Another icky virus today. I found a machine that kept downloading W32/Opanki.worm.gen and W32/Kelvir.worm.gen. I ended up finding c:\windows\system32\5la.exe, c:\windows\system32\busyboy.exe, c:\windows\system32\busyboya.exe, c:\windows\system32\manstfu.exe. These turned out to be zero day virus that McAfee wasn’t detecting. I got the extra.dat about 1:50pm from Lysa at avert. I didn’t push out the enterprise since I was only seeing this on one machine, it should be in tomorrows DAT release. I have a nice perl script that loads the data from EPO to snortui. I don’t think the version on source forge has the latest version of the import script. So I can watch in semi real time. EPO only periodically updates to the EPO database so I normally watch the epo sensor with an hours worth or data or more.

If you are running the enterprise version of mcafee virus scan 8 then I recommend that you enable the access protection rules, leave the “block creation of new files in the windows folder” and the “block creation of new files in the system32 folder” enabled but change them to warn. leaving them set in block mode in a large enterprise will cause all sorts of things to fail unless you really have you package installs locked down. When you find something suspicious you can jump over to the access protection log at C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt and view interesting things like application a.exe copied a file called b.exe to the system32 directory.

From tracing back the history I found that the route of all evil was a process called clip-bowl[1].ex. This then created xmconfig.exe (still waiting on an extra.dat that detects this). I saw that lltvr.exe created zkppnsd.exe (still waiting on an extra.dat), 5la.exe created 5b.exe (w32/sdbot.worm.gen.ak, extra.dat available), 5la.exe created nn.exe (detected as W32/Opanki.worm.gen (Virus) no extra.dat needed), 5la.exe created indexx.exe (Downloader-XZ (Trojan) no extra.dat needed), 5la.exe created 5353.exe (W32/Kelvir.worm.gen (Virus) no extra.dat needed),5la.exe created (W32/Opanki.worm.gen (Virus) no extra.dat needed) ,5la.exe created busyboy.exe (w32/kelvir.worm.dw extra.dat available), xmconfig.exe created fhhy.exe (W32/Opanki.worm.gen (Virus) no extra.dat needed). There were probably some other files that I haven’t listed since the virus software caught them

So the conclusion is that this machine was a mess.

3 Responses to “”

  1. grnfoci03 says:

    hey do you know how i can get rid of xmconfige.exe and the things associated with it such as surfya.com rk.bin rlls.dll and rluknlg.exe…i cant get rid of any of this shit with norton internet security.

  2. Anonymous says:

    I would start by renaming the files, then rebooting. That is the easiest way to get them. Otherwise look at adaware from lavasoft. Microsoft aso has a beta of their spyware tool that I have been hearing good things about.

  3. Anonymous says:

    I think this is considered a virus rather than spyware. The latest DATs from McAfee deletes the file. I would make sure that you have updated your virus defitions in norton internet security then try scanning your computer. I don’t know how long norton takes to update it’s dat. I am not sure where this virus came from but most of the recent ones have been from email or AOL instant messenger. I recommend that people do not open attachments or links in IM unless you asked for them, that also means from people you know as viruses will borrow other peoples identities to send the viruses.