Nasty worm

Slashed Zero

Hello,

I seem to have caught a nasty worm through opening a .scr file I got
through e-mail (from someone I thought to be a friend - I know, how stupid
can you be...). Anyway, I am totally unable to remove it from my system.
What it does is: it starts itself up in the registry and creates two
instances of itself in memory. When you terminate one of these processes,
the remaining instance re-instantiates the other in memory, so that there is
always at least one of these two running. What these files do is try to
access the internet and probably send all sorts of info to someone, but this
has been blocked by ZoneAlarm. The other thing that happens is that they
constantly check the registry, so that if you want to delete the keys that
start them up, they immediately re-appear. When using a registry activity
monitor, you can see the bad processes constantly accessing the registry.
The bad files are:
winnt/system.dli
winnt/system32/services.dli
winnt/system32/tasks/explorer.exe
and all of these are run in memory. System.dli and services.dli seem to be
identical files.

TDS-3 is powerless against this, or so it seems to me.

I have tried booting using a win98-bootdisk and manually deleting the bad
files from the command prompt (luckily my harddisk is still fat32-formatted)
and this works, but after win2000 reboot, the processes and files are back
there! This could be because I am unable to delete one file, called
explorer.exe, and placed in winnt/system32/tasks. I don't know what sort of
directory this is; it shows up when doing a dir, but I am unable to access
it at the command prompt.

So, there seems to be a circular thing going on, with processes constantly
covering each other's backs. Neither (fully updated) AVG nor McAfee detect
anything.

Can anyone help me to get rid of this trojan?
Thanks VERY MUCH in advance!

Stratman

Slashed Zero said:
Hello,

I seem to have caught a nasty worm through opening a .scr file I got
through e-mail (from someone I thought to be a friend - I know, how stupid
can you be...). Anyway, I am totally unable to remove it from my system.
What it does is: it starts itself up in the registry and creates two
instances of itself in memory. When you terminate one of these processes,
the remaining instance re-instantiates the other in memory, so that there is
always at least one of these two running. What these files do is try to
access the internet and probably send all sorts of info to someone, but this
has been blocked by ZoneAlarm. The other thing that happens is that they
constantly check the registry, so that if you want to delete the keys that
start them up, they immediately re-appear. When using a registry activity
monitor, you can see the bad processes constantly accessing the registry.
The bad files are:
winnt/system.dli
winnt/system32/services.dli
winnt/system32/tasks/explorer.exe
and all of these are run in memory. System.dli and services.dli seem to be
identical files.

TDS-3 is powerless against this, or so it seems to me.

I have tried booting using a win98-bootdisk and manually deleting the bad
files from the command prompt (luckily my harddisk is still fat32-formatted)
and this works, but after win2000 reboot, the processes and files are back
there! This could be because I am unable to delete one file, called
explorer.exe, and placed in winnt/system32/tasks. I don't know what sort of
directory this is; it shows up when doing a dir, but I am unable to access
it at the command prompt.

So, there seems to be a circular thing going on, with processes constantly
covering each other's backs. Neither (fully updated) AVG nor McAfee detect
anything.

Can anyone help me to get rid of this trojan?
Thanks VERY MUCH in advance!

Try Hijack This http://mjc1.com/mirror/hjt/

Or Google for SpyBot S&D or Lavasoft's Ad-Aware

Slashed Zero

Try Hijack This http://mjc1.com/mirror/hjt/
Or Google for SpyBot S&D or Lavasoft's Ad-Aware

Thanks! - it didn't work though... (updated Ad-Aware also does not detect
anything!) Immediately after deleting the relevant registry keys, they
re-appear, as the worm constantly seems to find a way to re-load
itself in memory... Is there a way to bypass all automatic startup at system
start (startup menu, registry startups, etc.)? Maybe through safe mode?

Thanks!

Slashed Zero

Sounds like it could be RapidBlaster:

I don't think this is it - this is something else, but I'm not able to find
anything on it on Google or elsewhere (it might be something that some local
guy cooked up - I got it in a Dutch e-mail, my mother tongue, sent to an
e-mail address I use for putting up ads to sell second-hand stuff).

I think I have succeeded in removing it, though. For future reference:

You receive this trojan through an e-mail that contains a screensaver file
as an attachment (which only a fool like me would open...). Filename (in my
case): Sarah2.scr.

There are 3 files this trojan installs:
- winnt/system.dli
- winnt/system32/services.dli
- winnt/system32/ TASKS/explorer.exe (notice the preceding space in the
tasks-directory name)

Each of these files will be running as a process in memory. The files are
compiled with a Borland compiler, yet bear a Microsoft stamp (that says
"Microsoft 1992-95"). When stopping one of these processes, the two others
will immediately recreate the process. The files are loaded in memory at
startup through Run entries in the registry. Searching the registry for
these filenames will yield a number of results, not only in startup-related
entries. Deleting the entries is no good, as the running processes
constantly monitor the registry and immediately recreate their entries on
modification of the registry. The processes also try to access the internet
(whether to get a new copy from some site or to send information, I don't
know).

REMEDY (in Win2000):

- having a decent firewall (ZoneAlarm free edition will do) will prevent the
trojan getting access to the internet in the first place

- start up in Safe Mode (this will prevent the registry startup of the
malicious processes)
- use regedit to delete every occurrence of entries containing filenames
with the 'dli' extension (i.e. 'system.dli' and 'services.dli') and filenames
containing 'tasks/explorer.exe'
- delete all occurrences on your hard disk of the files mentioned above - in
my case only in the locations mentioned, but it's probably best to do a
disk-wide search
- once your system has been cleaned, reboot in normal mode and the trojan
should be gone

- you can use task manager to check whether there are still malicious
instances of explorer.exe, system.dli or services.dli running

Hope someone can do something with this (and that this indeed is the final
remedy)! Thanks everyone for your help!

Gino Zantafio

I got a similar trojan some weeks ago.
Disabling the defences. Multiple files surveying together.

I had to follow this procedure to recover.
Look for files of the same size in Windows & System and subdirectories.
The date couldn't be relevant because the infected files are of the same
date as Windows.
Use MSCONFIG and HijackThis. They were of great help.

Of course this is an example. Yours may be different in names and locations.

Good luck



I inadvertently clicked on a "pif" file not renamed by my firewall for some
unknown reason.
After 4 days of manual investigations / troubleshooting, I finally restored
my computer defences. At least I hope so! The virus-trojan-worm (?) is
probably still present but doesn't appear active any longer.


Its actions:
It disabled Zone Alarm, VirusScan when launched, TC-Active and T-C Monitor,
The Cleaner (scanning machine on demand), the Windows System File Checker
(SFC), every attempt done with scan engines.

It didn't stop the functioning of "Ad-Aware 6" (free), dedicated virus
removers such as "fixSbigF.exe", "stinger.exe", "The Cleaner" launched from the
network server, even under normal sessions of Windows. I didn't try
VirusScan from the server.


Its activity/detection:
It wasn't active under safe mode (probably because it was loaded by the
Run keys).
Neither detected by "The Cleaner", nor "stinger", "fixSbigF", "VirusScan"
unless heuristic scanning was selected. In that case only the
"image023.pif" was recognized to contain "NewBackdoor1".
Later on I applied VirusScan to the other files without positive result,
even in heuristic mode.


Its system installation:
There were three "Com Service = "Wins98\command\" " entries in the registry
Run keys (HKCU, HKLM, and HKUD\Software\Microsoft\Windows\CurrentVersion\Run)
pointing to E:\Win98\command\mshxbh.com.


This newsgroup gave me the idea to look for strange file names with the same
date as the two known files (image023.pif and mshxbh.com).
I found two other occurrences: Win98\services.exe and
Win98\System\msulwy.com. They have exactly the same date (05.05.99 22:22),
identical to the Windows files' date, the same length (54,048 bytes) and
the same contents (with Quick View). These characteristics also apply to
"image023.pif".
The characteristics of the four infected files follow below in case
this could bring some more information.
The three files have the attributes "system" & "hidden".


The disabling:
I went into safe mode again (off, then boot) and renamed "mshxbh.com",
"msulwy.com" and "Services.exe". I edited the registry searching for these
filenames as well as for "Com Service" and deleted the Run keys launching
"mshxbh.com". I found a new one:
HKLM\Software\Microsoft\Active Setup\Installed
Components\{42AC0312-EE51-A3CC-EA32-40AA12E6115C}
containing "StubPath=E:\Win98\System\msulwy.com". I renamed its name &
value. It will be deleted later on if necessary.
Nothing concerning "Services.exe". This looks rather strange to me because
it's never called by any key or anything else.

Should I mention that I also used "HijackThis" after the cleaning was
manually done? It didn't reveal anything more.



Rather satisfied I turned the computer Off and rebooted in normal mode. All
the protections were SUCCESSFULLY restored.
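The two manual checks described in this thread (Slashed Zero's search of the Run entries for the dropped filenames, and Gino's hunt for the other copies by identical size and contents rather than by file date) can be scripted. This is an added example and not code from any poster; it runs against a constructed sample directory standing in for the WINNT tree and a constructed dictionary standing in for Run-key values, so it works offline on any OS, and the filenames are the ones quoted in the thread.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def file_digest(path):
    """SHA-256 of a file: the 'same contents' check the thread did with Quick View."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_clones(root, known_bad):
    """Return every file under root with the same size and contents as known_bad.
    The file date is deliberately ignored: the dropper copied the Windows install date."""
    want_size = os.path.getsize(known_bad)
    want_hash = file_digest(known_bad)
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if os.path.getsize(p) == want_size and file_digest(p) == want_hash:
                hits.append(p)
    return sorted(hits)

def suspicious_run_entries(run_entries, suspect_names):
    """Return Run-key entries (value name -> command) that reference a suspect filename.
    Case-insensitive substring match, so the ' tasks\\explorer.exe' directory with its
    leading space is caught, as is 'System.dli' versus 'system.dli'."""
    lowered = [n.lower() for n in suspect_names]
    return {k: v for k, v in run_entries.items()
            if any(n in v.lower() for n in lowered)}

def demo():
    # Constructed WINNT stand-in: three identical drops plus a benign file of the
    # same size but different contents (showing that size alone is not enough).
    root = tempfile.mkdtemp()
    payload = b"MZ" + b"\x90" * 100
    for rel in ("system.dli", "system32/services.dli", "system32/ tasks/explorer.exe"):
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(payload)
    Path(root, "system32/notepad.exe").write_bytes(b"MZ" + b"\x00" * 100)
    clones = find_clones(root, os.path.join(root, "system.dli"))
    # Constructed Run-key values, modelled on the entries quoted in the thread.
    run = {"Com Service": r"E:\Win98\command\mshxbh.com",
           "services": r"C:\WINNT\system32\services.dli",
           "Explorer": r"C:\WINNT\system32\ tasks\explorer.exe",
           "ZoneAlarm": r"C:\Program Files\Zone Labs\zonealarm.exe"}
    flagged = suspicious_run_entries(run, ["system.dli", "services.dli",
                                           r"tasks\explorer.exe", "mshxbh.com"])
    return len(clones), sorted(flagged)
```

A real run would point `find_clones` at the Windows directory and feed `suspicious_run_entries` the values read from the HKCU and HKLM Run keys; renaming rather than deleting what it flags, as Gino suggests below, is a sensible default until the match is confirmed.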

Gino Zantafio

Boot in safe mode and do the job from there because residents aren't loaded
in safe mode. Hence nasty files aren't active and don't survey themselves.

Should the registry key deletion not be complete, everything restores when
you boot in normal mode!
Nasty keys are in relation with the filenames you'll find searching in your
Windows directories (maybe also in "Program Files").
Using the help of HijackThis, you'll appreciate what to do with the
registry.

Inside regedit.exe, search these keys and rename them. I don't like to
delete keys as far as I'm not 100% sure.

Don't forget to make a backup of your registry files __before__ modifying
anything, and learn how to restore them before being stuck!!!
It happened to me the first time!

Stefan Jaeger

---snip---
What it does is: it starts itself up in the registry and creates two
instances of itself in memory. When you terminate one of these processes,
the remaining instance re-instantiates the other in memory, so that there is
always at least one of these two running.
The bad files are:
winnt/system.dli
winnt/system32/services.dli
winnt/system32/tasks/explorer.exe
and all of these are run in memory. System.dli and services.dli seem to be
identical files.

---snip---

I have tried booting using a win98-bootdisk and manually deleting the bad
files from the command prompt (luckily my harddisk is still fat32-formatted)
and this works, but after win2000 reboot, the processes and files are back
there! This could be because I am unable to delete one file, called
explorer.exe, and placed in winnt/system32/tasks. I don't know what sort of
directory this is; it shows up when doing a dir, but I am unable to access
it at the command prompt.

So, there seems to be a circular thing going on, with processes constantly
covering each other's backs. Neither (fully updated) AVG nor McAfee detect
anything.

---snip---

Perhaps you would like to try here:
http://www.antivir.de/vireninfo/sober.htm

The site is German; an English translation is available by using the
"english" button in the menu.

The description of the double instances seems to match your problem.


Stefan