Is this a virus / trojan / worm ?

[frank]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Hello,

Sorry if this is not the right group.

Someone who works for me received an email today with a zip file attachment
called "Original.zip" with the subject line "This picture is sent on SMS"
Inside the zip was a file called "F5434.EXE"

Even though I have warned this person again and again about opening zips
from unknown parties and running unknown executable files the idiot unzipped
the file and ran the exe.
At least he had the common sense to unplug his PC from the network when he
realized what he did.
I copied the zip to a 3-1/2" floppy and then copied it to a PC not on the
network but with Symantec current virus defs (June 22/05)
SAV reports no infection.

The funny thing is that the icon for the file is that of a jpeg.

If I run the exe it does nothing (that I can see) but it does show up in the
Task Manager as a running process. It runs for a short while then
drwatsn32.exe starts running and soon all the desktop icons disappear and
then reappear. At this point the F5434.EXE is no longer running nor is
drwatsn32.EXE.

If I look in the EventVwr it says "The application c:\windows\explorer.exe
generated an application error. The error occurred on (The Date) at (The
Time). The exception generated was 80000007 at 00000000 (ntdll!
KilFastSystemCallRet)
The next event in the Event Vwr "The shell stopped unexpectedly and
Explorer.exe was restarted"

Does anyone have a clue about what this is? I've searched with Google, I
searched at Symantec.com with no luck at all.

Thanks
Frank Klassen

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

"Frank" <someone@microsoft.com> wrote in message
news:O$HRyU3eFHA.2420@TK2MSFTNGP10.phx.gbl...
> Hello,
>
> Sorry if this is not the right group.
>
> Someone who works for me received an email today with a zip file
> attachment called "Original.zip" with the subject line "This picture is
> sent on SMS"
> Inside the zip was a file called "F5434.EXE"
>
> Even though I have warned this person again and again about opening zips
> from unknown parties and running unknown executable files the idiot
> unzipped the file and ran the exe.
> At least he had the common sense to unplug his PC from the network when he
> realized what he did.
> I copied the zip to a 3-1/2" floppy and then copied it to a PC not on the
> network but with Symantec current virus defs (June 22/05)
> SAV reports no infection.
>
> The funny thing is that the icon for the file is that of a jpeg.
>
> If I run the exe it does nothing (that I can see) but it does show up in
> the Task Manager as a running process. It runs for a short while then
> drwatsn32.exe starts running and soon all the desktop icons disappear and
> then reappear. At this point the F5434.EXE is no longer running nor is
> drwatsn32.EXE.
>
> If I look in the EventVwr it says "The application c:\windows\explorer.exe
> generated an application error. The error occurred on (The Date) at (The
> Time). The exception generated was 80000007 at 00000000 (ntdll!
> KilFastSystemCallRet)
> The next event in the Event Vwr "The shell stopped unexpectedly and
> Explorer.exe was restarted"
>
> Does anyone have a clue about what this is? I've searched with Google, I
> searched at Symantec.com with no luck at all.
>
> Thanks
> Frank Klassen
>
>
>

It is a new variation of the bagle virus.

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129512

Kerry

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

From: "Frank" <someone@microsoft.com>

| Hello,
|
| Sorry if this is not the right group.
|
| Someone who works for me received an email today with a zip file attachment
| called "Original.zip" with the subject line "This picture is sent on SMS"
| Inside the zip was a file called "F5434.EXE"
|
| Even though I have warned this person again and again about opening zips
| from unknown parties and running unknown executable files the idiot unzipped
| the file and ran the exe.
| At least he had the common sense to unplug his PC from the network when he
| realized what he did.
| I copied the zip to a 3-1/2" floppy and then copied it to a PC not on the
| network but with Symantec current virus defs (June 22/05)
| SAV reports no infection.
|
| The funny thing is that the icon for the file is that of a jpeg.
|
| If I run the exe it does nothing (that I can see) but it does show up in the
| Task Manager as a running process. It runs for a short while then
| drwatsn32.exe starts running and soon all the desktop icons disappear and
| then reappear. At this point the F5434.EXE is no longer running nor is
| drwatsn32.EXE.
|
| If I look in the EventVwr it says "The application c:\windows\explorer.exe
| generated an application error. The error occurred on (The Date) at (The
| Time). The exception generated was 80000007 at 00000000 (ntdll!
| KilFastSystemCallRet)
| The next event in the Event Vwr "The shell stopped unexpectedly and
| Explorer.exe was restarted"
|
| Does anyone have a clue about what this is? I've searched with Google, I
| searched at Symantec.com with no luck at all.
|
| Thanks
| Frank Klassen
|

There are anti virus News Groups specifically for this type of discussion.

microsoft.public.scripting.virus.discussion
microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus

As Frank note it is most likely a new Bagle variant.

* * You NEVER, ever, run an EXE attachment if you don't expect it ! * *

NOW you have an infected computer !

