RE: Possibly Unknown Virus? Care to help me analyze?!?

From: Arnold, Jamie (harnoldat_private)
Date: Mon Mar 10 2003 - 16:55:34 PST

Next message: Darwin: "Re: UPDATE: Possibly Unknown Virus? Care to help me analyze?!?"

Previous message: Curt Wilson: "Re: [Full-Disclosure] Bypassing Black Ice PC protection?"
Maybe in reply to: Jeremy Junginger: "Possibly Unknown Virus? Care to help me analyze?!?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Kinda sounds like elkern.

"Imagination is more important than knowledge"
 
Albert Einstein


-----Original Message-----
From: Jeremy Junginger [mailto:jjat_private] 
Sent: Monday, March 10, 2003 1:44 PM
To: incidentsat_private
Subject: Possibly Unknown Virus? Care to help me analyze?!?


Hey guys, I have come upon a funny little virus that's hogging CPU cycles
and basically creating a DoS condition on a Windows XP machine. There were a
couple of classic symptoms:

hklm\software\microsoft\windows\current version\run\onylje.exe

c:\Documents and Settings\All Users\Start Menu\Programs\Startup\onylje.exe

This executable appears to be a pseudo-randum name, and it called another
file within the same directory called pcoo.exe.  These two processes showed
up in task manager, and gobbled up all the CPU cycles. I also saw some other
weird things under task manager.  These two processes appeared to be keeping
Norton from launching:

~A.exe
After I killed this one, 
~9.exe appeared.  Again, this looks like a pseudo-random name for these
processes.  I have run strings against the executables, and saw some Delphi
B.S. in there as well as the following strings:

<Cut from running "strings onylje.exe">
KERNEL32.DLL
ADVAPI32.dll
MPR.dll
SHELL32.dll
USER32.dll
WSOCK32.dll
LoadLibraryA
GetProcAddress
ExitProcess
RegCloseKey
WNetAddConnection2A
ShellExecuteA
PeekMessageA
</Cut>

<Cut from running "strings pcoo.exe">
KERNEL32.DLL
ADVAPI32.dll
MPR.dll
SHELL32.dll
USER32.dll
WSOCK32.dll
LoadLibraryA
GetProcAddress
ExitProcess
RegCloseKey
WNetAddConnection2A
ShellExecuteA
PeekMessageA
</Cut>

Both files are 69K, and may very well be the same executable referred to by
different names.  The output from running strings against these are
identical as far as I can tell.  

Perhaps one of you guys might have a suggestion for dissassembling the
executables and taking a closer look.  This may be a common virus, but
Norton doesn't recognize it and I'd like to know for sure what it is.  I can
get you the file upon request.  Thanks,

-Jeremy

----------------------------------------------------------------------------

<Pre>Lose another weekend managing your IDS?
Take back your personal time.
15-day free trial of StillSecure Border Guard.</Pre>
<A href="http://www.securityfocus.com/stillsecure">
http://www.securityfocus.com/stillsecure </A>




----------------------------------------------------------------------------

<Pre>Lose another weekend managing your IDS?
Take back your personal time.
15-day free trial of StillSecure Border Guard.</Pre>
<A href="http://www.securityfocus.com/stillsecure"> http://www.securityfocus.com/stillsecure </A>

Next message: Darwin: "Re: UPDATE: Possibly Unknown Virus? Care to help me analyze?!?"
Previous message: Curt Wilson: "Re: [Full-Disclosure] Bypassing Black Ice PC protection?"
Maybe in reply to: Jeremy Junginger: "Possibly Unknown Virus? Care to help me analyze?!?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Mar 11 2003 - 08:17:54 PST