need to figure out if an .scr file contains a security threat


Hello.

On MSN, I received an scr file and being the stupid idiot that I am, I
clicked on it. It didn't appear to do anything and when asking the
person who sent it, he told me it was some kind of virus that was sent
via msn. So now I'm extremely pissed off with myself but before
formatting my HD and installing everything once again, I was thinking
it might be possible to determine if the .scr file has actually
compromised my system in any way.

I've put the file online here:
http://www.ibbu.nl/~nsprakel/possible_virus.rar

I was wondering if anyone could help me out analyzing whether or not
the file is likely to have infected my computer? Or perhaps someone
can suggest a website where I could submit the file to have it scanned
to assess the potential threat.
I have my system fully updated (win xp pro sp2) and use AVG, which
didn't appear to find any virus in it.

Kind regards and thanks in advance for any help, Niek


Re: need to figure out if an .scr file contains a security threat


I scanned the file online and it did indeed contain a virus... here is
a screenshot of Kaspersky's scan results for that file:
http://www.ibbu.nl/~nsprakel/virus.jpg

Ok, so now what do I do... would it really be necessary to format my
HD and install all the software again or is there a less cumbersome
solution?


Re: need to figure out if an .scr file contains a security threat



|
| I scanned the file online and it did indeed contain a virus... here is
| a screenshot
| of Kaspersky's scan results for that file:
| http://www.ibbu.nl/~nsprakel/virus.jpg
|
| Ok, so now what do I do... would it really be necessary to format my
| HD and install all the software again or is there a less cumbersome
| solution?

Please REMOVE that file from the http://www.ibbu.nl server.


Complete scanning result of "possible_virus.scr", processed in VirusTotal at
06/16/2007 00:03:27 (CET).

[ file data ]
* name: possible_virus.scr
* size: 345088
* md5.: 90e8e9e296ce9e19d1d1da97db4b62b5
* sha1: d82d2262bd4087cb4b939929b2101bb5b8a2ee59

[ scan result ]
AhnLab-V3 2007.6.16.0/20070615 found nothing
AntiVir 7.4.0.32/20070615 found [BDS/Bifrose.NU]
Authentium 4.93.8/20070615 found nothing
Avast 4.7.997.0/20070615 found nothing
AVG 7.5.0.467/20070615 found nothing
BitDefender 7.2/20070615 found [Backdoor.IRCBot.ABDD]
CAT-QuickHeal 9.00/20070615 found [(Suspicious) - DNAScan]
ClamAV devel-20070416/20070615 found [Trojan.Pakes-248]
DrWeb 4.33/20070615 found nothing
eSafe 7.0.15.0/20070614 found [Win32.IRCBot.aaq]
eTrust-Vet 30.7.3721/20070615 found nothing
Ewido 4.0/20070615 found [Backdoor.IRCBot.aaq]
F-Prot 4.3.2.48/20070615 found nothing
F-Secure 6.70.13030.0/20070615 found [Backdoor.Win32.IRCBot.aaq]
FileAdvisor 1/20070615 found [Not analyzed yet]
Fortinet 2.85.0.0/20070615 found [W32/IRCBot.AAQ!tr.bdr]
Ikarus T3.1.1.8/20070615 found [Backdoor.VB.EV]
Kaspersky 4.0.2.24/20070615 found [Backdoor.Win32.IRCBot.aaq]
McAfee 5054/20070615 found nothing
Microsoft 1.2607/20070615 found nothing
NOD32v2 2334/20070615 found nothing
Norman 5.80.02/20070615 found nothing
Panda 9.0.0.4/20070615 found [W32/Gaobot.OXI.worm]
Sophos 4.18.0/20070612 found nothing
Sunbelt 2.2.907.0/20070614 found [Win32.ExplorerHijack]
Symantec 10/20070615 found nothing
TheHacker 6.1.6.133/20070615 found [Backdoor/IRCBot.aaq]
VBA32 3.12.0.2/20070615 found [Backdoor.Win32.IRCBot.aaq]
VirusBuster 4.3.23:9/20070615 found [Backdoor.IRCBot.AZA]
Webwasher-Gateway 6.0.1/20070615 found [Trojan.Bifrose.NU]

[ notes ]
packers: Themida
Bit9 info:
http://fileadvisor.bit9.com/services/extinfo.aspx?md5=90e8e9e296ce9e19d1d1da97db4b62b5




--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
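The VirusTotal report above is plain text, one engine per line, so it can be triaged mechanically: how many engines flagged the file, how many had not analysed it yet, and which family names recur. The helper below is an added example written for this thread, not code from the thread or from VirusTotal; it parses an excerpt of the report Dave posted and tallies the verdicts (the family grouping is a crude token heuristic, an assumption of this example).

```python
import re
from collections import Counter

# Excerpt of the VirusTotal text report quoted in Dave's post (engine, version/sigdate, verdict).
VT_EXCERPT = """\
[ scan result ]
AntiVir 7.4.0.32/20070615 found [BDS/Bifrose.NU]
AVG 7.5.0.467/20070615 found nothing
BitDefender 7.2/20070615 found [Backdoor.IRCBot.ABDD]
FileAdvisor 1/20070615 found [Not analyzed yet]
Kaspersky 4.0.2.24/20070615 found [Backdoor.Win32.IRCBot.aaq]
Panda 9.0.0.4/20070615 found [W32/Gaobot.OXI.worm]
Symantec 10/20070615 found nothing
VirusBuster 4.3.23:9/20070615 found [Backdoor.IRCBot.AZA]
"""

LINE_RE = re.compile(r"^(?P<engine>\S+) (?P<version>\S+)/(?P<sigdate>\d{8}) found (?P<verdict>.+)$")
NOT_ANALYZED = "Not analyzed yet"
# Words that name a malware class rather than a family; ignored when tallying families (heuristic).
GENERIC = {"backdoor", "trojan", "win32", "worm", "suspicious", "dnascan"}

def parse_scan_result(text):
    """Return one dict per engine line; 'label' is None when the engine found nothing."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:          # skips the "[ scan result ]" header and blank lines
            continue
        verdict = m.group("verdict")
        label = None if verdict == "nothing" else verdict.strip("[]")
        rows.append({"engine": m.group("engine"), "version": m.group("version"),
                     "sigdate": m.group("sigdate"), "label": label})
    return rows

def family_tokens(label):
    """Crude family guess: mixed-case alphabetic tokens of 4+ chars that are not class words."""
    return [t.lower() for t in re.findall(r"[A-Za-z]{4,}", label)
            if not t.isupper() and t.lower() not in GENERIC]

def summarize(rows):
    """Detection ratio plus the most frequent family tokens across the engines that fired."""
    detected = [r for r in rows if r["label"] not in (None, NOT_ANALYZED)]
    families = Counter(t for r in detected for t in family_tokens(r["label"]))
    return {"total": len(rows), "detected": len(detected),
            "clean": sum(r["label"] is None for r in rows),
            "not_analyzed": sum(r["label"] == NOT_ANALYZED for r in rows),
            "families": families.most_common()}

if __name__ == "__main__":
    s = summarize(parse_scan_result(VT_EXCERPT))
    print(f"{s['detected']}/{s['total']} engines flagged the file; families: {s['families']}")
```

On the excerpt this reports 5 of 8 engines firing with "ircbot" as the dominant family, which is the same picture the full 30-engine list gives: a split verdict from signature scanners is still a strong signal once the names agree.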



Re: need to figure out if an .scr file contains a security threat


Ok, done, but what do I do about my infected computer?


Re: need to figure out if an .scr file contains a security threat


| wrote:
|>> I scanned the file online and it did indeed contain a virus... here is
|>> a screenshot
|>> of Kaspersky's scan results for that file:
|>> http://www.ibbu.nl/~nsprakel/virus.jpg
|>>
|>> Ok, so now what do I do... would it really be necessary to format my
|>> HD and install all the software again or is there a less cumbersome
|>> solution?
| Ok, done, but what do I do about my infected computer?

You RAN IT ?  Oy vay...

You can use the Kaspersky module of the following Multi AV Scanning Tool and/or
the free BitDefender 8.

I will submit the file to mAV vendors this evening.

Free BitDefender v8
--------------------
http://www.bitdefender.com/PRODUCT-14-en--BitDefender-8-Free-Edition.html


Multi AV Scanning Tool.
----------------------
Download MULTI_AV.EXE from the URL --
http://www.pctipp.ch/downloads/dl/35905.asp

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go
through your FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal
Mode. This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you
can download the files and perform a scan in Normal Mode. Once you have downloaded
the files needed for each scanner you want to use, you should reboot the PC into
Safe Mode [F8 key during boot] and re-run the menu again and choose which scanner
you want to run in Safe Mode. It is suggested to run the scanners in both Safe
Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive
PDF help file.

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * *   Please report back your results  * * *




--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: need to figure out if an .scr file contains a security threat


Yes, I ran it. Twice even. :-/ *sigh*
Like I said in my first posting in this thread, I was stupid enough to
run it.


Wouldn't it be possible to use the online kaspersky scan to clean my
computer somehow?
Is it likely it has infected all HD's or just the system HD?




Re: need to figure out if an .scr file contains a security threat



|
| Wouldn't it be possible to use the online kaspersky scan to clean my
| computer somehow?
| Is it likely it has infected all HD's or just the system HD?
|

The online Kaspersky scanner is a "detection only" scanner.

What was the message on MSN? Could you post subject and body text?

Did you keep a copy?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: need to figure out if an .scr file contains a security threat


Ok, I'll try the scanners you suggested, bit defender and kaspersky
from the multi-AV tool.


I didn't keep a copy... it was just an MSN chat message (they don't
have subjects) saying something like "have a look at these pictures"
and a file photos.zip that contained a file photos.scr. On msn, you
have to accept files in order to receive them when someone sends them
in a chat message. I accepted the file, unzipped it, had a look at
wikipedia.org to see what scr files are and thinking a screensaver
file was probably safe I attempted to open it. Nothing seemed to
happen of course, so I asked the person who had sent it and he told me
the msg had been sent automatically and he had also clicked the scr
file himself previously.

I have a huge (over 300 contacts) contact list on MSN and I tried to
send a kind of multiple recipient message to warn other people not to
open any files in messages sent by me, but that didn't work. So I
closed down MSN to avoid the virus sending itself.





Re: need to figure out if an .scr file contains a security threat


For clarity, by MSN I mean the chat program "Windows Live Messenger".


Re: need to figure out if an .scr file contains a security threat

In alt.comp.virus, name wrote:


"Screensaver" files have long been used as a prime way to distribute
viruses. It's called social engineering.

Then there is the chance the file was actually named:

"screensaver.scr                            .exe"

Notice the .exe way over there --->


Then you had best pass David's instruction along to him as well, as he
is surely infected, too.

Time to post this link again?
http://outside.arc.ab.ca/staff/erkamp/security.jpg

--
   -bts
   -Motorcycles defy gravity; cars just suck

Re: need to figure out if an .scr file contains a security threat

On 16 jun, 00:43, "Beauregard T. Shagnasty"

I don't think that was the case... a few years ago I did click on a
file picture.jpg.exe and had a similar situation but this time I'm
fairly sure the extension was really just ".scr"


Well, I did refer him to this thread on groups.google.com


In retrospect you always wonder how you can be so stupid. :-/




Re: need to figure out if an .scr file contains a security threat



It doesn't matter, since .scr and .exe are both executable, as are a
host of other extensions.


Re: need to figure out if an .scr file contains a security threat


aka W32.Mubla
http://www.symantec.com/security_response/writeup.jsp?docid=2007-060108-4446-99




Re: need to figure out if an .scr file contains a security threat


Hmmm...
Risk Level 1: Very Low

That's a bit of a comfort... I just hope I'm able to clean my computer
without a HD format.


Re: need to figure out if an .scr file contains a security threat


That's odd btw that Symantec didn't recognize it... since Jen posted
the following link in this thread that seems to indicate Symantec does
know about it:

http://www.symantec.com/security_response/writeup.jsp?docid=2007-060108-4446-99


Re: need to figure out if an .scr file contains a security threat


Probably a new variant...   I just now got a new def, prolly covers it
:)  I have Symantec Corporate Edition.

-jen




Re: need to figure out if an .scr file contains a security threat



|
| That's odd btw that symantec didn't recognize it.. since jen posted
| the following link in this thread that seems to indicate symantec does
| know about it:
|
| http://www.symantec.com/security_response/writeup.jsp?docid=2007-060108-4446-99

It doesn't mean they are one and the same.

It could be the same BUT... a different variant.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: need to figure out if an .scr file contains a security threat


|
| It doesn't mean they are one and the same.
|
| It could be the same BUT... a different variant.
|

Jen is correct.
It is a new variant of what Symantec calls "W32.Mubla"

This variant uses:

HKCR\CLSID\\InProcServer32
"(Default)" = "syshelps.dll"
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
"syshelps" = "

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: need to figure out if an .scr file contains a security threat



Ah, that explains why AVG gave me an alert about a 'syshelps.dll'
file... bit late though after my computer had already been infected.


Re: need to figure out if an .scr file contains a security threat



|
| Ah, that explains why AVG gave me an alert about a 'syshelps.dll'
| file... bit late though after my computer had already been infected.

OK then

1.    Delete from the Registry..

HKCR\CLSID\

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\syshelps

2.    Logoff then logon again.

3.    Delete;
%windir%\photos.zip
%windir%\system32\syshelps.dll

4.    Completely scan the PC starting at %windir%

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


