Trojan small ayl caught by NOD but now what?


louise

I just went to a site I've never gone to before and NOD32 popped up
with a trojan warning. I quarantined it.

Then it popped up with what seemed like another trojan warning, I
terminated.

Then the process repeated itself.... should I quarantine or should
I terminate should this happen in the future?

here's the info I was able to copy from NOD - what do I do now to
be "safe" - or "safer"

Time: 10/25/2005 15:15:19 PM
Module: IMON
Object: file
Name: http://66.230.175.129/1/gdnUS2161.exe
Threat: Win32/TrojanDownloader.Small.AYL trojan
Action: Connection terminated
User: SONATA\Madeline

Time: 10/25/2005 15:20:52 PM
Module: AMON
Object: file
Name: C:\DOCUME~1\MADELINE\LOCALS~1\TEMP\zwzz4i3t.exe
Threat: Win32/TrojanDownloader.Small.AYL trojan
Action: quarantined - deleted
User: SONATA\Madeline
Information: Event occurred on a new file created by the application:
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE. The file was moved to quarantine. You
may close this window.

TIA

Louise
 

Art

> I just went to a site I've never gone to before and NOD32 popped up
> with a trojan warning. I quarantined it.
>
> Then it popped up with what seemed like another trojan warning, I
> terminated.
>
> Then the process repeated itself.... should I quarantine or should
> I terminate should this happen in the future?
>
> here's the info I was able to copy from NOD - what do I do now to
> be "safe" - or "safer"
>
> Time: 10/25/2005 15:15:19 PM
> Module: IMON
> Object: file
> Name: http://66.230.175.129/1/gdnUS2161.exe
> Threat: Win32/TrojanDownloader.Small.AYL trojan
> Action: Connection terminated
> User: SONATA\Madeline
>
> Time: 10/25/2005 15:20:52 PM
> Module: AMON
> Object: file
> Name: C:\DOCUME~1\MADELINE\LOCALS~1\TEMP\zwzz4i3t.exe
> Threat: Win32/TrojanDownloader.Small.AYL trojan
> Action: quarantined - deleted
> User: SONATA\Madeline
> Information: Event occurred on a new file created by the application:
> C:\PROGRA~1\MOZILL~1\FIREFOX.EXE. The file was moved to quarantine. You
> may close this window.

BTW, I checked that download and KAV also alerts. It's not a good idea
to post links to malicious code.

Apparently, the reason you got repeated alerts is that the malicious
file is in a temp folder. You should delete it. Do you use any kind of
temp file deletion software such as CCleaner? It's handy for things
like that.

Insofar as "being safer", the only thing I see you might do is make
sure javascript is disabled in Firefox. It shouldn't be necessary but
it might be less scary for you :)

Art

http://home.epix.net/~artnpeg
 

louise

> BTW, I checked that download and KAV also alerts. It's not a good idea
> to post links to malicious code.
>
> Apparently, the reason you got repeated alerts is that the malicious
> file is in a temp folder. You should delete it. Do you use any kind of
> temp file deletion software such as CCleaner? It's handy for things
> like that.
>
> Insofar as "being safer", the only thing I see you might do is make
> sure javascript is disabled in Firefox. It shouldn't be necessary but
> it might be less scary for you :)
>
> Art
>
> http://home.epix.net/~artnpeg

Thanks - I didn't think about posting the link - it came up with
the NOD report and I didn't realize it.

I will run CCleaner now - I do have it.

I also ran NOD in safe mode just now and it seems ok.

Should I have terminated rather than first chosen to quarantine?

Louise
 

Art

> Thanks - I didn't think about posting the link - it came up with
> the NOD report and I didn't realize it.

No problem. I managed to do it again when I copied your post :)

> I will run CCleaner now - I do have it.
>
> I also ran NOD in safe mode just now and it seems ok.
>
> Should I have terminated rather than first chosen to quarantine?

I don't use NOD so I have to guess what it means or you mean by
"terminated" in this context. Usually, you can choose to delete,
quarantine or ignore Trojan detections. You would quarantine if you
were interested in scanning with other av to check for a false
positive.

I don't understand "terminate" in this case since it wasn't a running
process, presumably. Is "terminate" actually the word NOD used?

Art

http://home.epix.net/~artnpeg
 

louise

> No problem. I managed to do it again when I copied your post :)
>
> I don't use NOD so I have to guess what it means or you mean by
> "terminated" in this context. Usually, you can choose to delete,
> quarantine or ignore Trojan detections. You would quarantine if you
> were interested in scanning with other av to check for a false
> positive.
>
> I don't understand "terminate" in this case since it wasn't a running
> process, presumably. Is "terminate" actually the word NOD used?
>
> Art
>
> http://home.epix.net/~artnpeg

Thanks for your help.

The NOD help file says:
"HTTP check
If a threat is picked up by IMON's HTTP scanner, the following
actions are available:

Terminate - Terminates the connection so that the threat is stopped
before it could make it to the disk and get executed

Close - Closes the alert window without taking any further action."

But in my case the threat was picked up through HTTP check (the
Internet Monitor) and also through the file system monitor.
Apparently the file system monitor offered quarantine whereas the
internet monitor offered "terminate".

I now understand I'd have been wiser to just terminate or delete or
get fully rid of it as fast as possible.

NOD came up clean running from safe mode after the fact.
I also have the free Bitdefender on my system for on-demand
scanning and I'll run that later tonight to be as sure as possible.

This is my first experience with anything other than an email
virus.

Or maybe it's my second experience.... I got involved in all of this
much more intensely after I lost my whole disk a few months ago to
an unknown ailment :). I was running Norton AV, Sygate and a
Linksys router at the time it happened and the problem might have
been the result of a minor power failure - but I don't know.
Seagate Seatools said the NTFS file system was damaged.

Fortunately I had full data backups available. I ended up with a
new hard drive and reinstalled everything from scratch - including
all my customizations - it was pretty traumatic although recovery
was 100%.

Louise
 

Art

> Thanks for your help.
>
> the NOD help file says:
> "HTTP check
> If a threat is picked up by IMON's HTTP scanner, the following
> actions are available:
>
> Terminate - Terminates the connection so that the threat is stopped
> before it could make it to the disk and get executed

Ah. Ok. Clears that up :)

> Close - Closes the alert window without taking any further action."
>
> But in my case the threat was picked up through HTTP check (the
> Internet Monitor) and also through the file system monitor.
> Apparently the file system monitor offered quarantine whereas the
> internet monitor offered "terminate".
>
> I now understand I'd have been wiser to just terminate or delete or
> get fully rid of it as fast as possible.

Yes.

> NOD came up clean running from safe mode after the fact.
> I also have the free Bitdefender on my system for on-demand
> scanning and I'll run that later tonight to be as sure as possible.
>
> This is my first experience with anything other than an email
> virus.
>
> Or maybe its my second experience....I got involved in all of this
> much more intensely after I lost my whole disk a few months ago to
> an unknown ailment :). I was running Norton AV, Sygate and a
> Linksys router at the time it happened and the problem might have
> been the result of a minor power failure - but I don't know.
> Seagate Seatools said the NTFS file system was damaged.
>
> Fortunately I had full data backups available. I ended up with a
> new hard drive and reinstalled everything from scratch - including
> all my customizations - it was pretty traumatic although recovery
> was 100%.

I happen to be the sys admin for my wife's PC. She's into genealogy
research. If she ever loses her valuable data, I'm dead meat :)

I gradually evolved a backup approach we're both happy with. One of
the things I learned the hard way is to not trust storing data in
email folders. Both Pegasus and Moz email gave us a lot of grief
by losing her complex folder arrangements. So now she Saves
as text anything of value in a special disk folder system I created.

We also have two forms of backup to spare hard drives. One drive is
used for daily data backup. Another drive sits on a shelf. It's a
fully cloned bootable drive that can be used in the event of a
disaster such as a failed drive.

She runs without using any realtime av just as I do, and neither one
of us ever has any malware or spyware problems. I often wonder
what people are doing wrong to take hits. In that vein, I'd really
be interested to take a look at the url, if you have it, of the
originating web site that led to the download of the recent Trojan
to your temp folder. Since you're apparently using Firefox, you
shouldn't be experiencing any problems. You most likely wouldn't
have had any problem without the NOD monitors active and just scaring
the hell out of you. I'm assuming you know enough to be internet
port protected, one way or another. And I'm assuming you know
enough to be careful with downloads.

Art

http://home.epix.net/~artnpeg
 

Virus Guy


The file is small (11.6 kb).

Virus total finds nothing. Moosoft's "The Cleaner" finds nothing.

No threat found by any AV software (including NOD).

It looks like a dialer.

Inside the file, I find the following text fragments:

---------------
www.dialerplatform.com

http://crl.thawte.com/ThawteCodeSigningCA.crl02
http://ocsp.thawte.com
(e-mail address removed)

PrivateLabel2-1440
Secure Application Development
Nevis
Charlestown

Thawte Consulting (Pty) Ltd.
Thawte Code Signing CA

Advanced Browsing Technologies. International Charges Apply after
clicking Yes, otherwise press cancel. Minors and persons under age of
18 are not allowed to continue.

----------------

Some additional info:

Domain Name: DIALERPLATFORM.COM (66.230.140.69)

Registrant:
Global Acces S.L.
Edifici Font 1-4a
La Cortinada, Ordino AD300
+376.376710
Fax:+376.849103

Administrative Contact:
Tavassi, Gaetano (e-mail address removed)
Viale dei Garofani 10
V Coppola Pinetamare, Caserta 81030
IT
+39.0815095325
Fax:+39.0815097895

Technical Contact:
Abdul-Hameed, Omar (e-mail address removed)
Edifici Font 1-4a
La Cortinada, Ordino AD300
AD
+376.376710
Fax:+376.849103

Record last updated 12-15-2003 03:59:57 PM
Record expires on 03-08-2006
Record created on 03-08-2002

--------

Google (web) search for "DIALERPLATFORM.COM" turns up nothing.
Absolutely nothing.

Google group search (usenet) for "DIALERPLATFORM.COM" turns up 48 hits
in NANAS.

nslookup on www.DIALERPLATFORM.COM returns (strangely) 127.0.0.1 -
because it's in my hosts file:

127.0.0.1 www.dialerplatform.com #[Trojan.Ibiza]

nslookup on DIALERPLATFORM.COM comes back with 66.230.140.69

There is an active web-site at that IP. It is hosted by:

OrgName: oXeo Networks
OrgID: OXEONE
Address: 90 admiralty loop
City: staten island
StateProv: NY
PostalCode: 10309
Country: US

NetRange: 66.230.140.64 - 66.230.140.95
CIDR: 66.230.140.64/27
NetName: OXEO-66-230-140-64
NetHandle: NET-66-230-140-64-1
Parent: NET-66-230-128-0-1
NetType: Reassigned
Comment:
RegDate: 2002-06-22
Updated: 2002-06-22

TechHandle: NA335-ARIN
TechName: Admin, Netblock
TechPhone: +1-866-275-6936
TechEmail: (e-mail address removed)

-------------------

The IP in the original URL (66.230.175.129) comes back as:

OrgName: Phantographics LLC
OrgID: PHANT-1
Address: 148 Clarence St
City: Sydney
PostalCode: NSW 2000
Country: AU

NetRange: 66.230.175.0 - 66.230.175.255
CIDR: 66.230.175.0/24
NetName: NCAT-2
NetHandle: NET-66-230-175-0-1
Parent: NET-66-230-128-0-1
NetType: Reassigned
NameServer: NS1.EASYXHOST.COM
NameServer: NS2.EASYXHOST.COM
Comment:
RegDate: 2004-06-04
Updated: 2004-06-04

OrgTechHandle: DBA62-ARIN
OrgTechName: Balyukov, Dmitriy
OrgTechPhone: 38-050-6226676
OrgTechEmail: (e-mail address removed)
 

David H. Lipman

From: "Virus Guy" <[email protected]>

||
| The file is small (11.6 kb).
|
| Virus total finds nothing. Moosoft's "The Cleaner" finds nothing.

< snip >

What do you mean Virus Total finds nothing ?

AntiVir 6.32.0.6 10.25.2005 TR/Dldr.Small.ayl.0
Avira 6.32.0.6 10.25.2005 TR/Dldr.Small.ayl.0
BitDefender 7.2 10.25.2005 Trojan.Dialer.GlobalAcces
CAT-QuickHeal 8.00 10.25.2005 (Suspicious) - DNAScan
Fortinet 2.48.0.0 10.26.2005 Dial/269.A
Kaspersky 4.0.2.24 10.24.2005 Trojan-Downloader.Win32.Small.ayl
McAfee 4612 10.25.2005 potentially unwanted program Dialer-269
NOD32v2 1.1265 10.25.2005 Win32/TrojanDownloader.Small.AYL
Norman 5.70.10 10.25.2005 W32/Downloader
Panda 8.02.00 10.25.2005 Dialer.NO
VBA32 3.10.4 10.24.2005 Trojan-Downloader.Win32.Small.ayl

Plus...
Ewido -- TrojanDownloader.Small.ayl
 

Virus Guy

David H. Lipman said:
What do you mean Virus Total finds nothing ?

We are talking about this one, right?

http://66.230.175.129/1/gdnUS2161.exe

Funny. I used netscape 4.79 to download that file, then used IE to
submit it to VirusTotal. I got nothing at the time, and I submitted
it again, and again it came up with "no virus found" across the board.

Then I downloaded it with IE, and saved it to gdnUS2162.exe.

They are slightly different sizes:

gdnUS2161.exe 11,617 bytes (8:16 pm)
gdnUS2162.exe 11,568 bytes (9:27 pm)

I submitted gdnUS2162.exe to VirusTotal and got this:

---------

This is a report processed by VirusTotal on 10/26/2005 at 03:28:41
(CET) after scanning the file "gdnUS2162.exe" file.

Antivirus Version Update Result

AntiVir 6.32.0.6 10.25.2005 TR/Dldr.Small.ayl.0
Avast 4.6.695.0 10.25.2005 no virus found
AVG 718 10.24.2005 no virus found
Avira 6.32.0.6 10.25.2005 TR/Dldr.Small.ayl.0
BitDefender 7.2 10.25.2005 Trojan.Dialer.GlobalAcces
CAT-QuickHeal 8.00 10.25.2005 (Suspicious) - DNAScan
ClamAV devel-20050917 10.25.2005 Dialer-306
DrWeb 4.32b 10.23.2005 no virus found
eTrust-Iris 7.1.194.0 10.26.2005 no virus found
eTrust-Vet 11.9.1.0 10.25.2005 no virus found
Fortinet 2.48.0.0 10.26.2005 Dial/269.A
F-Prot 3.16c 10.24.2005 no virus found
Ikarus 0.2.59.0 10.25.2005 no virus found
Kaspersky 4.0.2.24 10.24.2005 Trojan-Downloader.Win32.Small.ayl
McAfee 4612 10.25.2005 potentially unwanted program
Dialer-269
NOD32v2 1.1265 10.25.2005 Win32/TrojanDownloader.Small.AYL
Norman 5.70.10 10.25.2005 W32/Downloader
Panda 8.02.00 10.25.2005 Dialer.NO
Sophos 3.98.0 10.26.2005 no virus found
Symantec 8.0 10.25.2005 no virus found
TheHacker 5.8.4.128 10.25.2005 no virus found
VBA32 3.10.4 10.24.2005 Trojan-Downloader.Win32.Small.ayl

Any ideas?
 

David H. Lipman

From: "Virus Guy" <[email protected]>

| "David H. Lipman" wrote:
||
| We are talking about this one, right?
|
| http://66.230.175.129/1/gdnUS2161.exe
|
| Funny. I used netscape 4.79 to download that file, then used IE to
| submit it to VirusTotal. I got nothing at the time, and I submitted
| it again, and again it came up with "no virus found" across the board.
|
| Then I downloaded it with IE, and saved it to gdnUS2162.exe.
|
| They are slightly different sizes:
|
| gdnUS2161.exe 11,617 bytes (8:16 pm)
| gdnUS2162.exe 11,568 bytes (9:27 pm)
|
| I submitted gdnUS2162.exe to VirusTotal and got this:
|
| ---------
|

< snip >

|
| Any ideas?

Interesting...

I downloaded it with FireFox, IE6 SP1 and Opera.

OP-gdnUS2161.exe - Opera
MOZ-gdnUS2161.exe - FireFox
gdnUS2161.exe - IE6

All files are the same size, all the same results received from Virus Total.
 

louise

> Ah. Ok. Clears that up :)

I cannot retrace to the original site as it seems to be missing
from my history. The only thing I know is that it came from a
search done in Vivisimo for certain kind of medication. I went
back to Vivisimo but I don't recognize the items that are coming up
as a response to my search now.

Interestingly enough, we use very similar backup techniques. I
back up every night to an external hard drive using Retrospect
Professional. And, once every week or two I do a full image
backup using Ghost to a different external hard drive. I too save
important e-mails as text files.

You're probably correct in saying that Nod scared the hell out of
me -- but at least I know it works!

Louise
 

Art

> We are talking about this one, right?
>
> http://66.230.175.129/1/gdnUS2161.exe
>
> Funny. I used netscape 4.79 to download that file, then used IE to
> submit it to VirusTotal. I got nothing at the time, and I submitted
> it again, and again it came up with "no virus found" across the board.
>
> Then I downloaded it with IE, and saved it to gdnUS2162.exe.
>
> They are slightly different sizes:
>
> gdnUS2161.exe 11,617 bytes (8:16 pm)
> gdnUS2162.exe 11,568 bytes (9:27 pm)
>
> I submitted gdnUS2162.exe to VirusTotal and got this:
>
> <snip results>

Nutscrape 4.79 eh? Should have been scrapped years ago :)

Art

http://home.epix.net/~artnpeg
 

louise

> The file is small (11.6 kb).
>
> Virus total finds nothing. Moosoft's "The Cleaner" finds nothing.
>
> No threat found by any AV software (including NOD).
>
> It looks like a dialer.
>
> Inside the file, I find the following text fragments:
>
> ---------------
> www.dialerplatform.com
>
> http://crl.thawte.com/ThawteCodeSigningCA.crl02
> http://ocsp.thawte.com
> (e-mail address removed)
>
> PrivateLabel2-1440
> Secure Application Development
> Nevis
> Charlestown
>
> Thawte Consulting (Pty) Ltd.
> Thawte Code Signing CA
>
> Advanced Browsing Technologies. International Charges Apply after
> clicking Yes, otherwise press cancel. Minors and persons under age of
> 18 are not allowed to continue.
>
> ----------------
>
> Some additional info:
>
> Domain Name: DIALERPLATFORM.COM (66.230.140.69)
>
> Registrant:
> Global Acces S.L.
> Edifici Font 1-4a
> La Cortinada, Ordino AD300
> +376.376710
> Fax:+376.849103
>
> Administrative Contact:
> Tavassi, Gaetano (e-mail address removed)
> Viale dei Garofani 10
> V Coppola Pinetamare, Caserta 81030
> IT

What is a "dialer"?

Louise
 

David H. Lipman

From: "louise" <[email protected]>


| What is a "dialer"?
|
| Louise

Software that will use a dial-up modem to call a 900 number or other toll call to rack up
a big phone bill.
 

Norman L. DeForest

> We are talking about this one, right?
>
> http://66.230.175.129/1/gdnUS2161.exe
>
> Funny. I used netscape 4.79 to download that file, then used IE to
> submit it to VirusTotal. I got nothing at the time, and I submitted
> it again, and again it came up with "no virus found" across the board.
>
> Then I downloaded it with IE, and saved it to gdnUS2162.exe.
>
> They are slightly different sizes:
>
> gdnUS2161.exe 11,617 bytes (8:16 pm)
> gdnUS2162.exe 11,568 bytes (9:27 pm)
>
> I submitted gdnUS2162.exe to VirusTotal and got this:

[snip lots of recognition this time]

> Any ideas?

<guess type="wild">

Could the server have sent the wrong file type the first time
and the download occurred in ASCII mode instead of binary and
"newlines" got converted -- with LF (linefeed) getting changed
to CRLF (carriage-return/linefeed pair) in the process?
(49 of them in this case.)

</guess>

The Links browser version 0.8 had this problem when downloading binary
files. It converted what it assumed were newlines, corrupting the binary
file in the process. Version 0.9.3 doesn't have that problem.
 

Virus Guy

It's even different again today with NetScape.

> <guess type="wild">
>
> Could the server have sent the wrong file type the first time
> and the download occurred in ASCII mode instead of binary and
> "newlines" got converted -- with LF (linefeed) getting changed
> to CRLF (carriage-return/linefeed pair) in the process?
> (49 of them in this case.)

That appears to be it.

The value 13 (decimal) is being inserted before every value 10
wherever the value 10 is found - even if there is already a byte
with the value 13 preceding it.

Note also this:

If you look at the file list above, you will see that a new attempt to
download the file with NetScape results in a file with a new length -
11620 bytes (3 more bytes than the previous 2 downloads using
NetScape). I then downloaded it again with IE, and got the same
file-length as last time with IE (11568). However, it does not
compare exactly with the previous IE download from 9:27 pm 10/25 (at
least 10 mis-matches: 2 starting at byte offset 128, and then the rest
starting at byte offset 400). It appears to be code there - no
readable text at those locations.

Virus Total scans the new file with the same results as before (some
find a dialer, some find nothing).

When you right-click it, and look at properties (Digital Signatures
tab) it says:

NAME: DialerPlatform Limited

!?

> The Links browser version 0.8 had this problem when
> downloading binary files. It converted what it assumed
> were newlines, corrupting the binary file in the process.

Netscape 4.79 must do this too.
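Norman's ASCII-mode guess and Virus Guy's byte-level confirmation above describe a transfer artifact that changes a sample's size and hash without changing the malware, which is enough to make a hash-keyed scanner report "no virus found" for one copy and a full set of detections for another. The following Python is added here as an example and is not code from the thread; it reproduces that CR-before-every-LF translation on a constructed sample (the bytes and function names are my own, not the thread's file) and classifies a second download as identical, newline-translated, or genuinely different, the last being what the shifting IE downloads at offsets 128 and 400 would look like.

```python
import hashlib

LF, CRLF = b"\n", b"\r\n"


def ascii_mode_translate(data: bytes) -> bytes:
    """Reproduce the corruption described in the thread: a CR (0x0D) is
    inserted before every LF (0x0A), even when a CR already precedes it,
    so the file grows by exactly the number of LF bytes it contains."""
    return data.replace(LF, CRLF)


def undo_translation(data: bytes) -> bytes:
    """Exact inverse of ascii_mode_translate: drop one CR before each LF.
    Apply it only to a copy you already believe was translated; on an
    untouched binary it would strip legitimate CRLF sequences."""
    return data.replace(CRLF, LF)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_offsets(a: bytes, b: bytes, limit: int = 10) -> list:
    """First `limit` byte offsets where two equal-length buffers differ:
    the check that separates "same file, mangled in transfer" from
    "the server handed out a genuinely different build"."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y][:limit]


def compare_downloads(reference: bytes, suspect: bytes) -> dict:
    """Classify `suspect` against `reference` as identical,
    newline_translated or different, and report the evidence: the LF
    count of the reference (the growth a translation would cause), the
    observed size delta, mismatching offsets when lengths agree, and
    both SHA-256 digests (what a hash-keyed scanner cache actually sees)."""
    if suspect == reference:
        verdict = "identical"
    elif suspect == ascii_mode_translate(reference):
        verdict = "newline_translated"
    else:
        verdict = "different"
    same_len = len(reference) == len(suspect)
    return {
        "verdict": verdict,
        "lf_count": reference.count(LF),
        "observed_delta": len(suspect) - len(reference),
        "mismatch_offsets": diff_offsets(reference, suspect) if same_len else [],
        "reference_sha256": sha256_hex(reference),
        "suspect_sha256": sha256_hex(suspect),
    }


# Constructed sample "binary" (not a real executable and not the thread's
# file): a fake header, every byte value 0..31 (which includes one 0x0A and
# one 0x0D), an existing CRLF, a bare LF and a short text tail: 4 LFs total.
SAMPLE_GOOD = b"MZ\x90\x00" + bytes(range(32)) + CRLF + LF + b"text\n"

if __name__ == "__main__":
    mangled = ascii_mode_translate(SAMPLE_GOOD)
    print(compare_downloads(SAMPLE_GOOD, mangled))  # newline_translated, delta 4
    # The thread's numbers fit the same rule: 11617 - 11568 == 49 LF bytes.
```

Comparing hashes before submitting a sample is the cheap way to notice that two scanner reports are about two different byte strings, not two opinions about one file.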
 

Norman L. DeForest

> It's even different again today with NetScape.
>
> That appears to be it.
>
> The value 13 (decimal) is being inserted before every value 10
> where-ever the value 10 is found - even if there is already a byte
> with the value 13 preceeding it.

[snip]

I love it when one of my "wild" guesses turns out to be domesticated! :)

Norman "wondering why supermarkets don't keep their
``Wild Bird Seed'' behind bars" De Forest
 
