w32:tenga

recently i’ve been inundated with warnings about a virus/worm called “win32:tenga” linked to various programs and exe files that i believe are legitimate.

Hi rycelover,

Go here for information on patching W32 Tenga infections: http://www.viruslist.com/en/viruses/encyclopedia?virusid=88153. Whenever you update ZoneAlarm, disconnect from the Internet, install, and after restarting with the new ZoneAlarm reconnect to the net. Firefox is only safe as an alternate browser with a fully updated and patched OS and IE version. When you have avast, run the WebShield inside Firefox; instructions on how to do this are shown on avast's homepage. Use Firefox with the Adblock and NoScript extensions to avoid script infections. Only temporarily lift the NoScript ban for trusted sites or those you know to be free of malicious code. To check all your hyperlinks you can also install the Dr.Web hyperlink pre-scan plug-in (15 K).

To get a second opinion on whether you are now clean of W32 Tenga, and of anything it may have dropped that may have compromised your machine, download the free on-line scanner from BitDefender 8 and the free scanner from SpyAudit to see if all is well (these do not clean, but they give an indication that you have a clean machine).

W32 Tenga comes with the following downloader, Troj/Penta-A:

This section is for technical experts who want to know more.

Troj/Penta-A is a downloader Trojan for the Windows platform.

Troj/Penta-A downloads files from a remote server to the folder that it is run from.

Troj/Penta-A runs these files, and creates the following registry entries to automatically start the two files when Windows starts up:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
GAELICUM.EXE
\GAELICUM.EXE

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
CBACK.EXE
\CBACK.EXE

You have to switch to safe startup to remove these files, and use KillBox for this purpose, from here: http://www.bleepingcomputer.com/files/spyware/KillBox.zip

Usage Information:

Download this file, extract it, and run killbox.exe. When it loads, type the full path of the file you would like to delete in the field and press the Delete File button (it looks like a red circle with a white X). It will prompt you to reboot; allow it to do so, and hopefully your file will now be deleted.

polonus
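As an added example (not code from polonus, avast or Sophos): the two Run values named above are the kind of thing you check for before and after a Safe Mode clean-up. On the live machine `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` writes the key out in .reg syntax; the Python below parses that syntax offline and flags any value whose executable matches the Troj/Penta-A file names. The sample dump is constructed for this example, and the avast entry and the directories holding the two Trojan files are assumptions, since the thread gives only the file names.

```python
import re
from pathlib import PureWindowsPath

# Autostart file names quoted in the Troj/Penta-A description above.
PENTA_A_AUTOSTART = {"gaelicum.exe", "cback.exe"}

# Constructed sample of a `reg export ...\Run` dump. The avast value and the
# directories of the two Trojan files are assumptions; the thread names only the files.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"GAELICUM.EXE"="C:\\WINDOWS\\system32\\GAELICUM.EXE"
"CBACK.EXE"="\"C:\\Documents and Settings\\rycelover\\CBACK.EXE\" /s"
'''

# One `"name"="data"` line; .reg escapes backslashes and embedded quotes with a backslash.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> " ."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_values(reg_text):
    """Return {value_name: command} for the ...\CurrentVersion\Run key in a .reg export."""
    values = {}
    in_run = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # A new key header; only the Run key (not RunOnce etc.) is of interest here.
            in_run = line.lower().endswith(r"\currentversion\run]")
            continue
        if not in_run:
            continue
        m = _VALUE_RE.match(line)
        if m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values


def executable_from_command(command):
    """Reduce a Run command line to the executable path (quoted path or up to the first .exe)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(?i)(.*?\.exe)", command)
    return m.group(1) if m else command.split(" ")[0]


def flag_run_entries(reg_text, indicators=PENTA_A_AUTOSTART):
    """List (value_name, exe_path) for Run entries whose executable name is an indicator."""
    flagged = []
    for name, command in parse_run_values(reg_text).items():
        exe = executable_from_command(command)
        if PureWindowsPath(exe).name.lower() in indicators:
            flagged.append((name, exe))
    return flagged


if __name__ == "__main__":
    for name, exe in flag_run_entries(SAMPLE_REG):
        print(f"suspicious autostart: {name} -> {exe}")
```

`reg export` writes UTF-16 with a byte-order mark, so open a real dump with `encoding="utf-16"` before passing it to `flag_run_entries`. Matching on file name alone is deliberately loose: a Trojan can drop its files anywhere, so the path is not a reliable filter, whereas the value names are what the description above gives you.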

What are the file names and locations of some of these files you believe are legit? For example (C:\windows\system32\infected-file-name.xxx).

If you are getting a virus warning that you believe is a false positive, zip and password-protect the suspect file (‘virus’ will do as the password) and send it to virus @ avast.com (no spaces), or send it from the chest.

Give a brief outline of the problem (possibly with a link to this thread) and the fact that you believe it to be a false positive, and include the password in the body of the email. Some info on the avast version and VPS number (see About avast {right-click the avast icon}) will also help.

You could also check the offending/suspect file(s) at Jotti - Multi engine on-line virus scanner or VirusTotal - Multi engine on-line virus scanner; if any other scanners there detect them, it is less likely to be a false positive. You can’t do this with the file in the chest; you will need to move it out.

If it is indeed a false positive, add it to the exclusions list (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and scan it periodically using the ashQuick scan (right-click scan); when it is no longer detected, remove it from the exclusions.
Also see (Mini Sticky) False Positives

The infected files are these, taken from the avast log. The files were downloaded a long time ago, but the virus warnings began on the 2nd of May:

5/2/2006 2:02:34 AM SYSTEM 1544 Sign of “Win32:Tenga” has been found in “C:\internet downloads\aawsepersonal.exe” file.
5/5/2006 9:17:57 PM SYSTEM 1544 Sign of “Win32:Tenga” has been found in “C:\internet downloads\firefox setup 1.0.7.exe” file.
5/5/2006 9:17:59 PM SYSTEM 1544 Sign of “Win32:Tenga” has been found in “C:\internet downloads\microsoftantispywareinstall.exe” file.
5/5/2006 9:18:06 PM SYSTEM 1544 Sign of “Win32:Tenga” has been found in “C:\internet downloads\pack_vista_inspirat_1.1.exe” file.
5/5/2006 9:18:14 PM SYSTEM 1544 Sign of “Win32:Tenga” has been found in “C:\internet downloads\setupeng.exe” file.
5/5/2006 9:18:17 PM SYSTEM 1544 Sign of “Win32:Tenga” has been found in “C:\internet downloads\spybotsd13.exe” file.
5/5/2006 9:18:21 PM SYSTEM 1544 Sign of “Win32:Tenga” has been found in “C:\internet downloads\zlssetup_60_667_000.exe” file.
5/5/2006 9:18:28 PM SYSTEM 1544 Sign of “Win32:Tenga” has been found in “C:\lame\lame.exe” file.
5/7/2006 2:02:41 AM SYSTEM 1544 Sign of “Win32:Tenga” has been found in “C:\internet downloads\aawsepersonal.exe” file.
5/7/2006 9:46:42 AM SYSTEM 1544 Sign of “Win32:Tenga” has been found in “C:\internet downloads\firefox setup 1.0.7.exe” file.
5/7/2006 9:47:05 AM SYSTEM 1544 Sign of “Win32:Tenga” has been found in “C:\internet downloads\microsoftantispywareinstall.exe” file.
5/7/2006 9:47:09 AM SYSTEM 1544 Sign of “Win32:Tenga” has been found in “C:\internet downloads\pack_vista_inspirat_1.1.exe” file.
5/7/2006 9:47:18 AM SYSTEM 1544 Sign of “Win32:Tenga” has been found in “C:\internet downloads\setupeng.exe” file.
5/7/2006 9:47:26 AM SYSTEM 1544 Sign of “Win32:Tenga” has been found in “C:\internet downloads\spybotsd13.exe” file.
5/7/2006 9:47:36 AM SYSTEM 1544 Sign of “Win32:Tenga” has been found in “C:\internet downloads\zlssetup_60_667_000.exe” file.
5/7/2006 9:47:51 AM SYSTEM 1544 Sign of “Win32:Tenga” has been found in “C:\lame\lame.exe” file.
5/7/2006 9:51:22 AM SYSTEM 1544 Sign of “Win32:Tenga” has been found in “C:\toshiba\ivp\ism\ivpsvmgr.exe” file.
5/7/2006 10:36:48 AM SYSTEM 1544 Sign of “Win32:Tenga” has been found in “C:\toshiba\ivp\ism\pinger.exe” file.
5/7/2006 10:37:35 AM SYSTEM 1544 Sign of “Win32:Tenga” has been found in “C:\toshiba\ivp\netint\netint.exe” file.
5/7/2006 10:37:41 AM SYSTEM 1544 Sign of “Win32:Tenga” has been found in “C:\toshiba\ivp\swupdate\csinstall.exe” file.
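As an added example (not part of rycelover's post and not avast tooling): when a log like the one above runs to dozens of lines, the questions worth answering are how many distinct files are involved, which signature fired, and which files were hit again on a later day (a file detected on 5/5 and again on 5/7 was evidently neither repaired, deleted nor moved to the chest). The Python below parses lines in exactly the format shown and produces that summary. The log text is a copy of the posted lines embedded as constructed input; treating the third field as a process id is an assumption, since the thread does not say what it is.

```python
import re
from datetime import datetime

# The avast log lines from the post above, embedded here as constructed input.
AVAST_LOG = r"""5/2/2006 2:02:34 AM SYSTEM 1544 Sign of “Win32:Tenga” has been found in “C:\internet downloads\aawsepersonal.exe” file.
5/5/2006 9:17:57 PM SYSTEM 1544 Sign of “Win32:Tenga” has been found in “C:\internet downloads\firefox setup 1.0.7.exe” file.
5/5/2006 9:17:59 PM SYSTEM 1544 Sign of “Win32:Tenga” has been found in “C:\internet downloads\microsoftantispywareinstall.exe” file.
5/5/2006 9:18:06 PM SYSTEM 1544 Sign of “Win32:Tenga” has been found in “C:\internet downloads\pack_vista_inspirat_1.1.exe” file.
5/5/2006 9:18:14 PM SYSTEM 1544 Sign of “Win32:Tenga” has been found in “C:\internet downloads\setupeng.exe” file.
5/5/2006 9:18:17 PM SYSTEM 1544 Sign of “Win32:Tenga” has been found in “C:\internet downloads\spybotsd13.exe” file.
5/5/2006 9:18:21 PM SYSTEM 1544 Sign of “Win32:Tenga” has been found in “C:\internet downloads\zlssetup_60_667_000.exe” file.
5/5/2006 9:18:28 PM SYSTEM 1544 Sign of “Win32:Tenga” has been found in “C:\lame\lame.exe” file.
5/7/2006 2:02:41 AM SYSTEM 1544 Sign of “Win32:Tenga” has been found in “C:\internet downloads\aawsepersonal.exe” file.
5/7/2006 9:46:42 AM SYSTEM 1544 Sign of “Win32:Tenga” has been found in “C:\internet downloads\firefox setup 1.0.7.exe” file.
5/7/2006 9:47:05 AM SYSTEM 1544 Sign of “Win32:Tenga” has been found in “C:\internet downloads\microsoftantispywareinstall.exe” file.
5/7/2006 9:47:09 AM SYSTEM 1544 Sign of “Win32:Tenga” has been found in “C:\internet downloads\pack_vista_inspirat_1.1.exe” file.
5/7/2006 9:47:18 AM SYSTEM 1544 Sign of “Win32:Tenga” has been found in “C:\internet downloads\setupeng.exe” file.
5/7/2006 9:47:26 AM SYSTEM 1544 Sign of “Win32:Tenga” has been found in “C:\internet downloads\spybotsd13.exe” file.
5/7/2006 9:47:36 AM SYSTEM 1544 Sign of “Win32:Tenga” has been found in “C:\internet downloads\zlssetup_60_667_000.exe” file.
5/7/2006 9:47:51 AM SYSTEM 1544 Sign of “Win32:Tenga” has been found in “C:\lame\lame.exe” file.
5/7/2006 9:51:22 AM SYSTEM 1544 Sign of “Win32:Tenga” has been found in “C:\toshiba\ivp\ism\ivpsvmgr.exe” file.
5/7/2006 10:36:48 AM SYSTEM 1544 Sign of “Win32:Tenga” has been found in “C:\toshiba\ivp\ism\pinger.exe” file.
5/7/2006 10:37:35 AM SYSTEM 1544 Sign of “Win32:Tenga” has been found in “C:\toshiba\ivp\netint\netint.exe” file.
5/7/2006 10:37:41 AM SYSTEM 1544 Sign of “Win32:Tenga” has been found in “C:\toshiba\ivp\swupdate\csinstall.exe” file
"""

# date time AM/PM, account, a numeric field (assumed to be a process id), signature, path.
# Both curly and straight quotes are accepted; the trailing period is optional (the last line lacks it).
_LINE_RE = re.compile(
    r'^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<user>\S+) (?P<pid>\d+) Sign of [“"](?P<sig>[^”"]+)[”"] '
    r'has been found in [“"](?P<path>[^”"]+)[”"] file\.?$'
)


def parse_avast_log(text):
    """Turn log text into a list of {'when', 'user', 'signature', 'path'} events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised log line: {line!r}")
        events.append({
            "when": datetime.strptime(m["when"], "%m/%d/%Y %I:%M:%S %p"),
            "user": m["user"],
            "signature": m["sig"],
            "path": m["path"],
        })
    return events


def summarize_by_file(events):
    """Per file: hit count, first and last detection time, set of signatures seen."""
    summary = {}
    for e in sorted(events, key=lambda e: e["when"]):
        s = summary.setdefault(e["path"], {"hits": 0, "first": e["when"],
                                           "last": e["when"], "signatures": set()})
        s["hits"] += 1
        s["last"] = e["when"]
        s["signatures"].add(e["signature"])
    return summary


def redetected_files(summary):
    """Files detected on more than one calendar day, i.e. still on disk after the first alert."""
    return sorted(p for p, s in summary.items() if s["first"].date() != s["last"].date())


if __name__ == "__main__":
    summary = summarize_by_file(parse_avast_log(AVAST_LOG))
    for path, s in summary.items():
        print(f"{s['hits']}x {path}  ({s['first']:%m/%d} .. {s['last']:%m/%d})")
    print("re-detected:", len(redetected_files(summary)), "of", len(summary))
```

On the posted log this gives 20 events over 12 distinct files, all with the single signature Win32:Tenga; the eight files first flagged on 5/2 or 5/5 were all flagged again on 5/7, which bears directly on DavidR's later question about what action was chosen when avast detected them.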

Hi Rycelover:

So what, if anything, are your Ad-Aware & Spybot scans saying about this!?

Since Tenga infects PE exe files, they could well be correct detections, and the files indicated would appear to be installer/setup PE (packed Executable) files, certainly the ones in your downloads folder. Why after so long is a mystery; check some of the suspect infected exe files at Jotti, etc., as I suggested. This should be able to give confirmation one way or another.

The avast! cleaner should be able to detect and correct these Tenga-infected files: http://www.avast.com/eng/avast_cleaner.html. However, since it is also an integral part of avast, it should have been able to clean them, so Repair, I would have thought, would have been one of the options available to you when avast detected the viruses.

What action did you choose when avast detected them ?

I also notice that your firefox setup file (the one that is infected) is well out of date; the latest version is 1.5.0.3, which closed a number of vulnerabilities. So if this is an indication of how frequently you update your programs, then you are probably in need of a Windows update also. Ensure that any security-based program, or any program that connects to the internet, is kept up to date.
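Added example, not code from the thread or from avast. DavidR's point is that a file infector modifies executables on disk, so a detection on an installer downloaded months earlier can be genuine: the file has changed since it was downloaded. PE here is the Win32 Portable Executable format. The Python below builds two minimal PE32 images as constructed input and runs generic entry-point heuristics over them: an entry point outside every section, in a non-code section, in a section that is both writable and executable, or moved into a trailing section when an earlier code section exists, plus a section that claims more raw data than the file holds. These are assumed generic checks of the kind an analyst uses to triage a suspected appended infection; the thread says nothing about how Tenga itself modifies files, and this code does not claim to detect it.

```python
import struct

# IMAGE_SECTION_HEADER.Characteristics flags (PE/COFF specification).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECT_ALIGN, FILE_ALIGN = 0x1000, 0x200
SECTION_HDR = "<8sIIIIIIHHI"   # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ... , Characteristics


def build_pe(sections, entry_rva):
    """Assemble a minimal PE32 image from (name, characteristics, raw_size) triples (constructed test input)."""
    n = len(sections)
    headers_end = 0x40 + 4 + 20 + 224 + 40 * n
    first_raw = -(-headers_end // FILE_ALIGN) * FILE_ALIGN      # round up to file alignment
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 224, 0x0102)  # i386, n sections, PE32 optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                    # ImageBase
    struct.pack_into("<II", opt, 32, SECT_ALIGN, FILE_ALIGN)
    table, bodies, rva, raw_ptr = b"", b"", SECT_ALIGN, first_raw
    for name, chars, raw_size in sections:
        table += struct.pack(SECTION_HDR, name, raw_size, rva, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        bodies += b"\xCC" * raw_size                             # filler bytes (int3)
        raw_ptr += raw_size
        rva += -(-raw_size // SECT_ALIGN) * SECT_ALIGN
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return header.ljust(first_raw, b"\0") + bodies


def parse_pe(data):
    """Return (entry_point_rva, [section dicts]) or raise ValueError if this is not a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24
    entry, = struct.unpack_from("<I", data, opt + 16)
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(SECTION_HDR, data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "rva": vaddr,
                         "vsize": max(vsize, rawsize), "raw_size": rawsize, "raw_ptr": rawptr, "chars": chars})
    return entry, sections


def triage(data):
    """Assumed generic infector heuristics around the entry point; returns a list of findings (empty = nothing odd)."""
    entry, secs = parse_pe(data)
    holder = next((s for s in secs if s["rva"] <= entry < s["rva"] + s["vsize"]), None)
    if holder is None:
        return ["entry point 0x%x lies outside every section" % entry]
    findings = []
    if not holder["chars"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
        findings.append(f"entry point in non-code section {holder['name']}")
    if holder["chars"] & IMAGE_SCN_MEM_WRITE and holder["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section {holder['name']} is writable and executable")
    if holder is secs[-1] and len(secs) > 1 and any(s["chars"] & IMAGE_SCN_CNT_CODE for s in secs[:-1]):
        findings.append(f"entry point in last section {holder['name']} although an earlier code section exists")
    if holder["raw_ptr"] + holder["raw_size"] > len(data):
        findings.append(f"entry section {holder['name']} extends past end of file")
    return findings


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
# Constructed samples: a normal layout, and one with an appended writable+executable section owning the entry point.
CLEAN_PE = build_pe([(b".text", CODE, 0x400), (b".data", DATA, 0x200)], entry_rva=0x1010)
SUSPECT_PE = build_pe([(b".text", CODE, 0x400), (b".data", DATA, 0x200), (b".fx", CODE | IMAGE_SCN_MEM_WRITE, 0x200)], entry_rva=0x3000)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_PE), ("suspect", SUSPECT_PE), ("truncated", SUSPECT_PE[:-0x100])):
        print(label, triage(image) or ["no findings"])
```

To run this over the files in the log, read each with `open(path, "rb").read()` and pass it to `triage`; a non-empty list is a reason to upload the file to a multi-engine scanner, not a verdict. Packed or self-extracting installers legitimately put their entry point in an unusual section, which is exactly why DavidR treats the multi-engine result, not a single heuristic, as confirmation.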