winrarx.exe / wumgrd32.exe

Adam Piggott

Hiya,

Found a pair of viral files on a client's Windows XP Home (RTM) computer
recently that seemed to be scanning the WAN IP range (couldn't tell what as
ethereal wouldn't listen on the interface type). This was causing the PC to
hang after a short while.

I removed the files which were in C:\WINDOWS\system32, with system and
hidden attributes set. They were both sitting in the HKCU Windows\Run
registry key and when the entries were removed, they were replaced.

winrarx.exe
138,721 bytes
SHA1: daf47331caf439fbaad74332e4507f37f77f83af

wumgrd32.exe
78,622 bytes
SHA1: 16e7c2958abb7042e8492b8fdea71e968f1b8afb

Virustotal.com's results are all heuristic detection and I'd like to know
what exactly these files were doing so I can consider a plan of action on
the infected PC.

Any further information appreciated!


Cheers,


Adam Piggott,
Proprietor,
Proactive Services (Computing).

--
Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.
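A small triage helper for the symptoms described above (two files with known SHA-1s, HKCU Run values that reappear after deletion), added here as an example; it is not code from the thread or from any tool it mentions. It assumes the Run key is exported as text with `reg query` and that the SHA-1 of a file comes from a separate hashing tool; the sample query output below is constructed.

```python
import ntpath
import re

# SHA-1 values reported in the thread for the two dropped files.
KNOWN_BAD_SHA1 = {
    "daf47331caf439fbaad74332e4507f37f77f83af": "winrarx.exe",
    "16e7c2958abb7042e8492b8fdea71e968f1b8afb": "wumgrd32.exe",
}

def classify_hash(digest: str):
    """Reported filename for a matching SHA-1 hex digest, or None if unknown."""
    return KNOWN_BAD_SHA1.get(digest.strip().lower())

def parse_reg_query(text: str) -> dict:
    """Parse 'reg query' output of a Run key into {value name: command}."""
    entries = {}
    for line in text.splitlines():  # value lines are indented: name  TYPE  data
        m = re.match(r"\s+(\S.*?)\s{2,}REG_(?:EXPAND_)?SZ\s{2,}(\S.*?)\s*$", line)
        if m:
            entries[m.group(1)] = m.group(2)
    return entries

def command_exe(cmd: str) -> str:
    """Base name of the program a Run value launches (quoted or bare path)."""
    cmd = cmd.strip()
    path = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split()[0]
    return ntpath.basename(path).lower()

def suspicious_entries(entries: dict) -> dict:
    """Run values that launch one of the reported binaries."""
    bad = set(KNOWN_BAD_SHA1.values())
    return {n: c for n, c in entries.items() if command_exe(c) in bad}

def readded_after_cleanup(after: dict, removed: set) -> set:
    """Deleted value names present again in a fresh query (the thread's symptom)."""
    return removed & set(after)

# Constructed sample 'reg query' output modelled on the report (not real data).
SAMPLE_BEFORE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    winrarx       REG_SZ    C:\WINDOWS\system32\winrarx.exe
    wumgrd32      REG_SZ    C:\WINDOWS\system32\wumgrd32.exe
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
"""
# The same key re-queried after deleting both values: winrarx is back.
SAMPLE_AFTER = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    winrarx       REG_SZ    C:\WINDOWS\system32\winrarx.exe
"""
```

A non-empty result from `readded_after_cleanup` means a process is still running and restoring its persistence, so the files should be dealt with before the registry values.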
 
Art


> Hiya,
>
> Found a pair of viral files on a client's Windows XP Home (RTM) computer
> recently that seemed to be scanning the WAN IP range (couldn't tell what as
> ethereal wouldn't listen on the interface type). This was causing the PC to
> hang after a short while.
>
> I removed the files which were in C:\WINDOWS\system32, with system and
> hidden attributes set. They were both sitting in the HKCU Windows\Run
> registry key and when the entries were removed, they were replaced.
>
> winrarx.exe
> 138,721 bytes
> SHA1: daf47331caf439fbaad74332e4507f37f77f83af
>
> wumgrd32.exe
> 78,622 bytes
> SHA1: 16e7c2958abb7042e8492b8fdea71e968f1b8afb
>
> Virustotal.com's results are all heuristic detection and I'd like to know
> what exactly these files were doing so I can consider a plan of action on
> the infected PC.

The results are not just heuristic detection. You didn't get malware
names to follow up on?

Here's another av scan upload site:

http://virusscan.jotti.org/

NVC sandbox sometimes produces a description.

If av scanners don't alert, the files may be spyware. Did you run
Spybot and AdAware?

Art

http://home.epix.net/~artnpeg
 
Adam Piggott


> The results are not just heuristic detection. You didn't get malware
> names to follow up on?

Sorry, my sentence wasn't too clear. When I sent the two files to
virustotal, the products that did "catch" something were all heuristic
detections on this occasion, i.e. they didn't say "This is x virus"
specifically.

> Here's another av scan upload site:
>
> http://virusscan.jotti.org/
>
> NVC sandbox sometimes produces a description.

This gives a few more hits, but still no definitive list of what it does,
thanks - I'll keep the URL handy.

> If av scanners don't alert, the files may be spyware. Did you run
> Spybot and AdAware?

It's definitely not spyware, it's port scanning the WAN IP range assumedly
trying to sploit whatever Windows hole it used to get in to start with. I
had scanned it with Ad-Aware and it wasn't picked up.

Cheers for the info!


Adam.

--
Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.
 
David H. Lipman

From: "Adam Piggott" <[email protected]>

|
| It's definitely not spyware, it's port scanning the WAN IP range assumedly
| trying to sploit whatever Windows hole it used to get in to start with. I
| had scanned it with Ad-Aware and it wasn't picked up.
|
| Cheers for the info!
|
| Adam.
|
| - --
| Please replace dot invalid with dot uk to email me.

Adam:

Are you able to access Virus Total now?

I have been unable to access Virus Total all day.
 
Adam Piggott

> From: "Adam Piggott" <[email protected]>
>
> |
> | It's definitely not spyware, it's port scanning the WAN IP range assumedly
> | trying to sploit whatever Windows hole it used to get in to start with. I
> | had scanned it with Ad-Aware and it wasn't picked up.
> |
> | Cheers for the info!
> |
> | Adam.
> |
> | - --
> | Please replace dot invalid with dot uk to email me.
>
> Adam:
>
> Are you able to access Virus Total now?
>
> I have been unable to access Virus Total all day.

Keep in mind I've been using virustotal by email. The last response I had
was at 14:39 GMT.


Adam.

--
Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.
 
Art

> This gives a few more hits, but still no definitive list of what it does,
> thanks - I'll keep the URL handy.

Still no malware name? If you do get malware names, it's sometimes
productive to then use Project VGREP:

http://www.virusbtn.com/resources/vgrep/index.xml

which is designed to show the various names different av products
use for the same malware. But in addition, clicking on some av
vendor's name will sometimes lead directly to their description.
Trend Micro, McAfee and Norton in particular often have hits in this
regard.

> It's definitely not spyware, it's port scanning the WAN IP range assumedly
> trying to sploit whatever Windows hole it used to get in to start with. I
> had scanned it with Ad-Aware and it wasn't picked up.

If you still find that av scanners don't alert, you can submit the
file samples to vendors for analysis. I find that Kaspersky and McAfee
respond very quickly, and I get updated defs within an hour or so.
Here's a list of addresses:

http://www.claymania.com/panic.html

> Cheers for the info!

You're welcome.

Art

http://home.epix.net/~artnpeg
 
