Strange virus/trojan not detected

External Since: Oct 22, 2003 Posts: 9

I didn't get any answer to this message nor it appeared within my message
list.
Probably lost.

I'd appreciate to get additional information.
Sorry for the length!

After the first post I performed Internet scans with TrojanScan and
Symantec.
They didn't ring on the infected files.
____________________________________________________

I finally restored my computer defences. At least I hope so ! The
virus-trojan-worm (?) is probably still present but doesn't appear active
anylonger.

Its actions:
It disabled Zone Alarm, VirusScan when launched, TC-Active and T-C Monitor,
The Cleaner (scaning machine on demand), The Windows System File Compare
(SFC), every attempt done with scan engines.

It didn't stop the functioning of "Ad-Aware 6" (free), dedicated virus
removers as "fixSbigF;exe, "stinger.exe", "The cleaner" launched from the
network server, even under normal sessions of Windows. I didn't try
VirusScan from the server.

Its activity/detection:
It wasn't active under the safe mode (probably because it was loaded by the
run keys).
Neither detected by "The cleaner", nor "stinger", "fixSbigF", "VirusScan"
unless the heuristics scanning was selected. In that case only the
"image023.pif" was recognized to contain "NewBackdoor1".
Later on I applied VirusScan to the other files without positive result,
even in heuristics mode.

Its system installation:
There were three "Com Service = "Wins98\command\" " entries in the registry
Run keys (HKCU, HKLM, and HKUD\Software\Microsoft\Windows\Current
version\Run) pointinh to E:\Win98\command\mshxbh.com.

This NewsGroup gave me the idea to look for strange file names with the same
date as the two known files (image023.pif and mshxbh.com).
I found two other occurrences: Win98\services.exe and
Win98\System\msulwy.com. They've exactly the same date (05.05.99 22:22)
identical to the Windows file's date and the same length (54 048bytes) and
the same contents (with Quick view). These characteristics also apply to
"image023.pif".
The characteristics of the four infected files follow here-below in case
this could bring some information more.
The three files have the attributes "system" & "hidden"

The disabling:
I went again in safe mode, (off then boot) and renamed "mshxbh.com",
"msulwy.com" and "Services.exe". I edited the registry searching for these
filenames as well as for "Com Service" and deleted the run keys launching
"mshxbh.com". I found a new one:
HKLM\Software\Microsoft\Active Setup\Installed
Components\{42AC0312-EE51-A3CC-EA32-40AA12E6115C}
containing "StubPath=E:\Win98\System\msulwy.com". I renamed its name &
value. It will be deleted later on if necessary.
Nothing concerning "Services.exe". This looks rather strange for me because
it's never called by any key or something else.

Should I mention that I also used "HiJackThis" after the cleaning was
manually done ? It didn't reveal anything more.

Rather satisfied I turned the computer Off and rebooted in normal mode. All
the protections were SUCCESSFULLY restored.
I tested ZoneAlarm attachment filters with fake files. The ".pif" is
correctly filtered. I'll give a complete try but I lost the Internet site
address allowing to do that. I'd appreciate to get this address. I still
don't understand why this attachment went through the protection.

I'm conscious the virus is still here. I still don't know what's its name
and what its activity is.
The ways to follow:
To find the free search engines and scan again the computer
To send a copy of the infected files to some antivirus manufacturers'
sites.
To compare the dates and the CRCs of the dll files called by the virus
in order to know if they were garbaged. But where to find the correct CRCs ?
Any other proposals ?

This post was rather long. I hope it is in the policy of this group. I
really thank everybody who answered and those who will bring some help more.

Bye

This is the information of the infected files Quick View provided:

WINDOWS EXECUTABLE
32bit for Windows 95 and Windows NT

Technical File Information:

Image File Header

Signature: 00004550
Machine: Intel 386
Number of Sections: 0003
Time Date Stamp: 2a425e19
Symbols Pointer: 00000000
Number of Symbols: 00000000
Size of Optional Header 00e0
Characteristics: Relocation info stripped from file.
File is executable (i.e. no unresolved external references).
Line numbers stripped from file.
Local symbols stripped from file.
Low bytes of machine word are reversed.
32 bit word machine.
High bytes of machine word are reversed.

