RE: Possibly Unknown Virus? Care to help me analyze?!?
From: Arnold, Jamie (harnold@binghamton.edu)
Date: 03/11/03
From: "Arnold, Jamie" <harnold@binghamton.edu> To: 'Jeremy Junginger' <jj@act.com>, incidents@securityfocus.com Date: Mon, 10 Mar 2003 19:55:34 -0500
Kinda sounds like elkern.
"Imagination is more important than knowledge"
Albert Einstein
-----Original Message-----
From: Jeremy Junginger [mailto:jj@act.com]
Sent: Monday, March 10, 2003 1:44 PM
To: incidents@securityfocus.com
Subject: Possibly Unknown Virus? Care to help me analyze?!?
Hey guys, I have come upon a funny little virus that's hogging CPU cycles
and basically creating a DoS condition on a Windows XP machine. There were a
couple of classic symptoms:
hklm\software\microsoft\windows\current version\run\onylje.exe
c:\Documents and Settings\All Users\Start Menu\Programs\Startup\onylje.exe
This executable appears to be a pseudo-random name, and it called another
file within the same directory called pcoo.exe. These two processes showed
up in task manager, and gobbled up all the CPU cycles. I also saw some other
weird things under task manager. These two processes appeared to be keeping
Norton from launching:
~A.exe
After I killed this one,
~9.exe appeared. Again, this looks like a pseudo-random name for these
processes. I have run strings against the executables, and saw some Delphi
B.S. in there as well as the following strings:
<Cut from running "strings onylje.exe">
KERNEL32.DLL
ADVAPI32.dll
MPR.dll
SHELL32.dll
USER32.dll
WSOCK32.dll
LoadLibraryA
GetProcAddress
ExitProcess
RegCloseKey
WNetAddConnection2A
ShellExecuteA
PeekMessageA
</Cut>
<Cut from running "strings pcoo.exe">
KERNEL32.DLL
ADVAPI32.dll
MPR.dll
SHELL32.dll
USER32.dll
WSOCK32.dll
LoadLibraryA
GetProcAddress
ExitProcess
RegCloseKey
WNetAddConnection2A
ShellExecuteA
PeekMessageA
</Cut>
Both files are 69K, and may very well be the same executable referred to by
different names. The output from running strings against these are
identical as far as I can tell.
Perhaps one of you guys might have a suggestion for disassembling the
executables and taking a closer look. This may be a common virus, but
Norton doesn't recognize it and I'd like to know for sure what it is. I can
get you the file upon request. Thanks,
-Jeremy
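An added triage helper, not part of the thread, that works over the `strings` output quoted above: it parses both dumps, scores how alike the two samples' string sets are (supporting the "same binary under two names" guess), and maps the imported Win32 APIs to the behaviour a defender would infer from them. The string dumps are reconstructed from the post, and the capability descriptions are my own assumptions, not anything the thread states.

```python
"""Triage helper for the onylje.exe / pcoo.exe report: compare two `strings`
dumps and map imported Win32 APIs to the behaviour they suggest."""
from __future__ import annotations
from collections import defaultdict

# Constructed from the strings output quoted in the post. In a real run you
# would paste the output of `strings <file>` for each sample here.
ONYLJE_STRINGS = """KERNEL32.DLL
ADVAPI32.dll
MPR.dll
SHELL32.dll
USER32.dll
WSOCK32.dll
LoadLibraryA
GetProcAddress
ExitProcess
RegCloseKey
WNetAddConnection2A
ShellExecuteA
PeekMessageA"""
PCOO_STRINGS = ONYLJE_STRINGS  # the post reports identical output for pcoo.exe

# Assumed capability map: which import hints at which behaviour. These labels
# are my own; they are a reading aid for triage, not a verdict on the sample.
CAPABILITIES = {
    "WNetAddConnection2A": "connects to remote shares (possible network spread)",
    "WSOCK32.dll": "Winsock networking",
    "ShellExecuteA": "launches other programs",
    "RegCloseKey": "touches the registry (fits the Run-key persistence seen)",
    "LoadLibraryA": "resolves APIs at runtime (can hide further imports)",
    "GetProcAddress": "resolves APIs at runtime (can hide further imports)",
}


def parse_strings(dump: str) -> set[str]:
    """Return the set of non-empty, stripped lines from a `strings` dump."""
    return {line.strip() for line in dump.splitlines() if line.strip()}


def similarity(a: set[str], b: set[str]) -> float:
    """Jaccard similarity of two string sets; 1.0 means the sets are identical."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def capability_report(strings: set[str]) -> dict[str, list[str]]:
    """Group the recognised imports by the behaviour they suggest."""
    report: dict[str, list[str]] = defaultdict(list)
    for name in sorted(strings):
        if name in CAPABILITIES:
            report[CAPABILITIES[name]].append(name)
    return dict(report)
```

A similarity of 1.0 only says the printable strings match; confirm with a file hash before treating the two files as one binary.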