Re: NORTON Firewall doesn't detect TROJAN, !!WARNING TROJAN ATTACHED!! - first_3sum.wri (0/1)
From: Duane Arnold (darnold92@Insightbb.com)
Date: 12/21/02
- Next message: Lars M. Hansen: "Re: PORT NUMBER AND SERVICES"
- Previous message: Eirik Seim: "Re: NSSI-2002-zonealarm3: ZoneAlarm Pro Denial of Service Vulnerability"
- In reply to: Hunter Watson: "NORTON Firewall doesn't detect TROJAN, !!WARNING TROJAN ATTACHED!! - first_3sum.wri (0/1)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Duane Arnold" <darnold92@Insightbb.com> Date: Sat, 21 Dec 2002 13:49:51 GMT
If you are using OE, then you should know how to enable some of OE's
protection features. That and some common sense will help a lot.
Duane :)
"Hunter Watson" <djgka876@keocm.net> wrote in message
news:lsmtvuobuhdh66m7jt0mrhnerd9lrm5bhn@4ax.com...
> WARNING!!! ATTACHED FILE IS INFECTED WITH A TROJAN.
> DON'T OPEN UNLESS YOU KNOW WHAT YOU'RE DOING.
>
> Below is my reply to Symantec where they said there was no problem with
> the trojan I sent to them for inspection. Maybe I'm wrong. Please
> read my post and tell me what you think. For you guys that know your
> stuff please check out the attached infected file and please give me
> some advice on how to completely remove the infection.
> Thanks
>
> Below is my reply to Symantec>>>>>>
>
>
> This is a response to Tracking #2291036 which is pasted at the end of
> this note.
>
> My OS is Windows ME. I am using Norton Internet Security(NIS)2002.
>
> If you read below and repeat the steps I outline below you will see
> that the file I'm sending is a trojan and NIS 2002 did not find this
> trojan that infected my computer. Please open "view statistics" in
> NIS and record the executables running in the "network connections"
> window. Then open "first_3sum.wri" with Microsoft (MS) WordPad. Then
> double click on the icon for "Amy_orgasm.ram", and you will see "ms
> spool32.exe" has a port open in "network connections".
>
>
> I received an e-mail with a file called "pictures.zip" attached.
> Inside the .zip file was a file called "first_3sum.wri". I opened the
> .wri file with MS WordPad. There are 3 objects packaged inside the
> file "first_3sum.wri" and no text. The first 2 objects were jpeg files
> which opened OK when I double clicked on them. The third object was a
> video file called "Amy_orgasm.ram". When I double clicked on the .ram
> file the computer did nothing for 10 seconds, then "RealPlayer" came up
> and said there was a problem with the file. I went online to Real.com
> and NIS was warning me that a file called "ms spool32.exe" was trying
> to connect to the internet. The log entries from NIS 2002 are pasted
> here>>>
>
> Alert 12/16/2002 17:49:07 IP Filter This one time, the user has chosen
> to "block" communications. Details:
> Outbound TCP connection
> Remote address,service is (wwp.mirabilis.com(205.188.248.25),http(80))
> Process name is "C:\WINDOWS\MS SPOOL32.EXE"
>
> Alert 12/16/2002 17:49:13 IP Filter This one time, the user has chosen
> to "block" communications. Details:
> Outbound TCP connection
> Remote address,service is
> (messenger.hotmail.com(207.46.104.20),msnp(1863))
> Process name is "C:\WINDOWS\MS SPOOL32.EXE"
>
> This type of alert only happens after I install new software that can
> access the internet. I haven't installed any new software in months.
>
> I went offline and restarted my computer. The first thing I did after
> rebooting was check "view statistics" with NIS. Normally the only
> connection open after rebooting is "symproxysvc.exe". But there were
> 2 connections opened, "ms spool32.exe" and "symproxysvc.exe". I did a
> search for "ms spool32.exe" and found it in the windows folder along
> with 2 other files I had never seen before, "MS SPOOL32.dat" and "MS
> SPOOL32k.dat". I checked properties and all 3 files were created at
> the time I double clicked on "Amy_orgasm.ram". I opened
> "first_3sum.wri" again in MS WordPad and highlighted "Amy_orgasm.ram"
> and selected "edit package". The appearance window said
> "Amy_orgasm.ram" but the content window said "copy of dynu.exe". "MS
> SPOOL32.dat" contains a list of .exe files I think "ms spool32.exe" is
> trying to shutdown. A few samples from "MS SPOOL32.dat">>>>
> (NAVAPW32.EXE, IAMAPP.EXE, ZONEALARM.EXE, VSHWIN32.EXE, REGEDIT.EXE,
> DRWATSON.EXE, SYSEDIT.EXE, NETSTAT.EXE, SCONFIG.EXE, GUARD.EXE,
> UPDATE.EXE, AUTOUPDATE.EXE, CLEANER.EXE, UPDATE.EXE, ANTI-TROJAN.EXE,
> WATCHDOG.EXE, BLACKICE.EXE, LUCOMSERVER.EXE, TASKMGR.EXE,
> GUARDDOG.EXE). "MS SPOOL32k.dat" contained by date and time all the
> programs that were opened and the keystrokes I made in those programs.
> I could see my sign on password, my social security number and
> password for my 401K web site. I'm lucky I blocked "ms spool32.exe"
> from connecting to the internet. I tried to delete the 3 new files
> but windows wouldn't let me. I checked the windows registry>>>>
> hkey_local_machine\software\microsoft\windows\currentversion\run
> and found a line for "ms spool32.exe". I deleted the entry but it
> comes back after I reboot and "ms spool32.exe" is loaded. The only way
> I could keep "ms spool32.exe" from loading and able to delete the 3
> files that were created is if I do a system restore to an earlier
> point in time.
>
> Before I deleted the files I did a "Scan with Norton AntiVirus" on
> the files>> "first_3sum.wri", "Amy_orgasm.ram" and "ms spool32.exe".
> Norton AntiVirus said they were all OK. I did an application scan and
> NIS did not detect that "ms spool32.exe" is an internet-enabled program.
> I think NIS should have detected the trojan when it was put on my hard
> drive and detected "ms spool32.exe" as an internet-enabled
> application. You can tell by the logs that "ms spool32.exe" was trying
> to connect to the internet.
>
> I hope Symantec will show more interest this time and tell me how to
> remove everything that the trojan put on my hard drive, registry,
> start-up files (etc.) and update your product to detect this trojan.
>
>
>
> Symantec's reply to my first attempt below.
>
>
>
> Date sent: Mon, 9 Dec 2002 03:12:03 UT
> From: SecurityResponse@symantec.com
> To: --------@prodigy.net
> Subject: [CLOSING]: Symantec Security Response
> Automation: Tracking #2291036
>
> Below is a status update on your virus submission:
>
> Date: December 8, 2002
>
> Dear Watson Engler,
>
> We have analyzed your submission. The following is a report of our
> findings for each file you have submitted:
>
> filename: C:\temp\first_3sum.wri
> machine:
> result: This file is clean
>
> Developer notes:
> C:\temp\first_3sum.wri is a clean file.
>
> We have determined that no virus exists on the samples provided.
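Worked example added to this archive page (not written by either poster or by Symantec): a small Python triage script that parses NIS 2002 "IP Filter" alert blocks in the format quoted above, flags outbound connections from any process outside a defender-maintained baseline (the post says that after a reboot only symproxysvc.exe normally talks to the network), flags image names that imitate a genuine component by inserting a space (here "MS SPOOL32.EXE" versus spool32.exe, the Windows 9x/ME print spooler), and scores a dropped text file as a likely anti-virus "kill list" by how many of its entries are well-known security or admin tool process names. The two block alerts are taken from the post; the third, permitted alert, the baseline set, the lookalike target names other than SPOOL32.EXE, and the 192.0.2.10 address are constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class Alert:
    date: str
    time: str
    action: str      # "block" or "permit", as logged by NIS
    host: str
    ip: str
    service: str
    port: int
    process: str     # full image path exactly as NIS logged it


# One NIS 2002 alert spans several lines; DOTALL lets ".*?" cross them.
ALERT_RE = re.compile(
    r'Alert (?P<date>\S+) (?P<time>\S+) .*?chosen\s+to "(?P<action>\w+)".*?'
    r'Remote address,service is\s*\((?P<host>[^(]+)\((?P<ip>[\d.]+)\),'
    r'(?P<service>\w+)\((?P<port>\d+)\)\).*?'
    r'Process name is "(?P<process>[^"]+)"',
    re.DOTALL,
)


def parse_alerts(text):
    """Split an NIS 'IP Filter' log dump (blank line between alerts) into Alert records."""
    alerts = []
    for block in re.split(r'\n\s*\n', text.strip()):
        m = ALERT_RE.search(block)
        if m:
            d = m.groupdict()
            alerts.append(Alert(d['date'], d['time'], d['action'].lower(), d['host'].strip(),
                                d['ip'], d['service'], int(d['port']), d['process']))
    return alerts


# Constructed sample: the two blocked alerts quoted in the post plus one constructed
# permitted alert from the expected NIS proxy process (192.0.2.x is a documentation range).
SAMPLE_LOG = """\
Alert 12/16/2002 17:49:07 IP Filter This one time, the user has chosen to "block" communications. Details:
Outbound TCP connection
Remote address,service is (wwp.mirabilis.com(205.188.248.25),http(80))
Process name is "C:\\WINDOWS\\MS SPOOL32.EXE"

Alert 12/16/2002 17:49:13 IP Filter This one time, the user has chosen to "block" communications. Details:
Outbound TCP connection
Remote address,service is (messenger.hotmail.com(207.46.104.20),msnp(1863))
Process name is "C:\\WINDOWS\\MS SPOOL32.EXE"

Alert 12/16/2002 17:50:02 IP Filter This one time, the user has chosen to "permit" communications. Details:
Outbound TCP connection
Remote address,service is (update.example.com(192.0.2.10),http(80))
Process name is "C:\\PROGRAM FILES\\NORTON INTERNET SECURITY\\SYMPROXYSVC.EXE"
"""

# Defender-maintained baseline of processes expected to reach the network (constructed;
# the post reports symproxysvc.exe as the only normal post-boot connection).
BASELINE = {"SYMPROXYSVC.EXE"}
# Genuine component names a dropper may imitate by prefixing "MS " (SPOOL32.EXE is the
# Windows 9x/ME spooler; the other two are constructed additions to the list).
LOOKALIKE_TARGETS = {"SPOOL32.EXE", "EXPLORER.EXE", "RUNDLL32.EXE"}


def basename(path):
    return path.replace('/', '\\').rsplit('\\', 1)[-1].upper()


def triage(alerts, baseline=BASELINE):
    """Return {image_path: [reasons]} for every outbound connection that deserves a look."""
    findings = {}
    for a in alerts:
        name = basename(a.process)
        reasons = []
        if name not in baseline:
            reasons.append(f"not in baseline; {a.action}ed {a.service}/{a.port} to {a.host}")
        stripped = re.sub(r'^MS\s+', '', name)
        if ' ' in name and stripped in LOOKALIKE_TARGETS:
            reasons.append(f"image name imitates {stripped} with an inserted space")
        for r in reasons:
            if r not in findings.setdefault(a.process, []):
                findings[a.process].append(r)
    return findings


# Well-known AV, firewall and admin tool process names; a dropped file listing mostly
# these is a strong sign of a kill list. Built from the names quoted in the post.
SECURITY_TOOL_NAMES = {
    "NAVAPW32.EXE", "IAMAPP.EXE", "ZONEALARM.EXE", "VSHWIN32.EXE", "REGEDIT.EXE",
    "DRWATSON.EXE", "SYSEDIT.EXE", "NETSTAT.EXE", "GUARD.EXE", "CLEANER.EXE",
    "ANTI-TROJAN.EXE", "WATCHDOG.EXE", "BLACKICE.EXE", "LUCOMSERVER.EXE",
    "TASKMGR.EXE", "GUARDDOG.EXE",
}

# Constructed sample of the "MS SPOOL32.dat" contents, in the order the post lists them.
SAMPLE_DAT = [
    "NAVAPW32.EXE", "IAMAPP.EXE", "ZONEALARM.EXE", "VSHWIN32.EXE", "REGEDIT.EXE",
    "DRWATSON.EXE", "SYSEDIT.EXE", "NETSTAT.EXE", "SCONFIG.EXE", "GUARD.EXE",
    "UPDATE.EXE", "AUTOUPDATE.EXE", "CLEANER.EXE", "UPDATE.EXE", "ANTI-TROJAN.EXE",
    "WATCHDOG.EXE", "BLACKICE.EXE", "LUCOMSERVER.EXE", "TASKMGR.EXE", "GUARDDOG.EXE",
]


def killlist_report(lines, threshold=0.5):
    """Score a list of process names by overlap with known security tools."""
    names = {ln.strip().upper() for ln in lines if ln.strip()}
    matched = names & SECURITY_TOOL_NAMES
    ratio = len(matched) / len(names) if names else 0.0
    return {"unique": len(names), "matched": len(matched), "ratio": round(ratio, 3),
            "looks_like_killlist": ratio >= threshold}


if __name__ == "__main__":
    for proc, reasons in triage(parse_alerts(SAMPLE_LOG)).items():
        print(proc)
        for r in reasons:
            print("   -", r)
    print("kill-list check:", killlist_report(SAMPLE_DAT))
```

The baseline comparison is the part that would have caught this case on the day: a signature scanner reporting the sample "clean" says nothing about whether an unknown image in C:\WINDOWS should be opening TCP sessions to ICQ and MSN hosts, so the allowlist of expected network-enabled processes is the control to keep current, and any new entry in it should be explained by a deliberate install.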