Re: New virus? Timelock, sys32.exe, sysUser32.exe, msexec32.dll

From: 'spam' -> 'mail' (spam.up@yours.com)
Date: 02/20/03



Thanks for the advice.

> You didn't mention which antivirus you're running and whether you recently
> updated your virus signature files. I'm assuming you've already done this,
> but if not, this should be done. www.grisoft.com is free.
>
Norton AV 2001, but the virus definitions were 1 day old.

> After this is done, you can try submitting the files to any antivirus vendor
> [preferably the one that makes your antivirus, or www.sarc.com] using the
> instructions on their web site.
>
I will if it seems to be a virus/trojan, but thinking all this over I think
I have installed a Chinese version of a 'lock program'.
However, this is what is weird about it:
- spontaneous installation while extracting the .exe
- no program files (the files appear to become part of the system)
- behaves similar to other trojans/viruses (search for sys32.exe and
  sysUser32.exe at Symantec's for instance)

> You could also try one or more anti-trojan scanners like www.pestpatrol.com
> if you haven't already. Note that their free mini-scanner just looks at
> listening ports and is not at all the same product as their full version.
>
1. There are so many of these specialised scanners.
2. NAV should detect viruses/trojans too (I hope).
3. It's doubtful whether it's a virus/trojan. I think it isn't. (But of
course I can be wrong.)
About the ports: no extra rules have been made, so in case of a trojan it
should abuse another service on my system. Possible.

> Here are some other things you could do to try to investigate whether or not
> this is malicious:
>
> http://securityadmin.info/faq.htm#hacked
>
I will look at this later today. There's so much information, I just saw.

> ... you could also try using strings which is free from
> www.foundstone.com/knowledge, and/or open the files up in Notepad,
>
I don't know what strings to use on what file in what program (there are
many, I just saw) and I have 6 'strange' files.

> and/or
> try running them with the /? switch by dragging them to a command prompt.
>
I haven't tried that yet, but that would mean I have to open/install these
files again. I will do this just before I re-install my OS (if needed).

> There are also articles on investigating trojans at www.cert.org [the article
> focuses on Unix if I remember correctly] and at
> http://online.securityfocus.com The book Incident Response also goes into
> some of these things... but all of these sources more or less say similar
> things to the URL above in different ways.
>
> However, if you installed this program yourself, I'm not sure I see anything
> here to indicate that this is anything other than a legitimate program.
>
I agree. But at first I really thought it was. What I have installed may also
be a combination of a Chinese 'service/app locker' and malicious code.

If people would like to investigate it: BEWARE!
(If this posting gets deleted from the group because I referred to
malicious code, I understand and apologise for it.)
I downloaded filelock.zip from
h**p://www.goldxinyi.com.cn/7005/LTA/DownLoad.htm (note this syntax!)

Again, thanks for the advice.

--------------------
Original posting:
> > I was looking for a program that enables applications/services for a while
> > after a user enters a password.
> >
> > I found the so-called 'Timelock'. In this first message I prefer not to give
> > the URL, because I hope you will not have the same problems:
> >
> > After I scanned the file and unpacked it, it suddenly started and seems
> > to have installed itself.
> > A screen popped up: all '?' chars in it and some buttons. Now it won't leave
> > my PC anymore. Never, it seems.
> >
> > In further research I found out that it was Chinese files that were installed:
> >
> > sys32.exe, sysUser32.exe, msexec32.dll, tlinvoff.tte, xmielkni.tte,
> > kwykcexu.tte
> >
> > I tried to 'clean the registry' of the names above. But in no time they're
> > back..
> > Later, in Safe Mode I managed to remove all files but one:
> >
> > msexec32.dll
> >
> > And from that time a new Windows '!' screen pops up with everything I
> > start/open. Reading from the next URL, I make out that my system is now
> > regularly telling me (in Chinese) that one of these files is missing.
> >
> > http://groups.google.com/groups?q="sysrun32.exe"&hl=en&lr=&ie=UTF-8&oe=UTF8&safe=off&selm=O1OF2cxkCHA.2632@tkmsftngp12
> >
> > I searched the whole internet for the files sys32 and sysUser32:
> >
> > - http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=020204-000001
> > looks like it.
> >
> > - http://securityresponse.symantec.com/avcenter/venc/data/backdoor.darksun.html
> > does too.
> >
> > Oh! In safe mode I could see that sys32 and sysUser32 are called
> > 'Administractor' v.nr. 4.3.1.46.
> >
> > Can anybody help me to get rid of the annoying popups or tell me whether it
> > looks like my PC is still infected?
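The reply above suggests running the `strings` tool over the suspicious files and looking for URLs, imported DLLs and registry paths. The following Python script is an added example, not part of this thread or of any tool named in it: it does what `strings` does (pulls out runs of printable text) and additionally recovers UTF-16LE "wide" strings, which Windows binaries use for resources and which a plain ASCII scan misses. The sample blob, the indicator patterns and the function names are constructed for illustration; pass a real file path as the first argument to run it on an actual file.

```python
import re
import sys
from typing import Dict, List

# Constructed sample "binary": a handful of bytes with a few embedded strings.
# This is NOT any of the files named in the thread, just a stand-in for testing.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    b"This program cannot be run in DOS mode.\r\n"
    b"\x00\x00\xff\xfe"
    b"KERNEL32.dll\x00\x01\x02"
    + "Locked Window".encode("utf-16-le")        # wide (UTF-16LE) string
    + b"\x00\x00hi\x00"                          # "hi" is too short to report
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    b"http://example.invalid/update\x00"
)


def extract_ascii_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of printable ASCII (0x20-0x7e) of at least min_len bytes, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def extract_wide_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of UTF-16LE text (printable ASCII byte followed by 0x00) of at least min_len chars."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


# Illustrative indicator patterns (assumed, not from the thread): things an analyst
# typically looks for first when triaging an unknown executable.
INDICATORS = {
    "url": re.compile(r"https?://", re.I),                 # network endpoints
    "dll_import": re.compile(r"\.dll$", re.I),             # libraries the file uses
    "run_key": re.compile(r"CurrentVersion\\Run", re.I),   # autostart persistence path
}


def triage(data: bytes, min_len: int = 4) -> Dict[str, List[str]]:
    """Extract ASCII and wide strings, then bucket the ones matching each indicator."""
    found = extract_ascii_strings(data, min_len) + extract_wide_strings(data, min_len)
    report = {name: [s for s in found if rx.search(s)] for name, rx in INDICATORS.items()}
    report["all"] = found
    return report


if __name__ == "__main__":
    # Usage: python strings_triage.py <file>   (falls back to the constructed sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    for name, hits in triage(blob).items():
        print(f"{name}: {hits}")
```

On the sample blob the script reports the DOS stub text, the KERNEL32.dll import, the Run-key path, the URL and the wide string "Locked Window"; a real file produces far more noise, so the indicator buckets are the part worth reading first. Opening the file in Notepad, as the reply also suggests, shows the same ASCII runs but none of the wide strings.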