Kirk,
Just curious...
Do you only get that pop-up when you launch www.aol.com or does it happen
with any other website?
I see that you have an AOL.com account so let me ask you this, do you get
that error on the AOL browser or IE browser? If only on the IE browser, have
you tried the AOL browser? Do you get the same error?
Norton AV, when did you last update the .dat version for this AV? Make sure
you get ALL the updates (you might have to reboot a couple of times), Live
Update should be enabled on your Control Panel, so make sure you leave it
interactive if this is something you want to do all the time or automatic if
this is something you don't want to deal with all the time.
If all the above is in order you can visit a couple of sites that will do
a scan of your PC for you. However, if you have AOL (dial-up) it might take
some time...Broadband should be the one to go...
You can check Symantec.com, TrendMicro.com, Qualys.com so you can get some
ideas on what could be wrong.
CA Online Scanner =>
http://www3.ca.com/threatinfo/virusinfo/scan.aspx
Win32.Winshow Description
Win32.Winshow is a trojan that redirects the user's Internet Explorer start
page and search URLs. Its main intention is to get more visits to web pages
owned by the trojan authors.
The trojan itself consists of an executable and a DLL. The executable file
name varies; a common example is "Q230903.EXE".
When run, the executable file downloads the DLL, called "winshow.dll" from
the web server 00hq.com. It stores this DLL in a directory called "winshow",
which it creates inside the "Application Data" directory, for example:
C:\Documents and Settings\username\Application Data\winshow\winshow.dll
Where "username" is the name of the user who ran the trojan.
After downloading, the trojan tells the DLL to "register" itself. The DLL
then registers itself in a similar way to many advertising programs. It does
this so that it can update itself when necessary. It then changes several
registry values associated with Internet Explorer:
1. HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page=http://www.searchv.com/w/
2. HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page=http://www.searchv.com/w/search.html
3. HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar="http://www.searchv.com/w/search.html"
4. HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Use Search Asst="no"
5. HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\(Default)=http://www.searchv.com/w/
6. HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant=http://www.searchv.com/w/search.html
7. HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\CustomizeSearch=http://www.searchv.com/w/search.html
8. HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant=http://www.searchv.com/w/search.html
9. HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch=http://www.searchv.com/w/search.html
10. HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\Default_Search_URL=http://www.searchv.com/w/search.html
11. HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL=http://www.searchv.com/w/
12. HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL=http://www.searchv.com/w/search.html
13. HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page=http://www.searchv.com/w/search.html
14. HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page="http://www.searchv.com/"
These values are only set if their parent keys already exist. For example,
in lab tests on Windows XP, the value
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant
was not set because the key
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search
did not exist.
The trojan saves backup copies of any of the above values before it replaces
them. These backup copies are stored in the key:
HKEY_CURRENT_USER\SOFTWARE\WinShow\WinShow\Save
in values named "Save 1", "Save 2", etc., up to "Save 14", where each number
corresponds to the number of the registry entry above. In each case, if no
value originally existed, no backup value is made.
At the time of writing, the IE start and search pages set by the trojan will
attempt to exploit an object tag vulnerability in order to install the
trojan executable. For more information, please visit:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-040.asp
If an infected machine is vulnerable, the trojan will be reinstalled
whenever IE loads the start page or attempts to perform a search.
The trojan also creates the following registry values for its own use:
HKEY_CURRENT_USER\SOFTWARE\WinShow\WinShow\Counter
HKEY_CURRENT_USER\SOFTWARE\WinShow\WinShow\LastDay
HKEY_CURRENT_USER\SOFTWARE\WinShow\WinShow\LastUpdate
HKEY_CURRENT_USER\SOFTWARE\WinShow\WinShow\ModuleVersion
HKEY_CURRENT_USER\SOFTWARE\WinShow\WinShow\ConfigVersion
HKEY_CURRENT_USER\SOFTWARE\WinShow\WinShow\DictVersion
Good Luck,
GX
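
Added example, not part of the original message or the vendor description: a Python sketch that reads the text of a registry export (.reg), flags any of the 14 listed values that point at searchv.com, and pairs each with its "Save N" backup so the pre-infection value can be restored. It assumes plain string (REG_SZ) values only; the sample export and the example.org URL are constructed.

```python
import re

HKCU, HKLM = "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"
IE = r"Software\Microsoft\Internet Explorer"
# The 14 values from the description, in its numbering ("" = the (Default) value).
ENTRIES = [
    (HKCU, "Main", "Start Page"), (HKCU, "Main", "Search Page"),
    (HKCU, "Main", "Search Bar"), (HKCU, "Main", "Use Search Asst"),
    (HKCU, "SearchUrl", ""), (HKCU, "Search", "SearchAssistant"),
    (HKCU, "Search", "CustomizeSearch"), (HKLM, "Search", "SearchAssistant"),
    (HKLM, "Search", "CustomizeSearch"), (HKLM, "Search", "Default_Search_URL"),
    (HKLM, "Main", "Default_Page_URL"), (HKLM, "Main", "Default_Search_URL"),
    (HKLM, "Main", "Search Page"), (HKLM, "Main", "Start Page"),
]
SAVE_KEY = HKCU + r"\SOFTWARE\WinShow\WinShow\Save"

def parse_reg(text):
    """Parse string values from .reg text into {(key, name): value}; keys and names lower-cased."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()  # registry paths are case-insensitive
        elif key and (m := re.match(r'^(@|"(.*?)")="(.*)"$', line)):
            values[(key, (m.group(2) or "").lower())] = m.group(3)
    return values

def triage(values):
    """Return (entry number, path, current value, saved original or None) per suspect entry."""
    findings = []
    for n, (hive, sub, name) in enumerate(ENTRIES, 1):
        key = f"{hive}\\{IE}\\{sub}"
        current = values.get((key.lower(), name.lower()))
        saved = values.get((SAVE_KEY.lower(), f"save {n}"))
        # Suspect if a backup exists for this entry or the value points at searchv.com.
        if saved is not None or (current and "searchv.com" in current.lower()):
            findings.append((n, f"{key}\\{name or '(Default)'}", current, saved))
    return findings

# Constructed sample export (not captured from a real machine).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.searchv.com/w/"
"Search Page"="http://www.searchv.com/w/search.html"

[HKEY_CURRENT_USER\SOFTWARE\WinShow\WinShow\Save]
"Save 1"="http://www.example.org/"
'''
print(*triage(parse_reg(SAMPLE)), sep="\n")
```

A finding whose saved value is None means no backup was made, which per the description above means the value did not exist before the change.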