Image Optional Header

Magic: 010b
Linker Version: 2.25
Size of Code: 0000c000
Size of Initialized Data: 00001000
Size of Uninitialized Data: 0001b000
Address of Entry Point: 0002794f
Base of Code: 0001c000
Base of Data: 00028000
Image Base: 00400000
Section Alignment: 00001000
File Alignment: 00000200
Operating System Version: 4.00
Image Version: 0.00
Subsystem Version: 4.00
Reserved1: 00000000
Size of Image: 00029000
Size of Headers: 00001000
Checksum: 00000000
Subsystem: Image runs in the Windows GUI subsystem.
DLL Characteristics: 0000
Size of Stack Reserve: 00100000
Size of Stack Commit: 00004000
Size of Heap Reserve: 00100000
Size of Heap Commit: 00001000
Loader Flags: 00000000
Size of Data Directory: 00000010
Import Directory Virtual Address: 0002849c
Import Directory Size: 00000264
Resource Directory
Virtual Address: 00028000
Resource Directory Size: 0000049c
TLS Directory Virtual Address: 00027aa4
TLS Directory Size: 00000018

Import Table

KERNEL32.DLL
Ordinal Function Name

0000 LoadLibraryA
0000 GetProcAddress
0000 ExitProcess

advapi32.dll
Ordinal Function Name

0000 RegEnumKeyA

AVICAP32.DLL
Ordinal Function Name

0000 capCreateCaptureWindowA

gdi32.dll
Ordinal Function Name

0000 BitBlt

oleaut32.dll
Ordinal Function Name

0000 SysFreeString

URLMON.DLL
Ordinal Function Name

0000 URLDownloadToFileA

user32.dll
Ordinal Function Name

0000 GetDC

wininet.dll
Ordinal Function Name

0000 InternetCheckConnectionA

winmm.dll
Ordinal Function Name

0000 mciSendStringA

wsock32.dll
Ordinal Function Name

0000 send

Section Table

Section name: code
Virtual Size: 0001b000
Virtual Address: 00001000
Size of raw data: 00000000
Pointer to Raw Data: 00000200
Pointer to Relocations: 00000000
Pointer to Line Numbers: 00000000
Number of Relocations: 0000
Number of Line Numbers: 0000
Characteristics: Section contains initialized data
Section is readable
Section is writeable

Section name: text
Virtual Size: 0000c000
Virtual Address: 0001c000
Size of raw data: 0000bc00
Pointer to Raw Data: 00000200
Pointer to Relocations: 00000000
Pointer to Line Numbers: 00000000
Number of Relocations: 0000
Number of Line Numbers: 0000
Characteristics: Section contains initialized data
Section is readable
Section is writeable

Section name: .rsrc
Virtual Size: 00001000
Virtual Address: 00028000
Size of raw data: 00000800
Pointer to Raw Data: 0000be00
Pointer to Relocations: 00000000
Pointer to Line Numbers: 00000000
Number of Relocations: 0000
Number of Line Numbers: 0000
Characteristics: Section contains initialized data
Section is readable
Section is writeable

Header Information

Signature: 5a4d
Last Page Size: 0050
Total Pages in File: 0002
Relocation Items: 0000
Paragraphs in Header: 0004
Minimum Extra Paragraphs: 000f
Maximum Extra Paragraphs: ffff
Initial Stack Segment: 0000
Initial Stack Pointer: 00b8
Complemented Checksum: 0000
Initial Instruction Pointer: 0000
Initial Code Segment: 0000
Relocation Table Offset: 0040
Overlay Number: 001a
Reserved: 0000 0000 0000 0000
0000 0000 0000 0000
0000 0000 0000 0000
0000 0000 0000 0000
Offset to New Header: 00000080
Memory Needed: 1K

External Since: Jul 03, 2003 Posts: 179

"Zantafio" <zzz DeleteThis @zorglub.net> wrote:

> I'd appreciate to get additional information.
> Sorry for the length!
<<snip>>

Sounds like you have done a great job so far.

Could I suggest that, to get detection of this added to virus scanners as
quickly as possible you should send all the suspect files, and a copy of
your description from your post, to your preferred antivirus developers
from the following list? I recommend that you send the samples to several
(if not all) vendors rather than just those whose product(s) you use.

Command Software <virus DeleteThis @commandcom.com>
Computer Associates (US) <virus DeleteThis @ca.com>
Computer Associates (Vet/EZ) <ipevirus DeleteThis @vet.com.au>
DialogueScience (Dr. Web) <Antivir DeleteThis @dials.ru>
Eset (NOD32) <sample DeleteThis @nod32.com>
F-Secure Corp. <samples DeleteThis @f-secure.com>
Frisk Software (F-PROT) <viruslab DeleteThis @f-prot.com>
Grisoft (AVG) <virus DeleteThis @grisoft.cz>
H+BEDV (AntiVir): <virus DeleteThis @antivir.de>
Kaspersky Labs <newvirus DeleteThis @kaspersky.com>
Network Associates (McAfee) <virus_research DeleteThis @nai.com>
Norman (NVC) <analysis DeleteThis @norman.no>
Sophos Plc. <support DeleteThis @sophos.com>
Symantec (Norton) <avsubmit DeleteThis @symantec.com>
Trend Micro (PC-cillin) <virus_doctor DeleteThis @trendmicro.com>
(Trend may only accept files from users of its products)

--
Nick FitzGerald