Thread: new malware 49aedfef.exe

  1. #1
    Junior Member
    Join Date
    Jun 2006
    Posts
    4

    Default new malware 49aedfef.exe

    I got this by a profoundly dumb move, which I am not proud of and don't want to talk about (ran a web dl exe.... why o why (head in hands))

    Anyway, it was clear it wasn't doing what it said it was, and the firewall started throwing up flags, as did the virus scanner.

    STEP ONE.... IT WAS ONLY A 17k FILE... YANK THE NET CABLE!

    Spybot picked up a load of registry changes (related to zlobdownloader), and HijackThis got one (run the file 49aedfef.exe).

    However, on reboot the process 49aedfef.exe was running (!)

    A Google search on this file comes up dry... a sure sign of a fresh virus/malware.

    I killed the process, and located the file on the disk and deleted it.
    Virus scan, Spybot scan and HijackThis all look clean now (all with fresh definitions): all running processes look legit and are running from files in legit locations.

    Unfortunately I didn't keep the logs, but I've written down the names of the alien files/registry entries:
    zlobdownloader
    stdole.tlb
    49aedfef.exe

    Everything (looks) fine, just a heads-up on the file name.

    I owe S&D developers another $20

  2. #2
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,961

    Default

    Hi there and thank you.

    zlob is a nasty that is changing daily.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  3. #3
    Junior Member
    Join Date
    Jun 2006
    Posts
    4

    Default

    Well, it came back on reboot; the file 49aedfef.exe rematerialized in two locations.

    I deleted both of them, and have kept a copy if anyone wants it.

    Spybot also found an entry it didn't find before:
    -Pup
    -Autorun settings (49aedfef.exe)
    --HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\49aedfef.exe

    Full virus scan found nothing.

    I deleted all the files 49aedfef.exe (again)
    Fixed the entries Spybot found
    Removed the entries in HijackThis (again)
    Deleted all cookies and temporary files in IE.

    Rebooted, and this time it looks to have got it!
    But I'm still keeping a sharp eye on any processes running!

  4. #4
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,961

    Default

    Hello.

    1) Please Zip any files you may have and send them to:
    detections(AT)spybot.info

    Put the name of the file/infection into subject matter.

    2) Someone should take a look at the system.

    Please follow the instructions in this sticky topic:
    BEFORE you post and who will advise you. Preliminary Steps

    Start your own topic here:
    Malware Forum

    A helper will then assist you as soon as available.

  5. #5
    Junior Member
    Join Date
    Jun 2006
    Posts
    4

    Default

    Unfortunately the updated Symantec definition not only found, but also deleted the file when I tried to create the zip file.
    Sorry fellas!

  6. #6
    Junior Member
    Join Date
    Jun 2006
    Posts
    4

    Default victory against the 49aedfef.exe trojan(?)

    **READ FIRST**
    I think I have cleared my machine of the installed malware (although this stuff always seems to be tenacious). This isn't so much a request for help, but passing on current information. (The file wasn't found by Symantec with 10/06/06 definitions, but was with 11/06/06 definitions.)

    History.
    Method of infection: user must DL and run an *.exe file.
    *A method of infection that should only affect dumbasses*
    -sigh…. head in hands... what was I thinking!

    Exe run 04:30 10/6/06 (17k exe)
    Immediate alien processes found running:
    win4f2a.tmp.exe
    49aedfef.exe
    -machine network cable removed for all time other than when access to websites and dl files/virus definitions was required.

    Virus scan revealed (Symantec definitions 10/6/06) nothing.
    Spybot (fresh definitions) scan reveals zlobdownloader (reboot needed to clean)
    Entry found using HijackThis for file 49aedfef.exe and deleted

    Spybot run on reboot, looks clean (zlob gone), but 49aedfef.exe still found in processes.

    HijackThis entry for 49aedfef.exe deleted again (file located on disk and deleted)
    Spybot run again, finds entry for 49aedfef.exe
    -Pup
    -Autorun settings (49aedfef.exe)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\49aedfef.exe
    (also deleted)
    -reboot looks clean.

    A look at recent files created on the machine reveals suspicious activity from about the time the malware was run. Particularly, numbered files written about every 18 mins in the dir
    c:\winnt\temp\winXXX.tmp. Virtually all the files have zero size, but the few files with small size are not written in ASCII. Files were still being written, although I could find no alien processes on the machine. I renamed the directory c:\winnt\temp, and that seems to have stopped the problem.

    Ewido installed: scan reveals:
    [212] C:\winnt\system32\winbjt32.dll -> Trojan.Agent.vg : Cleaned with backup
    C:\winnt\system32\1024 -> Trojan.Small : Cleaned with backup
    C:\winnt\system32\1024\ldD1A6.tmp -> Trojan.Small : Cleaned with backup
    C:\winnt\system32\1024\ldDC51.tmp -> Trojan.Small : Cleaned with backup
    C:\winnt\system32\1024\ldE461.tmp -> Trojan.Small : Cleaned with backup
    C:\winnt\system32\winbjt32.dll -> Trojan.Agent.vg : Cleaned with backup
    Unclear if this is related to the 10/6/06 malware
    Ewido also reveals no alien processes, and system processes running from expected locations (c:\winnt\systems etc).

    Virus scan (Symantec definitions 11/6/06) finds three threats (all Trojans)
    49aedfef.exe (yes back again despite about 3 deletions)
    default.sfx
    dc9406.exe
    (all linked by Symantec to generic low threat, easily removed, low occurrence Trojans)
    -these files weren't detected with yesterday's definitions.
    -files automatically deleted by Symantec when I tried to zip them for the Spybot team.

    Apart from a few flags when the exe was initially run, the firewall (also Symantec) was essentially silent.

    All scans look clean (Symantec, Spybot, HijackThis and Ewido), and there are no more suspicious file creations on the machine.
    Clean…I hope!

    Useful for the community.. I hope!
    Last edited by tashi; 2006-06-12 at 00:00. Reason: Moved post from malware removal and merged with original topic
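As an added, defender-side example (not code from this thread, from Spybot or from the poster), a small Python script that checks the two things post #6 walks through by hand: Run-key values that launch executables with random-looking hex names or from directories outside the usual locations, and a regular file-drop cadence in a temp directory like the 18-minute one described above. The Run-key values and timestamps are constructed sample data; the on-disk paths for 49aedfef.exe and dc9406.exe are assumptions, not taken from the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data modelled on the thread, not real registry or
# filesystem reads: Run-key values plus files appearing in the temp dir.
SAMPLE_RUN_ENTRIES = {
    "SynTPEnh": r"C:\Program Files\Synaptics\SynTP\SynTPEnh.exe",  # constructed, benign
    "49aedfef.exe": r"C:\WINNT\49aedfef.exe",                       # name from thread, path assumed
    "ctfmon.exe": r"C:\WINNT\system32\ctfmon.exe",                  # constructed, benign
    "dc9406.exe": r"C:\WINNT\Temp\dc9406.exe",                      # name from thread, path assumed
}
BASE = datetime(2006, 6, 10, 4, 30)
SAMPLE_EVENTS = [(r"C:\WINNT\Temp\win%03x.tmp" % i, BASE + timedelta(minutes=18 * i))
                 for i in range(5)]  # constructed: one drop every 18 minutes
SAMPLE_EVENTS.append((r"C:\Documents and Settings\user\notes.txt", datetime(2006, 6, 10, 9, 12)))

# Eight hex digits plus .exe: the naming pattern of the dropper in the thread.
HEX_NAME = re.compile(r"^[0-9a-f]{8}\.exe$", re.IGNORECASE)
# Directories an autorun normally lives in; anything else gets a second look.
TRUSTED_DIRS = ("c:\\winnt\\system32\\", "c:\\program files\\")

def flag_autoruns(entries):
    """Return Run-key value names with a hex-named target or a target outside TRUSTED_DIRS."""
    flagged = []
    for name, cmd in entries.items():
        path = cmd.strip('"')
        exe = path.rsplit("\\", 1)[-1]
        in_trusted = any(path.lower().startswith(d) for d in TRUSTED_DIRS)
        if HEX_NAME.match(exe) or not in_trusted:
            flagged.append(name)
    return sorted(flagged)

def periodic_drops(events, tolerance_minutes=2, min_gaps=3):
    """Group (path, timestamp) creation events by directory and return
    {directory: interval_minutes} where consecutive creations are evenly spaced."""
    by_dir = {}
    for path, ts in events:
        by_dir.setdefault(path.rsplit("\\", 1)[0].lower(), []).append(ts)
    cadence = {}
    for d, stamps in by_dir.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(stamps, stamps[1:])]
        if len(gaps) < min_gaps:
            continue  # too few files to call it a cadence
        median = sorted(gaps)[len(gaps) // 2]
        if all(abs(g - median) <= tolerance_minutes for g in gaps):
            cadence[d] = round(median)
    return cadence
```

Run `flag_autoruns(SAMPLE_RUN_ENTRIES)` and `periodic_drops(SAMPLE_EVENTS)` to see the two hex/temp-dir autoruns and the 18-minute drop cadence reported; on a real machine you would feed in the Run key's values and a directory listing with creation times instead.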
