Update on my Trojan infection

[jeffc]

FYI:
Several weeks ago I started a thread asking for help with a "virus". I had
a very hard time with this one It was finally discovered by Kaspersky
support staff. Here are some of the symptoms.
- can use IE, but cannot get to common anti-virus web sites or Windows
updates
- can use Google for searches, but IE exits whenever a search term such as
"virus" is used
- Outlook Express works, but some email addresses could not be used, such as
some anti-virus companies
- regedit will not run
- command line will not run, but exits if "dir" is executed on certain file
names
- Task Manager comes up, but Processes page is always blank
- can get to newsgroups with Outlook Express, but OE exits when trying to
get to alt.comp.anti-virus
- anti-virus programs such as Stinger will not run (although it would run if
renamed)
- anti-virus software installation programs will not run (even if renamed)

Needless to say, the above make the Trojan extremely difficult to detect and
remove. To make a *long* story short, since Kaspersky was one of the
anti-virus apps I tried to install, I asked them for help. They sent me a
tool called TroyanFindInfo that reported info from my registry and task list
and created a report. I sent a report to Kaspersky, and they asked for a
few of the files. They then identified 2 of the files as containing the
trojan. I then used a utility called Iarsn TaskInfo2003 to display running
processes. The 2 were running as a service and I stopped them. All the
above problems went away. I then ran Kaspersky AV and it identified
DLLSTAT32.EXE and SVCXNV32.EXE as Backdoor Trojans. Their name for these is
Aebot.k and Pigbot.a respectively. Apparently other AV companies have
different names for these Trojans. Also, my hosts file was corrupted with
multiple entries to the types of web sites mentioned above, and I cleared
that out. As far as I can tell, nothing was "taken" from my computer in
terms of credit card numbers, etc. Not sure if this was a random "hit"
looking for a bigger network to play on or what.

Thanks to those who helped. By the way, I still am not able to access my
WinXP machine from my Win98 machine as connected through my router. But
that is for a rainy day...

 

[David H. Lipman]

If a pseudonym was IRC-AeBot -- http://vil.nai.com/vil/content/v_122315.htm
McAfee has had DAT files to detect it since DAT 4342 (now at 4401)

That McAfee URL unfortunately is sparse of information.

Too bad you did not take me up on my offer on Oct 10.

Dave



| FYI:
| Several weeks ago I started a thread asking for help with a "virus". I had
| a very hard time with this one It was finally discovered by Kaspersky
| support staff. Here are some of the symptoms.
| - can use IE, but cannot get to common anti-virus web sites or Windows
| updates
| - can use Google for searches, but IE exits whenever a search term such as
| "virus" is used
| - Outlook Express works, but some email addresses could not be used, such as
| some anti-virus companies
| - regedit will not run
| - command line will not run, but exits if "dir" is executed on certain file
| names
| - Task Manager comes up, but Processes page is always blank
| - can get to newsgroups with Outlook Express, but OE exits when trying to
| get to alt.comp.anti-virus
| - anti-virus programs such as Stinger will not run (although it would run if
| renamed)
| - anti-virus software installation programs will not run (even if renamed)
|
| Needless to say, the above make the Trojan extremely difficult to detect and
| remove. To make a *long* story short, since Kaspersky was one of the
| anti-virus apps I tried to install, I asked them for help. They sent me a
| tool called TroyanFindInfo that reported info from my registry and task list
| and created a report. I sent a report to Kaspersky, and they asked for a
| few of the files. They then identified 2 of the files as containing the
| trojan. I then used a utility called Iarsn TaskInfo2003 to display running
| processes. The 2 were running as a service and I stopped them. All the
| above problems went away. I then ran Kaspersky AV and it identified
| DLLSTAT32.EXE and SVCXNV32.EXE as Backdoor Trojans. Their name for these is
| Aebot.k and Pigbot.a respectively. Apparently other AV companies have
| different names for these Trojans. Also, my hosts file was corrupted with
| multiple entries to the types of web sites mentioned above, and I cleared
| that out. As far as I can tell, nothing was "taken" from my computer in
| terms of credit card numbers, etc. Not sure if this was a random "hit"
| looking for a bigger network to play on or what.
|
| Thanks to those who helped. By the way, I still am not able to access my
| WinXP machine from my Win98 machine as connected through my router. But
| that is for a rainy day...
|
|

