yes - those are the two forums/newsgroups I mentioned above...
Hi people,
thanks for your research, results, and tips!
Following this statement of yours I found its description on http://www.symantec.com/avcenter/ven...aphexdoor.html. Seems convincing to me. E.g., the infection length of 14,336 bytes fits exactly, and my machine was sending out many kilobytes without asking or being ordered to (by me).
Originally Posted by mikmik
Symantec describes: Backdoor.Aphexdoor
- copies itself as %Windir%\iexplore.exe,
- adds the value "IEXPLORE"="%Windir%\iexplore.exe" to the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run,
- attempts to connect to a predetermined IRC server, and waits for commands...
Maybe I caught a variety, that's using the name "msfirewall" instead, or it's working slow, because
- I didn't find an additional "iexplore.exe" in C:\WINDOWS, only the original one in "program files\internet explorer\"
- and the registry entry was only "C:\WINDOWS\System32\msfirewall.exe".
Thanks for the address. I've already used http://www.liutilities.com/products/...rocesslibrary/ several times, but "answersthatwork" was new to me. It's really nice!
Originally Posted by mikmik
Thanks for your kind words, but I have to confess, this results from my formerly ...unconventional way of preventing infections: just doing it by hand.
Originally Posted by mikmik
Oh yes, I remember: caught it and deleted it a few months ago.
Originally Posted by mikmik
Doing some research on "alg.exe" I stumbled upon http://www.blackviper.com/WinXP/strangeservice.htm :
Originally Posted by ldyguique
"IEXPLORE.EXE: ... every time you open an additional browser, you also start another one of these processes. If you close "all" browser windows, a IEXPLORE.EXE process will still be running. This is a "feature" to allow faster startup the next time you open IE. Unlike Mozilla, you cannot disable this "feature" other than directly killing the offending process."
The owning user of this "offending process" is not mentioned there. But during the last hours I kept an eye on the different iexplore.exe processes:
After starting XP I had cancelled the SYSTEM owned process as usual, and after several hours it suddenly reappeared. This time again, I couldn't reveal what made it come back. But as I'm running Glocksoft's Advanced Administrative Tools now (Network Monitor, Process Monitor, and others), I could see the following:
There were three iexplore.exe processes in the state of "listening" at a TCP or UDP port, but there were four iexplore.exe processes visible in the Task Manager and in the Process Monitor. So I reduced the priority of all user owned IE processes in the Task Manager, so - in the Process Monitor - I could identify the corresponding PIDs and compare them to the PIDs of the listening IEs in the Network Monitor.
This showed that the SYSTEM owned iexplore.exe IS NOT searching for any contact (at least right now) - in contrast to the IEs I'd started myself. So I tend to believe in its function as an XP feature to allow faster startups.
I tested my system several times after quarantining msfirewall.exe. There is no ftp.dll to be found. Maybe I was too fast in quarantining (ok... normally that's not a key feature of mine.)
Originally Posted by ldyguique
The fact that I caught msfirewall.exe and, some weeks ago, discovered the system's iexplore.exe for the first time won't, I guess, have any connection.
At last: No day without a new surprise:
When I started and connected to the net today, there was another chattering something nestled somewhere invisibly. And this time even the Task Manager was not sufficient to identify the noisy cricket. Only the mentioned Network Monitor revealed "msupdate.exe" as being active on many, many ports. This catchword supplied a nice bunch of virus reports... But I've never heard about a process that's running and at the same time succeeds in preventing the Task Manager from displaying it! But this one did (if I hadn't simply been too blind)!!!
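The manual correlation described above (Task Manager PIDs against the listening endpoints in a network monitor, plus a look at the Run key) can be done in one pass. This is an added example, not from the thread or any of its posters; it assumes a current Windows with the NetTCPIP module (Get-NetTCPConnection / Get-NetUDPEndpoint) and an elevated prompt so that process owners are readable, and the "expected path" list is constructed for illustration.

```powershell
# Added example: list every listening TCP/UDP endpoint together with the owning
# process name, PID, user and image path, and flag processes that reuse a
# well-known name but run from an unexpected directory (as Symantec describes
# for Backdoor.Aphexdoor, which drops %Windir%\iexplore.exe).
# Assumes: Windows 8+/Server 2012+ (NetTCPIP module) and an elevated shell.

$procs = @{}
Get-Process -IncludeUserName | ForEach-Object { $procs[$_.Id] = $_ }

$tcp = Get-NetTCPConnection -State Listen |
    Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess
$udp = Get-NetUDPEndpoint |
    Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess

# Constructed table: process name (without .exe) -> wildcard of the directory
# where the genuine binary lives. Extend as needed for your environment.
$expected = @{
    'iexplore' = '*\Internet Explorer\*'
}

$rows = foreach ($ep in (@($tcp) + @($udp))) {
    $p = $procs[[int]$ep.OwningProcess]      # OwningProcess is uint32, Id is int32
    if (-not $p) { continue }
    $path = $null
    try { $path = $p.Path } catch { }         # Path may be unreadable for protected processes
    $suspicious = $false
    if ($expected.ContainsKey($p.Name) -and $path -and $path -notlike $expected[$p.Name]) {
        $suspicious = $true
    }
    [pscustomobject]@{
        Proto = $ep.Proto; Port = $ep.LocalPort; PID = $ep.OwningProcess
        Name = $p.Name; User = $p.UserName; Path = $path; Suspicious = $suspicious
    }
}
$rows | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# Autostart entries under the Run key, where the thread found msfirewall.exe
# and where Aphexdoor registers its "IEXPLORE" value.
Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' |
    Select-Object * -ExcludeProperty PS* | Format-List
```

A listener owned by SYSTEM with no readable path, or a name from the table running outside its expected directory, is the kind of row that deserves a file submission to an AV vendor rather than an immediate delete.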
I thought the "msfirewall.exe" file sounded familiar too, and per Minstrel's mention of Unix and being enrolled in a Fundamentals of Unix class, I thought maybe I had heard it there. I ran a search on a dozen or so Unix, Linux, GNU, Red Hat, and Solaris sites. Likewise checked the Cisco Networking site Glossary, and found no mention of it anywhere.
The only place I found anything was here ~>http://www.hummingbird.com/SEARCH/search.html where a search for "msfirewall" without the executable extension returned 50 finds, which don't necessarily appear relevant to anything except firewall problems on Microsoft OS when using the Hummingbird software.
Not knowing history on the computer, or all symptoms you're seeing, they may well be however, and you might want to browse them quickly to see if anything rings a bell. Hummingbird is a Unix Emulator, capable of running on various Windows platforms, XP being one of them. Will likewise check the man pages (help) in Solaris later in the week, to see if it's in the program and simply isn't showing up in search, however given the expanse of help we've been introduced to in the Unix/Linux family of Software, I honestly don't think that's going to be the case.
I think the thing that is so disturbing about this particular lil darlin' is that no one seems to know how they picked it up -- and it all appeared on Feb 12th -- didn't spread rapidly, or we'd have gotten more hits. I'm still getting nada in Google. Looks like a variant of iexplorer.exe. I'd still recommend sending it off to a couple of the AV companies and let them beat it up a bit.
LdyGuique
Checked man pages in Solaris, both on board my workstation in class and on the Sun website, to no avail. Found no mention of the file anywhere. In one search on Google last night it did however spit out two articles in what appeared to be Russian. Since I don't read Russian I have not a clue what they were saying, but.... the msfirewall.exe file was highlighted in both. Have since been unable to get those results back up in search, however.
That's okay, Rock... take whatever time you need to learn Russian (it'll give you something to do to fill up all that spare time you have) and then come back and tell us what the pages said... we'll wait. Someone pass me another ale, please?
Originally Posted by rocky1
(how does one say "msfirewall.exe" in Russian anyway?)
Well, I've followed the SEs on this one since the original post, with no avail.
To my delight, this morning, 6 of them had new results for it. They all point to this thread....
Hi all,
Just to let you know that this one's now popping up in other forums, and appears to be detected as the Backdoor.Snart.m virus by Kaspersky.
Sparky
Thanks for your work and the hint, Rocky. I checked it. There is a strange effect of that search engine of Hummingbird's: It returns 50 hits for msfirewall, but NOT ONE of these linked pages contains "msfirewall", only "firewall" !!
Originally Posted by rocky1
I tried to do so, searching on some AV company home pages for links for non-registered customers saying "report and send suspicious files" or something like that. I didn't find ONE!
Originally Posted by ldyguique
Do you have any tips/addresses for me for future attempts of this kind?
Yes, today Google provides one other forum: http://forums.techguy.org/t203378/s.html, saying that AVP identifies msfirewall.exe as Backdoor.Snart.m.
Originally Posted by sparky_t
This Snart.m is on AVP's weekly pattern update list of 13.Feb.2004, but the corresponding entry in AVP's virus description list is still missing.
Also the Symantec online check did identify msfirewall.exe, but calls it Backdoor.Smother. I didn't let msfirewall.exe work long enough to confirm whether it tries to communicate through port 3264, as described by Symantec on http://securityresponse.symantec.com...r.smother.html. At least the mentioned infection length of 15,872 bytes does NOT fit "my" 14,336 bytes.
Whatever it eventually may be called, it's nothing I really want to have acting on my system. So, thanks again to all of you for your help and discussion!
And, ldyguique, if you could reply or PM some contact addresses, you would make an even happier man out of me...
Two links for submitting files for inspection -- Trend and Symantec
Trend.com's submission Wizard
Submitting a file to Symantec Security Response using Scan and Deliver
LdyGuique