NORTON Firewall doesn't detect TROJAN, !!WARNING TROJAN ATTACHED!! - first_3sum.wri (0/1)

From: Hunter Watson (djgka876@keocm.net)
Date: 12/17/02


From: Hunter Watson <djgka876@keocm.net>
Date: Tue, 17 Dec 2002 03:56:42 GMT

WARNING!!! ATTACHED FILE IS INFECTED WITH A TROJAN.
DON'T OPEN UNLESS YOU KNOW WHAT YOU'RE DOING.

Below is my reply to Symantec, where they said there was no problem with
the trojan I sent to them for inspection. Maybe I'm wrong. Please
read my post and tell me what you think. For you guys that know your
stuff, please check out the attached infected file and please give me
some advice on how to completely remove the infection.
Thanks

Below is my reply to Symantec>>>>>>

 This is a response to Tracking #2291036 which is pasted at the end of
this note.
  
My OS is Windows ME. I am using Norton Internet Security(NIS)2002.
 
If you read below and repeat the steps I outline below you will see
that the file I'm sending is a trojan and NIS 2002 did not find this
trojan that infected my computer. Please open "view statistics" in
NIS and record the executables running in the "network connections"
window. Then open "first_3sum.wri" with Microsoft (MS) WordPad. Then
double click on the icon for "Amy_orgasm.ram", and you will see "ms
spool32.exe" has a port open in "network connections".

 I received an e-mail with a file called "pictures.zip" attached.
Inside the .zip file was a file called "first_3sum.wri". I opened the
.wri file with MS WordPad. There are 3 objects packaged inside the
file "first_3sum.wri" and no text. The first 2 objects were JPEG files
which opened OK when I double clicked on them. The third object was a
video file called "Amy_orgasm.ram". When I double clicked on the .ram
file the computer did nothing for 10 seconds, then "RealPlayer" came up
and said there was a problem with the file. I went online to Real.com
and NIS was warning me that a file called "ms spool32.exe" was trying
to connect to the internet. The log entries from NIS 2002 are pasted
here>>>

Alert 12/16/2002 17:49:07 IP Filter This one time, the user has chosen
to "block" communications. Details:
Outbound TCP connection
Remote address,service is (wwp.mirabilis.com(205.188.248.25),http(80))
Process name is "C:\WINDOWS\MS SPOOL32.EXE"
 
Alert 12/16/2002 17:49:13 IP Filter This one time, the user has chosen
to "block" communications. Details:
Outbound TCP connection
Remote address,service is
(messenger.hotmail.com(207.46.104.20),msnp(1863))
Process name is "C:\WINDOWS\MS SPOOL32.EXE"

This type of alert only happens after I install new software that can
access the internet. I haven't installed any new software in months.
 
 I went offline and restarted my computer. The first thing I did after
rebooting was check "view statistics" with NIS. Normally the only
connection open after rebooting is "symproxysvc.exe". But there were
2 connections open, "ms spool32.exe" and "symproxysvc.exe". I did a
search for "ms spool32.exe" and found it in the Windows folder along
with 2 other files I had never seen before, "MS SPOOL32.dat" and "MS
SPOOL32k.dat". I checked properties and all 3 files were created at
the time I double clicked on "Amy_orgasm.ram". I opened
"first_3sum.wri" again in MS WordPad, highlighted "Amy_orgasm.ram"
and selected "edit package". The appearance window said
"Amy_orgasm.ram" but the content window said "copy of dynu.exe". "MS
SPOOL32.dat" contains a list of .exe files I think "ms spool32.exe" is
trying to shut down. A few samples from "MS SPOOL32.dat">>>>
(NAVAPW32.EXE, IAMAPP.EXE, ZONEALARM.EXE, VSHWIN32.EXE, REGEDIT.EXE,
DRWATSON.EXE, SYSEDIT.EXE, NETSTAT.EXE, SCONFIG.EXE, GUARD.EXE,
UPDATE.EXE, AUTOUPDATE.EXE, CLEANER.EXE, UPDATE.EXE, ANTI-TROJAN.EXE,
WATCHDOG.EXE, BLACKICE.EXE, LUCOMSERVER.EXE, TASKMGR.EXE,
GUARDDOG.EXE). "MS SPOOL32k.dat" contained, by date and time, all the
programs that were opened and the keystrokes I made in those programs.
I could see my sign-on password, my social security number and the
password for my 401K web site. I'm lucky I blocked "ms spool32.exe"
from connecting to the internet. I tried to delete the 3 new files
but Windows wouldn't let me. I checked the Windows registry>>>>
hkey_local_machine\software\microsoft\windows\currentversion\run
and found a line for "ms spool32.exe". I deleted the entry but it
comes back after I reboot and "ms spool32.exe" is loaded. The only way
I could keep "ms spool32.exe" from loading and be able to delete the 3
files that were created is if I do a System Restore to an earlier
point in time.

 Before I deleted the files I did a "Scan with Norton AntiVirus" on
the files>> "first_3sum.wri", "Amy_orgasm.ram" and "ms spool32.exe".
Norton AntiVirus said they were all OK. I did an application scan and
NIS did not detect that "ms spool32.exe" is an internet-enabled program.
I think NIS should have detected the trojan when it was put on my hard
drive and detected "ms spool32.exe" as an internet-enabled
application. You can tell by the logs that "ms spool32.exe" was trying
to connect to the internet.

 I hope Symantec will show more interest this time and tell me how to
remove everything that the trojan put on my hard drive, registry,
start-up files, etc., and update your product to detect this trojan.

Symantec's reply to my first attempt below.

Date sent: Mon, 9 Dec 2002 03:12:03 UT
From: SecurityResponse@symantec.com
To: --------@prodigy.net
Subject: [CLOSING]: Symantec Security Response
Automation: Tracking #2291036

Below is a status update on your virus submission:

Date: December 8, 2002

Dear Watson Engler,

We have analyzed your submission. The following is a report of our
findings for each file you have submitted:

filename: C:\temp\first_3sum.wri
machine:
result: This file is clean

Developer notes:
C:\temp\first_3sum.wri is a clean file.

We have determined that no virus exists on the samples provided.
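The alerts quoted in the post above carry enough detail to be triaged automatically: the process path, the direction, the remote host and port, and the user's block/permit decision. The script below is an added example, not code from the original post or from Symantec. It parses records laid out the way the NIS 2002 "IP Filter" alerts are pasted above, then flags a record when the process name imitates a genuine Windows 9x/ME system binary (the "MS SPOOL32.EXE" in the post, with a space and an "MS" prefix, versus the real SPOOL32.EXE that lives in C:\WINDOWS\SYSTEM), when a known system binary runs from the wrong directory, or when an outbound connection comes from a process not on an allow list. The sample log is constructed: the first two records are the ones from the post, the third (a permitted RealPlayer connection to a documentation address) is invented so the filter has something to let through. The system-binary list, the expected-directory table and the allow-list paths are assumptions for illustration, not an authoritative inventory.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample log: the two NIS 2002 alerts quoted in the post plus one
# invented benign record (documentation IP 192.0.2.10) that should pass triage.
SAMPLE_LOG = r"""
Alert 12/16/2002 17:49:07 IP Filter This one time, the user has chosen
to "block" communications. Details:
Outbound TCP connection
Remote address,service is (wwp.mirabilis.com(205.188.248.25),http(80))
Process name is "C:\WINDOWS\MS SPOOL32.EXE"

Alert 12/16/2002 17:49:13 IP Filter This one time, the user has chosen
to "block" communications. Details:
Outbound TCP connection
Remote address,service is
(messenger.hotmail.com(207.46.104.20),msnp(1863))
Process name is "C:\WINDOWS\MS SPOOL32.EXE"

Alert 12/16/2002 18:02:41 IP Filter This one time, the user has chosen
to "permit" communications. Details:
Outbound TCP connection
Remote address,service is (www.example.com(192.0.2.10),http(80))
Process name is "C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE"
"""

@dataclass
class Alert:
    date: str
    time: str
    decision: str    # "block" or "permit"
    direction: str   # "Outbound" or "Inbound"
    proto: str       # "TCP" or "UDP"
    host: str
    ip: str
    service: str
    port: int
    process: str     # full path exactly as logged

# Field patterns for the "IP Filter" record layout seen in the post. Records are
# flattened to one line first, so a remote address wrapped onto its own line
# (second record above) still matches.
_HDR = re.compile(r'^Alert (\d{1,2}/\d{1,2}/\d{4}) (\d{2}:\d{2}:\d{2}) IP Filter')
_DECISION = re.compile(r'chosen to "(block|permit)" communications')
_CONN = re.compile(r'(Outbound|Inbound) (TCP|UDP) connection')
_REMOTE = re.compile(r'Remote address,service is\s*\((?P<host>[^()]+)\((?P<ip>[\d.]+)\),'
                     r'(?P<svc>[^()]+)\((?P<port>\d+)\)\)')
_PROC = re.compile(r'Process name is "([^"]+)"')

def parse_nis_log(text: str) -> List[Alert]:
    """Split the pasted log on blank lines and parse each IP Filter record."""
    alerts = []
    for block in re.split(r'\n\s*\n', text.strip()):
        flat = ' '.join(line.strip() for line in block.splitlines())
        parts = [p.search(flat) for p in (_HDR, _DECISION, _CONN, _REMOTE, _PROC)]
        if not all(parts):
            continue  # some other alert type; not handled here
        hdr, dec, conn, rem, proc = parts
        alerts.append(Alert(hdr.group(1), hdr.group(2), dec.group(1), conn.group(1),
                            conn.group(2), rem['host'], rem['ip'], rem['svc'],
                            int(rem['port']), proc.group(1)))
    return alerts

# Assumption: a short list of Win9x/ME system executables that malware likes
# to imitate, and where the genuine copy is expected to live.
SYSTEM_BINARIES: Set[str] = {"spool32.exe", "explorer.exe", "rundll32.exe", "kernel32.dll"}
EXPECTED_DIR = {"spool32.exe": r"c:\windows\system"}
# Assumption: full paths of programs the user knowingly allows online.
ALLOWED: Set[str] = {r"c:\program files\real\realplayer\realplay.exe"}

def lookalike_of(process_path: str) -> Optional[str]:
    """Return the genuine system binary this file name imitates, or None.

    Squashes spaces and strips a leading 'ms' so 'MS SPOOL32.EXE' resolves to
    'spool32.exe'; an exact system name is not a lookalike (its location is
    checked separately in triage).
    """
    name = process_path.rsplit('\\', 1)[-1].lower()
    if name in SYSTEM_BINARIES:
        return None
    squashed = re.sub(r'^ms[ _-]*', '', name.replace(' ', ''))
    return squashed if squashed in SYSTEM_BINARIES else None

def triage(alerts: List[Alert], allowed: Set[str]) -> List[str]:
    """One finding string per alert that deserves a human look, in log order."""
    findings = []
    for a in alerts:
        path = a.process.lower()
        name = path.rsplit('\\', 1)[-1]
        reasons = []
        mimic = lookalike_of(a.process)
        if mimic:
            reasons.append(f'name imitates system binary {mimic}')
        expected = EXPECTED_DIR.get(name)
        if expected and not path.startswith(expected + '\\'):
            reasons.append(f'{name} running outside {expected}')
        if a.direction == 'Outbound' and path not in allowed:
            reasons.append('outbound connection from process not on allow list')
        if reasons:
            findings.append(f'{a.date} {a.time} {a.process} -> {a.host}:{a.port} '
                            f'({a.service}, {a.decision}): ' + '; '.join(reasons))
    return findings

if __name__ == '__main__':
    for line in triage(parse_nis_log(SAMPLE_LOG), ALLOWED):
        print(line)
```

Run against the sample, the two "MS SPOOL32.EXE" records are reported (lookalike name, not on the allow list) and the RealPlayer record is not. The allow list matches on the full path deliberately: matching on the bare file name would let a dropped copy named after an allowed program through, which is exactly the trick the trojan in the post plays with "spool32".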
