Strange virus/trojan not detected

[Zantafio]

I didn't get any answer to this message nor it appeared within my message
list.
Probably lost.

I'd appreciate to get additional information.
Sorry for the length!

After the first post I performed Internet scans with TrojanScan and
Symantec.
They didn't ring on the infected files.
____________________________________________________

I finally restored my computer defences. At least I hope so ! The
virus-trojan-worm (?) is probably still present but doesn't appear active
anylonger.


Its actions:
It disabled Zone Alarm, VirusScan when launched, TC-Active and T-C Monitor,
The Cleaner (scaning machine on demand), The Windows System File Compare
(SFC), every attempt done with scan engines.

It didn't stop the functioning of "Ad-Aware 6" (free), dedicated virus
removers as "fixSbigF;exe, "stinger.exe", "The cleaner" launched from the
network server, even under normal sessions of Windows. I didn't try
VirusScan from the server.


Its activity/detection:
It wasn't active under the safe mode (probably because it was loaded by the
run keys).
Neither detected by "The cleaner", nor "stinger", "fixSbigF", "VirusScan"
unless the heuristics scanning was selected. In that case only the
"image023.pif" was recognized to contain "NewBackdoor1".
Later on I applied VirusScan to the other files without positive result,
even in heuristics mode.


Its system installation:
There were three "Com Service = "Wins98\command\" " entries in the registry
Run keys (HKCU, HKLM, and HKUD\Software\Microsoft\Windows\Current
version\Run) pointinh to E:\Win98\command\mshxbh.com.


This NewsGroup gave me the idea to look for strange file names with the same
date as the two known files (image023.pif and mshxbh.com).
I found two other occurrences: Win98\services.exe and
Win98\System\msulwy.com. They've exactly the same date (05.05.99 22:22)
identical to the Windows file's date and the same length (54 048bytes) and
the same contents (with Quick view). These characteristics also apply to
"image023.pif".
The characteristics of the four infected files follow here-below in case
this could bring some information more.
The three files have the attributes "system" & "hidden"


The disabling:
I went again in safe mode, (off then boot) and renamed "mshxbh.com",
"msulwy.com" and "Services.exe". I edited the registry searching for these
filenames as well as for "Com Service" and deleted the run keys launching
"mshxbh.com". I found a new one:
HKLM\Software\Microsoft\Active Setup\Installed
Components\{42AC0312-EE51-A3CC-EA32-40AA12E6115C}
containing "StubPath=E:\Win98\System\msulwy.com". I renamed its name &
value. It will be deleted later on if necessary.
Nothing concerning "Services.exe". This looks rather strange for me because
it's never called by any key or something else.

Should I mention that I also used "HiJackThis" after the cleaning was
manually done ? It didn't reveal anything more.



Rather satisfied I turned the computer Off and rebooted in normal mode. All
the protections were SUCCESSFULLY restored.
I tested ZoneAlarm attachment filters with fake files. The ".pif" is
correctly filtered. I'll give a complete try but I lost the Internet site
address allowing to do that. I'd appreciate to get this address. I still
don't understand why this attachment went through the protection.

I'm conscious the virus is still here. I still don't know what's its name
and what its activity is.
The ways to follow:
To find the free search engines and scan again the computer
To send a copy of the infected files to some antivirus manufacturers'
sites.
To compare the dates and the CRCs of the dll files called by the virus
in order to know if they were garbaged. But where to find the correct CRCs ?
Any other proposals ?

This post was rather long. I hope it is in the policy of this group. I
really thank everybody who answered and those who will bring some help more.

Bye



This is the information of the infected files Quick View provided:

WINDOWS EXECUTABLE
32bit for Windows 95 and Windows NT

Technical File Information:

Image File Header

Signature: 00004550
Machine: Intel 386
Number of Sections: 0003
Time Date Stamp: 2a425e19
Symbols Pointer: 00000000
Number of Symbols: 00000000
Size of Optional Header 00e0
Characteristics: Relocation info stripped from file.
File is executable (i.e. no unresolved external references).
Line numbers stripped from file.
Local symbols stripped from file.
Low bytes of machine word are reversed.
32 bit word machine.
High bytes of machine word are reversed.



Image Optional Header

Magic: 010b
Linker Version: 2.25
Size of Code: 0000c000
Size of Initialized Data: 00001000
Size of Uninitialized Data: 0001b000
Address of Entry Point: 0002794f
Base of Code: 0001c000
Base of Data: 00028000
Image Base: 00400000
Section Alignment: 00001000
File Alignment: 00000200
Operating System Version: 4.00
Image Version: 0.00
Subsystem Version: 4.00
Reserved1: 00000000
Size of Image: 00029000
Size of Headers: 00001000
Checksum: 00000000
Subsystem: Image runs in the Windows GUI subsystem.
DLL Characteristics: 0000
Size of Stack Reserve: 00100000
Size of Stack Commit: 00004000
Size of Heap Reserve: 00100000
Size of Heap Commit: 00001000
Loader Flags: 00000000
Size of Data Directory: 00000010
Import Directory Virtual Address: 0002849c
Import Directory Size: 00000264
Resource Directory
Virtual Address: 00028000
Resource Directory Size: 0000049c
TLS Directory Virtual Address: 00027aa4
TLS Directory Size: 00000018




