New malware

[mrdob]

After visiting a less-than-savory website, my WinXP Pro SP3 system began encountering (not surprisingly) some spontaneous IE sessions and pop-up windows, with sound--despite the fact that iexplore.exe wasn't even ACTIVE. Unfortunately, neither the current versions of Ad Aware, AVG Anti-Spyware, Trend Micro online scan, nor SUPERAntispyware were able to identify or the eliminate the problem.

When this particular malware instantiates itself, an entry would appear on my Windows task list: 5i3524v1.exe. Although I would end the process tree, it would invariably respawn itself. Oddly, a Google search on this file yielded NO results.

I searched my C: drive and found this file and an apparent mate, 5i3524v1.exe.a_a, in my \system32 folder, and performed a hard delete of them. And yet still, some time later, both the these files AND the spawned task would manifest themselves again.

I searched again and used the Detail view in Explorer to sort the files by creation date. Three other files had the same date/time stamp as the offending ones: RC3B1t8.exe, R4C3B1t8.exe.a_a, and yIqmpbVo.dll. I appended all five files with a ! character to keep them from launching. (Yep, nothing on Google for these, either!) Next, I searched the registry and found this REG_SZ entry under Software|Microsoft|Windows|ShellNoRoam|MUICache:

C:\WINDOWS\system32\R4C3B1t8.exe with a value of R4C3B1t8

Renaming/deleting the files and and the corresponding registry entry seemed to do the trick.

I saved the renamed files in a ZIP archive for analysis if anyone's interested.

[SUPERAntiSpy]

Thanks for the detail! Send it to samples AT superantispyware.com and we'll handle it!