UPDATE: Possibly Unknown Virus? Care to help me analyze?!?

From: Jeremy Junginger (jj@act.com)
Date: 03/10/03

  • Next message: Juan Gallego: "Re: Real-world attacks on sendmail CA-2003-07 seen"
    Date: Mon, 10 Mar 2003 13:39:07 -0700
    From: "Jeremy Junginger" <jj@act.com>
    To: <incidents@securityfocus.com>
    
    

    This is getting pretty fun. Check this out.

    In addition to these two (or four) files, we have noticed that there are several other "interesting" characteristics. The following Reg Keys have been modified:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "W1N32.DLL"="C:\\WINDOWS\\WINLOGON .exe" (Note the space)
            "Windows Explorer"="Explorer .exe" (Note the space)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
            "Windows Explorer"="Explorer .exe" (Again, note the space)

    We found the files that these keys refer to and I'm taking a look at them. If you would like to get a copy, let me know, and I'll get it out to you on request. Thanks again for the many helpful responses I've received. What a fun way to spend a Monday! ;-)

    -Jeremy

    -----Original Message-----
    From: Jeremy Junginger
    Sent: Monday, March 10, 2003 11:44 AM
    To: incidents@securityfocus.com
    Subject: Possibly Unknown Virus? Care to help me analyze?!?

    Hey guys, I have come upon a funny little virus that's hogging CPU cycles and basically creating a DoS condition on a Windows XP machine. There were a couple of classic symptoms:

    hklm\software\microsoft\windows\current version\run\onylje.exe

    c:\Documents and Settings\All Users\Start Menu\Programs\Startup\onylje.exe

    This executable appears to be a pseudo-random name, and it called another file within the same directory called pcoo.exe. These two processes showed up in task manager, and gobbled up all the CPU cycles. I also saw some other weird things under task manager. These two processes appeared to be keeping Norton from launching:

    ~A.exe
    After I killed this one,
    ~9.exe appeared. Again, this looks like a pseudo-random name for these processes. I have run strings against the executables, and saw some Delphi B.S. in there as well as the following strings:

    <Cut from running "strings onylje.exe">
    KERNEL32.DLL
    ADVAPI32.dll
    MPR.dll
    SHELL32.dll
    USER32.dll
    WSOCK32.dll
    LoadLibraryA
    GetProcAddress
    ExitProcess
    RegCloseKey
    WNetAddConnection2A
    ShellExecuteA
    PeekMessageA
    </Cut>

    <Cut from running "strings pcoo.exe">
    KERNEL32.DLL
    ADVAPI32.dll
    MPR.dll
    SHELL32.dll
    USER32.dll
    WSOCK32.dll
    LoadLibraryA
    GetProcAddress
    ExitProcess
    RegCloseKey
    WNetAddConnection2A
    ShellExecuteA
    PeekMessageA
    </Cut>

    Both files are 69K, and may very well be the same executable referred to by different names. The output from running strings against these is identical as far as I can tell.

    Perhaps one of you guys might have a suggestion for disassembling the executables and taking a closer look. This may be a common virus, but Norton doesn't recognize it and I'd like to know for sure what it is. I can get you the file upon request. Thanks,

    -Jeremy
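Added example, not code from the post or from the list: a small Python checker run over a constructed copy of the Run/RunServices values reported above. It flags the "note the space" trick, imitation of a system binary's name, values with no directory (resolved through the search path at logon) and value names that claim a DLL but start an executable. The table of expected system directories and the sample values are assumptions.

```python
import ntpath
import re

# Binaries malware likes to imitate, with the directory each legitimately lives in
# on a Windows XP box (an assumption made for this example).
SYSTEM_BINARIES = {
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
    "ctfmon.exe": r"c:\windows\system32",
}

# Constructed sample modelled on the values in the post; not read from a live registry.
SAMPLE_RUN_VALUES = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "W1N32.DLL": r"C:\WINDOWS\WINLOGON .exe",
        "Windows Explorer": "Explorer .exe",
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",  # benign control entry
    },
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices": {
        "Windows Explorer": "Explorer .exe",
    },
}

def analyse_run_value(name, data):
    """Findings for one Run/RunServices value; an empty list means nothing odd."""
    # Keep embedded spaces: splitting the data on whitespace would hide the trick.
    directory, base = ntpath.split(data.strip('"'))
    canon = re.sub(r"\s+", "", base).lower()  # the name it is meant to resemble
    findings = []
    if re.search(r"\s+\.[^.\s]+$", base):
        findings.append("whitespace inserted before the extension: %r" % base)
    if canon in SYSTEM_BINARIES:
        if canon != base.lower():
            findings.append("mimics system binary %s" % canon)
        if directory and directory.lower() != SYSTEM_BINARIES[canon]:
            findings.append("%s run from %s, expected %s" % (canon, directory, SYSTEM_BINARIES[canon]))
    if not directory:
        findings.append("relative path, resolved through the search order at logon")
    if name.lower().endswith(".dll") and canon.endswith(".exe"):
        findings.append("value name looks like a DLL but starts an executable")
    return findings

def scan_run_keys(keys):
    """Map (key, value name) -> findings for every value that raised one."""
    report = {}
    for key, values in keys.items():
        for name, data in values.items():
            findings = analyse_run_value(name, data)
            if findings:
                report[(key, name)] = findings
    return report
```

On a live box the same function can be fed the output of `reg query` for each Run key; the benign ctfmon entry shows that a correctly spelled name in its expected directory produces no finding.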


