TaskDir Trojan

[AgentSmith]

I got hit with a trojan that installed itself as taskdir.exe in my system32 directory. It added itself to the HKEY_CURRENT_USER Run registry key, and once it was running, it would first connect to some systems on port 80 (probably to get instructions), then proceed to start sending out spam on port 25 to various mail servers.

Spybot, Avast!, and BitDefender all failed to detect taskdir.exe, although Spybot did detect the zlbw.dll, which taskdir.exe created (and re-created after attempted removal). There were also files called parad.raw.exe and taskdir.dll, but I already purged those from my system. I do still have access to taskdir.exe and zlbw.dll, however, if you want me to submit them.

I don't have logs for TaskDir, but it looks like someone who posted logs here had that trojan as well: http://forums.spybot.info/showthread.php?t=2853

Unlike that user, my system was still usable for the most part, but Windows Update would not work and moving my mouse over a folder in my Internet Explorer Favorites list would cause IE to crash. This stopped once I deactivated taskdir.exe.

[md usa spybot fan]

According to the following Symantec Security Response taskdir.exe can be associated with Trojan.Abwiz.F (a.k.a Troj/DwnLdr-AKR [Sophos]):

• Trojan.Abwiz.F
  http://securityresponse.symantec.com...n.abwiz.f.html

Note the date the Trojan was discovered: March 22, 2006

If it is in fact something new, maybe that is why your anti-virus did not pick it up.

Is your file the same as glogglog's in the thread (which was dated March 6 2006):

• big virus problem.
  http://forums.spybot.info/showthread.php?t=2853

• Located: HK_CU:Run, taskdir
  command: C:\WINDOWS\System32\taskdir.exe
  file: C:\WINDOWS\System32\taskdir.exe
  size: 47136
  MD5: 3c3317f0c6941fe0b4d56046d39d92a1

[AgentSmith]

Yeah, I figured it was something fairly new.

My taskdir.exe file has the following properties, so it's not identical to glogglog's:
Size: 51134 bytes
MD5: 8107DA6B81818824881CC2A6505BB44D