New virus found from MSN Hacker

He gave me that link

hxxp://facebookimgs.com/viewimage.php

Don’t go there, it’s an automatic virus installer.
This needs to be added to the ban list fast.


Welcome to the forums, jdjesse. :slight_smile:

Please modify the link you have posted so that it is not an active link to malware.

You can change http to hXXp which will break the link.


Yes this only tries to infect, see image.

The file it tries to run is also undetected, I have sent it to virus(at)avast(dot)com.

VirusTotal does detect this file (11 of 38) as a backdoor, dropper/downloader, etc.

http://www.virustotal.com/analisis/f9b9e8e4e83b226b9105d43a737bb1f5

Removal instructions:

Virus Profile: W32/Sdbot.worm!797C016E
Risk Assessment

  • Home Users: Low
  • Corporate Users: Low
  • Date Discovered: 11/7/2008
  • Date Added: 11/7/2008
  • Origin: Unknown
  • Length: 48690
  • Type: Virus
  • SubType: Worm
  • DAT Required: 5426

Virus Family Statistics (over the past 30 days)

Virus Name      Infected Files   Scanned Files   % Infected Computers
IRC-Sdbot       1,174            17,851,431      0.01
IRC-Sdbot.dr    3,025            5,202,380       0.00

Virus Characteristics

File Property      Property Value
FileName           fxstal~1.exe
McAfee Detection   W32/Sdbot.worm
Length             48,690 bytes
CRC                797C016E
MD5                6ABB6C6CFF603DC3AAAF6B2E39D2C3D9
SHA1               54C55A36B1CA1F56D87D8C199B1A1D9E522E1D70

Other Common Detection Aliases

Company Name      Detection Name
avast             Win32:Trojan-gen {Other}
AVG (GriSoft)     sheur2.oe
Avira             Worm/IrcBot.48690
BitDefender       Backdoor.RBot.YBJ
Eset              Win32/Injector.EN
Kaspersky         Backdoor.Win32.IRCBot.gln
Microsoft         VirTool:Win32/CeeInject.gen!J

Avert® Labs has observed the following system activities:

Activity                                                          Risk Level
Modifies memory of other processes                                Critical
Writes executable in the Windows folder                           Low
Creates registry keys and data values to persist on OS reboot     Informational

Other detections that have been observed.

FileName                  McAfee Supported
%WINDIR%\fxstaller.exe    W32/Sdbot.worm

This sample can be identified by the following symptoms.

System Changes

These are general defaults for typical path variables
(although they may differ, these examples are common):

%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

The following files have been added to the system:

%WINDIR%\fxstaller.exe

The applications created the following network connection(s):

172.16.199.200:4244 (irc)

* PASS letmein NICK [00|USA|078459]
* PASS letmein NICK [00|USA|078459] USER XP-0614 * 0 :VMG-CLIENT

Indications of Infection

The symptoms of this detection are the files, registry entries,
and network communication referenced in the characteristics section.

Method of Infection

Viruses are self-replicating.
They are often spread over a network or by transmission to a removable medium such as a removable disk,
writable CD, or USB drive.
Viruses may also spread by infecting files on a network file system
or a file system that is shared with another computer.

Also known as:
Troj/IRCBot-ZI is a Trojan for the Windows platform.

Troj/IRCBot-ZI runs continuously in the background,
providing a backdoor server which allows a remote intruder
to gain access and control over the computer via IRC channels.

When first run Troj/IRCBot-ZI copies itself to \fxstaller.exe.

The following registry entry is created to run fxstaller.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows UDP Control Center
fxstaller.exe

files to remove:
6936955.exe

VirTool:Win32/CeeInject.gen!J [Microsoft] is known to be created as:
%ProgramFiles%\bifeg\dg.exe
%ProgramFiles%\bifrost\server.exe
%ProgramFiles%\common files\system\svcchost.exe
%ProgramFiles%\common files\system\svchostu.exe
%ProgramFiles%\common files\system\vnasc.exe
%ProgramFiles%\java\msn.exe
%ProgramFiles%\massenger live\server.exe
%ProgramFiles%\msn\messanger.exe
%ProgramFiles%\system33\rundill32.exe
%System%\avs.exe
%System%\bifrost\regidl.exe
%System%\bifrost\server.exe
%System%\bifrost\shell.exe
%System%\cmd32.exe
%System%\dllcache\aic17u1.sys
%System%\getmac16.exe
%System%\lasssc.exe
%System%\messanger\msn.exe
%System%\mldmm.exe
%System%\msn\system.exe
%System%\msnmsgr\msn.exe
%System%\msupdate.exe
%System%\nessrvces32.exe
%System%\petnkc.exe
%System%\progrmas\server.exe
%System%\rbjeivpetkbayv.exe
%System%\sadasdj.exe
%System%\scuccccmunafgb.exe
%System%\service.exe
%System%\services\server.exe
%System%\sm.exe
%System%\svhost.exe
%System%\system\windows.exe
%System%\tasgmger.exe
%System%\twext.exe
%System%\wntfy.exe
%System%\wplayer.exe
%Temp%\240135.exe
%Temp%\dos-sql-php.99.exe
%Temp%\dr.mot4.exe
%Temp%\ixp000.tmp\aa.exe
%Temp%\ixp000.tmp\act.exe
%Temp%\ixp000.tmp\buri.exe
%Temp%\ixp000.tmp\fapack.exe
%Temp%\ixp000.tmp\file.exe
%Temp%\ixp000.tmp\image.exe
%Temp%\ixp000.tmp\lsass.exe
%Temp%\ixp000.tmp\pa.exe
%Temp%\ixp000.tmp\pack.exe
%Temp%\ixp000.tmp\pr.exe
%Temp%\ixp000.tmp\rundii32.exe
%Temp%\ixp000.tmp\service.exe
%Temp%\ixp000.tmp\test.exe
%Temp%\ixp000.tmp\update.exe
%Temp%\ixp001.tmp\1.exe
%Temp%\ixp001.tmp\burimi.exe
%Temp%\ixp001.tmp\rundii32.exe
%Temp%\ixp002.tmp\rundii32.exe
%Temp%\messanger.exe
%Temp%\rarsfx0\1.exe
%Windir%\bifrost\server.exe
%Windir%\cftmon32.exe
%Windir%\config\polcmd32.exe
%Windir%\explrer.exe
%Windir%\fxstaller.exe
%Windir%\libsrv32.exe
%Windir%\mdm32.exe
%Windir%\server.exe
%Windir%\service.exe
%Windir%\sqihost32.exe
%Windir%\sqlhostt32.exe
%Windir%\system32:explorer.exe
%Windir%\system32:svchostt.exe
%Windir%\tunesfix.exe
%Windir%\winudpmgr.exe
Notes:

* %ProgramFiles% is a variable that refers to the Program Files folder. 
  A typical path is C:\Program Files.
* %System% is a variable that refers to the System folder. 
  By default, this is C:\Windows\System (Windows 95/98/Me), 
  C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
* %Temp% is a variable that refers to the temporary folder in the short path form.  
  By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
* %Windir% is a variable that refers to the Windows installation folder. 
  By default, this is C:\Windows or C:\Winnt.

polonus
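Added example (editor's code, not posted by polonus or taken from the vendor profiles above): a small IOC matcher built only from the indicators quoted in the profile, namely the fxstaller.exe filename, the MD5/SHA1, the “Windows UDP Control Center” Run value, the 172.16.199.200:4244 IRC connection and the `PASS letmein NICK [00|USA|078459]` login. The IRC match is on the shape of the nick (two digits, country code, six digits) rather than the exact digits, since those vary per victim; the event records fed to it are constructed for illustration, not real telemetry.

```python
"""IOC matcher for the W32/Sdbot.worm sample discussed in the thread.

Indicators are copied from the quoted McAfee/Sophos profiles. The event
records in SAMPLE_EVENTS are constructed for illustration only.
"""
import re

IOC_MD5 = "6abb6c6cff603dc3aaaf6b2e39d2c3d9"
IOC_SHA1 = "54c55a36b1ca1f56d87d8c199b1a1d9e522e1d70"
IOC_FILENAME = "fxstaller.exe"
IOC_RUN_VALUE = "windows udp control center"   # HKLM\...\CurrentVersion\Run value name
IOC_C2_HOST, IOC_C2_PORT = "172.16.199.200", 4244

# The sandbox log shows the bot logging in with a fixed password and a nick
# of the form [00|USA|078459]; match that shape, not the exact digits.
IRC_LOGIN = re.compile(
    r"\bPASS\s+(?P<password>\S+)\s+NICK\s+(?P<nick>\[\d{2}\|[A-Z]{2,3}\|\d{6}\])"
)


def match_irc_login(payload: str):
    """Return (password, nick) if the payload looks like the Sdbot IRC handshake."""
    m = IRC_LOGIN.search(payload)
    return (m.group("password"), m.group("nick")) if m else None


def match_network(dst_ip: str, dst_port: int) -> bool:
    """Exact match on the C2 endpoint from the profile."""
    return (dst_ip, dst_port) == (IOC_C2_HOST, IOC_C2_PORT)


def match_run_key(value_name: str, value_data: str) -> bool:
    """Run value named 'Windows UDP Control Center', or any Run value pointing at fxstaller.exe."""
    return (value_name.strip().lower() == IOC_RUN_VALUE
            or value_data.strip().lower().endswith(IOC_FILENAME))


def match_file(path: str, md5: str = "", sha1: str = "") -> bool:
    """Match on the dropped filename or on either hash (hashes are compared case-insensitively)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name == IOC_FILENAME or md5.lower() == IOC_MD5 or sha1.lower() == IOC_SHA1


def scan(events):
    """events: iterable of dicts with a 'type' key ('irc', 'registry' or 'file').

    Returns a list of human-readable hit descriptions, one per matching indicator.
    """
    hits = []
    for ev in events:
        kind = ev.get("type")
        if kind == "irc":
            creds = match_irc_login(ev["payload"])
            if creds:
                hits.append(f"irc-login password={creds[0]} nick={creds[1]}")
            if match_network(ev["dst_ip"], ev["dst_port"]):
                hits.append(f"c2-connect {ev['dst_ip']}:{ev['dst_port']}")
        elif kind == "registry":
            if match_run_key(ev["name"], ev["data"]):
                hits.append(f"run-key {ev['name']}={ev['data']}")
        elif kind == "file":
            if match_file(ev["path"], ev.get("md5", ""), ev.get("sha1", "")):
                hits.append(f"file {ev['path']}")
    return hits


# Constructed sample input: one infected-host set of events plus benign noise.
SAMPLE_EVENTS = [
    {"type": "irc", "dst_ip": "172.16.199.200", "dst_port": 4244,
     "payload": "PASS letmein NICK [00|USA|078459] USER XP-0614 * 0 :VMG-CLIENT"},
    {"type": "irc", "dst_ip": "198.51.100.7", "dst_port": 6667,
     "payload": "NICK alice USER alice 0 * :Alice"},
    {"type": "registry", "name": "Windows UDP Control Center", "data": "fxstaller.exe"},
    {"type": "registry", "name": "ctfmon", "data": "C:\\WINDOWS\\system32\\ctfmon.exe"},
    {"type": "file", "path": "C:\\WINDOWS\\fxstaller.exe",
     "md5": "6ABB6C6CFF603DC3AAAF6B2E39D2C3D9"},
    {"type": "file", "path": "C:\\WINDOWS\\notepad.exe",
     "md5": "d41d8cd98f00b204e9800998ecf8427e"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The filename and Run-value checks are the weakest of the four (an updated build can change both), which is why the hash and the IRC login shape are checked independently rather than requiring all indicators to co-occur.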

Bad that Dr Web found nothing either… :stuck_out_tongue:

I wouldn’t really expect it to find anything here hXXp://facebookimgs.com/viewimage.php, all there is on that page is an iframe tag to run/direct to the other infected file.

So there is actually nothing on that page.

It’s a pity that Dr Web can’t detect these nasties…

Don’t forget the iframe tag is a legitimate html tag usually used to deliver dynamic content and commonly adverts. So unless it checks for any off site (or any) url in the iframe tag and then scans those it won’t and shouldn’t alert simply because it has an iframe tag on the page.

As far as I’m aware (and your scan seems to confirm it) DrWeb only checks for malware at the url that you select to be scanned, it doesn’t go beyond that level. If it did then perhaps we would see it detecting, but soon it would need to go to another level if there were URLs in that page too.
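Added example (editor's code, not from DavidR, Tech, or the Dr Web extension): the “second level” DavidR describes is the set of URLs a page pulls in through iframe, frame, script, object and embed tags. This parser lists those targets for a page, marks which ones are off-site and which are hidden (zero/one-pixel or display:none, the usual shape of a drive-by iframe), so a scanner could fetch just those rather than every link on the page. It runs offline on a constructed HTML snippet with example.com/net/org hosts; nothing is fetched.

```python
"""List the embedded resources a page loads, flagging off-site and hidden ones.

The HTML and host names below are constructed for illustration; this does
not fetch anything and is not the Dr Web / avast scanner logic.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that names the resource the browser will load automatically.
EMBED_TAGS = {"iframe": "src", "frame": "src", "script": "src",
              "object": "data", "embed": "src"}


def _looks_hidden(attrs: dict) -> bool:
    """True for display:none / visibility:hidden or a 0-1 pixel frame."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        value = (attrs.get(dim) or "").strip().lower().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            return True
    return False


class EmbedCollector(HTMLParser):
    """Collect every auto-loaded embed with its absolute URL and on/off-site flag."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.page_host = (urlsplit(page_url).hostname or "").lower()
        self.found = []

    def handle_starttag(self, tag, attrs):
        attr_name = EMBED_TAGS.get(tag)
        if attr_name is None:
            return
        a = dict(attrs)
        target = a.get(attr_name)
        if not target:
            return
        url = urljoin(self.page_url, target)          # resolve relative src
        host = (urlsplit(url).hostname or "").lower()
        self.found.append({
            "tag": tag,
            "url": url,
            "offsite": host != self.page_host,
            "hidden": _looks_hidden(a),
        })


def extract_embeds(html: str, page_url: str):
    parser = EmbedCollector(page_url)
    parser.feed(html)
    return parser.found


def second_level_targets(html: str, page_url: str):
    """URLs a one-level-deeper scanner would have to fetch: embeds from other hosts."""
    return [e["url"] for e in extract_embeds(html, page_url) if e["offsite"]]


def suspicious_embeds(html: str, page_url: str):
    """Off-site *and* hidden: the classic drive-by iframe shape."""
    return [e for e in extract_embeds(html, page_url) if e["offsite"] and e["hidden"]]


# Constructed page: one hidden off-site iframe, one normal on-site ad frame,
# one off-site script. Hosts are RFC 2606 examples, not the real site.
SAMPLE_HTML = """<html><body>
<img src="/img/logo.png">
<iframe src="http://example.net/load.php" width="1" height="1" style="display:none"></iframe>
<iframe src="/ads/banner.html" width="300" height="250"></iframe>
<script src="http://example.org/stats.js"></script>
</body></html>"""
SAMPLE_URL = "http://example.com/viewimage.php"

if __name__ == "__main__":
    for e in extract_embeds(SAMPLE_HTML, SAMPLE_URL):
        print(e)
    print("fetch next:", second_level_targets(SAMPLE_HTML, SAMPLE_URL))
```

Restricting the second level to auto-loaded embeds (not every `<a href>`) keeps the extra fetches to a handful per page, which addresses the load concern raised below without missing the iframe-only case this thread is about.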

Hi DavidR and Tech,

Here I am glad to have Fx with the RequestPolicy, NoScript and RedirectRemover add-ons to protect me; as for link checkers, Finjan detects it and WOT does not…

pol

P.S. RedirectRemover and RequestPolicy test here: http://redirectremover.mozdev.org/rdrtestpage.html

That’s the matter… maybe they could improve this as an option of the Firefox extension and its own url scanner.

I know if it did that I would probably drop it, once it starts to go too deep in scanning 2nd and worse if it went to a 3rd levels it could get extremely cumbersome slowing things down, for me on dial-up it is already slow enough.

If the user can configure it… we can’t expect that everybody is on dial-up, and maybe 2nd level, in most cases, is enough…

Yes, if it were user configurable, but even a 2nd level could have a huge impact on browsing, not to mention server load and messing with site stats, or have you forgotten the flak that AVG8 got about their proactive link scanning? There could be many links on the page that you ask it to scan.

I’m talking about Dr Web extension and not avast WebShield…
I see no reason for a second level scan with WebShield… if the page is loaded, it’s scanned, that’s all.

And that is what I’m talking about too, the example of how AVG8 scanned to multiple levels could just as easily be applied to DrWeb for the selective link scan.

Yay it was added to the ban list lol. Now to get my poor friends computer fixed.