Trojan Horse Virus

Discussion in 'Tech Talk' started by XShrike, Jul 9, 2008.

  1. XShrike
    Guest

    I caught a Trojan Horse Virus from a ZSNES that was apparently from a bad source. McAfee detected it but, was unable to remove the file. I tried AVG and that removed it. Should I change all my passwords? Because there are a lot of them.

    After I removed the virus I changed the "important" passwords. Both emails, Steam, Amazon, XoO, and WAR beta.
     
    Last edited by a moderator: Jul 9, 2008
  2. OrleanKnight
    Guest

    Joined:
    Jun 27, 2008
    Messages:
    112
    Likes Received:
    0
  3. doctorie
    Veteran

    Joined:
    Jun 22, 2008
    Messages:
    4,493
    Likes Received:
    8
    Occupation:
    volunteer worker for alchoholics anon
    Location:
    Wellington, New Zealand
    Thanks to all above....didn't find anything..but good to know.
     
  4. Molotof
    Guest

    Joined:
    Jun 26, 2008
    Messages:
    395
    Likes Received:
    4
    Occupation:
    Sr. Systems Administrator
    Location:
    San Francisco
    do you know the name of the Trojan or the Virus? that would help considerably as to whether you need to be concerned about any personal information leaks.
     
    1 person likes this.
  5. XShrike
    Guest

    C:\WINDOWS\ydpty.pif McAfee calls it a Generic.dx

    I think the was trying to turn my comp into a zombie because McAfee also deleted Local Settings\Temp\server.exe also a Generic.dx

    It wasn't there long and while the scanners were going I disconnected my computer from the net.

    Thanks for the help everyone.
     
    Last edited by a moderator: Jul 9, 2008
  6. Molotof
    Guest

    Joined:
    Jun 26, 2008
    Messages:
    395
    Likes Received:
    4
    Occupation:
    Sr. Systems Administrator
    Location:
    San Francisco
    sorry I don't know ydpty.pif and unfortunately "Generic.dx" is McAfees way of saying "it looks like a Trojan but we don't have a case/name for it yet (also true with unknown *.pif files)"

    Seeing as how it was trying to establish a possible bot out of your machine you best assume that there may be a key logger installed as well. Are you certain that this Trojan you installed did install that server.exe and that is all it installed?

    you may want to check out these tools to see if that is in fact all it installed and who your machine may still be talking to. the problem with bots is that once you run the Trojan it buries it's installers in hidden files and often checks to see that its uncompressed executables (such as the one you found) are still there and if not re-installs them. If you can not confirm that the executed Trojan is completely removed, unfortunately you may need to rebuild your system (worse case scenario).
    but like i said...check out those tools, read your logs and watch your network traffic (TCPView is great for that), File, Process and Registry Traffic (Precess/File Req Mon are good tools). If all looks cool after a couple days then don't stress it and just make certain your virus scan is clean, updated and through. if you keep finding installers that you didn't install after you think you have cleaned the system then prepare to rebuild.

    Trojans, unlike viruses, do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc. So be careful what you run from sources that are less then trustworthy to avoid this in the future.
     
  7. XShrike
    Guest

    Is there anything particular I should be looking for? This is the first time I have used these programs. The Process Monitor and the File Monitor, I have been telling it to exclude programs that I know what they do and are just filling up the sheets with their functions. Programs like McAfee, AVG, Spybot's Teatime, and Firefox.

    I have also been through and googling the various .exe and process. As I find out what they do I have been excluding them from the lists. The only ones left in the Process Monitor are explorer.exe, services.exe, rundll32.exe, and MDM.exe. In the File Monitor all that is left is explorer.exe. They are left because the sites I am getting this information from says that they have potential to be exploited by Trojans.
     
    Last edited by a moderator: Jul 9, 2008
  8. Molotof
    Guest

    Joined:
    Jun 26, 2008
    Messages:
    395
    Likes Received:
    4
    Occupation:
    Sr. Systems Administrator
    Location:
    San Francisco
    unfortunately these programs takes some getting used to as have to first learn what is normal computer communications and what is not.

    TCPView: the best one to start with and watch what IPs your box is chatting to. If it never babbles to anything other than what you expect it to then I wouldn’t worry too much. you can sort by remote address or process (run your computer with no other programs running to minimize these lists) and see if there are processes or IPs you do not know. From there you can Google the processes and see if they are legit and use programs like Sam Spade by Blighty Design to see who owns what IPs. It will take some getting used to but after some time you will start to recognize what is OK and what looks suspicious. If you don't see any suspicious communications over the period of perhaps an hour then you could stop here and assume all is cool. if you do see a process that is communicating suspiciously and you can’t account for it then move on to the next step...

