need to figure out if an .scr file contains a security threat

N

name

Hello.

On MSN, I received an scr file and being the stupid idiot that I am, I
clicked on it. It didn't appear to do anything and when asking the
person who sent it, he told me it was some kind of virus that was sent
via msn. So now I'm extremely pissed off with myself but before
formatting my HD and installing everything once again, I was thinking
it might be possible to determine if the .scr file has actually
compromised my system in any way.

I've put the file online here:
http://www.ibbu.nl/~nsprakel/possible_virus.rar

I was wondering if anyone could help me out analyzing whether or not
the file is likely to have infected my computer? Or perhaps someone
can suggest a website where I could submit the file to have it scanned
to assess the potential threat.
I have my system fully updated (win xp pro sp2) and use AVG, which
didn't appear to find any virus in it.

Kind regards and thanks in advance for any help, Niek
 
N

name

I scanned the file online and it did indeed contain a virus... here is
a screenshot
of Kaspersky's scan results for that file:
http://www.ibbu.nl/~nsprakel/virus.jpg

Ok, so now what do I do... would it really be necessary to format my
HD and install all the software again or is there a less cumbersome
solution?
 
D

David H. Lipman

From: "name" <[email protected]>


|
| I scanned the file online and it did indeed contain a virus... here is
| a screenshot
| of Kaspersky's scan results for that file:
| http://www.ibbu.nl/~nsprakel/virus.jpg
|
| Ok, so now what do I do... would it really be necessary to format my
| HD and install all the software again or is there a less cumbersome
| solution?

Please REMOVE that file from the http://www.ibbu.nl server.


Complete scanning result of "possible_virus.scr", processed in VirusTotal at 06/16/2007 00:03:27 (CET).

[ file data ]
* name: possible_virus.scr
* size: 345088
* md5.: 90e8e9e296ce9e19d1d1da97db4b62b5
* sha1: d82d2262bd4087cb4b939929b2101bb5b8a2ee59

[ scan result ]
AhnLab-V3 2007.6.16.0/20070615 found nothing
AntiVir 7.4.0.32/20070615 found [BDS/Bifrose.NU]
Authentium 4.93.8/20070615 found nothing
Avast 4.7.997.0/20070615 found nothing
AVG 7.5.0.467/20070615 found nothing
BitDefender 7.2/20070615 found [Backdoor.IRCBot.ABDD]
CAT-QuickHeal 9.00/20070615 found [(Suspicious) - DNAScan]
ClamAV devel-20070416/20070615 found [Trojan.Pakes-248]
DrWeb 4.33/20070615 found nothing
eSafe 7.0.15.0/20070614 found [Win32.IRCBot.aaq]
eTrust-Vet 30.7.3721/20070615 found nothing
Ewido 4.0/20070615 found [Backdoor.IRCBot.aaq]
F-Prot 4.3.2.48/20070615 found nothing
F-Secure 6.70.13030.0/20070615 found [Backdoor.Win32.IRCBot.aaq]
FileAdvisor 1/20070615 found [Not analyzed yet]
Fortinet 2.85.0.0/20070615 found [W32/IRCBot.AAQ!tr.bdr]
Ikarus T3.1.1.8/20070615 found [Backdoor.VB.EV]
Kaspersky 4.0.2.24/20070615 found [Backdoor.Win32.IRCBot.aaq]
McAfee 5054/20070615 found nothing
Microsoft 1.2607/20070615 found nothing
NOD32v2 2334/20070615 found nothing
Norman 5.80.02/20070615 found nothing
Panda 9.0.0.4/20070615 found [W32/Gaobot.OXI.worm]
Sophos 4.18.0/20070612 found nothing
Sunbelt 2.2.907.0/20070614 found [Win32.ExplorerHijack]
Symantec 10/20070615 found nothing
TheHacker 6.1.6.133/20070615 found [Backdoor/IRCBot.aaq]
VBA32 3.12.0.2/20070615 found [Backdoor.Win32.IRCBot.aaq]
VirusBuster 4.3.23:9/20070615 found [Backdoor.IRCBot.AZA]
Webwasher-Gateway 6.0.1/20070615 found [Trojan.Bifrose.NU]

[ notes ]
packers: Themida
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=90e8e9e296ce9e19d1d1da97db4b62b5
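The report above is the kind of multi-engine result a practitioner reads by hand; the following is an added example (not from the thread or from VirusTotal) that parses lines in that "Vendor engine/sigdate found [verdict]" shape, computes the detection ratio over the engines that actually analyzed the file, derives a family consensus from the verdict strings, and answers the question the poster cared about: did his own product (AVG) catch it? The embedded sample is a constructed subset of the lines quoted above; the family-token heuristic (keep mixed-case alphabetic tokens that are not generic class names) is my own and will not suit every vendor's naming scheme.

```python
import re
from collections import Counter

# Constructed sample: ten of the VirusTotal result lines quoted in the
# thread, kept in the original "Vendor engine/sigdate found [verdict]" shape.
SAMPLE_REPORT = """\
AhnLab-V3 2007.6.16.0/20070615 found nothing
AntiVir 7.4.0.32/20070615 found [BDS/Bifrose.NU]
AVG 7.5.0.467/20070615 found nothing
BitDefender 7.2/20070615 found [Backdoor.IRCBot.ABDD]
CAT-QuickHeal 9.00/20070615 found [(Suspicious) - DNAScan]
F-Secure 6.70.13030.0/20070615 found [Backdoor.Win32.IRCBot.aaq]
FileAdvisor 1/20070615 found [Not analyzed yet]
Kaspersky 4.0.2.24/20070615 found [Backdoor.Win32.IRCBot.aaq]
Panda 9.0.0.4/20070615 found [W32/Gaobot.OXI.worm]
Symantec 10/20070615 found nothing
"""

LINE_RE = re.compile(
    r"^(?P<vendor>\S+)\s+(?P<version>\S+)\s+found\s+(?:nothing|\[(?P<verdict>.*)\])$"
)

# Tokens that name a class or a scanner feature rather than a malware family
# (heuristic list, my assumption; extend it for other vendors' naming schemes).
GENERIC = {"backdoor", "trojan", "worm", "win32", "bds", "suspicious", "dnascan", "generic"}


def parse_report(text):
    """Turn result lines into records; non-matching lines (headers, notes) are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        engine, _, sigdate = m.group("version").partition("/")
        verdict = m.group("verdict")
        # "Not analyzed yet" is a status, not a verdict: neither a hit nor a miss.
        analyzed = verdict is None or not verdict.lower().startswith("not analyzed")
        records.append({
            "vendor": m.group("vendor"),
            "engine": engine,
            "sigdate": sigdate,
            "verdict": verdict,
            "analyzed": analyzed,
            "detected": analyzed and verdict is not None,
        })
    return records


def family_votes(records):
    """One vote per engine for each family-looking token in its verdict string."""
    votes = Counter()
    for r in records:
        if not r["detected"]:
            continue
        families = set()
        for tok in re.split(r"[^A-Za-z0-9]+", r["verdict"]):
            # Family names here are mixed case (IRCBot, Bifrose); variant
            # suffixes are all upper or all lower (ABDD, aaq) and are dropped.
            mixed_case = tok.isalpha() and tok != tok.lower() and tok != tok.upper()
            if mixed_case and tok.lower() not in GENERIC:
                families.add(tok.lower())
        votes.update(families)
    return votes


def summarize(records, own_vendor=None):
    """Detection ratio over engines that analyzed the file, plus the family consensus."""
    analyzed = [r for r in records if r["analyzed"]]
    hits = [r for r in analyzed if r["detected"]]
    votes = family_votes(records)
    own = next((r for r in records
                if own_vendor and r["vendor"].lower() == own_vendor.lower()), None)
    return {
        "engines": len(analyzed),
        "detections": len(hits),
        "ratio": round(len(hits) / len(analyzed), 2) if analyzed else 0.0,
        "top_family": votes.most_common(1)[0][0] if votes else None,
        "own_vendor_detected": own["detected"] if own else None,
    }


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    print(summarize(recs, own_vendor="AVG"))
```

The point a triage reader should take from the output is that a low ratio on a freshly packed sample (note the "packers: Themida" line above) is normal, that three engines agreeing on one family name is stronger evidence than the raw count, and that "your own scanner found nothing" says nothing once the file has already been run.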
 
N

name

From: "name" <[email protected]>

|
| I scanned the file online and it did indeed contain a virus... here is
| a screenshot
| of Kaspersky's scan results for that file:
| http://www.ibbu.nl/~nsprakel/virus.jpg
|
| Ok, so now what do I do... would it really be necessary to format my
| HD and install all the software again or is there a less cumbersome
| solution?

| Please REMOVE that file from the http://www.ibbu.nl server.

Ok, done, but what do I do about my infected computer?
 
D

David H. Lipman

From: "name" <[email protected]>

|>> I scanned the file online and it did indeed contain a virus... here is
|>> a screenshot
|>> of Kaspersky's scan results for that file:
|>> http://www.ibbu.nl/~nsprakel/virus.jpg
|>>
|>> Ok, so now what do I do... would it really be necessary to format my
|>> HD and install all the software again or is there a less cumbersome
|>> solution?

| Ok, done, but what do I do about my infected computer?

You RAN IT ? Oy vay...

You can use the Kaspersky module of the following Multi AV Scanning Tool and/or the free
BitDefender 8.

I will submit the file to mAV vendors this evening.

Free BitDefender v8
--------------------
http://www.bitdefender.com/PRODUCT-14-en--BitDefender-8-Free-Edition.html


Multi AV Scanning Tool.
----------------------
Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/downloads/dl/35905.asp

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *
 
N

name

From: "name" <[email protected]>



|>> I scanned the file online and it did indeed contain a virus... here is
|>> a screenshot
|>> of Kaspersky's scan results for that file:
|>> http://www.ibbu.nl/~nsprakel/virus.jpg
|>>
|>> Ok, so now what do I do... would it really be necessary to format my
|>> HD and install all the software again or is there a less cumbersome
|>> solution?


| Ok, done, but what do I do about my infected computer?

| You RAN IT ? Oy vay...

Yes, I ran it. Twice even. :-/ *sigh*
Like I said in my first posting in this thread, I was stupid enough to
run it.
| You can use the Kaspersky module of the following Multi AV Scanning Tool and/or the free
| BitDefender 8.

Wouldn't it be possible to use the online kaspersky scan to clean my
computer somehow?
Is it likely it has infected all HD's or just the system HD?
 
D

David H. Lipman

From: "name" <[email protected]>


|
| Wouldn't it be possible to use the online kaspersky scan to clean my
| computer somehow?
| Is it likely it has infected all HD's or just the system HD?
|

The online Kaspersky scanner is a "detection only" scanner.

What was the message on MSN ? Could you post subject and body text ?

Did you keep a copy ?
 
N

name

From: "name" <[email protected]>

|
| Wouldn't it be possible to use the online kaspersky scan to clean my
| computer somehow?
| Is it likely it has infected all HD's or just the system HD?
|

| The online Kaspersky scanner is a "detection only" scanner.

Ok, I'll try the scanners you suggested, bit defender and kaspersky
from the multi-AV tool.
| What was the message on MSN ? Could you post subject and body text ?
|
| Did you keep a copy ?

I didn't keep a copy... it was just an MSN chat message (they don't
have subjects)
saying something like "have a look at these pictures" and a file
photos.zip that contained a file photos.scr . On msn, you have to
accept files in order to receive them when someone sends them in a
chat message. I accepted the file, unzipped it, had a look at
wikipedia.org to see what scr files are and thinking a screensaver
file was probably safe I attempted to open it. Nothing seemed to
happen of course, so I asked the person who had sent it and he told me
the msg had been sent automatically and he had also clicked the scr
file himself previously.

I have a huge (over 300 contacts) contact list on MSN and I tried to
send a kind of multiple recipient message to warn other people not to
open any files in messages sent by me, but that didn't work. So I
closed down MSN to avoid the virus sending itself.
 
J

jen

B

Beauregard T. Shagnasty

| had a look at wikipedia.org to see what scr files are and thinking a
| screensaver file was probably safe I attempted to open it.

"Screensaver" files have long been used as a prime way to distribute
viruses. It's called social engineering.

Then there is the chance the file was actually named:

"screensaver.scr .exe"

Notice the .exe way over there --->
| Nothing seemed to happen of course, so I asked the person who had sent
| it and he told me the msg had been sent automatically and he had also
| clicked the scr file himself previously.

Then you had best pass David's instruction along to him as well, as he
is surely infected, too.

Time to post this link again?
http://outside.arc.ab.ca/staff/erkamp/security.jpg
 
N

name

| "Screensaver" files have long been used as a prime way to distribute
| viruses. It's called social engineering.
|
| Then there is the chance the file was actually named:
|
| "screensaver.scr .exe"
|
| Notice the .exe way over there --->

I don't think that was the case.. a few years ago I did click on a
file picture.jpg.exe and had a similar situation but this time I'm
fairly sure the extension was really just ".scr"
| Then you had best pass David's instruction along to him as well, as he
| is surely infected, too.

Well, I did refer him to this thread on groups.google.com

In retrospect you always wonder how you can be so stupid. :-/
 
C

Char Jackson

| I don't think that was the case.. a few years ago I did click on a
| file picture.jpg.exe and had a similar situation but this time I'm
| fairly sure the extension was really just ".scr"

It doesn't matter, since .scr and .exe are both executable, as are a
host of other extensions.
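The two points made in this exchange (the padded "screensaver.scr .exe" trick and the fact that .scr is as executable as .exe) are easy to check mechanically at a mail or file-transfer gateway. The following is an added example, not code from anyone in the thread; the extension lists are my own starting set, not an exhaustive one, and the sample names are the ones mentioned in the thread plus a benign one.

```python
import ntpath

# Extensions the Windows shell runs directly when a file is opened.
# Starting set only (my assumption); extend it for your environment.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe",
                   "js", "jse", "wsf", "wsh", "hta", "cpl", "msi"}
# Extensions commonly used as the decoy half of a double extension.
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "pdf", "zip", "mp3", "avi"}


def inspect_name(filename):
    """Report why an attachment name should not be trusted at face value."""
    name = ntpath.basename(filename)      # handles both "\" and "/" separators
    raw = name.split(".")
    parts = [p.strip() for p in raw]      # collapse the padding trick
    final = parts[-1].lower() if len(parts) > 1 else ""
    issues = []
    if final in EXECUTABLE_EXTS:
        issues.append(f"final extension .{final} is executable")
    if any(r != p for r, p in zip(raw, parts)):
        issues.append("whitespace padding inside the name pushes the real extension out of view")
    # A decoy or second executable extension right before the real one.
    decoys = [p for p in parts[1:-1] if p.lower() in DECOY_EXTS | EXECUTABLE_EXTS]
    if final in EXECUTABLE_EXTS and decoys:
        issues.append("double extension ." + ".".join(p.lower() for p in parts[1:]))
    return {"name": name, "final_extension": final,
            "executable": final in EXECUTABLE_EXTS, "issues": issues}


if __name__ == "__main__":
    # Constructed inputs: the names discussed in the thread plus a harmless one.
    for n in ("photos.scr", "screensaver.scr .exe", "picture.jpg.exe", "holiday.jpg"):
        r = inspect_name(n)
        print(f"{n!r:>24}: {'; '.join(r['issues']) or 'nothing unusual'}")
```

Only the final extension decides what the shell executes, which is why the check looks at the last dotted segment after stripping whitespace and treats everything before it as either a decoy or irrelevant.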
 
D

David H. Lipman

From: "David H. Lipman" <[email protected]>

|
| It doesn't mean they are one and the same.
|
| It could be the same BUT... a different variant.
|

Jen is correct.
It is a new variant of what Symantec calls "W32.Mubla"

This variant uses:

HKCR\CLSID\{CA4896E7-EE32-4899-8950-9E7126515E48}\InProcServer32
"(Default)" = "syshelps.dll"
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
"syshelps" = "{CA4896E7-EE32-4899-8950-9E7126515E48}"
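The two registry entries above describe a ShellServiceObjectDelayLoad persistence: Explorer loads every CLSID listed under that key at logon, and the CLSID's InProcServer32 value names the DLL. The following is an added example (not from the thread or from any vendor tool) that audits this mechanism: on Windows it reads the live registry through the standard-library winreg module, elsewhere it runs on a constructed snapshot that reproduces the "syshelps" entries quoted above next to a placeholder entry with an all-zero CLSID standing in for an ordinary component. A bare DLL name like "syshelps.dll" is resolved through the DLL search order; legitimate components use bare names too, so that flag means "locate the file that actually gets loaded", not "malicious".

```python
import ntpath
import os
import sys

# Registry location quoted in the thread for this persistence mechanism.
SSODL_KEY = r"Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"

# Constructed snapshot in the shape collect_live() returns:
# {"ssodl": {value name: CLSID}, "inproc": {CLSID: InProcServer32 default value}}.
# "syshelps" reproduces the entries quoted in the thread; "ExampleShellObj" and
# its all-zero CLSID are placeholders standing in for a normal system component.
SAMPLE_SNAPSHOT = {
    "ssodl": {
        "syshelps": "{CA4896E7-EE32-4899-8950-9E7126515E48}",
        "ExampleShellObj": "{00000000-0000-0000-0000-000000000001}",
    },
    "inproc": {
        "{CA4896E7-EE32-4899-8950-9E7126515E48}": "syshelps.dll",
        "{00000000-0000-0000-0000-000000000001}": r"C:\WINDOWS\system32\example.dll",
    },
}


def collect_live():
    """Read the live registry. Windows only: winreg is part of the standard library there."""
    import winreg
    ssodl, inproc = {}, {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SSODL_KEY) as key:
        index = 0
        while True:
            try:
                name, clsid, _ = winreg.EnumValue(key, index)
            except OSError:
                break  # no more values under the key
            ssodl[name] = str(clsid)
            index += 1
    for clsid in ssodl.values():
        try:
            # QueryValue returns the "(Default)" value of the named subkey.
            inproc[clsid.upper()] = winreg.QueryValue(
                winreg.HKEY_CLASSES_ROOT, "CLSID\\" + clsid + "\\InProcServer32")
        except OSError:
            pass  # no InProcServer32 subkey: reported by audit() below
    return {"ssodl": ssodl, "inproc": inproc}


def audit(snapshot, system_dir=r"C:\WINDOWS\system32"):
    """Join each SSODL name to its DLL and flag entries that deserve a manual look."""
    prefix = system_dir.lower().rstrip("\\") + "\\"
    findings = []
    for name, clsid in snapshot["ssodl"].items():
        dll = snapshot["inproc"].get(clsid.upper())
        flags = []
        if dll is None:
            flags.append("CLSID has no InProcServer32 value")
        else:
            path = ntpath.expandvars(dll)
            if not ntpath.dirname(path):
                # Bare name: loaded through the DLL search order. Legitimate
                # components use this too, so find the file actually picked up.
                flags.append("bare filename, resolve it through the DLL search order")
            elif not path.lower().startswith(prefix):
                flags.append("DLL lives outside the system directory")
        findings.append({"name": name, "clsid": clsid, "dll": dll, "flags": flags})
    return findings


if __name__ == "__main__":
    if sys.platform == "win32":
        snap = collect_live()
        sysdir = ntpath.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "system32")
    else:
        snap, sysdir = SAMPLE_SNAPSHOT, r"C:\WINDOWS\system32"
    for f in audit(snap, system_dir=sysdir):
        status = "; ".join(f["flags"]) or "ok"
        print(f"{f['name']:<18} {f['clsid']} -> {f['dll']}  [{status}]")
```

Run it on a clean machine first and keep that listing; on a suspect machine, any name that was not in the clean listing, any CLSID without an InProcServer32 value, and any DLL that resolves to an unexpected location is what to hand to the analyst or the rebuild decision.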
 
N

name

From: "David H. Lipman" <[email protected]>

|
| It doesn't mean they are one and the same.
|
| It could be the same BUT... a different variant.
|

| Jen is correct.
| It is a new variant of what Symantec calls "W32.Mubla"
|
| This variant uses:
|
| HKCR\CLSID\{CA4896E7-EE32-4899-8950-9E7126515E48}\InProcServer32
| "(Default)" = "syshelps.dll"
| HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
| "syshelps" = "{CA4896E7-EE32-4899-8950-9E7126515E48}"


Ah, that explains why AVG gave me an alert about a 'syshelps.dll'
file... bit late though after my computer had already been infected.
 
