
Thread: msfirewall.exe


#1 Junior Member (Join Date: Dec 2003, Posts: 5)

    msfirewall.exe

    Hi people out there,

When I started my system (Windows XP) this morning (12 Feb 04) and some time later looked into the Task Manager's process tab, there was a process I had never seen before: msfirewall.exe.

    - The file resided in c:\WINDOWS\system32,
    - has 14,336 bytes,
    - was "created" on 5. September 2002, 00:37:09,
    - and last "changed" on 29. August 2002, 02:43:26. (I bought the machine in December 2002 from the manufacturer.)
    - The file has NO properties entry of firm, version, or description.
    - The process was started by a NEW entry under HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run :
    "MsFirewall" with the value C:\WINDOWS\System32\msfirewall.exe.

    I didn't install any new software that day before the process appeared. I only used Microtrend's online scanner and then surfed the net for a few hours. When I used this online scanner the last time, one month ago, there was no such change in my registry. So I don't believe it's a change done by the scanner software.

    I cancelled the process and locked away the file immediately, so I can't say how it affects the system or what it does.
    I did a Google search and a meta search on "msfirewall.exe", but there was not one piece of information found!!

    Does anyone know this file?
    Does anyone have Windows XP to confirm whether or not it's a normal part of the operating system?
    Or are there addresses where suspicious files can be sent for a closer examination?

    I hope the Break Room is the right forum for a topic like this. If not, mods, please move this to wherever it belongs.
    Thanks so far for listening...

#2 Senior Member (Join Date: Nov 2003, Posts: 171)

    the mystery of msfirewall.exe

    Neward --

    I took a deep look at my own machine and could not find the file msfirewall.exe anywhere. I run WinXP and know that it has a firewall in Network Connections; so, I figured it might be that. I, too, did a thorough net search, on both msfirewall.exe and msfirewall -- nada. I searched Microsoft -- nada. BTW the name for the firewall that is included with WinXP = IPv6 Internet Connection Firewall

    You picked up "something," but what remains to be seen. I think quarantining it is a good idea; however, it had to come from "somewhere." The fact that it showed up in system32 makes it more suspicious -- trojans and virii tend to install stuff in there. It may be new enough that sites where it's being discussed have yet to be spidered. I'd definitely keep an eye on it.
    LdyGuique

#3 Junior Member (Join Date: Dec 2003, Posts: 5)

    Thanks, ldyguique, for your answer.

    There is another strange thing I'm watching since about 2 months. As you run XP maybe you or anyone else experienced that, too:

    When I start my system, a process "iexplore.exe" appears after less than 1 minute in the Task Manager's process tab. The user of this process is "SYSTEM". But there is no visual attempt of the system (or me) to connect to the net. There is only the process "iexplore.exe", no application of IE.
    When I cancel this process and work for a few hours, it sometimes reappears and sometimes doesn't. I've not discovered till now what makes it reappear or impedes that.

    I don't even know whether that's new since about two months or whether I just didn't notice it before.

    Any hints?

#4 WebProWorld MVP mikmik (Join Date: Aug 2003, Posts: 1,557)

    You have the Backdoor.Aphexdoor virus (most particularly if the full path showing in The Ultimate Troubleshooter is C:\Windows\Iexplore.exe or C:\WinNT\Iexplore.exe).
    Found here, a good resource: http://www.answersthatwork.com/Taskl...tasklist_i.htm

    I am very impressed that you keep your eye on the task list, neward. It is very prudent to become familiar with what is normally running on our computers so as to spot any suspicious activity very quickly.

    Trojans are now known to produce 80% of spam, and are used for DDoS (Dedicated Denial of Service) attacks on websites, like the recent SCO and Microsoft attacks (spread by the MyDoom worm).

    They are run from user PC's and it is estimated that at least 35% of computer users are infected with these programs and are being used, AS WE SPEAK.
    That is one out of three of us people, (reading this right now!!!) on the internet.


    Here is another, the WinTasks Process Library:

    iexplorer - iexplorer.exe - Process Information
    Process File: iexplorer or iexplorer.exe
    Process Name: iexplorer
    Description: Application that is a variant of the RapidBlaster parasite that downloads advertising from the Internet and displays it periodically.
    Company: N/A
    System Process: No
    Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): Yes
    Common Errors: N/A
    http://www.liutilities.com/products/...rary/security/

    This site, while mostly for marketing purposes (for their 'Taskmanager Professional' software), is nevertheless a good resource for explaining the Windows processes, in addition to the one I gave further above.
    Babies don't need a vacation, but I still see them at the beach... it pisses me off! I'll go over to a little baby and say 'What are you doing here? You haven't worked a day in your life!'
    Steven Wright

#5 Senior Member (Join Date: Nov 2003, Posts: 171)

    mikmik is a hero

    WTG, mikmik!!

    I just got in here to check up on my posting and noticed you'd done some research of your own. Frankly, I'm braindead enough that I prolly wouldn't have bothered to research it -- I've no memory, per se, of that particular lil darlin', and iexplore.exe in SYSTEM didn't trigger any bells.

    I would be concerned that the online scanning with PC Doctor didn't pick it up, though. I run Trend's PC-Cillan myself and feel that it does a good job. It may be that the online scan isn't as thorough as an installed program, and I didn't realize that.
    LdyGuique

#6 WebProWorld MVP mikmik (Join Date: Aug 2003, Posts: 1,557)

    Ha!

    I don't have a life haha hehe :o)

    Anyways, thanks. You are the master at researching - holy smokes. But I know brain dead, I am well versed at that ;o>

    I started doing online scans, like you, to back up my results of my system A-V, Norton 2003.

    I was shocked that House-call would find things that Norton would miss, or vice versa.
    Now I also go to Sophos for a checkup, just to be sure.

    I have had some false positives with Symantec (Norton, of course) lately, but both were pronounced clean later. So I also wonder about some of the more esoteric trojans that are found - mayhaps falsely accused on the back-up scans?

#7 Senior Member (Join Date: Nov 2003, Posts: 171)

    Well, mikmik -- if your basic strategy is to NOT open unexpected attachments, you're within the 99.9% safety zone. The very few virii and trojans that come in other ways tend to make such a big news flash and cause such worldwide chaos that one tends to be aware of them (i.e., msblaster). To my knowledge, the variants of "bubbleboy" or the virii that open automatically in the Preview Pane have all been fixed by an MS update back in November 1999 for OE5.0. All later versions of IE/OE included the fix.

    Although as a followup (and some sleep). . .I had tried to find the trojan last night on Trend and zeroed in on it, but it was discovered last July and wasn't in the wild (see details below). And it put a file on for ftp.exe and ftp.dlln - - but backdoors can be slimy devils and he had msfirewall.exe show up mysteriously. . .so I mulled

    Neward is specifically denoting iexplore.exe vs iexplorer.exe

    Internet Explorer = iexplore.exe

    The trojan = iexplorer.exe

    When I do load in IE6 -- I get an iexplore.exe in Owner -- not SYSTEM

    SYSTEM = files loading in during startup

    I'm quite sure that he's picked up "something." But what is the issue, and it's not showing up in searches, yet. It's possible that it's a relatively benign spyware of some sort; however, it's definitely something that I'd keep an eye on. Aphex may have a variant (it gets over 280 hits in Trend when searching just for Aphex itself) that hasn't been turned in to any AV company yet.

    I'd recommend forwarding msfirewall.exe to Trend for checking.

    Aliases: Aphex’s Firewall-Blocking FTP, AFWBFTP.A
    Trend's detail:
    This backdoor malware is written and compiled in Borland Delphi, a high-level programming language. This File Transfer Protocol (FTP) backdoor malware exploits a known security hole in personal firewall applications, which is its preset listing of trusted applications that are allowed to transfer data to and from the system. It manipulates this weak spot to bypass firewall security monitoring.

    Upon execution, it drops the file, FTP.DLL, in the current directory where it is executed. This file is the main backdoor FTP server.

    This malware takes advantage of the fact that personal firewalls include Internet Explorer in its list of trusted applications.

    First, it opens a hidden instance of Internet Explorer, executing C:\Program Files\Internet Explorer\Iexplore.exe. It opens this process and hooks it so that, FTP.DLL, is also executed simultaneously. This tricks the firewall into providing it with trusted access to the system.

    This malware opens and listens to TCP ports 65878 and 65879. On port 65878, it executes the hidden FTP service that anyone with the right username and password can access.

    On port 65879, this malware services the screen capture feature. If a remote user connects to this port using any Web browser, a screen shot of the compromised system is displayed in JPEG format.
    LdyGuique
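The Trend write-up quoted above gives a defender two host-level indicators to look for: a hidden iexplore.exe running as SYSTEM at startup, and TCP listeners on 65878/65879 owned by that process. The script below, an added example that is not part of this thread or of any vendor tool, checks constructed `tasklist`/`netstat -ano` style samples for exactly those indicators; the PIDs, user names and host names in the samples are made up.

```python
import re

# Indicators taken from the Trend description quoted in the thread: the backdoor
# hooks a hidden iexplore.exe and listens on TCP 65878 (FTP) and 65879 (screenshot).
BACKDOOR_PORTS = {65878, 65879}

# Constructed sample in the shape of `netstat -ano` output (not a real capture).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    0.0.0.0:65878          0.0.0.0:0              LISTENING       1412
  TCP    0.0.0.0:65879          0.0.0.0:0              LISTENING       1412
  TCP    192.168.1.5:1034       10.0.0.7:80            ESTABLISHED     1412
"""

# Constructed sample in the shape of `tasklist /v` rows: (image name, PID, user).
SAMPLE_TASKS = [
    ("svchost.exe", 888, "NT AUTHORITY\\SYSTEM"),
    ("iexplore.exe", 1412, "NT AUTHORITY\\SYSTEM"),   # hidden instance, as described
    ("iexplore.exe", 2044, "XPBOX\\neward"),          # the user's own browser
]

def listening_pids(netstat_text):
    """Map PID -> set of local TCP ports that PID has in LISTENING state."""
    ports = {}
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)", line)
        if m:
            ports.setdefault(int(m.group(2)), set()).add(int(m.group(1)))
    return ports

def suspicious_iexplore(tasks, netstat_text):
    """Return (image, pid, reasons) for processes matching the thread's indicators."""
    ports_by_pid = listening_pids(netstat_text)
    findings = []
    for image, pid, user in tasks:
        reasons = []
        # Internet Explorer started by a logged-in user runs as that user, not SYSTEM.
        if image.lower() == "iexplore.exe" and user.upper().endswith("\\SYSTEM"):
            reasons.append("iexplore.exe running as SYSTEM")
        hit = ports_by_pid.get(pid, set()) & BACKDOOR_PORTS
        if hit:
            reasons.append("listening on TCP %s" % sorted(hit))
        if reasons:
            findings.append((image, pid, reasons))
    return findings

if __name__ == "__main__":
    for image, pid, reasons in suspicious_iexplore(SAMPLE_TASKS, SAMPLE_NETSTAT):
        print("%s (PID %d): %s" % (image, pid, "; ".join(reasons)))
```

On a live XP box the same two functions can be fed the real output of `tasklist /v` and `netstat -ano`; a hit on either indicator is a reason to quarantine the file and submit it to an AV vendor, as the post suggests.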

#8 WebProWorld MVP minstrel (Join Date: Jul 2003, Location: Ottawa, Canada, Posts: 2,553)

    The only information I could find about msfirewall.exe were entries in two other forums - as here, nobody knew what the file was other than that it was not a native Windows or other Microsoft file, and therefore, as here, the threads were suggesting a trojan of some sort. Interestingly, one of the posts was in a Linux thread although it wasn't clear if it appeared on a Linux system (many Linux users of course have a dual boot system).

#9 WebProWorld MVP mikmik (Join Date: Aug 2003, Posts: 1,557)

    Hi, ldyguique.
    Hi, David.
    I sound like janeth, hey?

    Anyhow, I think that this may be a tougher nut to crack than the Aux.txz caper, back in '03.

    Let's do it. ;o)

#10 Senior Member (Join Date: Nov 2003, Posts: 171)

    Google newsGroups

    I just searched Google newsGroups and got two hits -- from two different ppl asking about msfirewall but no one knew anything -- both are dated 2/12/2004
    LdyGuique
