April 19, 2007
2007/04/19 postcards.gif.exe (mIRC)
Date Discovered: 2007/04/19
Time Discovered: 08:45 CDT
Bot File Location: %WINDIR%\System32\Explorer.exe, %WINDIR%\System\svchost.exe, and many other mIRC-related files in %WINDIR%\System\ (Typically C:\WINDOWS\system on a Windows XP PC)
Size of Bot File: postcards.gif.exe is 998 KB when downloaded; svchost.exe is 1.70 MB and is created once postcards.gif.exe, a self-extracting executable, is run.
MD5sum of Bot File: (postcards.gif.exe is fdc674c1b16fb5bdf31e4427803dc70b)
Known method(s) of infection: Bogus Email message with subject of "You just recieved a Electronic Greeting." or similar. Message contains a link to http:(slash)(slash)59.106.27.38(slash)postcards.gif.exe
SAV Status: Detects explorer.exe as "W32.Jeefo", servers.ini as "Trojan Horse" and script.ini as "Backdoor.IRC.Flood". However, the rest of the IRC bot will apparently still run. (Symantec might be detecting the entire kit as "W32.Jeefo" in virus definition files dated today or later)
Installs Spyware?: not likely
Possible Removal Instructions: Right-click on the transparent icon in the System Tray (typically the bottom right corner of the Windows taskbar, where the clock is) and close mIRC. Then delete %WINDIR%\System\svchost.exe and remove it from startup within the registry (using msconfig might be the easiest option on Windows XP).
Comments: Yet another "Postcard Trojan" that connects to Undernet using mIRC. These are a dime a dozen. If folks are running with typical User privileges, this can't install itself. Folks have to click the link in the Email, then choose "Open" or "Run" to be infected, or else save it to disk and run it manually. It is not exploiting any flaw in Windows, just using "Social Engineering" to spread. It doesn't spread itself; the connections to Undernet are the telltale sign of infection, especially ones that begin shortly after roughly one MB is downloaded from the IP address hosting the malware.
Posted by eckman at 9:42 AM | Undernet bots
April 27, 2005
4/27/2005 run.exe
Date Discovered: 2005/04/27
Time Discovered: 10:45
Bot File Location: %WINDIR%\System32\run.exe
Size of Bot File: 102 KB (105,428 bytes) (Explorer may display 103 KB)
MD5 of Bot File: 771d8b21a0e09720984a2bdfc7ea31a6
Known method(s) of infection: MSN Messenger
SAV Status: Detected as W32.Gaobot.DEY as of 11:53 AM on 2005/04/27.
Installs Spyware?: Possibly
Possible Removal Instructions: DOS Prompt: "taskkill /F /IM run.exe". Then delete the file.
Comments: Installs itself as hidden and read only, and changes its last modified date to match that of many other files. One sample machine displayed its modified date as 8/4/2004. Infected computers may also have additional malware loaded at C:\MSN.exe.
Updated 12:10 2005/04/27 to reflect an update in AV status and spyware status
Posted by eckman at 10:52 AM | Bot Outbreaks
April 25, 2005
4/25/2005 kaspery.exe
Date Discovered: 2005/04/25
Time Discovered: 12:35
Bot File Location: %WINDIR%\System32\kaspery.exe
Size of Bot File: 146 KB (150,016 bytes) (Explorer may display 147 KB)
MD5 of Bot File: 06bafe6577034ef8173acf6687875ded
Known method(s) of infection: MS04-011 (LSASS), possibly others
SAV Status: Detected as of 2005/04/26 18:52 CDT.
Installs Spyware?: Possibly
Possible Removal Instructions: DOS Prompt: "taskkill /F /IM kaspery.exe". Then delete the file.
Comments: Installs itself as hidden and read only, and changes its last modified date to match that of many other files. One sample machine displayed its modified date as 8/23/2001.
Updated 10:55 AM on 2005/04/27 to reflect AV status change
Posted by eckman at 12:59 PM | Bot Outbreaks
March 31, 2005
3/31/2005 climdrv.exe
Date Discovered: 2005/03/31
Time Discovered: 16:10
Bot File Location: %WINDIR%\System32\climdrv.exe
Size of Bot File: 125 KB (128,000 bytes)
MD5 of Bot File: d42940f78831462478cd26cbd28b92aa
Known method(s) of infection: MS03-026 (RPC DCOM), possibly others
SAV Status: Detected via RapidRelease definitions starting at 19:07 on 2005/03/31
Installs Spyware?: No
Possible Removal Instructions: DOS Prompt: "taskkill /F /IM climdrv.exe". Then delete the file.
Comments: Computer should be formatted and reinstalled. This group often loads several other backdoors such as ServU FTP, Winshell and a telnet server. They likely extracted the password database from the computer. All passwords on the computer will need to be changed.
Updated 2005/04/01 14:10 eckman (SAV status update)
Posted by eckman at 4:24 PM | Bot Outbreaks
3/31/05 WSoundMngr.exe
Date Discovered: 2005/03/31
Time Discovered: 08:30
Bot File Location: %WINDIR%\System32\WSoundMngr.exe
Size of Bot File: 32.5 KB (33,280 bytes)
MD5 of Bot File: 72c10b91a4c328c55409205a6381aa88
Known method(s) of infection: AOL Instant Messenger (AIM) Away Message - manual infection
SAV Status: Detected as Backdoor.Sdbot beginning at 12:49 on 2005/03/31
Installs Spyware?: Not Immediately - Probably Soon
Possible Removal Instructions: DOS Prompt: "taskkill /F /IM WSoundMngr.exe". Then delete the file.
Comments: Sets AIM away message to "New Pics From The Beach", followed by a URL to download this bot.
Updated at 16:23 by eckman (SAV status)
Posted by eckman at 8:53 AM | Bot Outbreaks
March 25, 2005
3/25/05 sys32.exe
Date Discovered: 2005/03/25
Time Discovered: 08:48
Bot File Location: %WINDIR%\System32\sys32.exe
Size of Bot File: 58.0 KB (59,392 bytes)
MD5 of Bot File: db44b1b86681866591c1f7f2b980fd61
Known method(s) of infection: LSASS (MS04-011)
SAV Status: Detected as W32.Mytob.K@mm
Installs Spyware?: Probably Not
Possible Removal Instructions: DOS Prompt: "taskkill /F /IM sys32.exe", "taskkill /F /IM hellmsn.exe". Then delete the files.
Comments: Also installs malware at C:\hellmsn.exe (detected as W32.Mytob.L@mm) and puts copies of the bot (all detected as W32.Mytob.K@mm) at C:\see_this!!.scr and C:\my_photo2005.scr and C:\funny_pic.scr.
Posted by eckman at 9:09 AM | Bot Outbreaks
March 15, 2005
3/15/2005 RegistryManage.exe Again
Date Discovered: 2005/03/15
Time Discovered: 14:28
Bot File Location: %WINDIR%\System32\RegistryManage.exe
Size of Bot File: 90 KB (92,160 bytes)
MD5 of Bot File: b99485a75075a7b687f500002eaa1bb9
Known method(s) of infection: LSASS (MS04-011)
SAV Status: Detected in RapidRelease definitions as of 17:53, 2005/03/15
Installs Spyware?: Possibly
Possible Removal Instructions: DOS Prompt: "taskkill /F /IM RegistryManage.exe". Then delete the file.
Comments: Kills task manager process before you can kill it.
Updated 09:04 2005/03/16
Posted by eckman at 4:14 PM | Bot Outbreaks
3/15/05 RegistryManage.exe
Date Discovered: 2005/03/15
Time Discovered: 14:25
Bot File Location: %WINDIR%\System32\RegistryManage.exe
Size of Bot File: 88 KB (90,112 bytes)
MD5 of Bot File: d2d8e3413bafd26120934063e34b74d2
Known method(s) of infection: LSASS (MS04-011)
SAV Status: Detected as W32.Spybot.Worm in RapidRelease definitions as of 18:50 2005/03/15
Installs Spyware?: Possibly
Possible Removal Instructions: DOS Prompt: "taskkill /F /IM RegistryManage.exe". Then delete the file.
Comments: Kills task manager process before you can kill it.
Updated 09:05 2005/03/16
Posted by eckman at 3:18 PM | Bot Outbreaks
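Every post above lists the same three indicators for its bot file: a drop path, an exact size in bytes, and an MD5. The following Python scanner is an added example (not the blog's own tooling) that collects those indicators from the eight posts into a table, hashes every file under a directory, and reports hits at three confidence levels: an MD5 match is a confirmed hit for the exact sample, a name-plus-size match is a probable hit, and a name-only match is just a lead, because the RegistryManage.exe posts show the same name recurring with a new hash and size. The names explorer.exe and svchost.exe from the 2007 post are deliberately left out of the name table, since legitimate Windows files share them (the bot copies live in %WINDIR%\System, not System32); the demo tree the script builds is constructed data with a constructed hash, not a real sample.

```python
import hashlib
import os
import tempfile

# MD5 indicators copied from the outbreak posts above: hash -> label.
KNOWN_BOT_MD5 = {
    "fdc674c1b16fb5bdf31e4427803dc70b": "postcards.gif.exe (mIRC postcard trojan, 2007/04/19)",
    "771d8b21a0e09720984a2bdfc7ea31a6": "run.exe (W32.Gaobot.DEY, 2005/04/27)",
    "06bafe6577034ef8173acf6687875ded": "kaspery.exe (2005/04/25)",
    "d42940f78831462478cd26cbd28b92aa": "climdrv.exe (2005/03/31)",
    "72c10b91a4c328c55409205a6381aa88": "WSoundMngr.exe (Backdoor.Sdbot, 2005/03/31)",
    "db44b1b86681866591c1f7f2b980fd61": "sys32.exe (W32.Mytob.K@mm, 2005/03/25)",
    "b99485a75075a7b687f500002eaa1bb9": "RegistryManage.exe (2005/03/15, 14:28 sample)",
    "d2d8e3413bafd26120934063e34b74d2": "RegistryManage.exe (W32.Spybot.Worm, 2005/03/15)",
}

# Drop-file names (lower-cased) and the exact sizes in bytes given in the posts.
# An empty set means the post named the file but gave no size.
KNOWN_BOT_FILES = {
    "run.exe": {105428},
    "kaspery.exe": {150016},
    "climdrv.exe": {128000},
    "wsoundmngr.exe": {33280},
    "sys32.exe": {59392},
    "registrymanage.exe": {92160, 90112},
    "hellmsn.exe": set(),
    "see_this!!.scr": set(),
    "my_photo2005.scr": set(),
    "funny_pic.scr": set(),
}


def md5_of_file(path, chunk_size=65536):
    """Hex MD5 of a file, read in chunks so a large file is never loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path, known_md5=KNOWN_BOT_MD5, known_files=KNOWN_BOT_FILES):
    """Return (confidence, reason) for one file, or None if nothing matches."""
    digest = md5_of_file(path)
    if digest in known_md5:
        return ("confirmed", "MD5 matches " + known_md5[digest])
    name = os.path.basename(path).lower()
    if name in known_files:
        size = os.path.getsize(path)
        if size in known_files[name]:
            return ("probable", f"name and size ({size} bytes) match a listed bot file")
        return ("weak", "name matches a listed bot file but hash and size do not")
    return None


def scan_directory(root, known_md5=KNOWN_BOT_MD5, known_files=KNOWN_BOT_FILES):
    """Walk root and return a list of (path, confidence, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            if not os.path.isfile(full):  # skip devices, dangling links, etc.
                continue
            try:
                result = classify(full, known_md5, known_files)
            except OSError:  # locked or unreadable file: report it, keep scanning
                findings.append((full, "error", "could not read file"))
                continue
            if result is not None:
                findings.append((full, result[0], result[1]))
    return findings


def run_demo():
    """Scan a constructed sample tree (no real malware) and return name -> confidence.

    The real bot hashes cannot be reproduced here, so the demo adds the hash of a
    constructed file to a copy of the indicator table to exercise the confirmed path.
    """
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = os.path.join(tmp, "System32")
        os.makedirs(sys32)
        marker = os.path.join(sys32, "constructed_sample.exe")
        with open(marker, "wb") as f:
            f.write(b"constructed sample content, not a real bot\n")
        with open(os.path.join(sys32, "run.exe"), "wb") as f:
            f.write(b"x" * 105428)  # same name and size as the 2005/04/27 post
        with open(os.path.join(sys32, "kaspery.exe"), "wb") as f:
            f.write(b"wrong size")  # name matches, size and hash do not
        with open(os.path.join(tmp, "readme.txt"), "wb") as f:
            f.write(b"benign file")
        md5s = dict(KNOWN_BOT_MD5)
        md5s[md5_of_file(marker)] = "constructed demo indicator"
        return {os.path.basename(p): conf for p, conf, _ in scan_directory(tmp, md5s)}


if __name__ == "__main__":
    for name, confidence in sorted(run_demo().items()):
        print(f"{confidence:9s} {name}")
```

On a real machine you would call scan_directory on %WINDIR% with the tables as given; a "confirmed" hit identifies one of the exact samples in these posts and nothing else, so an absent hit says little about a newer variant, which is why the SAV detection lag noted in several posts matters more than the hash list.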