TaskDir Trojan



AgentSmith
2006-03-24, 08:55
I got hit with a trojan that installed itself as taskdir.exe in my system32 directory. It added itself to the HKEY_CURRENT_USER Run registry key, and once it was running, it would first connect to some systems on port 80 (probably to get instructions), then proceed to start sending out spam on port 25 to various mail servers.

Spybot, Avast!, and BitDefender all failed to detect taskdir.exe, although Spybot did detect the zlbw.dll, which taskdir.exe created (and re-created after attempted removal). There were also files called parad.raw.exe and taskdir.dll, but I already purged those from my system. I do still have access to taskdir.exe and zlbw.dll, however, if you want me to submit them.

I don't have logs for TaskDir, but it looks like someone who posted logs here had that trojan as well: http://forums.spybot.info/showthread.php?t=2853

Unlike that user, my system was still usable for the most part, but Windows Update would not work and moving my mouse over a folder in my Internet Explorer Favorites list would cause IE to crash. This stopped once I deactivated taskdir.exe.
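The post above describes the trojan's two network behaviours: outbound port 80 connections (presumably for instructions) followed by port 25 connections to many mail servers. The following PowerShell snippet is an added example, not code from the thread or from any poster, showing how a defender attributes such connections to the owning process and spots the fan-out pattern. It assumes a modern Windows host where Get-NetTCPConnection and Get-Process are available (Windows 8 / Server 2012 or later); the ports 25 and 80 are the ones named in the post.

```powershell
# Added example (not from the thread): attribute live outbound TCP connections
# on ports 25 and 80 to their owning process, then rank processes by how many
# distinct SMTP hosts they talk to. A mail client contacts one or two servers;
# a spam bot contacts many.
$watchPorts = 25, 80   # ports named in the original post

$suspects = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $watchPorts -contains $_.RemotePort } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Process    = if ($proc) { $proc.ProcessName } else { '<unknown>' }
            PID        = $_.OwningProcess
            Path       = if ($proc) { $proc.Path } else { $null }   # null for protected processes
            RemoteHost = $_.RemoteAddress
            RemotePort = $_.RemotePort
        }
    }

# Full list of matching connections, one row per connection.
$suspects | Format-Table -AutoSize

# Fan-out summary: distinct remote hosts per process on port 25.
$suspects |
    Where-Object { $_.RemotePort -eq 25 } |
    Group-Object Process, PID |
    ForEach-Object {
        $distinct = ($_.Group.RemoteHost | Sort-Object -Unique).Count
        [PSCustomObject]@{ Process = $_.Name; DistinctSmtpHosts = $distinct }
    } |
    Sort-Object DistinctSmtpHosts -Descending |
    Format-Table -AutoSize
```

Run it while the machine is still exhibiting the behaviour; once the autostart entry is disabled (as the poster did) the connections disappear and only the persistence artefacts remain to check.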

md usa spybot fan
2006-03-24, 20:11
According to the following Symantec Security Response, taskdir.exe can be associated with Trojan.Abwiz.F (a.k.a. Troj/DwnLdr-AKR [Sophos]):
Trojan.Abwiz.F
http://securityresponse.symantec.com/avcenter/venc/data/trojan.abwiz.f.html
Note the date the Trojan was discovered: March 22, 2006

If it is in fact something new, maybe that is why your anti-virus did not pick it up.

Is your file the same as glogglog (http://forums.spybot.info/member.php?u=4645)'s in the thread (which was dated March 6, 2006):
big virus problem.
http://forums.spybot.info/showthread.php?t=2853
Located: HK_CU:Run, taskdir
command: C:\WINDOWS\System32\taskdir.exe
file: C:\WINDOWS\System32\taskdir.exe
size: 47136
MD5: 3c3317f0c6941fe0b4d56046d39d92a1

AgentSmith
2006-03-25, 07:07
Yeah, I figured it was something fairly new.

My taskdir.exe file has the following properties, so it's not identical to glogglog's:
Size: 51134 bytes
MD5: 8107DA6B81818824881CC2A6505BB44D
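The thread now holds two indicators for the same autostart entry (HKCU Run value "taskdir" pointing at System32\taskdir.exe) with different sizes and MD5 hashes, which is why a hash-only comparison between the two posters fails. The PowerShell below is an added example, not code from the thread or from Spybot, that enumerates the HKCU and HKLM Run keys, hashes each target, and flags entries matching either of the two hashes or the taskdir name. It assumes Get-FileHash is available (Windows PowerShell 4 or later); the hash values and sizes are the ones quoted in the posts above, and the Resolve-CommandPath helper is a hypothetical name introduced here.

```powershell
# Added example (not from the thread): check Run-key autostarts against the
# taskdir.exe indicators quoted in this thread. MD5 keys are lower-cased because
# Get-FileHash returns upper-case hex.
$knownBad = @{
    '3c3317f0c6941fe0b4d56046d39d92a1' = 'taskdir.exe, glogglog sample (47136 bytes)'
    '8107da6b81818824881cc2a6505bb44d' = 'taskdir.exe, AgentSmith sample (51134 bytes)'
}
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',   # the key named in the thread
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'    # checked as well, for completeness
)

function Resolve-CommandPath {
    # Hypothetical helper: strip quotes and arguments from a Run value such as
    # "C:\dir\app.exe" /arg so only the executable path remains.
    param([string]$Command)
    $c = $Command.Trim()
    if ($c.StartsWith('"')) { return $c.Split('"')[1] }
    return ($c -split '\s+')[0]
}

$results = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $command = $item.GetValue($name)
        $path    = Resolve-CommandPath $command
        $exists  = Test-Path -LiteralPath $path
        $md5     = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash.ToLower() } else { $null }
        $size    = if ($exists) { (Get-Item -LiteralPath $path).Length } else { $null }

        # Verdict: exact hash match beats a name match; a missing file is itself worth noting.
        if ($md5 -and $knownBad.ContainsKey($md5)) {
            $verdict = 'HASH MATCH: ' + $knownBad[$md5]
        } elseif ($name -eq 'taskdir' -or $path -match '\\taskdir\.exe$') {
            $verdict = 'name matches thread (different build?)'
        } elseif (-not $exists) {
            $verdict = 'target file missing'
        } else {
            $verdict = ''
        }

        [PSCustomObject]@{
            Key     = $key
            Name    = $name
            Path    = $path
            Size    = $size
            MD5     = $md5
            Verdict = $verdict
        }
    }
}

$results | Format-Table -AutoSize
```

Because the two reported samples already differ in size and hash, the name and path match is the more durable indicator; the hash list only confirms an exact copy of one of the two builds seen in this thread.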