One computer in our company was infected with the Bofra virus on Saturday
20/11/04 12:40 (Falk AG load balancer hack); during the weekly scan the file
bla.exe was found and removed.
avast! [xxxxx]: File “C:\bla.exe” is infected by “Win32:Trojano-781 [Trj]”
virus.
“Weekly Scan” task used
Version of current VPS file is 0448-0, 23-11-2004
After a check on the infected system for files modified on 20/11/04 I
found 2 suspicious files (lbghbmjg.exe and lbghbmjg.dat) in C:\Winnt\System32,
which have already been sent to virus@asw.cz.
Scanning the files with avast returned nothing.
Scanning the files online with the Kaspersky online scanner returned:
Scanned file: lbghbmjg.exe
lbghbmjg.exe - packed with PE_Patch.PECompact
lbghbmjg.exe - packed with PecBundle
lbghbmjg.exe - packed with PECompact
lbghbmjg.exe - infected by Backdoor.Win32.Agent.ec
I found little or no info on Backdoor.Win32.Agent.ec.
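The check described above (looking for files modified on the incident day, then hashing the suspects for submission) can be scripted so it is repeatable on the next infected client. The following is an added example for this thread, not code posted by anyone in it: it walks a directory tree, keeps files whose modification time falls inside a window, records MD5/SHA-256 and whether the file starts with a PE "MZ" header (a .dat can be a renamed executable). The directory, file contents and timestamps are constructed to mimic the post; only the file names lbghbmjg.exe and lbghbmjg.dat come from the thread.

```python
"""Triage helper: list files modified inside a time window, hash them and
flag PE executables. Added example, not code from the thread's posters.
The sample tree built below is constructed for illustration."""
import hashlib
import os
import tempfile
from datetime import datetime
from typing import Dict, List


def file_hashes(path: str) -> Dict[str, str]:
    """MD5 and SHA-256 of a file, read in chunks so large files are fine."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def is_pe(path: str) -> bool:
    """True if the file starts with the DOS 'MZ' stub, whatever its extension."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def find_modified(root: str, start: datetime, end: datetime) -> List[Dict]:
    """Walk `root`; return records for files with start <= mtime < end,
    sorted by path. Unreadable files are skipped rather than aborting triage."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue
            mtime = datetime.fromtimestamp(st.st_mtime)
            if start <= mtime < end:
                rec = {"name": name, "path": path, "size": st.st_size,
                       "mtime": mtime.isoformat(timespec="seconds"),
                       "pe": is_pe(path)}
                rec.update(file_hashes(path))
                hits.append(rec)
    return sorted(hits, key=lambda r: r["path"])


def build_sample_tree() -> str:
    """Constructed sample (assumption): two files from the incident day,
    one of them a renamed-looking .dat, plus an older unrelated PE file."""
    root = tempfile.mkdtemp(prefix="triage_")
    incident = datetime(2004, 11, 20, 12, 40).timestamp()
    older = datetime(2004, 10, 1, 9, 0).timestamp()
    samples = {
        "lbghbmjg.exe": (b"MZ" + b"\x00" * 62 + b"PE\x00\x00", incident),
        "lbghbmjg.dat": (b"\x01\x02config\x00", incident + 5),
        "kernel32.dll": (b"MZ" + b"\x00" * 30, older),
    }
    for name, (data, ts) in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (ts, ts))
    return root


def triage_sample() -> List[Dict]:
    """Run the 20/11/04 window over the constructed tree."""
    root = build_sample_tree()
    return find_modified(root, datetime(2004, 11, 20), datetime(2004, 11, 21))


if __name__ == "__main__":
    for rec in triage_sample():
        print(f"{rec['mtime']}  pe={rec['pe']!s:5}  {rec['size']:>6}  "
              f"{rec['sha256']}  {rec['name']}")
```

On a real client, point `find_modified` at C:\Winnt\System32 (or the whole drive) and widen the window a little either side of the infection time; file times can be forged by malware, so treat the list as a starting point and compare the hashes against a known-clean build of the same image.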
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file’s scan results will not be stored in the database)
Packers detected: PE_PATCH.PECOMPACT, PECBUNDLE, PECOMPACT
Please see log? Or do I misunderstand your question?
File: lbghbmjg.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file’s scan results will not be stored in the database)
Packers detected: PE_PATCH.PECOMPACT, PECBUNDLE, PECOMPACT
But still the virus is not detected, whereas I chose Avast because of its good quality. And like you I'm also an Avast evangelist, both professionally and privately.
Troj/Agent-EC is a backdoor Trojan that listens in the background for incoming connections and allows remote intruders to control the infected computer.
Troj/Agent-EC attempts to terminate any security-related applications running on the computer and then waits to download and install new updates when notified.
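A backdoor that "listens in the background for incoming connections" shows up as a listening socket owned by an unexpected process. The following added example (not code from any poster in this thread) parses text in the format of `netstat -ano` and `tasklist`, and reports listeners whose port is not in a baseline allowlist together with the owning image name. The `-o` switch that prints the PID arrived with Windows XP; on the Windows 2000 clients discussed here the PID mapping would come from a tool such as fport or TCPView, but its output can be fed to the same logic. The sample output, the allowlist, the PIDs and the ports are constructed; only the image name lbghbmjg.exe is taken from the thread.

```python
"""Find unexpected listening ports and tie them to a process name.
Added example for this thread; the netstat/tasklist text below is
constructed, not captured from an infected host."""
import re
from typing import Dict, List, Set

# Constructed sample in `netstat -ano` format (assumption: what a client might show).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       380
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       1472
  TCP    192.168.1.20:1033      192.168.1.5:80         ESTABLISHED     1204
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       1472
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed sample in `tasklist` format.
TASKLIST_SAMPLE = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System                         4 Console                 0         28 K
svchost.exe                  380 Console                 0      3,124 K
IEXPLORE.EXE                1204 Console                 0     18,440 K
lbghbmjg.exe                1472 Console                 0      2,212 K
"""

# Ports a domain client is expected to have open. Assumption for this example;
# derive the real list from a known-clean baseline image.
EXPECTED_LISTENERS: Set[int] = {135, 137, 138, 139, 445}

NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$")
TASKLIST_RE = re.compile(
    r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def parse_netstat(text: str) -> List[Dict]:
    """One record per socket line; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        port = int(m.group("local").rsplit(":", 1)[1])  # works for [::]:port too
        rows.append({"proto": m.group("proto"), "port": port,
                     "remote": m.group("remote"), "state": m.group("state") or "",
                     "pid": int(m.group("pid"))})
    return rows


def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> image name; image names may contain spaces, so the regex is
    anchored on the numeric columns to its right."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            procs[int(m.group("pid"))] = m.group("image").strip()
    return procs


def find_unexpected_listeners(netstat_text: str, tasklist_text: str,
                              expected: Set[int]) -> List[Dict]:
    """TCP sockets in LISTENING state, and bound UDP sockets, whose local
    port is not in `expected`, each annotated with the owning image name."""
    procs = parse_tasklist(tasklist_text)
    hits = []
    for row in parse_netstat(netstat_text):
        listening = (row["state"] == "LISTENING"
                     or (row["proto"] == "UDP" and row["remote"] == "*:*"))
        if listening and row["port"] not in expected:
            hits.append({**row, "image": procs.get(row["pid"], "<unknown pid>")})
    return hits


if __name__ == "__main__":
    for h in find_unexpected_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE,
                                       EXPECTED_LISTENERS):
        print(f"{h['proto']} port {h['port']:<5} pid {h['pid']:<5} {h['image']}")
```

Two caveats a practitioner would add: a backdoor that only binds a port after being told to will not show up until it does, and a trojan that kills security tools may also hide from or tamper with the very tools producing this output, so confirm findings from a clean boot medium or a second host.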
The link you sent was for IE 5. And only for:
• Microsoft Internet Explorer 5 for Windows 95
• Microsoft Internet Explorer 5 for Windows NT 4.0
• Microsoft Windows 98
This IFRAME exploit is new.
My advice: use Firefox.
So Eddy, if you were using sites in Europe between 19/20 November which were using the ad services from Falk AG, and you use MS IE 6.0 (SP1), be advised.
Ilse Media was hit, and so were people who hadn't set up their protection properly. I have visited nu.nl in that period, but my systems are still clean and I have never had any problem at all. In fact, in the almost 25 years I have been working with computers, the only malware there ever was on one of my systems was something I put on it myself to show people what can happen and what to do if they get infected.
Eddy, could you please share which kind of protection you would use against this IFRAME exploit, in a corporate environment where MS IE 6.0 SP1 is the policy and there is still no patch from MS?
I didn't find any solutions for this scenario (or I'm searching wrong).
I suspect that you are not running IE 6.0 SP1 (like me)?
A little bit more info about the environment:
All clients run win2000 sp4.
All clients run Avast Pro 4.5 (auto update)
All clients run Ad-Aware and, when needed, Spybot - Search & Destroy
Patching is done through MS SUS and a reporting tool for ensuring that all the patches are deployed correctly.
Users have no admin rights on the local computer and policies are defined in a Win2000 AD
A firewall which only allows a few outgoing TCP ports (pop3, smtp, icmp, http, etc.)
Thanks already for your input.
Sorry if I have offended you in my earlier advice a few postings ago.
I only use IE 6 SP1 to check for updates from the MS website, since Automatic Updates in XP only checks for high-rated security patches and nothing else.
For my lan I use a Zyxel 10 router/hub/firewall.
On one of my other systems I use Avast and ZA Pro.
But most of all, I use common sense and the knowledge I have built up in those years.
"But most of all, I use common sense and the knowledge I have built up in those years."
Try to explain that to a normal corporate user.
Still looking at the evidence in the links from the above postings, it's strange that you were not hit. I know 1 in 30 requests from the Falk servers was injected with the malicious code in those hours.
Since you are running IE 6 SP1 (so you didn't install XP SP2) you would be vulnerable to this IFRAME exploit. See
But okay, we will never find out, so let's just wait and see how Alwil's lab will solve this nasty bit of code. Let's hope for a quick response and use our common sense.
"Still looking at the evidence in the links from the above postings, it's strange that you were not hit."
Not strange at all. I know how to use a computer.
"Since you are running IE 6 SP1 (so you didn't install XP SP2)"
Yes, I do have SP2, but IE is still referred to (officially) as IE SP1. That is what MS is calling it, even though SP1 was released long before "IE6 SP1" was released for download.
It is just how you (or, more correctly, MS) call it.
So you were saved by XP SP2 and your common sense.
But (and this is for MS) where does this leave all the Win 2000 users (even when they are fully patched), who are most likely corporate users (and licence-paying companies)? There is a known exploit on the loose which hasn't been patched until now. And virus companies will not always be one step ahead.
For now happy protecting and a good night.
PS. Do you know how long the average response time of Alwil's lab is?
"PS. Do you know how long the average response time of Alwil's lab is?"
I'm afraid that Alwil don't respond to virus submissions because there are simply too many sent in, and they would spend more time replying to them than they would spend adding them to the virus database.
Hopefully this trojan will be picked up soon by avast.
I think I'm not the only one who has to deal with this nasty code, and when you look at which sites were hit by this scam, there will be more systems infected.
But till now the trojan doesn't seem to be getting orders from its master.