Hello all,
I was infected with W32.Mubla.B Sunday last and have as a result had multiple infections over the past week. Most of them I have been able to solve but there is one recurring trj that has easily taken me out of my depth (I admit that doesn’t take much).
There are various behaviours that I have noticed with this trojan and I shall try and list them:
Firstly an Avast! Warning pops up listing that a trojan was found, the particulars of the warning are this:
File name: “C:\Documents and Settings\[user]\Local Settings\Temporary Internet Files\Content.IE5\39I3D317\yjgibkq[2].htm”
Malware name: Win32:Tiny-II [Trj]
The strange thing is that on searching for the content.IE folder…well I don’t have one (or can’t see it) in that path…neither can I find the file or folder within.
Next thing I have done is to “move to chest” as avast! recommends, I then receive a response:
“Avast! the system cannot find the file specified”
I press ok and immediately I get another avast! warning about the same Win32:Tiny-II [Trj]. There is only one difference, as I imagine you have already guessed, from the previous warning:
File name: “C:\Documents and Settings\Alex Bailey\Local Settings\Temporary Internet Files\Content.IE5\39I3D317\yjgibkq[2].htm”
My guess is that the trojan creates these folders and files (Content.IE5\[random letters and numbers]\[random letters and numbers].htm) then deletes them and creates another immediately, or perhaps does this when it is detected by avast!?
The second behaviour that seems related (I’m not sure whether it is the same trojan or not) is one of a large number of “suspicious message!” warnings. At any one time I get about 18 of these warnings. I believe that there are some common sender/recipient/subject trails that identify the same infection:
Sender: “Glenda Haas” kuielkwood@ka.baynet.ne.jp
Recipient: “ocetinnn” ocetinnn@d-finans.com
Subject: No more being shy of your manhood
Sender: “Ed Mcallister” nygmandeville@cactimedia.com
Recipient: “ocetinnn” ocetinnn@d-finans.com; “nsjb_504k” nsjb_504k@i-next.net
Subject: Life is short… so make the most of it
Sender: “Neil Lester” wyeloraine@aquamails.com
Recipient: “nsj” nsj@wlu.edu
Subject: Be confident and stand tall
Sender: “Kurt Hurst” zcrhythm@imv-concept.com
Recipient: “nsj” nsj@wlu.edu; “numentacaodd” numentacaodd@balaska.com.br
Subject: No more being shy of your manhood
Sender: “Annmarie Gallagher” lgglenwhite@CS.com
Recipient: “ocetinh” ocetinh@suratkargo.com
Subject: Be careful of cheap imitations
Sender: “Chris Fontenot” qbolckow@missconet.com
Recipient: “nsjad” nsjad@wellsfargo.com
Subject: Be careful of cheap imitations
Sender: “Gino Guy” lvduckwater@frontier.net
Recipient: “nixl” nixl@pegasus-group.com
Subject: Significantly increase penis length
Sender: “Letha Mcmullen” lakennebunkport@email.vccs.edu
Recipient: “ongc.co.indudani_yogesh” ongc.co.indudani_yogesh@ongc.co.in
Subject: Be satisfied for life!
Sender: “Sybil Holbrook” ahjasonville@cdba.de
Recipient: “numefj” numefj@ms2.hinet.net
Subject: Be confident and stand tall
Sender: “Joaquin Crump” kbozoo@newlife-today.com
Recipient: “pacshordd” pacshordd@qdoba.com
Subject: All girls like the big guys
The list goes on…I can’t recall if the email addresses are the same for every batch of warnings, but most of the messages seem to be about health drugs, sex or spiritual well-being if that helps others identify it on their machine…
I think there must be an .exe somewhere but where that is I have no clue and neither can I tell what the trojan does.
I’ve tried using the avast! cleaner but it didn’t find anything. I’ve tried searching the internet for this trojan, here, Symantec etc. but have not found anything on it. I have Win XP SP2. I scan my PC with Spybot, avast!, Windows Defender and Ad-Aware 2007 every night. I keep everything updated.
All help is appreciated!
cheers