weird xp behaviour

  • Thread starter: luna

luna

Anyone heard of something that can open Start/Run and auto-paste a URL with an .exe in the URL, which automatically downloads and tries to install?

I've not seen anything like it before; all I can think of is an exploit in Opera (I'm using v9). I've run nothing from emails, or used any bad files that I know of (I'm an experienced PC user). I've killed the process and found the thing in RUN and RUNONCE. This happened once last week and I fixed it; it was a different URL to the one I have today.

I've also noticed it pasting the URL into open windows.
 
luna said:
Anyone heard of something that can open Start/Run and auto-paste a URL with an .exe in the URL, which automatically downloads and tries to install?

I've not seen anything like it before; all I can think of is an exploit in Opera (I'm using v9). I've run nothing from emails, or used any bad files that I know of (I'm an experienced PC user). I've killed the process and found the thing in RUN and RUNONCE. This happened once last week and I fixed it; it was a different URL to the one I have today.

I've also noticed it pasting the URL into open windows.

What URL/file is it pointing to?

... and have you run the file through Jotti's online scanner?

http://virusscan.jotti.org

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!
 
Steven Burn said:
What URL/file is it pointing to?

... and have you run the file through Jotti's online scanner?

http://virusscan.jotti.org

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!


Today it's http://65.98.57.2/~zuluzet/.../x.exe ; it was a different URL last time, with the filename msconfig2.exe.

Online scan reveals the file is (quite an old one?):

AntiVir Found Worm/Rbot.193504
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found IRC/BackDoor.SdBot2.FWA
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Win32.HLLW.MyBot
F-Prot Antivirus Found nothing
Fortinet Found W32/RBot.BFA!tr.bdr
Kaspersky Anti-Virus Found Backdoor.Win32.Rbot.bfa
NOD32 Found a variant of Win32/Rbot
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found Backdoor.Win32.Rbot.bfa
 
luna said:
Today it's http://65.98.57.2/~zuluzet/.../x.exe ; it was a different URL last time, with the filename msconfig2.exe.

Online scan reveals the file is (quite an old one?):

Most likely a new variant rather than an old one.

Download yourself the trial copy of both of the following and allow them to run full system scans (after updating the sig files, of course).

Might want to see if you can identify the process that's causing it as well. HJT will help with this.

www.merijn.org

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!
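One way to do the check luna describes (looking through the Run/RunOnce keys) and to get a hash of anything odd for the kind of multi-engine scanner Steve links to, as an added example that is not from the thread or from either poster. It assumes a PowerShell prompt on the affected machine (which a stock XP box of that era would not have had); the registry paths are the standard autostart keys, and the flagging patterns are this example's own heuristics.

```powershell
# Added example, not code from the thread: list the Run/RunOnce autostart
# entries for the machine and the current user and mark the ones worth a
# second look. Assumes an elevated PowerShell prompt on the affected box.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    # 32-bit programs on a 64-bit Windows (luna is on XP64) register here
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Heuristics chosen for this example, based on what the thread describes:
#  - a URL in the command line (the sample here is fetched from one)
#  - a very short executable name (luna reports a 3-letter .exe)
#  - a binary living in a user-writable directory rather than Program Files
$suspicious = @(
    'https?://',
    '(^|\\)[A-Za-z0-9]{1,3}\.exe\b',
    '\\(Temp|Local Settings|AppData|Application Data)\\'
)

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $cmd  = [string]$item.GetValue($name)
        $hits = $suspicious | Where-Object { $cmd -match $_ }
        $flag = if ($hits) { 'CHECK' } else { 'ok   ' }
        '{0} {1}\{2} = {3}' -f $flag, $key, $name, $cmd

        # For flagged entries, hash the executable so it can be looked up in a
        # multi-engine scanner without uploading it first (Get-FileHash needs
        # PowerShell 4 or later).
        if ($hits) {
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
            if (Test-Path -LiteralPath $exe) {
                '      SHA256 ' + (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
            }
        }
    }
}
```

The short-name pattern will also flag legitimate binaries such as cmd.exe, so treat a CHECK line as a prompt to look at the file's location, signature and hash rather than as a verdict; the point is to surface entries like the one luna found quickly, before a reboot makes them harder to inspect.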
 
Steven Burn said:
Helps if I mention the apps, lol.

1. Ewido - www.ewido.com
2. NOD32 - www.eset.com

Might also want to get WinPatrol if you don't already have it.

www.winpatrol.com
Cheers Steve.

I'm on XP64 tho :). I seem to be clear at the mo; turfed out the offending thing from my registry. Wondering if there's any more reports of similar behaviour in the wild; no idea where this came from as I'm really damn careful with what I open.

mark
 
luna said:
Cheers Steve.

I'm on XP64 tho :). I seem to be clear at the mo; turfed out the offending thing from my registry. Wondering if there's any more reports of similar behaviour in the wild; no idea where this came from as I'm really damn careful with what I open.

Do you remember what the offending entry contained?

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!
 
Steven Burn said:
Do you remember what the offending entry contained?

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!
Usual LSA / start run and services stuff, and it was a 3-letter exe starting with A. Too late now, a reboot trashed the machine :( . Lost the network workgroup, tried to recreate it and ended up with a bluescreen on boot, no safe mode or anything. I won't try a repair; I think a new machine is due anyway!

mark
 