Help Needed Unknown Virus

[oziweb]

I am running a w2003 SP1 system. I use Windows Defender and Malwarebytes to check for virus etc.

The system is setup as an application server, terminal server and file server

I have what appears to be a virus -

it creates files such as w19d4d928.exe in the following directories ( it chooses the directory on a random basis it appears.)
C:\WINDOWS\Temp
C:\Documents and Settings\Administrator\Local Settings\Temp

The virus appears to create an 8Kb file which appears to run and create another file in the same file name type as above but with 12K or 64K

The internet access will slow right down when these files are created

If I delete the file ie go into process explorer and kill the file then delete it from the directory it will again reappear after some time but may appear in another directory.

Its appearence appears random ie I cannot link any running program to its appearance.

If I let the thing run then it will over time create more of these exe files

There are no pop ups etc and windows defender has no problem with these exe's

I dump the strings in these exe files to see if there is any tag but can't find any - search the web but can't find any reference - the antivirus programs do not see these exe's as virus

At present I simply suspend the exe's when they load.

This is driving me around the bend
does any one out there have experience with similar incidents.

The most visual thing about this 'virus' is
it creates 9 character exe file that always starts with W

John

 

[raybay]

It appears you have done your homework. The problem you posted is atypical. This strange error seems like a programming errror, defect, or software damage of software installed, rather than a virus... although virus or spyware might want to do that, I suppose?
Any reason why you have not installed W2003 Service Pack 2?
Is this set up as a server? How many other computers are on it? Do any of these other computers develop the same 9 character file starting with W?
What you report is very much like program language for Fopen specifications where the W is there to prevent a re-write of specific code as in ftopen and fdopen writes? It is possible that some software installed on your computer is corrupted or damaged?
I iwould also run some basic tests of hard drive fitness test, memtest86, defrags and such.
Please give us a list of these W errors as they come up.
Do you have the original software if you need to reinstall? You might want to reinstall in repair mode.

 

[raybay]

Humor me a little here. Go to www.majorgeeks.com and download the free RegCleaner, the one by Juoni Viourno. It is a very simple and provides a good registry inventory.
I don't know if it will run on Windows 2003, but It should.
Install and run the program and see if you find any listings beginning with W that correspond to your problem, as you have described it..
This will tell if it is an installed program or infestation.
If found, you have the choice to remove it to the backup file. Then if something doesn't work properly, it can be easily reinstalled.

 

[oziweb]

It appears you have done your homework. The problem you posted is atypical.

The main reason for not installing sp2 at the moment is that access to internet is on dial up and Telstra has restricted the line to 28 baud due to damage on the line - so the download time is a bit too long.

The system is used as a test bed basically setup as per hosting server so that I can mirror my clients sites for developemnt etc - I do have a vista laptop used basically as a thin client via wireless so I can work on the system when I am not in the office. So basically only at most two clients on the system at any one time.

If I just link the lap top via wireless and use as a normal network attach then the w files are not created on the laptop.

I setup a second w2003 on another patition on the server to get over the problem and the only thing I copied over from the first was the outlook 2003 data files - both op's show the same problem - so stopped using outlook and used outlook express - still the same problem

Development on the system is VB.NET using net1 and net 2.

I did some time ago attach a client lap top via wireless to copy some files across to her lap top and I have a feeling that is when the problem started but cannot be sure - checked her system and it comes up clean.

Defrag etc is done on a regular basis - Using Visual studio 2003/2005 so will remove them and reinstall but I really don't think it is them.

It appears that the first w*.exe file which is always 8kb creates the second w*.exe file which can be 12kb or larger once the second runs then the first stops and can be deleted -

It does not matter what browser I use IE,Opera or Firefox The thing is related to being on the web -

The thing does not show any visual signs except that the access to the web is slowed down while these exe's run

I will setup a third w2003 and use it clean on the web to see if the thing runs on it - then introduce outlook and test again and continue down the line till I find the cause.

John

 

[oziweb]

Humor me a little here. .

will do that.
I have just checked the current w*.exe file running and it appears to be trying to access the ip address sls=eb9p9.dca.superb.net:3822

suburb.net is a web site hosting site. It appears to be using ort 4028 on my system.

If I resume it then it appears to link to client.hopone.net:smpt
thus it is sending mail
hopone.net is again a company that provides services to isp's

So I might have a talk with supurb.net to see if I can track down the source of this.


I installed process explorer and it does give a lot of info on what is running

 

[oziweb]

fixed

I used a snooper and allowed the virus to run - it linked to mail servers some it got into and sent emails some it did not however when it could get into a mail server it had a talk with a russian site - in a very short time it had access to mail servers just about every where.

It is the tanatos virus - had several variants on the server and the lap top. AVG 8 server version with the latest update actually found it - on the lap top some 600 instances of it and on the server over a 1000

It only attaches to exe files and can infect across network shares - it also seems to infect about every antivirus except agv8 - with malwarebytes it simply infects it and as you scan it infects other exe files.

Disinfected the laptop then setup a new w2003 on drive e then did another scan with avg8 across the whole netowrk. So far seems to have worked

This virus is a real nasty little beast - on a standard home computer just format it and start fresh -

Main method it uses to infect is via html emails those with iframe tag - as soon as you view them its up and running ( turn your reader panel off in outlook). I got mine from a clients laptop via wireless.