Email worm... need help identifying. - epjvwek.gif (0/1)

NightRunner

Hey all,

I got NAILED bigtime yesterday whilst carousing on a site I should
have known better than to use MSIE on. I acquired MANY infections, but
have I think all but one contained now... I just noticed today that a
netstat -an command is showing a huge number of connections to various
IP addresses. Soooo I got myself a packet sniffer, and found out that
my machine is spamming like MAD through Outlook Express. I can't seem
to find the causative program, and none of my various Spyware/Adware
or AV programs are catching it, so this is where I REALLY need help.
The basic content of each email follows:

From: Mcnamara (this is randomly generated it seems)
To: (e-mail address removed) (also apparently random)
Subject: Online

Message body --

Hey, epjvwek


Attached file:

epjvwek.gif

Contents of this file appear to be drug advertisements... It's
harmless enough, so I've attached it in the prayer that someone will
recognize it and know what it is and how to get rid of it from my
system. NERVE WRACKING.

I should also mention that winlogon.exe is consuming very high cpu
resources, like 80-90%, and it shows up on TDIMon as the program doing
all the accessing of those IP addresses.

Thanks for any help!!!

Rick

"The usual approach of science of constructing a mathematical
model cannot answer the questions of why there should be a
universe for the model to describe. Why does the universe go
to all the bother of existing?"

- Stephen Hawking

---------------------------------------
Amateur Astronomy Page:
http://www.angelfire.com/alt2/nightrunner/skyview.html

Our Webcam:
http://web.infoave.net/~missy1/cam/webcam.html
 
David H. Lipman

From: "NightRunner" <[email protected]>

| Hey all,
|
| I got NAILED bigtime yesterday whilst carousing on a site I should
| have known better than to use MSIE on. I acquired MANY infections, but
| have I think all but one contained now... I just noticed today that a
| netstat -an command is showing a huge number of connections to various
| IP addresses. Soooo I got myself a packet sniffer, and found out that
| my machine is spamming like MAD through Outlook Express. I can't seem
| to find the causative program, and none of my various Spyware/Adware
| or AV programs are catching it, so this is where I REALLY need help.
| The basic content of each email follows:
|
| From: Mcnamara (this is randomly generated it seems)
| To: (e-mail address removed) (also apparently random)
| Subject: Online
|
| Message body --
|
| Hey, epjvwek
|
| Attached file:
|
| epjvwek.gif
|
| Contents of this file appears to be drug advertisements... It's
| harmless enough, so I've attached it in the prayer that someone will
| recognize it and know what it is and how to get rid of it from my
| system. NERVE WRACKING.
|
| I should also mention that winlogon.exe is consuming very high cpu
| resources, like 80-90%, and it shows up on TDIMon as the program doing
| all the accessing of those IP addresses.
|
| Thanks for any help!!!
|
| Rick

This is a text ONLY News Group !

Posting attachments is a violation of the alt.comp.anti-virus charter !
http://www.stormpages.com/eaegis/antivirus.htm

Specifically stated... "No attachments of any kind are permitted. "


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
 
Max Wachtel

(e-mail address removed) AKA NightRunner on 1/7/2006 in
Hey all,

I got NAILED bigtime yesterday whilst carousing on a site I should
have known better than to use MSIE on. I acquired MANY infections, but
have I think all but one contained now... I just noticed today that a
netstat -an command is showing a huge number of connections to various
IP addresses. Soooo I got myself a packet sniffer, and found out that
my machine is spamming like MAD through Outlook Express. I can't seem
to find the causative program, and none of my various Spyware/Adware
or AV programs are catching it, so this is where I REALLY need help.
The basic content of each email follows:
snip <
******************Reply Separator*************************

I receive 20 or more of those "drug" e-mails every day in each of my
accounts: no infections. Must be the e-mail client I use (Thunderbird)
that is helping to prevent infestations. You can be safe too! Read this:
Keeping Windows Clean: http://home.neo.rr.com/manna4u/keepingclean.html
For cleaning up your mess, read this:
Virus Removal Instructions: http://home.neo.rr.com/manna4u/

max
--
Windows Help: http://home.neo.rr.com/manna4u/tools.html
Specific Fixes: http://home.neo.rr.com/manna4u/fixes.html
Forums for HiJackThis Logs:
http://home.neo.rr.com/manna4u/forums_for_hijackthis_logs.html
To reply by e-mail change nomail.afraid.org to gmail.com
nomail.afraid.org is setup specifically for use in USENET
feel free to use it yourself. Registered Linux User #393236
 
Beauregard T. Shagnasty

NightRunner said:
and found out that
my machine is spamming like MAD through Outlook Express.

Yes, I've gotten at least two dozen spams from you today.

At least, unplug your internet connection until you get rid of the
trojan.

More than half of my spam comes from computers like yours.
 
NightRunner

Brilliant idea, cut myself off from my sole source of tools and help!
I know, I'll take my machine out back, dig a hole, fill it in with
concrete, and stick the machine smack in the middle, so people like
you don't have to go out of your way to post bitch and fuss messages
on Usenet! Thanks! :)

But wait... that's no solution at all.. What will you do with your
free time then?

- NR

Yes, I've gotten at least two dozen spams from you today. <--- prove it

At least, unplug your internet connection until you get rid of the
trojan.

More than half of my spam comes from computers like yours.

 
NightRunner

Well see that's the thing... I'm not receiving any, I'm frigging
sending them. I still can't find the offending process, and
winlogon.exe is still hammering my CPU like mad. In fact, I've now got
AVG, F-Prot, Ad-Aware SE, and Spybot S/D all on the job and not a one
of them is even detecting this. I've also got TDIMon, Regmon, Filemon,
and Process Explorer running and the only suspicious target I seem to
be able to find is winlogon.exe, but that's part of the system. I've
also replaced THAT file with a clean copy, and still nothing. Oh, I
should also mention that i crippled Outlook Express to see if that had
anything to do with it, and alas no, it still keeps on a goin. Clearly
this thing has its own built in email engine. Since a day ago I am
now down to keeping OFF the Internet 99% of my computer time, only
allowing it to connect when I have to send another desperate request
for info, and that's really hurting my ability to do reasearch and AV
installation to fix the problem. I hate to do it, but I am considering
redoing the whole OS. I haven't done that in years for two reasons:

1) I have so much stuff now on my main HD that it's going to be a
monumental job I don't have time for.

2) Simply put, I don't want to be beaten by this. I have had the
occasional virus over the last 14 years of PC use, but I always won
out in the end, and never by burning the system down.

Computers are simple enough, they consist of hardware with programs
stored on them to do various tasks. Viruses/trojans/worms/scripts/etc
that are designed to hijack these normal functions are also simple:
Execute and assume partial control. All one has to do to fix any such
infection is break that controlling program or script, et voila,
problem over. I just can't isolate the causative factor. If I could
get the name of it somehow, which is why I rashly posted the .gif
attachment in the first place (I *am* sorry about that, I should have
stuck it on a webspace), then I could find the info I need on the web
to kill this thing off properly.

This is a support group specifically dedicated to anti-virus topics...
Surely someone on here knows what worm generates all those little gif
image ads that we've all seen a thousand times. Even I have seen them
every so often in my email. Barring that, I am willing to try any AV
or adware/spyware killer program I haven't already, so long as I don't
have to put myself in debt for no good reason buying AV packages that
may or may not even help. So, please, keep the suggestions rolling for
me. I'm desperate here, I've got a LOT to lose.

Again, thanks for any help. When I get this one fixed, I'll do my best
to write a little page or message detailing what the problem was,
where I got it from, and how I fixed it, so that others may benefit.

- NR

 
Hoosier Daddy

NightRunner said:
Hey all,

I got NAILED bigtime yesterday whilst carousing on a site I should
have known better than to use MSIE on. I acquired MANY infections, but
have I think all but one contained now... I just noticed today that a
netstat -an command is showing a huge number of connections to various
IP addresses. Soooo I got myself a packet sniffer, and found out that
my machine is spamming like MAD through Outlook Express. I can't seem
to find the causative program, and none of my various Spyware/Adware
or AV programs are catching it, so this is where I REALLY need help.
The basic content of each email follows:

You have become a spam zombie, this is not a virus or worm though it
may have been installed by one.

The best suggestion I have for you is to get the updated versions of the
anti-adware and anti-spyware programs in the hopes that detection for
this (new?) malware has been recently added.

Have you used a process explorer utility to find the culprit? If you do,
then submitting the offending program file to scanning at "virustotal"
may give more clues.

If the offending code isn't hiding within legitimate programs like some
viruses and trojans do, then "HiJackThis" may help you to find its
method of self-starting - of course use the HJT forums for help in
analyzing the log.
 
Offbreed

Beauregard said:
Yes, I've gotten at least two dozen spams from you today.

Re-read his post. He is staying off the net, except for quick checks.

In his place, I would install an internet capable OS to a spare hard
drive or try one of the "Live Linux" or "Live BSD" CDs and use that to
check the net for further information.
 
Beauregard T. Shagnasty

Offbreed said:
Re-read his post. He is staying off the net, except for quick checks.

Sorry, I don't see that in any of his posts.
In his place, I would install an internet capable OS to a spare hard
drive or try one of the "Live Linux" or "Live BSD" CDs and use that
to check the net for further information.

That's a good idea. Knoppix is good for this. I carry a Knoppix CD in my
kit.
 
John Coutts

Hey all,

I got NAILED bigtime yesterday whilst carousing on a site I should
have known better than to use MSIE on. I acquired MANY infections, but
have I think all but one contained now... I just noticed today that a
netstat -an command is showing a huge number of connections to various
IP addresses. Soooo I got myself a packet sniffer, and found out that
my machine is spamming like MAD through Outlook Express. I can't seem
to find the causative program, and none of my various Spyware/Adware
or AV programs are catching it, so this is where I REALLY need help.

I should also mention that winlogon.exe is consuming very high cpu
resources, like 80-90%, and it shows up on TDIMon as the program doing
all the accessing of those IP addresses.

Thanks for any help!!!

Rick
*************** REPLY SEPARATOR *****************
When a person is seeking assistance, the last thing he/she needs is a bunch of
snide comments. The advice I am about to give you works for me, and hopefully
will be of some use to yourself.

The Task Manager lists the various processes running on your machine. On my XP
I have trimmed these processes to less than a single page, and I can identify
each and every one of them. So I know if something out of the ordinary gets
loaded (theoretically). There are a couple of caveats here though. There are
programs out there that can be used to hide a task from the list (rootkit),
and there is at least one service (svchost.exe) that can hide several tasks
(dll files).

The Task Manager gets its information from a command line command
(tasklist.exe on XP, and tlist.exe on W2K). I recommend using this instead of
the graphic program, as it is more difficult to hide a task using the command
line.

Netlogon.exe is presumably active because the malware is attempting to spread
itself over the local network. The basic troubleshooting technique involves
shutting down processes until you find the one that is causing the problem. On
the average Windows machine, this can be a daunting task, as there may be
several pages of active processes. On XP (and to a lesser degree on W2K), most
of these are not needed. These are the basic processes:

Image Name                     PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process              0                        0         20 K
System                           4                        0        220 K
SMSS.EXE                      1532                        0        436 K
CSRSS.EXE                     1664                        0      4,064 K
WINLOGON.EXE                  1688                        0      3,080 K
SERVICES.EXE                  1732                        0      3,160 K
LSASS.EXE                     1744                        0      1,536 K
SVCHOST.EXE                   1964                        0      3,076 K
SVCHOST.EXE                   1052                        0      2,080 K
SVCHOST.EXE                   1088                        0      2,200 K
SVCHOST.EXE                   1144                        0     13,152 K
SPOOLSV.EXE                   1160                        0      4,124 K
EXPLORER.EXE                   164                        0     29,976 K
Directcd.exe                   236                        0      4,828 K
CMD.EXE                       1972                        0      1,620 K
========================= ====== ================ ======== ============
I have included Directcd.exe above to indicate that some critical processes are
non MS and are tied to specific hardware, and CMD.EXE is active because I am
using the command line. If you are faced with multiple pages of processes, you
might be well advised to get a handle on these first. I offer many helpful
suggestions at:

http://www.yellowhead.com/security2.htm

Whatever process is sending the spam/virus will most likely be using port 25.
Kill the processes one at a time until that traffic stops (using netstat to
monitor). That will be the process that you need to eliminate or fix.

J.A. Coutts
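Coutts's procedure above (watch netstat for port 25 traffic and work out which process owns it) can be done in one pass on XP, because `netstat -ano` prints the owning PID next to each socket. The following Python is an added example, not code from the thread: it parses constructed `netstat -ano` and `tasklist` output (addresses, PIDs and the Directcd row are made up), counts live port-25 sockets per image name, and also lists processes missing from the trimmed baseline in the post, which flags legitimate non-MS software such as Directcd.exe as well.

```python
import re
# Constructed samples in the layout of XP's "netstat -ano" (-o adds the owning
# PID) and "tasklist"; addresses, PIDs and the Directcd row are made up here.
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1054      203.0.113.5:25         SYN_SENT        1688
  TCP    192.168.1.10:1055      198.51.100.7:25        ESTABLISHED     1688
  TCP    192.168.1.10:1056      203.0.113.9:25         ESTABLISHED     1688
  TCP    192.168.1.10:1057      198.51.100.20:80       ESTABLISHED     164
  TCP    192.168.1.10:1058      203.0.113.44:25        TIME_WAIT       0
  UDP    0.0.0.0:445            *:*                                    4
"""
TASKLIST_SAMPLE = """
Image Name                     PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process              0                        0         20 K
System                           4                        0        220 K
WINLOGON.EXE                  1688                        0      3,080 K
EXPLORER.EXE                   164                        0     29,976 K
Directcd.exe                   236                        0      4,828 K
"""
# Microsoft processes from the trimmed XP list in the post above; anything
# else (including legitimate non-MS software) is reported for a closer look.
BASELINE = {
    "system idle process", "system", "smss.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe",
}
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
TASKLIST_RE = re.compile(r"^(\S.*?)\s+(\d+)\s")

def parse_netstat(text):
    """Return (proto, local, remote, state, pid) rows; UDP rows carry no state."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rows.append((proto, local, remote, state or "", int(pid)))
    return rows

def parse_tasklist(text):
    """Map PID -> image name, skipping the header and the ==== rule."""
    pids = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m and not m.group(1).startswith("="):
            pids[int(m.group(2))] = m.group(1)
    return pids

def smtp_senders(netstat_text, tasklist_text, port="25"):
    """Count live outbound TCP sockets to `port` per owning image name.
    TIME_WAIT sockets are already orphaned (PID 0) and are ignored."""
    names = parse_tasklist(tasklist_text)
    counts = {}
    for proto, _local, remote, state, pid in parse_netstat(netstat_text):
        if proto == "TCP" and remote.rsplit(":", 1)[-1] == port and state != "TIME_WAIT":
            name = names.get(pid, "<unknown pid %d>" % pid)
            counts[name] = counts.get(name, 0) + 1
    return counts

def unexpected_processes(tasklist_text, baseline=BASELINE):
    """Image names absent from the baseline, compared case-insensitively."""
    names = parse_tasklist(tasklist_text).values()
    return sorted(n for n in names if n.lower() not in baseline)
```

On the sample, the port-25 count lands on WINLOGON.EXE even though that name is on the baseline, which is exactly the case the thread is stuck on: the socket owner, not the process name, is what identifies the sender.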
 
Sylvia M.

"David H. Lipman" <[email protected]>
wrote in message
From: "Sylvia M." <[email protected]>

| -----------
| running on your machine.
| -----------
| Is there a similar program in Windows 98?
| "Find" couldn't find it for me.
|
| Sylvia M
|

Actually the Task Manager only shows a portion.

On NT based OS and Win9x/ME use Process Explorer
to see all the running processes.
Thanks, Dave.
I went there and downloaded (also printed out
window), but I can't seem to 'open' a .zip

Sylvia M.
I know that I know not...
 
John Coutts

-----------
running on your machine.
-----------
Is there a similar program in Windows 98?
"Find" couldn't find it for me.

Sylvia M
************** REPLY SEPARATOR ***************
Windows 9x does not operate the same way as NT based systems. NT runs various
services under the control of the kernel, and each running program can have one
or more processes attached to it as well, all running in its own reserved
memory. There can be several of the same processes running at the same time.

Windows 9x shares processes between running programs, and that is why a reboot
is necessary when one of them hangs up. You cannot just end the problem one as
you can in NT. It is not as extensive, but there is something similar available
in Win 9x by using a single <Ctrl-Alt-Del>.

J.A. Coutts
 
Sylvia M.

"John Coutts" <[email protected]>
wrote in message
************** REPLY SEPARATOR ***************
Windows 9x does not operate the same way as NT based systems. NT runs various
services under the control of the kernel, and each running program can have one
or more processes attached to it as well, all running in its own reserved
memory. There can be several of the same processes running at the same time.

Windows 9x shares processes between running programs, and that is why a reboot
is necessary when one of them hangs up. You cannot just end the problem one as
you can in NT. It is not as extensive, but there is something similar available
in Win 9x by using a single <Ctrl-Alt-Del>.

J.A. Coutts
Yes, I have often used single <Ctrl-Alt-Del> in
order to close a frozen program.

Sylvia M
 
Sylvia M.

David H. Lipman said:
From: "Sylvia M." <[email protected]>


| Thanks, Dave.
| I went there and downloaded (also printed out
| window), but I can't seem to 'open' a .zip
|
| Sylvia M.
| I know that I know not...
|

http://www.winzip.com/
http://www.pkware.com/home_and_small_office/downloads/
http://nct.digitalriver.com/fulfill/0018.18

Or one of the many other ZIP archival software packages.
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Thanks again. That did it.
Now to learn to interpret and use ;-)

Sylvia M
 
Max Wachtel

(e-mail address removed) AKA NightRunner on 1/8/2006 in
snip <
I am willing to try any AV or adware/spyware killer program
snip <
******************Reply Separator*************************
Have you run David's AV tool yet? If so what were the results?
max
--
Virus Removal Instructions: http://home.neo.rr.com/manna4u/
Keeping Windows Clean: http://home.neo.rr.com/manna4u/keepingclean.html
Windows Help: http://home.neo.rr.com/manna4u/tools.html
Specific Fixes: http://home.neo.rr.com/manna4u/fixes.html
Forums for HiJackThis Logs:
http://home.neo.rr.com/manna4u/forums_for_hijackthis_logs.html
To reply by e-mail change nomail.afraid.org to gmail.com
nomail.afraid.org is setup specifically for use in USENET
feel free to use it yourself. Registered Linux User #393236
 