Avast WEBforum
Other => Viruses and worms => Topic started by: 10nico on October 03, 2006, 11:31:33 AM
-
I've just found a new trojan on some of our pcs:
It keeps opening the iexplore.exe process, in fact the only symptom is that the Avast! popup blocker keeps opening and closing.
It creates the following files:
1. *.exe in the user's IE temporary files
2. "some numbers".exe in the WINNT (or WINDOWS) folder
3. service32.exe in the WINNT\System32 folder
4. syst32.dll in the WINNT\System32 folder
It is currently identified as (from Jotti's page):
AntiVir Found Trojan/Click.Small.FU.4
ArcaVir Found Trojan.Clicker.Small.Mc
Avast Found nothing
AVG Antivirus Found Clicker.DCH
BitDefender Found Trojan.Clicker.Small.FU
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found W32/Downloader.AFSM@dr
Fortinet Found W32/Dloader.ECW!tr
Kaspersky Anti-Virus Found Trojan-Clicker.Win32.Small.mc
NOD32 Found nothing
Norman Virus Control Found W32/W.B
UNA Found nothing
VirusBuster Found nothing
VBA32 Found Trojan-Clicker.Win32.Small.mc
Plus I can add that we found it using VirIt Explorer, which detects it as Win32.Small.NE.
I'm sending it to virus@avast.com
Thank you all
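As an added example (not part of the original post), a small triage helper that flags the four file-name indicators listed above in a directory listing; the sample paths below are constructed, not taken from an infected machine.

```python
import re
from pathlib import PureWindowsPath

# File-name indicators reported in the thread. Only names were given, no hashes,
# so this is a triage aid that flags candidates for closer inspection.
SYSTEM32_NAMES = {"service32.exe", "syst32.dll"}
NUMERIC_EXE = re.compile(r"^[0-9]+\.exe$")
WINDOWS_DIRS = {"winnt", "windows"}


def classify(path_str):
    """Return a description of the matched indicator for one Windows path,
    or None when nothing matches. Comparison is case-insensitive, as NTFS is."""
    p = PureWindowsPath(path_str)
    parts = [s.lower() for s in p.parts]
    if p.anchor:
        parts = parts[1:]  # drop the drive or UNC root, keep directories only
    if not parts:
        return None
    name, dirs = parts[-1], parts[:-1]
    if "temporary internet files" in dirs and name.endswith(".exe"):
        return "executable in IE Temporary Internet Files"
    if len(dirs) == 1 and dirs[0] in WINDOWS_DIRS and NUMERIC_EXE.match(name):
        return "numeric-named .exe directly in the Windows folder"
    if (len(dirs) == 2 and dirs[0] in WINDOWS_DIRS and dirs[1] == "system32"
            and name in SYSTEM32_NAMES):
        return f"{name} in System32"
    return None


def triage(paths):
    """Map each suspicious path to the reason it was flagged; clean paths are omitted."""
    return {path: reason for path in paths if (reason := classify(path))}


# Constructed sample listing (not from a real machine): legitimate Windows
# files mixed with the names reported in the thread.
IE_CACHE = r"C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234"
SAMPLE_PATHS = [
    r"C:\WINNT\System32\service32.exe",
    r"C:\WINNT\System32\syst32.dll",
    r"C:\WINNT\4817263.exe",
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINNT\System32\services.exe",
    IE_CACHE + r"\setup[1].exe",
    IE_CACHE + r"\logo[1].gif",
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_PATHS).items():
        print(f"{reason}: {path}")
```

A real listing would come from `dir /s /b` over the Windows folder and the user profile; a name match is only a reason to pull the file for scanning, not proof of infection.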
-
I suggest you try VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/xhtml/index_en.html) as this uses the windows version of avast, which includes more unpackers and has 27 different scanners.
What I find strange is that Jotti finds nothing with avast yet your comment is possibly at odds with that.
It keeps opening the iexplore.exe process, in fact the only symptom is that the Avast! popup blocker keeps opening and closing.
avast doesn't have a pop-up blocker unless you are talking about something different (the Behaviour Blocker, if you have been tweaking avast, see image). Can you be more specific or post a screenshot of it?
In any case zipping and password protecting the attachment and sending the sample to avast as you have done is advisable.
-
Oops!
I *wrote* popup blocker but I *meant* script blocker (the one that opens up when you open IE).
Sorry
-
If malware is getting into your system32 folder then it needs permission to do this. So some preventative measures might be in order.
Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first day virus, etc.
Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.
-
The curious thing is that the clients where I found the trojan are all corporate PCs, and the users are only members of the Power Users group and have all M$ patches already applied...
Not exactly the most attractive situation for malware...
Bye
Michele
-
Just a little comforting update:
with today's VPS 0641-0 the trojan is finally detected as:
Win32:Agent-CAA [Trj]
Not too bad since I sent the sample only a week ago ;)
Goodbye!
Michele