My Trojan Horse is dead, BUT .....

Robert

Hello everyone, Yes the old nag has at last gone to the knacker's yard.
No thanks to Norton, McAfee, Kaspersky, Sysclean, Spybot, A-squared
and other scanners with which my PC has been excoriated for weeks, in
Safe Mode and Normal, and with System Restore held in abeyance.

In fact the Trojan (W32.Qhosts.df) was found using a tiny little
utility (donation ware from Mike Lin, www.mlin.net ) called
StartUp Control Panel. This tool displays what starts up with Windows
and can stop it doing so. Using it I saw the file C:\WINDOWS\System32\
dmyic.exe not having any obvious connection to my usual software so
decided to block its startup. This immediately prevented the
reinstallation of a Registry Value at each bootup. System Restore was
not the culprit, but this little file.

Can anyone tell me, please, whether this System32\dmyic.exe file is a
genuine Windows file with a job to do or simply a stable for the Horse?
I would like to delete it if possible: the ordure remains offensive.
Advice please. Many thanks.
Robert.
 
David H. Lipman

From: "Robert" <[email protected]>

| Hello everyone, Yes the old nag has at last gone to the knacker's yard.
| No thanks to Norton, McAfee, Kaspersky, Sysclean, Spybot, A-squared
| and other scanners with which my PC has been excoriated for weeks, in
| Safe Mode and Normal, and with System Restore held in abeyance.
|
| In fact the Trojan (W32.Qhosts.df) was found using a tiny little
| utility (donation ware from Mike Lin, www.mlin.net ) called
| StartUp Control Panel. This tool displays what starts up with Windows
| and can stop it doing so. Using it I saw the file C:\WINDOWS\System32\
| dmyic.exe not having any obvious connection to my usual software so
| decided to block its startup. This immediately prevented the
| reinstallation of a Registry Value at each bootup. System Restore was
| not the culprit, but this little file.
|
| Can anyone tell me, please, whether this System32\dmyic.exe file is a
| genuine Windows file with a job to do or simply a stable for the Horse?
| I would like to delete it if possible: the ordure remains offensive.
| Advice please. Many thanks.
| Robert.

dmyic.exe is not a legitimate OS file.

I suggest you submit a sample to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.
 
David H. Lipman

From: "NewScience" <[email protected]>

| Is there any Version information? Right click | Properties | Version.
|

What if it is NOT digitally signed but has faked version information?
 
NewScience

You never know ... doesn't hurt to check.
You also would get Creation, Access, and Modification dates which may jog
some people's memories.
 
David H. Lipman

From: "NewScience" <[email protected]>

| You never know ... doesn't hurt to check.
| You also would get Creation, Access, and Modification dates which may jog
| some people's memories.
|

There are also databases of legitimate OS files and this is not listed on them.

The problem is if it is malware and it fakes the source of creation, and this has been
done, then it can lead one into a false sense of security. That is why I suggested sending
it to Virus Total. Then the file will be checked by signature and heuristics to see if it
is truly malware by more than two dozen antivirus scanners.
 
Robert

David said:
| From: "NewScience" <[email protected]>
|
| | You never know ... doesn't hurt to check.
| | You also would get Creation, Access, and Modification dates which may jog
| | some people's memories.
| |
|
| There are also databases of legitimate OS files and this is not listed on them.
|
| The problem is if it is malware and it fakes the source of creation, and this has been
| done, then it can lead one into a false sense of security. That is why I suggested sending
| it to Virus Total. Then the file will be checked by signature and heuristics to see if it
| is truly malware by more than two dozen antivirus scanners.

Thanks to David Lipman and New Science for their interest and response.
There's not a lot of information in Properties for this file, but here
is everything available.
C:\WINDOWS\System32\dmyic.exe
Application. 44kB
Created 11 May 2003. Modified 04 August 2004
Attributes: Archive-ready
Version information: None.

Hope this helps, and renewed thanks.
Robert.
 
David H. Lipman

From: "Robert" <[email protected]>

|
| Thanks to David Lipman and New Science for their interest and response.
| There's not a lot of information in Properties for this file, but here
| is everything available.
| C:\WINDOWS\System32\dmyic.exe
| Application. 44kB
| Created 11 May 2003. Modified 04 August 2004
| Attributes: Archive-ready
| Version information: None.
|
| Hope this helps, and renewed thanks.
| Robert.

No, it does not help { sigh }

Please submit a sample to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.
 
Robert

| When you get the report, please post back the exact results.

I am happy to oblige. May I say first what a splendid service Virus
Total provide. I had expected to wait several days for a report, but it
was back within minutes.
You mentioned "databases of authentic Windows files". Could I ask you
for a link to just one of them, please.

Thank you for your invaluable help in killing my Horse. Is it wise to
delete this file?
Here is the report on System32/ dmyic
================================================

STATUS: FINISHED
Complete scanning result of "dmyic.exe", received in
VirusTotal at 09.24.2006, 17:20:19 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.18 09.24.2006 HEUR/Malware
Authentium 4.93.8 09.23.2006 Possibly a new variant of
W32/SecRisk-ProcessPatcher-based!Maximus
Avast 4.7.844.0 09.22.2006 Win32:Small-EK
AVG 386 09.22.2006 no virus found
BitDefender 7.2 09.24.2006 Trojan.Downloader.Mohbpork.B
CAT-QuickHeal 8.00 09.22.2006 Trojan.DNSChanger
ClamAV devel-20060426 09.24.2006 Trojan.Small-255
DrWeb 4.33 09.22.2006 Trojan.Iespy
eTrust-InoculateIT 23.73.4 09.24.2006 no virus found
eTrust-Vet 30.3.3093 09.22.2006 Win32/Alureon!generic
Ewido 4.0 09.24.2006 Trojan.Pakes
Fortinet 2.82.0.0 09.24.2006 suspicious
F-Prot 3.16f 09.23.2006 Possibly a new variant of
W32/SecRisk-ProcessPatcher-based!Maximus
F-Prot4 4.2.1.29 09.23.2006 W32/SecRisk-ProcessPatcher-based!Maximus
Ikarus 0.2.65.0 09.23.2006 no virus found
Kaspersky 4.0.2.24 09.24.2006 Trojan.Win32.Small.fb
McAfee 4858 09.22.2006 Downloader-ARR
Microsoft 1.1560 09.24.2006 no virus found
NOD32v2 1.1771 09.23.2006 a variant of Win32/Small.FB
Norman 5.90.23 09.22.2006 no virus found
Panda 9.0.0.4 09.24.2006 Trj/Ruins.MB
Sophos 4.09.0 09.24.2006 no virus found
Symantec 8.0 09.24.2006 no virus found
TheHacker 6.0.1.078 09.24.2006 no virus found
UNA 1.83 09.22.2006 no virus found
VBA32 3.11.1 09.24.2006 Trojan.Win32.Pakes
VirusBuster 4.3.7:9 09.24.2006 no virus found


Additional Information
File size: 44115 bytes
MD5: 49196aff3f5ab635a87cf2becd054413
SHA1: 91613cb60b4abd8aa8f4d0c317cc91eaa71d7924

VirusTotal is a free service offered by Hispasec Sistemas. There are no
guarantees about the availability and continuity of this service.
Although the detection rate afforded by the use of multiple antivirus
engines is far superior to that offered by just one product, these
results DO NOT guarantee the harmlessness of a file. Currently, there
is not any solution that offers a 100% effectiveness rate for detecting
viruses and malware.
 
David H. Lipman

From: "Robert" <[email protected]>

||
| I am happy to oblige. May I say first what a splendid service Virus
| Total provide. I had expected to wait several days for a report, but it
| was back within minutes.
| You mentioned "databases of authentic Windows files". Could I ask you
| for a link to just one of them, please.
|
| Thank you for your invaluable help in killing my Horse. Is it wise to
| delete this file?

< snip >

No doubt about it being malicious !

Yes, it needs to be removed. Now that we know what we are dealing with, we can do a lookup
to see if there is OTHER information needed.

http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=50214

Since McAfee recognizes this as a Downloader Trojan, I suggest starting with the McAfee
Module in the below Multi AV Scanning Tool.


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *
 
Stephen Howe

| Hello everyone, Yes the old nag has at last gone to the knacker's yard.

.....so you are now flogging a dead horse? :)

Sorry I could not resist.

Stephen Howe
 
Robert

| ....so you are now flogging a dead horse? :)
| Sorry I could not resist.

Neigh, neigh, enough! My withers have been wrung too much. Guilty as
charged re. the flogging. But what this horse left behind (Ughh!) is
still there and might be activated by some passing horse-whisperer to
destroy my beloved PC.
A sense of humour is a wondrous thing, and rare in these rather staid
columns where serious security matters are discussed. Those who think
otherwise are talking HS. Your apology is graciously accepted.
Robert.
 
David H. Lipman

From: "Robert" <[email protected]>

||
| Neigh, neigh, enough! My withers have been wrung too much. Guilty as
| charged re. the flogging. But what this horse left behind (Ughh!) is
| still there and might be activated by some passing horse-whisperer to
| destroy my beloved PC.
| A sense of humour is a wondrous thing, and rare in these rather staid
| columns where serious security matters are discussed. Those who think
| otherwise are talking HS. Your apology is graciously accepted.
| Robert.

Your humorous reply is refreshing :)
 
Robert

| Your humorous reply is refreshing :)

Thanks, David, for your guidance all along. Sadly the next bit is far
from humorous. Having acted on your advice to use Virus Total for the
infected file, I have now done the same with four other files in
System32 (of exactly the same length and date of creation) which were
identified weeks ago by an online Kaspersky scan. I find that all five
files have exactly the same profile from Virus Total. They too will
need to be removed, I assume. Unfortunately Kaspersky online is not
able to do this: it identifies but does not disinfect.
I am only a computer simpleton but could all these files not simply be
deleted, since they serve no purpose useful to Windows?
A further reason for asking this is that I encountered two difficulties
in using the CLS Multi-AV front-end which you strongly promote. The
scans by Sophos and Trend went well (though did not find the Trojan),
but (a) the Kaspersky files, after several attempts, always downloaded
in a corrupt form and refused to run. One got a brief glimpse of an
error: "Object code not linked". And (b) McAfee refused to run,
displaying an error: "McAfeeUpdate.ini is not open for read."
I have neither the wit (nor the Horse Sense - Sorry) to discuss these
technicalities. I pass them on for your information. I shall certainly
try Multi-AV again. But if the two scanners fail once more, would it
not be enough simply to delete the clearly infected files?
With renewed thanks,
Robert.
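Robert's observation above, that four other System32 files share the suspect's length and date, is the kind of look-alike search a responder otherwise does by hand. As an added Python example, not code from this thread or from any tool named in it, the script below lists the files in a directory that match the suspect's exact size and modification date, hashes each one (the MD5/SHA1 VirusTotal reports on), and flags any hash that already matches the dmyic.exe hashes quoted earlier in the thread. The sample directory, file names and placeholder bytes are constructed; modification date is matched instead of creation time because creation time is not exposed portably.

```python
import hashlib
import os
import tempfile
from datetime import date, datetime
from pathlib import Path
# MD5/SHA1 of dmyic.exe as reported by VirusTotal earlier in this thread.
KNOWN_BAD = {"md5": "49196aff3f5ab635a87cf2becd054413",
             "sha1": "91613cb60b4abd8aa8f4d0c317cc91eaa71d7924"}

def file_hashes(path):
    """Return (md5, sha1) hex digests, reading the file in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk); sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()

def find_siblings(directory, suspect):
    """Other files in `directory` with the suspect's exact size and modification day."""
    # Modification date, not creation time: POSIX st_ctime is not a creation time.
    ref = os.stat(suspect)
    ref_day = date.fromtimestamp(ref.st_mtime)
    found = []
    for entry in sorted(Path(directory).iterdir()):
        if not entry.is_file() or entry.samefile(suspect):
            continue
        st = entry.stat()
        if st.st_size == ref.st_size and date.fromtimestamp(st.st_mtime) == ref_day:
            found.append(entry)
    return found

def triage(directory, suspect):
    """Hash the suspect plus every look-alike; flag hashes already known bad."""
    report = []
    for path in [Path(suspect)] + find_siblings(directory, suspect):
        md5, sha1 = file_hashes(path)
        report.append({"name": path.name, "size": path.stat().st_size, "md5": md5,
                       "sha1": sha1,
                       "known_bad": md5 == KNOWN_BAD["md5"] or sha1 == KNOWN_BAD["sha1"]})
    return report

def demo():
    """Constructed sample directory: suspect, two look-alikes, two non-matching files."""
    tmp = Path(tempfile.mkdtemp())
    stamp = datetime(2004, 8, 4, 12, 0).timestamp()  # 'Modified 04 August 2004'
    files = {"dmyic.exe": b"\x00" * 44115,      # placeholder bytes, real size only
             "abcde.exe": b"\x01" * 44115,      # same size and date: look-alike
             "fghij.exe": b"\x02" * 44115,      # same size and date: look-alike
             "kernel32.dll": b"\x03" * 1000,    # different size
             "zzz.exe": b"\x04" * 44115}        # same size, later date (set below)
    for name, data in files.items():
        (tmp / name).write_bytes(data)
        os.utime(tmp / name, (stamp, stamp))
    os.utime(tmp / "zzz.exe", (stamp + 30 * 86400,) * 2)
    return triage(tmp, tmp / "dmyic.exe")
```

Each entry in the returned report carries the hashes a responder would submit to VirusTotal, so look-alikes can be checked without uploading the files themselves.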
 
David H. Lipman

From: "Robert" <[email protected]>

||
| Thanks, David, for your guidance all along. Sadly the next bit is far
| from humorous. Having acted on your advice to use Virus Total for the
| infected file, I have now done the same with four other files in
| System32 (of exactly the same length and date of creation) which were
| identified weeks ago by an online Kaspersky scan. I find that all five
| files have exactly the same profile from Virus Total. They too will
| need to be removed, I assume. Unfortunately Kaspersky online is not
| able to do this: it identifies but does not disinfect.
| I am only a computer simpleton but could all these files not simply be
| deleted, since they serve no purpose useful to Windows?
| A further reason for asking this is that I encountered two difficulties
| in using the CLS Multi-AV front-end which you strongly promote. The
| scans by Sophos and Trend went well (though did not find the Trojan),
| but (a) the Kaspersky files, after several attempts, always downloaded
| in a corrupt form and refused to run. One got a brief glimpse of an
| error: "Object code not linked". And (b) McAfee refused to run,
| displaying an error: "McAfeeUpdate.ini is not open for read."
| I have neither the wit (nor the Horse Sense - Sorry) to discuss these
| technicalities. I pass them on for your information. I shall certainly
| try Multi-AV again. But if the two scanners fail once more, would it
| not be enough simply to delete the clearly infected files?
| With renewed thanks,
| Robert.

The Kaspersky online scanner is a detect only scanner for informational purposes :-(

McAfeeUpdate.ini is not open for read --> means that for unknown reasons the INI file,
which contains signature version information, was NOT able to be downloaded. The INI file
is parsed (interpreted) to find out the latest version of the McAfee DAT file. However,
there is a MANUAL method.

http://download.nai.com/products/licensed/superdat/english/intel/sdat4859.exe

Save; sdat4859.exe
Rename; sdat4859.exe to setup.exe
Copy; setup.exe to C:\AV-CLS\McAfee

Run the Multi AV Scanning Tool menu again and choose McAfee.
 
Robert

| However, there is a MANUAL method.
|
| http://download.nai.com/products/licensed/superdat/english/intel/sdat4859.exe
|
| Save; sdat4859.exe
| Rename; sdat4859.exe to setup.exe
| Copy; setup.exe to C:\AV-CLS\McAfee
|
| Run the Multi AV Scanning Tool menu again and choose McAfee.

Hello again David. All is well, I think. I could not however run
McAfee, which produced the same error as before. Fortunately I did
manage this time to download Kaspersky, run it and do a full scan. It
identified all five of our suspect System32 files as Trojans and
deleted them.

Would you agree that the manual method above is now no longer
necessary? Can we allow ourselves a brief celebration that the Trojan
Horse is not only DEAD, but also BURIED?

If so, then the thanks are due entirely to you. Warmest thanks for
your patience and generosity.

Robert,
Birmingham, England.
 
David H. Lipman

From: "Robert" <[email protected]>

|
| Hello again David. All is well, I think. I could not however run
| McAfee, which produced the same error as before. Fortunately I did
| manage this time to download Kaspersky, run it and do a full scan. It
| identified all five of our suspect System32 files as Trojans and
| deleted them.
|
| Would you agree that the manual method above is now no longer
| necessary? Can we allow ourselves a brief celebration that the Trojan
| Horse is not only DEAD, but also BURIED?
|
| If so, then the thanks are due entirely to you. Warmest thanks for
| your patience and generosity.
|
| Robert,
| Birmingham, England.

That's up to you. The reason I include 4 different AV scanners is that one may catch what
another may miss.

If you decide to follow the directions, they are NOW updated for TODAY'S version...


http://download.nai.com/products/licensed/superdat/english/intel/sdat48561.exe

Save; sdat4861.exe
Rename; sdat4861.exe to setup.exe
Copy; setup.exe to C:\AV-CLS\McAfee

Run the Multi AV Scanning Tool menu again and choose McAfee.
 