Possibly Unknown Virus? Care to help me analyze?!?

From: Jeremy Junginger (jjat_private)
Date: Mon Mar 10 2003 - 10:44:29 PST


    Hey guys, I have come upon a funny little virus that's hogging CPU
    cycles and basically creating a DoS condition on a Windows XP machine.
    There were a couple of classic symptoms:
    
    hklm\software\microsoft\windows\current version\run\onylje.exe
    
    c:\Documents and Settings\All Users\Start
    Menu\Programs\Startup\onylje.exe
    
    This executable appears to be a pseudo-random name, and it called
    another file within the same directory called pcoo.exe.  These two
    processes showed up in task manager, and gobbled up all the CPU cycles.
    I also saw some other weird things under task manager.  These two
    processes appeared to be keeping Norton from launching:
    
    ~A.exe
    After I killed this one, ~9.exe appeared.  Again, this looks like a
    pseudo-random name for these processes.  I have run strings against
    the executables, and saw some Delphi B.S. in there as well as the
    following strings:
    
    <Cut from running "strings onylje.exe">
    KERNEL32.DLL
    ADVAPI32.dll
    MPR.dll
    SHELL32.dll
    USER32.dll
    WSOCK32.dll
    LoadLibraryA
    GetProcAddress
    ExitProcess
    RegCloseKey
    WNetAddConnection2A
    ShellExecuteA
    PeekMessageA
    </Cut>
    
    <Cut from running "strings pcoo.exe">
    KERNEL32.DLL
    ADVAPI32.dll
    MPR.dll
    SHELL32.dll
    USER32.dll
    WSOCK32.dll
    LoadLibraryA
    GetProcAddress
    ExitProcess
    RegCloseKey
    WNetAddConnection2A
    ShellExecuteA
    PeekMessageA
    </Cut>
    
    Both files are 69K, and may very well be the same executable referred to
    by different names.  The output from running strings against these are
    identical as far as I can tell.  
    
    Perhaps one of you guys might have a suggestion for disassembling the
    executables and taking a closer look.  This may be a common virus, but
    Norton doesn't recognize it and I'd like to know for sure what it is.  I
    can get you the file upon request.  Thanks,
    
    -Jeremy
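A small offline triage helper for the question the post leaves open (whether onylje.exe and pcoo.exe are the same binary under two names, and what the shared import names suggest). This is an added example, not code from the original post or from any tool mentioned in it; it reimplements the `strings` heuristic (runs of four or more printable ASCII bytes) and compares two files by hash, size and extracted strings. The sample bytes are constructed stand-ins built from the import names shown in the post, since the real executables are not on the page.

```python
"""Offline triage of two suspect executables: hash them, pull printable
strings the way `strings` does, and compare the results.

Added example, not part of the original post. Sample bytes are
constructed below; the real onylje.exe / pcoo.exe are not included."""
import hashlib
import re
from typing import Dict, List

# Import names that appeared in the post's strings output. Their presence
# is a hint about capability (networking, registry, launching programs),
# not proof of malice: plenty of legitimate Delphi programs import these.
NOTABLE_IMPORTS = {
    "WNetAddConnection2A": "maps network shares via MPR.dll (worth checking share activity)",
    "ShellExecuteA": "launches other programs (matches onylje.exe starting pcoo.exe)",
    "WSOCK32.dll": "Winsock networking",
    "RegCloseKey": "registry access (consistent with the Run-key entry)",
}


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Same heuristic as the `strings` tool: runs of printable ASCII of
    at least min_len bytes, in file order."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def notable_hits(strings: List[str]) -> Dict[str, str]:
    """Which of the notable import names occur in the extracted strings."""
    return {s: NOTABLE_IMPORTS[s] for s in strings if s in NOTABLE_IMPORTS}


def compare_samples(a: bytes, b: bytes) -> dict:
    """Answer the post's question: are the two files the same executable?
    Identical hashes settle it; identical strings with different bytes
    means same code but something (e.g. padding or embedded data) differs."""
    strings_a, strings_b = extract_strings(a), extract_strings(b)
    return {
        "sha256_a": sha256_hex(a),
        "sha256_b": sha256_hex(b),
        "identical_bytes": sha256_hex(a) == sha256_hex(b),
        "same_size": len(a) == len(b),
        "identical_strings": strings_a == strings_b,
        "strings_only_in_a": sorted(set(strings_a) - set(strings_b)),
        "strings_only_in_b": sorted(set(strings_b) - set(strings_a)),
        "notable": notable_hits(sorted(set(strings_a) | set(strings_b))),
    }


def build_sample(extra: bytes = b"") -> bytes:
    """Constructed stand-in for a PE file: import-table-like names separated
    by non-printable padding, plus an optional differing tail. The 'ab'
    fragment is deliberately too short to count as a string."""
    names = [b"KERNEL32.DLL", b"WSOCK32.dll", b"LoadLibraryA",
             b"WNetAddConnection2A", b"ShellExecuteA", b"\x01ab\x02"]
    return b"\x00\x00".join(names) + b"\x00" + extra


if __name__ == "__main__":
    # Two constructed "files": same strings, different trailing bytes.
    report = compare_samples(build_sample(), build_sample(b"\x00\x01\x02"))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against the two real files by replacing the constructed samples with `open(path, "rb").read()` on an isolated analysis machine. If `identical_bytes` is true the two names are one executable; if only `identical_strings` is true, diff the bytes next, because identical import lists are exactly what two builds of the same Delphi program would show.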
    
    



    This archive was generated by hypermail 2b30 : Mon Mar 10 2003 - 12:04:35 PST