Avast WEBforum

Other => Viruses and worms => Topic started by: 10nico on October 03, 2006, 11:31:33 AM

Title: New virus/trojan
Post by: 10nico on October 03, 2006, 11:31:33 AM
I've just found a new trojan on some of our pcs:

It keeps opening the iexplore.exe process, in fact the only symptom is that the Avast! popup blocker keeps opening and closing.
It creates the following files:

1 *.exe in the user's IE temporary files
2 "some numbers".exe in WINNT (or WINDOWS) folder
3 service32.exe in WINNT\System32 folder
4 syst32.dll in WINNT\System32 folder

It is currently identified as: (from jotty's page)

AntiVir        Found Trojan/Click.Small.FU.4
ArcaVir       Found Trojan.Clicker.Small.Mc
Avast          Found nothing
AVG Antivirus       Found Clicker.DCH
BitDefender       Found Trojan.Clicker.Small.FU
ClamAV          Found nothing
Dr.Web          Found nothing
F-Prot Antivirus   Found W32/Downloader.AFSM@dr
Fortinet       Found W32/Dloader.ECW!tr
Kaspersky Anti-Virus    Found Trojan-Clicker.Win32.Small.mc
NOD32          Found nothing
Norman Virus Control    Found W32/W.B
UNA          Found nothing
VirusBuster       Found nothing
VBA32          Found Trojan-Clicker.Win32.Small.mc

Plus I can add that we found it using VirIt Explorer and it detects it as Win32.Small.NE

I'm sending it to virus@avast.com

Thank you all
Title: Re: New virus/trojan
Post by: DavidR on October 03, 2006, 02:47:47 PM
I suggest you try VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/xhtml/index_en.html) as this uses the windows version of avast, which includes more unpackers and has 27 different scanners.

What I find strange is that Jotti finds nothing with avast yet your comment is possibly at odds with that.
Quote
It keeps opening the iexplore.exe process, in fact the only symptom is that the Avast! popup blocker keeps opening and closing.

avast doesn't have a pop-up blocker unless you are talking about something different (behaviour Blocker if you have been tweaking avast, see image) can you be more specific or post a screenshot of it.

In any case zipping and password protecting the attachment and sending the sample to avast as you have done is advisable.
Title: Re: New virus/trojan
Post by: 10nico on October 03, 2006, 03:20:12 PM
OPS!
I *wrote* popup blocker but i *meant* script blocker (the one that opens up when you open IE).

Sorry
Title: Re: New virus/trojan
Post by: DavidR on October 03, 2006, 03:33:14 PM
If malware is getting into your system32 folder then it needs permission to do this. So some preventative measures might be in order.

Whilst browsing or collecting email, etc. if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can reap havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.

Title: Re: New virus/trojan
Post by: 10nico on October 03, 2006, 03:45:34 PM
The curious thing is that the clients where I found the trojan are all corporate pcs , and the users are only members of the Power Users group and have all M$ patches already applied...

Not exactly the most attracting situation for malware...

Bye
       Michele
Title: Re: New virus/trojan
Post by: 10nico on October 10, 2006, 02:36:51 PM
Just a little comforting update:

with today's VPS 0641-0 the trojan is finally detected as:

Win32:Agent-CAA [Trj]

Not too bad since I sent the sample only a week ago  ;)

Goodbye!
        Michele