From: "thanatoid" <waiting@the.exit.invalid>
> Hi gang,
>
> I have a dual boot 98SE Lite and XPSP3 system. I use 98SE Lite
> 99.9% of the time. (Let's not get into a discussion of this,
> please.)
>
> Two peculiar things happened recently on my XP partition and on
> my external USB drive, seemingly unrelated except that they
> happened about 10 days apart and I have only gotten one other
> infection in over 20 years of doing this.
>
> I should mention that I have the XP partition although I hate XP
> and almost never use it. I have it ONLY because of a piece of
> hardware which only has XP drivers. Also, another advantage of
> having it is that I can run MBAM.
>
> A few days ago I thought it might be time to do an MBAM scan, so
> I did. As usual, it found a few minor things (like the fact I
> have the Windows Firewall off and do not wish to be informed of
> this every time I boot into XP), and one which was not at all
> minor - 3 copies (well, it actually listed 3 "memory processes")
> of a file called csrss.exe in "Documents and Settings" - NOT the
> file which is in the System32 directory. MBAM said it was a
> "Trojan.Agent", I let it delete the file and that was that. No
> ill effects were observed.
>
> Specifically, the report says, 3 times with a diff. #:
>
> Memory Processes Infected:
> e:\documents and settings\admin\application data\csrss.exe
> (Trojan.Agent) -> 1336 -> Unloaded process successfully.
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
> NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen.A) -> Bad:
> (Explorer.exe "E:\Documents and Settings\admin\Application
> Data\csrss.exe") Good: (Explorer.exe) -> Quarantined and deleted
> successfully.
>
> The date of this file was July 14 2011.
>
> There was also this:
> HKEY_CURRENT_USER\SOFTWARE\VB AND VBA PROGRAM
> SETTINGS\Micronsoft (Malware.Trace) -> Quarantined and deleted
> successfully.
>
> and
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
> \MSWUpdate (Trojan.Agent) -> Value: MSWUpdate -> Quarantined and
> deleted successfully.
>
> (Since I never go on the net with XP, I have auto updates turned
> off, I don't know what else to say about this.)
>
> I Googled for Micronsoft and got almost nothing except for a
> tiny Indian site with some desi actress photos and a few semi-
> nasty programs (a crack downloader, etc.) which I have never
> seen before.
>
> HOW the csrss.exe file got into the XP partition is a mystery,
> since I do not go on the net with XP and I have not installed
> anything (let alone a cracked program from a suspicious source)
> on the XP partition in months. The main drive with its C
> partition with the trusty 98 SE Lite was fine - nothing found.
>
> As usual, I did not bother scanning the other partitions with
> MBAM since they only contain data and since I work with them all
> the time I would have probably noticed anything strange.
>
> OK, that was more or less "normal", although a little baffling
> (as in "where did it come from since I do nothing on that
> drive"). I suppose I /did/ do /something/ but never noticed
> anything wrong and forgot whatever it was that I did.
>
> Now for the really strange part.
>
> After doing the above, I rebooted into 98SE and switched on my
> external USB drive. (It is actually just a regular drive I've
> had for several years which I recently put into a $15 USB box. I
> use it mainly for data storage/backup, and do not switch it on
> every time I use the computer. It works fine. It actually works
> better under 98SE Lite than under XP - in XP it gives me one
> partition twice, and the partition order and letters are always
> totally messed up. Whatever. XP /is/ better, right?)
>
> Everything was fine.
>
> However, when I switched on my USB drive yesterday, I instantly
> noticed that EVERY PARTITION on the USB drive had two new files
> in its root:
>
> Autorun.inf
> SYSTEM.EXE
>
> Both with hrs attribs, and both dated July 23, 2011. I am
> 99.9999% sure they were not there when I was in XP and ran MBAM
> on that day.
>
> The contents of the autorun.inf file are as follows:
>
> [autorun]
> shELlexEcUtE=sYStEM.EXE
> ;
> ICON=%WInDir%\SYsTEM32\sHeLl32.DLl,4
> ;
> actioN=Open folder to view files Using explorer
> ;
> shelL\OpeN\coMMAnd=SYSTEM.EXE
> shELL\explore\COmmaNd=SYSTEM.EXE
> UsEautOPLaY=1
>
> Rather than booting into XP just to see what would happen ;-) I
> thought I'd take the cowardly way out, and removed the hrs
> attributes of all the files (I have 11 partitions on that drive,
> so 22 files total - let's not get into a discussion of
> partitions, please), and deleted them. No problem.
>
> I scanned the files with ESET and it informed me that SYSTEM.EXE
> was a variant of Win32/Injector.HTF trojan. I also looked at
> "properties" as well as inside the file and it contained the
> name "jgk.exe" as the original file name, and a few other
> things, like the author's name, which I have a feeling may not
> be authentic ;-) (it's "Riordan Barton", FWIW).
>
> While nothing /really/ happened, I am curious as to how these
> two files got onto my external USB drive which is only used
> occasionally ***while NOTHING happened to the main drive inside
> the computer***.
>
> And, of course, where they came from in the first place.
>
> I think I may have booted into XP for about ten minutes on the
> 23rd, I'm not sure.
>
> I don't know if this has anything to do with the fake csrss.exe
> file which, according to MBAM, appeared on my system a few days
> earlier (and is dated about 9 days earlier).
>
> Since I was unable to find anything on the web, I thought I'd
> post this story here. I would welcome any comments and
> hypotheses, etc.
>
> I have both files saved (renamed) if anyone wants to examine
> SYSTEM.EXE or possibly even run it in Sandboxie or however you
> guys play with these things.
>
> (I apologize for the length of the post. I try, but I can not be
> concise.)
All that you posted were malware. No doubt about that with the last being an AutoRun
worm.
No execxutables should be in %appdata%. They are there because you have full rights to
write there rather than limited rights (using LUA) in the %windir% folder.
I'll be glad to look at ant file you have; http://www.uploadmalware.com/ and report back
my findings.
--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp
|
|