Question

ff.exe, nf.exe, lz.exe, zg.exe, za.exe, etc. Viruses? Worms? Trojans?

Asked by: spyder713

I have come across these executable files on many of my servers.  There are multiple files on each server, some of which are different and some of which are the same.  They all have the following characteristics in common: they are all in the system32 folder, they are all 2 letters followed by .exe, they were all created between 1/5/2009 and 1/7/2009, and none of them include a description or company name.  Additionally, they all have a common file size unique to each server (i.e. on one server they are all 29 kb, on another they are all 12 kb, etc.)  They are also not detected by my antivirus or spyware scanner.  I have found very little information by searching google.  I always get information from Prevx that states that it is a harmful virus/worm/etc.  If this is true why does other antivirus software not have information on these files?  Can someone give me some information regarding what these files are?
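A triage script for the traits the asker lists, as an added example that is not part of the original thread. It walks one directory (system32 in the question), keeps only files named two letters plus .exe, flags creation times inside the 1/5/2009 to 1/7/2009 window, checks whether each file really carries a DOS/PE header, and groups the matches by SHA-256 so that "they are copies of themselves" becomes something you can verify rather than guess. The function names, the window constants and the sample records are this example's own; the embedded MZ/PE header is constructed, not a real binary, and the "no description or company name" trait is not checked because it needs a VERSIONINFO resource parser.

```python
import hashlib
import os
import re
import struct
from collections import defaultdict
from datetime import datetime

# Added triage script (not from the thread). Names, constants and the
# sample data below are this example's own assumptions.
TWO_LETTER_EXE = re.compile(r"^[a-z]{2}\.exe$", re.IGNORECASE)
WINDOW_START = datetime(2009, 1, 5)
WINDOW_END = datetime(2009, 1, 8)   # exclusive: all of 1/7/2009 is inside


def is_pe(data: bytes) -> bool:
    """True if data has a DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(name: str, size: int, created: datetime, data: bytes):
    """Describe one file, or return None if its name does not fit the pattern."""
    if not TWO_LETTER_EXE.match(name):
        return None
    return {
        "name": name,
        "size": size,
        "in_window": WINDOW_START <= created < WINDOW_END,
        "is_pe": is_pe(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def triage(records):
    """Group matching records by SHA-256. One group holding many names means
    literal copies; several groups means distinct payloads."""
    groups = defaultdict(list)
    for rec in records:
        if rec is not None:
            groups[rec["sha256"]].append(rec["name"])
    return {digest: sorted(names) for digest, names in groups.items()}


def scan_directory(path: str):
    """Build records for every file directly inside path (e.g. C:\\Windows\\System32).
    st_ctime is the creation time on Windows; on POSIX it is the inode change time."""
    records = []
    with os.scandir(path) as it:
        for entry in it:
            if not entry.is_file():
                continue
            st = entry.stat()
            with open(entry.path, "rb") as fh:
                data = fh.read()
            rec = classify(entry.name, st.st_size, datetime.fromtimestamp(st.st_ctime), data)
            if rec is not None:
                records.append(rec)
    return records


# Constructed sample: a minimal MZ/PE header, not a runnable program.
MINIMAL_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
HTML_BLOB = b"<!DOCTYPE html><html></html>"
SAMPLE_RECORDS = [
    classify("ff.exe", len(MINIMAL_PE), datetime(2009, 1, 6, 9, 30), MINIMAL_PE),
    classify("nf.exe", len(MINIMAL_PE), datetime(2009, 1, 6, 9, 31), MINIMAL_PE),
    classify("lz.exe", len(HTML_BLOB), datetime(2009, 1, 7, 23, 59), HTML_BLOB),
    classify("kernel32.dll", 10, datetime(2009, 1, 6), MINIMAL_PE),   # name filtered: None
]

if __name__ == "__main__":
    import sys
    recs = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RECORDS
    for rec in filter(None, recs):
        print(rec["name"], rec["size"], "window" if rec["in_window"] else "-",
              "PE" if rec["is_pe"] else "not-PE", rec["sha256"][:16])
    for digest, names in triage(recs).items():
        print(digest[:16], "x%d" % len(names), names)
```

Run it as `python triage.py C:\Windows\System32` on each host and compare the SHA-256 groups across hosts: the same hash on several servers is a stronger lead than the per-server file size, and any match that is not a PE image at all is worth pulling for manual inspection before deleting.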

Asked On: 2009-09-03 at 12:09:29
ID: 24705700
Tags: virus, spyware
Topics: Anti-Virus, Anti-Spyware, Networking Security Vulnerabilities
Participating Experts: 3
Points: 500
Comments: 21


Answers

 

by: warturtle, posted on 2009-09-03 at 13:42:50, ID: 25254742

Upload those file(s) to www.virustotal.com and report back with findings. Scan your server (Windows 2003 server only) with MalwareBytes Anti-Malware (www.malwarebytes.org) to remove any possible spyware infections.

Hope it helps.

 

by: spyder713, posted on 2009-09-03 at 14:53:34, ID: 25255351

Here is the output from one of the scans.  When I scan the other files they come back with the same results.  I think they are copies of themselves.  Is this a new virus?

File aa.exe received on 2009.09.03 20:53:10 (UTC)
Current status: finished
Result: 0/41 (0.00%)
Antivirus      Version      Last Update      Result
a-squared      4.5.0.24      2009.09.03      -
AhnLab-V3      5.0.0.2      2009.09.03      -
AntiVir      7.9.1.8      2009.09.03      -
Antiy-AVL      2.0.3.7      2009.09.03      -
Authentium      5.1.2.4      2009.09.03      -
Avast      4.8.1335.0      2009.09.03      -
AVG      8.5.0.409      2009.09.03      -
BitDefender      7.2      2009.09.03      -
CAT-QuickHeal      10.00      2009.09.02      -
ClamAV      0.94.1      2009.09.03      -
Comodo      2196      2009.09.03      -
DrWeb      5.0.0.12182      2009.09.03      -
eSafe      7.0.17.0      2009.09.03      -
eTrust-Vet      31.6.6718      2009.09.03      -
F-Prot      4.5.1.85      2009.09.03      -
F-Secure      8.0.14470.0      2009.09.03      -
Fortinet      3.120.0.0      2009.09.03      -
GData      19      2009.09.03      -
Ikarus      T3.1.1.72.0      2009.09.03      -
Jiangmin      11.0.800      2009.09.03      -
K7AntiVirus      7.10.835      2009.09.03      -
Kaspersky      7.0.0.125      2009.09.03      -
McAfee      5730      2009.09.03      -
McAfee+Artemis      5730      2009.09.03      -
McAfee-GW-Edition      6.8.5      2009.09.03      -
Microsoft      1.5005      2009.09.03      -
NOD32      4392      2009.09.03      -
Norman      6.01.09      2009.09.03      -
nProtect      2009.1.8.0      2009.09.03      -
Panda      10.0.2.2      2009.09.03      -
PCTools      4.4.2.0      2009.09.03      -
Prevx      3.0      2009.09.03      -
Rising      21.45.14.00      2009.09.01      -
Sophos      4.45.0      2009.09.03      -
Sunbelt      3.2.1858.2      2009.09.03      -
Symantec      1.4.4.12      2009.09.03      -
TheHacker      6.3.4.3.396      2009.09.03      -
TrendMicro      8.950.0.1094      2009.09.03      -
VBA32      3.12.10.10      2009.09.03      -
ViRobot      2009.9.3.1916      2009.09.03      -
VirusBuster      4.6.5.0      2009.09.03      -
Additional information
File size: 11302 bytes
MD5   : 611cd9e0f89cf3e6957fbe209a27077a
SHA1  : 259c8711c716f0d51b71483e5f3aa08f6af194a3
SHA256: cc0fc7742c7a2fd990514e6695593c58001788f50fd61990dfcd355dac357efb
TrID  : File type identification
HyperText Markup Language with DOCTYPE (80.6%)
HyperText Markup Language (19.3%)
ssdeep: 192:SI8UIhAcwumJyTyi392+mtBpVE0lXa8DNDLoC/8DNOYXa8DNpx10LoWoF0Xep/gp:SIPLoByua
PEiD  : -
packers (Kaspersky): QuickPack
RDS   : NSRL Reference Data Set

 

by: warturtle, posted on 2009-09-03 at 15:42:56, ID: 25255634

This doesn't seem to be a virus infection, if all the scanners are coming back clean. But we need to find out what this really is.

What antivirus do you use?

Have you rebooted the server in safe mode and done a full scan with the antivirus installed?

http://www.threatexpert.com/files/ff.exe.html

The above webpage says that 66 percent of the time it's a backdoor, but otherwise it's not a problem.

What else is happening on the server? Are you able to open exe files without any problems?

 

by: spyder713, posted on 2009-09-03 at 16:07:24, ID: 25255797

I ran Malwarebytes and it identified them as malware.packer.krunchy.  I searched for this and it looks like it was first noticed yesterday.  Look at this web page: http://www.malwarebytes.org/malwarenet.php?name=Malware.Packer.Krunchy.  So it is new I guess.
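Both the VirusTotal output above ("packers (Kaspersky): QuickPack") and the Malwarebytes label here ("Malware.Packer.Krunchy") are packer verdicts, not verdicts on what the program does. A packer compresses or encrypts the original code and unpacks it at run time, so the packed section's byte entropy sits close to the 8-bit maximum, whereas plain x86 code is normally well below 7 bits per byte. The following added example (not code from the thread or from any of the vendors named) computes per-section entropy from a PE file's section table, which is the usual first-pass check for "is this packed?". The 7.0 bits/byte cut-off is an assumed rule of thumb, the sample image is constructed in the block, and the result is a heuristic only: compressed resources and legitimately protected software also score high, and a packed file is not thereby malicious.

```python
import hashlib
import math
import struct
from collections import Counter

# Added example, not from the thread. Names, the threshold and the sample
# image below are this example's own assumptions.
PACKED_THRESHOLD = 7.0   # bits per byte; assumed rule-of-thumb cut-off


def shannon_entropy(data: bytes) -> float:
    """Entropy of data in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(data: bytes):
    """Yield (name, raw_bytes) for each section header in a PE image.
    Reads only the fields needed to locate the section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = pe_off + 4                                    # IMAGE_FILE_HEADER
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                         # first IMAGE_SECTION_HEADER
    for i in range(n_sections):
        hdr = table + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\x00").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        yield name, data[raw_ptr:raw_ptr + raw_size]


def section_report(data: bytes):
    """Return [(section_name, entropy, looks_packed), ...] for one image."""
    out = []
    for name, raw in pe_sections(data):
        h = shannon_entropy(raw)
        out.append((name, round(h, 2), h >= PACKED_THRESHOLD))
    return out


def build_sample_pe(sections):
    """Construct a minimal PE holding the given [(name, raw_bytes)] sections.
    Only the fields pe_sections reads are filled in; it is a test fixture,
    not a loadable executable."""
    n = len(sections)
    pe_off = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0, 0)   # i386, no optional header
    data_off = pe_off + 4 + 20 + 40 * n
    headers, blobs = b"", b""
    for name, raw in sections:
        headers += struct.pack("<8sIIII", name.encode(), len(raw), 0, len(raw),
                               data_off + len(blobs)) + b"\x00" * 16
        blobs += raw
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", pe_off)
    return dos + b"PE\x00\x00" + coff + headers + blobs


# Constructed sample: one section of "code-like" bytes drawn from 64 values
# (entropy exactly 6.0) and one of pseudo-random bytes standing in for a
# compressed payload (entropy close to 8.0).
CODE_LIKE = bytes(range(0, 256, 4)) * 32
PACKED_LIKE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
SAMPLE_PE = build_sample_pe([(".text", CODE_LIKE), (".packed", PACKED_LIKE)])

if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PE
    for name, h, packed in section_report(image):
        print("%-8s %5.2f %s" % (name, h, "PACKED?" if packed else ""))
```

Point it at one of the two-letter .exe files (`python entropy.py ff.exe`). A high-entropy section next to a tiny entry stub is consistent with the packer labels; a ValueError on the PE signature, for a file that TrID called HTML, tells you the thing is not a Windows executable at all despite its name, which is its own reason to keep a copy for analysis before removing it.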

 

by: warturtle, posted on 2009-09-04 at 02:15:53, ID: 25257848

Did MalwareBytes remove those infected files? Or are they still around?

Yes, it seems like a new infection and this is why it wasn't detected by any scanners.

 

by: warturtle, posted on 2009-09-04 at 02:19:18, ID: 25257860

If they are still around, can you open this webpage and upload them (as unknown programs) on this webpage:

http://support.kaspersky.ru/virlab/helpdesk.html?LANG=en

What is quite interesting is that the packing used is Kaspersky QuickPack.

 

by: spyder713, posted on 2009-09-04 at 08:07:41, ID: 25260393

The files are removed by malwarebytes but I still have infected servers so I did upload the files to the Kaspersky for analysis.  Thanks.

 

by: warturtle, posted on 2009-09-04 at 09:50:51, ID: 25261348

Try running TrendMicro Housecall: http://housecall.trendmicro.com/ on the server. It can run on Windows 2003 server as well and will remove anything malicious.

 

by: astralcomputing, posted on 2009-09-05 at 22:50:16, ID: 25268830

You probably have a ZERO DAY VIRUS. http://en.wikipedia.org/wiki/Zero-day_virus. Consider this situation dangerous.

Prevx is the best zero day protection I know of. When you are talking about apps like this, if you don't find the root and clean it manually, you risk being re-infected or even believing you are clean when you are not. You are probably going to need a specialist to investigate it. I did an investigation like this last week and found the whole network was compromised. You may even have a zero day rootkit protecting these apps.

It is possible you have some strange proprietary software, but I doubt it. Occam's razor says you're hit. Contact me if you want to discuss in detail confidentially, http://www.astralcomputing.net, or you can contact Foundstone or Symantec for an incident response team, but in my experience Symantec charges you a lot of money to come onsite and tell you to wipe your servers clean.

 

by: spyder713, posted on 2009-09-06 at 10:06:42, ID: 25270643

Trend Micro did not detect anything and Malwarebytes tagged these files as malware on some servers but not others.  I sent them to Kaspersky for evaluation and they said there was no malicious code.  I'm not sure what to think.  I just want to know what they are.

 

by: greyknight17, posted on 2009-09-06 at 10:20:15, ID: 25270698

Can you check your C:\Windows\system32\wbem\ folder and see if you have a file called wmisynd.exe or wmiclisv.exe?

We have been infected with this similar virus at work and it's a pain to get rid of. Think we finally managed to remove it and patch it (at least for now). If this is the same one, I have something written up specifically to remove this nasty virus. Miss a file and it regenerates quickly.

 

by: spyder713, posted on 2009-09-06 at 10:47:38, ID: 25270808

No, I don't have either of those files.

 

by: astralcomputing, posted on 2009-09-06 at 10:53:52, ID: 25270830

Check for .sys files in windows\system32\drivers with similar dates. That indicates rootkits hiding processes.

 

by: spyder713, posted on 2009-09-06 at 11:46:48, ID: 25271010

Can't find any of those either.

 

by: warturtle, posted on 2009-09-06 at 14:25:44, ID: 25271575

Please send us a HijackThis log of your system:

http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

 

by: greyknight17, posted on 2009-09-06 at 15:41:14, ID: 25271882

You might also want to give us a ComboFix log so it can reveal all those exe files created. I'm sure not all of them will be running processes, so they won't all show up in the HijackThis log.

Go to http://www.bleepingcomputer.com/combofix/how-to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.

 

by: astralcomputing, posted on 2009-09-07 at 08:36:39, ID: 25275736

http://www.auditmypc.com/process/ff.asp

Listed as a known irc chat bot trojan.

 

by: spyder713, posted on 2009-09-10 at 13:31:11, ID: 25303957

Just removed all of the files from the servers.  Didn't want to wait for them to cause a problem.

 

by: astralcomputing, posted on 2009-09-11 at 06:23:29, ID: 25309103

No point awards?

 

by: astralcomputing, posted on 2009-09-11 at 06:23:46, ID: 25309108

No points here?

 

by: spyder713, posted on 2009-09-11 at 09:58:53, ID: 31624609

Problem not solved
