Lordessa
2009-06-28, 23:30
Spybot S&D found 10 instances of Win32.anel, a trojan. What it does, other than replicate, I'm not sure.
I use F-Secure Internet Security, Spybot SD Resident and Spyware Blaster. I admit, I hadn't run Spybot S&D in quite a while. I noticed my computer has been running slow since the last few Windows updates and attributed it to the updates. Plus, it could use some maintenance (defrag, delete unnecessary files, etc) so I wasn't too worried. The other day I finally ran Spybot which is when I found the Win32.anel trojan. I really can't find much about it on the internet - like exactly what it does. I found info on an email worm with a similar name but that's not the same as the trojan, is it? After that, I did a full virus scan with F-Secure which turned up clean. The next day I downloaded Malwarebytes' Anti-Malware. Malwarebytes found 7 TMP files in my Windows/fonts directory, such as:
c:\WINDOWS\FONTS\SET12B6.TMP (Spyware.OnlineGames) and a registry data item:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0). All supposedly quarantined and deleted successfully.
I can't help but wonder why S&D and F-Secure didn't find these. But my main question is - what potential harm does Win32.Anel cause? Is it a password stealer (ftp or other), logger, downloader or something else?
By the way, I do not use Windows Messenger and have since renamed the folder. I rarely use Internet Explorer but mostly use Firefox instead.
Here is a partial fix log from the other day:
--- Report generated: 2009-06-24 10:19 ---
Win32.Anel: [SBI $90AC47DB] Settings (Registry value, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\MessengerService\PasswordMSN Messenger Service
Win32.Anel: [SBI $90AC47DB] Settings (Registry value, fixed)
HKEY_USERS\S-1-5-19\Software\Microsoft\MessengerService\PasswordMSN Messenger Service
Win32.Anel: [SBI $90AC47DB] Settings (Registry value, fixed)
HKEY_USERS\S-1-5-20\Software\Microsoft\MessengerService\PasswordMSN Messenger Service
Win32.Anel: [SBI $90AC47DB] Settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-515967899-706699826-839522115-1004\Software\Microsoft\MessengerService\PasswordMSN Messenger Service
Win32.Anel: [SBI $90AC47DB] Settings (Registry value, fixing failed)
HKEY_USERS\S-1-5-18\Software\Microsoft\MessengerService\PasswordMSN Messenger Service
Win32.Anel: [SBI $58692ABB] Settings (Registry value, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\MessengerService\UserMSN Messenger Service
Win32.Anel: [SBI $58692ABB] Settings (Registry value, fixed)
HKEY_USERS\S-1-5-19\Software\Microsoft\MessengerService\UserMSN Messenger Service
Win32.Anel: [SBI $58692ABB] Settings (Registry value, fixed)
HKEY_USERS\S-1-5-20\Software\Microsoft\MessengerService\UserMSN Messenger Service
Win32.Anel: [SBI $58692ABB] Settings (Registry value, fixed)
HKEY_USERS\S-1-5-21-515967899-706699826-839522115-1004\Software\Microsoft\MessengerService\UserMSN Messenger Service
Win32.Anel: [SBI $58692ABB] Settings (Registry value, fixing failed)
HKEY_USERS\S-1-5-18\Software\Microsoft\MessengerService\UserMSN Messenger Service
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
Hopefully someone can help tell me what the trojan found could do. I have no idea how long it was on the system. :sad:
Thanks,
Lordessa
Edited to add: I have since run Spybot and Malwarebytes again and turned up clean.