Virus inside an Agent *.dat file?

  • Thread starter: col_klink

col_klink

Here is a weird one.
Stinger was the only one to catch it.
NOD32, Norton, AVG and F-Protect all missed it on deep scan settings.

Backdoor-JZ trojan found in c:\agent\data\000005DE.DAT\000000d3d.EML\Parish_Hilton.scr
(yes, Parish is spelled wrong, I know).

If I browse the file with wordpad I find this:


This is a multi-part message in MIME format

--=_NextPart_2rfkindysadvnqw3nerasdf
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

Parish Hilton having sex


--=_NextPart_2rfkindysadvnqw3nerasdf
Content-Type: application/octet-stream;
name="Parish_Hilton.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="Parish_Hilton.scr"


And a whole bunch of ASCII stuff after it including many other normal things
that he seems to have downloaded like *.mp3's etc.

Is this a false positive?
The dates on that file are from about a month ago, and while he might have
downloaded something back then, it appears gone now, but the leftover record of
what was downloaded seems to be in the DAT file and is triggering Stinger.

Any ideas?
Comments?

TIA
 
This was a virus file with an .scr extension; I do not know the details,
but this info is from a Google search.
If the AVs have missed it, it may well be a trojan. I would do a scan
with Spybot
http://www.safer-networking.org/index.php?page=mirrors
to make sure that it has not been installed.

Taff..................


Thanks Taff!
I know it's one of the backdoor trojans spread via the scr file type.
It's definitely NOT on the system in question, but I think the *.DAT file that
Agent and FreeAgent use holds some kind of a database or log of what was
downloaded, but not necessarily what was executed.
This particular system is running NOD32, and I'm sure that if it was real code, rather
than just a log with the name of the program etc., NOD32 would find it.

As a test I wandered over to some of the porn groups and within 5 minutes I
found several "Parish_Hilton.scr" trojans and NOD32 nailed them every time.

I ran Spybot as you suggested and all looks clean.
Also did the online scan from Trend, which I like as well, and it was clean.
I also checked for indications of that particular trojan and it looks clean so
what I suspect is the user downloaded the file but never executed it and the
*.dat file is just showing that it was downloaded at one time.
 
Here is a weird one.
Stinger was the only one to catch it.
NOD32, Norton, AVG and F-Protect all missed it on deep scan settings.

Backdoor-JZ trojan found in c:\agent\data\000005DE.DAT\000000d3d.EML\Parish_Hilton.scr
(yes, Parish is spelled wrong, I know).
[snip]

And a whole bunch of ASCII stuff after it including many other normal things
that he seems to have downloaded like *.mp3's etc.

Is this a false positive?
The dates on that file are from about a month ago and while he might have
downloaded something back then it appears gone now but the leftover record of
what was downloaded seems to be in the DAT file and is triggering Stinger.

Any ideas?
Comments?

what happens if you extract the .scr file from the dat file and save it
to your hard disk - will the above mentioned AVs detect it then?

my suspicion is that they simply can't parse that particular data file
structure... no biggie there, since the malware would have to be
extracted before it gets run anyways...
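An added example (not code from anyone in this thread) of the extraction the last reply suggests: it carves the MIME parts out of a DAT-style blob, recovers the boundary from the delimiter lines (the record's own headers may not survive inside the DAT file, which is an assumption here), base64-decodes any attachment with an executable extension and reports its size and SHA-256 so the decoded bytes, rather than the base64 text, can be handed to a scanner. The sample record is constructed to mirror the quoted dump, with a harmless string in place of the real attachment.

```python
import base64
import email.policy
import hashlib
import re
# File types Windows runs on double-click; .scr is the one from the thread.
RISKY_EXTENSIONS = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")
# Constructed stand-in for the ASCII region of an Agent *.DAT file: a record shaped
# like the quoted dump, wrapped in junk, with a harmless string as the "attachment".
SAMPLE_PAYLOAD = b"MZ this is not a real screensaver"
SAMPLE_DAT = (
    b"...binary record junk...\r\nThis is a multi-part message in MIME format\r\n\r\n"
    b"--=_NextPart_2rfkindysadvnqw3nerasdf\r\n"
    b"Content-Type: text/plain\r\nContent-Transfer-Encoding: 7bit\r\n\r\n"
    b"Parish Hilton having sex\r\n\r\n"
    b"--=_NextPart_2rfkindysadvnqw3nerasdf\r\n"
    b'Content-Type: application/octet-stream;\r\n\tname="Parish_Hilton.scr"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment;\r\n\tfilename="Parish_Hilton.scr"\r\n\r\n'
    + base64.encodebytes(SAMPLE_PAYLOAD)
    + b"--=_NextPart_2rfkindysadvnqw3nerasdf--\r\n...more records, *.mp3 names...\r\n"
)
# A part delimiter line: "--<boundary>" or the closing "--<boundary>--".
BOUNDARY_LINE = re.compile(rb"^--([^\s-]\S*?)(?:--)?\r?$", re.M)


def carve_multipart_blocks(blob: bytes):
    """Yield one synthetic MIME message per boundary seen in the blob: the boundary
    is recovered from the delimiter lines and a fresh Content-Type header is added."""
    seen = set()
    for m in BOUNDARY_LINE.finditer(blob):
        boundary = m.group(1)
        if boundary in seen:
            continue
        seen.add(boundary)
        closing = blob.find(b"--" + boundary + b"--", m.start())
        end = len(blob) if closing < 0 else closing + len(boundary) + 4
        header = b'Content-Type: multipart/mixed; boundary="' + boundary + b'"\r\n\r\n'
        yield header + blob[m.start():end] + b"\r\n"


def risky_attachments(blob: bytes):
    """Decode each attachment with a risky extension; return (name, size, sha256)
    so the real bytes, not the base64 text, can be handed to a scanner."""
    found = []
    for record in carve_multipart_blocks(blob):
        msg = email.message_from_bytes(record, policy=email.policy.default)
        for part in msg.walk():
            name = part.get_filename() or ""
            if not name.lower().endswith(RISKY_EXTENSIONS):
                continue
            data = part.get_payload(decode=True)  # undoes the base64 layer
            found.append((name, len(data), hashlib.sha256(data).hexdigest()))
    return found
```

Writing each decoded attachment to a quarantine directory and pointing the on-demand scanner at it gives the AV engines a plain file to judge, which is the test the reply above proposes.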
 