Author Topic: 365 infected files in sysWOW64 -- HELP!  (Read 15688 times)


nogoodreason (Guest)
365 infected files in sysWOW64 -- HELP!
« on: June 16, 2008, 11:56:36 AM »
Hey guys

I have a *serious* problem.  Up until last night my PC had never had a single virus, yet all of a sudden this happens:



Full size image: http://www.flickr.com/photos/nogoodreason/2583755820/sizes/o/

While Avast reports it moved most (but not all) successfully to the virus chest, I really don't believe the problem's gone for good.  I started emailing the infected files to Avast, but gave up after I realised there were 365 of them!

Erm...  help??  :'(

FreewheelinFrank (Avast Evangelist)
Re: 365 infected files in sysWOW64 -- HELP!
« Reply #1 on: June 16, 2008, 01:36:38 PM »
Extract 1.exe, 2.exe and aajxit.exe (or one of the other files detected as Win32:DCom-F [Expl]) from the chest to the desktop, temporarily disable avast! and send the files to VirusTotal.

Post the results here.

If other AVs are detecting the files, then it's probably a real detection; if avast! seems to be the only one, see the thread below.


How to deal with false positives: [Mini Sticky] False Positives
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog
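FreewheelinFrank's rule of thumb above (only avast! flagging a file suggests a false positive; several engines agreeing suggests a real detection) can be applied mechanically to the plain-text result table VirusTotal produced at the time. The Python below is an added example, not code from the thread or from VirusTotal; the sample rows are constructed from the tables pasted later in the thread, and the family-token heuristic is an assumption of this example, not something the thread describes.

```python
import re
from collections import Counter

# Constructed sample in the 2008 VirusTotal plain-text layout:
# "Antivirus   Version   Last Update   Result", one engine per line,
# "-" meaning no detection. Rows are taken from the thread's 1.exe table,
# trimmed to keep the sample short.
SAMPLE_1EXE = """\
Antivirus    Version    Last Update    Result
AhnLab-V3   2008.6.13.1   2008.06.16   -
AntiVir   7.8.0.55   2008.06.16   TR/Proxy.Horst.aae.11
Avast   4.8.1195.0   2008.06.15   Win32:Horst-AAE
AVG   7.5.0.516   2008.06.16   -
Kaspersky   7.0.0.125   2008.06.16   -
Symantec   10   2008.06.16   Trojan.Horst
"""

# Constructed counter-example: only avast! reports anything.
SAMPLE_ONLY_AVAST = """\
Antivirus    Version    Last Update    Result
Avast   4.8.1195.0   2008.06.15   Win32:Example-X
AVG   7.5.0.516   2008.06.16   -
Kaspersky   7.0.0.125   2008.06.16   -
"""

# engine, version, update date (YYYY.MM.DD), result; columns separated by 2+ spaces
ROW = re.compile(r"^(\S+)\s{2,}(\S+)\s{2,}(\d{4}\.\d{2}\.\d{2})\s{2,}(.+?)\s*$")

# Tokens that name a category rather than a family; ignored when comparing names.
NOISE = {"win32", "w32", "trojan", "worm", "backdoor", "generic", "variant",
         "probably", "malware", "suspicious", "proxy", "dropper", "cloaked"}


def parse_vt_table(text):
    """Return (engine, version, update, result) tuples; result is None for '-'."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, blank lines and page residue do not match
        engine, version, update, result = m.groups()
        rows.append((engine, version, update, None if result == "-" else result))
    return rows


def detection_ratio(rows):
    """Hits and total, the figures VirusTotal prints as 'Result: 14/33'."""
    hits = sum(1 for r in rows if r[3] is not None)
    return hits, len(rows)


def verdict(rows, own_engine="Avast"):
    """The thread's rule of thumb, applied to the parsed table."""
    flagging = {engine for engine, _, _, result in rows if result is not None}
    if not flagging:
        return "clean"
    if flagging == {own_engine}:
        return "possible false positive"  # only avast!: submit the sample for review
    return "likely real detection"


def family_hints(rows):
    """Count family-like name tokens across engines (e.g. 'horst' for 1.exe).

    Heuristic assumed for this example: engines use different naming schemes,
    but a token shared by several result names is usually the family.
    """
    counts = Counter()
    for _, _, _, result in rows:
        if result is None:
            continue
        for tok in re.findall(r"[A-Za-z]{4,}", result):
            if tok.lower() not in NOISE:
                counts[tok.lower()] += 1
    return counts


if __name__ == "__main__":
    for name, text in (("1.exe", SAMPLE_1EXE), ("only-avast", SAMPLE_ONLY_AVAST)):
        rows = parse_vt_table(text)
        hits, total = detection_ratio(rows)
        print(f"{name}: {hits}/{total} -> {verdict(rows)}; families {family_hints(rows).most_common(2)}")
```

Pasting a full table from the thread in place of the constructed sample works the same way, since the parser ignores the surrounding page residue.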

Maxx_original (Moderator)
Re: 365 infected files in sysWOW64 -- HELP!
« Reply #2 on: June 16, 2008, 01:51:49 PM »
the names are randomly generated.. that's suspicious... the detection is right imho..

nogoodreason (Guest)
Re: 365 infected files in sysWOW64 -- HELP!
« Reply #3 on: June 16, 2008, 04:41:26 PM »
1.exe: 
VirusTotal reports 'virus has already been analysed', but interestingly enough it shows up on my desktop as the likely culprit... a keygen I downloaded last night!  The keygen was on an entirely separate hard drive, so it could only have wound up in the Windows folder if there was something evil lurking inside it.


Result: 14/33 (42.43%)
Antivirus    Version    Last Update    Result
AhnLab-V3   2008.6.13.1   2008.06.16   -
AntiVir   7.8.0.55   2008.06.16   TR/Proxy.Horst.aae.11
Authentium   5.1.0.4   2008.06.16   -
Avast   4.8.1195.0   2008.06.15   Win32:Horst-AAE
AVG   7.5.0.516   2008.06.16   -
BitDefender   7.2   2008.06.16   -
CAT-QuickHeal   9.50   2008.06.14   TrojanProxy.Horst.aae
ClamAV   0.93.1   2008.06.16   -
DrWeb   4.44.0.09170   2008.06.16   BackDoor.PcClient.571
eSafe   7.0.15.0   2008.06.15   suspicious Trojan/Worm
eTrust-Vet   31.6.5878   2008.06.16   -
Ewido   4.0   2008.06.16   -
F-Prot   4.4.4.56   2008.06.12   -
F-Secure   6.70.13260.0   2008.06.16   -
Fortinet   3.14.0.0   2008.06.16   -
GData   2.0.7306.1023   2008.06.16   Win32:Horst-AAE
Ikarus   T3.1.1.26.0   2008.06.16   Trojan-Proxy.Win32.Horst.aae
Kaspersky   7.0.0.125   2008.06.16   -
McAfee   5317   2008.06.13   -
Microsoft   1.3604   2008.06.16   -
NOD32v2   3191   2008.06.16   -
Norman   5.80.02   2008.06.16   -
Panda   9.0.0.4   2008.06.15   -
Prevx1   V2   2008.06.16   Cloaked Malware
Rising   20.49.02.00   2008.06.16   -
Sophos   4.30.0   2008.06.16   Mal/Generic-A
Sunbelt   3.0.1153.1   2008.06.15   Trojan-Proxy.Horst.aae.11
Symantec   10   2008.06.16   Trojan.Horst
TheHacker   6.2.92.351   2008.06.16   -
TrendMicro   8.700.0.1004   2008.06.16   PAK_Generic.001
VBA32   3.12.6.7   2008.06.16   Trojan-Proxy.Win32.Horst.aae
VirusBuster   4.3.26:9   2008.06.12   -
Webwasher-Gateway   6.6.2   2008.06.16   Trojan.Proxy.Horst.aae.11
Additional information
File size: 148992 bytes
MD5...: 9d2a457ca634cd7de847a73cf1dc46b9
SHA1..: de58f47844c499b8af581daa5046f04e95e379cd
SHA256: 42ec9d8838c1d6f60a035add58500d0c046f95bf3e02b6bf13d96cf4ae090ff6
SHA512: fd81eda96dfc10dbe3b5b019708850658ce9fd78a5856b85601a2bb8ecaf641b6c00cf350932463b3db4b87b17543bdb6e0430f64e1894a2555d6bc4f6e093a9
PEiD..: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4465e0
timedatestamp.....: 0x46290412 (Fri Apr 20 18:18:58 2007)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x3a000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x3b000 0xc000 0xb800 7.93 87e040c7b6910cafeb99a953f13ba121
.rsrc 0x47000 0x19000 0x18a00 4.54 f1f7c03fee24d71e4516d0d29a4ab293

( 5 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, ExitProcess
> COMCTL32.dll: -
> MFC42.DLL: -
> MSVCRT.dll: exit
> USER32.dll: IsIconic

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=078B554E005ABE4F465B02DB7C10BB003A120027
packers (Kaspersky): PE_Patch.UPX, UPX
packers (F-Prot): UPX

2.exe:

Antivirus     Version     Last Update     Result
AhnLab-V3   2008.6.13.1   2008.06.16   Dropper/Xema.215154
AntiVir   7.8.0.55   2008.06.16   TR/Crypt.XPACK.Gen
Authentium   5.1.0.4   2008.06.16   W32/Backdoor.BUXL
Avast   4.8.1195.0   2008.06.15   Win32:VB-FFZ
AVG   7.5.0.516   2008.06.16   Dropper.Generic.PJX
BitDefender   7.2   2008.06.16   Trojan.Dropper.VB.AAM
CAT-QuickHeal   9.50   2008.06.14   -
ClamAV   0.93.1   2008.06.16   Trojan.Dropper-4959
DrWeb   4.44.0.09170   2008.06.16   Trojan.MulDrop.12129
eSafe   7.0.15.0   2008.06.15   -
eTrust-Vet   31.6.5878   2008.06.16   -
Ewido   4.0   2008.06.16   Dropper.VB.rl
F-Prot   4.4.4.56   2008.06.12   W32/Backdoor.BUXL
F-Secure   6.70.13260.0   2008.06.16   Trojan-Dropper.Win32.VB.ud
Fortinet   3.14.0.0   2008.06.16   W32/VB.UD!tr
GData   2.0.7306.1023   2008.06.16   Trojan-Dropper.Win32.VB.ud
Ikarus   T3.1.1.26.0   2008.06.16   MemScanTrojan.Dropper.VB.AAM
Kaspersky   7.0.0.125   2008.06.16   Trojan-Dropper.Win32.VB.ud
McAfee   5317   2008.06.13   BackDoor-CEP.gen.b
Microsoft   1.3604   2008.06.16   TrojanDropper:Win32/Agent
NOD32v2   3191   2008.06.16   probably a variant of Win32/TrojanDropper.VB
Norman   5.80.02   2008.06.16   W32/Smalldrp.MRA
Panda   9.0.0.4   2008.06.15   Suspicious file
Prevx1   V2   2008.06.16   Cloaked Malware
Rising   20.49.02.00   2008.06.16   Dropper.Win32.VB.rl
Sophos   4.30.0   2008.06.16   Troj/Dropper-SM
Sunbelt   3.0.1153.1   2008.06.15   Trojan-Dropper.VB.AAM
Symantec   10   2008.06.16   Trojan Horse
TheHacker   6.2.92.351   2008.06.16   Trojan/Dropper.Small.azv
TrendMicro   8.700.0.1004   2008.06.16   TROJ_DROPPER.NAJ
VBA32   3.12.6.7   2008.06.16   Trojan-Dropper.Win32.VB.ud
VirusBuster   4.3.26:9   2008.06.12   Trojan.DR.VB.AAZW
Webwasher-Gateway   6.6.2   2008.06.16   Trojan.Crypt.XPACK.Gen
Additional information
File size: 366732 bytes
MD5...: 643e2e6764770cc94691a88ac2e23562
SHA1..: 572e60e065320fe39b191b3212b8e5a224c5770e
SHA256: 41ef20fb23860363ac5c4d0449fe793608a668074ac836e5fa43b2ed27e15310
SHA512: c3617ba9fffca77fd7fef8af1b380e87450762dd39af71396d8bc866ae3e57cc150ee346fba923cf8569f953264add9c12d09e3ee6b9f6b174b383e61fc7e54f
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4014f4
timedatestamp.....: 0x46c84758 (Sun Aug 19 13:36:24 2007)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x3c98 0x4000 5.57 62ce940b63ddc00724558ebb1a2777c9
.data 0x5000 0xab4 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110
.rsrc 0x6000 0x10 0x1000 0.01 a85d039edc3540b108709278812b252a

( 1 imports )
> MSVBVM60.DLL: EVENT_SINK_GetIDsOfNames, _CIcos, _adj_fptan, __vbaVarMove, -, __vbaAryMove, __vbaFreeVar, __vbaLenBstr, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, __vbaPut3, _adj_fdiv_m64, EVENT_SINK_Invoke, __vbaRaiseEvent, __vbaFreeObjList, _adj_fprem1, __vbaI2Abs, __vbaStrCat, __vbaHresultCheckObj, _adj_fdiv_m32, -, __vbaAryVar, Zombie_GetTypeInfo, __vbaAryDestruct, __vbaExitProc, __vbaOnError, __vbaObjSet, -, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, -, _CIsin, __vbaErase, -, -, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaGet3, __vbaPutOwner3, __vbaI2I4, __vbaLbound, __vbaRedimPreserve, _adj_fpatan, Zombie_GetTypeInfoCount, __vbaRedim, EVENT_SINK_Release, __vbaNew, -, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, -, _adj_fprem, _adj_fdivr_m64, -, __vbaFPException, -, __vbaGetOwner3, __vbaStrVarVal, __vbaUbound, __vbaVarCat, _CIlog, __vbaErrorOverflow, __vbaFileOpen, -, __vbaVar2Vec, __vbaNew2, -, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, -, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, -, -, __vbaVarDup, -, __vbaVarCopy, _CIatan, __vbaStrMove, __vbaAryCopy, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=5A33E9248C337F66981305294FCA9B0010825BC9


nogoodreason (Guest)
Re: 365 infected files in sysWOW64 -- HELP!
« Reply #4 on: June 16, 2008, 04:42:42 PM »

aajxit.exe:

Result: 31/33 (93.94%)
Antivirus    Version    Last Update    Result
AhnLab-V3   2008.6.13.1   2008.06.16   Win32/IRCBot.worm.Gen
AntiVir   7.8.0.55   2008.06.16   Worm/Rbot.210944
Authentium   5.1.0.4   2008.06.16   W32/Ircbot.1!Generic
Avast   4.8.1195.0   2008.06.15   Win32:DCom-F
AVG   7.5.0.516   2008.06.16   BackDoor.Agent.11.Y
BitDefender   7.2   2008.06.16   Generic.Malware.G!K!WX!!g.1E3C4782
CAT-QuickHeal   9.50   2008.06.14   Backdoor.Rbot.aea
ClamAV   0.93.1   2008.06.16   Exploit.DCOM.Gen
DrWeb   4.44.0.09170   2008.06.16   Win32.HLLW.MyBot.based
eSafe   7.0.15.0   2008.06.15   -
eTrust-Vet   31.6.5878   2008.06.16   Win32/Rbot!generic
Ewido   4.0   2008.06.16   Backdoor.Rbot.aea
F-Prot   4.4.4.56   2008.06.12   W32/Ircbot.1!Generic
F-Secure   6.70.13260.0   2008.06.16   W32/Backdoor
Fortinet   3.14.0.0   2008.06.16   -
GData   2.0.7306.1023   2008.06.16   Backdoor.Win32.Rbot.aea
Ikarus   T3.1.1.26.0   2008.06.16   Backdoor.Win32.Rbot.aeu
Kaspersky   7.0.0.125   2008.06.16   Backdoor.Win32.Rbot.aea
McAfee   5317   2008.06.13   W32/Sdbot.worm.gen.g
Microsoft   1.3604   2008.06.16   Backdoor:Win32/Rbot.gen
NOD32v2   3191   2008.06.16   a variant of Win32/Rbot
Norman   5.80.02   2008.06.16   W32/Backdoor
Panda   9.0.0.4   2008.06.15   W32/Gaobot.gen.worm
Prevx1   V2   2008.06.16   Suspicious
Rising   20.49.02.00   2008.06.16   Backdoor.SdBot.vdd
Sophos   4.30.0   2008.06.16   W32/Rbot-Fam
Sunbelt   3.0.1153.1   2008.06.15   Backdoor.Rbot
Symantec   10   2008.06.16   W32.Spybot.Worm
TheHacker   6.2.92.351   2008.06.16   W32/SdBot.worm.gen
TrendMicro   8.700.0.1004   2008.06.16   WORM_SPYBOT.GEN
VBA32   3.12.6.7   2008.06.16   suspected of Backdoor.xBot.1 (paranoid heuristics)
VirusBuster   4.3.26:9   2008.06.12   Worm.RBot.Gen.5
Webwasher-Gateway   6.6.2   2008.06.16   Worm.Rbot.210944
Additional information
File size: 337999 bytes
MD5...: f14f8ea00d6cf22025bf6f6e81d892f5
SHA1..: 3fb657e6c7acdc7893db6ce3558faceb838525e3
SHA256: 395af7da8e737c4441c2e6dc4850a37614d63862d0b62dedb82a07f634690739
SHA512: b25b521df00518a4d4881e5d7fa7ce84f0b2e07f3944f10d3ce4cc003cd8fc62353cec9b93ef15faf7f9b0ab182c7e3fa7aa22667c7f01d05cf4d5bd2d5a7967
PEiD..: InstallShield 2000
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4253d0
timedatestamp.....: 0x477b39d1 (Wed Jan 02 07:14:25 2008)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x3ca2f 0x3cc00 6.20 52ed25731b8ca45450dc2318ce63f5a1
.rdata 0x3e000 0x1fa8 0x2000 5.88 d75c06da22bdff01419dd56008734f3f
.data 0x40000 0x3b9e8 0xea00 4.89 e752818b40e1ab8767039d70582c17c5
.idata 0x7c000 0xe8c 0x1000 5.24 5b563fd69393d6427e10e1889e71c0b0
.reloc 0x7d000 0x3c6a 0x3e00 6.59 0b0bc1c8800355df7b892db945cee5d6

( 2 imports )
> USER32.dll: wsprintfA
> KERNEL32.dll: CreateMutexA, SetEnvironmentVariableA, GetLastError, Sleep, CreateThread, GetModuleFileNameA, ExitThread, LeaveCriticalSection, EnterCriticalSection, GetTickCount, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, GetLocalTime, CloseHandle, WriteFile, CreateFileA, ReadFile, SetFilePointer, GetFileSize, GetSystemDirectoryA, MultiByteToWideChar, TransactNamedPipe, QueryPerformanceCounter, QueryPerformanceFrequency, ExitProcess, CreateProcessA, FindClose, FindNextFileA, FindFirstFileA, FreeLibrary, GetEnvironmentVariableW, GetProcAddress, LoadLibraryA, HeapFree, HeapAlloc, GetProcessHeap, FileTimeToSystemTime, FileTimeToLocalFileTime, VirtualQueryEx, ReadProcessMemory, GetSystemInfo, OpenProcess, GetTimeFormatA, GetDateFormatA, GetFileAttributesA, GetModuleHandleA, FormatMessageA, GlobalUnlock, GlobalLock, UnmapViewOfFile, MapViewOfFile, CreateFileMappingA, SetFileTime, GetFileTime, ExpandEnvironmentStringsA, SetFileAttributesA, GetTempPathA, WideCharToMultiByte, GetComputerNameA, CopyFileA, CreateDirectoryA, GetCurrentProcess, TerminateProcess, lstrcpynA, lstrcmpA, lstrcpyA, lstrlenA, DeleteFileA, GetCurrentProcessId, WaitForSingleObject, MoveFileA, TerminateThread, GetExitCodeProcess, PeekNamedPipe, DuplicateHandle, CreatePipe, SetConsoleCtrlHandler, GetLocaleInfoA, GetVersionExA, GetLogicalDrives, WaitForMultipleObjects, GenerateConsoleCtrlEvent, GlobalMemoryStatus, IsBadWritePtr, IsBadReadPtr, HeapValidate, InterlockedDecrement, InterlockedIncrement, RtlUnwind, GetStartupInfoA, GetCommandLineA, GetVersion, DebugBreak, GetStdHandle, OutputDebugStringA, GetCurrentThreadId, TlsSetValue, TlsAlloc, TlsFree, SetLastError, TlsGetValue, GetCurrentThread, InitializeCriticalSection, FatalAppExitA, HeapReAlloc, VirtualFree, VirtualAlloc, GetEnvironmentVariableA, HeapDestroy, HeapCreate, LCMapStringA, LCMapStringW, GetCPInfo, GetACP, GetOEMCP, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, 
GetEnvironmentStringsW, SetHandleCount, GetFileType, GetStringTypeA, GetStringTypeW, SetStdHandle, FlushFileBuffers, IsValidLocale, IsValidCodePage, EnumSystemLocalesA, GetUserDefaultLCID, SetUnhandledExceptionFilter, IsBadCodePtr, SetEndOfFile, GetTimeZoneInformation, GetLocaleInfoW, CompareStringA, CompareStringW

( 0 exports )
Norman Sandbox: [ General information ]
* IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD).
* Locates window "NULL [class mIRC]" on desktop.
* File length: 337999 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\rbraci.exe.
* Deletes file 43.

[ Changes to registry ]
* Creates value "Microsoft Update Machine"="rbraci.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\".
* Creates value "Microsoft Update Machine"="rbraci.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\".
* Creates value "Microsoft Update Machine"="rbraci.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\".

[ Network services ]
* Looks for an Internet connection.
* Connects to "shadow.incomplete-warez.com" on port 6667 (TCP).
* Connects to IRC server.

[ Process/window information ]
* Creates a mutex 11.
* Creates process "rbraci.exe".
* Will automatically restart after boot (I'll be back...).

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=09ADD66E4F92057C280C059D1E36590042F150CE

nogoodreason (Guest)
Re: 365 infected files in sysWOW64 -- HELP!
« Reply #5 on: June 16, 2008, 04:45:53 PM »
tmp.tmp.tmp1:
Only file found in C:\WINDOWS (as opposed to WINDOWS\SysWOW64\)


Result: 31/33 (93.94%)
Antivirus    Version    Last Update    Result
AhnLab-V3   2008.6.13.1   2008.06.16   Win32/IRCBot.worm.Gen
AntiVir   7.8.0.55   2008.06.16   Worm/Rbot.210944
Authentium   5.1.0.4   2008.06.16   W32/Ircbot.1!Generic
Avast   4.8.1195.0   2008.06.15   Win32:DCom-F
AVG   7.5.0.516   2008.06.16   BackDoor.Agent.11.Y
BitDefender   7.2   2008.06.16   Generic.Malware.G!K!WX!!g.1E3C4782
CAT-QuickHeal   9.50   2008.06.14   Backdoor.Rbot.aea
ClamAV   0.93.1   2008.06.16   Exploit.DCOM.Gen
DrWeb   4.44.0.09170   2008.06.16   Win32.HLLW.MyBot.based
eSafe   7.0.15.0   2008.06.15   -
eTrust-Vet   31.6.5878   2008.06.16   Win32/Rbot!generic
Ewido   4.0   2008.06.16   Backdoor.Rbot.aea
F-Prot   4.4.4.56   2008.06.12   W32/Ircbot.1!Generic
F-Secure   6.70.13260.0   2008.06.16   W32/Backdoor
Fortinet   3.14.0.0   2008.06.16   -
GData   2.0.7306.1023   2008.06.16   Backdoor.Win32.Rbot.aea
Ikarus   T3.1.1.26.0   2008.06.16   Backdoor.Win32.Rbot.aeu
Kaspersky   7.0.0.125   2008.06.16   Backdoor.Win32.Rbot.aea
McAfee   5317   2008.06.13   W32/Sdbot.worm.gen.g
Microsoft   1.3604   2008.06.16   Backdoor:Win32/Rbot.gen
NOD32v2   3191   2008.06.16   a variant of Win32/Rbot
Norman   5.80.02   2008.06.16   W32/Backdoor
Panda   9.0.0.4   2008.06.15   W32/Gaobot.gen.worm
Prevx1   V2   2008.06.16   Suspicious
Rising   20.49.02.00   2008.06.16   Backdoor.SdBot.vdd
Sophos   4.30.0   2008.06.16   W32/Rbot-Fam
Sunbelt   3.0.1153.1   2008.06.15   Backdoor.Rbot
Symantec   10   2008.06.16   W32.Spybot.Worm
TheHacker   6.2.92.351   2008.06.16   W32/SdBot.worm.gen
TrendMicro   8.700.0.1004   2008.06.16   WORM_SPYBOT.GEN
VBA32   3.12.6.7   2008.06.16   suspected of Backdoor.xBot.1 (paranoid heuristics)
VirusBuster   4.3.26:9   2008.06.12   Worm.RBot.Gen.5
Webwasher-Gateway   6.6.2   2008.06.16   Worm.Rbot.210944
Additional information
File size: 337999 bytes
MD5...: f14f8ea00d6cf22025bf6f6e81d892f5
SHA1..: 3fb657e6c7acdc7893db6ce3558faceb838525e3
SHA256: 395af7da8e737c4441c2e6dc4850a37614d63862d0b62dedb82a07f634690739
SHA512: b25b521df00518a4d4881e5d7fa7ce84f0b2e07f3944f10d3ce4cc003cd8fc62353cec9b93ef15faf7f9b0ab182c7e3fa7aa22667c7f01d05cf4d5bd2d5a7967
PEiD..: InstallShield 2000
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4253d0
timedatestamp.....: 0x477b39d1 (Wed Jan 02 07:14:25 2008)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x3ca2f 0x3cc00 6.20 52ed25731b8ca45450dc2318ce63f5a1
.rdata 0x3e000 0x1fa8 0x2000 5.88 d75c06da22bdff01419dd56008734f3f
.data 0x40000 0x3b9e8 0xea00 4.89 e752818b40e1ab8767039d70582c17c5
.idata 0x7c000 0xe8c 0x1000 5.24 5b563fd69393d6427e10e1889e71c0b0
.reloc 0x7d000 0x3c6a 0x3e00 6.59 0b0bc1c8800355df7b892db945cee5d6

( 2 imports )
> USER32.dll: wsprintfA
> KERNEL32.dll: CreateMutexA, SetEnvironmentVariableA, GetLastError, Sleep, CreateThread, GetModuleFileNameA, ExitThread, LeaveCriticalSection, EnterCriticalSection, GetTickCount, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, GetLocalTime, CloseHandle, WriteFile, CreateFileA, ReadFile, SetFilePointer, GetFileSize, GetSystemDirectoryA, MultiByteToWideChar, TransactNamedPipe, QueryPerformanceCounter, QueryPerformanceFrequency, ExitProcess, CreateProcessA, FindClose, FindNextFileA, FindFirstFileA, FreeLibrary, GetEnvironmentVariableW, GetProcAddress, LoadLibraryA, HeapFree, HeapAlloc, GetProcessHeap, FileTimeToSystemTime, FileTimeToLocalFileTime, VirtualQueryEx, ReadProcessMemory, GetSystemInfo, OpenProcess, GetTimeFormatA, GetDateFormatA, GetFileAttributesA, GetModuleHandleA, FormatMessageA, GlobalUnlock, GlobalLock, UnmapViewOfFile, MapViewOfFile, CreateFileMappingA, SetFileTime, GetFileTime, ExpandEnvironmentStringsA, SetFileAttributesA, GetTempPathA, WideCharToMultiByte, GetComputerNameA, CopyFileA, CreateDirectoryA, GetCurrentProcess, TerminateProcess, lstrcpynA, lstrcmpA, lstrcpyA, lstrlenA, DeleteFileA, GetCurrentProcessId, WaitForSingleObject, MoveFileA, TerminateThread, GetExitCodeProcess, PeekNamedPipe, DuplicateHandle, CreatePipe, SetConsoleCtrlHandler, GetLocaleInfoA, GetVersionExA, GetLogicalDrives, WaitForMultipleObjects, GenerateConsoleCtrlEvent, GlobalMemoryStatus, IsBadWritePtr, IsBadReadPtr, HeapValidate, InterlockedDecrement, InterlockedIncrement, RtlUnwind, GetStartupInfoA, GetCommandLineA, GetVersion, DebugBreak, GetStdHandle, OutputDebugStringA, GetCurrentThreadId, TlsSetValue, TlsAlloc, TlsFree, SetLastError, TlsGetValue, GetCurrentThread, InitializeCriticalSection, FatalAppExitA, HeapReAlloc, VirtualFree, VirtualAlloc, GetEnvironmentVariableA, HeapDestroy, HeapCreate, LCMapStringA, LCMapStringW, GetCPInfo, GetACP, GetOEMCP, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, 
GetEnvironmentStringsW, SetHandleCount, GetFileType, GetStringTypeA, GetStringTypeW, SetStdHandle, FlushFileBuffers, IsValidLocale, IsValidCodePage, EnumSystemLocalesA, GetUserDefaultLCID, SetUnhandledExceptionFilter, IsBadCodePtr, SetEndOfFile, GetTimeZoneInformation, GetLocaleInfoW, CompareStringA, CompareStringW

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=09ADD66E4F92057C280C059D1E36590042F150CE
Norman Sandbox: [ General information ]
* IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD).
* Locates window "NULL [class mIRC]" on desktop.
* File length: 337999 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM32\rbraci.exe.
* Deletes file 43.

[ Changes to registry ]
* Creates value "Microsoft Update Machine"="rbraci.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\".
* Creates value "Microsoft Update Machine"="rbraci.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\".
* Creates value "Microsoft Update Machine"="rbraci.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\".

[ Network services ]
* Looks for an Internet connection.
* Connects to "shadow.incomplete-warez.com" on port 6667 (TCP).
* Connects to IRC server.

[ Process/window information ]
* Creates a mutex 11.
* Creates process "rbraci.exe".
* Will automatically restart after boot (I'll be back...).

nogoodreason (Guest)
Re: 365 infected files in sysWOW64 -- HELP!
« Reply #6 on: June 16, 2008, 04:58:49 PM »
Is this 'reinstall Windows is the best course of action' serious? :S

FreewheelinFrank (Avast Evangelist)
Re: 365 infected files in sysWOW64 -- HELP!
« Reply #7 on: June 16, 2008, 06:32:07 PM »
Try a boot time scan with avast! Right click the scanner screen, select 'schedule a boot time scan' and reboot when requested.

Try a scan with DrWeb CureIT!

If still having problems, post a HijackThis! log.