What virus is this?
#1
Guest

Found an executable on my windows\system dir: mpwzojgl.exe, though earlier it had a different name, so it seems to spawn random names. Size is 453K. Norton didn't turn up anything, neither did spybot or adaware. First saw it while running a check on my running processes in proport (recommended BTW). Pretty sure it knocked out my Norton installation first time round and had to reinstall. Can't find any suspicious HKLM or HKCU run, runonce or runservices. Oh, and running the exec gives the error "can't load ak32dll.dll" (did a find file.. no luck) after which the exec deletes itself! WTF? Any ideas out there?

#2
Guest

On Sun, 11 Jan 2004 19:51:36 GMT, Modecate <nospam@here.pls> wrote:

> Found an executable on my windows\system dir: mpwzojgl.exe, though
> earlier it had a different name, so it seems to spawn random names.
> Size is 453K . Norton didn't turn up anything, neither did spybot or

Submit a copy for them to examine. See http://groups.google.com/groups?q=s...fncis.de&rnum=3 for a list of addresses.

> adaware. First saw it while running a check on my running processes in
> proport(recommended BTW) Pretty sure it knocked out my Norton
> installation first time round and had to reinstall. Can't find any
> suspicious HKLM or HKCU run, runonce or runservices. Oh, and running
> the exec gives the error "can't load ak32dll.dll"(did a find file..no
> luck) after which the exec deletes itself! WTF? Any ideas out there?

See http://users.iafrica.com/c/cq/cquirke/startup.htm for most of the places it could be starting. Also check the task scheduler.

Regards, Dave Hodgins

--
Change nomail.afraid.org to rogers.com to reply by email.
(nomail.afraid.org has been set up specifically for use in usenet. Feel free to use it yourself.)

#3
Guest

On Sun, 11 Jan 2004 20:52:42 GMT, "David W. Hodgins" <dhodgin1661@nomail.afraid.org> wrote:

>On Sun, 11 Jan 2004 19:51:36 GMT, Modecate <nospam@here.pls> wrote:
>
>> Found an executable on my windows\system dir: mpwzojgl.exe, though
>> earlier it had a different name, so it seems to spawn random names.
>> Size is 453K . Norton didn't turn up anything, neither did spybot or
>
>Submit a copy for them to examine. See
>http://groups.google.com/groups?q=s...fncis.de&rnum=3
>for a list of addresses.
>
>> adaware. First saw it while running a check on my running processes in
>> proport(recommended BTW) Pretty sure it knocked out my Norton
>> installation first time round and had to reinstall. Can't find any
>> suspicious HKLM or HKCU run, runonce or runservices. Oh, and running
>> the exec gives the error "can't load ak32dll.dll"(did a find file..no
>> luck) after which the exec deletes itself! WTF? Any ideas out there?
>
>See http://users.iafrica.com/c/cq/cquirke/startup.htm for most of the
>places it could be starting. Also check the task scheduler.
>
>Regards, Dave Hodgins

Would it be ok to rename it as a dat file and post it to alt.binaries.test? This is some text I found in it:

Id: UPX 1.01 Copyright (C) 1996-2000 the UPX Team. All Rights Info:
This file is packed with the UPX executable packer http://upx.tsx.org
Reserved. $

#4
Guest

On Sun, 11 Jan 2004 20:58:20 GMT, modecate <nospam@here.pls> wrote:

> Would it be ok to rename it as a dat file and post it to
> alt.binaries.test? This is some text I found in it:
>
> Id: UPX 1.01 Copyright (C) 1996-2000 the UPX Team. All Rights Info:
> This file is packed with the UPX executable packer http://upx.tsx.org
> Reserved. $

You can email a copy to me if you like.

Regards, Dave Hodgins

--
Change nomail.afraid.org to rogers.com to reply by email.
(nomail.afraid.org has been set up specifically for use in usenet. Feel free to use it yourself.)

#5
Guest

modecate wrote:

[snip]

> Would it be ok to rename it as a dat file and post it to
> alt.binaries.test? This is some text I found in it:

no, it would not be alright...

it would in fact be downright irresponsible of you to put a suspected virus in a place where anyone could get it...

--
"hungry people don't stay hungry for long
they get hope from fire and smoke as the weak grow strong
hungry people don't stay hungry for long
they get hope from fire and smoke as they reach for the dawn"

#6
Guest

On Sun, 11 Jan 2004 19:41:16 -0500, kurt wismer <kurtw@sympatico.ca> wrote:

>modecate wrote:
>[snip]
>> Would it be ok to rename it as a dat file and post it to
>> alt.binaries.test? This is some text I found in it:
>
>no, it would not be alright...
>
>it would in fact be downright irresponsible of you to put a suspected
>virus in a place where anyone could get it...

That's why I asked first, Thanks

#7
Guest

On Sun, 11 Jan 2004 19:51:36 GMT, Modecate <nospam@here.pls> wrote:

>Found an executable on my windows\system dir: mpwzojgl.exe, though
>earlier it had a different name, so it seems to spawn random names.
>Size is 453K . Norton didn't turn up anything, neither did spybot or
>adaware. First saw it while running a check on my running processes in
>proport(recommended BTW) Pretty sure it knocked out my Norton
>installation first time round and had to reinstall. Can't find any
>suspicious HKLM or HKCU run, runonce or runservices. Oh, and running
>the exec gives the error "can't load ak32dll.dll"(did a find file..no
>luck) after which the exec deletes itself! WTF? Any ideas out there?

OK, I found out what it was....an anti keylogger demo that I thought had been disabled. I have to say this use of random file names is unusual though. I'm not suggesting this is a virus, far from it, it seems to be the most widely used akl around.