Trojan found



Lordessa
2009-06-28, 23:30
Spybot S&D found 10 instances of Win32.anel, a trojan. What it does, other than replicate, I'm not sure.

I use F-Secure Internet Security, Spybot SD Resident and Spyware Blaster. I admit, I hadn't run Spybot S&D in quite a while. I noticed my computer has been running slow since the last few Windows updates and attributed it to the updates. Plus, it could use some maintenance (defrag, delete unnecessary files, etc) so I wasn't too worried. The other day I finally ran Spybot which is when I found the Win32.anel trojan. I really can't find much about it on the internet - like exactly what it does. I found info on an email worm with a similar name but that's not the same as the trojan, is it? After that, I did a full virus scan with F-Secure which turned up clean. The next day I downloaded Malwarebytes' Anti-Malware. Malwarebytes found 7 TMP files in my Windows/fonts directory, such as:
c:\WINDOWS\FONTS\SET12B6.TMP (Spyware.OnlineGames) and a registry data item:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0). All supposedly quarantined and deleted successfully.

I can't help but wonder why S&D and F-Secure didn't find these. But my main question is - what potential harm does Win32.Anel cause? Is it a password stealer (ftp or other), logger, downloader or something else?

By the way, I do not use Windows Messenger and have since renamed the folder. I rarely use Internet Explorer but mostly use Firefox instead.

Here is partial fix log from the other day:

--- Report generated: 2009-06-24 10:19 ---

Win32.Anel: [SBI $90AC47DB] Settings (Registry value, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\MessengerService\PasswordMSN Messenger Service

Win32.Anel: [SBI $90AC47DB] Settings (Registry value, fixed)
HKEY_USERS\S-1-5-19\Software\Microsoft\MessengerService\PasswordMSN Messenger Service

Win32.Anel: [SBI $90AC47DB] Settings (Registry value, fixed)
HKEY_USERS\S-1-5-20\Software\Microsoft\MessengerService\PasswordMSN Messenger Service

Win32.Anel: [SBI $90AC47DB] Settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-515967899-706699826-839522115-1004\Software\Microsoft\MessengerService\PasswordMSN Messenger Service

Win32.Anel: [SBI $90AC47DB] Settings (Registry value, fixing failed)
HKEY_USERS\S-1-5-18\Software\Microsoft\MessengerService\PasswordMSN Messenger Service

Win32.Anel: [SBI $58692ABB] Settings (Registry value, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\MessengerService\UserMSN Messenger Service

Win32.Anel: [SBI $58692ABB] Settings (Registry value, fixed)
HKEY_USERS\S-1-5-19\Software\Microsoft\MessengerService\UserMSN Messenger Service

Win32.Anel: [SBI $58692ABB] Settings (Registry value, fixed)
HKEY_USERS\S-1-5-20\Software\Microsoft\MessengerService\UserMSN Messenger Service

Win32.Anel: [SBI $58692ABB] Settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-515967899-706699826-839522115-1004\Software\Microsoft\MessengerService\UserMSN Messenger Service

Win32.Anel: [SBI $58692ABB] Settings (Registry value, fixing failed)
HKEY_USERS\S-1-5-18\Software\Microsoft\MessengerService\UserMSN Messenger Service

--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

Hopefully someone can help tell me what the trojan found could do. I have no idea how long it was on the system. :sad:

Thanks,
Lordessa
Edited to add: I have since run Spybot and Malwarebytes again and turned up clean.
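
An added example (not part of the original posts, and not Spybot's own tooling): a small Python parser for the fix-log format in the post above. It lists entries whose fix failed and marks those where the same rule was fixed under an aliased hive. It relies on `HKEY_USERS\.DEFAULT` being an alias of the `S-1-5-18` (LocalSystem) hive; the function names are hypothetical and the sample is an excerpt of the posted log.

```python
import re

# Excerpt of the fix log quoted in the post above (same format, four entries).
SAMPLE_LOG = r"""
Win32.Anel: [SBI $90AC47DB] Settings (Registry value, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\MessengerService\PasswordMSN Messenger Service

Win32.Anel: [SBI $90AC47DB] Settings (Registry value, fixing failed)
HKEY_USERS\S-1-5-18\Software\Microsoft\MessengerService\PasswordMSN Messenger Service

Win32.Anel: [SBI $58692ABB] Settings (Registry value, fixed)
HKEY_USERS\S-1-5-20\Software\Microsoft\MessengerService\UserMSN Messenger Service

Win32.Anel: [SBI $58692ABB] Settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-515967899-706699826-839522115-1004\Software\Microsoft\MessengerService\UserMSN Messenger Service
"""

# One entry = a header line followed by the registry path on the next line.
ENTRY = re.compile(
    r"^(?P<threat>[^:\n]+): \[SBI \$(?P<sbi>[0-9A-F]+)\] (?P<kind>.+?) "
    r"\((?P<type>[^,]+), (?P<result>[^)]+)\)\n(?P<path>HKEY_[^\n]+)$",
    re.MULTILINE,
)

# Well-known service-account hives; .DEFAULT is an alias of S-1-5-18.
HIVES = {".DEFAULT": "LocalSystem", "S-1-5-18": "LocalSystem",
         "S-1-5-19": "LocalService", "S-1-5-20": "NetworkService"}

def parse_fix_log(text):
    """Return one dict per log entry: rule id, result, hive, account, value."""
    entries = []
    for m in ENTRY.finditer(text):
        parts = m["path"].split("\\")
        hive = parts[1]
        entries.append({"threat": m["threat"], "sbi": m["sbi"],
                        "result": m["result"], "hive": hive,
                        "account": HIVES.get(hive, "user account"),
                        "value": parts[-1]})
    return entries

def failed_fixes(entries):
    """Entries not reported as fixed; alias_fixed is True when the same rule
    was fixed through the other name of the LocalSystem hive."""
    fixed = {(e["sbi"], e["account"]) for e in entries if e["result"] == "fixed"}
    return [{**e, "alias_fixed": e["account"] == "LocalSystem"
             and (e["sbi"], e["account"]) in fixed}
            for e in entries if e["result"] != "fixed"]

if __name__ == "__main__":
    for e in failed_fixes(parse_fix_log(SAMPLE_LOG)):
        print(e["sbi"], e["hive"], e["value"], "alias fixed:", e["alias_fixed"])
```

An `alias_fixed` failure is consistent with the value already having been removed through the alias, but only a rescan confirms it.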

drragostea
2009-06-30, 00:38
Hopefully someone can help tell me what the trojan found could do. I have no idea how long it was on the system. :sad:
Hello there. There doesn't seem to be a lot of information on this trojan according to Google. I ended up with the same conclusion as you, this is an email worm (VirusList).

You should be fine at the moment since the detected results are fixed by Spybot-Search&Destroy and MBAM. Be sure to keep your definition files up to date and run a scan, when you have the time, in Windows Safe Mode (F8).

Lordessa
2009-06-30, 03:36
Hi drragostea,
Thanks very much for the reply. Spybot reported Win32.anel as a trojan. Is a trojan the same as a worm? I thought they were different so I concluded that it was a trojan and different from the VirusList email worm of a similar name. It would be nice if someone from Spybot would confirm this because it was found by their software and surely they would know at least something about it - more than that found on the internet. Should I try to contact them directly or do they check the forums?

Another question, you said I should run a scan in safe mode. Would that be with Spybot or with MBAM?

Thanks again!


Hello there. There doesn't seem to be a lot of information on this trojan according to Google. I ended up with the same conclusion as you, this is an email worm (VirusList).

You should be fine at the moment since the detected results are fixed by Spybot-Search&Destroy and MBAM. Be sure to keep your definition files up to date and run a scan, when you have the time, in Windows Safe Mode (F8).

drragostea
2009-07-01, 02:09
But I can't be sure if this entry is specifically an email worm. There might be variations of this, but information is limited.

Trojans act more like spyware, wreaking rogue AVs on your machine, while worms seek to cause damage to replicate their junk.

Another question, you said I should run a scan in safe mode. Would that be with Spybot or with MBAM?
Fire them both up, with the latest definition updates. I'd suggest tomorrow because Spybot-Search&Destroy updates come tomorrow.

Should I try to contact them directly or do they check the forums?
Would it make a big difference?
I'm getting mixed results. SaferNetworking (Spybot) tells me it's a Trojan from February 25, 2009's updates.
http://www.safer-networking.org/en/updatehistory/page-15.html

I think it's an email worm, now that I'm getting more sites on Google that confirm it's an email worm, like Nabble.com.

Google Win32.Anel, and you'll see the results I saw.

Lordessa
2009-07-01, 02:31
But I can't be sure if this entry is specifically an email worm. There might be variations of this, but information is limited.
Yes, that's why I wondered if it was a trojan as S&D labeled it.


Would it make a big difference?
I'm getting mixed results. SaferNetworking (Spybot) tells me it's a Trojan from February 25, 2009's updates.
It would make a difference to me. They are different - a trojan would be worse, in my opinion, since I do not use Outlook (no, I don't consider myself safe, just more secure for not using it) and I have FTP information for sites on my system.


I think it's an email worm, now that I'm getting more sites on Google that confirm it's an email worm, like Nabble.com. Google Win32.Anel, and you'll see the results I saw.
I did Google it -- before I posted initially. There wasn't much information so that's why I came here. I would think it would be less worrisome if it was an email worm but why would an email worm care about \Software\Microsoft\MessengerService\UserMSN Messenger Service? Then again, I'm not an expert, which is why I sought help here.

Thanks for your help.

drragostea
2009-07-01, 03:26
Fire them both up, with the latest definition updates. I'd suggest tomorrow because Spybot-Search&Destroy updates come tomorrow.
Well, I guess as long as Spybot doesn't detect any Win32.Anel stuff in the future, I don't think you have anything to worry about.

Lordessa
2009-07-01, 03:38
Yes, but what if it's already done some damage? If I knew what damage it could cause, then I could deal with it. That's why I was wondering if I should contact Spybot directly. They seem to be the only ones who know about it.



Well, I guess as long as Spybot doesn't detect any Win32.Anel stuff in the future, I don't think you have anything to worry about.

drragostea
2009-07-01, 04:39
Yes, but what if it's already done some damage?
That's a difficult question because we cannot determine specifically what it might have done. No two infections are the same and we can only give information and solutions in fixing this email worm/trojan.

That's why I was wondering if I should contact Spybot directly.
This is where you contact them. Members share their knowledge about what they know and they can contribute to a query. The Forums are Spybot's main Tech Support.

To ensure that MBAM, and Spybot aren't the only ones that come back clean during a scan, my best suggestion at the moment is to run another anti-spyware scanner.

The one I recommend is Superantispyware. I think of it as a heavy duty, light weight champion at the same time.
http://www.superantispyware.com/

Lordessa
2009-07-01, 04:54
That's a difficult question because we cannot determine specifically what it might have done. No two infections are the same and we can only give information and solutions in fixing this email worm/trojan.

Ok. So even though there is a fix for it, not even the most basic information is known about it, such as, if it is a trojan or a worm? Sorry, I didn't realize that's how it worked. I was under the impression that you had to know what it does in order to fix it. :confused:



To ensure that MBAM, and Spybot aren't the only ones that come back clean during a scan, my best suggestion at the moment is to run another anti-spyware scanner.

The one I recommend is Superantispyware. I think of it as a heavy duty, light weight champion at the same time.
http://www.superantispyware.com/
Will do. Thanks so much for all your help! :thanks:

drragostea
2009-07-01, 05:01
Well... there are fixes for this trojan... you know that. Spybot, anti-malware programs... or manual removal with the aid of a malware expert. Things like that.

not even the most basic information is known about it, such as, if it is a trojan or a worm?
Not that Google knows of. It's a bit confusing because you can't always pinpoint this one entry. Spybot tells you it's a trojan and Google tells you it's an email worm. You'll only confuse yourself more if you keep switching back and forth, thinking about whether this Win32.Anel is a trojan or worm.

Point is, you know it's bad stuff.

I was under the impression that you had to know what it does in order to fix it.
Spybot has this entry's detections, so it should have taken care of Win32.Anel. There might not be a lot of information but there are certainly procedures that can be taken to resolve this problem.

Matt
2009-07-01, 12:47
Hi drragostea & Lordessa,


It's a bit confusing because you can't always pinpoint this one entry. Spybot tells you it's a trojan and Google tells you it's an email worm.
Spybot doesn't have an extra database for worms like this one. As far as I know, all worms are included in Spybot's two files Trojans.sbi and TrojansC.sbi. There, you can find, for example, the known worm RBOT as well. ;)

Viruses and worms should be especially detected by your Antivirus program. :bigthumb:
Team Spybot doesn't search for worms, but if they find some files or I give them some rules with my "New Malware files" (http://forums.spybot.info/forumdisplay.php?f=53), they will add them into Spybot's database. :D: