RE: aretzj.exe -- reappearing unknown system file

[Joe George <j.george () conservation org>]

Kevin, 

We use a very powerful anti-spyware application called Xoftspy
(http://www.paretologic.com).  Not to sound like an advertisement, but
I've had about 98% success using it to detect and permanently remove
MalWare processes, reg values/keys and Trojans.  Of course, it isn't
free though. It's a nice tool to have at least one or two licenses handy
for this sort of thing. 

Winternals ProcMon is fantastic to use to study any processes that look
suspicious when you fail to turn anything up from searches on the
Internet.  Aretzj.exe seems like an anomaly to me.  If you really want
to have some fun and spend time and study it in detail, I'd recommend
backing up your client's data and deleting it from the WINNT\S32 or
renaming it aretzj.old.  

Good luck,

Joe G.


----- Original Message ----- 
From: "Kevin Snively" <kevinsnively () comcast net>
To: <security-basics () securityfocus com>
Sent: Friday, May 27, 2005 6:27 AM
Subject: aretzj.exe -- reappearing unknown system file


> I've come across, on a client's machine, a reappearing / self
propogating
> read only system file. The box is running a copy of XP pro fully
patched.
> c:\windows\system32\aretzj.exe
>
> When Internet explorer is brought up this program (aretzj.exe) asks
for
> internet access via ZoneAlarm. When deleted it reappears at bootup and
even
> if the computer has not been restarted.
>
> I can not find any reference in Technet or any of the search engines.
It is
> read only and when deleted the XP claims it is a system file. I tried
about
> 20+ search engines. One mentioned a Name an author of a book published
in
> 1935 - author ha'aretz (without the "j").
>
>
> What I have done to try and identify the source:
>
> 1. looked for other "unknown" files inside of system32, including
checking
> dates of files such as the KERNEL and KERNEL32 and looked for
"suspicious"
> files. No results except aretzj.exe
>
> 2. cleaned out the [prefetch] folder (no positive results)
>
> 3. [Downloaded prgram files] is and was empty
>
> 4. Checked c:\program files\internet explorer
> Looked for suspicous or unknown folders in common files.
>
> 5 Spent an almost inordinate amoutn of time poking around in general
looking
> for clues, identifying plugins, checking system and hidden folders to
no
> avail.
>
> I am not sure what it is but as I renamed the file to a .txt extension
and
> read through the "readable" portion of the binary file hoping for some
hook
> on identifying it.
>
> At this point I am concerned as it is "unidentifable" the terminology
inside
> the binary file might be construed with "data mining" and the client
does
> run propriatary databases - Oh Yes, and I have checked with the vendor
of
> the clients database software. They tell me nothing is stored on the
PC nor
> is anything except a browser required to view the database.
>
> We are now using firefox but the unknown file continues to reappear.
The
> only solution I have come up with is to wipe everything reinstall and
> restore actual data from a backup.
>
> Any  help or suggestions will be greatly appreciated.
> Or has anyone run across this culprit?
>
> Sincerely,
> Kevin Snively
>
> The HelpDesk Inc (r)
> kevin () thehelpdeskinc com
> 615-781-1922 (office)
> 615-582-0877 (Mobile)