Re: Universa Application

Sorry, folks. I was out of town for a day and a half, and my USENET feed
has apparently already expired all the replies to my initial query; I
only saw the one from Art.

In any case, the results of the online scan Art recommended:

Scanner              Version          Date         Result
AntiVir              -                03.03.2006   TR/Dialer.OY.3
Avast                4.6.695.0        03.03.2006   no virus found
AVG                  718              03.03.2006   Potentially harmful program Dialer.BCD
Avira                -                03.03.2006   TR/Dialer.OY.3
BitDefender          7.2              03.03.2006   no virus found
CAT-QuickHeal        8.00             03.02.2006   no virus found
ClamAV               devel-20060126   03.03.2006   no virus found
DrWeb                4.33             03.03.2006   no virus found
eTrust-InoculateIT   23.71.92         03.03.2006   Win32/SillyDl.AGC!Trojan
eTrust-Vet           12.4.2104        03.03.2006   Win32/SillyDl.AGC
Ewido                3.5              03.03.2006   Trojan.Dialer.oy
Fortinet             -                03.03.2006   Dloader.AUX!tr
F-Prot               3.16c            03.03.2006   no virus found
Ikarus               -                03.03.2006   no virus found
Kaspersky            -                03.03.2006   Trojan.Win32.Dialer.oy
McAfee               4710             03.03.2006   Downloader-AUX
NOD32v2              1.1428           03.03.2006   Win32/Dialer.OY
Norman               5.70.10          03.03.2006   no virus found
Panda                -                03.03.2006   Suspicious file
Sophos               4.03.0           03.03.2006   no virus found
Symantec             8.0              03.03.2006   no virus found
TheHacker            -                03.03.2006   no virus found
UNA                  1.83             03.02.2006   Trojan.Win32.Dialer
VBA32                3.10.5           03.03.2006   Trojan.Win32.Dialer.oy

Which tells me the EXE file is either chock full of viruses, or a single
virus with a multitude of names.

But what it doesn't tell me is who keeps putting win*.tmp.exe in my
windows\temp folder and launching it. THAT's what I'm trying to get rid of.


Re: Universa Application

CJE Culver wrote:
> But what it doesn't tell me is who keeps putting win*.tmp.exe in my
> windows\temp folder and launching it. THAT's what I'm trying to get rid of.

filemon ( ) with an
appropriately constructed filter may be able to tell you what process
creates it...

I'd try a filter that looks like C:\WINDOWS\TEMP\win*.temp.exe

My guess is that it's probably a previous instance of itself still in
memory that creates it, but there could be a dropper somewhere else, I
suppose, or perhaps some unpatched vulnerability in some component
related to the internet (browser, email, Java, etc.) that gets exploited
when you visit a particular site...

"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
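The filter-and-attribute step suggested above, as an added example that is not part of the original thread: instead of Filemon's GUI filter, this script reads a CSV export from Process Monitor (Filemon's successor) and reports which process created or wrote any file matching C:\WINDOWS\TEMP\win*.tmp.exe, then labels each creator as the malware re-dropping itself or as an external dropper, which is exactly the distinction the reply is guessing at. The CSV column layout is Procmon's default; the log rows, process names and PIDs are constructed for the example.

```python
"""Attribute creation of win*.tmp.exe in the temp folder to a process,
from a Process Monitor CSV export.  Added example, not from the thread;
all sample rows below are constructed."""
import csv
import fnmatch
import io
from collections import defaultdict

# Constructed Procmon CSV export (File > Save > CSV).  The header is Procmon's
# default column set; every data row is made up for this example.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.0001","explorer.exe","1234","CreateFile","C:\\WINDOWS\\TEMP\\~DF1234.tmp","SUCCESS","Desired Access: Generic Write"
"10:02:12.0002","win3a.tmp.exe","2048","CreateFile","C:\\WINDOWS\\TEMP\\win7f.tmp.exe","SUCCESS","Desired Access: Generic Write, Disposition: Create"
"10:02:12.0005","win3a.tmp.exe","2048","WriteFile","C:\\WINDOWS\\TEMP\\win7f.tmp.exe","SUCCESS","Offset: 0, Length: 40960"
"10:02:13.0100","svchost.exe","880","CreateFile","C:\\WINDOWS\\TEMP\\win7f.tmp.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open"
"10:02:14.0000","iexplore.exe","3100","CreateFile","C:\\WINDOWS\\TEMP\\win9c.tmp.exe","SUCCESS","Desired Access: Generic Write, Disposition: Create"
"10:02:15.0000","win7f.tmp.exe","2200","Process Start","","SUCCESS","Parent PID: 2048"
"""

# The same glob the reply proposes for the Filemon filter (with .tmp, as in
# the original post's file name).
FILTER_GLOB = r"C:\WINDOWS\TEMP\win*.tmp.exe"


def creators(csv_text, path_glob=FILTER_GLOB):
    """Return {path: [(process name, pid), ...]} for every process that
    created or wrote a file whose path matches path_glob.
    Matching is case-insensitive, like an NTFS path lookup."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["Path"]
        if not fnmatch.fnmatch(path.lower(), path_glob.lower()):
            continue
        op, detail = row["Operation"], row["Detail"]
        # A CreateFile that merely opens an existing file (scanner, loader,
        # Explorer) is not the dropper; only a Create disposition or a
        # WriteFile counts as putting the file there.
        created = op == "CreateFile" and "Disposition: Create" in detail
        wrote = op == "WriteFile"
        if created or wrote:
            entry = (row["Process Name"], int(row["PID"]))
            if entry not in hits[path]:
                hits[path].append(entry)
    return dict(hits)


def explain(hits):
    """Label each creator: a win*.tmp.exe writing another win*.tmp.exe is a
    previous instance of the malware re-dropping itself; anything else is an
    external dropper (a browser, a second loader) worth investigating."""
    labels = {}
    for procs in hits.values():
        for proc, pid in procs:
            self_drop = fnmatch.fnmatch(proc.lower(), "win*.tmp.exe")
            labels[(proc, pid)] = "self-replication" if self_drop else "external dropper"
    return labels


if __name__ == "__main__":
    found = creators(SAMPLE_CSV)
    for path, procs in found.items():
        print(path)
        for proc, pid in procs:
            print(f"    written by {proc} (PID {pid}): {explain(found)[(proc, pid)]}")
```

In the constructed log, win7f.tmp.exe is dropped by an earlier win3a.tmp.exe (the "previous instance of itself" case) while win9c.tmp.exe is written by iexplore.exe, which would point at the browser-exploit case instead; svchost.exe only opens the file for reading and is correctly ignored.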

Re: Universa Application

On Sun, 05 Mar 2006 23:08:27 +0800, CJE Culver wrote:

> Which tells me the EXE file is either chock full of viruses, or a single
> virus with a multitude of names.

There is little consistency, unfortunately, in naming a particular
malware by the various av companies. Also, Panda, for example,
alerts heuristically, meaning it doesn't have normal detection, it's
just "seeing something fishy".

What the results tell me is that the malware is likely to be fairly
new since a quick look for descriptions by the vendors didn't
turn up anything, and some of the mainstream scanners didn't
alert. But also, since it's a dialer, Trojan specific and/or spyware
scanner products may be the best bet for removal.

> But what it doesn't tell me is who keeps putting win*.tmp.exe in my
> windows\temp folder and launching it. THAT's what I'm trying to get rid of.

Of course not. The first step was to see if any av scanners recognise
it. The second is to look for vendor descriptions once you get the
malware name(s). From a description you can figure out how to manually
remove the malware.

David Lipman will probably come along and suggest downloading his
Multi-AV and also recommend Trojan and spyware specialised
scanner/removers. I've already mentioned a few of the latter in my
first response.
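The triage Art describes (count which scanners alert, separate heuristic verdicts from signature hits, and reduce the vendor-specific names to a family before looking up descriptions), as an added example that is not part of the original thread. It parses the result block from the first post verbatim; the family keyword list and the mapping of Fortinet's "Dloader" onto "downloader" are my assumptions, not anything a vendor publishes.

```python
"""Normalise a multi-scanner result block into a detection ratio and
family counts.  Added example, not from the thread.  The family keywords
and the Dloader -> downloader mapping are assumptions for this example."""
import re
from collections import Counter

# Copied from the first post: scanner, optional version, date, verdict,
# separated by runs of spaces.
SCAN_RESULTS = """\
AntiVir    03.03.2006    TR/Dialer.OY.3
Avast    4.6.695.0    03.03.2006    no virus found
AVG    718    03.03.2006    Potentially harmful program Dialer.BCD
Avira    03.03.2006    TR/Dialer.OY.3
BitDefender    7.2    03.03.2006    no virus found
CAT-QuickHeal    8.00    03.02.2006    no virus found
ClamAV    devel-20060126    03.03.2006    no virus found
DrWeb    4.33    03.03.2006    no virus found
eTrust-InoculateIT    23.71.92    03.03.2006    Win32/SillyDl.AGC!Trojan
eTrust-Vet    12.4.2104    03.03.2006    Win32/SillyDl.AGC
Ewido    3.5    03.03.2006    Trojan.Dialer.oy
Fortinet    03.03.2006    Dloader.AUX!tr
F-Prot    3.16c    03.03.2006    no virus found
Ikarus    03.03.2006    no virus found
Kaspersky    03.03.2006    Trojan.Win32.Dialer.oy
McAfee    4710    03.03.2006    Downloader-AUX
NOD32v2    1.1428    03.03.2006    Win32/Dialer.OY
Norman    5.70.10    03.03.2006    no virus found
Panda    03.03.2006    Suspicious file
Sophos    4.03.0    03.03.2006    no virus found
Symantec    8.0    03.03.2006    no virus found
TheHacker    03.03.2006    no virus found
UNA    1.83    03.02.2006    Trojan.Win32.Dialer
VBA32    3.10.5    03.03.2006    Trojan.Win32.Dialer.oy
"""

DATE = re.compile(r"\d{2}\.\d{2}\.\d{4}")
# Verdict wording that means "heuristic, no signature" (Panda's, per the reply).
HEURISTIC_WORDS = ("suspicious",)
# Family tokens seen in this result set; assumption for the example.
FAMILY = re.compile(r"(dialer|sillydl|downloader|dloader)", re.I)
CANONICAL = {"dloader": "downloader"}  # Fortinet's abbreviation, assumed


def parse(text):
    """Split each line into (scanner, version or None, date, verdict).
    The version column is optional, so locate the date field and treat
    everything after it as the verdict."""
    rows = []
    for line in text.splitlines():
        parts = re.split(r"\s{2,}|\t", line.strip())
        dates = [i for i, p in enumerate(parts) if DATE.fullmatch(p)]
        if not dates or dates[0] == 0:
            continue
        i = dates[0]
        version = parts[1] if i == 2 else None
        rows.append((parts[0], version, parts[i], " ".join(parts[i + 1:])))
    return rows


def classify(verdict):
    """'clean', 'heuristic' (no real signature), or 'named' (signature hit)."""
    v = verdict.lower()
    if v == "no virus found":
        return "clean"
    if any(w in v for w in HEURISTIC_WORDS):
        return "heuristic"
    return "named"


def family(verdict):
    """Reduce a vendor name such as Trojan.Win32.Dialer.oy to a family token."""
    m = FAMILY.search(verdict)
    if not m:
        return "other"
    tok = m.group(1).lower()
    return CANONICAL.get(tok, tok)


def summarize(text):
    rows = parse(text)
    kinds = Counter(classify(r[3]) for r in rows)
    fams = Counter(family(r[3]) for r in rows if classify(r[3]) == "named")
    return {"scanners": len(rows), "kinds": dict(kinds), "families": dict(fams)}


if __name__ == "__main__":
    print(summarize(SCAN_RESULTS))
```

On the thread's own data this gives 12 signature hits out of 24 scanners, one heuristic-only alert (Panda) and 11 misses, with the hits splitting into eight "dialer" names, two "SillyDl" and two "downloader"; that is the "one sample, many names" picture, and the family tokens are what to search vendor descriptions for.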
