New Virus has been caught!! - Avast cannot detect!

Today my office's PC got a worm/virus. Every time I plug in a USB flash disk or format it, there is a file called Administration Porn, sometimes 'new folder'. Those files had an icon like a folder icon, but with the extension .exe (Application).

Unluckily, AVAST (new update) cannot detect this virus. :frowning:
Another antivirus can detect this threat.

I repaired it manually. After running HijackThis, the log reports:

Logfile of HijackThis v1.99.1 Scan saved at 10:11:47, on 03/07/2006 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\Administrator\Templates\O18281Z\service.exe
C:\WINNT\M71373\smss.exe
C:\WINNT\M71373\EmangEloh.exe
C:\Documents and Settings\Administrator\Templates\O18281Z\winlogon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\FreePDF_XP\fpassist.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe, "C:\Documents and Settings\Administrator\Templates\O18281Z\TuxO18281Z.exe"
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe , "C:\WINNT\M71373\Ja401375bLay.com"
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM..\Run: [FreePDF Assistant] C:\Program Files\FreePDF_XP\fpassist.exe
O4 - HKLM..\Run: [T81Z627] C:\WINNT\sa-310733.exe
O4 - HKCU..\Run: [T1713733TT4] C:\WINNT\system32\662732180417l.exe
O4 - Global Startup: Z662732cie.cmd
O4 - Global User Startup: Z662732cie.cmd
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

I deleted these files manually through the Windows 2000 Recovery Console (command prompt):
C:\Documents and Settings\Administrator\Templates\O18281Z\service.exe
C:\WINNT\M71373\smss.exe
C:\WINNT\M71373\EmangEloh.exe → Indonesian language, means "It's you?"
C:\Documents and Settings\Administrator\Templates\O18281Z\winlogon.exe
O4 - HKLM..\Run: [T81Z627] C:\WINNT\sa-310733.exe
O4 - HKCU..\Run: [T1713733TT4] C:\WINNT\system32\662732180417l.exe
O4 - Global Startup: Z662732cie.cmd
O4 - Global User Startup: Z662732cie.cmd

Then everything is back to normal :wink:

Here is my first catch, http://forum.avast.com/index.php?topic=15082.0

The attachment above contains the virus/worm files; please refer to the HijackThis log for the file list. And don't forget to rename the attachment from .TXT to .RAR.
I gave the .RAR file a password; the password is my email for this forum :slight_smile:
Hopefully, Avast can build a new update for this threat.

thank you.

regards,

iwan
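The log above shows the three things a responder looks for when triaging a HijackThis report by hand: copies of core system binaries (smss.exe, winlogon.exe) running from somewhere other than the system directory, extra entries chained onto the system.ini Shell= and UserInit= values, and Run/startup entries with random digit-heavy names in odd locations. The script below is an added example, not from the original post or from the HijackThis project; it applies those checks to a constructed sample made from a subset of the log lines posted above. The heuristics, thresholds and the `triage` function name are my own assumptions, meant as a first pass rather than a verdict.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a subset of the HijackThis log lines quoted in the post above,
# so the triage runs offline. A real run would read the saved hijackthis.log instead.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\Administrator\Templates\O18281Z\service.exe
C:\WINNT\M71373\smss.exe
C:\WINNT\M71373\EmangEloh.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe

F2 - REG:system.ini: Shell=explorer.exe, "C:\Documents and Settings\Administrator\Templates\O18281Z\TuxO18281Z.exe"
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe , "C:\WINNT\M71373\Ja401375bLay.com"
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [T81Z627] C:\WINNT\sa-310733.exe
O4 - HKCU..\Run: [T1713733TT4] C:\WINNT\system32\662732180417l.exe
O4 - Global Startup: Z662732cie.cmd
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

# Names Windows loads from %SystemRoot%\system32 (explorer.exe from %SystemRoot%).
# A copy running from any other directory is impersonating the real binary.
SYSTEM_BINARIES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                   "csrss.exe", "svchost.exe", "userinit.exe", "explorer.exe"}
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\(winnt|windows)(\\system32)?$")
DIGIT_RUN_RE = re.compile(r"\d{5,}")              # names like sa-310733 or M71373 (assumed threshold)
QUOTED_OR_BARE = re.compile(r'"([^"]+)"|([^",]+)')  # comma-separated entries in system.ini values


def _path_findings(path_str):
    """Reasons a single executable path looks suspicious (empty list if none)."""
    p = PureWindowsPath(path_str.strip().strip('"'))
    name, parent = p.name.lower(), str(p.parent).lower()
    reasons = []
    if name in SYSTEM_BINARIES and not SYSTEM_DIR_RE.match(parent):
        reasons.append(f"system binary name '{p.name}' running outside the system directory")
    if "\\documents and settings\\" in parent + "\\":
        reasons.append("executable launched from a user profile directory")
    if any(DIGIT_RUN_RE.search(part) for part in p.parts):
        reasons.append("random-looking, digit-heavy file or folder name")
    return reasons


def _systemini_findings(key, value):
    """Shell= must only be explorer.exe and UserInit= only userinit.exe; anything chained on is a hijack."""
    expected = {"shell": "explorer.exe", "userinit": "userinit.exe"}.get(key)
    reasons = []
    for quoted, bare in QUOTED_OR_BARE.findall(value):
        entry = (quoted or bare).strip()
        if not entry:
            continue
        if expected and PureWindowsPath(entry).name.lower() != expected:
            reasons.append(f"extra {key} entry '{entry}' chained after {expected}")
        reasons += _path_findings(entry)
    return reasons


def _first_path(command):
    """Take the executable part of a Run command, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def triage(log_text):
    """Return (line, reason) pairs for log lines that deserve a closer look."""
    findings, in_processes = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            in_processes = False          # blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        reasons = []
        if in_processes:
            reasons = _path_findings(line)
        elif line.startswith("F2 - REG:system.ini:"):
            key, _, value = line.split(":", 2)[2].strip().partition("=")
            reasons = _systemini_findings(key.strip().lower(), value)
        elif line.startswith("O4 - "):
            command = line.split("] ", 1)[1] if "] " in line else line.split(": ", 1)[1]
            reasons = _path_findings(_first_path(command))
        elif line.startswith("O7 - ") and "DisableRegedit=1" in line:
            reasons = ["registry editor disabled by policy (typical malware self-protection)"]
        findings.extend((line, r) for r in reasons)
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Every flagged line in the sample corresponds to one of the entries the poster removed by hand, while the avast!, Explorer and System32 lines pass clean. The digit-run and profile-directory rules are deliberately crude; they surface candidates for a human to confirm against the rest of the log, not a list to delete blindly.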

:slight_smile: Hi Iwan :

  You should get something other than just an antivirus &
  firewall on that computer, like the good "Ewido" from
  www.ewido.net/en, to enhance its security. That
  program "specializes" in detecting & removing trojans,
  worms, keyloggers, generic dialers, etc.

Hello. Is any VPS update available? :slight_smile:
This worm has spread to several PCs at my office, through USB flash disk and the network. This worm displays as a folder icon, making it easy to spread.

VirusTotal can find this threat with these AVs:
Authentium 4.93.8 07.05.2006 no virus found
Avast 4.7.844.0 07.05.2006 no virus found
ClamAV devel-20060426 07.05.2006 no virus found
eTrust-InoculateIT 23.72.60 07.06.2006 no virus found
eTrust-Vet 12.6.2287 07.05.2006 no virus found
F-Prot 3.16f 07.05.2006 no virus found
F-Prot4 4.2.1.29 07.05.2006 no virus found
Ikarus 0.2.65.0 07.05.2006 no virus found
Microsoft 1.1481 07.01.2006 no virus found
Norman 5.90.23 07.05.2006 no virus found
Sophos 4.07.0 07.06.2006 no virus found
Symantec 8.0 07.06.2006 no virus found
TheHacker 5.9.8.169 07.04.2006 no virus found
UNA 1.83 07.05.2006 no virus found
VirusBuster 4.3.7:9 07.05.2006 no virus found

These AVs can detect this virus:
AntiVir 6.35.0.20 07.05.2006
AVG 386 07.04.2006
BitDefender 7.2 07.06.2006
CAT-QuickHeal 8.00 07.05.2006
DrWeb 4.33 07.06.2006
Ewido 3.5 07.05.2006
Fortinet 2.77.0.0 07.05.2006
Kaspersky 4.0.2.24 07.06.2006
McAfee 4800 07.05.2006
NOD32v2 1.1645 07.05.2006
Panda 9.0.0.4 07.05.2006
VBA32 3.11.0 07.06.2006

iwannet,

If you think you have a worm you need to isolate the infected computer(s) from the network. Just pull the cable until you get this sorted.

Keep that USB drive away from the clean computers, too.

Have you taken Spiritsongs’ advice about scanning with Ewido?

Pulling out the network cable is not wise, but I told everyone to "not share folders" for a moment.

About Ewido, it doesn't work on my Vista 2 :slight_smile:

Yeah… it's not prepared for Vista :cry:
Isn't the boot-time scanning of avast available? I'm not sure… I did not test it on Vista.
What I know is that it does not work on 64-bit systems.

Boot time? Which function?
Is it the boot scanning console or something else?

Yeah… after 4 months, Avast still cannot detect this threat :slight_smile:
Here, I attach the sample, with the password "my email address for this forum".
Rename the LOG extension to ZIP.

http://img297.imageshack.us/img297/4127/scange4.gif

I hope next vps can detect this…

Hello iwannet,

My laptop just got this emangeloh.exe virus from an Internet cafe in Jakarta!

My OS is Windows XP SP2. Please teach me how to delete the problematic files you just mentioned. I tried HijackThis but the files came back after deletion. I don't understand what the recovery console is. I have minimal virus knowledge.

I'm so unlucky… This is the 2nd time. The first was the RavMon.exe worm.

Please reply asap.

Thanks!
Jim.

See http://forum.avast.com/index.php?topic=14433.msg121822#msg121822
Browse for Eddy’s cleaning page too: http://members.home.nl/edeijl/
The application tool called Autorun could help you with brute-force malware removal.

If you find a virus keeps coming back after you delete it, it has most probably infected the System Restore folder. The best way to solve this is to disable System Restore, reboot your machine and then enable it again. Finally, run a full avast! scan. System Restore cannot be disabled on Windows 9x.

I suggest:

  1. Disable System Restore (enable it at the end of scanning/cleaning):
    Windows ME: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q264887
    Windows XP: http://support.microsoft.com/default.aspx?scid=kb;[LN];310405

  2. Schedule a boot time scanning (Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot).

  3. It will be good if you download, install, update and run other trojan remover tools:
    a-squared
    Free AVG Antispyware
    SUPERantispyware
    Spyware Terminator

Hi iwannet,

The technical analysis and the removal instructions for this malware can be found here:
http://www.sophos.com/security/analyses/w32bobandyc.html

The infection vector is P2P-ing. If you engage in P2P-ing or allow people to P2P on your network, you know beforehand that you run gigantic risks. Some parties pollute P2P with all sorts of malicious code (even because it is considered controversial). Just like PHP, it seems questionable that it can be made secure. Pre-scanning your links using the DrWeb hyperlink scanner (http://www.drweb.com/) gives you some sort of protection.

polonus

Yes, definitely correct!
The main virus is now detected as (different names for different AVs) :slight_smile:
Worm.Win32.VB.cz
W32/MoonLight.worm
WORM_VB.BLW
Win32/NoonLight

Tech gave a good suggestion for Jims642 to follow.
That will stop the virus from activating itself after the cleaning process (Boot Time Scanning) by Avast.

Please be careful if you're using our Internet cafes. Not many administrators know about the presence of viruses. Some places use pirated AV software, which has trojans/keyloggers :slight_smile:
My advice: try to find a big Internet cafe here (Indonesia). Usually they have a good administrator.

Here is the alternative way to remove your problem (I hope):

  • Go to safe mode.
  • Use the HijackThis program, and kill the programs like in the post above. Sadly, the virus is smart. It knows HijackThis is running, kills this program and restarts Windows itself :slight_smile:
  • Alternatively, download this: http://www.virologi.info/download/ShowKillProcess.exe
  • virologi.info is a local AV site.
  • Kill the program emangloe.exe and other programs that you don't know, and delete the files manually. If confused, attach a screen capture here, and Tech or other members will help you.
  • Restart the PC.

Here is the screenshot usually found; beware of clicking folders. Some viruses change the file/application icon to a folder icon. If we click it, we click the application file, not a folder.

http://img173.imageshack.us/img173/5201/filemoonot8.gif

If you are interested in ShowKillProcess, the source program can be downloaded here:

http://www.virologi.info/download/ShowKillProcesssourcecode.zip

Here is the sample of my local viruses. Some viruses are modified or mutated from other viruses. I don't know programming :slight_smile:

FILE CONTENTS

  1. AntiMyheart
  2. AntiFunLove
  3. MyDoom Remover
  4. anti worm
  5. Brontok Backyard (Jowobot)
  6. Brontok Cleaner Remover (Jowobot)
  7. Brontok Washer (Jowobot)
  8. Jowobot FINAL
  9. VarX 1.4.1 (Jowobot)

Some local variant viruses can be detected by NOD32, BitDefender, Kaspersky and Avast.
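The trick described in this thread, an .exe carrying a folder icon and a folder-like name ("new folder", "Administration Porn", or the name of a real folder sitting next to it), defeats the eye but not a simple filename check. The script below is an added example of that check, not code from the original post or from virologi.info; it walks a directory the way you would sweep a flash disk and flags executables that pose as folders or as documents. The name-matching rules, the `find_disguised_executables` function and the constructed demo layout are my own assumptions; the watch-list names come from this thread.

```python
import os
import shutil
import tempfile
from pathlib import Path

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs"}
# Extensions a user expects to be harmless data; "holiday.jpg.exe" hides behind them.
DECOY_EXTS = {".jpg", ".gif", ".doc", ".txt", ".pdf", ".zip", ".rar", ".mp3"}
# Names reported in this thread; a real sweep would load these from a maintained list.
WATCHLIST = {"emangeloh.exe", "administration porn.exe"}


def find_disguised_executables(root):
    """Walk `root` and return {path: reason} for executables that pose as folders or documents."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        sibling_dirs = {d.lower() for d in dirnames}     # real folders in this directory
        for fname in filenames:
            p = Path(dirpath, fname)
            ext = p.suffix.lower()
            if ext not in EXECUTABLE_EXTS:
                continue                                 # only executable types matter here
            stem = p.stem
            inner_ext = Path(stem).suffix.lower()        # ".jpg" for "holiday.jpg.exe"
            if p.name.lower() in WATCHLIST:
                findings[str(p)] = "name on the watch list from this thread"
            elif stem.lower() in sibling_dirs:
                findings[str(p)] = f"executable named after the sibling folder '{stem}'"
            elif inner_ext in DECOY_EXTS:
                findings[str(p)] = f"double extension hides {ext} behind {inner_ext}"
            elif stem.lower().startswith("new folder"):
                findings[str(p)] = "executable using Explorer's default new-folder name"
    return findings


def build_demo_drive():
    """Constructed sample: a throwaway directory laid out like the infected flash disk."""
    root = Path(tempfile.mkdtemp(prefix="usb_demo_"))
    (root / "Reports").mkdir()
    (root / "Reports" / "q2.doc").write_text("legitimate document")
    (root / "Reports.exe").write_bytes(b"MZ-constructed")      # impersonates the Reports folder
    (root / "New Folder.exe").write_bytes(b"MZ-constructed")   # the 'new folder' lure from the post
    (root / "holiday.jpg.exe").write_bytes(b"MZ-constructed")  # double extension
    (root / "EmangEloh.exe").write_bytes(b"MZ-constructed")    # watch-list name
    (root / "setup.exe").write_bytes(b"MZ-constructed")        # ordinary executable, stays unflagged
    return root


def cleanup(root):
    """Remove the constructed demo directory."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    demo = build_demo_drive()
    try:
        for path, reason in sorted(find_disguised_executables(demo).items()):
            print(f"{reason}\n    {path}")
    finally:
        cleanup(demo)
```

On a real disk, run it with Explorer's "Hide extensions for known file types" option switched off as well, so that the .exe suffix is visible when you browse; the script only reads names and never executes anything it finds, which is the point when the lure is a double-click.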

Hi,
what is the actual situation? Can Avast still not detect this threat?
Thanks