Name: Anonymous 2006-02-26 3:40
Hello.
Recently, I've noticed that something has been using the legitimate "C:\WINDOWS\SYSTEM32\WINLOGON.EXE" file to write data into the memory of any browser currently active, so far it has done so with Mozilla and Internet Explorer. Once this is done, it tries to grab extra files off the Net and execute them, but the firewall and NAV have been blocking this quite adequately.
It has become quite annoying, however. In the "C:\WINDOWS\TEMP" directory, it generates a large number of 0-byte files with what appears to be a hexadecimal-based naming scheme progression (1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F and so on) with the format "WINx.TMP", where 'x' is a hexadecimal value. The only exception is a "JET2584.TMP" which contains garbage. Occasionally after writing itself into browser memory as mentioned earlier, some of the files will suddenly acquire file-size and get appended with a new format tag so that it now states "WINx.TMP.EXE" and then try to establish an outside connection, which the firewall blocks. The funny thing is, it states that WINLOGON.EXE is the one trying to run it.
Blocking it leaves it running in memory, however.
I have run scans under Safe-Mode for viruses, Trojans and the like, of which it detected two. One was Trojan.ByteVerify, the other Download.Trojan. However, getting rid of them has not solved the problem. The attempts persist, and nothing seems to detect what's wrong, inclusive of extra scans. The files in the TEMP directory are locked by whatever is creating them, and in addition it generates extra crap in the "C:/DOCUMENTS AND SETTINGS/CABAL/LOCAL SETTINGS/Temporary Internet Files/Content.IE5" folder, which it tries to execute but is blocked by NAV. Upon examining the offending file personally...
...the file size is 0 bytes. It tries multiple subfolders in that folder, each time with an execution attempt, all of which are blocked by NAV. The virus seems to run even in Safe Mode, as the TEMP files are still locked.
Anyone got any ideas?
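A small triage script, added here as an example and not part of the post above, that walks a temp directory and picks out the WIN<hex>.TMP entries the poster describes, reporting which ones grew beyond 0 bytes, were renamed to .TMP.EXE, or carry a PE ("MZ") header so they can be pulled for analysis. The sample directory it builds is constructed to mirror the report; the function and field names are this example's own.

```python
import os
import re
import tempfile
from dataclasses import dataclass

# Naming scheme from the report: WIN<hex>.TMP, with some entries later renamed to WIN<hex>.TMP.EXE
TMP_NAME = re.compile(r"^WIN([0-9A-F]+)\.TMP(\.EXE)?$", re.IGNORECASE)


@dataclass
class Finding:
    name: str
    size: int
    is_pe: bool        # file starts with the 'MZ' DOS/PE header
    renamed_exe: bool  # carries the extra .EXE tag the poster observed


def triage_temp_dir(path):
    """Return a Finding for every file in `path` whose name matches the WIN<hex>.TMP scheme."""
    findings = []
    for entry in sorted(os.listdir(path)):
        m = TMP_NAME.match(entry)
        if not m:
            continue  # e.g. JET2584.TMP, which does not follow the hex scheme
        full = os.path.join(path, entry)
        with open(full, "rb") as f:
            is_pe = f.read(2) == b"MZ"
        findings.append(Finding(entry, os.path.getsize(full), is_pe, m.group(2) is not None))
    return findings


def suspicious(findings):
    """The 0-byte placeholders are noise; anything that grew or became an EXE is worth capturing."""
    return [f for f in findings if f.size > 0 or f.renamed_exe or f.is_pe]


def build_sample_dir():
    """Constructed sample tree: 17 empty WIN1..WIN11 placeholders, one grown EXE, one unrelated JET file."""
    d = tempfile.mkdtemp()
    for i in range(1, 0x12):
        open(os.path.join(d, f"WIN{i:X}.TMP"), "wb").close()
    with open(os.path.join(d, "WIN5.TMP.EXE"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 62)  # minimal fake DOS header, constructed
    with open(os.path.join(d, "JET2584.TMP"), "wb") as f:
        f.write(b"\x13\x37junk")  # garbage, as described in the post
    return d


if __name__ == "__main__":
    for f in suspicious(triage_temp_dir(build_sample_dir())):
        print(f"{f.name}: {f.size} bytes, PE header={f.is_pe}, renamed to EXE={f.renamed_exe}")
```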