I have recently attained some sort of evil oddity. Good old Avast found it, whereas all others failed pretty much. Avast has attempted and succeeded in removing multiple files. “mezzicodec.net” seems to appear in the log. Through a brief search of the internet, I was unsuccessful at finding the locale of this annoying little thing.
The things it does are as follows. One: It reinstalls itself. Two: When using the internet, and not, it makes pop-ups. Firefox is IMMUNE to pop-ups, but this virus is SMART and opens IE. I know my processes, and strike down the ones I know are the cause, but it STILL recovers itself and retains its ability to spam advertisements.
- How was it detected? What was scanning, you yourself or the background scanner? When did the message occur: on a download, unzipping, opening a file, mail or mail attachment, etc.?
First it appeared during the running of a self-extracting .exe file, which opened a dos window and began spreading I believe. It has been detected since then multiple times by the scanner, but cannot be removed. I DO delete the files after killing the process, but to no avail.
- What was the source of the file, where did the file come from? E.g. address, URL, source.
Well, I am a gamer, and I wanted to see if there was a CD-Key of a game called “War Rock” that I could use. It needs a promo code to access stuff if you have the retail CD. It is freeware otherwise, but I wondered if there was a code lying about. So, I Googled “war rock promo code” and out came a link that caught my eye. “Keygen (software keys generator): war rock promo code keygen …” Well, it was late, and I was too sleepy to consider the consequences. (Normally I don’t fall for this bull.) The exact URL is “http: // keygen.name/serial/war_rock_promo_code.html”.
- When was it downloaded or received?
I downloaded it a day or so ago.
- What is the exact file name with extension.
war_rock_promo_code_keygen.exe
- What was the exact wording of the message that the AV program came up with? This is important for later.
Oh, like I would remember this one. It spammed warnings galore when I ran this. At the time, I was thinking, “OH GOD WHAT WAS I THINKING” and immediately closed the dos window it opened. (It must have run for about three seconds tops… because I had to tell Avast to stop the connections it was trying to make, so I was stalled for a while.) It installed all over the place I think during that time. I hope the log’s record is better.
The warning section since start of problem:
6/2/2007 9:15:38 PM SYSTEM 1836 Sign of “Win32:Alphabet [Trj]” has been found in “http: // l.mezzicodec.net/a412/de.php?b=779[PECompact]” file.
6/2/2007 9:15:56 PM SYSTEM 1836 Sign of “Win32:Agent-FDG [Trj]” has been found in “http: // l.mezzicodec.net/a412/sv.php?m=1&b=779” file.
6/2/2007 9:16:00 PM SYSTEM 1836 Sign of “Win32:Agent-ECD [Trj]” has been found in “http: // l.mezzicodec.net/a412/tr.php?m=1&b=779[PECompact]” file.
6/2/2007 9:16:11 PM SYSTEM 1836 Sign of “Win32:PurityScan-AF [Trj]” has been found in “C:\Program Files\Common Files\Yazzle1162OinAdmin.exe[PECompact]” file.
6/2/2007 9:30:44 PM SYSTEM 1836 Sign of “Win32:VBStat-C [Trj]” has been found in “C:\DOCUME~1\John\LOCALS~1\Temp\hivhnolj.dll” file.
6/2/2007 9:51:04 PM John 3784 Sign of “Win32:Balloon [Adw]” has been found in “C:\WINDOWS\system32\ascbalo3N.dll” file.
6/2/2007 9:51:20 PM John 3784 Sign of “Win32:Balloon [Adw]” has been found in “C:\WINDOWS\system32\ascbalon.dll” file.
6/3/2007 1:20:53 AM John 2216 Sign of “Win32:Pwdump-B [Tool]” has been found in “C:\Documents and Settings\John\Local Settings\Temp\RarSFX1\pwdump2\pwdump2.exe[UPX]” file.
6/3/2007 1:21:52 AM John 2216 Sign of “Win32:Pwdump [Tool]” has been found in “C:\Documents and Settings\John\Local Settings\Temp\RarSFX1\pwdump2\samdump.dll[UPX]” file.
6/3/2007 1:22:18 AM John 2216 Sign of “Win32:Agent-HDR [Trj]” has been found in “C:\Documents and Settings\John\Local Settings\Temp\win46.tmp.exe[UPX]” file.
6/3/2007 1:44:06 AM John 2216 Sign of “Win32:Small-AFK [Trj]” has been found in “C:\System Volume Information\_restore{E68F4C0B-CC79-41DA-8A08-056841B2D13B}\RP120\A0131428.exe” file.
6/3/2007 1:44:12 AM John 2216 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\System Volume Information\_restore{E68F4C0B-CC79-41DA-8A08-056841B2D13B}\RP120\A0131429.exe” file.
6/3/2007 1:44:16 AM John 2216 Sign of “Win32:Nethief-W [Trj]” has been found in “C:\System Volume Information\_restore{E68F4C0B-CC79-41DA-8A08-056841B2D13B}\RP122\A0131548.exe” file.
6/3/2007 1:44:16 AM John 2216 Sign of “Win32:Trojan-gen. {UPX!}” has been found in “C:\System Volume Information\_restore{E68F4C0B-CC79-41DA-8A08-056841B2D13B}\RP122\A0131550.exe” file.
6/3/2007 1:44:16 AM John 2216 Sign of “Win32:Fontra-B” has been found in “C:\System Volume Information\_restore{E68F4C0B-CC79-41DA-8A08-056841B2D13B}\RP122\A0131556.exe” file.
6/3/2007 1:44:25 AM John 2216 Sign of “Win32:Downloader-AS [Trj]” has been found in “C:\System Volume Information\_restore{E68F4C0B-CC79-41DA-8A08-056841B2D13B}\RP122\A0131598.exe” file.
6/3/2007 1:44:26 AM John 2216 Sign of “Win32:Qhost-AI [Trj]” has been found in “C:\System Volume Information\_restore{E68F4C0B-CC79-41DA-8A08-056841B2D13B}\RP122\A0131620.exe” file.
6/3/2007 1:44:27 AM John 2216 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\System Volume Information\_restore{E68F4C0B-CC79-41DA-8A08-056841B2D13B}\RP122\A0131625.exe” file.
6/3/2007 1:44:35 AM John 2216 Sign of “Win32:Agent-FMH [Trj]” has been found in “C:\System Volume Information\_restore{E68F4C0B-CC79-41DA-8A08-056841B2D13B}\RP122\A0131649.exe” file.
6/3/2007 1:44:37 AM John 2216 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\System Volume Information\_restore{E68F4C0B-CC79-41DA-8A08-056841B2D13B}\RP122\A0131681.exe” file.
6/3/2007 1:44:49 AM John 2216 Sign of “Win32:Trojan-gen. {UPX!}” has been found in “C:\System Volume Information\_restore{E68F4C0B-CC79-41DA-8A08-056841B2D13B}\RP122\A0131770.exe” file.
6/3/2007 1:44:52 AM John 2216 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\System Volume Information\_restore{E68F4C0B-CC79-41DA-8A08-056841B2D13B}\RP122\A0131817.exe” file.
6/3/2007 1:48:06 AM John 2216 Sign of “Win32:Balloon [Adw]” has been found in “C:\System Volume Information\_restore{E68F4C0B-CC79-41DA-8A08-056841B2D13B}\RP125\A0133247.dll” file.
6/3/2007 1:48:11 AM John 2216 Sign of “Win32:Balloon [Adw]” has been found in “C:\System Volume Information\_restore{E68F4C0B-CC79-41DA-8A08-056841B2D13B}\RP125\A0133248.dll” file.
6/3/2007 5:45:26 AM John 2188 Sign of “Win32:Ardamax-CG [Trj]” has been found in “C:\Documents and Settings\John\Local Settings\Temp@4E.tmp” file.
6/3/2007 11:24:53 AM SYSTEM 1864 Sign of “Win32:Alphabet [Trj]” has been found in “http: // l.mezzicodec.net/a412/de.php?b=779[PECompact]” file.
6/3/2007 11:25:10 AM SYSTEM 1864 Sign of “Win32:Agent-FDG [Trj]” has been found in “http: // l.mezzicodec.net/a412/sv.php?m=1&b=779” file.
6/3/2007 11:25:21 AM SYSTEM 1864 Sign of “Win32:Agent-ECD [Trj]” has been found in “http: // l.mezzicodec.net/a412/tr.php?m=1&b=779[PECompact]” file.
6/3/2007 11:25:25 AM SYSTEM 1864 Sign of “Win32:Agent-HDR [Trj]” has been found in “http: // l.mezzicodec.net/a412/mc.php?m=1&b=779[UPX]” file.
6/3/2007 11:25:31 AM SYSTEM 1864 Sign of “Win32:PurityScan-AF [Trj]” has been found in “C:\Program Files\Common Files\Yazzle1162OinAdmin.exe[PECompact]” file.
I deleted my system restore due to the agitation of this find while I ran a scan. Pay attention to the ones that were not in the system restore.
- Now go back and do nothing yet. Scan the particular file once again with your AV product.
Heh, found nothing. I scanned it in advance of opening it, too.
A. The message is in the same wording: maybe positive alert
No message, but I am NOT opening this thing again.
B. If the message is not in the same wording or the scan does not find anything, this could be a false positive.
False positive? … Yeah sure, then EXPLAIN THE POP-UPS!
- Check with an online scanner or upload to Jotti for a second opinion. Jotti resides at http://virusscan.jotti.org/
I plan to do this momentarily… Installing ClamWin on a USB drive to use.
- Go get informed: ask a Virus Encyclopedia or Virus Central, or put a question on a forum.
I’ll do this as well eventually.
- Make an informed decision on the basis of what you have found.
Informed decision? Okay, let’s see… (Insert a crazy man laughing on Normandy Beach.) Hmm, it backs itself up multiple times. Thus far, it has not infected files, just hidden itself and run. It has hidden as svchost.exe, a few “spam” processes, etc. How to describe it? It seems to send stuff out on occasion; I blocked the locations it wanted to contact with my router. It has been a tad more dormant since Avast pummeled it on occasion. I think it is a keylogger and it sends out information about passwords, etc. Oh, it DOES infect over networks. It managed to infect the other PC, which is being given a final scan to see if it was properly cleaned. Unfortunately, Avast can’t beat it on this system I am using. (Insert the same man on the beach looking to the sky screaming an elongated “WHY” at the top of his lungs.)
- Inform others about what you have learned, if the file came from a reliable source, author, programmer etc. send a friendly e-mail with your findings. This will help us all.
“Inform”? Uh… it’s evil.
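The poster's advice to "pay attention to the ones that were not in the system restore" is the right triage instinct: a detection inside a System Restore point or a blocked download is an old copy or a never-written file, while a hit under Program Files, system32 or a Temp folder is something that can still re-launch. The following is an added example, not code from the post: it parses Avast warning-log lines in the format shown above (a handful of them, copied from the post, serve as the embedded sample) and buckets each detection by where it was found. The `classify` rules are my own assumption about which locations matter for cleanup.

```python
import re
from collections import Counter

# One Avast warning-log line, in the format pasted in the post above.
LINE_RE = re.compile(
    r'^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<user>\S+) (?P<pid>\d+) Sign of [“"](?P<sig>.+?)[”"] '
    r'has been found in [“"](?P<path>.+?)[”"] file\.$'
)
# Avast appends the packer it unpacked in square brackets; strip it.
PACKER_RE = re.compile(r'\[(?:UPX|PECompact)\]$')


def classify(path):
    """Bucket a detection location by what it means for cleanup (assumed rules)."""
    low = path.lower()
    if low.startswith('http'):
        return 'remote'         # download caught before it reached disk
    if 'system volume information' in low:
        return 'restore_point'  # stale copy held by System Restore
    if '\\temp\\' in low or '\\temp@' in low:
        return 'temp'           # dropped into a user Temp folder
    return 'live'               # installed file that can re-launch


def parse_log(text):
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue            # skip blank or non-log lines
        path = PACKER_RE.sub('', m['path'])
        entries.append({'when': m['when'], 'sig': m['sig'],
                        'path': path, 'kind': classify(path)})
    return entries


def summarize(entries):
    """Return counts per bucket and the on-disk paths still worth chasing."""
    kinds = Counter(e['kind'] for e in entries)
    active = sorted({e['path'] for e in entries if e['kind'] in ('live', 'temp')})
    return kinds, active


# Sample lines taken from the post above (URL left in its defanged form).
SAMPLE = r"""
6/2/2007 9:15:38 PM SYSTEM 1836 Sign of “Win32:Alphabet [Trj]” has been found in “http: // l.mezzicodec.net/a412/de.php?b=779[PECompact]” file.
6/2/2007 9:16:11 PM SYSTEM 1836 Sign of “Win32:PurityScan-AF [Trj]” has been found in “C:\Program Files\Common Files\Yazzle1162OinAdmin.exe[PECompact]” file.
6/2/2007 9:30:44 PM SYSTEM 1836 Sign of “Win32:VBStat-C [Trj]” has been found in “C:\DOCUME~1\John\LOCALS~1\Temp\hivhnolj.dll” file.
6/2/2007 9:51:04 PM John 3784 Sign of “Win32:Balloon [Adw]” has been found in “C:\WINDOWS\system32\ascbalo3N.dll” file.
6/3/2007 1:44:06 AM John 2216 Sign of “Win32:Small-AFK [Trj]” has been found in “C:\System Volume Information\_restore{E68F4C0B-CC79-41DA-8A08-056841B2D13B}\RP120\A0131428.exe” file.
"""

if __name__ == '__main__':
    counts, paths = summarize(parse_log(SAMPLE))
    print(dict(counts))
    for p in paths:
        print('still on disk:', p)
```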