New Virus?



Eugene Taylor
07-09-2005, 11:50 PM
I have been infected with a couple of programs called rnaapp2.exe and
noadsense.exe I cannot find anything on google about them. The load into
registry and run at startup. I have had a devil of a time getting rid of
them. I finally found that they add a task to task scheduler to run about
every hour or so. I also installed zonealarm and caught it going to the
following ip address 70.80.195.77:6667 I am running norton anti virus
corporate edition, and microsoft antispyware. I finally had to run hijack
this and manually edit the registry. I have copies of the executables if
anyone wants to analyze.

David H. Lipman
07-09-2005, 11:50 PM
From: "Eugene Taylor" <ewtaylor2001@fake.com>

| I have been infected with a couple of programs called rnaapp2.exe and
| noadsense.exe I cannot find anything on google about them. The load into
| registry and run at startup. I have had a devil of a time getting rid of
| them. I finally found that they add a task to task scheduler to run about
| every hour or so. I also installed zonealarm and caught it going to the
| following ip address 70.80.195.77:6667 I am running norton anti virus
| corporate edition, and microsoft antispyware. I finally had to run hijack
| this and manually edit the registry. I have copies of the executables if
| anyone wants to analyze.
|

I will accept both for analysis.

Please send them both in a password protected ZIP file.
Please include the password you used to zip them with.

Results will be posted back into this thread.

Just remove ~nospam~ from the posted email address or David_H_Lipman~nospam~@Yahoo.Com

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Eugene Taylor
07-09-2005, 11:50 PM
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:OQCIqHkgFHA.2444@tk2msftngp13.phx.gbl...
> From: "Eugene Taylor" <ewtaylor2001@fake.com>
>
> | I have been infected with a couple of programs called rnaapp2.exe and
> | noadsense.exe I cannot find anything on google about them. The load into
> | registry and run at startup. I have had a devil of a time getting rid of
> | them. I finally found that they add a task to task scheduler to run
about
> | every hour or so. I also installed zonealarm and caught it going to the
> | following ip address 70.80.195.77:6667 I am running norton anti virus
> | corporate edition, and microsoft antispyware. I finally had to run
hijack
> | this and manually edit the registry. I have copies of the executables if
> | anyone wants to analyze.
> |
>
> I will accept both for analysis.
>
> Please send them both in a password protected ZIP file.
> Please include the password you used to zip them with.
>
> Results will be posted back into this thread.
>
> Just remove ~nospam~ from the posted email address or
David_H_Lipman~nospam~@Yahoo.Com
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>

Thanks they are on the way!

David H. Lipman
07-09-2005, 11:50 PM
From: "Eugene Taylor" <ewtaylor2001@fake.com>

| Thanks they are on the way!
|
"noadsense.exe"

AntiVir 6.31.0.7 07.06.2005 no virus found
AVG 718 07.04.2005 no virus found
Avira 6.31.0.7 07.06.2005 no virus found
BitDefender 7.0 07.06.2005 Backdoor.SDBot.32E72B11
ClamAV devel-20050501 07.06.2005 no virus found
DrWeb 4.32b 07.06.2005 no virus found
eTrust-Iris 7.1.194.0 07.05.2005 Win32/SdBot.47283!Worm
eTrust-Vet 11.9.1.0 07.06.2005 Win32.Slinbot.AIM
Fortinet 2.36.0.0 07.06.2005 suspicious
Ikarus 2.32 07.06.2005 Backdoor.Win32.Ciadoor.N
Kaspersky 4.0.2.24 07.06.2005 Backdoor.Win32.SdBot.gen
McAfee 4529 07.06.2005 no virus found
NOD32v2 1.1161 07.04.2005 a variant of IRC/SdBot
Norman 5.70.10 07.05.2005 W32/Suspicious_M.gen
Panda 8.02.00 07.06.2005 W32/Gaobot.gen.worm
Sophos SAVCLI32 3.94.0 W32/Sdbot-Fam
Sybari 7.5.1314 07.06.2005 Backdoor.Win32.SdBot.gen
Symantec 8.0 07.05.2005 no virus found
Trend Sysclean PF 717 WORM_SDBOT.GEN
TheHacker 5.8.2.066 07.05.2005 no virus found
VBA32 3.10.4 07.06.2005 no virus found

"rnaapp2.exe"

AntiVir 6.31.0.7 07.06.2005 no virus found
AVG 718 07.04.2005 BackDoor.G-Spot.F
Avira 6.31.0.7 07.06.2005 no virus found
BitDefender 7.0 07.06.2005 Backdoor.G.Spot.2.0
ClamAV devel-20050501 07.06.2005 no virus found
DrWeb 4.32b 07.06.2005 no virus found
eTrust-Iris 7.1.194.0 07.05.2005 no virus found
eTrust-Vet 11.9.1.0 07.06.2005 no virus found
Fortinet 2.36.0.0 07.06.2005 suspicious
Ikarus 2.32 07.06.2005 IM-Worm.Win32.Sumom.C
Kaspersky 4.0.2.24 07.06.2005 Backdoor.Win32.G_Spot.20
McAfee 4529 07.06.2005 no virus found
NOD32v2 1.1161 07.04.2005 Win32/G_Spot.20
Norman 5.70.10 07.05.2005 W32/Suspicious_M.gen
Panda 8.02.00 07.06.2005 no virus found
Sophos SAVCLI32 3.94.0 Troj/Bdoor-AAG
Sybari 7.5.1314 07.06.2005 Backdoor.Win32.G_Spot.20
Symantec 8.0 07.05.2005 no virus found
Trend Sysclean PF 717 no virus found
TheHacker 5.8.2.066 07.05.2005 no virus found
VBA32 3.10.4 07.06.2005 no virus found

