Re: New virus? Timelock, sys32.exe, sysUser32.exe, msexec32.dll

From: 'spam' -> 'mail' (spam.up@yours.com)
Date: Thu, 20 Feb 2003 17:36:41 +0100

Problem is solved by translating parent directories and installing the
English version.

Tnx for the advice.

"'spam' -> 'mail'" <spam.up@yours.com> wrote in message
news:b32rek$pa0$1@news.hccnet.nl...
> Thanks for the advice.
>
> > You didn't mention which antivirus you're running and whether you
> > recently updated your virus signature files. I'm assuming you've
> > already done this, but if not, this should be done. www.grisoft.com
> > is free.
> >
> Norton AV 2001 but virusdef were 1 day old.
>
> > After this is done, you can try submitting the files to any antivirus
> > vendor [preferably the one that makes your antivirus, or www.sarc.com]
> > using the instructions on their web site.
> >
> I will if it seems to be a virus/trojan, but thinking all this over I
> think I have installed a Chinese version of a 'lock-program'.
> However this is weird about it:
> - spontaneous installation while extracting the .exe
> - no program-files (the files appear to become part of the system)
> - behaves similar to other trojans/viruses (search for sys32.exe and
>   sysUser32.exe at Symantec's for instance)
>
> > You could also try one or more anti-trojan scanners like
> > www.pestpatrol.com if you haven't already. Note that their free
> > mini-scanner just looks at listening ports and is not at all the same
> > product as their full version.
> >
> 1. There are so many of these specialised scanners.
> 2. NAV should detect a virus/trojans too (I hope)
> 3. It's doubtful whether it's a virus/trojan. I think it isn't. (But of
>    course I can be wrong.)
> About the ports: No extra rules have been made, so in case of a trojan it
> should abuse another service on my system. Possible.
>
> > Here are some other things you could do to try to investigate whether
> > or not this is malicious:
> >
> > http://securityadmin.info/faq.htm#hacked
> >
> I will look at this later today. There's so much information I just saw.
>
> > ... you could also try using strings which is free from
> > www.foundstone.com/knowledge, and/or open the files up in Notepad,
> >
> I don't know what strings to use of what file in what program (there are
> many I just saw) and I have 6 'strange' files.
>
> > and/or try running them with the /? switch by dragging them to a
> > command prompt.
> >
> I haven't tried that yet, but that would mean I have to open/install these
> files again. I will do this just before I re-install my OS (if needed).
>
> > There's also articles on investigating trojans at www.cert.org [the
> > article focuses on Unix if I remember correctly] and at
> > http://online.securityfocus.com The book Incident Response also goes
> > into some of these things... but all of these sources more or less say
> > similar things to the URL above in different ways.
> >
> > However, if you installed this program yourself, I'm not sure I see
> > anything here to indicate that this is anything other than a legitimate
> > program.
> >
> I agree. But first I really thought it was. What I have installed may also
> be a combination of a Chinese 'service/app-locker' and malicious code.
>
> If people like to investigate it: BEWARE!
> (If this posting will be deleted from the group because I referred to
> malicious code, I understand and apologise for it.)
> I downloaded filelock.zip from
> h**p://www.goldxinyi.com.cn/7005/LTA/DownLoad.htm (note this syntax!)
>
> Again thanks for the advice.
>
>
> --------------------
> Original posting:
> > > I was looking for a program that enables applications/services for a
> > > while after a user enters a password.
> > >
> > > I found so-called 'Timelock'. In this first message I prefer not to
> > > give the URL, because I do not hope you will have the same problems:
> > >
> > > After I scanned the file and unpacked it, it suddenly started and
> > > seems to have installed itself.
> > > A screen popped up: All '?'-chars in it and some buttons. Now it won't
> > > leave my pc anymore. Never it seems.
> > >
> > > In further research I found out they were Chinese files that were
> > > installed:
> > >
> > > sys32.exe, sysUser32.exe, msexec32.dll, tlinvoff.tte, xmielkni.tte,
> > > kwykcexu.tte
> > >
> > > I tried to 'clean the register' from the names above. But in no time
> > > they're back..
> > > Later, in Safe Mode I managed to remove all files but one:
> > >
> > > msexec32.dll
> > >
> > > And from that time a new Windows '!'-screen pops up with everything I
> > > start/open. Reading from the next URL, I make up that my system is now
> > > regularly telling me (in Chinese) that one of these files is missing.
> > >
> > > http://groups.google.com/groups?q="sysrun32.exe"&hl=en&lr=&ie=UTF-8&oe=UTF8&safe=off&selm=O1OF2cxkCHA.2632@tkmsftngp12
> > >
> > > I searched the whole internet for the files sys32 and sysUser32:
> > >
> > > - http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_refno=020204-000001
> > >   looks like it.
> > >
> > > - http://securityresponse.symantec.com/avcenter/venc/data/backdoor.darksun.html
> > >   does too.
> > >
> > > Oh! In safe mode I could see that sys32 and sysUser32 are called
> > > 'Administractor' v.nr. 4.3.1.46.
> > >
> > > Can anybody help me to get rid of the annoying popups or tell me
> > > whether it looks like my pc is still infected?
>
>

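The helper's suggestion in the thread to run the Foundstone `strings` tool over the unknown files, rather than executing them with `/?`, is shown below as an added example that is not part of the thread and not the Foundstone tool itself. It extracts printable ASCII and UTF-16LE runs from a file (the way `strings` does, without running anything), then flags the kinds of strings worth a second look when triaging files like the ones named in the post: URLs, autorun registry paths, version strings and the file names listed in the original posting. `SAMPLE_BINARY` is constructed for the example and is not one of the real files; the indicator patterns and the `SUSPECT_NAMES` list are assumptions for illustration, not a detection signature.

```python
import re
import sys
from typing import Dict, List

# Constructed sample "binary": a few printable runs embedded in junk bytes.
# It is NOT the file from the thread; it only gives the extractor something
# realistic to chew on (DOS stub text, a registry path, a file name, a URL,
# a UTF-16 resource string and a version number).
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"This program cannot be run in DOS mode.\r\n$\x00\x00\x00"
    b"\x01\x02ab\x03"                               # too short to be a string
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    b"sysUser32.exe\x00\x7f\x80\x81"
    b"http://www.example.invalid/update.htm\x00\x90"  # \x90 breaks the UTF-16 run
    + "Administractor".encode("utf-16-le") + b"\x00\x00"
    + b"4.3.1.46\x00"
)

# File names quoted in the original posting (assumption: we only use them as
# things to look for in strings output, not as a verdict on the file).
SUSPECT_NAMES = {
    "sys32.exe", "sysuser32.exe", "msexec32.dll",
    "tlinvoff.tte", "xmielkni.tte", "kwykcexu.tte",
}

# Categories of strings a defender usually wants surfaced first (assumed list).
INDICATOR_PATTERNS = {
    "url": re.compile(r"https?://\S+|\bwww\.\S+", re.I),
    "autorun_key": re.compile(r"CurrentVersion\\Run(?:Once)?\b", re.I),
    "version": re.compile(r"^\d+(?:\.\d+){2,3}$"),
}


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return printable ASCII runs, then UTF-16LE runs, of at least min_len chars.

    This is a pure read of the bytes: nothing in the file is executed.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in utf16_re.finditer(data)]
    return found


def flag_indicators(strings: List[str]) -> Dict[str, List[str]]:
    """Bucket extracted strings by the indicator category they match."""
    hits: Dict[str, List[str]] = {k: [] for k in INDICATOR_PATTERNS}
    hits["suspect_name"] = []
    for s in strings:
        low = s.lower()
        if any(name in low for name in SUSPECT_NAMES):
            hits["suspect_name"].append(s)
        for kind, pat in INDICATOR_PATTERNS.items():
            if pat.search(s):
                hits[kind].append(s)
    return hits


def triage(data: bytes, min_len: int = 4) -> Dict[str, List[str]]:
    """Convenience wrapper: strings -> indicator buckets, plus the full list."""
    strings = extract_strings(data, min_len)
    report = flag_indicators(strings)
    report["all_strings"] = strings
    return report


if __name__ == "__main__":
    # Usage: python triage_strings.py [file]; with no argument the constructed
    # sample is analysed so the script runs offline.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    result = triage(blob)
    for kind in ("url", "autorun_key", "version", "suspect_name"):
        for s in result[kind]:
            print(f"{kind:13s} {s}")
    print(f"{len(result['all_strings'])} strings total")
```

Reading a file this way is safe to do on the original machine because it never loads or runs the binary; a string such as a `CurrentVersion\Run` path is a hint that the program registers itself to start at boot (which would explain files that "come back" after a registry clean), while a URL hints at something the program talks to, but neither proves malice on its own, which is the same caution the helper in the thread gives.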
