
List:       focus-virus
Subject:    Re: Somebody saw this trojan ?
From:       Nick FitzGerald <nick () virus-l ! demon ! co ! uk>
Date:       2002-10-08 0:25:05

> I have received an e-mail today that is not supposed to be sent to me (they
> were calling somebody else that I don't know ..). When I read the mail with
> Outlook Express I noticed that the popup window of downloading the
> attachment is invoked rapidly (Slow computer) without asking for "Open" or
> "Save as" ...

So, we know you are running an old, long-since patched version of 
Internet Explorer...

> Well, I have some basic concepts about viruses and security.  ...

Yet you use an ancient and decrepit version of the buggiest, most 
security-flawed product of recent (if not all) computing history?

Worse, you use it to open an Email message you already considered as 
being suspect?

   There was white powder leaking from the envelope, so I chose to
   open it with my trusty Leatherman rather than the standard 
   letter opener on my desk...

> ... I am using NAV
> 2001 with the virus definitions of 16/09/2002 ...

Excuse me -- 16 September DEF files?

That is ancient.  Have you any idea how many hundred new viruses, 
Trojans, and so on Symantec has added detection of between then and 
now? The AV industry averages over 500 a month and you are talking 
about three week old DEFs...

> ... and it generally scans the
> incoming emails.  ...

"generally" -- so that makes it safe?  

> ... but after reading that email I noticed that NAV is not
> running !!!

The first rule of virus/antivirus warfare is that the bad guy gets to 
go first.  You were just got.

> With Ctrl-Alt-Del I didn't see any "Strange" running program.

Well, there are features in the OS that allow processes to very 
easily hide from the standard task list.  The first virus or Trojan 
to do this was so long ago I can't even recall, nor do I care any 
more, what its name was.

> On a prompt command I wrote : netstat -an and I found :
> TCP    0.0.0.0:36794          0.0.0.0:0              LISTENING
> I think it could be a trojan horse listening on the port 36794 ..

Yep.

Or it could be a RAT.

Or a DDoS agent.

Or just a virus running some funky server for whatever purpose -- a 
potential comms channel "back home" or an update channel.

Or any other network-aware program having a use for receiving some 
kind of information across the net.

> I ran NAV manually to scan my system...but it (NAV) soon shut down.

Again, it is becoming a more common ploy among malware writers to 
take serious advantage of the "the bad guy gets to go first" rule. 
Of late this has increasingly been seen with malware that screws with 
AV, PFW and similar software.

> I ran a free "Process Viewer" and then I noticed a "strange" running program
> with the name "Hfyj.exe", so I killed it.
> With the "Regedit" I deleted the key that was invoking this program in :
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
> 
> I deleted the exe file and when I rebooted I noticed that it is always there
> and that Nav is not running. I killed the program again ..deleted the
> registry key... ran Nav to scan the exe file but it said that it is not
> infected !!!

OK -- well you already know that three weeks out of date is way too 
out of date.  Also, you know NAV did not detect it when it arrived, 
so why do you expect it to detect it now?

Try updating NAV...

Oh, but you can't because NAV keeps getting killed.

Try also deleting the copy of the EXE (different name though -- what 
a concept!) in the Startup folder.

> Help.. The Resident Evil is always here and running ...
> 
> Note : the mail was sent from a fake address ....and I didn't find the "To:
> " statement in the header ....How could it come to me without the "To :"
> statement.
> 
> what about sending the exe file to Symantec ???

You most likely have an entirely detectable sample of Bugbear and 
Symantec will have seen about a gazillion of them by now and probably 
not really want any more.

Update NAV so it has current DEFs, set it to update daily, upgrade 
your copy of IE to 5.5SP2 plus all post-SP2 security hotfixes or to 
IE6.0SP1, and then visit Windows Update regularly (say once a month).


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
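As an added triage example (not part of the original thread, and not Symantec's or anyone else's tooling), the script below does on a modern Windows box what the poster did by hand: it joins each listening TCP socket to its owning process and image path (the poster's `netstat -an` lacked the PID column), dumps the Run/RunOnce keys under HKLM and HKCU, lists both Startup folders where the renamed second copy would sit, and checks that the AV process is still alive. It assumes the NetTCPIP module is available, an elevated session, and a placeholder AV process name that you must replace.

```powershell
# Added triage script, not from the original thread. Run elevated.

# 1. Listening sockets joined to the owning process and its image path.
function Get-ListenerOwners {
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            PID          = $_.OwningProcess
            Process      = if ($proc) { $proc.ProcessName } else { '<unknown>' }
            Path         = if ($proc) { $proc.Path } else { '<unknown>' }
        }
    } | Sort-Object LocalPort
}

# 2. Autostart registry values: Run and RunOnce, machine-wide and per-user.
function Get-RunKeyEntries {
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (Test-Path $key) {
            # Strip the PS* metadata properties so only the value names remain.
            Get-ItemProperty -Path $key |
                Select-Object -Property * -ExcludeProperty PS* |
                ForEach-Object { [pscustomobject]@{ Key = $key; Values = $_ } }
        }
    }
}

# 3. Per-user and all-users Startup folders (second, renamed copy of the EXE).
function Get-StartupItems {
    foreach ($folder in 'Startup', 'CommonStartup') {
        $path = [Environment]::GetFolderPath($folder)
        Get-ChildItem -Path $path -Force -ErrorAction SilentlyContinue |
            Select-Object @{n='Folder';e={$path}}, Name, Length, LastWriteTime
    }
}

# 4. Is the AV resident scanner still running? Name is a placeholder.
$avProcessName = 'YOUR_AV_PROCESS_NAME'   # placeholder, replace for your product
Get-ListenerOwners | Format-Table -AutoSize
Get-RunKeyEntries   | Format-List
Get-StartupItems    | Format-Table -AutoSize
if (-not (Get-Process -Name $avProcessName -ErrorAction SilentlyContinue)) {
    Write-Warning "AV process '$avProcessName' is not running"
}
```

A listener whose owning process lives under a user-writable path, or a Run/RunOnce value pointing at a randomly named EXE, is the kind of finding worth preserving (copy the file, note the hash) before removal, so the sample can still be submitted.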