WSHIRDA.EXE Trojan horse Downloader.Small.6.T


DesignGuy

My AVG Anti-Virus detected a virus this morning:
C:\WINNT\SYSTEM32\WSHIRDA.EXE Trojan horse Downloader.Small.6.T

Note that there is a legitimate file called wshirda.dll, which is supposed
to be there. There is not supposed to be a wshirda.exe, and I'm sure the
trojan writer is depending on the confusion. The date on the wshirda.exe
file was close to the date on wshirda.dll (2001 as I recall).

It apparently tries to reach an outside server at search.requestlookup.net
according to Sygate Personal Firewall:

2340252 06/03/2004 10:03:53 Blocked 3 Outgoing TCP search.requestlookup.net [206.58.237.248] 00-0C-41-3D-F8-16 80 192.168.1.101 00-E0-29-5D-53-25 4666 C:\WINNT\system32\wshirda.exe Administrator CT876441-A Normal 1 06/03/2004 10:04:01 06/03/2004 10:04:01 Ask all running apps

2340253 06/03/2004 10:03:58 Blocked 3 Outgoing TCP search.requestlookup.net [206.58.237.248] 00-0C-41-3D-F8-16 80 192.168.1.101 00-E0-29-5D-53-25 4666 C:\WINNT\system32\wshirda.exe Administrator CT876441-A Normal 1 06/03/2004 10:04:04 06/03/2004 10:04:04 Ask all running apps

2340256 06/03/2004 10:04:03 Blocked 3 Outgoing TCP search.requestlookup.net [206.58.237.248] 00-0C-41-3D-F8-16 80 192.168.1.101 00-E0-29-5D-53-25 4666 C:\WINNT\system32\wshirda.exe Administrator CT876441-A Normal 1 06/03/2004 10:04:10 06/03/2004 10:04:10 Ask all running apps

2340261 06/03/2004 10:05:56 Blocked 3 Outgoing TCP search.requestlookup.net [206.58.237.248] 00-0C-41-3D-F8-16 80 192.168.1.101 00-E0-29-5D-53-25 4673 C:\WINNT\system32\wshirda.exe Administrator CT876441-A Normal 1 06/03/2004 10:06:03 06/03/2004 10:06:03 Ask all running apps

2340262 06/03/2004 10:06:01 Blocked 3 Outgoing TCP search.requestlookup.net [206.58.237.248] 00-0C-41-3D-F8-16 80 192.168.1.101 00-E0-29-5D-53-25 4673 C:\WINNT\system32\wshirda.exe Administrator CT876441-A Normal 1 06/03/2004 10:06:06 06/03/2004 10:06:06 Ask all running apps

2340263 06/03/2004 10:06:06 Blocked 3 Outgoing TCP search.requestlookup.net [206.58.237.248] 00-0C-41-3D-F8-16 80 192.168.1.101 00-E0-29-5D-53-25 4673 C:\WINNT\system32\wshirda.exe Administrator CT876441-A Normal 1 06/03/2004 10:06:12 06/03/2004 10:06:12 Ask all running apps

I'm not sure how long this virus was in place. My last ghost image was May
21st, and wshirda.exe was not in that file (which is how I knew it wasn't
supposed to be there).

There are similar usenet threads dealing with a virus in Moricons.exe (vs.
the legitimate .dll):
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&c2coff=1&q=requestlookup.net
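The Sygate records above, parsed and grouped by application so that the repeated blocked outbound attempts and the .exe-named-after-a-legitimate-.dll trick DesignGuy describes stand out, as an added Python example that is not part of the original thread. The list of legitimate DLL base names and the "Allowed" record are constructed; the two "Blocked" records are copied from the post, each joined onto a single line.

```python
import re
from collections import defaultdict

# One Sygate Personal Firewall traffic-log record per line, as pasted in the post.
# Fields captured: id date time action severity direction proto rhost [rip] rmac
# rport lip lmac lport app user host; the trailing fields are ignored.
SYGATE_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<action>\S+)\s+"
    r"(?P<severity>\d+)\s+(?P<direction>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<rhost>\S+)\s+\[(?P<rip>[\d.]+)\]\s+(?P<rmac>\S+)\s+(?P<rport>\d+)\s+"
    r"(?P<lip>[\d.]+)\s+(?P<lmac>\S+)\s+(?P<lport>\d+)\s+"
    r"(?P<app>[A-Za-z]:\\\S+)\s+(?P<user>\S+)\s+(?P<host>\S+)"
)

# Constructed: base names of DLLs that legitimately live in system32 and that the
# thread says were shadowed by a same-named .exe (wshirda, moricons).
KNOWN_DLLS = {"wshirda", "moricons"}

def parse_sygate(line):
    """Return the record's fields as a dict, or None if the line is not a record."""
    m = SYGATE_RE.match(line.strip())
    return m.groupdict() if m else None

def looks_like_dll_shadow(app_path, known_dlls):
    """True when an .exe reuses the base name of a known DLL (wshirda.exe vs wshirda.dll)."""
    stem, _, ext = app_path.rsplit("\\", 1)[-1].lower().rpartition(".")
    return ext == "exe" and stem in known_dlls

def blocked_outbound(lines, known_dlls):
    """Group blocked outgoing connections by application and flag shadowing names."""
    hits = defaultdict(lambda: {"count": 0, "remotes": set(), "dll_shadow": False})
    for line in lines:
        rec = parse_sygate(line)
        if not rec or rec["action"] != "Blocked" or rec["direction"] != "Outgoing":
            continue
        entry = hits[rec["app"].lower()]
        entry["count"] += 1
        entry["remotes"].add((rec["rhost"], rec["rip"], int(rec["rport"])))
        entry["dll_shadow"] = looks_like_dll_shadow(rec["app"], known_dlls)
    return dict(hits)

# Two records from the post (joined onto one line each) plus one constructed,
# allowed record to show that non-blocked traffic is filtered out.
SAMPLE_LOG = [
    r"2340252 06/03/2004 10:03:53 Blocked 3 Outgoing TCP search.requestlookup.net [206.58.237.248] 00-0C-41-3D-F8-16 80 192.168.1.101 00-E0-29-5D-53-25 4666 C:\WINNT\system32\wshirda.exe Administrator CT876441-A Normal 1 06/03/2004 10:04:01 06/03/2004 10:04:01 Ask all running apps",
    r"2340261 06/03/2004 10:05:56 Blocked 3 Outgoing TCP search.requestlookup.net [206.58.237.248] 00-0C-41-3D-F8-16 80 192.168.1.101 00-E0-29-5D-53-25 4673 C:\WINNT\system32\wshirda.exe Administrator CT876441-A Normal 1 06/03/2004 10:06:03 06/03/2004 10:06:03 Ask all running apps",
    r"2340270 06/03/2004 10:07:00 Allowed 0 Outgoing TCP www.example.com [192.0.2.10] 00-0C-41-3D-F8-16 80 192.168.1.101 00-E0-29-5D-53-25 4680 C:\WINNT\system32\svchost.exe Administrator CT876441-A Normal 1 06/03/2004 10:07:02 06/03/2004 10:07:02 Ask all running apps",
]
```

Calling `blocked_outbound(SAMPLE_LOG, KNOWN_DLLS)` returns one entry, for wshirda.exe, with two blocked attempts to search.requestlookup.net on port 80 and `dll_shadow` set.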
 

> My AVG Anti-Virus detected a virus this morning:
> C:\WINNT\SYSTEM32\WSHIRDA.EXE Trojan horse Downloader.Small.6.T
>
> Note that there is a legitimate file called wshirda.dll, which is supposed
> to be there. There is not supposed to be a wshirda.exe, and I'm sure the
> trojan writer is depending on the confusion. The date on the wshirda.exe
> file was close to the date on wshirda.dll (2001 as I recall)
>
> It apparently tries to reach an outside server at search.requestlookup.net
> according to Sygate Personal Firewall:

Upload the .exe file for av scanning here:

http://www.kaspersky.com/remoteviruschk.html

See what KAV calls it. We might be able to track down a description.
Project VGREP doesn't list the particular variant AVG identifies.


Art
http://www.epix.net/~artnpeg