SYMANTEC doesn't detect TROJAN, !!WARNING TROJAN ATTACHED!! - first_3sum.wri (0/1)
From: Hunter Watson (djgka876@keocm.net)
Date: 12/27/02
From: Hunter Watson <djgka876@keocm.net> Date: Thu, 26 Dec 2002 22:01:23 -0800
WARNING!!! ATTACHED FILE IS INFECTED WITH A TROJAN.
DON'T OPEN UNLESS YOU KNOW WHAT YOU'RE DOING.
This is my second attempt at this post. I bought an outside news
service because even I didn't see the attachment when I sent the first
post through Prodigy's news server.
Below is my first reply to Symantec when they said there was no
problem with the trojan I sent to them for inspection. Then another
try got me the reply pasted at the end of this post. Maybe I'm wrong.
Please read my post and tell me what you think. For you guys that know
your stuff please check out the attached infected file and please give
me some advice on how to completely remove the infection.
Since then I have played around with the infected file and my notes
are below this first reply.
Thanks
Below is my reply to Symantec>>>>>>
This is a response to Tracking #2291036 which is pasted at the end of
this note.
My OS is Windows ME. I am using Norton Internet Security (NIS) 2002.
If you read below and repeat the steps I outline below you will see
that the file I'm sending is a trojan and NIS 2002 did not find this
trojan that infected my computer. Please open "view statistics" in
NIS and record the executables running in the "network connections"
window. Then open "first_3sum.wri" with Microsoft (MS) WordPad. Then
double click on the icon for "Amy_orgasm.ram" and you will see
"ms spool32.exe" has a port open in "network connections".
I received an e-mail with a file called "pictures.zip" attached.
Inside the .zip file was a file called "first_3sum.wri". I opened the
.wri file with MS Wordpad. There are 3 objects packaged inside the
file "first_3sum.wri". The first 2 objects were jpeg files which
opened OK when I double clicked on them. The third object was a video
file called "Amy_orgasm.ram". When I double clicked on the .ram file
the computer did nothing for 10 seconds then "Realplayer" came up and
said there was a problem with the file. I went online to Real.com and
NIS was warning me that a file called "ms spool32.exe" was trying to
connect to the internet. The log entries from NIS 2002 are pasted
here>>>
Alert 12/16/2002 17:49:07 IP Filter This one time, the user has chosen
to "block" communications. Details:
Outbound TCP connection
Remote address,service is (wwp.mirabilis.com(205.188.248.25),http(80))
Process name is "C:\WINDOWS\MS SPOOL32.EXE"
Alert 12/16/2002 17:49:13 IP Filter This one time, the user has chosen
to "block" communications. Details:
Outbound TCP connection
Remote address,service is
(messenger.hotmail.com(207.46.104.20),msnp(1863))
Process name is "C:\WINDOWS\MS SPOOL32.EXE"
This type of alert only happens after I install new software that can
access the internet. I haven't installed any new software in months.
I went offline and restarted my computer. The first thing I did after
rebooting was check "view statistics" with NIS. Normally the only
connection open after rebooting is "symproxysvc.exe". But there were
2 connections opened, "ms spool32.exe" and "symproxysvc.exe". I did a
search for "ms spool32.exe" and found it in the Windows folder along
with 2 other files I had never seen before, "MS SPOOL32.dat" and "MS
SPOOL32k.dat". I checked properties and all 3 files were created at
the time I double clicked on "Amy_orgasm.ram".
I opened "first_3sum.wri" again in MS Wordpad and highlighted
"Amy_orgasm.ram" and selected "edit package". The appearance window
said "Amy_orgasm.ram" but the content window said "copy of DYNU.EXE".
"MS SPOOL32.dat" contains a list of .EXE files I think "ms
spool32.exe" is trying to shut down. A few samples from "MS
SPOOL32.dat">>>> (NAVAPW32.EXE, IAMAPP.EXE, ZONEALARM.EXE,
VSHWIN32.EXE, REGEDIT.EXE, DRWATSON.EXE, SYSEDIT.EXE, NETSTAT.EXE,
SCONFIG.EXE, GUARD.EXE, UPDATE.EXE, AUTOUPDATE.EXE, CLEANER.EXE,
UPDATE.EXE, ANTI-TROJAN.EXE, WATCHDOG.EXE, BLACKICE.EXE,
LUCOMSERVER.EXE, TASKMGR.EXE, GUARDDOG.EXE).
"MS SPOOL32k.dat" contained by date and time all the programs that
were opened and the keystrokes I made in those programs. I could see
my sign on password, my social security number and password for my
401K web site. I'm lucky I blocked "ms spool32.exe" from connecting to
the internet.
I tried to delete the 3 new files but Windows wouldn't let me. I
checked the Windows registry>>>>
hkey_local_machine\software\microsoft\windows\currentversion\run
and found a line for "ms spool32.exe". I deleted the entry but it
comes back after I reboot and "ms spool32.exe" is loaded. The only way
I could keep "ms spool32.exe" from loading and able to delete the 3
files that were created is if I do a system restore to an earlier
point in time.
Before I deleted the files I did a "Scan with Norton AntiVirus" on
the files>> "first_3sum.wri", "Amy_orgasm.ram" and "ms spool32.exe".
Norton AntiVirus said they were all OK. I did an application scan and
NIS did not detect that "ms spool32.exe" is an internet-enabled program.
I think NIS should have detected the trojan when it was put on my hard
drive and detected "ms spool32.exe" as an internet-enabled
application. You can tell by the logs that "ms spool32.exe" was trying
to connect to the internet.
I hope Symantec will show more interest this time and tell me how to
remove everything that the trojan put on my hard drive, registry,
start-up files (etc.) and update your product to detect this trojan.
*** NOTES ***
WHAT I FOUND>>>>>>>>>>>>>>>>>
This trojan seems to be a variant of >>> Backdoor.assasin.c,
also known as: Backdoor.Assasin.11 [KAV], Backdoor-AGS [McAfee]
which you can read about here (thanks to "Ralph A. Jones") >>>
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.assasin.c.html
But instead of opening port # 6595, this variant opens port # 4985.
It creates 2 files right away named>>
"MS SPOOL32.dat" and "ms spool32.exe"
Then I started MS Notepad, made a few keystrokes, saved the file and
closed Notepad, and another file is created called>>>
"MS SPOOL32k.dat". In this file I could see my keystrokes from
Notepad and what I am typing here in Agent News Reader.
There is a line in the registry>>>>
( hkey_local_machine\software\microsoft\windows\currentversion\run )
to load>> "ms spool32.exe"
You can delete this entry but it comes back after re-boot and
"ms spool32.exe" is running with port # 4985 open.
You can delete the 2 .DAT files but Windows won't let you delete the
.EXE file. The 2 .DAT files come back after re-boot. And
"ms spool32k.dat" contains all the keystrokes it stored before
deleting it. My recycle bin is set to remove all deleted files and not
store them.
The URL above says Backdoor.assasin.c also puts the following items in
the registry>>>>>>>
HKEY_LOCAL_MACHINE\SOFTWARE\AUFOBK\
HKEY_LOCAL_MACHINE\SOFTWARE\AUFOBK\eu%t{efn74+fzb\
But this variant puts this in the registry>>>>>
HKEY_LOCAL_MACHINE\SOFTWARE\KIHW^^LP\
HKEY_LOCAL_MACHINE\SOFTWARE\KIHW^^LP\eu%t{efn74+fzb\
Also after I double click on the .RAM file these files are put in my
C:\windows\temp folder. >>
~51A5.exe
~51A5.TMP
~51B0.ram
~51B0.TMP
The file name is always different after I load the trojan but the
extensions remain the same.
If I do a "system restore" to an earlier point in time the trojan
doesn't load. And of course the registry values are gone too.
Of interest>> When I check "first_3sum.wri" with NAV it tells me
there are 7 files contained inside. But I only see 3 objects packaged
and some text in the .WRI file. I expected only 4 files were inside.
I am concerned because after the restore operation
"ms spool32.exe" is no longer in the Windows folder but
the 2 .DAT files are. Is there another file on my HD that puts
"ms spool32.exe" in the windows folder? And why does
"ms spool32k.dat" contain the info that was there before I deleted it?
The info seems to be stored somewhere else. Is there a key logger
program lurking on my HD or is it contained in "ms spool32.exe"?
Thanks in advance for any help or info.
________________________________________________________
Symantec's reply to my first attempt is below, where I submitted the file
through SARC which is a program I D/L'ed from their Web site.
Date sent: Mon, 9 Dec 2002 03:12:03 UT
From: SecurityResponse@symantec.com
To: --------@prodigy.net
Subject: [CLOSING]: Symantec Security Response
Automation: Tracking #2291036
Below is a status update on your virus submission:
Date: December 8, 2002
Dear Watson Engler,
We have analyzed your submission. The following is a report of our
findings for each file you have submitted:
filename: C:\temp\first_3sum.wri
machine:
result: This file is clean
Developer notes:
C:\temp\first_3sum.wri is a clean file.
We have determined that no virus exists on the samples provided.
_______________________________________________________________
Then I replied back by going through Symantec's tech database and kept
selecting "other" until I got to a page to notify Symantec's tech dept.
Here is their second response which is way off base claiming
"ms spool32.exe" is a Microsoft file. They never bothered to run a
search on "ms spool32.exe" or they would have found this on their own
website (thanks to "Ralph A. Jones") >>>>>
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.assasin.c.html
Here is their second reply>>>>>>>>>>>>>
Date sent: Sat, 21 Dec 2002 06:44:58 -0600
From: symantec_support@spectrumcontactservices.com
Subject: RE:Other [#73372]
To: ________@prodigy.net
Hi Watson,
Thank you for contacting Symantec Online Technical Support.
In your message you wrote:
>Remote address service is wwp.mirabilis.com 205.188.248.25, http 80 Process name is C:\WINDOWS\MS SPOOL32.EXE
The files you have mentioned are Microsoft files and you have to
contact Microsoft to resolve the issue:
However, if you wish the file to block Internet connection, please
follow the steps provided below:
1. Open Norton Internet Security console.
2. Click on Personal Firewall feature.
3. Click on Internet Access Control.
4. Click on Configure button.
5. Select Application Scan option.
6. Click on the drives to be scanned.
7. After the scan is finished, a list of applications is displayed.
8. Select the particular application.
9. Change the Internet Access type to "Automatic" or
"Permit All" or "Block" or "Notify".
Please feel free to contact us for further assistance.
Regards,
Shubhadeepta Panda
Symantec Authorized Technical Support
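As an added example, not part of the post or of any Symantec tool: a Python triage script that parses NIS 2002 "IP Filter" alerts in the line-wrapped form quoted in the post and flags outbound connections from an executable whose name, once spaces are removed, imitates a genuine Windows 9x/ME system binary (the post's "MS SPOOL32.EXE" against the real spool32.exe). The sample log is constructed from the two alerts in the post plus a hypothetical benign entry, and the list of system binaries is an assumption.

```python
import re

# Constructed sample in the wrapped layout quoted in the post; the third alert is a
# hypothetical benign entry on one line, as an unwrapped NIS log would record it.
SAMPLE_LOG = """\
Alert 12/16/2002 17:49:07 IP Filter This one time, the user has chosen
to "block" communications. Details:
Outbound TCP connection
Remote address,service is (wwp.mirabilis.com(205.188.248.25),http(80))
Process name is "C:\\WINDOWS\\MS SPOOL32.EXE"
Alert 12/16/2002 17:49:13 IP Filter This one time, the user has chosen
to "block" communications. Details:
Outbound TCP connection
Remote address,service is
(messenger.hotmail.com(207.46.104.20),msnp(1863))
Process name is "C:\\WINDOWS\\MS SPOOL32.EXE"
Alert 12/16/2002 18:02:40 IP Filter This one time, the user has chosen to "permit" communications. Details: Outbound TCP connection Remote address,service is (news.example.net(192.0.2.10),nntp(119)) Process name is "C:\\PROGRAM FILES\\AGENT\\AGENT.EXE"
"""

# One NIS alert; whitespace-tolerant so wrapped and unwrapped records both match.
ALERT_RE = re.compile(
    r'Alert (?P<date>\S+) (?P<time>\S+) IP Filter.*?chosen\s+to "(?P<action>\w+)".*?'
    r'(?P<direction>Inbound|Outbound) (?P<proto>TCP|UDP) connection\s*'
    r'Remote address,service is\s*\((?P<host>[^(]+)\((?P<ip>[\d.]+)\),'
    r'(?P<service>[^(]+)\((?P<port>\d+)\)\)\s*Process name is "(?P<process>[^"]+)"', re.S)

# Assumed list of genuine Windows 9x/ME binaries a dropper might imitate by name.
SYSTEM_BINARIES = ("spool32.exe", "explorer.exe", "rundll32.exe")

def parse_alerts(text):
    # A record starts at a line beginning "Alert " and runs up to the next such line.
    matches = (ALERT_RE.search(c) for c in re.split(r'(?m)^(?=Alert )', text))
    return [dict(m.groupdict(), port=int(m["port"])) for m in matches if m]

def triage(text):
    # Flag alerts whose process basename, with spaces removed, ends in a genuine
    # system binary's name without actually being that binary.
    findings = []
    for a in parse_alerts(text):
        name = a["process"].rsplit("\\", 1)[-1].lower()
        collapsed = name.replace(" ", "")
        real = next((b for b in SYSTEM_BINARIES if collapsed.endswith(b)), None)
        if real and name != real:
            findings.append((a["process"], real, f'{a["host"]}:{a["port"]}', a["action"]))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```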