Possible new virus variant *updated post 30*
Preface: We are primarily in an XP environment and use IE to access most of our internal processes. We have a corporate firewall and Symantec Endpoint Protection Enterprise anti-virus on our computers.

We have had a rash of reports of slow computers. I did some investigation and discovered a common thread. They each had a program that launches at start-up located at C:\Documents and Settings\[username]\Application Data\[directory] that is about 200kb in size. The directory name matched the file name. The file names have been one of three names:

- AdVantage.exe
- googletalk.exe
- Skype.exe

The DOS FC command indicates all three files are identical. I found them initially by using the MSCONFIG utility and clicking on the Startup tab. Unchecking the box and rebooting seemed to fix the issue of the computers being slow. AV scans of the systems came back clean. Symantec identifies a similar virus called Trojan.Gatak [symantec.com] but the files are not being flagged. Of course the first ones I found were the AdVantage.exe file that is NOT listed in the virus description.

As a test, I emailed one of the files to myself via Yahoo Mail. No viruses were detected. I uploaded the file to a place that uses multiple anti-virus products to check for viruses [garyshood.com]. It came back clean. I have submitted the files to Symantec and will report back when I hear something. Have I mentioned that I just LOVE job security?

Last edited by marg_fan; 05-14-2012 at 09:11 AM.
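The manual procedure in the post (look at the Startup tab, check for a same-named directory and executable under each user's Application Data, compare the files with FC) can be scripted so it runs across every profile on a machine at once. The script below is an added example and is not code from the thread or from any poster or vendor mentioned in it. It assumes the XP profile layout the post describes (C:\Documents and Settings\<user>\Application Data\<dir>\<dir>.exe); the `build_demo_tree` function, the `parse_run_key_export` helper and the `reg query`-style text it parses are constructed for the demo, so the whole thing runs offline against a temporary directory instead of a real workstation. Byte-identical files are grouped by SHA-256, which is the same conclusion FC gives but over every pair at once, and only groups in the roughly 200 KB band that appear under more than one user are reported.

```python
"""Triage helper: find per-user auto-start executables that live under
Application Data in a directory of the same name, group byte-identical
copies across users by SHA-256, and flag Run-key entries that point there.
Added example, not from the original thread.  Assumption: the profile
root follows the XP convention C:\\Documents and Settings\\<user>\\...
The demo tree and the registry export text below are constructed."""
import hashlib
import os
import tempfile
from collections import defaultdict

# File names reported in the post.  Matching one of these is only a hint;
# the grouping by hash is what actually ties the samples together.
SUSPECT_NAMES = {"advantage.exe", "googletalk.exe", "skype.exe"}


def sha256_of(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_appdata_executables(profiles_root):
    """Return (user, path) for every <user>/Application Data/<dir>/<dir>.exe."""
    hits = []
    for user in sorted(os.listdir(profiles_root)):
        appdata = os.path.join(profiles_root, user, "Application Data")
        if not os.path.isdir(appdata):
            continue
        for d in sorted(os.listdir(appdata)):
            exe = os.path.join(appdata, d, d + ".exe")  # directory name == file name
            if os.path.isfile(exe):
                hits.append((user, exe))
    return hits


def group_identical(hits):
    """Map sha256 -> [(user, path)], i.e. FC over every pair at once."""
    groups = defaultdict(list)
    for user, path in hits:
        groups[sha256_of(path)].append((user, path))
    return dict(groups)


def triage(profiles_root, min_size=150_000, max_size=250_000):
    """Report hashes shared by >1 file whose size is in the ~200 KB band."""
    report = {}
    for digest, entries in group_identical(find_appdata_executables(profiles_root)).items():
        size = os.path.getsize(entries[0][1])
        names = {os.path.basename(p).lower() for _, p in entries}
        if len(entries) > 1 and min_size <= size <= max_size:
            report[digest] = {
                "size": size,
                "names": sorted(names),
                "users": sorted(u for u, _ in entries),
                "known_name": bool(names & SUSPECT_NAMES),
            }
    return report


def parse_run_key_export(text):
    """Hypothetical helper: from 'reg query ...\\Run' style output, return the
    (value name, command) pairs whose command lives under Application Data."""
    flagged = []
    for line in text.splitlines():
        if "REG_SZ" not in line:
            continue  # key header or blank line
        name, _, data = line.strip().partition("REG_SZ")
        data = data.strip().strip('"')
        if "\\application data\\" in data.lower():
            flagged.append((name.strip(), data))
    return flagged


def build_demo_tree(root):
    """Constructed sample: one identical ~200 KB payload under three names, one benign app."""
    payload = b"MZ" + bytes(range(256)) * 780          # 199,682 bytes of filler
    layout = {
        "alice": ("AdVantage", payload),
        "bob": ("googletalk", payload),
        "carol": ("Skype", payload),
        "dave": ("RealApp", b"MZ" + b"\x00" * 4096),   # different content, small: not reported
    }
    for user, (d, content) in layout.items():
        path = os.path.join(root, user, "Application Data", d)
        os.makedirs(path)
        with open(os.path.join(path, d + ".exe"), "wb") as f:
            f.write(content)


# Constructed text in the shape of a Run-key export; not a real capture.
DEMO_RUN_EXPORT = """HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    Skype    REG_SZ    "C:\\Documents and Settings\\carol\\Application Data\\Skype\\Skype.exe"
    ctfmon.exe    REG_SZ    C:\\WINDOWS\\system32\\ctfmon.exe
"""


def run_demo():
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return triage(root)


if __name__ == "__main__":
    for digest, info in run_demo().items():
        print(digest[:16], info)
    print(parse_run_key_export(DEMO_RUN_EXPORT))
```

On a real machine you would point `triage` at the Documents and Settings root and feed `parse_run_key_export` the output of `reg query` for each user's Run key; the hash groups tell you which files to submit to the vendor, and the flagged Run entries are the ones the MSCONFIG Startup tab was showing.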
03-28-2012, 07:01 AM
Any virus that doesn't kill msconfig, or running any and all programs, safe mode, or accessing files is no good virus in my books.
I've only seen one really, really bad one that did all of the above as well as spread across a network of 5000 computers in less than 20 minutes while being undetected by all antivirus and malware programs. Any computer that was connected to the subnet was immediately infected. Feds even got involved after it resulted in 250k in money being stolen. Symantec paid for several drives to be sent in for analysis. It was a good 4 months later that a new definition was created for it. Thank God that was early on in my career and I was not the guy in charge.
Not new "could be a virus" .... Run Malwarebytes
http://www.prevx.com/filenames/X3...K.EXE.html

File Behavior

GOOGLETALK.EXE has been seen to perform the following behavior:

- The Process is packed and/or encrypted using a software packing process
- This Process is a file infector which modifies program files to include a copy of the infection
- This process creates other processes on disk
- Copies files
- This Process Deletes Other Processes From Disk
- Looks at the contents of the autoexec.bat file
- Includes file creation code which could be used to test for interception by security products
- Uses DNS to retrieve the IP address for web sites
- Writes to another Process's Virtual Memory (Process Hijacking)
- Executes a Process

GOOGLETALK.EXE has been the subject of the following behavior:

- Created as a process on disk
- Added as a Registry auto start to load Program on Boot up
- Created by processes which appear to be checking for interception by security products
- Executed as a Process
- Has code inserted into its Virtual Memory space by other programs

Last edited by boltman2007; 03-28-2012 at 09:14 AM.
Hitman Pro identified Skype.exe as a possible threat (the only one of the three on the computer) and I uploaded it to their cloud. I think the only reason it flagged it was the file name being the same as a previous threat rather than actually finding something.
I would not consider "emailing to myself via Yahoo" a great test, but if I were you I would look into making sure that your computers are patched (including Flash, Java, Office, etc). The virus has to get on the computer somehow, as I doubt it's a zero-day exploit.
Our WSUS does push out OS and Office updates. Java is/was a version behind because it hadn't passed our validity testing yet (not within my scope). I'm not sure about the Flash version. I will check on that.
Additionally, we have replaced the msgina.dll with our own logon processing program that adds the ability to clock in before signing onto the computer (no physical time clocks). Combofix automatically deleted our replacement for msgina.dll and restored the default logon user interface. Until we have more information, we will be removing the infection the old fashioned way. Thanks for all the help.