Re: New Virus????



From: "Nate" <natedogg3991@xxxxxxxxx>

| When I came in this morning almost all users that had logged off their
| workstations last night are receving a Run Time Error 53, File Not
| Found. This is after it takes 5-10 min for them to log into the system
| in the first place. No new updates have been installed or no new
| applications in the past couple of days. Specially not to this many
| clients. There is also another error in the event log that I have
| posted below.
|
| Event Type: Information
| Event Source: DrWatson
| Event Category: None
| Event ID: 4097
| Date: 12/6/2006
| Time: 8:46:37 AM
| User: N/A
| Computer: ITOPS06
| Description:
| The application, C:\WINDOWS\ie777.exe, generated an application error
| The error occurred on 12/06/2006 @ 08:46:37.624 The exception generated
| was c0000005 at address 10019B15 (nu)
|
| We have not deployed ie 7 so I am not sure what ie777.exe is, when I
| search the net I for that I only find a chinese website that google
| translated for me.
| http://bbs.360safe.com/redirect.php?tid=50061&goto=lastpost. It talks
| about some kind of Trojan or something but I cannot find anything any
| where else.
|
| Anybody else seen this?

A friend at Prevx provided the following feedback on this to me...

---

"Got some abstract info for you.

We have seen 7 instances of this in our DB -

The file you mention is dropped By a file called "4.EXE" (57.979KB) residing in %TEMP%

This file makes an outbound HTTP connection to :

httpout, 58.215.74.70:80 CN, CHINA, JIANGSU, JIANGSU, JSINFO.NET, CHINANET JIANGSU PROVINCE
NETWORK

and downloads the following:

IE777.EXE 88SS.EXE and a DLL - NU.DLL

I am not in the office at the moment to get samples, but from the data we have it seems like
it steals passwords.

Also modifies the hostfile and sends information back to above mentioned IP."

----


So based upon this feedback from Prevx, please search for the files mentioned and
modifications to the etc/hosts file and for TCP port 80 communication to; 58.215.74.70 You
may want to summarily block that IP at the FireWall.

See if the following helps...

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *




--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


.