 

[jeffc]

If a pseudonym was IRC-AeBot -- http://vil.nai.com/vil/content/v_122315.htm
McAfee has had DAT files to detect it since DAT 4342 (now at 4401)

That McAfee URL unfortunately is sparse of information.

Too bad you did not take me up on my offer on Oct 10.

What offer

 

[Duane Arnold]

I sent a report to Kaspersky, and they asked for a

few of the files. They then identified 2 of the files as containing the
trojan. I then used a utility called Iarsn TaskInfo2003 to display
running
processes. The 2 were running as a service and I stopped them. All the
above problems went away. I then ran Kaspersky AV and it identified
DLLSTAT32.EXE and SVCXNV32.EXE as Backdoor Trojans. Their name for these
is
Aebot.k and Pigbot.a respectively.

http://www.windowsecurity.com/pages/article_p.asp?id=1122

Anyone, with the proper tools and knew anything about the NT based O/S would
have detected those exe(s) and questioned as to why they were running.

Duane

 

[jeffc]

http://www.windowsecurity.com/pages/article_p.asp?id=1122

Anyone, with the proper tools and knew anything about the NT based O/S would
have detected those exe(s) and questioned as to why they were running.

Golly Duane, you are so smart.

 

[Duane Arnold]

Golly Duane, you are so smart.

Being smart has nothing to do with it and experience does have something to
do with it like been there and done that.

It's just informational and no insult was meant by it. The next time and I
hope it doesn't happen to you, you'll have the proper tools to look for
yourself and track it down as to what is running on the computer.

Duane

 

[rjdriver]

FYI:
Several weeks ago I started a thread asking for help with a "virus". I had
a very hard time with this one It was finally discovered by Kaspersky
support staff. Here are some of the symptoms.
- can use IE, but cannot get to common anti-virus web sites or Windows
updates
- can use Google for searches, but IE exits whenever a search term such as
"virus" is used
- Outlook Express works, but some email addresses could not be used, such as
some anti-virus companies
- regedit will not run
- command line will not run, but exits if "dir" is executed on certain file
names
- Task Manager comes up, but Processes page is always blank
- can get to newsgroups with Outlook Express, but OE exits when trying to
get to alt.comp.anti-virus
- anti-virus programs such as Stinger will not run (although it would run if
renamed)
- anti-virus software installation programs will not run (even if renamed)

Needless to say, the above make the Trojan extremely difficult to detect and
remove. To make a *long* story short, since Kaspersky was one of the
anti-virus apps I tried to install, I asked them for help. They sent me a
tool called TroyanFindInfo that reported info from my registry and task list
and created a report. I sent a report to Kaspersky, and they asked for a
few of the files. They then identified 2 of the files as containing the
trojan. I then used a utility called Iarsn TaskInfo2003 to display running
processes. The 2 were running as a service and I stopped them. All the
above problems went away. I then ran Kaspersky AV and it identified
DLLSTAT32.EXE and SVCXNV32.EXE as Backdoor Trojans. Their name for these is
Aebot.k and Pigbot.a respectively. Apparently other AV companies have
different names for these Trojans. Also, my hosts file was corrupted with
multiple entries to the types of web sites mentioned above, and I cleared
that out. As far as I can tell, nothing was "taken" from my computer in
terms of credit card numbers, etc. Not sure if this was a random "hit"
looking for a bigger network to play on or what.

Thanks to those who helped. By the way, I still am not able to access my
WinXP machine from my Win98 machine as connected through my router. But
that is for a rainy day...

Thanks Jeff. Interesting information on what appears to be a very well
protected trojan.



Bob