Virus source

Thread starter: Lil' Dave

Lil' Dave

It's been a long, long time. My PC succumbed to a virus. It's all been
cleaned up. For the curious, it was the generic name trojan.dropper
system32 NV virus. Common files associated were ms18_word.exe in 2
locations for example.

My question is how does one backtrack and figure out where the source of
this was?

I stumbled upon a program attempting to reside in start menu alert when I
updated from Trend Micro 2007 to 2009 per tech support. The reason for the
update was all the tech support menu was inoperational in the 2007 version.
All updates paid for through April 2010. 2007 version was up to date.
 
From: "Lil' Dave" <[email protected]>

| It's been a long, long time. My PC succumbed to a virus. It's all been
| cleaned up. For the curious, it was the generic name trojan.dropper
| system32 NV virus. Common files associated were ms18_word.exe in 2
| locations for example.

| My question is how does one backtrack and figure out where the source of
| this was?

| I stumbled upon a program attempting to reside in start menu alert when I
| updated from Trend Micro 2007 to 2009 per tech support. The reason for the
| update was all the tech support menu was inoperational in the 2007 version.
| All updates paid for through April 2010. 2007 version was up to date.
| --

| Dave


You are confused. If it is a "trojan.dropper" then it is a trojan that drops other
trojan files and is NOT a virus.

As for the source... That is VERY hard to determine. Maybe if you scan the TIF you'll
find HTML exploit code. Or maybe you have an outdated version of Sun Java or QuickTime,
etc. and you visited a web site using exploiting code that caused the dropper to be found.

What is MORE important is if you had a Trojan dropper then what other malware was dropped
(installed) into your PC?
 
David H. Lipman said:
From: "Lil' Dave" <[email protected]>

| It's been a long, long time. My PC succumbed to a virus. It's all been
| cleaned up. For the curious, it was the generic name trojan.dropper
| system32 NV virus. Common files associated were ms18_word.exe in 2
| locations for example.

| My question is how does one backtrack and figure out where the source of
| this was?

| I stumbled upon a program attempting to reside in start menu alert when I
| updated from Trend Micro 2007 to 2009 per tech support. The reason for the
| update was all the tech support menu was inoperational in the 2007 version.
| All updates paid for through April 2010. 2007 version was up to date.
| --

| Dave


You are confused. If it is a "trojan.dropper" then it is a trojan that
drops other trojan files and is NOT a virus.

As for the source... That is VERY hard to determine. Maybe if you scan
the TIF you'll find HTML exploit code. Or maybe you have an outdated
version of Sun Java or QuickTime, etc. and you visited a web site using
exploiting code that caused the dropper to be found.

What is MORE important is if you had a Trojan dropper then what other
malware was dropped (installed) into your PC?

The other symptom was a file in temp file folder of windows folder. This
file was attempting to modify the Windows Explorer Shell as to what programs
opened what files. I could block or allow from TMAV 2009. If I blocked,
another temp file of another name would attempt to do the same all over
again a few seconds later. This happened in groups of 3s if I blocked each
attempt in one windows session. Upon next boot or reboot, it all happened
all over again. The filename was consistently BN#.tmp. The "#" is a number
from 1-12.

Using TrendMicro's version of Hijackthis, I was instructed by TM support to
remove the following startup entries:
O4 - HKLM\..\Run: [ms18_word] C:\WINDOWS\system32\ms18_word.exe
O4 - HKCU\..\Run: [ms18_word] C:\Documents and Settings\Dave\ms18_word.exe
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
O4 - Startup: ikowin32.exe

I deleted those files later.

They sent me 2 other programs to sniff out more. One ran in windows
normally, Twinfix. The other, SIC 5.0, ran in windows safe mode with
network support. Only thing found was the jellybean finder on another
partition (keyfinder.exe) that I haven't used for many years.

I don't use QuickTime. Not sure if Sun version of Java is installed on this
machine. The PC is clean per TMAV (and antispyware) 2009 version.

Dave
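A worked example, added here and not part of any post in this thread: it parses the four O4 lines Dave listed (HijackThis format for Run-key and Startup-folder entries) into structured records, applies a few defender-side triage heuristics to decide which ones deserve a closer look, and hashes a file's bytes so a sample can be looked up or submitted before it is deleted. The heuristics are my own, not HijackThis logic, and the fifth sample line (ctfmon.exe) is a constructed benign entry so the triage has something to leave alone.

```python
import hashlib
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Constructed sample log: the four O4 lines quoted in the thread plus one
# made-up benign entry (ctfmon.exe) so the triage has something to leave alone.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [ms18_word] C:\WINDOWS\system32\ms18_word.exe
O4 - HKCU\..\Run: [ms18_word] C:\Documents and Settings\Dave\ms18_word.exe
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
O4 - Startup: ikowin32.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

O4_RUN = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.+?)\s*$"
)
O4_STARTUP = re.compile(r"^O4 - Startup: (?P<path>.+?)\s*$")


@dataclass
class Entry:
    hive: str                 # "HKLM", "HKCU", or "Startup" for the Startup folder
    name: str                 # registry value name ("" for Startup-folder items)
    path: str                 # command or file name exactly as HijackThis logged it
    reasons: list = field(default_factory=list)


def parse_o4(log_text: str) -> list:
    """Parse HijackThis O4 lines (Run keys and Startup folder) into Entry objects."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line)
        if m:
            entries.append(Entry(m["hive"], m["name"], m["path"]))
            continue
        m = O4_STARTUP.match(line)
        if m:
            entries.append(Entry("Startup", "", m["path"]))
    return entries


def triage(entries: list) -> list:
    """Attach plain-language reasons to entries that deserve a closer look.

    Heuristics (my own assumptions, not HijackThis logic): odd file locations,
    numeric file names, bare Startup-folder items, and the same value name
    persisted in both the machine hive and the user hive.
    """
    hives_by_name = {}
    for e in entries:
        if e.name:
            hives_by_name.setdefault(e.name.lower(), set()).add(e.hive)

    for e in entries:
        p = PureWindowsPath(e.path)
        parts = [s.lower() for s in p.parts]
        if p.stem.isdigit():
            e.reasons.append("numeric-only file name")
        if len(parts) == 3 and parts[1] == "windows":
            e.reasons.append("executable sitting directly in the Windows directory")
        if len(parts) == 4 and parts[1] == "documents and settings":
            e.reasons.append("executable sitting directly in a user profile root")
        if e.hive == "Startup" and len(parts) == 1:
            e.reasons.append("Startup-folder item logged without a full path")
        if e.name and hives_by_name[e.name.lower()] >= {"HKLM", "HKCU"}:
            e.reasons.append("same value name persisted in both HKLM and HKCU")
    return [e for e in entries if e.reasons]


def sha256_hex(data: bytes) -> str:
    """Hash a file's bytes; the hex digest is what a scanning service looks up."""
    return hashlib.sha256(data).hexdigest()


def hash_file(path: str) -> str:
    """Hash an on-disk file before it is deleted; keep the digest with your notes."""
    with open(path, "rb") as fh:
        return sha256_hex(fh.read())


if __name__ == "__main__":
    for e in triage(parse_o4(SAMPLE_O4)):
        print(f"{e.hive:8} {e.name or '-':12} {e.path}")
        for r in e.reasons:
            print(f"           - {r}")
```

Run it as-is to see the four flagged entries and their reasons; point `hash_file()` at a suspect file before removing it so the digest survives even when the file does not. The dual-hive check is the one that catches the ms18_word pair even though each path on its own looks unremarkable.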
 
Lil' Dave said:
It's been a long, long time. My PC succumbed to a virus. It's all been
cleaned up.

Wouldn't you say your subsequent posts probably make this quite
untrue, Dave?
For the curious, it was the generic name trojan.dropper
system32 NV virus. Common files associated were ms18_word.exe in 2
locations for example.

My question is how does one backtrack and figure out where the source of
this was?

I stumbled upon a program attempting to reside in start menu alert when I
updated from Trend Micro 2007 to 2009 per tech support. The reason for the
update was all the tech support menu was inoperational in the 2007 version.
All updates paid for through April 2010. 2007 version was up to date.

Try running the updated freeware version of MBAM in normal mode.
Follow-up by running the updated freeware version of SAS in the Safe
Mode. It also wouldn't hurt to run GMER.

Please post a follow-up with your results.

MBAM: <http://www.malwarebytes.org/>
SAS: <http://www.superantispyware.com/>
GMER: <http://www.gmer.net/#files>

FWIW, some might have you invest in a much better AV product than
what's in current use.

HTH

Pete
 
From: "Lil' Dave" <[email protected]>


| The other symptom was a file in temp file folder of windows folder. This
| file was attempting to modify the Windows Explorer Shell as to what programs
| opened what files. I could block or allow from TMAV 2009. If I blocked,
| another temp file of another name would attempt to do the same all over
| again a few seconds later. This happened in groups of 3s if I blocked each
| attempt in one windows session. Upon next boot or reboot, it all happened
| all over again. The filename was consistently BN#.tmp. The "#" is a number
| from 1-12.

| Using TrendMicro's version of Hijackthis, I was instructed by TM support to
| remove the following startup entries:
| O4 - HKLM\..\Run: [ms18_word] C:\WINDOWS\system32\ms18_word.exe
| O4 - HKCU\..\Run: [ms18_word] C:\Documents and Settings\Dave\ms18_word.exe
| O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
| O4 - Startup: ikowin32.exe

| I deleted those files later.

| They sent me 2 other programs to sniff out more. One ran in windows
| normally, Twinfix. The other, SIC 5.0, ran in windows safe mode with
| network support. Only thing found was the jellybean finder on another
| partition (keyfinder.exe) that I haven't used for many years.

| I don't use QuickTime. Not sure if Sun version of Java is installed on this
| machine. The PC is clean per TMAV (and antispyware) 2009 version.

| Dave


Those were only a small fraction of possible exploit vectors. Unless there are other clues,
sourcing the installation of that dropper is more than difficult.

It is too bad you deleted those files before you could submit them to VirusTotal.
 