[Solved] Does anyone recognize these three infections? Google doesn't

RknRusty

c:\users\rusty\appdata\local\ojimocin.dll

c:\users\rusty\appdata\local\ehevurijanoxoz.dll

c:\users\rusty\appdata\local\ayimeqaguvi.dll

The last one got caught by NIS when I booted this morning. The other two got caught together a week ago. After the first incident I did full scans with Malwarebytes and Super Antispyware. Only one non threatening tracking cookie was picked up by Super. Norton has run full scans since the first incident and come up clean too.

The usual 54 services are listed in Process explorer.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
eMachines ET1810-03 (Acer) - single user
OS
Windows 7 Home Premium - always up to date
CPU
Intel E2210 2.2Ghz
Motherboard
(OEM) ECS MCP73VT-PM with AMI BIOS R01-A3 (4-29-2009)
Memory
3Gb DDR2
Graphics Card(s)
NVIDIA GeForce 7050/610I GPU
Sound Card
Realtek ALC888/1200 8-channel HD integrated
Monitor(s) Displays
AOC 22" LED
Screen Resolution
1920 x 1080
Hard Drives
Internal - Seagate 320Gb SATA; External - Western Digital 320Gb USB (3.5" internal drive inside a RocketFish USB enclosure)
Keyboard
Wireless
Mouse
Logitech M705 laser wireless
Internet Speed
TWC Cable Broadband ~ 15 Mbps Down/1 Mbps Up
Antivirus
NIS
Browser
Chrome
Other Info
Microsoft Office 2007, incl Outlook SP3; Netgear router; ubee modem

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Golden Mk. I.4
OS
Windows 10 Pro x64 ; Xubuntu x64
CPU
Intel i7 860 @ 2.80 GHz O/C'ed to 4.0GHz
Motherboard
Gigabyte P55A-UD3R Rev.1. Award BIOS F13
Memory
16GB Corsair Vengance DDR3 @ 661 MHz Dual Channel (9-9-9-24)
Graphics Card(s)
EVGA NVidia GTX 560 1024MB
Sound Card
Realtek Integrated
Monitor(s) Displays
Dual Samsung SyncMaster 2494HS
Screen Resolution
1920*1080 and 1920*1080
Hard Drives
1*Samsung 840 EVO 120GB SSD;
1*OCZ Vertex 2 60GB SSD;
2*Samsung F3 SpinPoint 1TB in RAID0;
1*Samsung F1 SpinPoint 1TB;
2*Western Digital 1TB External USB 3.0
1*Western Digital 500GB External USB 3.0
1*Seagate 500GB External USB 2.0
PSU
Thermaltake ToughPower QFan 750W
Case
Thermaltake Element S VK60001W2Z
Cooling
Corsair H60 Water Cooling, 2*230mm and 2*80mm case fans
Keyboard
Logitech G110
Mouse
Logitech MX518
My best guess is a polymorphic virus. These can be very difficult to identify and stubborn to eradicate. I would try using a live Linux disk (or USB) such as Puppy Linux then install one of many AV programs and run it against your hard disk.

Regards,
GEWB
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
(7 different computers booting up to 10 systems)
OS
Linux Mint / XP / Win7 Home, Pro, Ultimate / Win8.1 / Win10
Other Info
Four desktops, two laptops, one notebook and one tablet
I agree with Golden on what you should do. Having said that, appdata\local is one of the folders where applications store their local-machine-only settings. Appdata\Roaming is used by default by most apps; Local only stores settings that are volatile or easily regenerated, AFAIK. So theoretically it should be safe to delete anything under Appdata\local. You can try backing up these DLLs to external media, then delete them from the hard disk and wait for a disaster to happen. If it does, you can restore the files.
 

My Computer

Computer Manufacturer/Model Number
Too many to describe...
OS
Windows 7 x64 pro/ Windows 7 x86 Pro/ XP SP3 x86
I did a search here for the .dll's:

ThreatExpert - Automated Threat Analysis

but didn't find anything. It would be useful to know what family NIS flagged them as... might help us narrow it down a bit more.

Can you elaborate on where you suspect you might have picked these up from?

Regards,
Golden
 

My best guess is a polymorphic virus. These can be very difficult to identify and stubborn to eradicate. I would try using a live Linux disk (or USB) such as Puppy Linux then install one of many AV programs and run it against your hard disk.

Regards,
GEWB
Good guess! Definitely bad malware.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Bruce ... somewhere in his 40's
OS
Windows 7 Ultimate 32bit SP1
CPU
Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz
Motherboard
INTEL/D975XBX2
Memory
4 GB
Graphics Card(s)
ATI Radeon HD 2600 Pro
Monitor(s) Displays
Samsung SyncMaster 914v
Screen Resolution
1280 x 1024
Hard Drives
2/500GB each ... ST3500630AS ATA Device.
One is not connected
PSU
Rocketfish 700 W
Case
G.Skill Gigabyte Chassis
Keyboard
Standard PS/2 Keyboard
Mouse
Microsoft PS/2 Mouse
Internet Speed
DSL
Antivirus
Avira Internet Security
Browser
IE 11
Other Info
ATI HDMI Audio
Thanks everybody. I'll investigate it more this evening. If I get too worried about it I have a two-week-old Acronis image of the whole system ready to go. That's probably the most surefire fix. If I format my drive before I run the backup, is there anything else I can do to make sure the bugs are vaporized? I remember back in the old days, I used to power down in the middle of a format to make sure they weren't hiding in RAM waiting to jump back on after the format was done. Any reason to do that these days?

I'm very vigilant against this kind of thing, but I moderate a forum and sometimes I have to click links I wouldn't otherwise follow. Right after I opened one is when the first of these showed up. Since then the other two have been caught. I'll post back if I turn up any useful information.
 

Sounds like it could be Conficker, variant C, D or E (associated with the Waledac family of malware and its Storm botnet). "E" was discovered at the beginning of this month, whereas "C" and "D" have been around for a while.

Also note that a new tool to rewrite viruses as polymorphic (and running in memory) has been in the wild for several months. This has made it fairly easy to recycle older code into new threats very quickly.


Symantec published this in their July analysis:
This month's analysis reveals a significant increase in activity related to what may be described as an aggressive and rapidly changing form of generic polymorphic malware. With one in 280.9 emails identified as malicious in July, the rise accounted for 23.7 percent of all email-borne malware intercepted in July; more than double the same figure six months ago, indicating a much more aggressive strategy on the part of the cyber criminals responsible.

The report shows that the malware is frequently contained inside an executable within the attached ZIP archive file, and often disguised as a PDF file or an office document, for example. “This new aggressive approach to distributing generic polymorphic malware on such a scale should be concerning for many businesses, particularly for those who rely solely on more traditional security countermeasures, which this type of malware is designed to evade. One example of this technique involves changing the startup code in almost every version of the malware; subtly changing the structure of the code and making it harder for emulators built-in to many anti-virus products to identify the code as malicious.”

“Polymorphic malware is a way for malware writers to write their malware so that each particular malware is different from the last. So, although the malicious code does the same thing – infect your computer – each program that the malware writer is producing is acting in a slightly different way”, explained Lee, senior software engineer at Symantec.cloud.
For example, when variant C is executed, the worm copies itself as a randomly named DLL to:

[System]\randomname (preferred location) or

[Program Files]\Internet Explorer\randomname or
[Program Files]\Movie Maker\randomname (50% chance of each), or

[Application Data]\randomname, or

[Temp]\randomname

(Sounds familiar, doesn't it?)

Some GENERAL notes about current polymorphics:

> Can be memory resident (which is why I use a Live Linux disk for removal)
> New threats are created very quickly (i.e., zero-day exploits)
> P2P systems and email attachments are popular attack vectors

Regards,
GEWB
 

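A small triage heuristic, added here as an example and not code from this thread, Symantec or Norton: it walks a list of file paths (a constructed list built from the paths quoted in this thread plus a few benign files) and flags binaries that fit the two patterns discussed above: a randomly named DLL sitting directly in AppData\Local or \Roaming, matching the "[Application Data]\randomname" drop location in the Conficker description, and kb-numbered executables in a non-Microsoft folder. Both rules, and the `looks_generated` vowel-ratio test in particular, are assumptions about what "random-looking" means and will produce false positives; they shortlist files for manual review, nothing more.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample list: the paths quoted in this thread plus a few benign files (not a real listing).
SAMPLE_FILES = [
    r"c:\users\rusty\appdata\local\ojimocin.dll",
    r"c:\users\rusty\appdata\local\ehevurijanoxoz.dll",
    r"c:\users\rusty\appdata\local\ayimeqaguvi.dll",
    r"c:\Users\Rusty\AppData\Roaming\Adobe\plugs\kb284288063.exe",
    r"c:\Users\Rusty\AppData\Local\Google\Chrome\Application\chrome.exe",
    r"c:\Users\Rusty\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    r"c:\Users\Rusty\AppData\Local\Temp\setup.log",
]

VOWELS = set("aeiou")
# Assumed pattern for the Adobe\plugs droppings: "kb" followed by a long run of digits.
KB_PATTERN = re.compile(r"^kb\d{6,}$", re.IGNORECASE)

def looks_generated(stem):
    """Heuristic (an assumption, not a signature): pronounceable generated names such
    as 'ojimocin' are long, all-lowercase, purely alphabetic and roughly half vowels."""
    if not (8 <= len(stem) <= 20 and stem.isalpha() and stem.islower()):
        return False
    vowel_ratio = sum(c in VOWELS for c in stem) / len(stem)
    return 0.35 <= vowel_ratio <= 0.65

def classify(path):
    """Return a reason string if the path fits one of the two patterns, else None."""
    p = PureWindowsPath(path)
    parts = [s.lower() for s in p.parts]
    if p.suffix.lower() not in {".dll", ".exe"} or "appdata" not in parts:
        return None
    # Depth below AppData: <AppData>\Local\x.dll is 2; vendor subfolders are deeper.
    depth = len(parts) - parts.index("appdata") - 1
    if depth == 2 and looks_generated(p.stem):
        return "randomly named binary directly under AppData\\Local or \\Roaming"
    if KB_PATTERN.match(p.stem) and "microsoft" not in parts:
        return "KB-numbered executable outside a Microsoft folder"
    return None

def triage(paths):
    # Map each suspicious path to the reason it was flagged; clean files are omitted.
    flagged = {}
    for path in paths:
        reason = classify(path)
        if reason:
            flagged[path] = reason
    return flagged

for path, reason in triage(SAMPLE_FILES).items():
    print(f"{reason}: {path}")
```

On a live system the same functions can be fed the output of a recursive listing of the user's AppData tree; anything flagged still needs a signature check and a hash lookup before it is treated as malicious.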
I'm very vigilant against this kind of thing, but I moderate a forum and sometimes I have to click links I wouldn't otherwise follow. Right after I opened one is when the first of these showed up.

Can you use a live bootable OS to moderate your forum or is a Microsoft OS required? Just a thought...

Regards,
GEWB
 

That's a good idea. I can use Ubuntu on a flash drive. It has Mozilla which will work fine. Never thought of it, thanks for the tip.
 

That's a good idea. I can use Ubuntu on a flash drive. It has Mozilla which will work fine. Never thought of it, thanks for the tip.

You're welcome. I try to use the best tool for the job to be done. (Have you tried Puppy? I use it a lot when a live boot suits the task. Sometimes I use Knoppix.)

Regards,
GEWB
 

No I didn't know of any of those tools. I downloaded both Norton files. I'll give the Power Eraser a go and see what it can find.
I downloaded a copy of Puppy Linux too. I guess I'm out of touch with the latest.
 

I just ran Power Eraser and it found one threat.
[Attached screenshot: Norton Power Eraser scan results]
I removed it and ran it again and it found nothing. The first time it gave me the option of scanning that file, or at the top was a button that said Scan all files. I only clicked the one beside the found file. I didn't get any options on the second run. I wish I had clicked the All files button.
But anyway, maybe this was the root of my problems. Was this thing likely to be creating the random mystery bugs I kept finding this past week?
 

Could be but I recommend re-running your program (check all files) at least twice more with a cold boot (power down) between each.

Regards,
GEWB
 

MBAM found this:

Files Infected:
c:\Users\Rusty\AppData\Roaming\Adobe\plugs\kb284288063.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Rusty\AppData\Roaming\Adobe\plugs\kb284288078.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Rusty\AppData\Roaming\Adobe\plugs\kb284288234.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Rusty\AppData\Roaming\Adobe\plugs\kb284290434.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Rusty\AppData\Roaming\Adobe\plugs\kb284290481.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Rusty\AppData\Roaming\Adobe\plugs\kb284290496.exe (Trojan.Agent) -> Quarantined and deleted successfully.

I also ran ESET online scanner and got a clean report.

I'm calling it solved. Sorry I took so long to get back with that.

The system seems clean but for a glitch Saturday morning. This problem is being discussed in a new thread.
 

