unknown email outgoing


Peter

i notice that my anti-virus program came up and tells me that an e-mail
message is to be sent out. (firewall is set to only send when i allow it
to.)

the address to where the e-mail is to go is flosmanta.bellcom.cz

going to the site by ie, it tells me that i need a password to access.

is this another spyware program that i have on my system?
 
From: "Peter" <[email protected]>

| i notice that my anti-virus program came up and tells me that an e-mail
| message is to be sent out. (firewall is set to only send when i allow it
| to.)
|
| the address to where the e-mail is to go is flosmanta.bellcom.cz
|
| going to the site by ie, it tells me that i need a password to access.
|
| is this another spyware program that i have on my system?
|


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *
 
i have avg free and avast free running on the system.
i also have outpost pro (firewall) that has anti-spyware included.

i had run scan with all three and found nothing.
then this morning, avg tells me that the file MswService.exe backup copy is
infected with the virus
Trojan horse Dropper Generic FKM
stored in program files/common files/microsoft shared/temp/

auto quarantined the file.
 
From: "Peter" <[email protected]>

| i have avg free and avast free running on the system.
| i also have outpost pro (firewall) that has anti-spyware included.
|
| i had run scan with all three and found nothing.
| then this morning, avg tells me that the file MswService.exe backup copy is
| infected with the virus
| Trojan horse Dropper Generic FKM
| stored in program files/common files/microsoft shared/temp/
|
| auto quarantined the file.
|



Please submit a sample of "MswService.exe" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.
 
David H. Lipman said:
From: "Peter" <[email protected]>

| i have avg free and avast free running on the system.
| i also have outpost pro (firewall) that has anti-spyware included.
|
| i had run scan with all three and found nothing.
| then this morning, avg tells me that the file MswService.exe backup copy is
| infected with the virus
| Trojan horse Dropper Generic FKM
| stored in program files/common files/microsoft shared/temp/
|
| auto quarantined the file.
|

Please submit a sample of "MswService.exe" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.

i tried to submit it by both methods (web and e-mail, web submission and
outlook express)
the file's size comes up as zero. avg will not let me have access to it.
 
From: "Peter" <[email protected]>


|
| i tried to submit it by both methods (web and e-mail, web submission and
| outlook express)
| the file's size comes up as zero. avg will not let me have access to it.
|

The operating system has the file handle open and thus the file can't be scanned or deleted.

You can Kill the process by using software such as Process Explorer by Sysinternals.
http://www.sysinternals.com/Utilities/ProcessExplorer.html

Once the process is Killed you can then submit it for analysis.
 
David H. Lipman said:
From: "Peter" <[email protected]>

| i tried to submit it by both methods (web and e-mail, web submission and
| outlook express)
| the file's size comes up as zero. avg will not let me have access to it.
|

The operating system has the file handle open and thus the file can't be scanned or deleted.

You can Kill the process by using software such as Process Explorer by Sysinternals.
http://www.sysinternals.com/Utilities/ProcessExplorer.html

Once the process is Killed you can then submit it for analysis.

killed all anti-virus programs. but the system would not allow access to the
file.
so, i booted the system in dos and copied the file onto a floppy.
the system still would not give me access to it.

waited for the program folding@home to finish.
wanted to try the new vista beta, so i wiped the hard drive and installed
vista.

was able to submit it then.

results.
AntiVir             6.35.0.16       06.26.2006  TR/Drop.Microjoin.BR
Authentium          4.93.8          06.23.2006  no virus found
Avast               4.7.844.0       06.26.2006  no virus found
AVG                 386             06.26.2006  Dropper.Generic.FKM
BitDefender         7.2             06.26.2006  MemScan:Adware.WinAD.BV
CAT-QuickHeal       8.00            06.26.2006  no virus found
ClamAV              devel-20060426  06.26.2006  no virus found
DrWeb               4.33            06.26.2006  Adware.Winad.154
eTrust-InoculateIT  23.72.49        06.25.2006  no virus found
eTrust-Vet          12.6.2275       06.26.2006  no virus found
Ewido               3.5             06.26.2006  Dropper.Microjoin.br
Fortinet            2.77.0.0        06.26.2006  W32/Microjoin.BR!tr
F-Prot              3.16f           06.23.2006  no virus found
Ikarus              0.2.65.0        06.26.2006  Trojan-Dropper.Win32.Microjoin.br
Kaspersky           4.0.2.24        06.26.2006  Trojan-Dropper.Win32.Microjoin.br
McAfee              4793            06.26.2006  no virus found
Microsoft           1.1481          06.25.2006  no virus found
NOD32v2             1.1625          06.26.2006  no virus found
Norman              5.90.21         06.26.2006  W32/Microjoin.WV
Panda               9.0.0.4         06.26.2006  no virus found
Sophos              4.07.0          06.26.2006  no virus found
Symantec            8.0             06.26.2006  no virus found
TheHacker           5.9.8.165       06.26.2006  Trojan/Dropper.Microjoin.br
UNA                 1.83            06.26.2006  TrojanDropper.Win32.Microjoin
VBA32               3.11.0          06.26.2006  Trojan-Dropper.Win32.Microjoin.br
VirusBuster         4.3.7:9         06.25.2006  no virus found
 
From: "Peter" <[email protected]>


| killed all anti-virus programs. but the system would not allow access to the
| file.
| so, i booted the system in dos and copied the file onto a floppy.
| the system still would not give me access to it.
|
| waited for the program folding@home to finish.
| wanted to try the new vista beta, so i wiped the hard drive and installed
| vista.
|
| was able to submit it then.
|
| results.
| AntiVir             6.35.0.16       06.26.2006  TR/Drop.Microjoin.BR
| Authentium          4.93.8          06.23.2006  no virus found
| Avast               4.7.844.0       06.26.2006  no virus found
| AVG                 386             06.26.2006  Dropper.Generic.FKM
| BitDefender         7.2             06.26.2006  MemScan:Adware.WinAD.BV
| CAT-QuickHeal       8.00            06.26.2006  no virus found
| ClamAV              devel-20060426  06.26.2006  no virus found
| DrWeb               4.33            06.26.2006  Adware.Winad.154
| eTrust-InoculateIT  23.72.49        06.25.2006  no virus found
| eTrust-Vet          12.6.2275       06.26.2006  no virus found
| Ewido               3.5             06.26.2006  Dropper.Microjoin.br
| Fortinet            2.77.0.0        06.26.2006  W32/Microjoin.BR!tr
| F-Prot              3.16f           06.23.2006  no virus found
| Ikarus              0.2.65.0        06.26.2006  Trojan-Dropper.Win32.Microjoin.br
| Kaspersky           4.0.2.24        06.26.2006  Trojan-Dropper.Win32.Microjoin.br
| McAfee              4793            06.26.2006  no virus found
| Microsoft           1.1481          06.25.2006  no virus found
| NOD32v2             1.1625          06.26.2006  no virus found
| Norman              5.90.21         06.26.2006  W32/Microjoin.WV
| Panda               9.0.0.4         06.26.2006  no virus found
| Sophos              4.07.0          06.26.2006  no virus found
| Symantec            8.0             06.26.2006  no virus found
| TheHacker           5.9.8.165       06.26.2006  Trojan/Dropper.Microjoin.br
| UNA                 1.83            06.26.2006  TrojanDropper.Win32.Microjoin
| VBA32               3.11.0          06.26.2006  Trojan-Dropper.Win32.Microjoin.br
| VirusBuster         4.3.7:9         06.25.2006  no virus found


Well, if your drive is wiped then that's that!

However, I suggest submitting this infector in a password protected ZIP file with the
password being; infected { password = infected } to the AV companies that did NOT
recognize this infector.

The following web page has numerous Anti Malware vendor submission addresses...
http://www.ik-cs.com/suspicious-files.htm
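
An added example, not part of the thread: one way to read a multi-scanner listing like the one posted above, rejoin the rows whose detection name wrapped onto the next line, and list the engines that reported the sample clean, which are the vendors the last reply suggests submitting to. The function names and the family keyword list are assumptions made for this illustration.

```python
import re
from collections import Counter

# Excerpt of the scan listing posted in the thread, keeping the wrapped rows
# where the detection name fell onto the following line.
SAMPLE = """\
AntiVir 6.35.0.16 06.26.2006 TR/Drop.Microjoin.BR
Avast 4.7.844.0 06.26.2006 no virus found
AVG 386 06.26.2006 Dropper.Generic.FKM
BitDefender 7.2 06.26.2006 MemScan:Adware.WinAD.BV
Kaspersky 4.0.2.24 06.26.2006
Trojan-Dropper.Win32.Microjoin.br
McAfee 4793 06.26.2006 no virus found
UNA 1.83 06.26.2006
TrojanDropper.Win32.Microjoin
VirusBuster 4.3.7:9 06.25.2006 no virus found
"""

ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s*(.*)$")
CLEAN = "no virus found"

def parse_results(text):
    """Return [engine, version, date, verdict] rows, rejoining wrapped verdicts."""
    rows = []
    for raw in text.splitlines():
        line = raw.lstrip("|> ").strip()    # tolerate quoted copies of the listing
        m = ROW.match(line)
        if m:
            rows.append(list(m.groups()))
        elif line and rows and not rows[-1][3]:
            rows[-1][3] = line              # verdict wrapped onto its own line
    return rows

def missed_by(rows):
    """Engines that reported the sample clean: the vendors to send it to."""
    return [r[0] for r in rows if r[3].lower() == CLEAN]

def family_votes(rows):
    """Count detections by a coarse family keyword (assumed list) in the verdict."""
    votes = Counter()
    for row in rows:
        if row[3] and row[3].lower() != CLEAN:
            m = re.search(r"microjoin|winad|generic", row[3], re.I)
            votes[m.group(0).lower() if m else "other"] += 1
    return votes

if __name__ == "__main__":
    rows = parse_results(SAMPLE)
    print("not detected by:", missed_by(rows), "| families:", dict(family_votes(rows)))
```

Differing names across engines (Microjoin, WinAD, Generic) are normal for the same file; the vote count shows which label most engines agree on.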
 