Old 20-05-02, 12:35 AM   #13
Mowzer
Join Date: Jan 2002
Posts: 209
A report from the VX world...

Smokey 227,

Benjamin, as was posted above, is not a virus but rather a trojan.
It is also a variant of the original file.

Some people have found the following symptoms.

I have found a virus when running my latest version of AVG
and the software calls the virus "hidden extension exe". It is
located in a /sys folder with the windows /temp folder.

The software heals the infected files but as soon as I re-boot my
PC, the infection returns. I've tried several different virus detection
software packages (Norton, McAfee, etc) but these find nothing...
-----------------------------------------------------------------------------------
All,
Based on the time that we all started having trouble, it sure points to
KaZaa. Explorer.scr soaked up every bit of my processing bandwidth and put
me into a BSoD every time I booted to Windows. Even a boot to safe mode
wouldn't let me delete the windows\temp\sys32 directory. Had to do that from
DOS. Finally cured the problem by deleting Explorer.scr.

Also, I had something building scr/executable files from downloads in my
KaZaa storage folder. They would show as an xxx.mp3 with .exe displayed far
to the right. The file took the name of the original file. File size was
always around 600k.
----------------------------------------------------------------------------------

I have the exact same problem. Has anyone downloaded and launched a
file called something like "<filenameX>-full-downloader.exe"? Stupidly
and against any common sense, I downloaded and launched a file like
that... Soon afterward, I started noticing the "EXPLORER.SCR" problem
(i.e. thousands of .exe and .scr files clogging up my hard drive in
the folder C:\WINDOWS\Temp\sys32). So, I think the "full-downloader"
might be linked to the problem, if anyone can confirm.
----------------------------------------------------------------------------------
Yep! I did exactly the same thing and got exactly the same problem. As soon
as I deleted EXPLORER.SCR problem solved. I'm sure it came from the "Full
downloader" file.
----------------------------------------------------------------------------------

It turns out, as I mentioned at the top of this thread, the file Explorer.scr contains a now identified file, BackDoor-AEG, a lil trojan.

The reason most AVs have not been detecting it is because of the newness factor. When bad code hits the wild, it's not instantly detectable.

The answer to your question of how to detect it: well, you could trash the explorer.scr file. Or just wait. Soon all the AVs will offer coverage. Symantec has just added detection for it as "Backdoor.Trojan".

The sad thing is not all AV companies label bad code universally,
so it gets confusing.

Here is a report on the virus: The original file was made available to Kazaa probably just a few days
ago. It was most likely ~410-460 KB in size (at least my client's
was). The size seems to be deliberately random to ensure it cannot be
detected by a fixed file size.

It could have any name, and is not just related to files named such
as:
<filenameX>-full-downloader.exe, although the filenames seem to be produced from several key phrases.

The downloaded bot either has an .scr, .exe, or an .exe with a
variable number of spaces between the file name and the extension,
such as:
filename .exe

The first time it runs it creates the sys32 directory under the 'Temp'
directory of the O/S base directory, copies itself as explorer.scr to
the 'System' directory of the O/S base, and creates a startup entry
for this file. It appears as its original filename under the task
manager the first time it runs, but appears as 'explorer.scr' for all
subsequent loads.

It then copies itself to the created sys32 directory and pads the file
size with a random number of bytes so it will be between ~410-460 KB in
size. This ensures it cannot be detected by file size alone. It then
proceeds to produce copy after copy of itself with different names.
Most of the filenames seem to be produced from internal data since I
tested it on a spare machine and did not provide a network connection
(a must when testing viruses etc.), and it still created 500+ copies
of itself with unique filenames. It also produces filenames from the
files in your Kazaa shared directory. For these, it uses each name to
produce two copies of itself. One with an .exe extension, and one with
a .scr extension.

Now for the bad part and the reason it might spread fast. When you
launch Kazaa, the bot makes sure that Kazaa shares the infected files
in the OS-Dir/Temp/sys32 directory. Since this seems to be
approximately 2 files for each megabyte of free space on the O/S,
this can result in hundreds or thousands of infected files that
are shared via your computer (I'm not really sure what the limit on
the number of unique file names is). In other words, if you are
infected, you are most likely sharing more infected files than clean
files.


So here's the event chain:

You download an infected file from Kazaa.

When run, it copies itself to the 'system' directory under the O/S
base directory as 'explorer.scr' and creates a 'startup' entry to
auto-load it on boot up.

It then produces the sys32 directory and copies itself there with a
new name. It then creates as many copies with unique filenames as
possible, depending on file space available, or available filenames.

When Kazaa is launched, the sys32 directory containing the
infected/bot files is forced to the share state where they now become
available for download via your computer, and the process continues.


Note: These tests were done under time constraints and various modes
were not tested. For instance, I did not have time to place a packet
sniffer on the network to see what would happen if I had allowed it to
access the network, etc. Since I know it forces the sharing of the
infected files via Kazaa, that's already a problem, and it's easy to
diagnose. I also did not want to place any other machine or user at
peril.

It appears this attack is aimed specifically at the Kazaa network of
computers because of the way it operates (i.e., it knows the path format
and how to force sharing of the infected files, etc.). I'm sure a
minimal amount of work would be required to target other file sharing
systems, but I hope it does not come to this.

This appears to be a variant of Worm.Kazaa.Benjamin, since it does not present an error message, nor does it
redirect to a web site (at least not the one I found). This behavior
might have been introduced to hide itself better.

All copies produced are about 410-460KB for mine, and the files seem
to be rather full of data. There might have been some additional code
added to modify the file names, etc (I'm not really sure).

I have retained a functioning copy and may play with it to see if
there is any other hidden damage produced.

That's that. Hopefully it offers you and others some insight on what the little bugger is, and some ways to kill him.

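As an added example (not code from this thread or from any of the quoted posters), here is a small Python scanner that turns the indicators described in the report into a file-system check: executables under a Temp\sys32 drop directory, the explorer.scr persistence name, media names with a padded .exe/.scr extension, and the ~410-460 KB size range. The media-extension list and the rule that size alone is never enough to flag a file are assumptions drawn from the report's own observations.

```python
import os
import re
from typing import Dict, List

# Indicators taken from the report: the bot drops into <OS dir>\Temp\sys32,
# names copies after shared media files with .exe/.scr appended (sometimes with
# a run of spaces before the extension), persists as explorer.scr, and pads
# each copy to roughly 410-460 KB.
PADDED_MIN, PADDED_MAX = 410 * 1024, 460 * 1024
# base name, optional media suffix (assumed list), optional spaces, then .exe/.scr
SUSPECT_NAME = re.compile(r"^.+?(\.(?:mp3|avi|mpg|wav|zip))?(\s*)\.(?:exe|scr)$", re.IGNORECASE)

def classify(path: str, size: int) -> List[str]:
    """Return the indicators a file matches (empty list means nothing matched)."""
    norm = path.replace("\\", "/")          # accept Windows or POSIX separators
    name = norm.rsplit("/", 1)[-1]
    parts = [p.lower() for p in norm.split("/")]
    m = SUSPECT_NAME.match(name)
    if m is None:                           # not an .exe/.scr at all
        return []
    reasons = []
    if "temp" in parts and "sys32" in parts:
        reasons.append("executable inside Temp/sys32 drop directory")
    if name.lower() == "explorer.scr":
        reasons.append("explorer.scr persistence copy name")
    if m.group(2):                          # "song .exe" style spacing
        reasons.append("spaces padded before extension")
    if m.group(1):                          # "song.mp3 .exe" style naming
        reasons.append("media file name with executable extension")
    if PADDED_MIN <= size <= PADDED_MAX:
        reasons.append("size in 410-460 KB padded range")
    return reasons

def is_suspect(path: str, size: int) -> bool:
    """Size is deliberately randomised, so require a name or path indicator too."""
    return any(not r.startswith("size") for r in classify(path, size))

def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a directory tree and return {path: indicators} for suspect files."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            if is_suspect(p, os.path.getsize(p)):
                hits[p] = classify(p, os.path.getsize(p))
    return hits
```

Run `scan_tree` against the Windows directory and the Kazaa shared folder to list candidates for deletion; a hit list alone does not prove infection, so review the names before removing anything.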