Thread: wincfg - trojan - close encounter of the wrong kind

  1. #1
    default Guest

    wincfg - trojan - close encounter of the wrong kind

    I acquired this pig from a Usenet site somewhere. I was doing
    housekeeping, trashing old files, found a QuickTime icon and
    double-clicked it - wrong move.

    The firewall caught it trying to phone out on a restricted port - one
    with an alarm setting on it, so I knew about it about two hours after
    double-clicking on it.

    It tries to phone a site in the UK or the Netherlands. The executable
    is a hidden file that starts from the registry. It disables regedit
    and disables msconfig. Even after changing the attributes in the file
    properties it won't allow you to delete the executable. No way to fix
    it . . .

    The file is hidden, masquerades as a screen saver with an .scr
    extension, the registry calls it "winsock2", and it kills the means to
    remove it.

    To cure it I searched on Google and found some 244 hits on the Usenet
    sites and 4 on web sites (none of them from the anti-virus program
    vendors). I downloaded TaskInfo2003. That let me shut down the program
    (Ctrl/Alt/Del didn't show it running). With the program terminated, I
    was able to clear the executable, run regedit and repair the
    registry. (HijackThis may also have fixed the registry - I didn't
    try it.)

    I'm indebted to the folks who solved this problem and posted their
    findings. Ad-Aware and Spybot do not find it. From some of the Usenet
    posts, neither do Norton or McAfee (but Norton is supposed to have a
    program to do it if you are their customer and can download it).


    -----= Posted via Newsfeeds.Com, Uncensored Usenet News =-----
    http://www.newsfeeds.com - The #1 Newsgroup Service in the World!
    -----== Over 100,000 Newsgroups - 19 Different Servers! =-----

  2. #2
    sponge Guest

    Re: wincfg - trojan - close encounter of the wrong kind

    default <R75/5@defaulter.net> wrote in message news:<o5dqpvgoum7bk7pqt7g0qm4h3d2ft64tn3@4ax.com>...
    > I acquired this pig from a Usenet site somewhere. I was doing
    > housekeeping, trashing old files, found a QuickTime icon and
    > double-clicked it - wrong move.
    >
    > The firewall caught it trying to phone out on a restricted port - one
    > with an alarm setting on it, so I knew about it about two hours after
    > double-clicking on it.
    >
    > It tries to phone a site in the UK or the Netherlands. The executable
    > is a hidden file that starts from the registry. It disables regedit
    > and disables msconfig. Even after changing the attributes in the file
    > properties it won't allow you to delete the executable. No way to fix
    > it . . .
    >
    > The file is hidden, masquerades as a screen saver with an .scr
    > extension, the registry calls it "winsock2", and it kills the means to
    > remove it.
    >
    > To cure it I searched on Google and found some 244 hits on the Usenet
    > sites and 4 on web sites (none of them from the anti-virus program
    > vendors). I downloaded TaskInfo2003. That let me shut down the program
    > (Ctrl/Alt/Del didn't show it running). With the program terminated, I
    > was able to clear the executable, run regedit and repair the
    > registry. (HijackThis may also have fixed the registry - I didn't
    > try it.)
    >
    > I'm indebted to the folks who solved this problem and posted their
    > findings. Ad-Aware and Spybot do not find it. From some of the Usenet
    > posts, neither do Norton or McAfee (but Norton is supposed to have a
    > program to do it if you are their customer and can download it).


    Ugh, Norton's is horrible.

    I suggest submitting it to:
    http://vil.nai.com/vil/submit-sample.asp and emailing
    info@kasperskylab.co.uk (without the trojan). You could also email the
    folks at Spybot and Ad-Aware; if they want a sample, they'll ask for
    the executable.

    Sponge
    Sponge's Secure Solutions
    www.geocities.com/yosponge
    My new email: yosponge2 att yahoo dott com

  3. #3
    default Guest

    Re: wincfg - trojan - close encounter of the wrong kind

    On 27 Oct 2003 12:08:16 -0800, yosponge@yahoo.com (sponge) wrote:

    >default <R75/5@defaulter.net> wrote in message news:<o5dqpvgoum7bk7pqt7g0qm4h3d2ft64tn3@4ax.com>...
    >> I acquired this pig from a Usenet site somewhere. I was doing
    >> housekeeping, trashing old files, found a QuickTime icon and
    >> double-clicked it - wrong move.
    >>
    >> The firewall caught it trying to phone out on a restricted port - one
    >> with an alarm setting on it, so I knew about it about two hours after
    >> double-clicking on it.
    >>
    >> It tries to phone a site in the UK or the Netherlands. The executable
    >> is a hidden file that starts from the registry. It disables regedit
    >> and disables msconfig. Even after changing the attributes in the file
    >> properties it won't allow you to delete the executable. No way to fix
    >> it . . .
    >>
    >> The file is hidden, masquerades as a screen saver with an .scr
    >> extension, the registry calls it "winsock2", and it kills the means to
    >> remove it.
    >>
    >> To cure it I searched on Google and found some 244 hits on the Usenet
    >> sites and 4 on web sites (none of them from the anti-virus program
    >> vendors). I downloaded TaskInfo2003. That let me shut down the program
    >> (Ctrl/Alt/Del didn't show it running). With the program terminated, I
    >> was able to clear the executable, run regedit and repair the
    >> registry. (HijackThis may also have fixed the registry - I didn't
    >> try it.)
    >>
    >> I'm indebted to the folks who solved this problem and posted their
    >> findings. Ad-Aware and Spybot do not find it. From some of the Usenet
    >> posts, neither do Norton or McAfee (but Norton is supposed to have a
    >> program to do it if you are their customer and can download it).

    >
    >Ugh, Norton's is horrible.
    >
    >I suggest submitting it to:
    >http://vil.nai.com/vil/submit-sample.asp and emailing
    >info@kasperskylab.co.uk (without the trojan). You could also email the
    >folks at Spybot and Ad-Aware; if they want a sample, they'll ask for
    >the executable.
    >
    >Sponge
    >Sponge's Secure Solutions
    >www.geocities.com/yosponge
    >My new email: yosponge2 att yahoo dott com

    OOPS, good point. Like a dummy I removed every vestige of the damn
    thing. I should have just quarantined it. I can set up a "want"
    filter and catch it when it pops up again.

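    Pulling the thread's two lessons together (the registry autorun, hidden .scr payload and disabled regedit/msconfig described in the first post, and the "should have quarantined it" point in the last reply), here is an added PowerShell triage script. It is not code from the thread, from TaskInfo2003 or from HijackThis. The quarantine folder, the set of Run keys it checks and the `.scr`/hidden-attribute heuristics are the author's assumptions; the first post does not say how the trojan disabled regedit and msconfig, so the script checks the two mechanisms commonly used for that (the `DisableRegistryTools`/`DisableTaskMgr` policy values and an Image File Execution Options `Debugger` hijack) rather than claiming either was the one involved.

```powershell
# Added example, not code from the thread or from TaskInfo2003/HijackThis.
# Audits the behaviours the first post describes (autorun from the registry,
# a hidden .scr payload, regedit/msconfig disabled) and quarantines instead
# of deleting, as the last reply wishes it had done.
# Run from an elevated PowerShell prompt. Assumptions: the quarantine folder
# and the Run keys below are the author's choices; the post does not say
# which lockout technique the trojan used, so both Policies\System values and
# IFEO "Debugger" hijacks are checked.

$QuarantineDir = 'C:\Quarantine'   # assumption: any writable local folder
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Reduce a Run-key value ("C:\x\y.scr" /s  or  C:\x\y.scr) to the file path.
function Get-AutorunTarget([string]$Value) {
    if ($Value -match '^"([^"]+)"') { return $Matches[1] }
    if ($Value -match '^(\S+\.(exe|scr|com|bat|dll))') { return $Matches[1] }
    return $Value.Trim()
}

# Flag autorun entries that match the post: .scr extension or Hidden attribute.
function Get-SuspiciousAutorun {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }       # provider metadata, not a value
            $target  = Get-AutorunTarget ([string]$p.Value)
            $reasons = @()
            if ($target -match '\.scr$') { $reasons += 'screen-saver extension' }
            if (Test-Path -LiteralPath $target) {
                $attr = (Get-Item -LiteralPath $target -Force).Attributes
                if (($attr -band [IO.FileAttributes]::Hidden) -ne 0) { $reasons += 'hidden file' }
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Path = $target; Reasons = ($reasons -join ', ') }
            }
        }
    }
}

# Report the two common ways regedit / Task Manager / msconfig get disabled.
function Get-ToolLockout {
    foreach ($hive in 'HKLM', 'HKCU') {
        $pol = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
        if (-not (Test-Path $pol)) { continue }
        $v = Get-ItemProperty -Path $pol
        foreach ($name in 'DisableRegistryTools', 'DisableTaskMgr') {
            if ($v.$name) { "$pol\$name = $($v.$name)" }
        }
    }
    $ifeo = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($tool in 'regedit.exe', 'msconfig.exe', 'taskmgr.exe') {
        $k = Join-Path $ifeo $tool
        if ((Test-Path $k) -and (Get-ItemProperty -Path $k).Debugger) {
            "$k\Debugger = $((Get-ItemProperty -Path $k).Debugger)"
        }
    }
}

# Stop the process, preserve the sample under its SHA-256, then remove the
# autorun value. Nothing is deleted, so the sample can still be submitted.
function Invoke-Quarantine {
    param([Parameter(Mandatory)][pscustomobject]$Entry)
    New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null
    $procName = [IO.Path]::GetFileNameWithoutExtension($Entry.Path)
    Get-Process -Name $procName -ErrorAction SilentlyContinue | Stop-Process -Force
    $hash = (Get-FileHash -LiteralPath $Entry.Path -Algorithm SHA256).Hash
    $dest = Join-Path $QuarantineDir "$hash.bin"
    (Get-Item -LiteralPath $Entry.Path -Force).Attributes = 'Normal'   # clear Hidden/System
    Move-Item -LiteralPath $Entry.Path -Destination $dest -Force
    Remove-ItemProperty -Path $Entry.Key -Name $Entry.Name
    "$($Entry.Path) -> $dest (sha256 $hash)"
}

'--- tool lockouts ---'
Get-ToolLockout
'--- suspicious autoruns ---'
$hits = @(Get-SuspiciousAutorun)
$hits | Format-Table -AutoSize
# Review the list first, then quarantine each hit:
# $hits | ForEach-Object { Invoke-Quarantine -Entry $_ }
```

    Get-Process enumerates by image name, so it finds a process that the Task Manager view of the day would not show; if a second process re-spawns the first (something the thread does not mention), stop both before moving the file, or the run value will be rewritten. Clearing a `DisableRegistryTools` value found by Get-ToolLockout is a plain `Remove-ItemProperty` on that key once the process is stopped. The file preserved under its hash is what the second post's vendor submission links want; the thread's own mistake was deleting it first.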
