
#93446 10/08/04 01:08 AM
Aeris (OP, Nutrimatic drinks dispenser), Joined: Aug 2004, Posts: 8
AVP reports the virus TrojanDownloader.Win32.Small.na in data0002

L (Hoopy frood), Joined: Dec 2002, Posts: 1,541
Did you get it from one of the links on the download page, or with a script that included the mirc.exe file? If so, which link did you get it from?


Those who fail history are doomed to repeat it
Aeris (OP, Nutrimatic drinks dispenser), Joined: Aug 2004, Posts: 8
I got it on mirc.com from the CA link. After I ran the exe I found a process LSAS32.EXE in the Windows folder and in the start-up list in msconfig, although AVP didn't recognise this file as a virus.

Aeris (OP, Nutrimatic drinks dispenser), Joined: Aug 2004, Posts: 8
Found this in lsas32.exe with a hex editor:

e:\bobo\projects\trapp\Release\trapp.pdb

No info about it on Google, maybe a variant of the virus?

Aeris (OP, Nutrimatic drinks dispenser), Joined: Aug 2004, Posts: 8
Used this link for download

http://mirc.xeol.net/mirc616.exe

(california)

D (Fjord artisan), Joined: Jun 2003, Posts: 384
I can verify that since running the mirc installer from the california mirror, there is a lsas32 process running and indeed, a startup entry is in msconfig for it. I cannot, however, confirm if this is actually the result of running this version of the mIRC installer.

Norton doesn't find anything unusual with lsas32.exe. I have noticed, however, that the exe does not contain any version information, unlike most other Microsoft-created executables.

Aeris (OP, Nutrimatic drinks dispenser), Joined: Aug 2004, Posts: 8
I tried another link (Australia) and it had no virus. So I tried downloading the CA one again just to recheck, and AVP found the virus again.

D (Fjord artisan), Joined: Jun 2003, Posts: 384
I did some more testing, and launched the 'infected' installer with Task Manager running and sure enough, lsas32.exe appeared in the process table.

Dubious.

Fortunately, you are able to kill the process with no repercussions. I tried to find the startup registry entry for the program that is listed in msconfig, but it's not there. This does not bode well.

S (Hoopy frood), Joined: Dec 2002, Posts: 2,962
Confirmed that the California link is suspect.

Quick cross-check:
Georgia:
CRC: 2AFD6A5E
MD5: 875a57102ad6bec1ed9bb6861b016c74

California:
CRC: 233A03B1
MD5: 518c3d2e9cd5a04f18662414db7f6d1c

Illinois (1)
CRC: 2AFD6A5E
MD5: 875a57102ad6bec1ed9bb6861b016c74

Illinois (2)
CRC: 2AFD6A5E
MD5: 875a57102ad6bec1ed9bb6861b016c74

Edit:
All the other links I could get through to had the correct file.

Other mirror issues:
I couldn't resolve http://mirc.purehostings.net (4th Singapore link).

The following links didn't work:
http://mirc.globalwiz.com.sg/mirc616.exe (5th Singapore link)
http://mirror.pacific.net.au/mirc/mirc616.exe (2nd Australia link)
http://www.mirc-help.de/mirc/mirc616.exe (3rd Germany link)

Also http://mirc.vodien.com (1st Singapore link) redirected to an intermediary (mostly IRC related) page.


Spelling mistakes, grammatical errors, and stupid comments are intentional.
LostServ (Fjord artisan), Joined: Mar 2004, Posts: 359
Will this do any harm, or nothing bad? Though I don't have the lsass32.exe running, I would like to inform people if this is harmful.

TonyTheTiger (Vogon poet), Joined: Feb 2004, Posts: 124
This was posted yesterday and the California download link is still there .. I wonder how many have downloaded from that link in the last 12 hours. Crazy.

Anyway this is what I got when I scanned it using AVP ..
c:\temp\mirc616.exe/data0002 infected: TrojanDownloader.Win32.Small.na
c:\temp\mirc616.exe/data0004/data0001.bin corrupted.
c:\temp\mirc616.exe/data0004 mIRC: unknown format.
c:\temp\mirc616.exe/data0004 corrupted.
c:\temp\mirc616.exe corrupted.

LostServ (Fjord artisan), Joined: Mar 2004, Posts: 359
Well, I'm going to inform people about this just to be on the safe side of things, and so I can give a reference of an antivirus to use, what does AVP stand for?

Edit: or maybe this could be a fault on AVP's side?

Last edited by LostServ; 10/08/04 03:58 PM.
TonyTheTiger (Vogon poet), Joined: Feb 2004, Posts: 124
Antiviral Toolkit Pro

Edit: I highly doubt it's an AVP false .. even if it were AVP, if it scanned one as dirty shouldn't it scan them all as dirty since they are all supposed to be exactly the same files? I scanned several and California was the only dirty one, although Housecall & PCPitstop just scanned it as clean.

Last edited by TonyTheTiger; 10/08/04 04:11 PM.
LostServ (Fjord artisan), Joined: Mar 2004, Posts: 359
Thanks

S (Hoopy frood), Joined: Dec 2002, Posts: 2,962
Could someone just tell me for definite the precise name of the process and where it's located? The problem is that there are about 2 dozen viruses that use lsass.exe and variants of that name, and just a single legitimate Windows process that uses it too. Pay special attention to the filenames and the number of s'es being used.

LSAS.EXE & LSAS32.EXE
I'm reasonably certain that lsas.exe and lsas32.exe are both viruses.

LSASS.EXE
Apparently there are also several viruses which use a process called lsass.exe located in your root Windows directory (i.e. C:\windows or c:\winnt) and possibly some other directories also. However, be careful because there's a legitimate Windows process which is located in the System directory (i.e. c:\windows\system32 or c:\winnt\system32) called lsass.exe. I'm not sure what versions of Windows it's used on; it's definitely on WinXP Home, I can't find a trace of it on Win98SE, I'd guess it's only used on NT/XP/2000 and later.

LSASS32.EXE
There are several viruses using lsass32.exe.

LSASSS.EXE
There's at least one variant of the Sasser worm that uses a process by this name.

I can't tell you for sure what to do about any processes that using that installer might run. All I can say is that you certainly shouldn't use that mirror to download. The fact that the installer is different but still works correctly strongly suggests that it's caused by intentional tampering and is most likely malicious in intent (virus, spyware, adware, etc.).


Spelling mistakes, grammatical errors, and stupid comments are intentional.
Mentality (Hoopy frood), Joined: Jun 2003, Posts: 5,024
AVG detects this as Downloader.Small.8.AK in a file C:\WINDOWS\mssli32.exe on Windows XP Home.

This has happened before with a Swedish and a Singaporean mirror; they were removed swiftly. This mirror will most likely be removed (although I can give no official word) as soon as Krejt or Khaled sees this post (or the email I've sent).

Regards,


Mentality/Chris
Aeris (OP, Nutrimatic drinks dispenser), Joined: Aug 2004, Posts: 8
I found mssli32.exe as well and removed it, well, AVP did. To check a process's validity if you are unsure on your own, try this program:

Process Explorer (free)

from www.sysinternals.com

then double click the process and check the box "command line". It also has detailed information about all the threads from the process, even stack info for every thread, and services in use by it. Make sure you get a firewall on as well so you can check with the PIDs etc.

D (Fjord artisan), Joined: Jun 2003, Posts: 384
lsas32.exe is the name of the apparent virus and it resides in C:\Windows (in XP, anyway).

Aeris (OP, Nutrimatic drinks dispenser), Joined: Aug 2004, Posts: 8
Quote:
This was posted yesterday and the California download link is still there .. I wonder how many have downloaded from that link in the last 12 hours. Crazy.

Wasn't 6.16 released like a month ago?

A (Babel fish), Joined: May 2003, Posts: 79
Norton Anti-Virus can't find any virus, but I agree there's one, as I also got the lsas32.exe running, which file was created on August 8th, and the mirc.exe packager didn't have any info when we checked the properties.

I think mIRC should be on its own servers, and not hosted by some other people who offer to. It costs money I know... but at least it will be safe to download so people won't "fear" to get the last version released.

C (Hoopy frood), Joined: Dec 2002, Posts: 788
A good idea in principle, but unlikely, since each mirror would be required to be hosted on a completely different server to be "reliable" should one go down; this would also be required since there are some people who can't access specific websites from their geographical location.

An interesting idea that would prove somewhat reliable would be to produce (a few lines of coding) a very basic "redirection PHP page" that, before it redirects you to one of the requested mirrors, remotely checks the .exe's MD5, whatnot, against the one hosted on the mIRC server to see if it matches.

Eamonn.

Aeris (OP, Nutrimatic drinks dispenser), Joined: Aug 2004, Posts: 8
After today's AVP update it detects lsas32 as Trojan.Win32.Zapchast.

AVP has proven to be much more reliable than Norton for me many times.

S (Hoopy frood), Joined: Dec 2002, Posts: 2,962
To check the mirror's MD5 would require downloading the entire program, since merely having some kind of MD5 query would mean that it could easily be faked. I don't think mirrors would appreciate their traffic being doubled, nor would mIRC's hosters whose traffic would go up by about 30x. A simple solution would be just to verify them once per day or something like that. At least then we wouldn't be in the position we are now where this thread has been up for around 36 hours and the mirror is still up. Who knows how many people have been infected in that time?


Spelling mistakes, grammatical errors, and stupid comments are intentional.
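The once-a-day mirror check discussed in the two posts above, which also automates the manual CRC/MD5 cross-check posted earlier in the thread, as an added example (not code from the thread, from mIRC or from any of the posters). It fetches the whole file from each mirror, as the reply above argues a hash query could be faked; the installer bytes, the fetch stub and every hostname other than the California link are constructed so it runs offline.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Optional

# Constructed stand-ins for installer bodies (not the real mirc616.exe); the
# tampered one is padded to the genuine length, as quack observed the sizes matched.
GENUINE = b"MZ" + b"mIRC 6.16 installer (constructed)".ljust(62, b"\0")
TAMPERED = GENUINE[:42] + b"extra dropper payload".ljust(22, b"\0")

# Constructed mirror table: URL -> bytes served (None = fetch failed). Only the
# California URL is from the thread; the other hostnames are placeholders.
MIRRORS = {
    "http://mirror.georgia.example/mirc616.exe": GENUINE,
    "http://mirc.xeol.net/mirc616.exe": TAMPERED,
    "http://mirror.illinois1.example/mirc616.exe": GENUINE,
    "http://mirc.purehostings.net/mirc616.exe": None,
}

fake_fetch = MIRRORS.get  # offline fetcher over the constructed table

def http_fetch(url: str, timeout: float = 60.0) -> Optional[bytes]:
    # Real fetcher for a daily run. It pulls the whole file: asking a mirror
    # for its own hash would let a tampered mirror simply report the right one.
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read()
    except OSError:  # urllib's URLError is a subclass of OSError
        return None

def digests(data: bytes) -> Dict[str, str]:
    # MD5 is what the thread compared; SHA-256 added since MD5 collisions are practical.
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def check_mirrors(reference: bytes, urls,
                  fetch: Callable[[str], Optional[bytes]]) -> Dict[str, str]:
    # Classify each mirror's copy against the reference installer's digests.
    want = digests(reference)
    report: Dict[str, str] = {}
    for url in urls:
        body = fetch(url)
        if body is None:
            report[url] = "unreachable"
        elif digests(body) == want:
            report[url] = "ok"
        elif len(body) == len(reference):
            report[url] = "mismatch (same size)"  # a size check alone misses it
        else:
            report[url] = "mismatch"
    return report
```

For a real run, pass the genuine installer bytes and the mirror list with `http_fetch` instead of `fake_fetch`, and pull any mirror reported as a mismatch.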
C (Hoopy frood), Joined: Dec 2002, Posts: 788
Good point I suppose, hadn't really thought of it from the bandwidth suppliers' point of view.

Eamonn.

quack (Self-satisfied door), Joined: May 2004, Posts: 4
I ran a few tests today to see what exactly happened once you downloaded the file from the CA mirror.

If you do a properties on the mirc616.exe from the CA mirror, there is no version information but if you compare the filesize to one of the real mirc616.exe files from another mirror they are exactly the same. Interesting I thought, how did they manage that?

Once you run it, it extracts the lsas32.exe file to C:\Windows and also the real mirc616.exe (which has the version information where it should be), which it then runs so you'd think nothing was wrong.

You have to stop the lsas32.exe process, delete the file and then remove the entry from your Run key in the registry.

---

Adding some instructions to the download page, including a link to a freeware MD5 program plus the hash of the installation file to compare against, might be a good idea, at least from an IT professional's view - I do realise most newbies and other computer users would probably not understand what it meant or just ignore it entirely.

Last edited by quack; 11/08/04 01:32 PM.
TonyTheTiger (Vogon poet), Joined: Feb 2004, Posts: 124
Quote:
AVP has proven to be much more reliable than Norton for me many times.

Same here .. same also goes for McAfee

Mentality (Hoopy frood), Joined: Jun 2003, Posts: 5,024
This mirror has been removed.

Regards,


Mentality/Chris
D (Mostly harmless), Joined: Aug 2004, Posts: 1
OK great, but just a suggestion: XP SP2 has DEP enabled

[Data Execution Prevention]

This actually confirms whether the user wishes to run the program first; however mirc.exec does not use this.

"Publisher unknown" shows up because the exec doesn't have a valid digital signature that verifies its publisher.

This problem would have been spared to us if that process had been used to spread the program.

However, fortunately problems like this never affect me (much lol) because I have a habit of always running Task Manager at first boot up and use Startup Control Panel by Mike Lin to check what's going to start up next boot up.

BTW you can get that program Here

also from him to alert you when something is set to run at Startup
