FrankenBox

Trojan Party!


I'm helping to clean up a work machine that is very, very sick while our IT guy is away. Found a number of trojans so far, a few nasty malware pranks, and some rogue .exe files that I can't seem to place.

Mostly clean now, but I have two processes running that are suspicious.

msiexec.exe is automatically loading when Windows boots, although there are no residual installation processes due to complete.

ME7244.exe is running and I am not sure what that is... further, there is no Google info on it. I am considering it a very likely candidate to be a trouble maker.

Does anyone know what this process is?


Might not be as simple as that... I lost ME7244.exe when I switched back to normal startup to see if it would start, because the file search couldn't locate it. I did not find it starting up again, but got another bogus-looking one... LNAFE2.exe. Similarly, there does not seem to be a listing for it.

Right now it is sitting open in my Task Manager, but the file search is not able to locate it.

Unless it is a network file (in which case H*($S*#* we have big problems here), I think it might be an alias name for another process.

I keep seeing Symantec find the same trojan threats over and over again even though I have removed them from the current and system registries.... there is a file here somewhere that I am not finding.

Edit: Collapsing following post...

FOUND IT! It's getting created in a temp file whenever I restart.... I will upload LNAFE2.exe and scan per processes above now...

Edited by FrankenBox


Results from VirusTotal:

File UD6DD1.EXE received on 08.04.2008 10:40:49 (CET)
Current status: finished
Result: 1/36 (2.78%)

Compact Print results

Antivirus Version Last Update Result
AhnLab-V3 2008.7.29.1 2008.08.04 -
AntiVir 7.8.1.15 2008.08.04 -
Authentium 5.1.0.4 2008.08.03 -
Avast 4.8.1195.0 2008.08.03 -
AVG 8.0.0.156 2008.08.03 -
BitDefender 7.2 2008.08.04 -
CAT-QuickHeal 9.50 2008.08.02 -
ClamAV 0.93.1 2008.08.04 -
DrWeb 4.44.0.09170 2008.08.04 -
eSafe 7.0.17.0 2008.08.03 -
eTrust-Vet 31.6.6002 2008.08.02 -
Ewido 4.0 2008.08.03 -
F-Prot 4.4.4.56 2008.08.03 -
F-Secure 7.60.13501.0 2008.08.04 Suspicious:W32/Dzan!Gemini
Fortinet 3.14.0.0 2008.08.04 -
GData 2.0.7306.1023 2008.08.04 -
Ikarus T3.1.1.34.0 2008.08.04 -
K7AntiVirus 7.10.402 2008.08.02 -
Kaspersky 7.0.0.125 2008.08.04 -
McAfee 5352 2008.08.01 -
Microsoft 1.3807 2008.08.04 -
NOD32v2 3323 2008.08.04 -
Norman 5.80.02 2008.08.01 -
Panda 9.0.0.4 2008.08.03 -
PCTools 4.4.2.0 2008.08.03 -
Prevx1 V2 2008.08.04 -
Rising 20.56.01.00 2008.08.04 -
Sophos 4.31.0 2008.08.04 -
Sunbelt 3.1.1537.1 2008.08.01 -
Symantec 10 2008.08.04 -
TheHacker 6.2.96.393 2008.08.04 -
TrendMicro 8.700.0.1004 2008.08.04 -
VBA32 3.12.8.2 2008.08.04 -
ViRobot 2008.8.1.1321 2008.08.01 -
VirusBuster 4.5.11.0 2008.08.03 -
Webwasher-Gateway 6.6.2 2008.08.04 -

Additional information

File size: 296224 bytes
MD5...: b8bee3b4802f23fcc809082dfb5a663b
SHA1..: aaf3bec0920d83e09b24988d9d4baeebaa7c92e5
SHA256: b4a6cc1c2881f12ac55ea18dcb4d469c2bd39205db6103ff2450ac5b8ba4ba65
SHA512: 6b3a963734a87b8197dca6b106b9b2bfaa47a152cd26d3f0dbcc94cad96ad5e82cfbec390242e6adfd0023c62efbc110fec8a177420356efe5adf8051d8b0acc
PEiD..: -

PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x41db09
timedatestamp.....: 0x48243050 (Fri May 09 11:06:56 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x350bb 0x36000 6.61 d7f9a3888ef873e8a66a5ef75280ec7a
.rdata 0x37000 0xb763 0xc000 5.01 781cee8b4262394da3ccceb73a8c24fe
.data 0x43000 0xb760 0x3000 3.16 2b669b77dbae0570d425d6dfcbaf70da
.rsrc 0x4f000 0xaf8 0x1000 4.42 853b1f5de5376361b0ca12f4a6354f1e

( 7 imports )
> WS2_32.dll: -, -, -
> ADVAPI32.dll: SetSecurityDescriptorDacl, InitializeSecurityDescriptor, StartServiceA, QueryServiceStatus, CloseServiceHandle, OpenServiceA, OpenSCManagerA, RegCloseKey, RegQueryValueExA, RegOpenKeyExA, RegSetValueExA, RegDeleteValueA, RegCreateKeyExA, QueryServiceConfigA, RegNotifyChangeKeyValue
> KERNEL32.dll: GlobalAlloc, GlobalFree, lstrcmpA, TlsGetValue, GlobalReAlloc, GlobalHandle, TlsAlloc, TlsSetValue, LocalReAlloc, TlsFree, InterlockedDecrement, InterlockedIncrement, GlobalGetAtomNameA, GetThreadLocale, ResumeThread, GlobalFlags, lstrcmpW, GlobalDeleteAtom, GlobalFindAtomA, GlobalAddAtomA, GetLocaleInfoA, GetCPInfo, GetOEMCP, SetFilePointer, FlushFileBuffers, GlobalLock, CreateFileA, GetFileAttributesA, RaiseException, RtlUnwind, ExitThread, CreateThread, GetSystemTimeAsFileTime, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, HeapFree, HeapReAlloc, GetCommandLineA, GetProcessHeap, GetStartupInfoA, HeapSize, ExitProcess, GetACP, IsValidCodePage, LCMapStringA, LCMapStringW, VirtualFree, HeapDestroy, HeapCreate, GetStdHandle, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetStringTypeA, GetStringTypeW, GetUserDefaultLCID, EnumSystemLocalesA, IsValidLocale, GetConsoleCP, GetConsoleMode, GetLocaleInfoW, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, GlobalUnlock, FormatMessageA, SetLastError, GetCurrentProcess, LoadLibraryW, CreateFileW, WaitNamedPipeW, SetNamedPipeHandleState, WriteFile, SetWaitableTimer, GetOverlappedResult, ReadFile, GetCurrentThreadId, CreateEventW, CreateNamedPipeW, DisconnectNamedPipe, ConnectNamedPipe, lstrlenA, CompareStringA, MultiByteToWideChar, InterlockedExchange, WaitForMultipleObjects, LocalAlloc, LocalFree, CreateProcessA, GetModuleFileNameA, GetTickCount, CopyFileA, TerminateProcess, MoveFileExA, GetVersion, VirtualAlloc, DeleteFileA, Sleep, ResetEvent, SetEvent, TerminateThread, DeleteCriticalSection, CreateEventA, InitializeCriticalSection, GetCurrentDirectoryA, GetComputerNameA, GetTempPathA, GetTempFileNameA, GetSystemDirectoryA, FindFirstFileA, FindNextFileA, FindClose, lstrcmpiA, OpenFile, WideCharToMultiByte, GetVersionExA, GetLastError, EnterCriticalSection, _lclose, LeaveCriticalSection, GetPrivateProfileIntA, FindResourceA, FreeLibrary, LoadResource, LockResource, SizeofResource, CreateMutexA, GetModuleHandleA, WaitForSingleObject, GetExitCodeThread, lstrcpyA, GetCurrentProcessId, OpenProcess, CloseHandle, ReadProcessMemory, WriteProcessMemory, GetProcAddress, LoadLibraryA, InterlockedCompareExchange
> USER32.dll: DestroyMenu, PostQuitMessage, RegisterWindowMessageA, LoadIconA, WinHelpA, GetCapture, GetClassLongA, SetPropA, GetPropA, RemovePropA, GetForegroundWindow, GetTopWindow, DestroyWindow, GetMessageTime, GetMessagePos, MapWindowPoints, SetForegroundWindow, GetClientRect, GetMenu, PostMessageA, CreateWindowExA, GetClassInfoExA, GetClassInfoA, RegisterClassA, AdjustWindowRectEx, CopyRect, DefWindowProcA, CallWindowProcA, SystemParametersInfoA, IsIconic, GetWindowPlacement, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, LoadBitmapA, ModifyMenuA, EnableMenuItem, CheckMenuItem, SetWindowPos, SetWindowLongA, IsWindow, GetDlgItem, GetFocus, ClientToScreen, GetWindow, GetDlgCtrlID, GetWindowRect, GetClassNameA, PtInRect, SetWindowTextA, UnregisterClassA, SetWindowsHookExA, CallNextHookEx, GrayStringA, DrawTextExA, DispatchMessageA, PeekMessageA, ValidateRect, GetWindowTextA, LoadCursorA, GetSystemMetrics, GetDC, ReleaseDC, GetSysColor, GetSysColorBrush, UnhookWindowsHookEx, GetWindowThreadProcessId, SendMessageA, GetParent, GetWindowLongA, GetLastActivePopup, IsWindowEnabled, EnableWindow, MessageBoxA, GetMenuState, GetMenuItemID, GetMenuItemCount, GetSubMenu, wsprintfA, DrawTextA, TabbedTextOutA, GetKeyState
> GDI32.dll: TextOutA, ExtTextOutA, Escape, SelectObject, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowExtEx, ScaleWindowExtEx, RectVisible, DeleteDC, GetStockObject, PtVisible, DeleteObject, GetDeviceCaps, SetMapMode, RestoreDC, SaveDC, SetBkColor, SetTextColor, GetClipBox, CreateBitmap
> WINSPOOL.DRV: OpenPrinterA, DocumentPropertiesA, ClosePrinter
> OLEAUT32.dll: -, -, -

 

( 61 exports )


 

ThreatExpert info: http://www.threatexpert.com/report.aspx?md...809082dfb5a663b


The other service reports nothing.

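A small triage helper, added here and not part of the thread or of VirusTotal, that parses the compact-print engine lines quoted above into a detection ratio and sorts the report's imports into capability groups. The grouping is my own assumption, and the embedded input is a constructed subset of the report above.

```python
import re

# Constructed sample input: four engine lines in the "compact print" layout quoted
# above, and a subset of the imports the report lists (names taken from the post).
VT_RESULTS = """\
AhnLab-V3 2008.7.29.1 2008.08.04 -
F-Secure 7.60.13501.0 2008.08.04 Suspicious:W32/Dzan!Gemini
Kaspersky 7.0.0.125 2008.08.04 -
Symantec 10 2008.08.04 -
"""
IMPORTS = {
    "ADVAPI32.dll": ["OpenSCManagerA", "StartServiceA", "RegSetValueExA",
                     "RegCreateKeyExA", "RegNotifyChangeKeyValue"],
    "KERNEL32.dll": ["GetTempPathA", "GetTempFileNameA", "CopyFileA", "MoveFileExA",
                     "OpenProcess", "WriteProcessMemory", "CreateNamedPipeW"],
}

# Capability groups (my own grouping, not VirusTotal's). Any one of these is ordinary
# in legitimate software; several together in an unsigned file that reappears in
# %TEMP% on every boot is what justifies looking for the dropper that writes it.
CAPABILITIES = {
    "service control": {"OpenSCManagerA", "OpenServiceA", "StartServiceA", "QueryServiceConfigA"},
    "registry write/watch": {"RegSetValueExA", "RegCreateKeyExA", "RegNotifyChangeKeyValue"},
    "self-copy via temp file": {"GetTempPathA", "GetTempFileNameA", "CopyFileA", "MoveFileExA"},
    "cross-process memory write": {"OpenProcess", "WriteProcessMemory"},
    "named-pipe IPC": {"CreateNamedPipeW", "ConnectNamedPipe", "WaitNamedPipeW"},
}

# engine, version, last-update date (YYYY.MM.DD), then the verdict (may contain spaces)
LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")

def parse_results(text):
    """Return {engine: verdict or None}; VirusTotal prints '-' when an engine flags nothing."""
    verdicts = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            engine, _version, _updated, verdict = m.groups()
            verdicts[engine] = None if verdict.strip() == "-" else verdict.strip()
    return verdicts

def detection_ratio(verdicts):
    """(engines that flagged, engines total): the report above would give (1, 36)."""
    return sum(1 for v in verdicts.values() if v), len(verdicts)

def capabilities(imports):
    """Map each capability group to the imported APIs that put the sample in it."""
    names = {fn for fns in imports.values() for fn in fns}
    return {cap: sorted(names & apis) for cap, apis in CAPABILITIES.items() if names & apis}
```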

Thanks.... looks tricky... not too many places seem to have solid info on it yet.


Well, you've scanned a temp file that apparently can reproduce itself to keep it alive.

 

You don't have the 'dropper' file (could look like a normal file) or anything else that looks fishy?

How about email?

How about IM? Is it used?

How about an infected usb flash device?

