Newbie (1 Posts)
1/21/2007 1:51:42 AM
Your advice worked perfectly. Thanks - you pretty much said it all; I'll add a few details:
1. When you look at the executable in the main directory ("pgm.exe") and the one in the bak directory (same name), you can tell something is fishy. The real program in bak has the proper icon, and right-click Properties gives the company info, revision, etc. The fake program has none of this! Also, I found 7 fake programs, and all were the same size (about 40K).
2. One thing I like to do when I get a virus is to do a file search by date. In this case I saw one infected file was from 1/15/2007 at about 9 PM, so I searched for all files modified on that day and then sorted by modification time. This is an extra check to make sure you catch everything: typically an infection takes place within a few minutes, so you can scrutinize all the files modified in that time window.
Anyway, thanks again.
Upon start/restart of the infected computer, said computer would over-utilize CPU performance to the point that other software functions on the machine would not be able to reasonably initiate at startup.
In actuality, the malware was creating multiple IEXPLORE.exe instances running as background tasks. These instances were then creating randomly named .EXE (0 bytes) and .DLL (22K bytes) files. These files were located on the local HDD under the path C:\Documents and Settings\"Login Name"\Local Settings\Temp and had filename prefixes of the form "Tnnnnnnnn", where nnnnnnnn was a randomly generated number. These files were children of the background IEXPLORE.exe tasks and could not be deleted until the respective IEXPLORE.exe task was terminated from the Task Manager utility.
This malware had initially gone in and found all non-critical executable references in the machine's HKLM and HKCU Software\Microsoft\Windows\CurrentVersion\Run registry keys. The malware then went into those directory locations for ALL executables found, created a .BAK subdirectory, moved the real executables into the .BAK subdirectory, and then replaced the original executables with a malware executable of the same name. In my case, this had happened in about a dozen places. This malware can be detected by the sudden loss of certain software-based functions on the computer; in my case it was enhanced mouse features, Pop Peeper (POP3 utility) quit working, Counterspy quit loading, etc. Said malware had replaced other .EXEs as well, but this fact would not be realized immediately due to non-utilization of the associated functionality, so there is a lack of awareness of how widespread the infection on the computer is. Another observation: the size of the malware executable is always 17K bytes.
Perform a complete HDD search, starting from the root directory, for "BAK". Along with files having the suffix BAK (not important), the search identifies every directory path with a BAK subfolder embedded, i.e. an affected software product. At that point the malware executable can be deleted and then replaced with the proper executable found in the respective BAK subdirectory. Once the original .EXE is moved back to its proper location, the BAK folder can be deleted.
Prior to performing further research, as far as I can tell this is a non-destructive virus, besides chewing up massive CPU resources. At this point I have not determined the URL the stand-alone IEXPLORE.exe task was trying to connect to.
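The cleanup procedure described in the two posts above (search the drive for BAK subfolders, compare the swapped executable with the copy in BAK, use the modification-time window of the infection as a cross-check, then move the original back and delete the BAK folder) can be scripted. The following is an added example written for this page, not code from either poster. It assumes the BAK folder is named either "BAK" or ".BAK" (both spellings appear in the thread), and it uses the presence of the UTF-16 string "VS_VERSION_INFO" in the file as a stand-in for "right-click Properties shows company/version info"; that marker is what a PE file's VERSIONINFO resource contains, but its absence is a heuristic signal, not proof of tampering. The 10-minute window is likewise an assumed default.

```python
"""Find executables swapped with a BAK copy, cross-check by mtime, restore."""
import os
import shutil
import sys
from collections import Counter
from datetime import datetime, timedelta

# A PE file with a VERSIONINFO resource contains this UTF-16LE string.
# Assumption: its absence stands in for the "no company info / no version in
# Properties" symptom from the thread. Heuristic only.
VERSION_INFO_MARKER = "VS_VERSION_INFO".encode("utf-16-le")

# Assumption: the malware's backup folder is spelled BAK or .BAK.
BAK_NAMES = {"BAK", ".BAK"}


def has_version_info(path):
    """True if the file carries the VS_VERSION_INFO resource marker."""
    with open(path, "rb") as fh:
        return VERSION_INFO_MARKER in fh.read()


def find_swapped_executables(root):
    """Walk `root`; in every directory that has a BAK/.BAK subfolder, pair
    each .exe inside BAK with the same-named file in the parent directory.
    The parent copy is the suspect, the BAK copy the original (per the thread).
    Files merely ending in .bak are ignored, matching the posted procedure."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        for bak in (d for d in dirnames if d.upper() in BAK_NAMES):
            bak_dir = os.path.join(dirpath, bak)
            for name in os.listdir(bak_dir):
                suspect = os.path.join(dirpath, name)
                original = os.path.join(bak_dir, name)
                if not (name.lower().endswith(".exe") and os.path.isfile(suspect)):
                    continue
                findings.append({
                    "directory": dirpath,
                    "name": name,
                    "bak_dir": bak_dir,
                    "suspect_size": os.path.getsize(suspect),
                    "original_size": os.path.getsize(original),
                    "suspect_has_version_info": has_version_info(suspect),
                    "original_has_version_info": has_version_info(original),
                })
    findings.sort(key=lambda f: (f["directory"], f["name"]))
    return findings


def repeated_impostor_sizes(findings):
    """Suspect sizes shared by more than one finding. Both posters saw every
    impostor at one fixed size (17K and about 40K respectively), so a cluster
    of identical sizes is a strong hint that the same dropper wrote them all."""
    counts = Counter(f["suspect_size"] for f in findings)
    return sorted(size for size, n in counts.items() if n > 1)


def restore_original(finding, dry_run=True):
    """Delete the impostor, move the BAK copy back, remove BAK if it is then
    empty. Returns the list of actions planned (dry_run) or performed."""
    suspect = os.path.join(finding["directory"], finding["name"])
    original = os.path.join(finding["bak_dir"], finding["name"])
    remaining = [n for n in os.listdir(finding["bak_dir"]) if n != finding["name"]]
    actions = [("delete", suspect), ("move", original, suspect)]
    if not remaining:
        actions.append(("rmdir", finding["bak_dir"]))
    if not dry_run:
        os.remove(suspect)
        shutil.move(original, suspect)
        if not remaining:
            os.rmdir(finding["bak_dir"])
    return actions


def files_modified_near(root, when, window_minutes=10):
    """The date-search cross-check: (mtime, path) for every file modified
    within +/- window_minutes of `when`, sorted by mtime."""
    lo = (when - timedelta(minutes=window_minutes)).timestamp()
    hi = (when + timedelta(minutes=window_minutes)).timestamp()
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            mtime = os.path.getmtime(path)
            if lo <= mtime <= hi:
                hits.append((datetime.fromtimestamp(mtime), path))
    return sorted(hits)


if __name__ == "__main__":
    # Usage: python swapcheck.py <root>  (report only; restore is a separate step)
    for f in find_swapped_executables(sys.argv[1]):
        print(f"{f['directory']}\\{f['name']}: suspect {f['suspect_size']} bytes, "
              f"version info={f['suspect_has_version_info']}; "
              f"BAK copy {f['original_size']} bytes, "
              f"version info={f['original_has_version_info']}")
```

Run it in report mode first and only call `restore_original(..., dry_run=False)` after the IEXPLORE.exe instances have been killed, since the thread notes the malware's files cannot be removed while those tasks are alive; `files_modified_near` should be pointed at the timestamp of the first confirmed impostor to catch anything the BAK search misses.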