Author Topic: Virus  (Read 4647 times)


Ashleybb
Virus
« on: October 31, 2009, 02:26:01 PM »
How can I delete it? I'm new to avast.

Offline FreewheelinFrank
Re: Virus
« Reply #1 on: October 31, 2009, 02:44:50 PM »
What was the name and location of the file detected, and what was it detected as?

You can get this information from the avast! log.

Offline mikaelrask
Re: Virus
« Reply #2 on: October 31, 2009, 02:46:19 PM »
Hey, and welcome to the forum, Ashleybb.

What has avast detected?
Where has it detected it?

Have you tried sending it to the Chest, where it cannot harm your computer?

You can also try MBAM and SAS and see if they can solve your problem.

http://filehippo.com/download_malwarebytes_anti_malware/
http://filehippo.com/download_superantispyware/

Don't forget to update before scanning with SAS and MBAM.

Good luck, and write back if you have any problem or just need more help.

Offline .: L' arc :.
Re: Virus
« Reply #3 on: October 31, 2009, 03:04:19 PM »
Hi Ashleybb,

It would be faster to have two topics active, but it would be a duplication of effort on our side. Please consider sticking to your topic here.

Ashleybb
Re: Virus
« Reply #4 on: October 31, 2009, 03:18:03 PM »
Quote
31/10/2009 13:17:25   SYSTEM   1664   Sign of "Win32:Spyware-gen [Spy]" has been found in "http://tigerden.uppit.com/save/ee7bc86dcb761bfcd9f9526d7f37fd14/4aec384d/0209/g8d2bplj/MASSACREDWORLD.ZIP.zip\.RunServer.exe" file.  


That's the file.

Offline polonus
Re: Virus
« Reply #5 on: October 31, 2009, 11:03:52 PM »
Hi Ashleybb,

Make the malware links non-clickable, for example by writing them as hxtp or wXw.

The website that you mention has a Suspicious Inline Script on it:

Script outside of <HTML>...</HTML> block
top.location.replace("ht^p://uppit.com");

Location of the site is USA:
Reported Threats: 3

   
Name of threat:   W32.IRCBot.Gen
Location:    hxtp://tigerden.uppit.com/save/c7914dc531441e31b3e536e14644c5f5/4ad8aa2f/0209/cim50mc2/Internet_Explorer.exe


Name of threat:   Backdoor.Trojan
Location:    htxp://tigerden.uppit.com/save/6b489270409724656eeb8c9bfcfd6933/4ad8a9d9/0209/o8k5j8ne/2.1_XR_Bot.exe


Name of threat:   Trojan Horse
Location:    hxtp://tigerden.uppit.com/save/32f199b6f05c962a87d2e2072f491289/4adbd258/0209/bxrclapy/server.exe

And for the link you mentioned I get "There was a network error accessing the requested URL: 408".
That means "Destination Set Exhausted"....

polonus


« Last Edit: October 31, 2009, 11:08:10 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

spg SCOTT
Re: Virus
« Reply #6 on: October 31, 2009, 11:24:20 PM »
...
and for the link you mentioned I get "There was a network error accessing the requested URL: 408"
that means "Destination Set Exhausted"....

I imagine that the link dead ends because of the backslash switch, which I think is avast's way of letting you know which file it is that is infected within the double zip file...at least that's how I understand it...

.../MASSACREDWORLD.ZIP.zip\.RunServer.exe

-Scott-
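Added example, not from the thread or from avast: a small parser for the avast! log line format quoted above that splits the scanned file or URL from the archive member on the `\.` separator Scott points out. The sample lines are constructed, with a placeholder host in place of the real URL.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in the layout of the avast! log entry quoted in the
# thread (placeholder host instead of the real URL; second line is a plain file).
SAMPLE_LINES = [
    '31/10/2009 13:17:25   SYSTEM   1664   Sign of "Win32:Spyware-gen [Spy]" '
    'has been found in "http://example.invalid/save/ARCHIVE.ZIP.zip\\.RunServer.exe" file.',
    '31/10/2009 13:20:00   SYSTEM   1664   Sign of "Win32:Trojan-gen" '
    'has been found in "C:\\Users\\me\\Downloads\\tool.exe" file.',
]

LOG_RE = re.compile(
    r'^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2})\s+\S+\s+(?P<pid>\d+)\s+'
    r'Sign of "(?P<name>[^"]+)" has been found in "(?P<path>[^"]+)" file\.$'
)

@dataclass
class Detection:
    timestamp: str
    pid: int
    name: str             # detection name, e.g. Win32:Spyware-gen [Spy]
    container: str        # the file or URL avast scanned
    inner: Optional[str]  # member inside an archive, if avast reported one
    remote: bool          # True when the container is a URL (web shield hit)

def parse_avast_line(line: str) -> Optional[Detection]:
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    # avast appends "\." plus the member name when the hit is inside an archive.
    # Split on the LAST separator so a dotted directory earlier in a path is not
    # mistaken for the archive boundary.
    if "\\." in path:
        container, inner = path.rsplit("\\.", 1)
    else:
        container, inner = path, None
    return Detection(
        timestamp=f"{m.group('date')} {m.group('time')}",
        pid=int(m.group("pid")),
        name=m.group("name"),
        container=container,
        inner=inner,
        remote=container.lower().startswith(("http://", "https://")),
    )

def parse_avast_log(lines):
    """Parse every well-formed line; lines in another format are skipped."""
    return [d for d in map(parse_avast_line, lines) if d is not None]
```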

Offline polonus
Re: Virus
« Reply #7 on: October 31, 2009, 11:35:36 PM »
Hi spgSCOTT,

Good observation there even in alerting avast will keep the flak off, ta...

I think the malware is this:
http://www.prevx.com/filenames/X263214202504027998-X1/RUNSERVER.EXE.html

And it became flagged because there was an SC keylog dropper hidden....
compile.exe and runserver.exe are both infected with an SC keylog dropper; a nice attempt from the malcreant to hide it from virus scanners by password-protecting and encrypting the zip file...

See the malcode cocktail here:

[ Changes to filesystem ]
* Creates directory C:.
* Creates directory C:\WINDOWS.
* Creates directory C:\WINDOWS\TEMP.
* Deletes file C:\WINDOWS\TEMP\open8999.tmp.
* Creates file C:\WINDOWS\TEMP\compile.bat.
* Creates file C:\WINDOWS\TEMP\zzzz.exe.
* Creates file C:\WINDOWS\SYSTEM32\iexplorer.exe.
* Creates file C:\WINDOWS\SYSTEM32\iexplorer.dll.

[ Changes to registry ]
* Creates key "HKLM\Software\Microsoft".
* Creates key "HKLM\Software\Microsoft\Windows".
* Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion".
* Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Sets value "iexplorer"="C:\WINDOWS\SYSTEM32\iexplorer.exe " in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".

[ Process/window information ]
* Attemps to open C:\WINDOWS\TEMP\compile.bat C:\WINDOWS\TEMP\.
* Attemps to open C:\WINDOWS\TEMP\zzzz.exe C:\WINDOWS\TEMP\.
* Attemps to open C:\WINDOWS\SYSTEM32\iexplorer.exe NULL.

[ Signature Scanning ]
* C:\WINDOWS\TEMP\compile.bat (59 bytes) : no signature detection.
* C:\WINDOWS\TEMP\zzzz.exe (78022 bytes) : W32/SCKeyLog.V.


pol
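Added example, not from the thread or from any sandbox vendor: a parser for the report layout polonus pasted above that ties each Run-key autostart entry back to whether the sample dropped that file and what the signature scan said about it. The report text is a constructed excerpt in the same layout (the trailing space the report shows inside the Run value is kept on purpose).

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of the sandbox report quoted above.
SAMPLE_REPORT = r"""
[ Changes to filesystem ]
* Creates file C:\WINDOWS\TEMP\zzzz.exe.
* Creates file C:\WINDOWS\SYSTEM32\iexplorer.exe.
[ Changes to registry ]
* Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Sets value "iexplorer"="C:\WINDOWS\SYSTEM32\iexplorer.exe " in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
[ Signature Scanning ]
* C:\WINDOWS\TEMP\zzzz.exe (78022 bytes) : W32/SCKeyLog.V.
* C:\WINDOWS\SYSTEM32\iexplorer.exe (78022 bytes) : no signature detection.
"""

SECTION_RE = re.compile(r"^\[ (.+?) \]$")
CREATES_RE = re.compile(r"^\* Creates file (.+)\.$")
SETVAL_RE = re.compile(r'^\* Sets value "([^"]+)"="([^"]*)" in key "([^"]+)"\.$')
SIG_RE = re.compile(r"^\* (.+?) \(\d+ bytes\) : (.+)\.$")
AUTOSTART_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")

def parse_sandbox_report(text):
    """Group bullets by section; pull out dropped files, autostart entries and verdicts."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif line and current:
            sections[current].append(line)
    dropped = [m.group(1) for l in sections["Changes to filesystem"] if (m := CREATES_RE.match(l))]
    verdicts = {m.group(1): m.group(2) for l in sections["Signature Scanning"] if (m := SIG_RE.match(l))}
    autostart = []
    for line in sections["Changes to registry"]:
        m = SETVAL_RE.match(line)
        if m and m.group(3).lower().endswith(AUTOSTART_KEYS):
            # strip() removes the stray trailing space the report prints inside the value
            autostart.append((m.group(1), m.group(2).strip(), m.group(3)))
    return {"dropped": dropped, "autostart": autostart, "verdicts": verdicts}

def persistence_findings(report):
    """One finding per autostart entry, cross-referenced with the other two sections."""
    return [
        {"value": name, "path": path, "key": key,
         "dropped_by_sample": path in report["dropped"],
         "verdict": report["verdicts"].get(path, "not scanned")}
        for name, path, key in report["autostart"]
    ]
```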

spg SCOTT
Re: Virus
« Reply #8 on: October 31, 2009, 11:50:48 PM »
Hi spgSCOTT,

Good observation there even in alerting avast will keep the flak off, ta...
No problem :)

Quote
nice attempt from the malcreant to hide it from virus scanners by password protecting and encrypting the zip file...

Well, that worked... ;)