wmedia106

Discussion in 'Malware Help (A Specialist Will Reply)' started by scottm5443, Jun 20, 2008.

  1. scottm5443

    scottm5443 Private E-2

    I also have the wmedia worm/virus. Attaching the logs. I am running eTrust Antivirus 8.0.447.0 with InoculateIT 31.6.5889.0 and VET 31.6.5889.0.
     

    Attached Files:

  2. scottm5443

    scottm5443 Private E-2

    We noticed it today, but it looks like we got infected somewhere around 4pm on the 18th.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    What are the below two new folders for?
    Code:
    2008-06-19 18:07 . 2008-06-19 18:07 <DIR> d-------- C:\23.73.128
    2008-06-19 18:06 . 2008-06-19 19:03 <DIR> d-------- C:\31.6.5889
    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 6

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    After clicking Fix, exit HJT.

    Now we need to use ComboFix.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.



    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  4. scottm5443

    scottm5443 Private E-2

    OK, looks like a new worm/virus.

    Thank you for emailing CA Security Advisor.

    This is to notify you of the results of your submission, issue number 1390162. Please keep this issue number for future reference.

    With regards to the file "ptsmon.exe" submitted by you on 20 Jun 03:50:20 (Australian Eastern Standard Time), we have added cure instructions for Win32/ModTool.AD to the signature files.

    The Windows PE (I386,EXE) file "ptsmon.exe" has been determined to be malicious. Our researchers have analyzed the file and confirmed the result.

    Aliases reported by other AV products are listed here:
    (Downloader)

    Researcher comment:
    Win32/ModTool trojan variant

    CA products address this malware as follows:
    --------------------------------------------
    CA Anti-Virus
    Engine    Update version    Last Update
    31.6.0    31.6.5891         20 Jun
    The signature update is currently undergoing testing and should be
    available for download within 24 hours.
    Once the signature file is ready, it can be downloaded from
    http://www3.ca.com/support/vicdownload/


    Thank you for emailing CA Security Advisor.

    This is to notify you of the results of your submission, issue number 1390162. Please keep this issue number for future reference.

    With regards to the file "wmedia106.exe" submitted by you on 20 Jun 03:50:20 (Australian Eastern Standard Time), we have added cure instructions for Win32/Coreflood.AQ to the signature files.

    The Windows PE (I386,EXE) file "wmedia106.exe" has been determined to be malicious. Our researchers have analyzed the file and confirmed the result.

    Researcher comment:
    Win32/CoreFlood trojan variant

    CA products address this malware as follows:
    --------------------------------------------
    CA Anti-Virus
    Engine    Update version    Last Update
    31.6.0    31.6.5891         20 Jun
    The signature update is currently undergoing testing and should be
    available for download within 24 hours.
    Once the signature file is ready, it can be downloaded from
    http://www3.ca.com/support/vicdownload/

    Thank you for emailing CA Security Advisor.

    This is to notify you of the results of your submission, issue number 1390162. Please keep this issue number for future reference.

    With regards to the file "PAXHI.dll" submitted by you on 20 Jun 03:50:20 (Australian Eastern Standard Time), we have added cure instructions for Win32/Coreflood.AQ to the signature files.

    The Windows PE (I386,DLL) file "PAXHI.dll" has been determined to be malicious. This file appears to be a malware component. A malware component is a file that may be used by particular malware, but cannot behave maliciously by itself.
    Please restore the file from installation media or clean backup if possible.

    Researcher comment:
    Win32/CoreFlood trojan variant

    CA products address this malware as follows:
    --------------------------------------------
    CA Anti-Virus
    Engine    Update version    Last Update
    31.6.0    31.6.5891         20 Jun
    The signature update is currently undergoing testing and should be
    available for download within 24 hours.
    Once the signature file is ready, it can be downloaded from
    http://www3.ca.com/support/vicdownload/
     
  5. scottm5443

    scottm5443 Private E-2

    The 2 folders you listed are CA antivirus updates.
    I have uninstalled the old J2SE.
    I didn't have any errors running analyse.exe. I exited all browser sessions before I ran it.
    I didn't have any errors running cf.exe with the cfscript.txt file. I exited all browser sessions before I ran it.
    I was able to import the .reg file without any errors. At this point I still have the worm, I am waiting on the updated A/V defs from CA.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not according to your logs! The only place the wmedia106.exe file would be found now is in the C:\QooBox folder which is not a problem. It is just a quarantine folder for ComboFix.

    What problems are you actually having if any?
     
  7. scottm5443

    scottm5443 Private E-2

    After running the utilities it cleans the worm but later I get attacked again and get reinfected.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It was not in your logs! Where do you see the wmedia106.exe file now?

    I would also like you to run this: Running GMER to detect rootkits, and attach the requested log.
     
    Last edited: Jun 20, 2008
  9. scottm5443

    scottm5443 Private E-2

    I wrote a batch to just delete that file, it runs every 1 minute for now.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you hide the problems from our scans then we are going to have problems helping you since we need to see the problems.

    Stop using the batch file and then disconnect this PC from the network by unplugging the cable. Does the problem come back while the PC is unplugged? If yes, keep the cable disconnected and attach a new MGlogs.zip file (run GetLogs.bat again) then run ComboFix again. And then run the GMER rootkit scan I added to my last message that you may not have seen. Attach all of these logs.
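The point made above is that a batch file which deletes wmedia106.exe every minute destroys exactly the evidence the logs need to show. The script below is an added example, not code from this thread or from MajorGeeks: instead of deleting the file, it records every time the file is created or rewritten, with a timestamp and a count of connected network adapters, which gives a timeline to set against the "unplug the cable" test. It assumes PowerShell 2.0 or later in an elevated session that stays open; the watched directory and the log path are placeholders, because the thread never states where the file reappears.

```powershell
# Added example (not from the thread): log reappearances of wmedia106.exe instead of deleting it.
# ASSUMPTION: PowerShell 2.0+ (Register-ObjectEvent), run elevated, session kept open while watching.
$watchDir = Join-Path $env:SystemRoot 'system32'   # ASSUMPTION: change to the folder where the file reappears
$fileName = 'wmedia106.exe'                        # file name as reported in the thread
$logPath  = 'C:\MGtools\reinfection-log.txt'       # ASSUMPTION: any writable location will do

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $watchDir
$watcher.Filter = $fileName
$watcher.IncludeSubdirectories = $false
$watcher.NotifyFilter = [System.IO.NotifyFilters]::FileName -bor [System.IO.NotifyFilters]::LastWrite
$watcher.EnableRaisingEvents = $true

# Runs for each Created/Changed event. $Event.MessageData carries the log path into the action.
$onEvent = {
    $e = $Event.SourceEventArgs
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    # NetConnectionStatus 2 = Connected; 0 adapters means the cable was unplugged when the file came back
    $connected = @(Get-WmiObject -Class Win32_NetworkAdapter -Filter 'NetConnectionStatus = 2').Count
    $size = 'n/a'   # the file may still be being written, so the size is only a hint
    if (Test-Path -LiteralPath $e.FullPath) { $size = (Get-Item -LiteralPath $e.FullPath -Force).Length }
    $line = "{0}  {1,-8} {2}  size={3}  connected_adapters={4}" -f $stamp, $e.ChangeType, $e.FullPath, $size, $connected
    Add-Content -Path $Event.MessageData -Value $line
}

Register-ObjectEvent -InputObject $watcher -EventName Created -SourceIdentifier 'wmedia-created' -Action $onEvent -MessageData $logPath | Out-Null
Register-ObjectEvent -InputObject $watcher -EventName Changed -SourceIdentifier 'wmedia-changed' -Action $onEvent -MessageData $logPath | Out-Null

Add-Content -Path $logPath -Value ("{0}  START    watching {1}\{2}" -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $watchDir, $fileName)
Write-Host "Logging to $logPath. Press Ctrl+C to stop."
try {
    # Event actions fire between iterations of this idle loop
    while ($true) { Start-Sleep -Seconds 1 }
} finally {
    # Also runs on Ctrl+C: release the subscriptions and the watcher
    Unregister-Event -SourceIdentifier 'wmedia-created' -ErrorAction SilentlyContinue
    Unregister-Event -SourceIdentifier 'wmedia-changed' -ErrorAction SilentlyContinue
    $watcher.EnableRaisingEvents = $false
    $watcher.Dispose()
}
```

Run it in its own PowerShell window and leave that window open while the unplugged/plugged-in test is done; each line in the log then shows whether the file came back with the network connected (connected_adapters greater than 0) or not, and the log itself can be attached alongside MGlogs.zip and the ComboFix output.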
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    By the way, do you know what the below files are for?
    Code:
    "C:\WINDOWS\"
    gndgggg.dat Dec 26 2007 20 "GndGGGg.dat"
    kndkkkg.dat Dec 26 2007 20 "KndKKKg.dat"
    ngdggfg.cfg Dec 26 2007 12 "nGdGGfg.cfg"
    nkdkkfg.cfg Dec 26 2007 12 "nKdKKfg.cfg"
    s9e9ec~1.tmp Apr 7 2008 24 "S9E9ECDDB.tmp"
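The helper has now asked about three sets of items: the two new folders and the HijackThis O2/O4 lines in the first reply, and the oddly named .dat/.cfg/.tmp files in the listing above. The script below is an added example, not code from this thread or from MajorGeeks; it reports, read-only, whether each item is still present so the reply can be based on what is actually on disk and in the registry. It assumes PowerShell 2.0 or later in an elevated session; the paths, CLSID, Run value name and byte sizes are taken from the posts, and the sizes are only compared, never enforced. The Run-key part goes beyond the single QuickTime line on the page and lists every HKLM and HKCU Run value with a check that the named executable exists.

```powershell
# Added example (not from the thread): read-only presence report for the items discussed above.
# ASSUMPTION: PowerShell 2.0+, elevated. Nothing here deletes or changes anything.

$items = @(
    @{ Kind = 'Folder'; Path = 'C:\23.73.128' },                      # said to be CA antivirus update folders
    @{ Kind = 'Folder'; Path = 'C:\31.6.5889' },
    @{ Kind = 'Folder'; Path = 'C:\QooBox' },                         # ComboFix quarantine, expected after a run
    @{ Kind = 'File';   Path = 'C:\WINDOWS\GndGGGg.dat';   Size = 20 },   # sizes in bytes as shown in the post
    @{ Kind = 'File';   Path = 'C:\WINDOWS\KndKKKg.dat';   Size = 20 },
    @{ Kind = 'File';   Path = 'C:\WINDOWS\nGdGGfg.cfg';   Size = 12 },
    @{ Kind = 'File';   Path = 'C:\WINDOWS\nKdKKfg.cfg';   Size = 12 },
    @{ Kind = 'File';   Path = 'C:\WINDOWS\S9E9ECDDB.tmp'; Size = 24 }
)

foreach ($i in $items) {
    if (-not (Test-Path -LiteralPath $i.Path)) { "absent   {0,-6} {1}" -f $i.Kind, $i.Path; continue }
    $obj = Get-Item -LiteralPath $i.Path -Force
    $detail = "created={0:yyyy-MM-dd HH:mm} modified={1:yyyy-MM-dd HH:mm}" -f $obj.CreationTime, $obj.LastWriteTime
    if ($i.Kind -eq 'File') {
        $match = if ($obj.Length -eq $i.Size) { 'matches post' } else { 'differs from post' }
        $detail += "  size={0} ({1})" -f $obj.Length, $match
    }
    "PRESENT  {0,-6} {1}  {2}" -f $i.Kind, $i.Path, $detail
}

# HijackThis "O2 - BHO: (no name) - {CLSID} - (no file)": the CLSID is still registered as a
# Browser Helper Object but its InprocServer32 DLL path is empty or names a file that is gone.
$clsid  = '{02478D38-C3F9-4efb-9B51-7695ECA05670}'
$bhoKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid"
$srvKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
if (Test-Path -LiteralPath $bhoKey) {
    $dll = ''
    if (Test-Path -LiteralPath $srvKey) { $dll = [string](Get-ItemProperty -LiteralPath $srvKey).'(default)' }
    $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
    if ($dll -and (Test-Path -LiteralPath $dll)) { "PRESENT  BHO    $clsid -> $dll" }
    else { "PRESENT  BHO    $clsid registered, DLL missing ('(no file)' in HijackThis terms): '$dll'" }
} else { "absent   BHO    $clsid" }

# HijackThis "O4 - HKLM\..\Run" lines: every Run value in HKLM and HKCU, with a check that the
# executable it names still exists. Only the QuickTime Task value appears on the page; the rest is for review.
$meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($hive in 'HKLM', 'HKCU') {
    $runKey = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path -LiteralPath $runKey)) { continue }
    $props = Get-ItemProperty -LiteralPath $runKey
    foreach ($p in $props.PSObject.Properties) {
        if ($meta -contains $p.Name) { continue }     # skip provider metadata properties
        $cmd = [string]$p.Value
        # Heuristic: the executable is the quoted first token, or else everything up to the first space
        # (an unquoted path containing spaces is reported as MISSING and should be checked by hand).
        $exe = if ($cmd -match '^\s*"([^"]+)"') { $matches[1] } else { ($cmd -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $state = if ($exe -and (Test-Path -LiteralPath $exe)) { 'exe present' } else { 'exe MISSING' }
        "O4  {0}\..\Run: [{1}] {2}  ({3})" -f $hive, $p.Name, $cmd, $state
    }
}
```

Paste the output into the reply rather than acting on it: a folder that turns out to be an antivirus update cache is harmless, a Run value whose executable is gone is the kind of leftover HijackThis flags, and a DLL-less BHO is what the O2 "(no file)" line means.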
     
