Security Incidents mailing list archives

UPDATE: Possibly Unknown Virus? Care to help me analyze?!?


From: "Jeremy Junginger" <jj () act com>
Date: Mon, 10 Mar 2003 13:39:07 -0700

This is getting pretty fun.  Check this out.  

In addition to these two (or four) files, we have noticed that there are several other "interesting" characteristics.  
The following Reg Keys have been modified:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "W1N32.DLL"="C:\\WINDOWS\\WINLOGON .exe" (Note the space)
        "Windows Explorer"="Explorer .exe" (Note the space)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
        "Windows Explorer"="Explorer .exe" (Again, note the space)

We found the files that these keys refer to and I'm taking a look at them.  If you would like to get a copy, let me 
know, and I'll get it out to you on request.  Thanks again for the many helpful responses I've received.  What a fun 
way to spend a Monday!  ;-)

-Jeremy
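The trailing-space trick in those Run values ("WINLOGON .exe", "Explorer .exe") is easy to check for mechanically once you know to look. What follows is an added example, not part of Jeremy's post or of any tool he mentions: a Python routine that scores autorun entries for the tells visible in this thread (whitespace before the extension, a name that collapses to a Windows system binary, a relative path that gets resolved through the search path, and a value name that advertises something other than what it launches). The registry data is a constructed dictionary modelled on the values quoted above, not an export from the infected machine; on a live box you would feed it the output of `reg export` or Autoruns instead of hard-coding it.

```python
import re

# Constructed sample modelled on the registry values quoted in the post
# (not an export from the infected machine). SynTPEnh is a benign control.
SAMPLE_AUTORUNS = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "W1N32.DLL": r"C:\WINDOWS\WINLOGON .exe",
        "Windows Explorer": r"Explorer .exe",
        "SynTPEnh": r"C:\Program Files\Synaptics\SynTP\SynTPEnh.exe",
    },
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices": {
        "Windows Explorer": r"Explorer .exe",
    },
}

# Windows binaries that malware likes to impersonate. The genuine ones are
# started by the system, not from a Run key, so any Run entry that resolves
# to one of these names deserves a look even without the trailing space.
SYSTEM_BINARIES = {"winlogon.exe", "explorer.exe", "svchost.exe",
                   "lsass.exe", "csrss.exe", "services.exe"}


def exe_name(command):
    """Basename of the launched file. The Run values in the post carry no
    arguments, so a quoted or bare path is all this needs to handle."""
    path = command.strip().strip('"')
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def check_entry(value_name, command):
    """Return the reasons an autorun entry looks suspicious (empty if none)."""
    name = exe_name(command)
    reasons = []
    # 1. Whitespace between stem and extension: "WINLOGON .exe" is a different
    #    file from winlogon.exe but reads the same at a glance in Task Manager.
    if re.search(r"\s\.[A-Za-z0-9]{1,4}$", name):
        reasons.append("whitespace before extension")
    # 2. Collapsing the whitespace yields the name of a system binary.
    if re.sub(r"\s+", "", name).lower() in SYSTEM_BINARIES:
        reasons.append("impersonates system binary")
    # 3. Relative path (no drive letter, UNC prefix or %VAR%): resolved through
    #    the search path at logon, so a dropped file can shadow the real one.
    if not re.match(r"^[A-Za-z]:\\|^\\\\|^%", command.strip().strip('"')):
        reasons.append("relative path")
    # 4. Value name says DLL while the command runs an executable.
    if value_name.lower().endswith(".dll") and name.lower().endswith(".exe"):
        reasons.append("value name mismatches launched file")
    return reasons


def scan(autoruns):
    """Apply check_entry to every key/value pair; return only flagged entries."""
    findings = []
    for key, values in autoruns.items():
        for value_name, command in values.items():
            reasons = check_entry(value_name, command)
            if reasons:
                findings.append((key, value_name, command, reasons))
    return findings


if __name__ == "__main__":
    for key, value_name, command, reasons in scan(SAMPLE_AUTORUNS):
        print(f"{key}\n  {value_name!r} = {command!r}\n  -> {', '.join(reasons)}")
```

Run against the constructed sample it flags the three malicious entries and leaves the Synaptics one alone. The same checks apply to the Startup folder and to the RunOnce/RunServicesOnce keys; the heuristics are deliberately narrow (they catch the lookalike tricks in this thread, not a randomly named dropper like onylje.exe), so treat them as a first pass, not an allowlist.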

-----Original Message-----
From: Jeremy Junginger 
Sent: Monday, March 10, 2003 11:44 AM
To: incidents () securityfocus com
Subject: Possibly Unknown Virus? Care to help me analyze?!?


Hey guys, I have come upon a funny little virus that's hogging CPU cycles and basically creating a DoS condition on a 
Windows XP machine.  There were a couple of classic symptoms:

hklm\software\microsoft\windows\CurrentVersion\run\onylje.exe

c:\Documents and Settings\All Users\Start Menu\Programs\Startup\onylje.exe

This executable appears to be a pseudo-random name, and it called another file within the same directory called 
pcoo.exe.  These two processes showed up in task manager, and gobbled up all the CPU cycles.  I also saw some other 
weird things under task manager.  These two processes appeared to be keeping Norton from launching:

~A.exe
After I killed this one, 
~9.exe appeared.  Again, this looks like a pseudo-random name for these processes.  I have run strings against the 
executables, and saw some Delphi B.S. in there as well as the following strings:

<Cut from running "strings onylje.exe">
KERNEL32.DLL
ADVAPI32.dll
MPR.dll
SHELL32.dll
USER32.dll
WSOCK32.dll
LoadLibraryA
GetProcAddress
ExitProcess
RegCloseKey
WNetAddConnection2A
ShellExecuteA
PeekMessageA
</Cut>

<Cut from running "strings pcoo.exe">
KERNEL32.DLL
ADVAPI32.dll
MPR.dll
SHELL32.dll
USER32.dll
WSOCK32.dll
LoadLibraryA
GetProcAddress
ExitProcess
RegCloseKey
WNetAddConnection2A
ShellExecuteA
PeekMessageA
</Cut>

Both files are 69K, and may very well be the same executable referred to by different names.  The output from running 
strings against these are identical as far as I can tell.  

Perhaps one of you guys might have a suggestion for disassembling the executables and taking a closer look.  This may 
be a common virus, but Norton doesn't recognize it and I'd like to know for sure what it is.  I can get you the file 
upon request.  Thanks,

-Jeremy
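On the question of whether onylje.exe and pcoo.exe are the same file: equal size and identical strings output are suggestive but not proof, since two binaries can differ only in non-printable bytes (a patched constant, a different seed, a re-packed section) and produce the same strings listing. A hash settles it. The following is an added example, not from the post: a small strings(1) equivalent plus a comparison that reports size, SHA-256 and string-set differences, run over two constructed byte blobs that carry the import names quoted above. The blobs are stand-ins for the two executables, not the real samples. One further note on those strings: they are import names, and WNetAddConnection2A (from MPR.dll) is the API for connecting to a network share, so the sample at least has the ability to reach other machines' shares; strings alone will not tell you how it is used.

```python
import hashlib
import re

# The import names quoted in the post, used to build the stand-in blobs.
IMPORTS = [b"KERNEL32.DLL", b"ADVAPI32.dll", b"MPR.dll", b"SHELL32.dll",
           b"USER32.dll", b"WSOCK32.dll", b"LoadLibraryA", b"GetProcAddress",
           b"ExitProcess", b"RegCloseKey", b"WNetAddConnection2A",
           b"ShellExecuteA", b"PeekMessageA"]


def build_sample(seed_byte):
    """Constructed stand-in for a binary: a fake MZ header, the import names
    separated by NULs, and non-printable padding. Not a valid PE."""
    body = b"MZ" + bytes([0x90, 0x00, 0x03, seed_byte]) + b"\x00" * 10
    for name in IMPORTS:
        body += name + b"\x00" * 3
    return body + b"\x00\xff" * 8


SAMPLE_A = build_sample(0x00)
SAMPLE_B = build_sample(0x01)   # differs from SAMPLE_A in one non-printable byte


def extract_strings(data, min_len=4):
    """Runs of printable ASCII of at least min_len bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def compare(data_a, data_b):
    """Compare two blobs the way you would two suspect files: size, hash,
    then the strings each has that the other lacks."""
    strings_a, strings_b = set(extract_strings(data_a)), set(extract_strings(data_b))
    return {
        "same_size": len(data_a) == len(data_b),
        "same_sha256": hashlib.sha256(data_a).digest() == hashlib.sha256(data_b).digest(),
        "same_strings": strings_a == strings_b,
        "only_in_a": sorted(strings_a - strings_b),
        "only_in_b": sorted(strings_b - strings_a),
    }


if __name__ == "__main__":
    # Same size, same strings, different hash: strings output cannot tell
    # these two apart, but the hash can.
    for key, value in compare(SAMPLE_A, SAMPLE_B).items():
        print(f"{key}: {value}")
```

For real files, read them with `open(path, "rb").read()` and pass the bytes in. If the hashes match you are done; if they differ while the strings agree, a byte-level diff (`cmp -l` or `fc /b`) shows where, and for the import table itself a PE parser such as pefile is more reliable than strings, since it reads the import directory rather than guessing from printable runs.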
