Security Incidents mailing list archives
Possibly Unknown Virus? Care to help me analyze?!?
From: "Jeremy Junginger" <jj () act com>
Date: Mon, 10 Mar 2003 11:44:29 -0700
Hey guys, I have come upon a funny little virus that's hogging CPU cycles and basically creating a DoS condition on a Windows XP machine. There were a couple of classic symptoms: hklm\software\microsoft\windows\current version\run\onylje.exe c:\Documents and Settings\All Users\Start Menu\Programs\Startup\onylje.exe This executable appears to be a pseudo-randum name, and it called another file within the same directory called pcoo.exe. These two processes showed up in task manager, and gobbled up all the CPU cycles. I also saw some other weird things under task manager. These two processes appeared to be keeping Norton from launching: ~A.exe After I killed this one, ~9.exe appeared. Again, this looks like a pseudo-random name for these processes. I have run strings against the executables, and saw some Delphi B.S. in there as well as the following strings: <Cut from running "strings onylje.exe"> KERNEL32.DLL ADVAPI32.dll MPR.dll SHELL32.dll USER32.dll WSOCK32.dll LoadLibraryA GetProcAddress ExitProcess RegCloseKey WNetAddConnection2A ShellExecuteA PeekMessageA </Cut> <Cut from running "strings pcoo.exe"> KERNEL32.DLL ADVAPI32.dll MPR.dll SHELL32.dll USER32.dll WSOCK32.dll LoadLibraryA GetProcAddress ExitProcess RegCloseKey WNetAddConnection2A ShellExecuteA PeekMessageA </Cut> Both files are 69K, and may very well be the same executable referred to by different names. The output from running strings against these are identical as far as I can tell. Perhaps one of you guys might have a suggestion for dissassembling the executables and taking a closer look. This may be a common virus, but Norton doesn't recognize it and I'd like to know for sure what it is. I can get you the file upon request. Thanks, -Jeremy ---------------------------------------------------------------------------- <Pre>Lose another weekend managing your IDS? Take back your personal time. 15-day free trial of StillSecure Border Guard.</Pre> <A href="http://www.securityfocus.com/stillsecure"> http://www.securityfocus.com/stillsecure </A>
Current thread:
- Possibly Unknown Virus? Care to help me analyze?!? Jeremy Junginger (Mar 10)
- <Possible follow-ups>
- RE: Possibly Unknown Virus? Care to help me analyze?!? Arnold, Jamie (Mar 11)