Virus alert: Runescape's "Popular" bot: Epicbot

If you haven't already downloaded this bot, don't. I know what you must be thinking: Runescape is for kids, blah blah, but it does contain a virus. My firewall (PC Tools) blocked Au_.exe; it was located in my local temp folder. If you don't know what Au_.exe is:

The Au_.exe executable file belongs to the rogue anti-spyware program SpyFalcon. This malicious program camouflages itself as an anti-spyware utility when in fact it is a Trojan. This malware has the capability to infiltrate your computer through security exploits and install itself along with other Trojans. What the file basically does is hijack the user's desktop and change user settings to make it function according to its own requirements.

Au_.exe is also linked to many other spyware, adware and cloaked malware groups. While some say that the origin of this Trojan is unknown, others are of the opinion that the malicious software to which the file belongs can be downloaded easily from the manufacturer's website. The file is also said to be a part of the Arovax Anti-Spyware software. This may be probable, as the initial description says that this executable pretends to be an anti-spyware application.

How Au_.exe Infects your PC

The following are some of the ways au_.exe is known to affect the PC it infects:

Deletes essential processes from the disk.
Executes harmful processes stored in temporary folders.
Creates other potentially dangerous processes on your system.
Uses HTTP protocols to communicate with other computer systems for malicious purposes.
Adds bad entries to the registry.
Hijacks system processes to delete links in the Start Menu and can be a source of annoyance for many users.
Looks at what's inside the autoexec.bat file and invades your privacy by reading email addresses and phone book details.

If you have downloaded this bot and you are seeing decreases in PC performance, files disappearing, or anything else strange: open Task Manager, go to Processes, select "Show processes from all users", look for Au_.exe and end it. Then go to C:\Users\User\AppData\Local\Temp; if you see a folder ~nsu.tmp, open it and see if there is a program with the Epicbot icon. If so, go back, delete the ~nsu.tmp folder and restart your computer.

Prevx - AU_.EXE - Spyware
http://www.prevx.com/filenames/2090368270727727277-X1/AU_.EXE.html
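The manual check described in the post above (a running Au_.exe and a ~nsu.tmp folder in the local Temp directory holding an executable) as a read-only triage script. This is an added example, not code from the thread or from any of the posters; the function names, the constructed `tasklist /FO CSV` sample and the made-up PIDs are assumptions, and the script only reports what it finds rather than ending processes or deleting anything.

```python
import csv
import io
import os
import tempfile

PROCESS_IOC = "au_.exe"   # process name named in the post above
FOLDER_IOC = "~nsu.tmp"   # Temp sub-folder named in the post above

def find_process(tasklist_csv, name=PROCESS_IOC):
    """PIDs of processes whose Image Name matches `name` (case-insensitive),
    parsed from the CSV produced by `tasklist /FO CSV` on Windows."""
    return [int(row["PID"]) for row in csv.DictReader(io.StringIO(tasklist_csv))
            if row.get("Image Name", "").lower() == name]

def suspicious_paths(paths, folder=FOLDER_IOC):
    """Executables whose immediate parent directory is named `folder`."""
    return sorted(p for p in paths
                  if p.lower().endswith(".exe")
                  and os.path.basename(os.path.dirname(p)).lower() == folder)

def find_temp_dropper(temp_dir, folder=FOLDER_IOC):
    """Walk temp_dir (e.g. %LOCALAPPDATA%\\Temp) and report matching executables."""
    all_files = [os.path.join(root, f) for root, _, files in os.walk(temp_dir) for f in files]
    return suspicious_paths(all_files, folder)

# Constructed sample of `tasklist /FO CSV` output; the PIDs are made up.
SAMPLE_TASKLIST = (
    '"Image Name","PID","Session Name","Session#","Mem Usage"\n'
    '"explorer.exe","1234","Console","1","45,000 K"\n'
    '"Au_.exe","4321","Console","1","3,120 K"\n'
    '"javaw.exe","2222","Console","1","210,000 K"\n'
)

def self_check():
    """Build a throw-away Temp layout mirroring the post (a ~nsu.tmp folder
    holding an .exe) and return how many executables the walk reports."""
    with tempfile.TemporaryDirectory() as temp:
        drop = os.path.join(temp, FOLDER_IOC)
        os.mkdir(drop)
        open(os.path.join(drop, "epicbot_installer.exe"), "wb").close()  # empty stand-in file
        open(os.path.join(temp, "harmless.txt"), "wb").close()
        return len(find_temp_dropper(temp))

if __name__ == "__main__":
    print("Au_.exe PIDs in sample:", find_process(SAMPLE_TASKLIST))  # [4321]
    print("executables found in constructed layout:", self_check())  # 1
    # On a real Windows host: run `tasklist /FO CSV`, pass its stdout to find_process,
    # and call find_temp_dropper(os.path.join(os.environ["LOCALAPPDATA"], "Temp")).
```

Anything the script reports is only a lead for the VirusTotal/Jotti check the thread asks for; the match is on a file name, which is not proof by itself.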

Do you have a sample?
Can you upload it to www.virustotal.com and then post the scan link for us to see?

From the info found on the net it seems to be very old?
From the Prevx link above it was first seen in 2007…
A cleaning guide for SpyFalcon was posted at BleepingComputer in 2006.

AU_EXE was last seen in Saudi Arabia on May 19 2010. It has been part of the Bagle malware; as such, could it have been resurrected?

pol

A sample of the Au_.exe? No, I deleted it. I won't be redownloading Epicbot either, and I C+P'ed from another site: http://www.exe-error-fixes.com/remove-auexe-system/

2010, eh? Gives me another reason to believe Epicbot contains this virus.

Epicbot was made back in 2010.

I also downloaded it again to see if it would work after I uninstalled it.

Guess what? It wouldn't start.

Upload suspicious file(s) to www.virustotal.com and test with 44 malware scanners.
When you have the result, copy the URL in the address bar and post it here for us to see.

Alternatives:
Jotti http://virusscan.jotti.org/en
VirSCAN http://virscan.org/

Hi Markeo and Pondus,

Markeo, I remember a year ago we had long postings here in the forums about Arovax.
About Epicbot being malware and the link to the mentioned malware:
Consider the info via this link: http://www.online-armor.com/oasis2/file/w3i__llc/installiq_installation_utility/epicbot_exe/3132880
Status: not trusted.
And this says malware from the UAE from 2011 (that is not that far from Saudi Arabia):
Considered to be cloaked malware: http://www.prevx.com/filenames/X498318420075365485-X1/EPICBOT.EXE.html
Do we find this malware described here? http://www.mpgh.net/forum/120-runescape-hacks-bots/323086-runescape-epicbot-better-than-rsbot.html

polonus

http://www.virustotal.com/file-scan/report.html?id=078989bdc50e00a4107451edb066313f064bbac5050986d8f29060e13fd695a6-1311623326

Hi Dim@rik,

Thanks for the very practical scan to confirm detection.

polonus

Here is one more… different MD5:
http://www.virustotal.com/file-scan/report.html?id=754d539f201872a840cb338449dd89332d2cbbd9f16d5ad4aa603e25ed7f77c9-1315775608

Unpacked scan:
http://www.virustotal.com/file-scan/report.html?id=7fdec2747d89f15c7e93d0213675380d9af37ba438a92621dc5380821487848b-1315776855