ran superantispyware and got this- is this a real trojan?

robinb

why? I reran the antispyware program and it found nothing this time so why
would I have to go further?
if there were more spyware- the program would have picked it up again or
something else
robin
 
Guest

Because it's very new, the earliest date I've found is Oct. 25th, but most
HJT logs containing it are from within the last week. Since it appears to be
a downloader rather than a specific known piece of malware, it's taking time
to get classified.

It appears that at least some distribution of the NTOS.EXE file itself may
have occurred via compromised Invision Power Board based forums, meaning it
could have been installed when logging into a web forum, even a generally
trusted one. Both exploits within the IPB platform code and PHP exploits
commonly place such forums at risk of compromise, which you can see could be
very dangerous.

As for Robin's apparent infection, Stu is absolutely correct, she should
post an HJT log to a good Malware Removal forum to double check. Though most
malware is noisy and visible, trojans often hide and/or collect info
silently. Since the downloader used was new and only recently known,
delivered malware could be also.

What you're seeing is the relatively less common discovery of a new class of
malware, something totally unknown to the antimalware community, so unlike a
new version of something already known, the process to identify and classify
takes time to flow through the back channels. That's why VirusTotal and other
front channels are so important, since they help to move the info faster by
providing the potential malware to everyone in their respective community.

Bitman
 
Guest

Bitman said:
Because it's very new, the earliest date I've found is Oct. 25th, but most
HJT logs containing it are from within the last week. Since it appears to be
a downloader rather than a specific known piece of malware, it's taking time
to get classified. [... etc.]

Thanks Bitman for this very lucid explanation.

Looking at this situation as you describe it - the so-called malware paranoia
really isn't paranoia, is it? It really is out there, and we're all only a
whisker away from it being 'in here'!
 
Guest

Presumably the reason your AS software is not picking it up right now is
because you have placed NTOS.EXE in quarantine, right? The fact that NTOS is
an execution file could mean that it has already done its work and placed the
necessary reg entries in place. How can you be sure there are not other files
which have already been placed on your system by NTOS? AS progs are not
infallible.

Just trying to give you another perspective. Or, maybe I'm just paranoid.

Stu
 
robinb

well i will tell you that Nick Skrepetos does get back to you real quick.
I asked him since I ran a new scan to see if it picked up anything else and
it did not (and I also did it in safe mode just in case) he told me this:

"Yes, that should indicate you are clean. If you have no problems then you
can delete the file from the quarantine. It looks like all the other
anti-spyware/virus software missed the infect that SAS caught. "

and since he does know his stuff I will take his word for it.

robin

Alan D said:
Bitman said:
Because it's very new, the earliest date I've found is Oct. 25th, but most
HJT logs containing it are from within the last week. Since it appears to be
a downloader rather than a specific known piece of malware, it's taking time
to get classified. [... etc.]

Thanks Bitman for this very lucid explanation.

Looking at this situation as you describe it - the so-called malware paranoia
really isn't paranoia, is it? It really is out there, and we're all only a
whisker away from it being 'in here'!
 
Guest

Though it's possible there's no remaining malware, it's absolutely impossible
to tell that without looking at the system, which is commonly done remotely
by looking at an HJT log. Though I'm sure Nick is a smart guy, you're
basically accepting the fact that he believes his product is infallible and
would have discovered any additional malware if it existed.

In a case where a downloader existed on the system undetected for some
period of time, there's always the possibility it downloaded some additional
malware which is what it was designed to do. If I had such an experience, I'd
either scan using every good antimalware application (AV and AS) I could get
my hands on or have a HiJackThis log checked by a trusted forum. Otherwise,
it's just a guess, maybe educated but still a guess.

Bitman
 
robinb

I have run all of the av antispyware programs and 3 online scanners
I even followed someone's advice in CastleCops and downloaded and did Trojan
hunter in safe mode and no trojans are showing up.
I see no strange activity going on in my computer and I have done this
before on other computers so right now I am going to wait it out and see

robin
 
Dave M

Hey Robin...

Good to see you've got a grip on this... don't forget to send it into Uncle
Bill at Ms, so it can be added to the WD defs and save the rest of our
collective posteriors, before you delete that file. Gracias...
 
Robin

dave, it would not allow me to send it- kept coming up that it was locked.
that also gave me the impression that it was malware. It did allow me to put
it up on virustotal.com which was real strange but it would not allow me to
email it at all. I wish it would have and believe me i tried everything to
unlock it but to no avail. Right now it is not in system32 anymore it is
sitting in superantispyware in its quarantine.
 
Robin

i am hoping someone in here is reading this from MS and can add this
definition to the database like superantispyware has in its, since i could
not send the file
 
Dave M

Not to worry, Robin. As you did manage to send to VirusTotal, they specify
that any code samples you send will be shared among the vendors of the
anti-malware they use in their analysis. Since Ms is among that select
group now, they've gotten that nasty code in a more round-about way, and
that's what's most important here. Appreciate your efforts, as I'm sure we
all do.
 
Dave M

Hi again Robin and others;

Just as a followup to this thread and general techie interest, I'm going to
post the Wilder's forum thread started by Robin and dealing with the
ntos.exe malware:
http://www.wilderssecurity.com/showthread.php?t=154631&highlight=superantispyware
and the Secure Science Corp. Case Study white paper that resulted from this
malware...
http://ip.securescience.net/advisories/pubMalwareCaseStudy.pdf

You sure know how to pick an infection, Robin, and if you haven't yet
looked at that tech paper... it does explain a few things that you'd
wondered about, like the 8/04/2004 date on that file, and why you couldn't
send it off to Ms as a missed detection, albeit in a very techie way. I'm
curious as to what your plans are after looking at this additional
information, and I hope that your machine was not used for any sensitive
data that might have been compromised through any stealth. I'm really not
sure what I'd do with the knowledge that this was on my system.
 
Guest

Yes Dave, that Wilder's Security Thread quite clearly displays the typical
"me first" and "but my favorite xxx antimalware doesn't detect it" symptoms
that accompany the initial discovery phase of a new type of malware. Even to
the point that you'll note they've completely forgotten about Robin and
helping her understand the potential risk.

If the folder containing the two dll files used to store stolen data
doesn't exist on her PC, she's likely OK, but having an HJT log checked would
be advisable to be sure. It may never have gone active on her system if, for
example, she has Outpost firewall installed, which appears to suppress the
trojan's operation.

Though the first samples of this were discussed in open forums around Oct.
25th, the paper states the infection of the Storage Review Forums occurred on
Oct. 11th and there may have been others as early as Sept. 22nd, the date
found on the earliest known samples.

Bitman
 
Robin

if you notice in the post at wildersecurity it states
AVG7.5(Ewido) and Kaspersky have updated their definitions to include the 3
files referenced in this topic overnight
I ran avg7.5 and it still says I am clean. oh and I do not use Outpost for
firewall- I use avg antivirus with firewall app; I also ran the program that
is given by the securescience advisory board and it says i am clean too.
I am just wondering how the heck i picked this up in the first place since i
am so careful of where i go
robin

So in reply to the initial topic "it does now"
 
Robin

does anyone know how to run this program from the pdf?
it is at http://ip.securescience.net/advisories/
and it is called prgdetect.zip
I cannot figure out once open how to run the prg-dect.exe they say to do in
the command prompt
I got it from http://ip.securescience.net/advisories/MalwareCaseStudy.pdf
I unzipped all the files. put them in a directory called prg-dect but i
cannot figure out how to run it. there is no exe file in the 6 files it
unzips too,
this files shows if you are clean or not.
I read the pdf and i do not have the 2 additional files (dll's) they say is
with it.
I ran process explorer and did a find for the ntos.exe but i am totally
clean of that file.
I already deleted it from superantispyware after i had quarantined it and
reran a scan and all is fine but i really want to try this program and see
if i am super clean.
thanks
robin
 
Tom Emmelot

Hi Robin,

if you don't have a Visual C++ compiler then you don't have anything of
the files you download!

Regards >*< TOM >*<

Robin wrote:
 
Robin

now you really lost me
all i did was download the zip file and extract them to folder
they are all there so now i am lost
robin
 
Robin

oh btw i do not have any of the files (the dll's) that they say go with
this trojan
robin
 
Tom Emmelot

Hi Robin,

if you don't have the dll files then I think you are clean, if you also
did a search for those names in the registry and found nothing, there is
nothing to worry about.

Regards >*< TOM >*<

Robin wrote:
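The check Tom describes (confirm the file names are gone from disk and that nothing in the registry still references them) can be scripted rather than done by hand. The PowerShell below is an added example for this thread, not code from any poster or from the Secure Science paper. It takes the ntos.exe name from the thread; the two DLL names are not given on the page, so the script carries placeholders that would have to be replaced with the names from the white paper. The registry locations are the standard Windows autostart keys, chosen as an assumption about where such an entry would most likely be found.

```powershell
# Added example (not from the thread): look for a suspect executable and its
# companion DLLs on disk, in the common autostart registry keys, and among
# running processes. Prints what it finds; an empty result supports the view
# that the removal was complete, but is not a substitute for a reviewed HJT log.
#
# Assumptions: 'ntos.exe' is the name from the thread; the DLL names below are
# PLACEHOLDERS because the page does not give them.
param(
    [string[]]$SuspectFiles = @('ntos.exe', 'PLACEHOLDER_DLL_1.dll', 'PLACEHOLDER_DLL_2.dll')
)

$findings = @()

# 1. File search under the Windows directory (the thread says the file sat in System32)
$winDir = $env:SystemRoot
foreach ($name in $SuspectFiles) {
    Get-ChildItem -Path $winDir -Filter $name -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "File present: $($_.FullName)" }
}

# 2. Autostart registry keys whose values mention any of the suspect names
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
        foreach ($name in $SuspectFiles) {
            if ("$($p.Value)" -match [regex]::Escape($name)) {
                $findings += "Registry reference: $key\$($p.Name) = $($p.Value)"
            }
        }
    }
}

# 3. Anything with that image name still running
foreach ($name in $SuspectFiles) {
    $base = [IO.Path]::GetFileNameWithoutExtension($name)
    Get-Process -Name $base -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "Running process: $($_.ProcessName) (PID $($_.Id))" }
}

if ($findings.Count -eq 0) {
    Write-Output "No file, registry or process references found for: $($SuspectFiles -join ', ')"
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run it from an elevated PowerShell prompt so the HKLM keys and the whole Windows directory are readable; a non-elevated run can miss entries and report a clean result that is not actually verified.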
 
