jerra
asked on
Strange .exe files appearing under c:\windows\temp\ when logging in via Terminal Services
The server which is used as domain controller/file server has had a major infection of viruses & trojans and I seem to have become overly suspicious after the whole ordeal... Two weeks ago we seemed to have gotten rid of all the nasty bits of software.
Anyways the other day when I was looking in the c:\windows\temp\ folder I saw perhaps 20 .exe files all having 4 digits in their name e.g. 1388.exe and being for kb big. I decided to delete them and then F-Secure prompted stating that this and that file contains a trojan. About five of the files were infected and I don't know whether they were recently infected or leftovers from when the server had various infections.
I noticed that a new .exe file is created each time you log into the server using Terminal Services. Repeated logins after that only modify the file's modification attribute. I opened the 3 files that were there today using Textpad in binary mode and they all contained what seemed like an IP number and port. I don't have the specific number right now but it was something like 54.xxx.xxx.xxx:339. I think it started with 54 but the others I don't remember.
What is this, anyone have any idea?
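The symptom described in the question (tiny .exe files with four-digit names appearing in the temp folder, each holding what looks like an IP:port string) can be triaged without executing anything. The script below is an added example, not code from the thread: it walks a folder, picks out files matching the naming pattern, records size, modification time and SHA-256, checks whether the file is actually a PE image (starts with MZ) and pulls out any IPv4:port strings. The name pattern, the 4 KB "small" threshold and the constructed sample files are assumptions; run it against a copy of the folder.

```python
"""Triage helper for four-digit-named .exe files that carry an IP:port string.
Added example (not from the thread); name pattern, size threshold and the
constructed sample directory are assumptions made for demonstration."""
import hashlib
import os
import re
import tempfile
from datetime import datetime

# Assumed pattern for the suspicious names: exactly four digits plus .exe
NAME_RE = re.compile(r"^\d{4}\.exe$", re.IGNORECASE)
# Dotted-quad IPv4 followed by :port, as seen in the opened files (58.63.40.3:316)
IPPORT_RE = re.compile(rb"(?<!\d)(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})(?!\d)")


def extract_ip_ports(data: bytes):
    """Return (ip, port) pairs found in raw bytes, rejecting impossible octets/ports."""
    found = []
    for ip, port in IPPORT_RE.findall(data):
        octets = [int(o) for o in ip.split(b".")]
        p = int(port)
        if all(o <= 255 for o in octets) and 1 <= p <= 65535:
            found.append((ip.decode(), p))
    return found


def triage_temp_dir(path: str, max_size: int = 4096):
    """List files matching the naming pattern with hashes and embedded IP:port strings."""
    results = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not NAME_RE.match(name) or not os.path.isfile(full):
            continue
        with open(full, "rb") as fh:
            data = fh.read()
        st = os.stat(full)
        results.append({
            "name": name,
            "size": st.st_size,
            "mtime": datetime.fromtimestamp(st.st_mtime).isoformat(timespec="minutes"),
            "sha256": hashlib.sha256(data).hexdigest(),
            "ip_ports": extract_ip_ports(data),
            # the thread's 14-byte files are plain config strings, not PE images
            "is_pe": data[:2] == b"MZ",
            "small": st.st_size <= max_size,
        })
    return results


def build_sample_dir() -> str:
    """Create a constructed sample folder mimicking the thread's directory listing."""
    d = tempfile.mkdtemp(prefix="temp_triage_")
    samples = {
        "1380.exe": b"58.63.40.3:316",          # 14-byte IP:port string, as reported
        "1388.exe": b"58.63.40.3:316",
        "1384.exe": b"MZ" + b"\x00" * 1306,     # stand-in for the 1308-byte detected file
        "notes.txt": b"unrelated file",         # ignored by the name filter
        "999.exe": b"1.2.3.4:22",               # three digits, also ignored
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(content)
    return d


if __name__ == "__main__":
    for row in triage_temp_dir(build_sample_dir()):
        print(row)
```

The output separates the two kinds of file the asker found: the 14-byte ones are not executables at all but configuration strings (an address and port), while the larger one is a real PE image whose hash can be submitted to a multi-engine scanner. Comparing the mtime column against the Terminal Services logon times confirms or refutes the "one file per login" observation.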
SOLUTION
ASKER
One more thing, all problems started this July when the ISP made a migration to new hardware and they left the firewall open on port 80. Firewall is located at ISP and managed by the ISP.
ASKER CERTIFIED SOLUTION
ASKER
OK will do. I'll be at the office in a few days.
AVG can scan from the command line in safe mode...
ASKER
OK, files analysed using virustotal.
Of three existing files one got a hit (1384.exe):
Prevx1 V2 2008.10.18 Malicious Software
Files 1380.exe & 1388.exe contain the following information in binary --> 58.63.40.3:316
Directory listing of the suspicious files:
17.10.2008 15:06 14 1380.exe
20.10.2008 13:45 1 308 1384.exe
16.10.2008 23:29 14 1388.exe
--------------------------
HiJackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:48:25, on 21.10.2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adaptec\Adaptec RAID Services\StorServ.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\HP\HP Storage Manager\StorServ.exe
C:\WINDOWS\System32\ismserv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\sfmprint.exe
C:\Program Files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe
C:\WINDOWS\system32\ntfrs.exe
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Anti-Virus\fsqh.exe
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wins.exe
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\F-Secure\FSGUI\fsguidll.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [XeroxRegistation] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2\Xerox\EReg\opbreg.exe" /Startup
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2329229114-3049913970-3677540923-1132\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'fsms_TARJA')
O4 - HKUS\S-1-5-21-2329229114-3049913970-3677540923-1132\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'fsms_TARJA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://ftp.sunet.se
O15 - ESC Trusted Zone: http://entsearch.symantec.com
O15 - ESC Trusted Zone: http://seer.entsupport.symantec.com
O15 - ESC Trusted Zone: http://www.symantec.com
O15 - ESC Trusted Zone: http://www4.symantec.com
O15 - ESC Trusted Zone: http://ftp.support.veritas.com
O15 - ESC Trusted Zone: http://softwareupdate.veritas.com
O15 - ESC Trusted Zone: http://download.windowsupdate.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1131707945779
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hallimestarinkatu.teollisuustyokalut.fi
O17 - HKLM\Software\..\Telephony: DomainName = hallimestarinkatu.teollisuustyokalut.fi
O17 - HKLM\System\CCS\Services\Tcpip\..\{5491FD7D-17AB-44C2-99DF-EDE3265F0ADA}: NameServer = 192.168.2.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hallimestarinkatu.teollisuustyokalut.fi
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = hallimestarinkatu.teollisuustyokalut.fi
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = hallimestarinkatu.teollisuustyokalut.fi
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adaptec Storage Manager Agent (AdaptecStorageManagerAgent) - Adaptec Incorporated - C:\Program Files\Adaptec\Adaptec RAID Services\StorServ.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - D:\programs\VERITAS\Backup Exec\NT\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - VERITAS Software Corporation - D:\programs\VERITAS\Backup Exec\NT\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - VERITAS Software Corporation - D:\programs\VERITAS\Backup Exec\NT\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - VERITAS Software Corporation - D:\programs\VERITAS\Backup Exec\NT\bengine.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - VERITAS Software Corporation - D:\programs\VERITAS\Backup Exec\NT\beserver.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Automatic Update Server (FSAUS) - BackWeb - C:\Program Files\F-Secure\FSAUS.PM\bin\server.exe
O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: F-Secure Policy Manager Server (fsms) - Unknown owner - C:\Program Files\F-Secure\Management Server 5\apache.exe
O23 - Service: F-Secure Policy Manager Web Reporting (fspmwr) - Unknown owner - C:\Program Files\F-Secure\Management Server 5\Web Reporting\bin\fspmwrservice.exe
O23 - Service: HP Storage Manager Agent (HPStorageManagerAgent) - Adaptec Incorporated - C:\Program Files\HP\HP Storage Manager\StorServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
--
End of file - 8024 bytes
I cannot spot any active infection in this log, not that I have noticed anyway.
I would suggest at this stage an online scan on the Kaspersky website, mostly because the engine is almost 100% accurate; regardless of the fact that it is not going to clean the infection, it will certainly pinpoint any existing infections for further action.
http://www.kaspersky.com/virusscanner
ASKER
Today's scan with the online virustotal service of files found in c:\windows\temp\3664.exe found something bad. F-Secure doesn't find anything; it has been set to do scheduled scanning but it seems only to fill the hydra.log until there is no disk space. Doing a "right-click" scan of the temp folder F-Secure sure reports trojans but what good is that. I'll close this now and start reinstalling this server. Too much time has already been spent on various things to get it clean. Thanks all!
One more thing, the infected files all have the same icon:
Antivirus Version Last Update Result
AhnLab-V3 2008.10.24.3 2008.10.24 -
AntiVir 7.9.0.9 2008.10.24 TR/Crypt.NSPI.Gen
Authentium 5.1.0.4 2008.10.24 -
Avast 4.8.1248.0 2008.10.25 Win32:TCPScan
AVG 8.0.0.161 2008.10.25 HackTool.EZA
BitDefender 7.2 2008.10.25 MemScan:Application.Portscan.D
CAT-QuickHeal 9.50 2008.10.24 -
ClamAV 0.93.1 2008.10.25 PUA.Packed.NPack-2
DrWeb 4.44.0.09170 2008.10.25 Tool.TcpScan
eSafe 7.0.17.0 2008.10.23 -
eTrust-Vet 31.6.6168 2008.10.25 -
Ewido 4.0 2008.10.24 -
F-Prot 4.4.4.56 2008.10.24 -
F-Secure 8.0.14332.0 2008.10.25 W32/Packed_Nspack.A.dropper
Fortinet 3.113.0.0 2008.10.25 -
GData 19 2008.10.25 MemScan:Application.Portscan.D
Ikarus T3.1.1.44.0 2008.10.25 -
K7AntiVirus 7.10.506 2008.10.24 -
Kaspersky 7.0.0.125 2008.10.25 not-a-virus:NetTool.Win32.TCPScan.a
McAfee 5415 2008.10.25 potentially unwanted program HTool-SymScan
Microsoft 1.4005 2008.10.25 -
NOD32 3555 2008.10.25 Win32/NetTool.TCPScan.B
Norman 5.80.02 2008.10.24 W32/Packed_Nspack.A.dropper
Panda 9.0.0.4 2008.10.25 -
PCTools 4.4.2.0 2008.10.24 Packed/NSPack
Prevx1 V2 2008.10.25 -
Rising 21.00.51.00 2008.10.25 Hack.Win32.Scanner.f
SecureWeb-Gateway 6.7.6 2008.10.24 Trojan.Crypt.NSPI.Gen
Sophos 4.35.0 2008.10.25 PortScan
Sunbelt 3.1.1753.1 2008.10.25 -
Symantec 10 2008.10.25 -
TheHacker 6.3.1.0.126 2008.10.25 -
TrendMicro 8.700.0.1004 2008.10.24 PAK_Generic.005
VBA32 3.12.8.8 2008.10.25 suspected of Embedded.Riskware.Win32.TCPS
ViRobot 2008.10.24.1436 2008.10.24 -
VirusBuster 4.5.11.0 2008.10.24 Packed/NSPack
Additional information
File size: 254976 bytes
MD5...: cb9316e6fd2ec501fc59bdee1e551d9d
SHA1..: 23c066971f39f4b89d036be01e3561a6b3f2df81
SHA256: 4881b56059f03b61df3a081792aacc3455802f0112b2f094a9c057bbef140506
SHA512: 0e8cf2a2904c9dd8f987cbc8a0ec8b4057366a18bf96036a94828db5e98b5e241f440c7b46eeebfba369f2c5f36c8dcf70795956343576b77a366a67d0cc38a9
PEiD..: ASPack v2.12
TrID..: File type identification
ASPack compressed Win32 Executable (generic) (90.1%)
Win32 Executable Generic (5.7%)
Win16/32 Executable Delphi generic (1.3%)
Generic Win/DOS Executable (1.3%)
DOS Executable Generic (1.3%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x495001
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)
( 10 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x68000 0x2aa00 8.00 27d032ca1c31022d0877df454cd79e1e
DATA 0x69000 0x2000 0xc00 7.82 11b651f44474fe7bb87ab3a2c8705e40
BSS 0x6b000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x6c000 0x3000 0xe00 7.52 3f8d00283da49b336c8b96f701b8f0dc
.tls 0x6f000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rdata 0x70000 0x1000 0x200 0.19 63d64533d4cf8150c328ee9564d7d709
.reloc 0x71000 0x9000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.rsrc 0x7a000 0x1b000 0xa400 7.82 af393b9285ff1b7938422895e282a1af
.aspack 0x95000 0x8000 0x7600 5.01 f3e3bd0b36bbe8658305c8013951abc0
.adata 0x9d000 0x1000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
( 11 imports )
> kernel32.dll: GetProcAddress, GetModuleHandleA, LoadLibraryA
> user32.dll: GetKeyboardType
> advapi32.dll: RegQueryValueExA
> oleaut32.dll: SysFreeString
> advapi32.dll: RegQueryValueExA
> version.dll: VerQueryValueA
> gdi32.dll: UnrealizeObject
> user32.dll: CreateWindowExA
> oleaut32.dll: SafeArrayPtrOfIndex
> comctl32.dll: ImageList_SetIconSize
> shell32.dll: ShellExecuteExA
( 0 exports )
Norman Sandbox: [ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File might be compressed.
* Accesses executable file from resource section.
* File length: 254976 bytes.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\scan.exe.
* Creates file C:\WINDOWS\syswmi.exe.
* Creates file C:\WINDOWS\ip.txt.
[ Changes to registry ]
* Accesses Registry key "HKCU\Software\Borland\Locales".
* Accesses Registry key "HKLM\Software\Borland\Locales".
* Accesses Registry key "HKCU\Software\Borland\Delphi\Locales".
[ Network services ]
* Connects to "www.y251.com" on port 20 (IP).
* Sends data stream (151 bytes) to remote address "www.y251.com", port 20.
[ Process/window information ]
* Creates an event called .
* Creates a mutex Fexcep_Auto_2967_scan.
* Attemps to Open scan.exe NULL.
* Creates process "scan.exe".
[ Signature Scanning ]
* C:\WINDOWS\scan.exe (15360 bytes) : W32/Packed_Nspack.A.
packers (Avast): ASPack, NsPack
packers (F-Prot): Aspack
packers (Kaspersky): ASPack, NSPack
[Image: the icon shared by the infected files, http://img444.imageshack.us/img444/5292/virusicondd6.jpg]
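The multi-engine results the asker posted explain why one product reports nothing while another flags the file: many engines label the sample a packed port-scanning tool ("not-a-virus", "HackTool", "potentially unwanted program") rather than a trojan, a category some products skip unless riskware detection is enabled. The parser below is an added example, not part of the thread: it reads lines in the posted vendor / version / date / result layout (the result column may itself contain spaces), computes the detection ratio and tallies what the detection names say about the sample. The sample lines are a subset copied from the posted report; the keyword buckets are my own assumptions.

```python
"""Summarise multi-engine scan results of the form 'Vendor Version Date Result'.
Added example (not from the thread); the keyword buckets are assumptions and
the sample text is a subset of the report posted above."""
import re
from collections import Counter

# Subset of the posted VirusTotal lines (vendor, version, last update, result)
SAMPLE_REPORT = """\
AhnLab-V3 2008.10.24.3 2008.10.24 -
AntiVir 7.9.0.9 2008.10.24 TR/Crypt.NSPI.Gen
Avast 4.8.1248.0 2008.10.25 Win32:TCPScan
AVG 8.0.0.161 2008.10.25 HackTool.EZA
ClamAV 0.93.1 2008.10.25 PUA.Packed.NPack-2
F-Secure 8.0.14332.0 2008.10.25 W32/Packed_Nspack.A.dropper
Kaspersky 7.0.0.125 2008.10.25 not-a-virus:NetTool.Win32.TCPScan.a
McAfee 5415 2008.10.25 potentially unwanted program HTool-SymScan
Microsoft 1.4005 2008.10.25 -
NOD32 3555 2008.10.25 Win32/NetTool.TCPScan.B
Sophos 4.35.0 2008.10.25 PortScan
Symantec 10 2008.10.25 -
"""

# Assumed keyword buckets: what the detection names say about the sample
BUCKETS = {
    "scanner-tool": re.compile(r"tcpscan|portscan|scanner|symscan|nettool|hacktool", re.I),
    "packed": re.compile(r"nspack|npack|packed|pak_", re.I),
    "generic-crypt": re.compile(r"crypt", re.I),
}


def parse_results(text: str):
    """Return (vendor, version, date, result) tuples; a result of '-' means no detection."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(None, 3)   # the result column may contain spaces
        if len(parts) != 4:
            continue                  # skip header or malformed lines
        rows.append(tuple(parts))
    return rows


def summarize(rows):
    """Detection ratio plus a count of how many detection names fall into each bucket."""
    detected = [r for r in rows if r[3] != "-"]
    tags = Counter()
    for _, _, _, result in detected:
        for tag, rx in BUCKETS.items():
            if rx.search(result):
                tags[tag] += 1      # at most one hit per bucket per engine
    return {"detections": len(detected), "engines": len(rows), "tags": dict(tags)}


if __name__ == "__main__":
    print(summarize(parse_results(SAMPLE_REPORT)))
```

On the full posted table the same logic gives 19 detections out of 36 engines, with the scanner-tool bucket dominating, which matches the sandbox report (a dropped scan.exe plus an ip.txt) and the IP:port strings found in the small temp files.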
ASKER
Of all these I have only been able to run Spybot in safemode. The MS Removal tool I haven't tried yet. Do Trend Micro, McAfee work in safemode?