    Process Monitor: Same thing...kill all unnecessary programs to make the list easier to view. Look up processes you don't know and filter out ones that are confirmed legit (this will take some time).
    If you found a process via TCPView that looked suspicious then you can have the filter only show that questionable process and see what it is doing. Through this program you can see the Registry and File paths the process accesses. This will help you track down hidden installations. BE EXTREMELY CAREFUL & FULLY RESEARCH A SUSPECTED PROCESS, REG AND FILE PATH BEFORE YOU DELETE ANYTHING. With all these tools move slowly and research your questions and findings as you may accidentally be looking at a legitimate system process/file with suspicion.

    File Monitor: This program is very similar to Process Monitor and Registry Monitor, in that it tells you what processes are doing with what files and can further help you investigate suspicious files.
    With these four programs, some work and online research you should be able to track down just about any virus, Trojan or active hack and clean it out.
     
    Last edited: Jul 9, 2008
  9. XShrike
    Guest

    Again thank you tremendously for all the help.

    About the only process in TCPView that I can't figure out what it is are 5 System: 4.
     
  10. Molotof
    Guest

    Joined:
    Jun 26, 2008
    Messages:
    395
    Likes Received:
    4
    Occupation:
    Sr. Systems Administrator
    Location:
    San Francisco
    System is your System process. It's commonly process ID 4. It deals internal processes and file/print sharing which is why those ports are listening. In most cases perfectly normal.

    If you aren't seeing anything weird after an hour or so...I would say you're cool and not stress to much about your 'puter. Changing your passes are always a good idea, but I seriously doubt they were in trouble. My guess is you had an extremely unsophisticated Trojan that tried to establish a file or ftp server on your box (most likely for warez), of which your McAfee caught early on. If that was the case these Trojans rarely care about your personal information, but are more so interested in your bandwith and hard drive. hard to tell without seeing it first hand :)
     
  11. XShrike
    Guest

    Thanks again, I have been watching it for some time and nothing out of the ordinary. Except for [System Process]:0 but, what I found is that is just the system idling. The state is TIME_WAIT. I could link you the file. It is in a .rar folder and the virus only seemed to activate when you execute the ZSNES. I am going to ask first because I don't want to some how cause problems.
     
  12. EF2
    Veteran

    Joined:
    Jun 22, 2008
    Messages:
    1,307
    Likes Received:
    5
    Occupation:
    Media Photographer
    Location:
    Pittsburgh
    That's exactly what the Trojans did, and look where it led them.

    Oh, and if you want zsnes that bad, why don't you go straight to the source?

    http://www.zsnes.com/
     
  13. Molotof
    Guest

    Joined:
    Jun 26, 2008
    Messages:
    395
    Likes Received:
    4
    Occupation:
    Sr. Systems Administrator
    Location:
    San Francisco
    oooohhh the forums first double entendre?
    grats EF2 for raising the bar with ancient history and modern technology. hard to do.
     
  14. XShrike
    Guest

    The one that was infected I got off or rapidshare that came with 55 ROMs. The ROMs with it was why I went with it instead of getting it directly from that site.
     
  15. Yizelin
    Veteran

    Joined:
    Jun 22, 2008
    Messages:
    1,364
    Likes Received:
    9
    only 55? snes roms (sega genesis too) come in 500+ packs and without trojans.
     
  16. XShrike
    Guest

    Most of the 55 were games I was going to hunt down anyway. I know there are lot of games but, most of them aren't worth playing.
     
  17. SamHamwich
    Veteran

    Joined:
    Jun 24, 2008
    Messages:
    1,637
    Likes Received:
    0
    Location:
    Halifax, NS
    all snes games are worth playing
     
  18. EF2
    Veteran

    Joined:
    Jun 22, 2008
    Messages:
    1,307
    Likes Received:
    5
    Occupation:
    Media Photographer
    Location:
    Pittsburgh
    You haven't tried Alien vs Predator yet, have you?
     
  19. Seth_Almighty
    Veteran

    Joined:
    Jun 22, 2008
    Messages:
    107
    Likes Received:
    0
    Occupation:
    Working Man
    Location:
    Atlanta
    On computer (I don't know if it is on any other platforms), AVP2 is THE shit. I never played AVP though, so maybe it isn't as good.
     
  20. EF2
    Veteran

    Joined:
    Jun 22, 2008
    Messages:
    1,307
    Likes Received:
    5
    Occupation:
    Media Photographer
    Location:
    Pittsburgh
    Alien vs Predator is the worst game I've had the misfortune to buy. Wasn't sure what I was thinking...it also ranks up there with Super Play Action Football...

    AvP on the PC is pretty cool, but I could never play through the alien part in #2. I love the arcade version by Capcom the best though (side-scrolling beat em up as Predators or space marines!).
     

Share This Page