basad.exe - Anyone seen this virus/worm/trojan before?

Discussion in 'Software' started by VRay, Sep 3, 2004.

  1. VRay

    VRay Private E-2

    I had a client who could not connect to our servers using Citrix. While investigating the problem I came across basad.exe in the winnt/repair folder after checking the obvious registry entries. I started it up (on a test machine :) to see what it was and what it does:

    It creates a file called dasab.ini which does not appear to be a true ini file. It contains machine language gibberish, not configuration stuff as a regular ini does.

    It places a registry entry in HKEY_LOCAL_MACHINE/Software/microsoft/windows/currentversion/Browserhelperobjects
    Key=F32F8ECD-459D-82F2-****
    This presumably starts/restarts basad.exe when the browser is opened, or performs some browser related task.

    Another registry entry is placed in the HKEY_LOCAL_MACHINE/Software/microsoft/windows/currentversion/RunOnce where *basad.exe is set to run each time the machine boots.

    I have searched everywhere for info, but come up blank. Anyone seen this before? Or does anyone with more skills than I want to investigate this thing?
     
  2. Kodo

    Kodo SNATCHSQUATCH

  3. VRay

    VRay Private E-2

    Well, thanks.... my question is about the specifics of this particular infection. I would like to know what it is, what it does, how one gets it etc. I was hoping someone had run into it before, as a search reveals nothing. Generic virus info is not what I am looking for......
     
  4. Nirvana_CN

    Nirvana_CN Private First Class

    Until you run a scan with Ad-aware, or run HijackThis as Kodo suggested in the links he gave you, we can't help. Most viruses/trojans expand themselves into an EXE file, and they use a random name generator to make the file. Hence, as it's random, only a scanner will be able to identify the trojan's internal pattern.

    We can't look at that file and just know which trojan's random naming created it ;)
     
  5. VRay

    VRay Private E-2

    Ad-aware comes up with nothing. I had the basad.exe sent to me, and then ran it, so results could be different to the machine it was originally on..
     
  6. Kodo

    Kodo SNATCHSQUATCH

    Do you know who sent it and were you expecting it? If not, then I'd say it's a virus.
     
  7. VRay

    VRay Private E-2

    Yes. It was on a client's machine. I wanted to check it out so it was emailed to me and I ran it on a test machine.
     
  8. JohnHood

    JohnHood Private E-2

    VRay - Kodo et al. I just joined, in part because I have the same thing on a client computer. I'll be going through http://forums.majorgeeks.com/showthread.php?t=35407 tomorrow. I have done some of it already, but not in this specific order. Will post what I find out. Basad.exe is a tough little you-know-what. Can't delete it even when booted to DOS. It refuses to take Attrib -h -s or any variant.
     
  9. JohnHood

    JohnHood Private E-2

    Log out as the user. Boot safe mode and log on as the box admin. Stop the basad.exe process, and delete the basad.exe file (you have three seconds to accomplish this, so fast mousing is required). Control Panel, Users and Groups, make the user "restricted". Reboot and log on as the user.

    Now remove file and remnants (dasab.ini, dasab.dat) and remove from registry (Run and RunOnce).

    Minty-fresh
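Added example, not code from this thread or from any tool named in it: a small Python audit of a regedit export that covers the persistence spots the thread mentions, the Run/RunOnce keys cleaned up in the post above and the Browser Helper Objects key from the first post. It parses the .reg text, lists Run/RunOnce/RunServices entries whose command mentions a suspect string, and resolves every registered BHO CLSID to the DLL behind it so an unknown helper object can be spotted. The sample export, the CLSID and the DLL path are constructed placeholders; the real BHO key lives under ...\CurrentVersion\Explorer\Browser Helper Objects, and a RunOnce value whose name begins with `*` also fires in Safe Mode (which is why the `*basad` entry in the first post is worth noting).

```python
"""Audit a regedit (.reg) export for autostart entries and Browser Helper
Objects that reference a suspect file.  Added example with constructed input."""
import re

# Key suffixes whose values Windows launches at boot/logon.
AUTORUN_SUFFIXES = ("\\run", "\\runonce", "\\runservices", "\\runservicesonce")
BHO_KEY = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
           "\\Explorer\\Browser Helper Objects")
# "name"=data  or  @=data (the key's default value); data may be a quoted
# string, hex:.. or dword:..
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    """.reg string data escapes backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: data}} for every key in the export.
    Quoted (REG_SZ) data is unescaped; hex:/dword: data is kept verbatim."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            if current.startswith("-"):      # "[-HKEY...]" is a key deletion
                current = None
                continue
            keys.setdefault(current, {})     # keep keys that hold no values
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) is None else _unescape(m.group(1))
            data = m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def find_autoruns(reg, suspects):
    """Run/RunOnce/RunServices* entries whose command mentions a suspect string.
    A RunOnce value name that starts with '*' is also run in Safe Mode."""
    needles = [s.lower() for s in suspects]
    hits = []
    for key, values in reg.items():
        if not key.lower().endswith(AUTORUN_SUFFIXES):
            continue
        for name, data in values.items():
            if any(n in data.lower() for n in needles):
                hits.append({"key": key, "name": name, "command": data,
                             "runs_in_safe_mode": key.lower().endswith("\\runonce")
                                                  and name.startswith("*")})
    return hits


def list_bhos(reg, suspects):
    """Every registered BHO CLSID with the DLL its InprocServer32 resolves to.
    Flagged when the DLL path matches a suspect string or cannot be resolved."""
    by_lower = {k.lower(): v for k, v in reg.items()}
    needles = [s.lower() for s in suspects]
    prefix = BHO_KEY.lower() + "\\"
    bhos = []
    for key in reg:
        if not key.lower().startswith(prefix):
            continue
        clsid = key[len(prefix):].split("\\")[0]
        server = by_lower.get(
            f"hkey_classes_root\\clsid\\{clsid.lower()}\\inprocserver32", {})
        dll = server.get("@")
        flagged = dll is None or any(n in dll.lower() for n in needles)
        bhos.append({"clsid": clsid, "dll": dll, "flagged": flagged})
    return bhos


def audit(reg_text, suspects):
    reg = parse_reg(reg_text)
    return {"autoruns": find_autoruns(reg, suspects),
            "bhos": list_bhos(reg, suspects)}


# Constructed sample export: the CLSID and DLL name are placeholders, the
# SoundTray entry stands in for a legitimate autostart.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundTray"="C:\\Program Files\\Audio\\soundtray.exe /start"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*basad"="C:\\WINNT\\repair\\basad.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\WINNT\\repair\\example-bho.dll"
"ThreadingModel"="Apartment"
"""

if __name__ == "__main__":
    result = audit(SAMPLE_REG, ["basad", "dasab", "\\repair\\"])
    for h in result["autoruns"]:
        print(f"AUTORUN {h['key']}\n   {h['name']} = {h['command']}"
              + ("  (also runs in Safe Mode)" if h["runs_in_safe_mode"] else ""))
    for b in result["bhos"]:
        print(f"BHO {b['clsid']} -> {b['dll']}" + ("  FLAGGED" if b["flagged"] else ""))
```

Export the Run, RunOnce, Browser Helper Objects and HKCR\CLSID keys with regedit and feed the file to `audit()`. Two details worth keeping in mind when reading the output: Windows removes a RunOnce value once it has launched it, so a RunOnce entry that is present at every boot means something re-creates it, and a BHO whose CLSID has no InprocServer32 path is flagged because there is nothing to account for what the browser will load.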
     
  10. JohnHood

    JohnHood Private E-2

    Basad.exe is identified as Vundo trojan.
     
