REQ: German -> English translation : TR/Small.Dld.FO worm

  • Thread starter Thread starter REM
  • Start date Start date
R

REM

This is the only information I've found concerning the virus I have.
I'm currently on the 4th clean install.

From what I've gathered this is an IE Active-X exploit. HijackThis
located the startup entries that silently download a worm and a
dialer.

I thought I had stopped the thing, but in reality the worm program was
simply removed from the http address in the startup. The dialer is
still there. And I still have the infection.

I can kinda guess what these pages are saying, but I'd prefer a
translation:

http://www.trojaner-board.de/forum/ultimatebb.cgi?ubb=get_topic;f=6;t=005165;p=


http://www.bsi.bund.de/av/texte/wiederher.htm#WindowsXP


http://www.virus-aktuell.de/foren/messages/1/1114.html?1081113214


This is similar to the entry HijackThis found, except that mine also
has a dialer file. I removed it, yet I still have the infection. If
anyone running XP is suspicious to identify that particular bug run
HijackThis and look for a startup entry similar to the following.
There are other variations of */Small*.* also...

O16 - DPF: {11111111-1111-1111-1111-111111111111} -
mhtml:file://C:NXSFT.MHT!http://66.117.38.54:80/iex/ofile.exe


HijackThis:

http://www.spywareinfo.com/~merijn/
 
On that special day, REM, ([email protected]) said...
This is the only information I've found concerning the virus I have.
Click to expand...
I thought I had stopped the thing, but in reality the worm program was
simply removed from the http address in the startup. The dialer is
still there. And I still have the infection.

I can kinda guess what these pages are saying, but I'd prefer a
translation:

http://www.trojaner-board.de/forum/ultimatebb.cgi?ubb=get_topic;f=6;t=005165;p=
Click to expand...

The downloader trojan was found in the system restore. After purging, it
was gone.
http://www.bsi.bund.de/av/texte/wiederher.htm#WindowsXP
Click to expand...

This one only tells you how to disable system restore.
http://www.virus-aktuell.de/foren/messages/1/1114.html?1081113214
Click to expand...

In this case, the offending file was found in the Temporary Internet
Files, which had to be purged, by using the Internet Explorer settings.
O16 - DPF: {11111111-1111-1111-1111-111111111111} -
mhtml:file://C:NXSFT.MHT!http://66.117.38.54:80/iex/ofile.exe
Click to expand...

Does that mean, you executed the file somehow? And now it is constantly
being fetched from said IP number and executed, if the link is used
(probably on startup of Wi8ndows, trying to access the internet).

I am afraid you will have to use a specific trojan remover. Use it in
Safe Mode.

66.117.38.54 is a machine run inside Carpathia Hosting (ugh, the
Carpathes are a mountain range in Romania - what's that? A dependancy of
Vlad the Impaler?)

Maybe it is making use of a bug in the help file system, that allows for
downloading files and executing them in system context, which has been
around for some time. Did you update your Windows properly?

BTW: this topic is far more related to viruses, so please let us discuss
it in alt.comp.anti-virus

Follow-Up is set to there.


Gabriele Neukam

(e-mail address removed)
 
Back
Top