Corporal Clegg
2006-01-28, 21:24
Hi. First off, thanks for Spybot and all the work you all do to make it such an excellent program.
The other day, my ZoneAlarm went off while I was surfing the web asking me if I wanted to allow "UWAS6_0001_N68M2301NetInstaller.exe" to access the internet. Naturally, I said NO. I had Kaspersky Personal AV running at the time and it gave no alerts (I use the extended database files for Kaspersky that usually catch malware/spyware). I located the .exe file named above in my %WINDIR%\DOWNLOADED PROGRAM FILES\ folder and deleted it immediately. I probably should have saved it, but I didn't. Later on that same day, when I was using msconfig to adjust some startup items, I noticed an entry in there that was checked to run at startup and it was for the UWAS6_0001_N68M2301NetInstaller.exe file I had previously deleted. I unchecked the setting and ran a Spybot scan to see if it found anything. The scan came up "clean", which was a relief. I ran a HiJackThis scan as well and it had no entries in it that weren't supposed to be there. I figured since the ZoneAlarm stopped it from connecting to whatever website it was trying to connect to, I hadn't gotten "infected". I had only picked up the installer.
Now today I decided to use msconfig again and saw that the startup entry for UWAS6_0001_N68M2301NetInstaller.exe was still there but unchecked, so I figured I'd go into regedit and clean up any registry references to that file I could find. But before I removed any registry references to this file, I decided to update my Spybot with the latest detections. After updating, I ran a scan. Spybot found a CoolWWWSearch.XPlugin: Tracking cookie, which I fixed, but nothing else. No mention of the reg key associated with UWAS6_0001_N68M2301NetInstaller.exe. So I did a google on that file name and got back just 1 hit, for this URL:
http://virusinfo.prevx.com/viruscenter.asp?GRP=4785000015
If you scroll down the page, you'll come to the reference to UWAS6_0001_N68M2301NetInstaller.exe and what they say its actions are:
"Rogue.ErrorSafe: Installs programs. Invokes dll components. Creates Run Keys. Runs temporary programs. Communicates with web sites using httpout protocols. Has outbound communications. Creates registry entries. Creates run keys for known malware."
I've never heard of this "Prevx" company, or their product before so I have no way of knowing how valid their information is. According to their site, this variant was first seen January 26th and it was on the afternoon of the 27th that I came across it in my web surfing. I'm not sure what site I was at when I picked up the installer, but I remember I had been looking for themes for my cell phone display. Perhaps it was one of those sites.
I'm not sure if the Spybot team know about this, but I decided to register and post just in case you weren't aware of it yet. Just a little info I have about this is listed below.
File Name: UWAS6_0001_N68M2301NetInstaller.exe
File loaded into %WINDIR%\DOWNLOADED PROGRAM FILES\
Created the following registry entry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NI.UWAS6_0001_N68M2301]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UWAS6_0001_N68M2301NetInstaller"
"hkey"="HKLM"
"command"="\"C:\\WINNT\\Downloaded Program Files\\UWAS6_0001_N68M2301NetInstaller.exe\" -nag "
"inimapping"="0"
ZoneAlarm logs it as "WinSoftware Installer". ZA entries related to this:
17:21:50 -5:00 GMT WinSoftware Installer was temporarily blocked from connecting to the Internet (66.244.254.178:HTTP)
17:25:11 -5:00 GMT WinSoftware Installer was temporarily blocked from connecting to the Internet (66.244.254.239:HTTP)
17:35:32 -5:00 GMT WinSoftware Installer was temporarily blocked from connecting to the Internet (66.244.254.239:HTTP)
I probably deleted the UWAS6_0001_N68M2301NetInstaller.exe before 17:45:00 -5:00 GMT. Just a guess since it looks like it tries to connect to the net at 10 minute intervals.
--- System information ---
Windows XP (Build: 2600) Service Pack 2
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-10-21 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-01-27 Includes\Beta.sbi (*)
2005-02-16 Includes\Beta.uti (*)
2006-01-27 Includes\Cookies.sbi (*)
2006-01-27 Includes\Dialer.sbi (*)
2006-01-27 Includes\Hijackers.sbi (*)
2006-01-27 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2006-01-27 Includes\Malware.sbi (*)
2003-04-28 Includes\plugin-ignore.ini
2006-01-27 Includes\PUPS.sbi (*)
2006-01-27 Includes\Revision.sbi (*)
2006-01-27 Includes\Security.sbi (*)
2006-01-27 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-01-27 Includes\Trojans.sbi (*)
As I said before, I'm pretty sure I didn't get the full effect of this "thing" since ZoneAlarm was able to stop it before it could download any other files it uses to install itself on a user's system.
If you need any more information about this, please let me know and I'll respond with whatever info I have that may help you.
I hope this is the right format for submitting spyware reports on this forum. I searched the boards beforehand and didn't find any posts about this particular problem. Thanks again for Spybot and to its entire team for making computers safer.
Corporal Clegg
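Added example, not code from the post, from Spybot or from ZoneAlarm: a small Python script that takes the two artefacts quoted in the post (the MSConfig "startupreg" registry export and the three ZoneAlarm log lines) and reconstructs what the installer set up. The point it illustrates is why the scans came back clean: when an item is unchecked in msconfig on XP, the value is removed from the Run key and stored under HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\<item>, so a startup-list tool that only reads the Run keys shows nothing, while the command line is still recorded and one checkbox away from being re-enabled. The script parses that key back into its original location, executable, arguments and a flag for an executable living in %WINDIR%\Downloaded Program Files (IE's ActiveX download cache, an unusual place for a Run entry), and computes the destinations and the real gaps between the blocked connection attempts. Assumptions: the .reg fragment and log lines are exactly as quoted in the post (embedded below as sample input), only REG_SZ values of the form "name"="value" are handled, and the ZoneAlarm line format is the one shown.

```python
"""Added example (not code from the post, Spybot or ZoneAlarm): reconstruct
what the installer left behind from the two artefacts quoted in the post.

Assumptions: the .reg fragment and ZoneAlarm lines are the ones in the post;
only REG_SZ values of the form "name"="value" are handled."""
import re
from datetime import datetime

# MSConfig 'startupreg' export quoted in the post, embedded as sample input.
STARTUPREG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NI.UWAS6_0001_N68M2301]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UWAS6_0001_N68M2301NetInstaller"
"hkey"="HKLM"
"command"="\"C:\\WINNT\\Downloaded Program Files\\UWAS6_0001_N68M2301NetInstaller.exe\" -nag "
"inimapping"="0"
'''

# ZoneAlarm log lines quoted in the post, embedded as sample input.
ZA_LOG = """\
17:21:50 -5:00 GMT WinSoftware Installer was temporarily blocked from connecting to the Internet (66.244.254.178:HTTP)
17:25:11 -5:00 GMT WinSoftware Installer was temporarily blocked from connecting to the Internet (66.244.254.239:HTTP)
17:35:32 -5:00 GMT WinSoftware Installer was temporarily blocked from connecting to the Internet (66.244.254.239:HTTP)
"""

_REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
_ZA_LINE = re.compile(
    r'^(\d{2}:\d{2}:\d{2}) \S+ GMT (.+?) was temporarily blocked from '
    r'connecting to the Internet \(([\d.]+):(\w+)\)$')


def _unescape(s):
    """Undo .reg string escaping: backslash-backslash -> backslash, backslash-quote -> quote."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for the REG_SZ values in a .reg fragment."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = _REG_VALUE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def disabled_startup_entries(export_text):
    """Reconstruct each autostart item that msconfig has disabled.

    Unchecking an item in msconfig (XP) removes the value from its Run key and
    records it under ...\\Shared Tools\\MSConfig\\startupreg\\<item>, so a tool
    that only enumerates the Run keys reports nothing while the command line is
    still stored and can be re-enabled with one click.
    """
    entries = []
    for path, values in parse_reg_export(export_text).items():
        if '\\MSConfig\\startupreg\\' not in path:
            continue
        cmd = values.get('command', '')
        # Either a quoted path followed by arguments, or a bare path.
        m = re.match(r'^"([^"]*)"\s*(.*)$', cmd) or re.match(r'^(\S*)\s*(.*)$', cmd)
        exe, args = m.group(1), m.group(2).strip()
        entries.append({
            'item': values.get('item', ''),
            'original_location': values.get('hkey', '') + '\\' + values.get('key', ''),
            'exe': exe,
            'args': args,
            # %WINDIR%\Downloaded Program Files is IE's ActiveX download cache;
            # a Run entry pointing into it is unusual and worth a closer look.
            'in_activex_cache': '\\downloaded program files\\' in exe.lower(),
        })
    return entries


def parse_za_log(text):
    """Parse ZoneAlarm 'temporarily blocked' lines into time/program/dest/proto."""
    events = []
    for line in text.splitlines():
        m = _ZA_LINE.match(line.strip())
        if m:
            events.append({'time': datetime.strptime(m.group(1), '%H:%M:%S'),
                           'program': m.group(2), 'dest': m.group(3), 'proto': m.group(4)})
    return events


def connection_summary(events):
    """Distinct programs/destinations and the seconds between successive attempts."""
    gaps = []
    for a, b in zip(events, events[1:]):
        gap = int((b['time'] - a['time']).total_seconds())
        gaps.append(gap + 86400 if gap < 0 else gap)  # log carries times only: wrap at midnight
    return {'programs': sorted({e['program'] for e in events}),
            'destinations': sorted({e['dest'] for e in events}),
            'gaps_seconds': gaps}


if __name__ == '__main__':
    for e in disabled_startup_entries(STARTUPREG_EXPORT):
        print(f"disabled item {e['item']!r}: was in {e['original_location']}")
        print(f"  exe={e['exe']} args={e['args']!r} activex_cache={e['in_activex_cache']}")
    print(connection_summary(parse_za_log(ZA_LOG)))
```

On the sample input the script recovers the original Run location, the quoted executable path with its "-nag" argument, and connection gaps of 201 and 621 seconds to two addresses in 66.244.254.0/24. On a live XP box the same startupreg parser can be pointed at an export of the whole "Shared Tools\MSConfig\startupreg" key (regedit or reg export) to list every disabled-but-retained autostart entry, which is the list to clean up after deleting the file itself.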