Author Topic: Win32:Medbot-AM  (Read 4334 times)


Fib

  • Guest
Win32:Medbot-AM
« on: November 04, 2006, 02:36:43 AM »
Hi,

My warning log contains:

03/11/2006   21:23:12   1162585392   SYSTEM   1772   Sign of "Win32:Medbot-AM [Trj]" has been found in "C:\Documents and Settings\All Users\Documents\setup.exe\[UPX]" file. 

and I found a file named "autorun.inf" in the shared folder containing the lines :
[autorun]
open=setup.exe
icon=setup.exe,0

The modification date of the file was 21:22, and when I was warned by Avast, I suppressed the setup.exe file.
I can't know whether the exe file may have been executed on my machine, can I?

I tried to get more information on this "trojan" and searched the web for a description... unsuccessfully.

I removed the right to write in the "Shared Documents" folder.

I am trying to understand how my computer was infected: I was running "Google" in IE and a 3D navigator called ActiveWorlds. Can a simple web page install a Setup?

What are the effects of this trojan if the setup is run?

I don't know in which cases the autorun file can launch the setup file: is it when I open the folder, or when another computer tries to connect a drive to this folder?

Help would be appreciated.

Fib

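As an added illustration (not part of the thread), the two artifacts Fib posted can be checked together: the avast warning line names the detected file and the `\[UPX]` unpacker layer avast appends to the path, and the autorun.inf names the file it would launch. The example below (constructed sample data taken from the post; the autorun key handling also covers `shellexecute=` and `shell\...\command=`, which the thread does not mention) flags an autorun.inf in the same folder that points at the detected executable.

```python
import configparser  # autorun.inf is INI-style: a [autorun] section with key=value lines
import re
from pathlib import PureWindowsPath

# Constructed samples, copied from the forum post above.
AVAST_LOG = (r'03/11/2006   21:23:12   1162585392   SYSTEM   1772   Sign of "Win32:Medbot-AM [Trj]" '
             r'has been found in "C:\Documents and Settings\All Users\Documents\setup.exe\[UPX]" file.')
AUTORUN_INF = "[autorun]\nopen=setup.exe\nicon=setup.exe,0\n"

LOG_RE = re.compile(r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file')
AUTOSTART_KEYS = ("open", "shellexecute")  # keys whose value is a program to run

def parse_avast_line(line):
    """Return (signature, file path, packer) from an avast 4 warning-log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    path = m.group("path")
    packer = None
    tail = re.search(r'\\\[(\w+)\]$', path)  # trailing "\[UPX]" is the unpacker layer, not a file
    if tail:
        packer = tail.group(1)
        path = path[:tail.start()]
    return m.group("sig"), path, packer

def suspicious_autorun_targets(inf_text):
    """Return the program names an autorun.inf would launch (open=, shellexecute=, shell\\*\\command=)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.lower  # autorun.inf keys are case-insensitive
    cp.read_string(inf_text)
    targets = []
    if cp.has_section("autorun"):
        for key, value in cp.items("autorun"):
            if key in AUTOSTART_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                targets.append(value.split()[0].strip('"'))  # drop arguments and quoting
    return targets

def correlate(log_line, inf_text):
    """Tie an avast detection to an autorun.inf found beside it."""
    parsed = parse_avast_line(log_line)
    if parsed is None:
        return None
    sig, path, packer = parsed
    detected = PureWindowsPath(path)
    hits = [t for t in suspicious_autorun_targets(inf_text) if t.lower() == detected.name.lower()]
    return {"signature": sig, "file": str(detected), "packer": packer,
            "folder": str(detected.parent), "autorun_launches_detected_file": bool(hits)}
```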

Spiritsongs

  • Guest
Re: Win32:Medbot-AM
« Reply #1 on: November 04, 2006, 02:54:41 AM »
:) Hi Fib:

I feel it would be best to get a "2nd Opinion" by running scans of a couple of reliable antiSPYWARE/antiTROJAN programs; do you have those kinds of programs on your computer? If yes, what have their scan results shown? If you do NOT have such a program, I recommend you use the "FREE" version of "SUPERantispyware" from www.superantispyware.com.

It is ALWAYS wise to mention the NAME of your Operating System, though the "Win32" I saw implies it is probably Windows XP!?

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Win32:Medbot-AM
« Reply #2 on: November 04, 2006, 12:36:20 PM »
Hi Fib,

In virtual world games like ActiveWorlds, cybercrime is becoming a problem: thieves try to steal your virtual possessions, money, etc. and sell them to other players of the game.

See this story here:

http://www.f-secure.com/weblog/archives/archive-102006.html#00000987

It seems the same thing is also happening in ActiveWorlds:

http://www.cyberwolfman.com/awttrojn.htm

http://www.cyberwolfman.com/awtcrack.htm

https://www.activeworlds.com/help/file_transfer.html

I suspect someone has passed you a password stealing bot through ActiveWorlds.

There's no specific information on Medbot-AM I can find, except that it is a backdoor:

http://www.viruslist.com/en/viruses/encyclopedia?virusid=119316

But a backdoor program would allow a hacker to steal information including your password.

This is probably a variant of previous Medbots:

http://www.sophos.com/security/analyses/trojmedbote.html

The effects would be as described in the Sophos write-up, i.e. 'functionality to access the internet and communicate with a remote server via HTTP.' In other words, the malware can steal information and send it to the person who placed it on your computer.

autorun.inf is usually used to auto-start a program on a CD: I guess this is some sort of attempt to auto-start the malware.

Looks like avast! saved your bacon here!

In future, heed the advice from ActiveWorlds:

Quote
Be aware that damaging programs such as computer viruses can be communicated to your computer from other users by sending files. For this reason, if you are offered a file from someone you do not know and trust very well, you are strongly encouraged to reject the file!

In particular, never run executable programs (e.g. files ending in the .exe extension) sent to you by another user. Once running, executable programs can do anything to your computer, including (for example) deleting your entire hard disk!

A good free program to double check with would be a-Squared:

http://www.emsisoft.com/en/software/free/
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Fib

  • Guest
Re: Win32:Medbot-AM
« Reply #3 on: November 04, 2006, 03:44:13 PM »
Thank you for your responses and advice.
Note that I never run .exe files from any unknown source, and I am very careful with mail...
That's why I didn't understand how a malware could have been copied to this folder.

I ran Windows Defender and did a full scan: all seems good.
I will try a-Squared.

Avast 4 and Windows Defender seem to be able to run both at the same time;
is there any incompatibility between them?

Thank you,
Fib


Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Win32:Medbot-AM
« Reply #4 on: November 04, 2006, 06:22:57 PM »
I never had any problem with Windows Defender and avast!

You may want to use your firewall to block FTP traffic with other users of ActiveWorlds, if you do not actually need to transfer files.

ayal

  • Guest
Re: Win32:Medbot-AM
« Reply #5 on: November 06, 2006, 07:30:21 PM »
Hi

My system is already infected with this trojan Medbot-AM.
Avast finds many infected files, they keep popping up,
and Avast can't stop them so far.
What can I do, please?

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Win32:Medbot-AM
« Reply #6 on: November 06, 2006, 07:44:11 PM »
Hi ayal,

Have you tried a boot time scan with avast!?

You could also try these free scanners:

DrWeb CureIT!:

http://download.drweb.com/drweb+cureit/

a-Squared free:

http://www.emsisoft.com/en/software/free/

ayal

  • Guest
Re: Win32:Medbot-AM
« Reply #7 on: November 06, 2006, 08:23:17 PM »
Thank you for your reply.

I've tried the Square thing, it didn't find it,
and the CureIT I can't download for some reason.

I'm going to format this whole comp tomorrow....

I won't have someone play around with it.

Thank you again,
and for future reference, this trojan is one hell of a trojan:
it sits very strongly connected with System Restore
and System Volume Information,
and Windows sys32, via the printer share on the LAN.

From what I can see, with my very limited computer knowledge.

Peace.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89222
  • No support PMs thanks
Re: Win32:Medbot-AM
« Reply #8 on: November 06, 2006, 08:27:55 PM »
When you do get up and running again, you might also consider proactive protection: in order to place files in the system folders and create registry entries, you need permission. Prevention is much better and theoretically easier than cure.

Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security