Security Incidents mailing list archives

Re: UPDATE: Possibly Unknown Virus? Care to help me analyze?!?


From: "Darwin" <darwin () netmadeira com>
Date: Tue, 11 Mar 2003 01:13:45 -0000

This is what I found from the files you sent me:

----- Original Message -----
From: "Jeremy Junginger" <jj () act com>

c:\Documents and Settings\All Users\Start Menu\Programs\Startup\onylje.exe

Seems to be a copy of pcoo.exe.
Contains IRC commands, most certainly includes an IRC client embedded.
Possibly a variant of "Randon":
http://www.viruslist.com/eng/index.html?tnews=1001&id=59750
or a variant of Agobot worm:
http://www.alerta-antivirus.es/virus/detalle_virus.html?cod=2307

Many references to antivirus processes - most certainly to locate and kill
them.
Possibly a variant of Trojan.KKiller.
http://securityresponse.symantec.com/avcenter/venc/data/trojan.kkiller.html
The Trojan.KKiller Trojan Horse terminates many processes, including those
of popular antivirus and firewall programs. It also modifies a registry key,
so that it runs when you try to execute any .exe file.

Includes a reference to advapi in the body.
Maybe a variant of Backdoor.IE_Patch.
http://www.f-secure.com/v-descs/ie_patch.shtml
"Capabilities of IE_Patch backdoor include sending and receiving data
(files), monitoring of existing application windows, listening to
keystrokes. The backdoor has an empty e-mail form inside."

Found also the word "Buag", maybe a nickname or a reference.

BUAG // n.

[abbreviation, from alt.fan.warlord] Big Ugly ASCII Graphic. Pejorative term
for ugly ASCII art, especially as found in sig blocks. For some reason,
mutations of the head of Bart Simpson are particularly common in the least
imaginative sig blocks. See warlording.
http://www.antionline.com/jargon/BUAG.php


task manager.  These two processes appeared to be keeping Norton from
launching:
See the article about Trojan.KKiller.


<Cut from running "strings onylje.exe">

ADVAPI32.dll
Maybe it's a genuine reference to the dll, but just in case check the
article about Backdoor.IE_Patch.

Overall it seems like a pack of old worms reassembled in a new one. I think
the threads "New ddos client" and "New virus outbreak" are also dealing with
something similar to this.

Also Bitdefender, the antivirus I'm currently using, did not identify
anything wrong with the files you sent me.

Can you possibly send me a suspicious executable?

Cheers,

Paulo
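The message above does its triage by running `strings` over the suspicious executable and looking for IRC protocol verbs, antivirus process names and Win32 DLL references. The script below is an added example, not code from the thread or from any of the antivirus vendors cited: it extracts printable ASCII and UTF-16LE runs the way `strings` does, then groups the hits into indicator categories so a reviewer can see at a glance why a file looks like an IRC bot with an AV-killer component. The indicator lists and the sample byte blob are constructed for illustration and are not taken from onylje.exe.

```python
"""Indicator-oriented string triage for a suspicious Windows binary.

Added example; not part of the original mailing-list thread. The indicator
lists below are assumptions chosen to mirror the message's observations
(IRC commands, antivirus process names, ADVAPI32/process-control APIs),
not a vendor signature set.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Assumed indicator lists (constructed for this example).
INDICATORS: dict[str, set[str]] = {
    "irc": {"PRIVMSG", "NICK", "JOIN", "USER", "PING", "PONG", "NOTICE", "MODE"},
    "av_process": {"navapw32.exe", "zonealarm.exe", "ccapp.exe", "avp.exe", "nod32.exe"},
    "dll_import": {"ADVAPI32.dll", "WS2_32.dll", "KERNEL32.dll", "WININET.dll"},
    # APIs a process killer or registry-modifying trojan would need.
    "win32_api": {"TerminateProcess", "OpenProcess", "RegSetValueExA", "CreateRemoteThread"},
}


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return printable ASCII and UTF-16LE runs of at least min_len chars, in file order.

    This mirrors what `strings` (ASCII) and `strings -el` (UTF-16LE) would print.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found: list[tuple[int, str]] = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        found.append((m.start(), m.group().decode("utf-16-le")))
    found.sort()  # keep the order strings appear in the file, like `strings -t`
    return [s for _, s in found]


def classify(strings: list[str]) -> dict[str, set[str]]:
    """Map each indicator category to the needles found (case-insensitive substring match)."""
    hits: dict[str, set[str]] = defaultdict(set)
    for s in strings:
        lowered = s.lower()
        for category, needles in INDICATORS.items():
            for needle in needles:
                if needle.lower() in lowered:
                    hits[category].add(needle)
    return dict(hits)


def triage(data: bytes) -> dict:
    """Run extraction and classification; the score is simply the number of distinct needles hit."""
    strs = extract_strings(data)
    hits = classify(strs)
    return {"string_count": len(strs), "hits": hits, "score": sum(len(v) for v in hits.values())}


# Constructed sample blob standing in for a suspicious executable (not the real file).
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"  # DOS header stub; "MZ" alone is too short to count
    b"KERNEL32.dll\x00ADVAPI32.dll\x00WS2_32.dll\x00"
    b"TerminateProcess\x00OpenProcess\x00"
    b"\x01\x02NICK %s\r\n\x00JOIN #%s\r\n\x00PRIVMSG %s :%s\r\n\x00"
    b"navapw32.exe\x00zonealarm.exe\x00\x00"
    + "buag".encode("utf-16-le")  # a UTF-16LE string, as Windows binaries often carry
    + b"\x00\x00\xde\xad\xbe\xef"
)


if __name__ == "__main__":
    report = triage(SAMPLE)
    print(f"{report['string_count']} printable strings, indicator score {report['score']}")
    for category, needles in sorted(report["hits"].items()):
        print(f"  {category:12s} {', '.join(sorted(needles))}")
```

As the message itself notes for ADVAPI32.dll, a DLL import on its own is weak evidence because plenty of legitimate software links against it; the point of grouping hits is that the combination (IRC verbs plus antivirus process names plus process-termination APIs) is what makes the file worth escalating, not any single string.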

