RE: Possibly Unknown Virus? Care to help me analyze?!?

From: Arnold, Jamie (harnoldat_private)
Date: Mon Mar 10 2003 - 16:55:34 PST

    Kinda sounds like elkern.
    
    "Imagination is more important than knowledge"
     
    Albert Einstein
    
    
    -----Original Message-----
    From: Jeremy Junginger [mailto:jjat_private] 
    Sent: Monday, March 10, 2003 1:44 PM
    To: incidentsat_private
    Subject: Possibly Unknown Virus? Care to help me analyze?!?
    
    
    Hey guys, I have come upon a funny little virus that's hogging CPU cycles
    and basically creating a DoS condition on a Windows XP machine. There were a
    couple of classic symptoms:
    
    hklm\software\microsoft\windows\current version\run\onylje.exe
    
    c:\Documents and Settings\All Users\Start Menu\Programs\Startup\onylje.exe
    
    This executable appears to be a pseudo-random name, and it called another
    file within the same directory called pcoo.exe.  These two processes showed
    up in task manager, and gobbled up all the CPU cycles. I also saw some other
    weird things under task manager.  These two processes appeared to be keeping
    Norton from launching:
    
    ~A.exe
    After I killed this one, ~9.exe appeared.  Again, this looks like a pseudo-random name for these
    processes.  I have run strings against the executables, and saw some Delphi
    B.S. in there as well as the following strings:
    
    <Cut from running "strings onylje.exe">
    KERNEL32.DLL
    ADVAPI32.dll
    MPR.dll
    SHELL32.dll
    USER32.dll
    WSOCK32.dll
    LoadLibraryA
    GetProcAddress
    ExitProcess
    RegCloseKey
    WNetAddConnection2A
    ShellExecuteA
    PeekMessageA
    </Cut>
    
    <Cut from running "strings pcoo.exe">
    KERNEL32.DLL
    ADVAPI32.dll
    MPR.dll
    SHELL32.dll
    USER32.dll
    WSOCK32.dll
    LoadLibraryA
    GetProcAddress
    ExitProcess
    RegCloseKey
    WNetAddConnection2A
    ShellExecuteA
    PeekMessageA
    </Cut>
    
    Both files are 69K, and may very well be the same executable referred to by
    different names.  The output from running strings against these are
    identical as far as I can tell.  
    
    Perhaps one of you guys might have a suggestion for disassembling the
    executables and taking a closer look.  This may be a common virus, but
    Norton doesn't recognize it and I'd like to know for sure what it is.  I can
    get you the file upon request.  Thanks,
    
    -Jeremy
    
    
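As an added example (not part of the thread, and not the poster's own tooling), a short Python script that does what Jeremy did by hand for onylje.exe and pcoo.exe: pull `strings`-style printable runs out of two suspect files, compare the string sets, and put hashes and byte equality next to that comparison, because identical strings output does not prove the two files are the same executable. The sample bytes are constructed from the import names quoted in the post, and the function names `compare_samples` and `capability_hints` are my own.

```python
import hashlib
import re

# Minimum printable-run length; 4 is the default of the `strings` tool used in the post.
MIN_LEN = 4

def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Return runs of at least min_len printable-ASCII bytes, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]

def compare_samples(a: bytes, b: bytes) -> dict:
    """Triage two suspect files: identical string sets do not prove identical files,
    so report hashes and byte equality alongside the string comparison."""
    sa, sb = set(extract_strings(a)), set(extract_strings(b))
    return {
        "sha256_a": hashlib.sha256(a).hexdigest(),
        "sha256_b": hashlib.sha256(b).hexdigest(),
        "same_size": len(a) == len(b),
        "byte_identical": a == b,
        "strings_identical": sa == sb,
        "only_in_a": sorted(sa - sb),
        "only_in_b": sorted(sb - sa),
    }

# Imports quoted in the post, with what each one lets a program do (analyst triage notes).
CAPABILITY_HINTS = {
    "WNetAddConnection2A": "connects to network shares (a common way to reach other hosts)",
    "ShellExecuteA": "launches other programs (fits onylje.exe starting pcoo.exe)",
    "WSOCK32.dll": "Winsock networking",
    "RegCloseKey": "uses the registry (fits the Run key entry seen on the machine)",
}

def capability_hints(data: bytes) -> dict:
    """Map the imports present in a sample to the triage note for each."""
    found = set(extract_strings(data))
    return {name: note for name, note in CAPABILITY_HINTS.items() if name in found}

# Constructed stand-ins for onylje.exe and pcoo.exe: the same import names separated by NUL
# bytes, differing only in one trailing non-printable byte, so `strings` output matches but hashes do not.
IMPORTS = [b"KERNEL32.DLL", b"ADVAPI32.dll", b"MPR.dll", b"SHELL32.dll", b"USER32.dll",
           b"WSOCK32.dll", b"LoadLibraryA", b"GetProcAddress", b"ExitProcess", b"RegCloseKey",
           b"WNetAddConnection2A", b"ShellExecuteA", b"PeekMessageA"]
ONYLJE = b"\x00".join(IMPORTS) + b"\x00\x01"
PCOO = b"\x00".join(IMPORTS) + b"\x00\x02"

if __name__ == "__main__":
    for key, value in compare_samples(ONYLJE, PCOO).items():
        print(f"{key}: {value}")
    print(capability_hints(ONYLJE))
```

On real samples, read the two files in binary mode and pass their contents to `compare_samples`; a "strings_identical" result with differing hashes is the case the post describes and is worth keeping both files for.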



    This archive was generated by hypermail 2b30 : Tue Mar 11 2003 - 08:17:54 PST