Nutrimatic drinks dispenser (OP) | Joined: Aug 2004 | Posts: 8
AVP reports the virus TrojanDownloader.Win32.Small.na in data0002

Hoopy frood | Joined: Dec 2002 | Posts: 1,541
Did you get it from one of the links from the download page or with a script that included the mirc.exe file? If so, which link did you get it from?
Those who fail history are doomed to repeat it

Nutrimatic drinks dispenser (OP) | Joined: Aug 2004 | Posts: 8
I got it from mirc.com via the CA link. After I ran the exe I found a process LSAS32.EXE in the Windows folder and in the start-up list in msconfig, although AVP didn't recognise this file as a virus.

Nutrimatic drinks dispenser (OP) | Joined: Aug 2004 | Posts: 8
Found this in lsas32.exe with a hex editor:
e:\bobo\projects\trapp\Release\trapp.pdb
No info about it in Google, maybe a variant of the virus?

Nutrimatic drinks dispenser (OP) | Joined: Aug 2004 | Posts: 8
Used this link for download: http://mirc.xeol.net/mirc616.exe (California)

Fjord artisan | Joined: Jun 2003 | Posts: 384
I can verify that since running the mirc installer from the california mirror, there is a lsas32 process running and indeed, a startup entry is in msconfig for it. I cannot, however, confirm if this is actually the result of running this version of the mIRC installer.
Norton doesn't find anything unusual with lsas32.exe. I have noticed, however, that the exe does not contain any version information, unlike most other Microsoft-created executables.

Nutrimatic drinks dispenser (OP) | Joined: Aug 2004 | Posts: 8
I tried another link (australia) and it had no virus. So I tried downloading the CA one again just to recheck and avp found the virus again.

Fjord artisan | Joined: Jun 2003 | Posts: 384
I did some more testing, and launched the 'infected' installer with taskmanager running and sure enough, lsas32.exe appeared in the process table.
Dubious.
Fortunately, you are able to kill the process with no repercussions. I tried to find the startup registry entry for the program that is listed in msconfig, but it's not there. This does not bode well.

Hoopy frood | Joined: Dec 2002 | Posts: 2,962
Confirmed that the California link is suspect. Quick cross-check:
Georgia: CRC: 2AFD6A5E MD5: 875a57102ad6bec1ed9bb6861b016c74
California: CRC: 233A03B1 MD5: 518c3d2e9cd5a04f18662414db7f6d1c
Illinois (1): CRC: 2AFD6A5E MD5: 875a57102ad6bec1ed9bb6861b016c74
Illinois (2): CRC: 2AFD6A5E MD5: 875a57102ad6bec1ed9bb6861b016c74
Edit: All the other links I could get through to had the correct file.
Other mirror issues: I couldn't resolve http://mirc.purehostings.net (4th Singapore link). The following links didn't work:
http://mirc.globalwiz.com.sg/mirc616.exe (5th Singapore link)
http://mirror.pacific.net.au/mirc/mirc616.exe (2nd Australia link)
http://www.mirc-help.de/mirc/mirc616.exe (3rd Germany link)
Also http://mirc.vodien.com (1st Singapore link) redirected to an intermediary (mostly IRC related) page.
Spelling mistakes, grammatical errors, and stupid comments are intentional.
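As an added example (not code from this thread or from mIRC), the cross-check above turned into a script: it fingerprints each mirror's copy with CRC32 and MD5 and flags the odd one out, either against a known-good hash or, when none is published, by majority across mirrors. The installer bytes are constructed stand-ins; the tampered copy is given the same length as the genuine one to show that size alone proves nothing.

```python
import hashlib
import zlib
from collections import Counter
from typing import Dict, Optional


def fingerprint(data: bytes) -> Dict[str, object]:
    """Size, CRC32 and MD5 of one downloaded installer image."""
    return {
        "size": len(data),
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08X}",
        "md5": hashlib.md5(data).hexdigest(),
    }


def cross_check(mirrors: Dict[str, bytes],
                reference_md5: Optional[str] = None) -> Dict[str, str]:
    """Return a verdict per mirror.

    With a known-good hash (what the download page would publish) any
    deviation is a MISMATCH.  Without one, the hash shared by most mirrors
    is taken as the baseline and the odd one out is SUSPECT, which is the
    Georgia/Illinois versus California pattern in the thread.
    """
    prints = {name: fingerprint(data) for name, data in mirrors.items()}
    if reference_md5 is None:
        majority = Counter(p["md5"] for p in prints.values()).most_common(1)
        reference_md5, label = majority[0][0], "SUSPECT"
    else:
        reference_md5, label = reference_md5.lower(), "MISMATCH"
    return {name: ("OK" if p["md5"] == reference_md5 else label)
            for name, p in prints.items()}


# Constructed stand-ins, not the real mirc616.exe.  The tampered copy is
# deliberately the same length as the genuine one.
GENUINE = b"MZ" + b"\x00" * 6 + b"mirc616 installer stub" + b"\x00" * 40
TAMPERED = b"MZ" + b"\x00" * 6 + b"dropper lsas32.exe stub" + b"\x00" * 39
MIRRORS = {
    "Georgia": GENUINE,
    "California": TAMPERED,
    "Illinois (1)": GENUINE,
    "Illinois (2)": GENUINE,
}

if __name__ == "__main__":
    for name, verdict in cross_check(MIRRORS).items():
        fp = fingerprint(MIRRORS[name])
        print(f"{name:13} size={fp['size']} CRC={fp['crc32']} "
              f"MD5={fp['md5']} -> {verdict}")
```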

Fjord artisan | Joined: Mar 2004 | Posts: 359
Will this do any harm, or nothing bad? Though I don't have the lsass32.exe running, I would like to inform people if this is harmful.

Vogon poet | Joined: Feb 2004 | Posts: 124
This was posted yesterday and the California download link is still there .. I wonder how many have downloaded from that link in the last 12 hours. Crazy.
Anyway this is what I got when I scanned it using AVP:
c:\temp\mirc616.exe/data0002 infected: TrojanDownloader.Win32.Small.na
c:\temp\mirc616.exe/data0004/data0001.bin corrupted.
c:\temp\mirc616.exe/data0004 mIRC: unknown format.
c:\temp\mirc616.exe/data0004 corrupted.
c:\temp\mirc616.exe corrupted.

Fjord artisan | Joined: Mar 2004 | Posts: 359
Well, I'm going to inform people about this just to be on the safe side of things, and so I can give a reference for an antivirus to use. What does AVP stand for?
Edit: or maybe this could be a fault on AVP's side?
Last edited by LostServ; 10/08/04 03:58 PM.

Vogon poet | Joined: Feb 2004 | Posts: 124
Antiviral Toolkit Pro
Edit: I highly doubt it's an AVP false positive .. even if it were AVP, if it scanned one as dirty shouldn't it scan them all as dirty, since they are all supposed to be exactly the same files? I scanned several and California was the only dirty one, although Housecall & PCPitstop just scanned it as clean.
Last edited by TonyTheTiger; 10/08/04 04:11 PM.

Hoopy frood | Joined: Dec 2002 | Posts: 2,962
Could someone just tell me for definite the precise name of the process and where it's located? The problem is that there are about 2 dozen viruses that use lsass.exe and variants of that name, and just a single legitimate Windows process that uses it too. Pay special attention to the filenames and the number of s'es being used.
LSAS.EXE & LSAS32.EXE: I'm reasonably certain that lsas.exe and lsas32.exe are both viruses.
LSASS.EXE: Apparently there's also several viruses which use a process called lsass.exe located in your root Windows directory (ie. C:\windows or c:\winnt) and possibly some other directories also. However, be careful because there's a legitimate Windows process which is located in the System directory (ie. c:\windows\system32 or c:\winnt\system32) called lsass.exe. I'm not sure what versions of Windows it's used on; it's definitely on WinXP Home, I can't find a trace of it on Win98SE, I'd guess it's only used on NT/XP/2000 and later.
LSASS32.EXE: There are several viruses using lsass32.exe.
LSASSS.EXE: There's at least one variant of the Sasser worm that uses a process by this name.
I can't tell you for sure what to do about any processes that using that installer might run. All I can say is that you certainly shouldn't use that mirror to download. The fact that the installer is different but still works correctly strongly suggests that it's caused by intentional tampering and is most likely malicious in intent (virus, spyware, adware, etc.).
Spelling mistakes, grammatical errors, and stupid comments are intentional.
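An added example, not the poster's own code, that turns the name and location rules in this post into a triage function: the only legitimate case is lsass.exe (two s'es, exactly) inside the System directory; the names listed as malware, any other lsas-prefixed .exe, and lsass.exe in the wrong directory are all flagged. It accepts process image paths and Run-key style command lines; the sample entries and the /quiet argument are constructed.

```python
import ntpath
from typing import List, Tuple

# The one legitimate location the thread gives for lsass.exe (NT/2000/XP).
LEGIT_NAME = "lsass.exe"
LEGIT_DIRS = {r"c:\windows\system32", r"c:\winnt\system32"}
# Names the thread lists as used only by malware.
KNOWN_LOOKALIKES = {"lsas.exe", "lsas32.exe", "lsass32.exe", "lsasss.exe"}


def image_path(command: str) -> str:
    """Pull the executable out of a Run-key style command line."""
    c = command.strip()
    if c.startswith('"'):
        return c[1:].split('"', 1)[0]
    return c.split()[0]


def classify(command: str) -> str:
    """Triage one process image path or autorun command."""
    directory, name = ntpath.split(image_path(command).lower())
    if name == LEGIT_NAME:
        if directory in LEGIT_DIRS:
            return "legitimate"
        return "suspect: lsass.exe outside the System directory"
    if name in KNOWN_LOOKALIKES:
        return f"suspect: known lookalike name {name}"
    if name.startswith("lsas") and name.endswith(".exe"):
        return f"suspect: unlisted lsass lookalike {name}"
    return "not an lsass lookalike"


def triage(entries: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """entries are (where it was seen, path or command) pairs."""
    return [(src, cmd, classify(cmd)) for src, cmd in entries]


# Constructed sample mixing a process listing with Run-key values.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE = [
    ("process", r"C:\WINDOWS\system32\lsass.exe"),
    ("process", r"C:\WINDOWS\lsas32.exe"),
    ("process", r"C:\WINDOWS\mssli32.exe"),
    (RUN_KEY, r'"C:\WINDOWS\lsas32.exe" /quiet'),
    (RUN_KEY, r"C:\WINDOWS\lsass.exe"),
]

if __name__ == "__main__":
    for src, cmd, verdict in triage(SAMPLE):
        print(f"{src:55} {cmd:35} {verdict}")
```

Note that mssli32.exe from the AVG report above is not caught by this name rule; that file needs a hash or signature check instead.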

Hoopy frood | Joined: Jun 2003 | Posts: 5,024
AVG detects this as Downloader.Small.8.AK in a file C:\WINDOWS\mssli32.exe on Windows XP Home.
This has happened before with a Swedish and a Singaporean mirror; they were removed swiftly. This mirror will most likely be removed (although I can give no official word) as soon as Krejt or Khaled sees this post (or the email I've sent).
Regards,
Mentality/Chris

Nutrimatic drinks dispenser (OP) | Joined: Aug 2004 | Posts: 8
I found mssli32.exe as well and removed it, well, AVP did. To check a process's validity on your own if you are unsure, try this program: Process Explorer (free) from www.sysinternals.com, then double-click the process and check the "command line" box. It also has detailed information about all the threads of the process, even stack info for every thread, and the services in use by it. Make sure you have a firewall on as well so you can check the PIDs etc.

Fjord artisan | Joined: Jun 2003 | Posts: 384
lsas32.exe is the name of the apparent virus and it resides in C:\Windows (in XP, anyway).

Nutrimatic drinks dispenser (OP) | Joined: Aug 2004 | Posts: 8
"This was posted yesterday and the California download link is still there .. I wonder how many have downloaded from that link in the last 12 hours. Crazy."
Wasn't 6.16 released like a month ago ?

Babel fish | Joined: May 2003 | Posts: 79
Norton Anti-Virus can't find any virus, but I agree there is one, as I also got lsas32.exe running, a file which was created on August 8th, and the mirc.exe packager didn't have any info when we checked its properties.
I think mIRC should be on its own servers, and not hosted by some other people who offer to. It costs money, I know... but at least it will be safe to download, so people won't "fear" getting the latest version released.

Hoopy frood | Joined: Dec 2002 | Posts: 788
A good idea in principle, but likely since each mirror would be required to be hosted on a completely different server to be "reliable" should one go down; also this would be required since there are some people who can't access specific websites from their geographical location.
An interesting idea that would prove somewhat reliable would be to produce (a few lines of coding) a very basic "redirection PHP page" that, before it redirects you to one of the requested mirrors, remotely checks the .exe's MD5, or whatnot, against the one hosted on the mIRC server to see if it matches.
Eamonn.

Nutrimatic drinks dispenser (OP) | Joined: Aug 2004 | Posts: 8
After today's AVP update it detects lsas32 as Trojan.Win32.Zapchast.
Avp has proven to be much more reliable than Norton for me many times.

Hoopy frood | Joined: Dec 2002 | Posts: 2,962
To check the mirror's MD5 would require downloading the entire program, since merely having some kind of MD5 query would mean that it could easily be faked. I don't think mirrors would appreciate their traffic being doubled, nor would mIRC's hosters whose traffic would go up by about 30x. A simple solution would be just to verify them once per day or something like that. At least then we wouldn't be in the position we are now where this thread has been up for around 36 hours and the mirror is still up. Who knows how many people have been infected in that time?
Spelling mistakes, grammatical errors, and stupid comments are intentional.

Hoopy frood | Joined: Dec 2002 | Posts: 788
Good point, I suppose; hadn't really thought of it from the bandwidth supplier's point of view.
Eamonn.

Self-satisified door | Joined: May 2004 | Posts: 4
I ran a few tests today to see what exactly happened once you downloaded the file from the CA mirror.
If you do a properties on the mirc616.exe from the CA mirror, there is no version information but if you compare the filesize to one of the real mirc616.exe files from another mirror they are exactly the same. Interesting I thought, how did they manage that?
Once you run it, it extracts the lsas32.exe file to C:\Windows and also the real mirc616.exe (which has the version information where it should be), which it then runs so you'd think nothing was wrong.
You have to stop the lsas32.exe process, delete the file and then remove the entry from your Run key in the registry.
---
Adding some instructions to the download page, including a link to a freeware MD5 program plus the hash of the installation file to compare against, might be a good idea, at least from an IT professional's view. I do realise most newbies and other computer users would probably not understand what it meant or just ignore it entirely.
Last edited by quack; 11/08/04 01:32 PM.

Vogon poet | Joined: Feb 2004 | Posts: 124
"Avp has proven to be much more reliable than Norton for me many times."
Same here .. same also goes for McAfee.

Hoopy frood | Joined: Jun 2003 | Posts: 5,024
This mirror has been removed.
Regards,
Mentality/Chris

Mostly harmless | Joined: Aug 2004 | Posts: 1
OK great, but just a suggestion: XP SP2 has DEP enabled [Data Execution Prevention]. This actually confirms whether the user wishes to run the program first; however, mirc.exe does not use this. "Publisher unknown" shows up because the exec doesn't have a valid digital signature that verifies its publisher. This problem would have been spared us if that process had been used to spread the program. However, fortunately problems like this never affect me (much, lol) because I have a habit of always running Task Manager at first boot up and using Startup Control Panel by Mike Lin to check what's going to start up next boot. BTW, you can get that program here, also from him, to alert you when something is set to run at startup.