Author Topic: malware? spenserNK  (Read 16214 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33913
  • malware fighter
Re: malware? spenserNK
« Reply #15 on: April 13, 2009, 01:26:50 PM »
Hi danihart01,

Well the only link I could google up is in my first reply. We just have to wait and see what the co-malware fighters from geek2go come up with. I am also anxious about how "essexboy" is going to tackle this.
What is the information on the icon? Right-click on it and then go all the way down; what info does this turn up?

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

danihart01

  • Guest
Re: malware? spenserNK
« Reply #16 on: April 13, 2009, 01:58:18 PM »
Hi Polonus,
When I right-click, the whole view comes up and not the normal scroll-down written info.
Top task bar has "general" on the left and "mode" on the right with an activity circle next to it.
Then Drives with selector box next to it. Green arrow and advanced box.
Instructions underneath:
1.minimise me while you working
2.For advanced option turn to mode advanced.
3.When you finish just safe remove the pen
If it hard to remove pen,Pause me for five seconds
Then: Spenser NK developed by Pandula Gayaba
E:mail Kalupahana 11@gmail.com
St Mary's College Grade 12 Maths 2008

Read my message box on left


This is what comes up - very strange.
Thanks

YoKenny

  • Guest
Re: malware? spenserNK
« Reply #17 on: April 13, 2009, 04:53:29 PM »

danihart01

  • Guest
Re: malware? spenserNK
« Reply #18 on: April 13, 2009, 05:02:23 PM »
Have used HijackThis at the beginning - is this something different?
Thanks

danihart01

  • Guest
Re: malware? spenserNK
« Reply #19 on: April 14, 2009, 01:24:02 PM »
Hi,
Has anyone got any info about Spenser NK? Can I safely use the internet? It is troubling me greatly not knowing how to remove this thing from my taskbar and computer.
Please help
Thanks

micky77

  • Guest
Re: malware? spenserNK
« Reply #20 on: April 14, 2009, 05:16:18 PM »
Looking at your log, the entry F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\Spenser.exe

would appear highly suspicious. Make sure 'show hidden files' is enabled,

http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/hiddenfiles.mspx

navigate to C:\WINDOWS\system32\Spenser.exe; if you can locate spenser.exe, copy/paste it to your desktop, then send it to V.T for inspection

http://www.virustotal.com/

I am still looking at the log.

Actually I think someone already sent this file; it only got 1/40, so I will be interested to see if more pick it up now.
http://www.virustotal.com/analisis/bdd0138e582bced398d0d221150345db

http://www.threatexpert.com/report.aspx?md5=20c7d5e00d86b0004097af8ae6460490

Note: if VT says this file has already been analysed, make sure you click "re-analyse file".
« Last Edit: April 14, 2009, 05:40:34 PM by micky77 »
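The F2 line above is the security-relevant finding: Winlogon runs every comma-separated program in the UserInit value at logon, so anything listed besides userinit.exe is a persistence entry. The Python below is an added example (not code from the thread or from HijackThis) that audits such a value; the expected path `C:\WINDOWS\system32\userinit.exe` is an assumption for a default XP install, and the function names are my own.

```python
"""Audit a Winlogon UserInit value for programs other than userinit.exe.

Accepts either the raw registry value or a HijackThis
"F2 - REG:system.ini: UserInit=..." line. Added example, not from the thread.
"""
import re

# Assumed default for an XP install at C:\WINDOWS; pass another path if needed.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# Strip the HijackThis F2 prefix if the caller pasted a whole log line.
_HJT_PREFIX = re.compile(r"^\s*F2\s*-\s*REG:system\.ini:\s*UserInit=", re.IGNORECASE)


def normalise_path(entry: str) -> str:
    """Lower-case, drop quotes/whitespace and expand %SystemRoot%/%windir%."""
    entry = entry.strip().strip('"').strip()
    entry = re.sub(r"%systemroot%|%windir%", r"c:\\windows", entry, flags=re.IGNORECASE)
    return entry.lower()


def userinit_entries(value: str) -> list[str]:
    """Split a UserInit value into its program entries.

    The Windows default ends with a trailing comma, so empty entries are ignored.
    """
    value = _HJT_PREFIX.sub("", value)
    return [normalise_path(e) for e in value.split(",") if e.strip()]


def audit_userinit(value: str, expected: str = EXPECTED_USERINIT) -> list[str]:
    """Return every entry that is not the expected userinit.exe (empty = clean)."""
    return [e for e in userinit_entries(value) if e != expected.lower()]


if __name__ == "__main__":
    # Constructed samples: the line quoted in the thread and the Windows default.
    infected = (r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,"
                r"C:\WINDOWS\system32\Spenser.exe")
    clean = r"C:\WINDOWS\system32\userinit.exe,"
    for sample in (infected, clean):
        extra = audit_userinit(sample)
        print("SUSPICIOUS extra entries:" if extra else "clean:", extra or sample)
```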

danihart01

  • Guest
Re: malware? spenserNK
« Reply #21 on: April 15, 2009, 03:40:14 AM »
Hi
Found file and sent to virustotal
File Spenser.exe received on 04.15.2009 03:33:37 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


 

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.04.15 -
AhnLab-V3 5.0.0.2 2009.04.14 -
AntiVir 7.9.0.143 2009.04.14 TR/VB.hho
Antiy-AVL 2.0.3.1 2009.04.14 -
Authentium 5.1.2.4 2009.04.14 -
Avast 4.8.1335.0 2009.04.14 -
AVG 8.5.0.285 2009.04.14 Worm/VB.FHW
BitDefender 7.2 2009.04.15 -
CAT-QuickHeal 10.00 2009.04.14 -
ClamAV 0.94.1 2009.04.15 -
Comodo 1113 2009.04.14 -
DrWeb 4.44.0.09170 2009.04.15 -
eSafe 7.0.17.0 2009.04.13 -
eTrust-Vet 31.6.6455 2009.04.14 Win32/VMalum.FDQR
F-Prot 4.4.4.56 2009.04.14 -
F-Secure 8.0.14470.0 2009.04.15 -
Fortinet 3.117.0.0 2009.04.15 W32/Agent.JMS!tr
GData 19 2009.04.15 -
Ikarus T3.1.1.49.0 2009.04.15 -
K7AntiVirus 7.10.703 2009.04.14 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2009.04.15 -
McAfee 5584 2009.04.14 -
McAfee+Artemis 5584 2009.04.14 -
McAfee-GW-Edition 6.7.6 2009.04.14 Trojan.VB.hho
Microsoft 1.4502 2009.04.14 -
NOD32 4008 2009.04.15 -
Norman 6.00.06 2009.04.14 -
nProtect 2009.1.8.0 2009.04.15 -
Panda 10.0.0.14 2009.04.14 -
PCTools 4.4.2.0 2009.04.14 -
Prevx1 V2 2009.04.15 -
Rising 21.25.14.00 2009.04.14 -
Sophos 4.40.0 2009.04.15 Troj/Agent-JMS
Sunbelt 3.2.1858.2 2009.04.15 -
Symantec 1.4.4.12 2009.04.15 -
TheHacker 6.3.4.0.308 2009.04.14 -
TrendMicro 8.700.0.1004 2009.04.14 -
ViRobot 2009.4.14.1692 2009.04.14 -
VirusBuster 4.6.5.0 2009.04.14 -
Additional information
File size: 741419 bytes
MD5...: 20c7d5e00d86b0004097af8ae6460490
SHA1..: 07423c1b11b51acda530a9d0f22c3deb6473f066
SHA256: c1ad04b9d64c8726eb373b0a53cda278114e15e91371c0352d9420f9ed07220d
SHA512: 3ff807f47c858e701f033c7068a4cd7c99bba0089bff578e8495333ba74fa69d7a699a898c03f14ff75f0903acd6bc94306af9375f9fa28fd9525d820eb8da46
ssdeep: 6144:A0tukSS3LTYlINf/vMC5sMe1sI0Kp3UqtbFYmGiXCcGuF4p13bY:akSSbTYlINf/vPqsIVpEqtbFY3p1rY
 
PEiD..: -
TrID..: File type identification
Win32 Executable Microsoft Visual Basic 6 (90.9%)
Win32 Executable Generic (6.1%)
Generic Win/DOS Executable (1.4%)
DOS Executable Generic (1.4%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x46dc
timedatestamp.....: 0x491cf001 (Fri Nov 14 03:26:57 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xa0890 0xa1000 4.57 ade0041c25428c2476bca85fca677461
.data 0xa2000 0x5fa8 0x1000 0.00 620f0b67a91f7f74151bc5be745b7110
.rsrc 0xa8000 0x113c8 0x12000 4.38 40f2b818c23a59a4ac3f7162583e0d95

( 1 imports )

( 0 exports )
 
RDS...: NSRL Reference Data Set
-
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=20c7d5e00d86b0004097af8ae6460490
Thanks

micky77

  • Guest
Re: malware? spenserNK
« Reply #22 on: April 15, 2009, 07:13:51 AM »
Well I'm not sure what 'Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED' means. Maybe you should try again. It would seem we are on the right track; spenser.exe is definitely bad. I will look back later today; obviously I think it advisable to fix that entry. See you later :)
« Last Edit: April 15, 2009, 07:37:27 AM by micky77 »

danihart01

  • Guest
Re: malware? spenserNK
« Reply #23 on: April 15, 2009, 08:40:04 AM »
Hi
Redid VirusTotal check
Thanks

File Spenser.exe received on 04.15.2009 08:30:00 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.04.15 -
AhnLab-V3 5.0.0.2 2009.04.15 -
AntiVir 7.9.0.143 2009.04.14 TR/VB.hho
Antiy-AVL 2.0.3.1 2009.04.15 -
Authentium 5.1.2.4 2009.04.14 -
Avast 4.8.1335.0 2009.04.14 -
AVG 8.5.0.285 2009.04.14 Worm/VB.FHW
BitDefender 7.2 2009.04.15 -
CAT-QuickHeal 10.00 2009.04.15 Trojan.Agent.ATV
ClamAV 0.94.1 2009.04.15 -
Comodo 1113 2009.04.14 -
DrWeb 4.44.0.09170 2009.04.15 -
eSafe 7.0.17.0 2009.04.13 -
eTrust-Vet 31.6.6455 2009.04.14 Win32/VMalum.FDQR
F-Prot 4.4.4.56 2009.04.14 -
F-Secure 8.0.14470.0 2009.04.15 -
Fortinet 3.117.0.0 2009.04.15 W32/Agent.JMS!tr
GData 19 2009.04.15 -
Ikarus T3.1.1.49.0 2009.04.15 -
K7AntiVirus 7.10.703 2009.04.14 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2009.04.15 -
McAfee 5584 2009.04.14 -
McAfee+Artemis 5584 2009.04.14 -
McAfee-GW-Edition 6.7.6 2009.04.14 Trojan.VB.hho
Microsoft 1.4502 2009.04.15 -
NOD32 4008 2009.04.15 -
Norman 6.00.06 2009.04.14 -
nProtect 2009.1.8.0 2009.04.15 -
Panda 10.0.0.14 2009.04.14 -
PCTools 4.4.2.0 2009.04.14 -
Prevx1 V2 2009.04.15 -
Rising 21.25.20.00 2009.04.15 -
Sophos 4.40.0 2009.04.15 Troj/Agent-JMS
Sunbelt 3.2.1858.2 2009.04.15 -
Symantec 1.4.4.12 2009.04.15 -
TheHacker 6.3.4.0.309 2009.04.15 -
TrendMicro 8.700.0.1004 2009.04.15 -
VBA32 3.12.10.2 2009.04.12 -
ViRobot 2009.4.15.1693 2009.04.15 -
VirusBuster 4.6.5.0 2009.04.14 -
 

micky77

  • Guest
Re: malware? spenserNK
« Reply #24 on: April 15, 2009, 07:53:28 PM »
When I was looking at the VT results I assumed one detection was Kaspersky (it was K7), which is why I was going to ask you to do an online scan, especially as someone submitted spenser.exe 5 days ago:
http://forum.kaspersky.com/index.php?showtopic=112289 in which he also mentioned autorun.inf files. Do you use flash drives?

The only detection that has an online scanner is eTrust-Vet, now CA
http://www.ca.com/us/securityadvisor/virusinfo/scan.aspx which I have never used.
First I would send a sample to virus@avast.com, zipped, and labelled "new virus".
Then, if you haven't already, fix the entry F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\Spenser.exe using HijackThis.
Then I would reboot the PC in safe mode by tapping the F8 key before Windows loads; from the advanced menu choose Safe Mode.
Then find spenser.exe (including the one you may have copied/pasted to desktop) and delete it.
Reboot in normal mode and post another HJT log.
You may want to scan for suspicious autorun.inf files.
http://download.cnet.com/Autorun-Eater/3000-2239_4-10752777.html?tag=mncol

AutorunEater FAQ
http://oldmcdonald.wordpress.com/frequently-asked-questions/#1

If you have any concerns, please ask. Someone will be glad to help.

Anyone else's opinion on this very welcome.
« Last Edit: April 15, 2009, 07:55:14 PM by micky77 »

Offline polonus

Re: malware? spenserNK
« Reply #25 on: April 16, 2009, 01:03:37 AM »
Hi micky77,

The trojan seems to be spreading fast through autorun.inf and pen-drives, as was reported.
The following mention of spenser.exe must have been a mere coincidence, or that is where the malcreant for this Trojan/Agent got his inspiration to name it that way:
http://forums.spybot.info/showthread.php?p=305345

polonus

danihart01

  • Guest
Re: malware? spenserNK
« Reply #26 on: April 16, 2009, 04:45:30 AM »


This is the result from Kaspersky.
Will follow next instruction and fix and run in safe mode.
Thanks

Hello,


spenser.exe

No malicious code was found in this file.


>Sent: Apr 16 2009  3:49AM
>To: "New Virus" <newvirus@kaspersky.com>
>Subject: [VirLabSRF][Unknown malicious program][M:1][LN:EN][L:0]
>       
> description:
> SPENSER NK icon comes up in bottom toolbar when computer switched on - have run anti virus and remove tools but can not remove. Have found file with help from avast forum and would like to solve problem
>
> uploaded files:
> C:\WINDOWS\system32\Spenser.exe
>
>

Best Regards, NewVirus

10/1, 1st Volokolamsky Proezd, Moscow, 123060, Russia
Tel./Fax: + 7 (495) 797 8700
http://www.kaspersky.com http://www.viruslist.com





danihart01

  • Guest
Re: malware? spenserNK
« Reply #27 on: April 16, 2009, 06:14:29 AM »
Hi all
Do not use flash drives often - kids maybe.
Fixed entry F2 and deleted file as well as put it into avast chest - opened in safe mode etc. and rebooted. Have not checked with Autorun Eater yet.
Icon has gone, hooray - hope that it was not a needed file.
It has been an interesting experience!! Thanks for the help. Will keep you posted if problem returns or something.

micky77

  • Guest
Re: malware? spenserNK
« Reply #28 on: April 16, 2009, 09:21:36 AM »
hope that it was not a needed file.
Hi, to google a file and find little info is unusual. To find little info on an exe file running in system32 is panic time :o it means it's malicious (especially when AVs on VT detect it).
I don't know if you got this from a pen drive (it would be ironic, as the toolbar icon seems to be an advert for pen drive software).
Autorun Eater is a simple application: simply start it, it will look for suspicious autorun.inf files, then put all flash drives into the PC; any autorun files are immediately detected. By right-clicking on the tray icon you can adjust settings (auto delete) and stop Autorun Eater starting on boot, etc.
 :)
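Both the advice in Reply #24 to scan for suspicious autorun.inf files and the Autorun Eater description above turn on one distinction: an autorun.inf that only sets icon= or label= is harmless, while open=, shellexecute= or a shell\<verb>\command= entry launches a program when the drive is inserted. The Python below is an added example (not the thread's or Autorun Eater's code) that makes that distinction; the two sample files are constructed for the demo and the function names are my own.

```python
"""Flag autorun.inf directives that would execute a program on insertion.

autorun.inf is an INI file, so the standard library parser is enough.
Added example with constructed samples, not code from the thread.
"""
import configparser

# Directives that run something; icon=/label= only change how the drive looks.
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text: str) -> dict[str, str]:
    """Return the [autorun] section as a lower-cased key -> value dict."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str.lower  # autorun.inf keys are case-insensitive
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return dict(cp.items(section))
    return {}  # no [autorun] section: nothing will run


def launch_directives(text: str) -> list[tuple[str, str]]:
    """List the (key, value) pairs that would start a program."""
    found = []
    for key, value in parse_autorun(text).items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            found.append((key, value))
    return found


# Constructed samples: a benign stick that only sets an icon, and one whose
# autorun.inf starts an executable through every launch directive it can.
BENIGN = "[autorun]\nicon=drive.ico\nlabel=My USB stick\n"
SUSPICIOUS = (
    "[AutoRun]\n"
    "open=Spenser.exe\n"
    "shellexecute=Spenser.exe\n"
    "shell\\open\\command=Spenser.exe\n"
    "icon=drive.ico\n"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        hits = launch_directives(sample)
        print(f"{name}: {'LAUNCHES ' + str(hits) if hits else 'no launch directives'}")
```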