-
July 6th, 2005, 04:43 PM
#1
Autoexe.exe (wants morte to serve beer)
Well, there seems to be an infection of some sort on a PC of a relative of mine.
What it does is that it creates a hidden file called autoexe.exe in the WINNT\system32 directory (W2K Pro in use, fully updated). It also adds autoexe.exe to one of the registry's autorun sections, in order to start autoexe.exe on boot. It is titled "Regedit" in the registry.
After boot its operation is almost unnoticeable, and it wouldn't have gotten caught, but then the ISP blocked the traffic and informed them that it could be disturbing the ISP's other clients and should be removed.
The firewall says this autoexe.exe tries to contact morte.servebeer.com at port 6667. I moved autoexe.exe out of system32 and deleted the registry key, and it didn't start on the next boot. However, something still added a new key to the registry, expecting autoexe.exe to still reside in system32.
I ran AVG free antivirus, Ad-Aware, Spybot and A-squared's scanner, but nothing was found. And it is even more complicated because I can't identify the virus myself either. I know of two virus-like programs that do this. One is Trojan.Prova, and the other is a worm called W32/Semapi-A. However, in the case of a Prova infection there should be some other files too, sistrai.exe, for example. And Semapi-A should be accompanied by files like winbios.exe. But the only one of these files I could find was autoexe.exe.
I tried an online scanner but it wouldn't load all of the virus database. I can do it again when I get the chance, but I wonder how possible it is that it was just missed by AVG? And then what to do? I couldn't find any virus-specific removal tool by any antivirus provider that was related to autoexe.exe in any way. And if it's something AVG free leaves undisturbed, what should be done in order to prevent further infections? (These folks aren't really interested in using anything other than Internet Exploder or turning ActiveX's rights on and off. Not because they're stubborn, but because they're quite unfamiliar with computers.)
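The firewall observation in the post above (a binary in system32 calling out to a dynamic-DNS host on the IRC port) is the kind of thing a small egress filter over firewall logs can surface. This is an added Python example, not from the thread; the log line layout and the sample lines are constructed, and the dynamic-DNS zone list is an assumption covering a few well-known free providers.

```python
import re
from collections import namedtuple

# Constructed sample of personal-firewall log lines (not taken from the thread); the
# column layout is an assumption: timestamp, process path, direction, protocol, host:port, action.
SAMPLE_LOG = """\
2005-07-06 16:10:02 C:\\WINNT\\system32\\autoexe.exe OUT TCP morte.servebeer.com:6667 ALLOW
2005-07-06 16:10:05 C:\\Program Files\\Internet Explorer\\iexplore.exe OUT TCP www.example.com:80 ALLOW
2005-07-06 16:11:40 C:\\WINNT\\system32\\autoexe.exe OUT TCP morte.servebeer.com:6667 ALLOW
2005-07-06 16:12:01 C:\\WINNT\\system32\\svchost.exe OUT UDP 192.0.2.53:53 ALLOW
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proc>.+?) (?P<direction>IN|OUT) (?P<proto>TCP|UDP) "
    r"(?P<host>[^:\s]+):(?P<port>\d+) (?P<action>\w+)$")

IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697}              # classic IRC ports used by bot C2
DYNDNS_ZONES = ("servebeer.com", "no-ip.com", "dyndns.org")   # assumed list of free dynamic-DNS zones
SYSTEM_DIRS = ("c:\\winnt\\system32\\", "c:\\windows\\system32\\")

Event = namedtuple("Event", "ts proc direction proto host port action")

def parse_log(text):
    """Parse the assumed log format into Event tuples, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            events.append(Event(**d))
    return events

def in_dyndns_zone(host):
    """True if host is exactly one of the zones or a subdomain of one (no substring matches)."""
    h = host.lower()
    return any(h == z or h.endswith("." + z) for z in DYNDNS_ZONES)

def suspicious_egress(events):
    """Return {process path: sorted reasons} for outbound connections matching the thread's pattern:
    an IRC port, a dynamic-DNS destination, or both, with an extra note when the binary sits in system32."""
    findings = {}
    for e in events:
        if e.direction != "OUT":
            continue
        reasons = set()
        if e.port in IRC_PORTS:
            reasons.add(f"IRC port {e.port}")
        if in_dyndns_zone(e.host):
            reasons.add(f"dynamic-DNS host {e.host}")
        if reasons and e.proc.lower().startswith(SYSTEM_DIRS):
            reasons.add("initiated from system32")
        if reasons:
            findings.setdefault(e.proc, set()).update(reasons)
    return {p: sorted(r) for p, r in findings.items()}
```

On the sample, only autoexe.exe is reported; the browser's port-80 traffic and svchost's DNS lookup pass through untouched.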
-
July 6th, 2005, 04:58 PM
#2
MegaMod
I was able to find these on Symantec's website:
http://[email protected]
http://securityresponse.symantec.com...jan.prova.html
Concerning trojan.prova:
NOTE: This Trojan does not function correctly under Windows NT/2000/XP.
Maybe this is why it's missing some of the files that you think should be there.
Autoexe.exe: This file is created by the Sistray.exe executable that the Trojan drops.
Do the following to remove Trojan.Prova:
Run NAV, and delete all files that are detected as Trojan.Prova.
Search for and remove all copies of Sistrai.exe, and then delete all other associated files.
Remove the values that the Trojan added to the registry.
There are also other steps to follow to clean up the registry, etc.
Last edited by DonJ; July 6th, 2005 at 05:05 PM.
-
July 6th, 2005, 05:41 PM
#3
Driver Terrier
Originally Posted by AScannerDarkly
Well, there seems to be an infection of some sort on a PC of a relative of mine...
If it's a trojan go to www.emsisoft.com and download a-squared - they do a free version. It used to be called anti-trojan - but it has come a long way since then... it now finds diallers, worms, trojans and spyware... it is not anti virus, so if this is a virus, a-squared won't get it... if it's anything else, it will.
Never, ever approach a computer saying or even thinking "I will just do this quickly."
-
July 7th, 2005, 05:47 PM
#4
Registered User
Another little tool that I seem to be using more and more: http://www.sysinternals.com/utilities/autoruns.html. Current version of HijackThis can kill many malware processes and delete their related files at reboot.
-
July 11th, 2005, 01:50 PM
#5
Registered User
When I do a manual seek&destroy of a virus, I like to Explore to System32 and sort by "modified". Look for the newest EXE's, BAT's, COM's, etc. Right-click them and try to go to "Properties" to see if you can get a clue what each is. Some components might have fake Microsoft comments, and others might have blatant "Ha, Ha! Sucker!", but I still like to see the version/company/comment stuff.
You might find a re-installer or compiler. If certain, delete it, and if not certain, rename it.
Then reboot and see what good you did.
Helps to have a 2nd computer to do research on. If you find something suspicious, see if the other computer has a file of the same name, in the same place.
If it's a new variant that no scanner will clean, wait a few days and try downloading new antivirus definitions or scanners again. A few months ago I found an infection and scanned with McAfee. McAfee wouldn't clean it but told me what it was. I manually removed it. Our Norton didn't know about the new virus until 4 days later.
(Not bashing Norton. There are lots of good companies out there, lots of viruses, and they don't all get everything immediately.)
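The manual triage in the post above (open system32, sort by modified date, look at the newest EXE/BAT/COM files first) as an added Python example that is not from the thread. It builds a constructed temporary directory standing in for WINNT\system32, with file ages set via os.utime, and lists the recently modified executable-type files newest first; .scr, .pif and .dll are added to the poster's extension list as an assumption.

```python
import os
import tempfile
import time
from pathlib import Path

# The poster's EXE/BAT/COM list plus a few other extensions droppers commonly use (assumption).
EXEC_EXTS = {".exe", ".bat", ".com", ".scr", ".pif", ".dll"}

def recent_executables(directory, days=30, now=None):
    """Executable-type files in `directory` modified within the last `days`, newest first.
    Returns (name, mtime) tuples. Path.iterdir() lists hidden files as well, which matters
    here because the thread's autoexe.exe was a hidden file."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    for p in Path(directory).iterdir():
        if p.is_file() and p.suffix.lower() in EXEC_EXTS:
            mtime = p.stat().st_mtime
            if mtime >= cutoff:
                hits.append((p.name, mtime))
    hits.sort(key=lambda t: t[1], reverse=True)
    return hits

def build_sample_dir():
    """Constructed stand-in for system32: a few old 'system' files and one fresh dropper-like file.
    Contents are placeholder bytes; only names and modification times matter for the triage."""
    d = tempfile.mkdtemp()
    now = time.time()
    ages = [("kernel32.dll", 400), ("cmd.exe", 400), ("notepad.exe", 90),
            ("autoexe.exe", 1), ("readme.txt", 0)]
    for name, age_days in ages:
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(b"MZ")  # placeholder, not a real executable
        stamp = now - age_days * 86400
        os.utime(path, (stamp, stamp))
    return d

if __name__ == "__main__":
    sample = build_sample_dir()
    for name, mtime in recent_executables(sample, days=30):
        print(time.strftime("%Y-%m-%d", time.localtime(mtime)), name)
```

Widening `days` pulls older files like notepad.exe into view, so start narrow and only widen when nothing obvious turns up.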
-
July 11th, 2005, 02:14 PM
#6
Geezer
Originally Posted by JeffO93
When I do a manual seek&destroy of a virus, I like to Explore to System32 and sort by "modified". Look for the newest EXE's, BAT's, COM's, etc...
If you use a software firewall to do 'whitelisting' you'd know already about any modifications to 'called programs'. It's a 'forgotten feature' of software firewalls, but I think it's very handy.