Re: Alleged virus I can't detect



VirusTotal results:


File WR7E44.bin received on 02.17.2009 20:41:52 (CET)


Result: 0/39 (0%)

Antivirus Version Last Update Result
a-squared 4.0.0.93 2009.02.17 -
AhnLab-V3 2009.2.17.2 2009.02.17 -
AntiVir 7.9.0.83 2009.02.17 -
Authentium 5.1.0.4 2009.02.17 -
Avast 4.8.1335.0 2009.02.16 -
AVG 8.0.0.237 2009.02.17 -
BitDefender 7.2 2009.02.17 -
CAT-QuickHeal 10.00 2009.02.17 -
ClamAV 0.94.1 2009.02.17 -
Comodo 982 2009.02.17 -
DrWeb 4.44.0.09170 2009.02.17 -
eSafe 7.0.17.0 2009.02.17 -
eTrust-Vet 31.6.6361 2009.02.17 -
F-Prot 4.4.4.56 2009.02.17 -
F-Secure 8.0.14470.0 2009.02.17 -
Fortinet 3.117.0.0 2009.02.17 -
GData 19 2009.02.17 -
Ikarus T3.1.1.45.0 2009.02.17 -
K7AntiVirus 7.10.582 2009.01.09 -
Kaspersky 7.0.0.125 2009.02.17 -
McAfee 5528 2009.02.16 -
McAfee+Artemis 5528 2009.02.16 -
Microsoft 1.4306 2009.02.17 -
NOD32 3862 2009.02.17 -
Norman 6.00.06 2009.02.17 -
nProtect 2009.1.8.0 2009.02.17 -
Panda 9.4.3.20 2009.02.17 -
PCTools 4.4.2.0 2009.02.17 -
Prevx1 V2 2009.02.17 -
Rising 21.17.12.00 2009.02.17 -
SecureWeb-Gateway 6.7.6 2009.02.17 -
Sophos 4.38.0 2009.02.17 -
Sunbelt 3.2.1855.2 2009.02.17 -
Symantec 10 2009.02.17 -
TheHacker 6.3.2.2.259 2009.02.17 -
TrendMicro 8.700.0.1004 2009.02.17 -
VBA32 3.12.8.13 2009.02.17 -
ViRobot 2009.2.17.1611 2009.02.17 -
VirusBuster 4.5.11.0 2009.02.17 -
Additional information
File size: 296224 bytes
MD5...: e87c01a56df3cf7c680db722b000110c
SHA1..: be9313ab7e0e0ae5bfd9ca9ac8d59f1c65e587e7
SHA256: 0da78125502b153390a6a2f0f22eaff75813a908bbd412c605b1d1f3952385f0
SHA512: 75af512502f0e866359e537bf2020383eecf43bbcaad1dfc0bb27d994293db8d2b5ab59b7828817dd6dfe7f8981c051b81ce0df2592fd59836a8983c03adae0d
ssdeep: 6144:DMHxQEeBbRS7gPKudvJNKxG7is6pKJabJUn13Lr9WfopDJwF:SxQEMbJ3NKFGSJm1WfaY

PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x41df09
timedatestamp.....: 0x48f461d9 (Tue Oct 14 09:09:45 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
..text 0x1000 0x354cb 0x36000 6.62 0ab523966d49694195b94cf9feb4edb8
..rdata 0x37000 0xb7f3 0xc000 5.02 f496276b852d914783e616320012954e
..data 0x43000 0xb760 0x3000 3.15 8948fa9c9c7fa78654bfe009577f9478
..rsrc 0x4f000 0xaf8 0x1000 4.42 2bcf1a70016ed06b5a10b8e00bc88603

( 7 imports )
WS2_32.dll: -, -, -
ADVAPI32.dll: SetSecurityDescriptorDacl, InitializeSecurityDescriptor, StartServiceA,
QueryServiceStatus, CloseServiceHandle, OpenServiceA, OpenSCManagerA, RegCloseKey,
RegQueryValueExA, RegOpenKeyExA, RegSetValueExA, RegDeleteValueA, RegCreateKeyExA,
QueryServiceConfigA, RegNotifyChangeKeyValue
KERNEL32.dll: GlobalUnlock, GlobalLock, GlobalAlloc, GlobalFree, lstrcmpA, TlsGetValue,
GlobalReAlloc, GlobalHandle, TlsAlloc, TlsSetValue, LocalReAlloc, TlsFree, InterlockedDecrement,
InterlockedIncrement, GlobalGetAtomNameA, GetThreadLocale, ResumeThread, GlobalFlags, lstrcmpW,
GlobalDeleteAtom, GlobalFindAtomA, GlobalAddAtomA, GetLocaleInfoA, GetCPInfo, GetOEMCP,
SetFilePointer, FlushFileBuffers, FormatMessageA, CreateFileA, GetFileAttributesA, RaiseException,
RtlUnwind, ExitThread, CreateThread, GetSystemTimeAsFileTime, UnhandledExceptionFilter,
SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, HeapFree, HeapReAlloc, GetCommandLineA,
GetProcessHeap, GetStartupInfoA, HeapSize, ExitProcess, GetACP, IsValidCodePage, LCMapStringA,
LCMapStringW, VirtualFree, HeapDestroy, HeapCreate, GetStdHandle, FreeEnvironmentStringsA,
GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount,
GetFileType, QueryPerformanceCounter, GetStringTypeA, GetStringTypeW, GetUserDefaultLCID,
EnumSystemLocalesA, IsValidLocale, GetConsoleCP, GetConsoleMode, GetLocaleInfoW, SetStdHandle,
WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetLastError, GetCurrentProcess, LoadLibraryW,
CreateFileW, WaitNamedPipeW, SetNamedPipeHandleState, WriteFile, SetWaitableTimer,
GetOverlappedResult, ReadFile, GetCurrentThreadId, CreateEventW, CreateNamedPipeW,
DisconnectNamedPipe, ConnectNamedPipe, lstrlenA, CompareStringA, MultiByteToWideChar,
InterlockedExchange, WaitForMultipleObjects, LocalAlloc, LocalFree, CreateProcessA,
GetModuleFileNameA, GetTickCount, CopyFileA, TerminateProcess, MoveFileExA, GetVersion,
VirtualAlloc, DeleteFileA, ResetEvent, SetEvent, TerminateThread, DeleteCriticalSection,
CreateEventA, InitializeCriticalSection, GetCurrentDirectoryA, GetComputerNameA, GetTempPathA,
GetTempFileNameA, GetSystemDirectoryA, FindFirstFileA, FindNextFileA, FindClose, lstrcmpiA,
OpenFile, WideCharToMultiByte, GetVersionExA, EnterCriticalSection, _lclose, LeaveCriticalSection,
GetPrivateProfileIntA, FreeLibrary, FindResourceA, LoadResource, LockResource, SizeofResource,
CreateMutexA, OpenMutexA, Sleep, ReleaseMutex, GetModuleHandleA, WaitForSingleObject,
GetExitCodeThread, lstrcpyA, GetLastError, GetCurrentProcessId, OpenProcess, CloseHandle,
ReadProcessMemory, WriteProcessMemory, GetProcAddress, LoadLibraryA, InterlockedCompareExchange
USER32.dll: DestroyMenu, PostQuitMessage, RegisterWindowMessageA, LoadIconA, WinHelpA, GetCapture,
GetClassLongA, SetPropA, GetPropA, RemovePropA, GetForegroundWindow, GetTopWindow, DestroyWindow,
GetMessageTime, GetMessagePos, MapWindowPoints, SetForegroundWindow, GetClientRect, GetMenu,
PostMessageA, CreateWindowExA, GetClassInfoExA, GetClassInfoA, RegisterClassA, AdjustWindowRectEx,
CopyRect, DefWindowProcA, CallWindowProcA, SystemParametersInfoA, IsIconic, GetWindowPlacement,
SetMenuItemBitmaps, GetMenuCheckMarkDimensions, LoadBitmapA, ModifyMenuA, EnableMenuItem,
CheckMenuItem, SetWindowPos, SetWindowLongA, IsWindow, GetDlgItem, GetFocus, ClientToScreen,
GetWindow, GetDlgCtrlID, GetWindowRect, GetClassNameA, PtInRect, SetWindowTextA, UnregisterClassA,
SetWindowsHookExA, CallNextHookEx, GrayStringA, DrawTextExA, DispatchMessageA, GetKeyState,
ValidateRect, GetWindowTextA, LoadCursorA, GetSystemMetrics, GetDC, ReleaseDC, GetSysColor,
GetSysColorBrush, UnhookWindowsHookEx, GetWindowThreadProcessId, SendMessageA, GetParent,
GetWindowLongA, GetLastActivePopup, IsWindowEnabled, EnableWindow, MessageBoxA, GetMenuState,
GetMenuItemID, GetMenuItemCount, GetSubMenu, wsprintfA, DrawTextA, TabbedTextOutA, PeekMessageA
GDI32.dll: TextOutA, ExtTextOutA, Escape, SelectObject, SetViewportOrgEx, OffsetViewportOrgEx,
SetViewportExtEx, ScaleViewportExtEx, SetWindowExtEx, ScaleWindowExtEx, RectVisible, DeleteDC,
GetStockObject, PtVisible, DeleteObject, GetDeviceCaps, SetMapMode, RestoreDC, SaveDC, SetBkColor,
SetTextColor, GetClipBox, CreateBitmap
WINSPOOL.DRV: OpenPrinterA, DocumentPropertiesA, ClosePrinter
OLEAUT32.dll: -, -, -

( 61 exports )
__0TmProcessGuard@@QAE@KHH@Z, __0TmProcessGuard@@QAE@PBD0HH@Z, __0TmProcessGuard@@QAE@XZ,
__0TmServiceGuard@@QAE@PBD00HH@Z, __0TmServiceGuard@@QAE@PBDKHH@Z, __0TmServiceGuard@@QAE@XZ,
__1TmProcessGuard@@UAE@XZ, __1TmServiceGuard@@UAE@XZ, __4TmProcessGuard@@QAEXAAV0@@Z,
__4TmServiceGuard@@QAEXAAV0@@Z, ___7TmProcessGuard@@6B@, ___7TmServiceGuard@@6B@,
_BackupService@TmServiceGuard@@IAEXXZ, _CheckProcess@TmProcessGuard@@QAE_NAAVCStringArray@@H@Z,
_GetGuardInfo@TmProcessGuard@@QBEXAAKAAV_$CStringT@DV_$StrTraitMFC@DV_$ChTraitsCRT@D@ATL@@@@@ATL@@1AAH2@Z,
_GetService@TmServiceGuard@@QAE_AV_$CStringT@DV_$StrTraitMFC@DV_$ChTraitsCRT@D@ATL@@@@@ATL@@XZ,
_IsIPChanged@@YA_NPBDPADH@Z, _IsMonitor@TmProcessGuard@@IBE_NXZ, _IsNTPlatform@@YA_NXZ,
_IsProcessAlive@TmProcessGuard@@MAE_NXZ, _IsProcessAlive@TmServiceGuard@@MAE_NXZ,
_IsRetryNow@TmProcessGuard@@IBE_NXZ,
_IsTheSame@TmProcessGuard@@QBE_NABV_$CStringT@DV_$StrTraitMFC@DV_$ChTraitsCRT@D@ATL@@@@@ATL@@0@Z,
_IsTheSame@TmProcessGuard@@QBE_NK@Z, _IsTheSame@TmProcessGuard@@QBE_NPBV1@@Z,
_IsValidProcess@TmProcessGuard@@QBE_NXZ, _QueryAllLog@TmProcessGuard@@QBEXAAVCStringArray@@@Z,
_RegWatchDog_Ofc@@YA_NXZ, _RegWatchDog_Ofc_95@@YA_NXZ, _RegWatchDog_Ofc_NTRT@@YA_NXZ,
_RegWatchDog_Ofc_PCCNTMON@@YA_NXZ, _RegWatchDog_Ofc_TMLISTEN@@YA_NXZ,
_RegWatchDog_Ofc_TMPROXY@@YA_NXZ, _ResetMonitor@TmProcessGuard@@IAEXXZ,
_ResetRetryCount@TmProcessGuard@@QAEXXZ, _ResetRetryTick@TmProcessGuard@@QAEXXZ,
_ResetRetryVar@TmProcessGuard@@QAEXXZ, _RetryWakeupProcess@TmProcessGuard@@MAE_NXZ,
_RetryWakeupProcess@TmServiceGuard@@MAE_NXZ, _SetMonitor@TmProcessGuard@@IAEXXZ,
_SetProcessID@TmProcessGuard@@QAEXK@Z, _SetRetryCountLimit@TmProcessGuard@@QAEXH@Z,
_SetRetryTickLimit@TmProcessGuard@@QAEXH@Z, _StepMonitor@TmProcessGuard@@IAEXXZ,
_StepRetry@TmProcessGuard@@IAEXXZ, _UnRegWatchDog_Ofc@@YA_NXZ, _UnRegWatchDog_Ofc_95@@YA_NXZ,
_UnRegWatchDog_Ofc_NTRT@@YA_NXZ, _UnRegWatchDog_Ofc_PCCNTMON@@YA_NXZ,
_UnRegWatchDog_Ofc_TMLISTEN@@YA_NXZ, _UnRegWatchDog_Ofc_TMPROXY@@YA_NXZ, C_IsIPChanged,
C_OfcDogLockFiles, C_RegWatchDog_Ofc, C_RegWatchDog_Ofc_PCCNTMON, C_RegWatchDog_Ofc_TMLISTEN,
C_RegWatchDog_Ofc_TMPROXY, C_UnRegWatchDog_Ofc, C_UnRegWatchDog_Ofc_PCCNTMON,
C_UnRegWatchDog_Ofc_TMLISTEN, C_UnRegWatchDog_Ofc_TMPROXY

CWSandbox info: http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=e87c01a56df3cf7c680db722b000110c

--
"1PW" <barcrnahgjuvfgyr@xxxxxxx> wrote in message news:gnf37p$b4i$1@xxxxxxxxxxxxxxxxxxxxxx
On 02/17/2009 09:25 AM, Saga sent:
Hello all, I have a Win XP SP2 on an office PC. A few weeks ago the enterprise was
infected with the Sality virus. Removal was a pain, to say the least. The virus evaded the
firewall and the McAfee Enterprise virus suite.

My PC has been disinfected, but still shows signs of something that I can't identify.
Perhaps by describing its behavior here someone can offer an opinion.

I can get into Task Manager (Ctrl-Alt-Del->Task Manager and Right-Click Taskbar->
Task Manager). When I do and examine the processes that are running, one stands
out. This is an EXE whose name is a combination of letters and numbers, always
upper case, such as RE34YO.EXE. I Google the EXE name but find nothing, which
leads me to believe that the name is a random selection of numbers and letters.

I search for the EXE file and find that it is happily living in the C:\WINDOWS\TEMP
folder. Its icon is that of a side view of a small brown dog with the letters NT in the
right bottom corner.

When I stop the service the EXE file in the windows\temp folder mysteriously
disappears.

After a given amount of time after stopping the process I once again look at the
running processes and find another process that is running and the file name is
again a combination of letters and numbers, but a different name than the previous
one.

All this that I mention raises alarms all over, but when I run a scan on the disc
or on the folder where the EXE file is located, the Trend Micro antivirus does not
detect anything. (To run the scan, I copied the suspect EXE file to another folder
and changed its extension to bin.) I suspect that it might be a rootkit, but am not
sure. I am going to download some utilities to further test my work PC, but thought
I'd ask here in case anyone is familiar with these (somewhat troubling) symptoms.

Thank you, Saga

Hello Saga

Your investigation was well done. Please upload the file to:

<http://www.virustotal.com/>

When the result is available, cut & paste the full report to this thread.

In the meantime begin to think about downloading, installing, updating
and running the free versions of these two antimalware scanners:

MBAM: <http://www.malwarebytes.org/mbam.php>

SAS: <http://www.superantispyware.com/download.html>

If the file comes back from VirusTotal as a true positive, I would
recommend that you run the above two antimalware scans. I'd further
recommend your colleagues do the same on their systems without delay.

Have all copies of your Microsoft Office suites brought up to date.

Furthermore, please give much more consideration to installing SP3 for
your XP and any follow-on patches from Microsoft.

Please post a follow up with your progress.

Pete
--
1PW @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]
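The PEInfo block in the VirusTotal report above (the timedatestamp line and the section table with its name, viradd, virsiz, rawdsiz, ntrpy and md5 columns) is read straight out of the file's COFF headers, and the hashes come from the whole file. The script below is an added example written for this thread; it is not part of the original post and not VirusTotal's or Trend Micro's tooling. It parses a PE section table with the Python standard library only, computes per-section Shannon entropy and MD5 the way those columns are derived, renders TimeDateStamp in UTC as the report does, and, when no path is given, runs against a small constructed PE image built inline (it is not WR7E44.bin), so it can be checked offline before being pointed at a real file with `python pe_triage.py <file>`.

```python
import hashlib
import math
import struct
import sys
from collections import Counter
from datetime import datetime, timezone


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0): the report's 'ntrpy' column.
    Packed or encrypted sections sit near 8; plain tables and zero padding sit low."""
    n = len(data)
    if n == 0:
        return 0.0
    return float(-sum((c / n) * math.log2(c / n) for c in Counter(data).values()))


def timestamp_utc(ts: int) -> str:
    """Render the COFF TimeDateStamp the way VirusTotal prints it (UTC)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def file_hashes(blob: bytes) -> dict:
    """Whole-file digests, matching the MD5/SHA1/SHA256 lines of the report."""
    return {alg: hashlib.new(alg, blob).hexdigest() for alg in ("md5", "sha1", "sha256")}


def pe_sections(blob: bytes) -> dict:
    """Walk the COFF section table and return the same fields as VirusTotal's PEInfo."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", blob, 0x3C)[0]          # e_lfanew: offset of the PE signature
    if blob[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms,
    # SizeOfOptionalHeader, Characteristics
    machine, nsects, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, pe_off + 4)
    sect_off = pe_off + 4 + 20 + opt_size                      # section headers follow the optional header
    sections = []
    for i in range(nsects):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", blob, sect_off + 40 * i)
        raw = blob[rawptr:rawptr + rawsize]                    # bytes of this section as stored on disk
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "viradd": vaddr, "virsiz": vsize, "rawdsiz": rawsize,
            "ntrpy": round(shannon_entropy(raw), 2),
            "md5": hashlib.md5(raw).hexdigest(),
        })
    return {"machine": machine, "timestamp": timestamp, "sections": sections}


def build_sample_pe() -> bytes:
    """Constructed minimal PE image for offline testing (not the WR7E44.bin from the report).
    Two sections: .text of 256 zero bytes (entropy 0) and .data of bytes 0..255 (entropy 8).
    The TimeDateStamp is the one shown in the report; everything else is made up."""
    hdr_end = 64 + 4 + 20 + 24 + 2 * 40                        # DOS hdr + sig + COFF + opt + 2 section hdrs = 192
    text = b"\x00" * 256
    data = bytes(range(256))

    def sect(name, vaddr, raw, ptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, len(raw), ptr, 0, 0, 0, 0, flags)

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew points right after the DOS header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0x48F461D9, 0, 0, 24, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 22                # PE32 magic; remaining fields zeroed (not parsed here)
    headers = (dos + coff + opt
               + sect(b".text", 0x1000, text, hdr_end, 0x60000020)
               + sect(b".data", 0x2000, data, hdr_end + len(text), 0xC0000040))
    assert len(headers) == hdr_end
    return headers + text + data


def triage(blob: bytes) -> str:
    """Text summary in the layout of the report's PEInfo block."""
    info = pe_sections(blob)
    lines = [f"{k}: {v}" for k, v in file_hashes(blob).items()]
    lines.append(f"timedatestamp: 0x{info['timestamp']:x} ({timestamp_utc(info['timestamp'])} UTC)")
    lines.append(f"machinetype: 0x{info['machine']:x}")
    lines.append("name viradd virsiz rawdsiz ntrpy md5")
    for s in info["sections"]:
        lines.append(f"{s['name']} 0x{s['viradd']:x} 0x{s['virsiz']:x} 0x{s['rawdsiz']:x} "
                     f"{s['ntrpy']:.2f} {s['md5']}")
    return "\n".join(lines)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(triage(blob))
```

The per-section entropy and MD5 are the parts worth reproducing locally: a section MD5 lets you match a file against a known clean copy even when the overall hash differs, and an entropy near 8 in a code section is the usual hint that the file is packed, whereas the 6.62 in the report's .text is ordinary compiled code.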