Is this a virus?


EmmettPower

Hi,

I'm running Windows XP, Firefox for my browser and Sygate Personal
Firewall. Over the past couple of days I've noticed a file called
47exmodulbk.exe is trying to access the internet. I've set Sygate to
block the file.

The firewall backtrace on the access attempt comes up with different
destination IP addresses but they all seem to be innocent, for example,
64.233.163.27/Google.

The 47exmodulbk.exe file is located in the local settings\temp folder.
A number of files with similar names, for example 15exmodulbi.exe,
21exinjjaaf.exe etc are also in the temp folder.

Other than this the computer seems to be working normally.

A McAfee virusscan doesn't come up with anything and I can't find
anything in the virus databases that looks like this - though of course
if the file name is randomly generated it makes looking for information
about it difficult.

I'd appreciate any suggestions about what's going on here?

Thanks

Emmett

David H. Lipman

From: <[email protected]>

| Hi,
|
| I'm running Windows XP, Firefox for my browser and Sygate Personal
| Firewall. Over the past couple of days I've noticed a file called
| 47exmodulbk.exe is trying to access the internet. I've set Sygate to
| block the file.
|
| The firewall backtrace on the access attempt comes up with different
| destination IP addresses but they all seem to be innocent, for example,
| 64.233.163.27/Google.
|
| The 47exmodulbk.exe file is located in the local settings\temp folder.
| A number of files with similar names, for example 15exmodulbi.exe,
| 21exinjjaaf.exe etc are also in the temp folder.
|
| Other than this the computer seems to be working normally.
|
| A McAfee virusscan doesn't come up with anything and I can't find
| anything in the virus databases that looks like this - though of course
| if the file name is randomly generated it makes looking for information
| about it difficult.
|
| I'd appreciate any suggestions about what's going on here?
|
| Thanks
|
| Emmett

An odd named file like "47exmodulbk.exe" executed from the TEMP folder is certainly
suspicious and is likely to be malware.

Please submit a sample of "47exmodulbk.exe" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.

Generic removal instructions...


If you are using any version of Sun Java that is prior to JRE Version 5.0,
then you are strongly urged to remove any/all versions that are prior to JRE
Version 5.0. There are vulnerabilities in them and they are actively being exploited.
It is possible that is how you got infected with malware.

Therefore, it is highly suggested that if there are any prior versions of Sun Java
to Version 5 on the PC that they be removed and Sun Java JRE Version 5.0 Update 6
be installed ASAP.

http://www.java.com/en/download/manual.jsp


For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/
http://www.lavasoft.de/ms/index.htm

* SpyBot Search and Destroy v1.4
http://security.kolla.de/
http://www.safer-networking.org/microsoft.en.html

* SuperAntiSpyware
http://www.superantispyware.com/superantispywarefreevspro.html

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.

* BHODemon

http://www.majorgeeks.com/downloadget.php?id=3550&file=11&evp=245a87539eea8ed6904332b4b8b8442d

For viral malware...

* Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://harrisonrj.home.comcast.net/step_by_step_pc_cleaning_process.htm#Step_3_%96_Getting_Help


* * * Please report back your results * * *

Sanjaya

| Hi,
|
| I'm running Windows XP, Firefox for my browser and Sygate Personal
| Firewall. Over the past couple of days I've noticed a file called
| 47exmodulbk.exe is trying to access the internet. I've set Sygate to
| block the file.
| [snippage]

What did your anti-virus program say about the file?

EmmettPower

David/Sanjay,

Thanks for your help. I have to confess that I deleted the .exe files,
on the basis that they were almost certainly up to no good but if they
come back I will scan the files and come back to you. In the meantime I
came across two files sometimes associated with viruses and created on
my computer today.

smss.exe was created in the windows/system directory and nvsvcd.exe was
created in the windows/system32 directory. I scanned these on
http://www.virustotal.com. The results were as follows:

File: nvsvcd.exe
-----------------------
Date: 04/13/2006 19:47:26 (CET)
AntiVir 6.34.0.24/20060413 found nothing
Avast 4.6.695.0/20060403 found nothing
AVG 386/20060413 found nothing
Avira 6.34.0.56/20060413 found nothing
BitDefender 7.2/20060413 found nothing
CAT-QuickHeal 8.00/20060413 found nothing
ClamAV devel-20060202/20060413 found nothing
DrWeb 4.33/20060413 found nothing
eTrust-InoculateIT 23.71.128/20060412 found nothing
eTrust-Vet 12.4.2162/20060413 found nothing
Ewido 3.5/20060413 found nothing
Fortinet 2.71.0.0/20060412 found nothing
F-Prot 3.16c/20060413 found [W32/Methodbod.A - Packed]
Ikarus 0.2.59.0/20060413 found nothing
Kaspersky 4.0.2.24/20060413 found nothing
McAfee 4740/20060413 found nothing
NOD32v2 1.1487/20060413 found nothing
Norman 5.90.15/20060413 found nothing
Panda 9.0.0.4/20060413 found nothing
Sophos 4.04.0/20060413 found nothing
Symantec 8.0/20060413 found nothing
TheHacker 5.9.7.129/20060413 found nothing
UNA 1.83/20060413 found nothing
VBA32 3.10.5/20060413 found nothing

File: smss.exe
---------------------
Date: 04/13/2006 19:45:20 (CET)
AntiVir 6.34.0.24/20060413 found [Worm/Caimbot]
Avast 4.6.695.0/20060403 found nothing
AVG 386/20060413 found nothing
Avira 6.34.0.56/20060413 found [Worm/Caimbot]
BitDefender 7.2/20060413 found nothing
CAT-QuickHeal 8.00/20060413 found nothing
ClamAV devel-20060202/20060413 found nothing
DrWeb 4.33/20060413 found [DLOADER.Trojan]
eTrust-InoculateIT 23.71.128/20060412 found nothing
eTrust-Vet 12.4.2162/20060413 found nothing
Ewido 3.5/20060413 found nothing
Fortinet 2.71.0.0/20060412 found nothing
F-Prot 3.16c/20060413 found [W32/Methodbod.A@dr - Packed]
Ikarus 0.2.59.0/20060413 found nothing
Kaspersky 4.0.2.24/20060413 found nothing
McAfee 4740/20060413 found nothing
NOD32v2 1.1487/20060413 found [a variant of Win32/Agent.TV]
Norman 5.90.15/20060413 found nothing
Panda 9.0.0.4/20060413 found [Suspicious file]
Sophos 4.04.0/20060413 found nothing
Symantec 8.0/20060413 found nothing
TheHacker 5.9.7.129/20060413 found nothing
UNA 1.83/20060413 found nothing
VBA32 3.10.5/20060413 found nothing

Should I be deleting these two files?

Thanks

Emmett

David H. Lipman

From: <[email protected]>

| David/Sanjay,
|
| Thanks for your help. I have to confess that I deleted the .exe files,
| on the basis that they were almost certainly up to no good but if they
| come back I will scan the files and come back to you. In the meantime I
| came across two files sometimes associated with viruses and created on
| my computer today.
|
| smss.exe was created in the windows/system directory and nvsvcd.exe was
| created in the windows/system32 directory. I scanned these on
| http://www.virustotal.com. The results were as follows:
|
| File: nvsvcd.exe
| -----------------------

< snip >

| F-Prot 3.16c/20060413 found [W32/Methodbod.A - Packed]

< snip >

|
| File: smss.exe
| ---------------------
< snip >

| F-Prot 3.16c/20060413 found [W32/Methodbod.A@dr - Packed]

< snip >

|
| Should I be deleting these two files?
|
| Thanks
|
| Emmett

They are definitely new and, based upon the fact that F-Prot is calling them both by the same
base name W32/Methodbod, they are certainly related and should be removed. What kind of
hooks they have into the OS is unknown.

Since it is new, could it be possible that you could ZIP the two EXE files into a password
protected ZIP file (password = infected) and then send the ZIP attachment to the AV
companies?

http://www.ik-cs.com/suspicious-files.htm

David H. Lipman

From: <[email protected]>

| Dave,
|
| Will do. I've done a bit more digging and the behaviour is also
| reported together with Hijack This logs at:
|
| http://help.lockergnome.com/lofiversion/index.php/t44706.html and at
| http://www.bullguard.com/forum/5/Exmodulau_28948.html
|
| The startup process reference was changed from
| C:\WINDOWS\system32\smss.exe to C:\WINDOWS\system\smss.exe
|
| Regards
|
| Emmett

Yes, I see...

O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w

I came across something similar within the past week related to a new IRCBot
http://www.sophos.com/virusinfo/analyses/trojircbothf.html
http://www.sophos.com/virusinfo/analyses/trojircbotgz.html

Sophos found nothing in the posted Virus Total reports so this may be a new variant of the
above.

You may want to use the following to see if there are "other" Trojans on the PC.


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://harrisonrj.home.comcast.net/step_by_step_pc_cleaning_process.htm#Step_3_%96_Getting_Help


* * * Please report back your results * * *
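As an added illustration (not part of the thread or any tool it mentions), the two indicators this post turns on, a system-binary name such as smss.exe launched from a Run key outside its normal directory, and the NNex*.exe droppers in the temp folder, can be checked mechanically over a HijackThis-style log and a temp-folder listing. The extra entries in EXPECTED_DIRS and all sample lines except the O4 entry quoted above are constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Where these Windows binaries legitimately live; smss.exe comes from the
# thread, the other two are constructed examples of commonly impersonated names.
EXPECTED_DIRS = {
    "smss.exe": r"C:\WINDOWS\system32",
    "csrss.exe": r"C:\WINDOWS\system32",
    "winlogon.exe": r"C:\WINDOWS\system32",
}

# HijackThis O4 line: "O4 - HKLM\..\Run: [name] path args"
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Split the command into a (possibly quoted) .exe path and its arguments.
CMD_RE = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<u>.+?\.exe))(?:\s+(?P<args>.*))?$', re.IGNORECASE)
# Dropper names seen in the thread: two digits, "ex", letters, ".exe".
TEMP_DROPPER_RE = re.compile(r"^\d{2}ex[a-z]+\.exe$", re.IGNORECASE)


def parse_o4(line):
    """Return hive, entry name, executable and args for one O4 line, or None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    c = CMD_RE.match(m.group("cmd"))
    if not c:
        return None
    exe = c.group("q") or c.group("u")
    return {"hive": m.group("hive"), "name": m.group("name"),
            "exe": exe, "args": c.group("args") or ""}


def audit_o4(lines):
    """Flag Run entries whose binary name belongs to a known system process
    but whose directory is not where that process is expected."""
    findings = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        p = PureWindowsPath(entry["exe"])
        expected = EXPECTED_DIRS.get(p.name.lower())
        if expected and str(p.parent).lower() != expected.lower():
            findings.append((entry["name"], str(p), f"{p.name} expected in {expected}"))
    return findings


def find_temp_droppers(names):
    """Return temp-folder file names matching the NNex*.exe pattern."""
    return [n for n in names if TEMP_DROPPER_RE.match(n)]


# Constructed sample input; only the first O4 line is taken from the thread.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w",
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"',
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
]
SAMPLE_TEMP = ["47exmodulbk.exe", "15exmodulbi.exe", "21exinjjaaf.exe", "~DF1234.tmp", "setup.exe"]

if __name__ == "__main__":
    print(audit_o4(SAMPLE_LOG))
    print(find_temp_droppers(SAMPLE_TEMP))
```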

EmmettPower

OK,

Reporting back on this problem. I submitted the files to the major
vendor virus scanners using
http://www.virustotal.com/flash/index_en.html.

The NVSVCD.EXE file was determined to be malicious by over half of the
scanners. Aliases included W32/Methodbod.A - Packed,
Trojan-Proxy.Win32.Horst.aj and BackDoor-CMQ.

The good news is that (fingers crossed) deleting the offending files
seems to have solved the problem.

Thanks David and the others for the help.

Emmett

Virus Guy

| I submitted the files to the major vendor virus scanners using
| http://www.virustotal.com/flash/index_en.html.

When?

When did you do that?

Every time I submit a file to Virus Total (I tried last night,
basically once a day for the past week, and again just now) it tells
me that "virus scanning has stopped" and that it will send me the
results via e-mail (which I give it, and which it never sends the
results to).

EmmettPower

I have just noticed that there is a 'Service Load' bar below the chart
labelled 'Top Ten (Last 24 Hours)' on
http://www.virustotal.com/flash/index_en.html. It looks to me as if
they are operating at 100% capacity - which would explain your problem.
Anyway, you can email the file to them at: (e-mail address removed).