My ZoneAlarm flashed a warning about a program (blank name) trying to access the internet when I ran a "keygen" program. Yes, I know these are known to be nasty, but I scanned it with a virus scanner before running it and it came up clean.
Now, I've run the 8 steps (I think I got them all), but nothing obvious came up. There were a few "trojan" pointers, but nothing that indicated a specific virus that is still resident.
What the virus does is this: When the program (keygen.exe - 160k) runs, it creates a smaller copy of keygen.exe (92k) in my local "temp" folder (%temp%). It then creates a specifically named .html file in the "%temp%" folder, which gets deleted right away if the network is off. However, if I keep the program locked up with ZoneAlarm, I can copy the .html file and see all my browser (both IE and Firefox) login accounts and passwords, including ebay, paypal, etc...
Running the smaller version of "keygen.exe" in the %temp% folder does NOT create any .html file or FTP traffic, yet it comes up with the same screens as the 160k version. Looks like the virus attached itself to the original 92k file.
Now, I captured the packets using Ethereal, and got the FTP login information from the virus. It logs into www-dot-0catch-dot-com with a specific user id and password. I logged into that account and was saddened to see dozens of captured files, all from different people (not my file though). All .html files have a machine name and timestamp as part of the filename. Some machines even had 2 or 3 copies of the same file, indicating the "virus" program runs as a one-shot deal, and was run a few times. (I did email 0catch support about this user.)
So, I'm trying to figure out what variant of a virus this is, since virus scans seem to miss it. I've seen viruses before that were so new that McAfee, Trend, and Symantec did not even detect them till 3 days later. Maybe this is another one of those?
What generic virus is out there that scans browser files for accounts and passwords, then FTPs it to a server? It looks like it may not stay resident, hence the log files may not show much.
The 3 log files look relatively clean now. The virus still activates when I run the keygen.exe file, so it does not seem to be driven by registry entries or startup areas. It does seem to be an "only when program is run" type of virus. To be safe, I've blocked the entire 0catch-dot-com IP range in my firewall, but that's only safe for this variant that uses this specific FTP server. Any new version that uses another FTP server may still pass, unless I create some content filtering rule in my firewall (I'm seriously looking into it).
Now, as a final test, I created a clean version of XPSP2 under VMware, and loaded Ethereal and the "keygen.exe" file. Nothing else. What happens is nothing: no network queries for 0catch, no .html files created (but it did create the smaller 92k copy of "%temp%\keygen.exe"). It may be because the IE browser files are empty (I suspect), hence it has nothing to report.
Anyway, a heads up that there is this thing out there - make sure your firewall traps new outgoing programs, else you can be a victim to this type of virus/hack. If anyone has an idea of what variant this is, let me know.
Thanks
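The behaviour chain described in the post (a program dropping a copy of itself into %temp%, staging an .html report there, then opening an outbound FTP control connection) can be turned into a host-side correlation rule. The following is an added example, not code from the original post: it runs over constructed, pipe-delimited endpoint events (the format, paths, PIDs and the 203.0.113.x addresses are all made up for illustration) and flags any process that both stages files in a Temp directory and connects to port 21.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample endpoint events (not from the original post):
# timestamp|event|pid|image path|detail (created path, or dest ip:port)
SAMPLE_EVENTS = r"""
10:00:01|process_start|412|C:\Downloads\keygen.exe|
10:00:02|file_create|412|C:\Downloads\keygen.exe|C:\Users\u\AppData\Local\Temp\keygen.exe
10:00:03|file_create|412|C:\Downloads\keygen.exe|C:\Users\u\AppData\Local\Temp\DESKTOP1-20050412-100003.html
10:00:04|net_connect|412|C:\Downloads\keygen.exe|203.0.113.7:21
10:00:10|process_start|520|C:\Windows\notepad.exe|
10:00:11|file_create|520|C:\Windows\notepad.exe|C:\Users\u\AppData\Local\Temp\notes.txt
10:00:12|net_connect|520|C:\Windows\notepad.exe|203.0.113.9:443
"""

TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)  # any ...\Temp\... path
FTP_PORTS = {21}                                    # FTP control channel

def parse_events(text):
    """Split the pipe-delimited log into dicts, skipping blank lines."""
    events = []
    for line in text.strip().splitlines():
        ts, event, pid, image, detail = line.split("|", 4)
        events.append({"ts": ts, "event": event, "pid": int(pid),
                       "image": image, "detail": detail})
    return events

def find_exfil_chains(text):
    """One finding per process that stages files in %temp% AND opens FTP."""
    fresh = lambda: {"image": None, "self_copy": None, "html": None, "ftp": None}
    per_pid = defaultdict(fresh)
    for ev in parse_events(text):
        s = per_pid[ev["pid"]]
        s["image"] = ev["image"]
        if ev["event"] == "file_create" and TEMP_DIR.search(ev["detail"]):
            own_name = ntpath.basename(ev["image"]).lower()
            if ntpath.basename(ev["detail"]).lower() == own_name:
                s["self_copy"] = ev["detail"]      # copy of itself dropped in %temp%
            elif ev["detail"].lower().endswith(".html"):
                s["html"] = ev["detail"]           # staged report file in %temp%
        elif ev["event"] == "net_connect":
            host, port = ev["detail"].rsplit(":", 1)
            if int(port) in FTP_PORTS:
                s["ftp"] = host                    # outbound FTP seen from this pid
    return [{"pid": pid, "image": s["image"], "self_copy": s["self_copy"],
             "html": s["html"], "ftp_host": s["ftp"]}
            for pid, s in per_pid.items() if s["ftp"] and (s["self_copy"] or s["html"])]

if __name__ == "__main__":
    for finding in find_exfil_chains(SAMPLE_EVENTS):
        print(finding)
```

Blocking one FTP server's address range, as the post does, only covers this variant; keying the rule on the staging-plus-FTP pattern rather than on the destination catches the same behaviour regardless of which server a new build uploads to.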