angle.eXe

Hi all, a few days ago I did a search on Google for my small village. I was looking for old maps, found an entry that displayed my name and address etc., visited the site and found my information was in a SQL file: name, email, home address, phone number, mobile number etc. Not clued up on SQL files, or why this guy had this information on what looked like his web server. As of yesterday this web server was still viewable, but trying today it seems to be gone (http://www.google.co.uk/search?hl=en&q=angle.exe+abuse.txt&meta=)

I prodded around to see what this guy was about. He has photos and other stuff besides the SQL file, and another file called angle.exe. Guess what, I was silly enough to want to know what this file did, and ran it!!! My life changed in 30 seconds… I have no idea exactly what it’s done, but just before it shut down a 16-bit FTP logo appeared in the top left of my screen… this bit I find worrying…

The PC in question was shot, could hardly boot up, and files all over the place were corrupt. References to angle.eXe & hidden system files ~angle.eXe were all over the place; other additions were RCX**.tmp files, and many more files with the eXe extension, scvhost was one I remember…

I rebuilt the damaged PC, only to find after about 10 mins it contracted the same stuff. Changed my router just in case, but did find all these files on my mapped network drives also; even when I plugged my USB stick into a different machine, it contracted the hidden ~angle.eXe file, so I’m safe in saying that all 5 of my PCs got infected, 2 USB sticks, and a NAS network drive along with them.

We both use our PCs for work, and it’s our livelihood, so you can imagine the headache this has caused. Further digging found these files in ALL folders that had recent activity also. I have no idea what is good and what is bad, and possibly 6 months of hard work down the drain… as the 4 backups I kept were all mapped network drives, that have also got infected… CD-Rs from now on for me I think!!!

Anyway, slowly I am introducing rebuilt PCs back to my new routered network. Already I am seeing attacks from the outside world, not sure if they are related though…

The first machine to get infected is not on the network now, I’m trying to salvage stuff from it. Avast didn’t pick up anything, but AVG found the angle.eXe!!

Is this the right place to get somebody to investigate, as I’d like Avast to be able to pick it up in the future?

Steve. PS: you’d never believe I’m a computer engineer, and have been for years, and what I always tell people to NOT do, I do myself out of nosiness…

“do not click on anything you are not sure about”

A good moral, but at times we all fall for it. If you still have a copy of the file you could send it to Avast. It might also be worth sending the file to http://www.thespykiller.co.uk/forum/index.php?board=1.0 for the attention of one of the experts. Just post the file with a brief synopsis of the symptoms as you have done here and one of the malware destroyers will pick it up for deconstruction, thereby helping other people and seeing if there is a non-destructive way of killing it.

Hi Steve,

The link you posted is currently active and seems clean


http://img338.imageshack.us/img338/6012/gypsyqv9.png

There are a couple of web references to angle.exe being related to tenga.a.

Try a Trend Micro on-line scan and, if anything is found, post the path and file name(s) along with the name of the detection.

EDIT: Here’s a link to the on-line scan

http://housecall.trendmicro.com/

Hi, the link I posted was only a ref to the site/server that held the angle.eXe file. Clicking on the links DID take you to the web server in question, but it looks down at the moment…

As for sending a copy, I’m not sure I can now. It’s a shame the above has gone; I’ll keep checking, it may come back…

I’m still working on trying to clean up what I have. Found that my D drive (used as backup) had a hidden duplication of every exe file (281) on it, but hidden and the x in exe capitalised (eXe), e.g. spamfighter.eXe (hidden), as well as spamfighter.exe (normal, visible)…

I do have a NAS drive though I haven’t got to yet, so it may be still on there. I’ll try and track it down, but I have to be very careful, as it gets a bit confusing as to what I can attach/plug in to what…

That part of my post was as much for other forum members, who would be concerned about an active link, as it was for you.

I’m not saying for sure that this is tenga.a but, if it is, it does have the ability to spread through your network. Here are some links that may give you some clues:

http://www.sophos.com/security/analyses/w32tengaa.html

http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=82383&sind=0

http://www.f-secure.com/v-descs/tenga_a.shtml

Interestingly, the Panda site (second link) lists ftp as one of the transmission methods.

Whether it’s tenga.a or not I would still recommend the Trend scan. Just make sure to isolate your LAN components until things are under control.

EDIT: When you say avg found angle.eXe I assume you deleted without notating what malware was identified. If you do have the name AVG gave it please post that.
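
For readers triaging a drive with the same symptoms, here is an added example (not written by anyone in this thread) that inventories files matching the names reported above and records a SHA-256 for each, so paths and hashes can be posted or sent with a sample. The patterns come from the posts; the function names and record layout are assumptions of this example.

```python
import fnmatch
import hashlib
import os

# Name patterns taken from the symptoms reported in this thread. Matching is
# case-sensitive on purpose: the reported copies use a capital X ("eXe").
PATTERNS = ("*.eXe", "RCX*.tmp")
FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows attribute bit


def is_hidden(path):
    """True if the Windows 'hidden' attribute is set (always False elsewhere)."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN)


def sha256_of(path):
    """Hash the file by reading it; the file is never executed."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan(root):
    """Return one record per file under root whose name matches PATTERNS."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        names = set(files)
        for name in files:
            if not any(fnmatch.fnmatchcase(name, p) for p in PATTERNS):
                continue
            path = os.path.join(dirpath, name)
            stem, ext = os.path.splitext(name)
            hits.append({
                "path": path,
                "hidden": is_hidden(path),
                # True when a normally named .exe sits beside the eXe copy
                "twin": ext == ".eXe" and stem + ".exe" in names,
                "sha256": sha256_of(path),
            })
    return sorted(hits, key=lambda hit: hit["path"])


if __name__ == "__main__":
    import sys
    for hit in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit["sha256"], "hidden" if hit["hidden"] else "-", hit["path"])
```

Run it from a machine known to be clean against the suspect drive or share, passing the root folder as the only argument.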