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } two batch files, four Kixtart scripts, one Link
(.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using up to 3 different Anti Virus Command Line Scanners to remove
viruses and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
On Win9x/ME the choices are; Trend, McAfee, Exit the menu and Reboot the PC
On NT4, Win2k, WinXP and Win2003 Server the choices are; Sophos, Trend, McAfee, Exit the
menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE and/or FTP.EXE to go
through your FireWall to allow them to download the needed AV vendor related files.

* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:eIqnKG%23eFHA.2732@TK2MSFTNGP14.phx.gbl...
> From: "Frank" <someone@microsoft.com>
>
> | Hello,
> |
> | Sorry if this is not the right group.
> |
> | Someone who works for me received an email today with a zip file
attachment
> | called "Original.zip" with the subject line "This picture is sent on
SMS"
> | Inside the zip was a file called "F5434.EXE"
> |
> | Even though I have warned this person again and again about opening zips
> | from unknown parties and running unknown executable files the idiot
unzipped
> | the file and ran the exe.
> | At least he had the common sense to unplug his PC from the network when
he
> | realized what he did.
> | I copied the zip to a 3-1/2" floppy and then copied it to a PC not on
the
> | network but with Symantec current virus defs (June 22/05)
> | SAV reports no infection.
> |
> | The funny thing is that the icon for the file is that of a jpeg.
> |
> | If I run the exe it does nothing (that I can see) but it does show up in
the
> | Task Manager as a running process. It runs for a short while then
> | drwatsn32.exe starts running and soon all the desktop icons disappear
and
> | then reappear. At this point the F5434.EXE is no longer running nor is
> | drwatsn32.EXE.
> |
> | If I look in the EventVwr it says "The application
c:\windows\explorer.exe
> | generated an application error. The error occurred on (The Date) at (The
> | Time). The exception generated was 80000007 at 00000000 (ntdll!
> | KilFastSystemCallRet)
> | The next event in the Event Vwr "The shell stopped unexpectedly and
> | Explorer.exe was restarted"
> |
> | Does anyone have a clue about what this is? I've searched with Google,
I
> | searched at Symantec.com with no luck at all.
> |
> | Thanks
> | Frank Klassen
> |
>
> There are anti virus News Groups specifically for this type of discussion.
>
> microsoft.public.scripting.virus.discussion
> microsoft.public.security.virus
> alt.comp.virus
> alt.comp.anti-virus
>
> As Frank note it is most likely a new Bagle variant.
>
> * * You NEVER, ever, run an EXE attachment if you don't expect it ! * *
>
> NOW you have an infected computer !
>
> Dump the contents of the IE Temporary Internet Folder cache (TIF)
> Start --> Settings --> Control Panel --> Internet Options --> Delete Files
>
> Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
> Tools --> Options --> Privacy --> Cache --> Clear
>
> Download MULTI_AV.EXE from the URL --
> http://www.ik-cs.com/programs/virtools/Multi_AV.exe
>
> It is a self-extracting ZIP file that contains the Kixtart Script
Interpreter {
> http://kixtart.org Kixtart is CareWare } two batch files, four Kixtart
scripts, one Link
> (.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and
WGET.EXE. It will
> simplify the process of using up to 3 different Anti Virus Command Line
Scanners to remove
> viruses and various other malware.
>
> C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
> This will bring up the initial menu of choices and should be executed in
Normal Mode. This
> way all the components can be downloaded from each AV vendor's web site.
> On Win9x/ME the choices are; Trend, McAfee, Exit the menu and Reboot the
PC
> On NT4, Win2k, WinXP and Win2003 Server the choices are; Sophos, Trend,
McAfee, Exit the
> menu and Reboot the PC.
>
> You can choose to go to each menu item and just download the needed files
or you can
> download the files and perform a scan in Normal Mode. Once you have
downloaded the files
> needed for each scanner you want to use, you should reboot the PC into
Safe Mode [F8 key
> during boot] and re-run the menu again and choose which scanner you want
to run in Safe
> Mode. It is suggested to run the scanners in both Safe Mode and Normal
Mode.
>
> When the menu is displayed hitting 'H' or 'h' will bring up a more
comprehensive PDF help
> file.
>
> To use this utility, perform the following...
> Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
> Choose; Unzip
> Choose; Close
>
> Execute; C:\AV-CLS\StartMenu.BAT
> { or Double-click on 'Start Menu' in C:\AV-CLS }
>
> NOTE: You may have to disable your software FireWall or allow WGET.EXE
and/or FTP.EXE to go
> through your FireWall to allow them to download the needed AV vendor
related files.
>
> * * * Please report back your results * * *
>
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>

Dave was right..Bagel variant. Contacted Symantec tech support (the guy got
a bit defensive when I told him that MacAfee already knew about this one).
Downloaded current virus defs from Symantec using "intelligent updater"
(LiveUpdate files won't contain the fix for this one until the June 29 defs
are available) and it identified it as Trojan.Tooso.J and it was
quarantined.

Thanks for the help.

Frank