Avast (latest update!) detected this Trojan in the file C:\WINNT\System32\onohuxin.exe, which I already mistrusted. The hexdump of this compressed file shows the filename atilufuto.exe appears in it. This is a known Trojan.
The filelength of onohuxin.exe is 108,478 bytes which is precisely equal to that of atilufuto as listed on the Trend Micro site (called there Troj_SDBOT.K).
This Trojan cannot be placed in the Avast Chest ("RAR archive corrupted, cannot process"), so it will be detected again and again. It also resists ordinary deletion.
The payload of this Trojan was not present on my computer (atilufuto.exe and jarigop.exe, the latter is Dutch for “birthday-on”). No harm seems to have been done as yet.
The onohuxin.exe file has an icon of three books. The system32 file olasac.exe has the same icon, and its hexdump is very similar to that of onohuxin.exe, but no virus is detected there.
Should I delete both files (does somebody want a sample?) and use brute force with cmd?
Check and see if there is anything running in Task Manager (I assume you are on XP) and end the process. Then you should be able to move or delete onohuxin.exe.
Thanks DavidR for the tip on the Avast ext. control program!
I couldn’t find out what this Trojan is doing. No process seems to be linked with it permanently. When I tried again with Task Manager, the suspects did not resist deletion and are now in the recycle bin. Wait and see what happens.
The file onohuxin.exe may actually be atilufuto.exe in disguise, and the same may apply to olasac.exe.
The main reason you can’t delete things is because they are running and windows protects them, especially when the file is also in the system32 folder. Do another scan as sometimes you may find that windows has saved a copy in the system volume information folder (system restore).
I kept the files in the bin to find out what they might have generated:
I also used the free AV Clamwin 0.83 to test. The result is that both files are detected as Trojans:
The difference is due to the ability of dealing with oddly compressed files. Scans show that Avast! is able to open more files than Clamwin, but in this case it apparently failed. Only one of my file analyzers was able to deal with these files.
Error message on quarantining concerning onohuxin.exe was: “RAR archive corrupted”
I submitted the olasac.exe file to jotti and got:
File: Dc51.exe
Status: INFECTED/MALWARE
MD5 4370bbf704fe80e29ac8a1d7286b43a8
Packers detected: UPX, FSG
Scanner results
AntiVir Found TR/Ranky.U
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Trojan.Proxy.Ranky.Gen
ClamAV Found Trojan.Proxy.Ranky-43
Dr.Web Found Trojan.Ranky
F-Prot Antivirus Found W32/Ranky.FH
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan-Proxy.Win32.Ranky.gen
mks_vir Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VBA32 Found nothing
As I said before, the reason for several AVs failing to detect it seems to be the special compression applied.
This file is very similar to onohuxin.exe, which is probably atilufuto.exe disguised. There is enough text readable in the decompressed hex to conclude it is not a false positive. I’m surprised to see how sophisticated this Trojan appears to be. It is quite a program, makes many system calls.
I also submitted onohuxin.exe to jotti and got a result differing from the Avast! detection before:
File: onohuxin.exe
Status: INFECTED/MALWARE
MD5 d457f372238192d4c343990a327a494e
Packers detected: UPX, FSG
Scanner results
AntiVir Found Worm/SdBot.34969
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Backdoor.SDBot.470BACE3
ClamAV Found nothing
Dr.Web Found Win32.HLLW.ForBot.based
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found Backdoor.Win32.SdBot.gen
mks_vir Found Trojan.Trojanproxy.Ranky.I
NOD32 Found nothing
Norman Virus Control Found nothing
VBA32 Found nothing
The original Avast! detection was Win32-RBot-QN (Trj), but then both files olasac.exe and onohuxin.exe were in the same directory system32 (OS is Win2k sp4, fully MS updated).
My Avast scanner still detects the onohuxin file, while Avast on jotti does not. Either the latter is not fully updated or the decompressing software jotti uses (Sandbag) may be responsible.
Two known “packers” are used: UPX and FSG (encrypted). In the hex the call “get password” is made.
I have now a file removed, called UIUCU.exe, that employs unknown packers. None of the AV on jotti detected a virus, but jotti displayed a warning because of the suspicious packing method.
I forgot to mention that all the files I mentioned are of recent date; onohuxin.exe of April 5, 2005.
I’m not sure but the virus database is the same for all avast! versions. I mean, besides the kernel (engine), avast! should detect the same, shouldn’t it?
Up to a few days before my first posting, my Avast (home edition) did not detect the Trojan; the updating here is automatic. Hence my remark that Jotti might not be fully updated.
The internet is largely based on Unix and the majority of servers seem to be Linux or Unix. But Jotti should be capable of recognizing the files I submitted as Win 32/NT5.
The other possibility is that the files are first processed at Jotti (decompressed, etc.) before the AV scanners are applied. Anyway, decompression of the files concerned is a hard task because there is also encryption used.
If the virus writers perfect this multilayer compression and encryption, no virus scanner will be able to get through. Then, there only remains the option to remove such files because of the “packing” employed.
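The recurring problem in this thread is that packed samples (UPX, FSG) slip past several scanners. The following added example (not code from the thread or from any AV vendor) shows two cheap checks a responder can run locally on a suspect file before uploading it: compare its MD5 against the hashes Jotti reported above, and flag packing by UPX marker strings and high byte entropy. The sample buffers are constructed; FSG is not matched by name because it leaves no fixed section name, so only the entropy check covers it.

```python
import hashlib
import math
from collections import Counter

# MD5 values reported by Jotti in the thread, keyed to the file they belonged to.
KNOWN_BAD_MD5 = {
    "4370bbf704fe80e29ac8a1d7286b43a8": "olasac.exe (Trojan-Proxy Ranky)",
    "d457f372238192d4c343990a327a494e": "onohuxin.exe (SdBot / RBot)",
}

# Strings UPX writes into the files it packs (section names and header magic).
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; compressed or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage(data: bytes) -> dict:
    """Hash lookup plus packer heuristics for one file image held in memory."""
    digest = hashlib.md5(data).hexdigest()
    markers = [m.decode() for m in UPX_MARKERS if m in data]
    entropy = shannon_entropy(data)
    return {
        "md5": digest,
        "known_bad": KNOWN_BAD_MD5.get(digest),
        "upx_markers": markers,
        "entropy": round(entropy, 2),
        # 7.0 bits/byte is a common triage threshold for packed executables.
        "likely_packed": bool(markers) or entropy > 7.0,
    }


# Constructed stand-ins: a packed-looking image and a plain, text-heavy one.
PACKED_SAMPLE = b"MZ" + b"UPX0" + b"UPX1" + bytes(range(256)) * 8
PLAIN_SAMPLE = b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 50

if __name__ == "__main__":
    for name, blob in (("packed", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(name, triage(blob))
```

A high-entropy result only says the file is packed or encrypted, not that it is malicious; the hash lookup is what ties a sample to the detections above.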
My hex analysis shows this file is harmless. It is the Conexant Universal Device Install/Uninstall Application.
I don’t understand why it took Jotti so much time to process it.