Re: Universa Application
CJE Culver, March 5, 2006, 3:08 pm
has apparently already expired all the replies to my initial query; I
only saw the one from Art.
In any case, the results of the online scan Art recommended:
AntiVir 188.8.131.52 03.03.2006 TR/Dialer.OY.3
Avast 4.6.695.0 03.03.2006 no virus found
AVG 718 03.03.2006 Potentially harmful program Dialer.BCD
Avira 184.108.40.206 03.03.2006 TR/Dialer.OY.3
BitDefender 7.2 03.03.2006 no virus found
CAT-QuickHeal 8.00 03.02.2006 no virus found
ClamAV devel-20060126 03.03.2006 no virus found
DrWeb 4.33 03.03.2006 no virus found
eTrust-InoculateIT 23.71.92 03.03.2006 Win32/SillyDl.AGC!Trojan
eTrust-Vet 12.4.2104 03.03.2006 Win32/SillyDl.AGC
Ewido 3.5 03.03.2006 Trojan.Dialer.oy
Fortinet 220.127.116.11 03.03.2006 Dloader.AUX!tr
F-Prot 3.16c 03.03.2006 no virus found
Ikarus 0.2.59.0 03.03.2006 no virus found
Kaspersky 18.104.22.168 03.03.2006 Trojan.Win32.Dialer.oy
McAfee 4710 03.03.2006 Downloader-AUX
NOD32v2 1.1428 03.03.2006 Win32/Dialer.OY
Norman 5.70.10 03.03.2006 no virus found
Panda 22.214.171.124 03.03.2006 Suspicious file
Sophos 4.03.0 03.03.2006 no virus found
Symantec 8.0 03.03.2006 no virus found
TheHacker 126.96.36.199 03.03.2006 no virus found
UNA 1.83 03.02.2006 Trojan.Win32.Dialer
VBA32 3.10.5 03.03.2006 Trojan.Win32.Dialer.oy
Which tell me the EXE file is either chock full of virii, or a single
virus with a multitude of names.
But what it doesn't tell me is who keeps putting win*.tmp.exe in my
windows\temp folder and launching it. THAT's what I'm trying to get rid of.
Re: Universa Application
filemon (http://www.sysinternals.com/Utilities/Filemon.html ) with an
appropriately constructed filter may be able to tell you what process
I'd try a filter that looks like C:\WINDOWS\TEMP\win*.temp.exe.
My guess is that it's probably a previous instance of itself still in
memory that creates it but there could be a dropper somewhere else, i
suppose, or perhaps some unpatched vulnerability in some component
related to the internet (browser, email, java, etc) that gets exploited
when you visit a particular site...
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
Re: Universa Application
There is little consistency, unfortunately, in naming a particular
malware by the various av companies. Also, Panda, for example,
alerts heuristically, meaning it doesn't have a normal detection; it's
just "seeing something fishy".
What the results tell me is that the malware is likely to be fairly
new since a quick look for descriptions by the vendors didn't
turn up anything, and some of the mainstream scanners didn't
alert. But also, since it's a dialer, Trojan specific and/or spyware
scanner products may be the best bet for removal.
Of course not. The first step was to see if any av scanners recognise
it. The second is to look for vendor descriptions once you get the
malware name(s). From a description you can figure out how to manually
remove the malware.
David Lipman will probably come along and suggest downloading his
Multi-AV and also recommend Trojan and spyware specialised
scanner/removers. I've already mentioned a few of the latter in my
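The multi-scanner listing in the first post and the point about inconsistent naming in the reply above can be worked through mechanically. The following is an added example, not code from anyone in this thread: it parses a report in the same column layout (vendor, engine version, signature date, verdict), buckets verdicts into clean, heuristic-only and named detections, and counts which family word recurs across vendors despite the different naming schemes. The sample report is constructed and its version strings are placeholders.

```python
import re
from collections import Counter

# Constructed sample (not the thread's own output): same layout as the report
# quoted in the first post, i.e. vendor, engine version, signature date, verdict.
# Engine version strings are placeholders.
SAMPLE_REPORT = """\
AntiVir 6.34.0.1 03.03.2006 TR/Dialer.OY.3
Avast 4.6.695.0 03.03.2006 no virus found
AVG 718 03.03.2006 Potentially harmful program Dialer.BCD
Ewido 3.5 03.03.2006 Trojan.Dialer.oy
Fortinet 2.71.0.0 03.03.2006 Dloader.AUX!tr
Kaspersky 4.0.2.24 03.03.2006 Trojan.Win32.Dialer.oy
McAfee 4710 03.03.2006 Downloader-AUX
Panda 9.0.0.4 03.03.2006 Suspicious file
Symantec 8.0 03.03.2006 no virus found
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+)$")
CLEAN = "no virus found"
HEURISTIC = {"suspicious file"}          # a verdict with no family name at all
# Type/platform prefixes that carry no family information.
NOISE = {"tr", "trojan", "win32", "potentially", "harmful", "program", "file", "suspicious"}

def parse_report(text):
    """Return one dict per scanner line; lines that do not fit the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        vendor, version, date, verdict = m.groups()
        rows.append({"vendor": vendor, "version": version, "date": date, "verdict": verdict.strip()})
    return rows

def family_tokens(verdict):
    """Split a vendor name such as 'Trojan.Win32.Dialer.oy' into candidate family words.
    Short tokens (variant letters like 'oy', 'AUX') and digits are dropped."""
    tokens = re.split(r"[^A-Za-z0-9]+", verdict)
    return [t.lower() for t in tokens if len(t) >= 4 and not t.isdigit() and t.lower() not in NOISE]

def summarize(rows):
    """Bucket verdicts and count family words, once per vendor, across all detections."""
    summary = {"detected": [], "clean": [], "heuristic": [], "families": Counter()}
    for r in rows:
        v = r["verdict"].lower()
        if v == CLEAN:
            summary["clean"].append(r["vendor"])
        elif v in HEURISTIC:
            summary["heuristic"].append(r["vendor"])
        else:
            summary["detected"].append(r["vendor"])
            summary["families"].update(set(family_tokens(r["verdict"])))
    return summary

if __name__ == "__main__":
    s = summarize(parse_report(SAMPLE_REPORT))
    print(f"named detections: {len(s['detected'])}, clean: {len(s['clean'])}, heuristic only: {len(s['heuristic'])}")
    print("most common family word:", s["families"].most_common(1))
```

The consensus family word is what to search vendor descriptions for, rather than any single vendor's full name.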