But as your's was not modified......... not 100% sure.
Did you configure your folder settings to show all hidden files and file extensions, so nothing can be hidden nowhere at all?

When you rightclick in the TDS alerts window and look at that rundll32.exe file, does it still look the same as the original?

Did you get the latest radius update [36097 references - 14238 primaries/10056 traces/11803 variants/other]
in the meantime?