Jump to content

Archived

This topic is now archived and is closed to further replies.

Eyecu

Trojan.BZUB-IPV6

By Eyecu, in General Questions

Recommended Posts

Eyecu   

Eyecu
Posted

Good day,

For the past week or so I've been trying eradicate this Trojan.BZUB-IPV6 trojan that SAS keeps popping up a detection poppup on bootup. So far the three file names I can remember it saying it was is

c:\windows\system32\skeys.dll

c:\windows\system32\write.dll

c:\windows\system32\twunk_16.dll

The following is one of the scan logs with the registry entries it finds

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 08/29/2008 at 06:21 PM

Application Version : 4.20.1046

Core Rules Database Version : 3551
Trace Rules Database Version: 1539

Scan type       : Quick Scan
Total Scan Time : 00:33:53

Memory items scanned      : 429
Memory threats detected   : 0
Registry items scanned    : 477
Registry threats detected : 5
File items scanned        : 18866
File threats detected     : 1

Trojan.BZub-IPV6
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}
HKCR\CLSID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}
HKCR\CLSID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}\InprocServer32
HKCR\CLSID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\SKEYS.DLL
HKCR\CLSID\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}

So far I've run SAS, Malwarebytes, hijackthis, and trojan hunter to attempt to get rid of this pesky rodent. I've run all of these both in normal mode, safe mode, and safe mode with command prompt. Everytime it says it successfully removed it, and on the next start up I don't get the warning. But on following startups I do.

Any help would be appreciated.

P.S. for every other issue SAS has done extremely well. Good job on this product, I have been recommending it to everyone I know.

Share this post

Link to post
Share on other sites

fatdcuk   

fatdcuk
Posted

Ok first off can you upload skeys.dll to Virustotal service for 36 second opinions.If it is being flagged by any of them there then can you copy and paste the link to the Virustotal report in your next reply :)

http://www.virustotal.com/

Next up we need to dig a bit deeper to see if another file is spawning the reappearance of the originally detected file(s).

Download a copy of Autoruns :

http://technet.microsoft.com/en-us/sysi ... 63902.aspx

Run a scan but then after it completes

Click options .

Check both "verify code signatures" and "hide signed microsoft entries" . This will make the list a lot shorter .

Now press F5 to rerun the scan with the new settings.When this completes

click file tab then select "Export as" and save the log(autoruns.txt) to your desktop.

Copy and paste the contents of autoruns.txt to your next post.

Share this post

Link to post
Share on other sites

fatdcuk   

fatdcuk
Posted

lol thats a large output log...Like looking for a needle in a haystack :lol:

Okey can you please upload "msoflex.exe" to Virustotal for malware checking and post back the results :)

  • + msoflex.exe c:\documents and settings\all users\start menu\programs\startup\msoflex.exe

Share this post

Link to post
Share on other sites

Eyecu   

Eyecu
Posted

Ok well that seems to be the culprit. The virustotal site found that it had the TR/Crypt.XPACK.Gen as per Avira.

Share this post

Link to post
Share on other sites

fatdcuk   

fatdcuk
Posted

Okey then boot into safe mode and delete the sucker :P

:idea: If possible can i grab a copy of it before ya nuke it for distribution/research purposes 8)

http://www.castlecops.com/f81-Unknown_Files.html

Start a new topic there titled for my attention and attach/upload the file with your post ,no membership is required to do this :wink:

LMK if the detections persist after its removal & a couple of reboots.

Share this post

Link to post
Share on other sites

Eyecu   

Eyecu
Posted

Thanks for al your help. The file is posted i think. Can't tell I attempted to attach it twice but its not showing up on the thread. Topic title is Attn: Fatdcuk. Thank you for all your help greatly appreciated...My fiance also says to say thank you as it was on her computer that the infection was.

Share this post

Link to post
Share on other sites

fatdcuk   

fatdcuk
Posted

Okey just got your uploaded sample at CC,thankyou for uploading 8)

http://www.virustotal.com/analisis/069c ... cb36eb7c28

ThreatExpert info: http://www.threatexpert.com/report.aspx ... 04fbe15fb6

I must advise you that this is a "password stealer" bot designed to harvest PSW's on the infected system :evil:

It is highly advisable that you change all your used passwords as a matter of priority :!:

Share this post

Link to post
Share on other sites

Eyecu   

Eyecu
Posted

Already on it. Figured as much. I'm pretty computer literate on the hardware/software side of things. This one just had me stumped as no program I used found the base file...that msoflex.exe. Even though i saw it in the startup folder i should have googled it, but thought it was one of her graphics programs or something she uses. Anyways. Im on the passwrod changing. Thanks again.

Share this post

Link to post
Share on other sites

fatdcuk   

fatdcuk
Posted

Your welcome and i will also get your * bot* off to SAS HQ for inclusion in their target database 8)

Share this post

Link to post
Share on other sites

Eyecu   

Eyecu
Posted

Awesome. Just as an update no further detection as of yet so looks lilke we nailed it. Thanks again for all your help.

Share this post

Link to post
Share on other sites

fatdcuk   

fatdcuk
Posted

All good then:)

As of Database Version 3555 - 09-02-2008

SAS now has your particular variant in its target database so thankyou again for uploading this malware variant 8)

  • Trojan.Dropper/Gen-NV
    C:\DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\MALWARE SAMPLES\MSOFLEX.EXE

Share this post

Link to post
Share on other sites
Go To Topic Listing
×
×
  • Create New...