Security Incidents mailing list archives

Possibly Unknown Virus? Care to help me analyze?!?


From: "Jeremy Junginger" <jj () act com>
Date: Mon, 10 Mar 2003 11:44:29 -0700

Hey guys, I have come upon a funny little virus that's hogging CPU
cycles and basically creating a DoS condition on a Windows XP machine.
There were a couple of classic symptoms:

hklm\software\microsoft\windows\current version\run\onylje.exe

c:\Documents and Settings\All Users\Start
Menu\Programs\Startup\onylje.exe

This executable appears to be a pseudo-random name, and it called
another file within the same directory called pcoo.exe.  These two
processes showed up in task manager, and gobbled up all the CPU cycles.
I also saw some other weird things under task manager.  These two
processes appeared to be keeping Norton from launching:

~A.exe
After I killed this one, ~9.exe appeared.  Again, this looks like a pseudo-random name for these
processes.  I have run strings against the executables, and saw some
Delphi B.S. in there as well as the following strings:

<Cut from running "strings onylje.exe">
KERNEL32.DLL
ADVAPI32.dll
MPR.dll
SHELL32.dll
USER32.dll
WSOCK32.dll
LoadLibraryA
GetProcAddress
ExitProcess
RegCloseKey
WNetAddConnection2A
ShellExecuteA
PeekMessageA
</Cut>

<Cut from running "strings pcoo.exe">
KERNEL32.DLL
ADVAPI32.dll
MPR.dll
SHELL32.dll
USER32.dll
WSOCK32.dll
LoadLibraryA
GetProcAddress
ExitProcess
RegCloseKey
WNetAddConnection2A
ShellExecuteA
PeekMessageA
</Cut>

Both files are 69K, and may very well be the same executable referred to
by different names.  The output from running strings against these are
identical as far as I can tell.  

Perhaps one of you guys might have a suggestion for disassembling the
executables and taking a closer look.  This may be a common virus, but
Norton doesn't recognize it and I'd like to know for sure what it is.  I
can get you the file upon request.  Thanks,

-Jeremy
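The post compares `strings` output to guess whether onylje.exe and pcoo.exe are the same binary; a hash comparison settles that question, and the import names already listed hint at what the sample can do. The following is an added example, not code from the original post: it hashes two samples, extracts printable strings the way `strings` does, and flags the imports worth a second look. SAMPLE_A, SAMPLE_B and SAMPLE_C are constructed stand-ins for the real 69K files, and the NOTABLE descriptions are this example's own reading of the Win32 API names.

```python
import hashlib
import re
from typing import Dict, List

# Constructed stand-ins for the two binaries from the post; real files
# would be read with open(path, "rb").read().
IMPORTS = (b"KERNEL32.DLL\0ADVAPI32.dll\0MPR.dll\0SHELL32.dll\0USER32.dll\0"
           b"WSOCK32.dll\0LoadLibraryA\0GetProcAddress\0ExitProcess\0"
           b"RegCloseKey\0WNetAddConnection2A\0ShellExecuteA\0PeekMessageA\0")
SAMPLE_A = b"MZ\x90\x00" + bytes(range(256)) + IMPORTS  # hypothetical onylje.exe
SAMPLE_B = b"MZ\x90\x00" + bytes(range(256)) + IMPORTS  # hypothetical pcoo.exe, byte-identical
SAMPLE_C = SAMPLE_A.replace(b"\x90", b"\x91")           # same strings, different bytes

# Imports from the post that tell a defender something about capability
# (descriptions are this example's interpretation of the documented Win32 calls).
NOTABLE = {
    "WNetAddConnection2A": "connects to network shares via MPR.dll; check adjacent hosts",
    "ShellExecuteA": "launches other programs; consistent with onylje.exe starting pcoo.exe",
    "WSOCK32.dll": "Winsock networking; worth watching for outbound connections",
}

def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Rough equivalent of `strings`: runs of printable ASCII of at least min_len."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def compare_samples(a: bytes, b: bytes) -> Dict[str, object]:
    """Hash identity is the real test; matching strings only suggests shared code."""
    sa, sb = set(extract_strings(a)), set(extract_strings(b))
    return {
        "same_hash": sha256_hex(a) == sha256_hex(b),
        "same_size": len(a) == len(b),
        "shared_strings": sorted(sa & sb),
        "only_in_a": sorted(sa - sb),
        "only_in_b": sorted(sb - sa),
        "notable_imports": {s: NOTABLE[s] for s in sorted(sa | sb) if s in NOTABLE},
    }

if __name__ == "__main__":
    for label, other in (("pcoo.exe", SAMPLE_B), ("rebuilt variant", SAMPLE_C)):
        r = compare_samples(SAMPLE_A, other)
        print(f"onylje.exe vs {label}: same_hash={r['same_hash']} "
              f"same_size={r['same_size']} "
              f"strings_differ={bool(r['only_in_a'] or r['only_in_b'])}")
    for name, why in compare_samples(SAMPLE_A, SAMPLE_B)["notable_imports"].items():
        print(f"  {name}: {why}")
```

The "rebuilt variant" case shows the limit of the strings-only comparison: identical `strings` output with a different hash means a related build, not the same file.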
