virus/trojan/worm?

jamie

all,
I have a potential virus/trojan/worm that does not appear to
be detected by Norton Antivirus.

Details:

I received this email:

Subject Re: mail delivery system Show full header
This mail was generated automatically.
More info about --GARFIELD-- under: http://www.garfield.tktech.ac.za

-------
Occured_Errors:

15.135.17.78_failed_after_I_sent_the_message.
% 266: mailbox_unavailable
% 311: Remote_host_said:_delivery_error
% 187: This_account_has_been_disabled_[#190].

End
-------

The full mail is attached.

Auto_Mail.System: [garfield]"

The email contains the attachment mail.zip.

The zip contains a file message_text.txt. This is in fact an executable,
but Windows reports it incorrectly as a txt file. (I am running Service
Pack two, with all of Microsoft's latest updates).

When executed, the program reports a Winzip fault. Funny? I am not
running Winzip... using WinAce.

The program installs two processes, which seem to have different names
each time the program is run.

The first time I ran the program it installed:
C:\WINDOWS\system32\cryptdiscdir.exe
C:\WINDOWS\system32\dirrun.exe
The second time I ran the program it installed:
C:\WINDOWS\system32\diagexpoler.exe
C:\WINDOWS\system32\windiagdisc.exe
It adds these to the Windows system startup (i.e.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
registry key) i.e.
servicerun C:\WINDOWS\system32\diagexpoler.exe
spooldiagx C:\WINDOWS\system32\windiagdisc.exe %srun%
After a while, these processes attempt to access the Internet. I have
not had the chance to investigate this further.
Do you recognize this behavior?

Thanks in advance,

egg
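As an added example (not code from the thread), here is a small Python triage of Run-key autostart entries of the kind jamie lists above. It parses an exported "name REG_SZ data" listing and flags entries whose binary autostarts from system32 without being on a known-good list, or whose command line carries an unexpanded %...% token as the second entry does. The export text is constructed here; the ctfmon.exe entry is included as an assumed benign control and the allowlist is an assumption.

```python
"""Triage of HKCU Run-key autostart entries (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Constructed sample: the two entries reported in the post plus one ordinary
# Windows XP autostart (ctfmon.exe, assumed benign) as a control.
SAMPLE_RUN_EXPORT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    servicerun    REG_SZ    C:\WINDOWS\system32\diagexpoler.exe
    spooldiagx    REG_SZ    C:\WINDOWS\system32\windiagdisc.exe %srun%
"""

# Assumed allowlist of binaries that legitimately autostart from system32.
KNOWN_SYSTEM32_AUTOSTARTS = {"ctfmon.exe"}

ENTRY_RE = re.compile(r"^\s*(\S+)\s+REG_SZ\s+(.+?)\s*$")
# Unquoted image path ending in an executable extension, then optional arguments.
IMAGE_RE = re.compile(r"^(.*?\.(?:exe|com|scr|pif|bat|cmd))(?:\s+(.*))?$", re.I)


@dataclass
class RunEntry:
    name: str      # value name shown in the Run key
    image: str     # executable path
    args: str      # remaining command line


def split_command(command):
    """Separate the image path from its arguments, handling quoted paths."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end], command[end + 1:].strip()
    m = IMAGE_RE.match(command)
    if m:
        return m.group(1), (m.group(2) or "")
    parts = command.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def parse_run_entries(text):
    """Turn an exported Run-key listing into RunEntry objects."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # key path line or blank line
        name, command = m.groups()
        image, args = split_command(command)
        entries.append(RunEntry(name=name, image=image, args=args))
    return entries


def suspicious_reasons(entry):
    """Return the list of reasons an autostart entry deserves a closer look."""
    reasons = []
    image_lower = entry.image.lower()
    basename = image_lower.rsplit("\\", 1)[-1]
    if "\\system32\\" in image_lower and basename not in KNOWN_SYSTEM32_AUTOSTARTS:
        reasons.append("unknown binary autostarting from system32")
    # REG_SZ data is not environment-expanded, so a literal %token% argument
    # is most likely a marker the program passes to itself, not a real variable.
    if re.search(r"%\w+%", entry.args):
        reasons.append("unexpanded %...% token passed as argument")
    return reasons


def triage_run_key(text):
    """Map each suspicious value name to its reasons."""
    findings = {}
    for entry in parse_run_entries(text):
        reasons = suspicious_reasons(entry)
        if reasons:
            findings[entry.name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage_run_key(SAMPLE_RUN_EXPORT).items():
        print(name, "->", "; ".join(reasons))
```

On a live machine the same logic applies to the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`; the allowlist should be built from a known-clean image rather than guessed.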
Gabriele Neukam

On that special day, jamie, ([email protected]) said...
-------
Occured_Errors:

15.135.17.78_failed_after_I_sent_the_message.
% 266: mailbox_unavailable
% 311: Remote_host_said:_delivery_error
% 187: This_account_has_been_disabled_[#190].

A typical line of Sober.I, which fakes "bounces" which actually aren't
bounces but the worm-infested mails.

See
http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

When executed, the program reports a Winzip fault. Funny? I am not
running Winzip... using WinAce.

Ouch. You infected your machine. That was DUMB! Sober.I injects a
backdoor. Your machine by now is NO LONGER YOURS.

See
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx


Gabriele Neukam

Beauregard T. Shagnasty

jamie said:
The email contains the attachment mail.zip.

...and you unzipped it?
The zip contains a file message_text.txt. This is in fact an
executable, but Windows reports it incorrectly as a txt file. (I am
running Service Pack two, with all of Microsoft's latest updates).

If you look closely, you will probably find the file name is:

"message_text.txt .exe"

or similar - maybe with a .scr or a .pif extension. Adding many spaces
to the file name is a very old trick.
When executed, the program reports a Winzip fault. Funny? I am not
running Winzip... using WinAce.

The program installs two processes, which seem to have different
names each time the program is run.

The first time I ran the program it installed:

I don't understand why you would execute unknown programs...
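As an added example (not code from the thread), the check below shows how a mail gateway or a cautious user can catch the padded double-extension trick Beauregard describes before anything is opened. It builds a constructed zip in memory whose member is named "message_text.txt", then sixty spaces, then ".exe", with content starting with the "MZ" header every Windows executable carries, and flags it on both the name and the content; the decoy-extension list and the sample file are assumptions.

```python
"""Spotting a disguised executable attachment (added example, not from the thread)."""
import io
import zipfile

EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd"}
# Assumed list of document-like extensions used as a decoy in front of the real one.
DECOY_EXTENSIONS = {"txt", "doc", "pdf", "jpg", "gif", "htm", "html"}

# Constructed stand-in for the attachment described in the thread.
FAKE_MEMBER_NAME = "message_text.txt" + " " * 60 + ".exe"


def build_sample_zip():
    """Create an in-memory zip with one disguised member and one benign control."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # "MZ" DOS stub followed by filler; enough to look like a PE file header.
        zf.writestr(FAKE_MEMBER_NAME, b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 100)
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()


def name_findings(name):
    """Reasons a file name looks like a disguised executable (empty if none)."""
    base = name.rsplit("/", 1)[-1]
    reasons = []
    if "  " in base:
        reasons.append("padded with runs of whitespace")
    # Strip the padding around each dot-separated part so the decoy shows up.
    parts = [p.strip().lower() for p in base.split(".")]
    final_ext = parts[-1] if len(parts) > 1 else ""
    if final_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"real extension is .{final_ext}")
        if len(parts) > 2 and parts[-2] in DECOY_EXTENSIONS:
            reasons.append(f"decoy .{parts[-2]} extension before the executable extension")
    return reasons


def scan_zip(zip_bytes):
    """Map each suspicious member name to its reasons, checking names and content."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reasons = name_findings(info.filename)
            with zf.open(info) as fh:
                head = fh.read(2)
            # Content check catches the case where the name gives nothing away.
            if head == b"MZ":
                reasons.append("content starts with the MZ executable header")
            if reasons:
                findings[info.filename] = reasons
    return findings


if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample_zip()).items():
        print(repr(member))
        for r in reasons:
            print("  -", r)
```

The content check is the one that matters most: Explorer hides the trailing extension and the padding, but the first two bytes of a Windows executable are the same whatever the file is called.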