This is getting pretty fun. Check this out. In addition to these two (or four) files, we have noticed that there are several other "interesting" characteristics. The following Reg Keys have been modified:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"W1N32.DLL"="C:\\WINDOWS\\WINLOGON .exe" (Note the space)
"Windows Explorer"="Explorer .exe" (Note the space)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Explorer"="Explorer .exe" (Again, note the space)

We found the files that these keys refer to and I'm taking a look at them. If you would like to get a copy, let me know, and I'll get it out to you on request.

Thanks again for the many helpful responses I've received. What a fun way to spend a Monday! ;-)

-Jeremy

-----Original Message-----
From: Jeremy Junginger
Sent: Monday, March 10, 2003 11:44 AM
To: incidentsat_private
Subject: Possibly Unknown Virus? Care to help me analyze?!?

Hey guys,

I have come upon a funny little virus that's hogging CPU cycles and basically creating a DoS condition on a Windows XP machine. There were a couple of classic symptoms:

hklm\software\microsoft\windows\current version\run\onylje.exe
c:\Documents and Settings\All Users\Start Menu\Programs\Startup\onylje.exe

This executable appears to be a pseudo-random name, and it called another file within the same directory called pcoo.exe. These two processes showed up in task manager, and gobbled up all the CPU cycles.

I also saw some other weird things under task manager. These two processes appeared to be keeping Norton from launching:

~A.exe

After I killed this one, ~9.exe appeared. Again, this looks like a pseudo-random name for these processes.

I have run strings against the executables, and saw some Delphi B.S. in there as well as the following strings:

<Cut from running "strings onylje.exe">
KERNEL32.DLL
ADVAPI32.dll
MPR.dll
SHELL32.dll
USER32.dll
WSOCK32.dll
LoadLibraryA
GetProcAddress
ExitProcess
RegCloseKey
WNetAddConnection2A
ShellExecuteA
PeekMessageA
</Cut>

<Cut from running "strings pcoo.exe">
KERNEL32.DLL
ADVAPI32.dll
MPR.dll
SHELL32.dll
USER32.dll
WSOCK32.dll
LoadLibraryA
GetProcAddress
ExitProcess
RegCloseKey
WNetAddConnection2A
ShellExecuteA
PeekMessageA
</Cut>

Both files are 69K, and may very well be the same executable referred to by different names. The output from running strings against these is identical as far as I can tell. Perhaps one of you guys might have a suggestion for disassembling the executables and taking a closer look. This may be a common virus, but Norton doesn't recognize it and I'd like to know for sure what it is. I can get you the file upon request.

Thanks,
-Jeremy
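A defender-side check for the kind of autostart entries described in this thread, added here as an example and not part of the original messages: it parses a .reg-style export (a constructed sample modelled on the quoted keys, plus a made-up benign "ExampleUpdater" entry for contrast) and flags image names with whitespace before the extension, bare system-binary names that rely on the search path, and system-binary names living outside their canonical directory. The Windows directory is assumed to be C:\Windows and is passed as a parameter.

```python
import re
from pathlib import PureWindowsPath

# Well-known system binaries and the directory (under the Windows directory)
# where the genuine file lives; "" means the Windows directory itself.
SYSTEM_BINARIES = {"winlogon.exe": "system32", "explorer.exe": "",
                   "svchost.exe": "system32", "lsass.exe": "system32"}

# Constructed .reg-style export modelled on the entries quoted in the thread;
# "ExampleUpdater" is a made-up benign entry so the audit has something to pass.
SAMPLE_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"W1N32.DLL"="C:\\WINDOWS\\WINLOGON .exe"
"Windows Explorer"="Explorer .exe"
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Explorer"="Explorer .exe"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Image path ends at the first .exe/.com/... that is followed by a quote, space or end.
IMAGE_RE = re.compile(r'^"?(.*?\.(?:exe|com|scr|pif|bat|cmd))(?=["\s]|$)', re.I)

def parse_values(reg_text):
    """Yield (key, value_name, command) for each string value in a .reg export."""
    key = None
    for line in (l.strip() for l in reg_text.splitlines()):
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif key and (m := VALUE_RE.match(line)):
            # .reg files escape backslashes and quotes with a backslash; undo that.
            yield key, re.sub(r"\\(.)", r"\1", m.group(1)), re.sub(r"\\(.)", r"\1", m.group(2))

def audit_entry(command, windows_dir=r"C:\Windows"):
    """Return the reasons an autostart command looks like a system-binary masquerade."""
    m = IMAGE_RE.match(command)
    if not m:
        return []
    image, reasons = PureWindowsPath(m.group(1)), []
    if re.search(r"\s", image.name):
        reasons.append("whitespace inside file name %r" % image.name)
    canon = SYSTEM_BINARIES.get(re.sub(r"\s+", "", image.name).lower())
    if canon is not None:
        if not image.parent.parts:
            reasons.append("system binary name given without a path")
        elif image.parent != PureWindowsPath(windows_dir) / canon:
            reasons.append("system binary name outside its canonical directory")
    return reasons

def audit_export(reg_text, windows_dir=r"C:\Windows"):
    """List (key, value_name, command, reasons) for every flagged autostart entry."""
    return [(k, n, c, r) for k, n, c in parse_values(reg_text) if (r := audit_entry(c, windows_dir))]

if __name__ == "__main__":
    for key, name, command, reasons in audit_export(SAMPLE_REG_EXPORT):
        print(f"[{key}] {name} -> {command}: {'; '.join(reasons)}")
```

Running it against the sample flags the three masquerading entries and leaves the benign one alone; a real export from `reg export` (saved as UTF-8) can be fed in the same way.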
This archive was generated by hypermail 2b30 : Mon Mar 10 2003 - 14:12:15 PST