This is what I found from the files you sent me:

----- Original Message -----
From: "Jeremy Junginger" <jjat_private>

> c:\Documents and Settings\All Users\Start Menu\Programs\Startup\onylje.exe

Seems to be a copy of pcoo.exe. Contains IRC commands, most certainly includes an IRC client embedded.

Possibly a variant of "Randon":
http://www.viruslist.com/eng/index.html?tnews=1001&id=59750
or a variant of the Agobot worm:
http://www.alerta-antivirus.es/virus/detalle_virus.html?cod=2307

Many references to antivirus processes - most certainly to locate and kill them. Possibly a variant of Trojan.KKiller.
http://securityresponse.symantec.com/avcenter/venc/data/trojan.kkiller.html
The Trojan.KKiller Trojan Horse terminates many processes, including those of popular antivirus and firewall programs. It also modifies a registry key, so that it runs when you try to execute any .exe file.

Includes a reference to advapi in the body. Maybe a variant of Backdoor.IE_Patch.
http://www.f-secure.com/v-descs/ie_patch.shtml
"Capabilities of IE_Patch backdoor include sending and receiving data (files), monitoring of existing application windows, listening to keystrokes. The backdoor has an empty e-mail form inside."

Found also the word "Buag", maybe a nickname or a reference.
BUAG // n. [abbreviation, from alt.fan.warlord] Big Ugly ASCII Graphic. Pejorative term for ugly ASCII art, especially as found in sig blocks. For some reason, mutations of the head of Bart Simpson are particularly common in the least imaginative sig blocks. See warlording.
http://www.antionline.com/jargon/BUAG.php

> task manager. These two processes appeared to be keeping Norton from launching:

See the article about Trojan.KKiller.

> <Cut from running "strings onylje.exe">
> ADVAPI32.dll

Maybe it's a genuine reference to the dll, but just in case check the article about Backdoor.IE_Patch.

Overall it seems like a pack of old worms reassembled in a new one.
I think the threads "New ddos client" and "New virus outbreak" are also dealing with something similar to this.

Also Bitdefender, the antivirus I'm currently using, did not identify anything wrong with the files you sent me. Can you possibly send me a suspicious executable?

Cheers,
Paulo
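The strings-based triage described in the message, as an added example that is not part of the original thread: it pulls printable runs out of a constructed stand-in byte blob (not the real onylje.exe) the way `strings` would, then buckets them against illustrative watchlists for IRC verbs, security-product process names and registry API imports so an analyst can see at a glance why a sample looks like an IRC bot with AV-killing and autorun behaviour. The watchlist entries, the sample bytes and the function names are all assumptions.

```python
import re
from collections import defaultdict

# Constructed stand-in for a suspicious binary: junk bytes with a few printable
# strings embedded, mimicking what `strings` sees. Not the real sample.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    b"ADVAPI32.dll\x00RegSetValueExA\x00"
    b"\x01\x02\x03NICK %s\x00JOIN #%s\x00PRIVMSG\x00"
    b"\x7f\x80navapw32.exe\x00zonealarm.exe\x00"
    b"Buag\x00\x00\x00"
)

# Illustrative watchlists (assumed, not exhaustive): what each bucket suggests.
WATCHLIST = {
    "irc_command": {"NICK", "JOIN", "PRIVMSG", "PING", "PONG", "USER"},
    "av_process": {"navapw32.exe", "zonealarm.exe"},
    "registry_api": {"advapi32.dll", "RegSetValueExA", "RegCreateKeyExA"},
}
MEANING = {
    "irc_command": "embedded IRC client, likely bot-style remote control",
    "av_process": "names of security products, likely to locate and kill them",
    "registry_api": "registry write capability, consistent with autorun changes",
}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return printable-ASCII runs of at least min_len bytes, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def classify(strings) -> dict:
    """Map each watchlist category to the set of strings that matched it."""
    hits = defaultdict(set)
    for s in strings:
        for category, needles in WATCHLIST.items():
            if any(needle.lower() in s.lower() for needle in needles):
                hits[category].add(s)
    return dict(hits)


def triage(data: bytes) -> dict:
    """Return {'hits': ..., 'assessment': [...]} for an in-memory sample."""
    hits = classify(extract_strings(data))
    return {"hits": hits, "assessment": [MEANING[c] for c in MEANING if c in hits]}


if __name__ == "__main__":
    for line in triage(SAMPLE)["assessment"]:
        print("-", line)
```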
This archive was generated by hypermail 2b30 : Tue Mar 11 2003 - 08:21:39 PST