Import Table

KERNEL32.DLL
Ordinal Function Name

0000 LoadLibraryA
0000 GetProcAddress
0000 ExitProcess


advapi32.dll
Ordinal Function Name

0000 RegEnumKeyA


AVICAP32.DLL
Ordinal Function Name

0000 capCreateCaptureWindowA


gdi32.dll
Ordinal Function Name

0000 BitBlt


oleaut32.dll
Ordinal Function Name

0000 SysFreeString


URLMON.DLL
Ordinal Function Name

0000 URLDownloadToFileA


user32.dll
Ordinal Function Name

0000 GetDC


wininet.dll
Ordinal Function Name

0000 InternetCheckConnectionA


winmm.dll
Ordinal Function Name

0000 mciSendStringA


wsock32.dll
Ordinal Function Name

0000 send


Section Table

Section name: code
Virtual Size: 0001b000
Virtual Address: 00001000
Size of raw data: 00000000
Pointer to Raw Data: 00000200
Pointer to Relocations: 00000000
Pointer to Line Numbers: 00000000
Number of Relocations: 0000
Number of Line Numbers: 0000
Characteristics: Section contains initialized data
Section is readable
Section is writeable



Section name: text
Virtual Size: 0000c000
Virtual Address: 0001c000
Size of raw data: 0000bc00
Pointer to Raw Data: 00000200
Pointer to Relocations: 00000000
Pointer to Line Numbers: 00000000
Number of Relocations: 0000
Number of Line Numbers: 0000
Characteristics: Section contains initialized data
Section is readable
Section is writeable



Section name: .rsrc
Virtual Size: 00001000
Virtual Address: 00028000
Size of raw data: 00000800
Pointer to Raw Data: 0000be00
Pointer to Relocations: 00000000
Pointer to Line Numbers: 00000000
Number of Relocations: 0000
Number of Line Numbers: 0000
Characteristics: Section contains initialized data
Section is readable
Section is writeable


Header Information

Signature: 5a4d
Last Page Size: 0050
Total Pages in File: 0002
Relocation Items: 0000
Paragraphs in Header: 0004
Minimum Extra Paragraphs: 000f
Maximum Extra Paragraphs: ffff
Initial Stack Segment: 0000
Initial Stack Pointer: 00b8
Complemented Checksum: 0000
Initial Instruction Pointer: 0000
Initial Code Segment: 0000
Relocation Table Offset: 0040
Overlay Number: 001a
Reserved: 0000 0000 0000 0000
0000 0000 0000 0000
0000 0000 0000 0000
0000 0000 0000 0000
Offset to New Header: 00000080
Memory Needed: 1K

 

[Nick FitzGerald]

I'd appreciate to get additional information.
Sorry for the length!

<<snip>>

Sounds like you have done a great job so far.

Could I suggest that, to get detection of this added to virus scanners as
quickly as possible you should send all the suspect files, and a copy of
your description from your post, to your preferred antivirus developers
from the following list? I recommend that you send the samples to several
(if not all) vendors rather than just those whose product(s) you use.

Command Software <[email protected]>
Computer Associates (US) <[email protected]>
Computer Associates (Vet/EZ) <[email protected]>
DialogueScience (Dr. Web) <[email protected]>
Eset (NOD32) <[email protected]>
F-Secure Corp. <[email protected]>
Frisk Software (F-PROT) <[email protected]>
Grisoft (AVG) <[email protected]>
H+BEDV (AntiVir): <[email protected]>
Kaspersky Labs <[email protected]>
Network Associates (McAfee) <[email protected]>
Norman (NVC) <[email protected]>
Sophos Plc. <[email protected]>
Symantec (Norton) <[email protected]>
Trend Micro (PC-cillin) <[email protected]>
(Trend may only accept files from users of its products)

 

[Zantafio]

Thanks for your answer. I did sent the information to the companies you
mention.
Concerning the files, I'll send them only upon their request. I'm not so
familiar with this kind of stuff!
Thanks again

 

[Nick FitzGerald]

Thanks for your answer. I did sent the information to the companies you
mention.
Concerning the files, I'll send them only upon their request. I'm not so
familiar with this kind of stuff!

Realistically, they may not request them.

Sending them is quite OK -- that's how most AV companies get much of the
"new stuff" they add detection for anyway. You will not get in trouble
for sending malware or suspected malware to the addresses I listed --
that is primarily what those addresses are for and the folk who handle
the Email that arrives to those addresses are well trained in doing so
"safely" (in fact, most of those addresses probably have automated
processes screening incoming messages for any attachments and do at least
some of the required processing automatically).

I strongly commend you to send the files to the sample submission
addresses of the AV developers you trust.

 

[Ka Khiong Kwok]

Sorry to tag onto your Nick. With VET, there's an automated feature that
let's you submit files. It turns it around quick smart. I think Symantec's
got one too but haven't bothered with it yet.

Gonna have to start getting back into this stuff.

Regards,

Ka.

 

[Zantafio]

I did it today.

 

[Buffalo]

Great move. Good for you and probably it will be good for me also.

I did it today.

 

[Nick FitzGerald]

Great move. Good for you and probably it will be good for me also.

Yep -- as I hinted earlier in teh thread, to an "outsider" it may be quite
surprising how much stuff has detection added because of initial "from the
field" sample submissions such as this. The sooner a user who suspects
something gets it to the vendors the better for _all_.

 

[Zantafio]

Hi,
Following the different responses, I got from the sites you directed me,
The backdoor is
"Backdoor.beasty.Fami" or "Backdoor.beastdoor.202" aka "Backdoor-AMQ"
The library informations don't give exactly the same infection profile as I
had. The filenames are different and the mode the virus modified the
registry is slightly different as well.
I have probably a variant of one of above. The antivirus aren't yet updated
and I'm proposed beta signatures.

However my evening readings led me to find another file:
Windows\system\ulwy.blf. I think it's the log the virus wrote in prevision
to send it to the remote site.

Your recommendations have been widely helpful. Thanks again to all who
answered.


Now begins another story: Why didn't ZoneAlarm rename the PIF file ?