Both files were submitted to McAfee/AVERT
rnaapp2.exe was submitted to Trend Micro

Most of this report was obtained via submission to Virus Total
http://www.virustotal.com/flash/index_en.html

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Eugene Taylor
07-09-2005, 11:50 PM
Thanks, scary I was relying on a single anti-virus program
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:O1pHdqkgFHA.2644@TK2MSFTNGP09.phx.gbl...
> From: "Eugene Taylor" <ewtaylor2001@fake.com>
>
> | Thanks they are on the way!
> |
> "noadsense.exe"
>
> AntiVir 6.31.0.7 07.06.2005 no virus found
> AVG 718 07.04.2005 no virus found
> Avira 6.31.0.7 07.06.2005 no virus found
> BitDefender 7.0 07.06.2005 Backdoor.SDBot.32E72B11
> ClamAV devel-20050501 07.06.2005 no virus found
> DrWeb 4.32b 07.06.2005 no virus found
> eTrust-Iris 7.1.194.0 07.05.2005 Win32/SdBot.47283!Worm
> eTrust-Vet 11.9.1.0 07.06.2005 Win32.Slinbot.AIM
> Fortinet 2.36.0.0 07.06.2005 suspicious
> Ikarus 2.32 07.06.2005 Backdoor.Win32.Ciadoor.N
> Kaspersky 4.0.2.24 07.06.2005 Backdoor.Win32.SdBot.gen
> McAfee 4529 07.06.2005 no virus found
> NOD32v2 1.1161 07.04.2005 a variant of IRC/SdBot
> Norman 5.70.10 07.05.2005 W32/Suspicious_M.gen
> Panda 8.02.00 07.06.2005 W32/Gaobot.gen.worm
> Sophos SAVCLI32 3.94.0 W32/Sdbot-Fam
> Sybari 7.5.1314 07.06.2005 Backdoor.Win32.SdBot.gen
> Symantec 8.0 07.05.2005 no virus found
> Trend Sysclean PF 717 WORM_SDBOT.GEN
> TheHacker 5.8.2.066 07.05.2005 no virus found
> VBA32 3.10.4 07.06.2005 no virus found
>
> "rnaapp2.exe"
>
> AntiVir 6.31.0.7 07.06.2005 no virus found
> AVG 718 07.04.2005 BackDoor.G-Spot.F
> Avira 6.31.0.7 07.06.2005 no virus found
> BitDefender 7.0 07.06.2005 Backdoor.G.Spot.2.0
> ClamAV devel-20050501 07.06.2005 no virus found
> DrWeb 4.32b 07.06.2005 no virus found
> eTrust-Iris 7.1.194.0 07.05.2005 no virus found
> eTrust-Vet 11.9.1.0 07.06.2005 no virus found
> Fortinet 2.36.0.0 07.06.2005 suspicious
> Ikarus 2.32 07.06.2005 IM-Worm.Win32.Sumom.C
> Kaspersky 4.0.2.24 07.06.2005 Backdoor.Win32.G_Spot.20
> McAfee 4529 07.06.2005 no virus found
> NOD32v2 1.1161 07.04.2005 Win32/G_Spot.20
> Norman 5.70.10 07.05.2005 W32/Suspicious_M.gen
> Panda 8.02.00 07.06.2005 no virus found
> Sophos SAVCLI32 3.94.0 Troj/Bdoor-AAG
> Sybari 7.5.1314 07.06.2005 Backdoor.Win32.G_Spot.20
> Symantec 8.0 07.05.2005 no virus found
> Trend Sysclean PF 717 no virus found
> TheHacker 5.8.2.066 07.05.2005 no virus found
> VBA32 3.10.4 07.06.2005 no virus found
>
> Both files were submitted to McAfee/AVERT
> rnaapp2.exe was submitted to Trend Micro
>
> Most of this report was obtained via submission to Virus Total
> http://www.virustotal.com/flash/index_en.html
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>

David H. Lipman
07-09-2005, 11:50 PM
From: "Eugene Taylor" <ewtaylor2001@fake.com>

| Thanks, scary I was relying on a single anti-virus program


Sophos caught both.

You can use my Multi AC Command Line Scanner tool front end to scan your computer.

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
(.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using up to 3 different Anti Virus Command Line Scanners to remove
viruses and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendorís web site.
The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE and/or FTP.EXE to go
through your FireWall to allow them to download the needed AV vendor related files.

* * * Please report back your results * * *



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Max Wachtel
07-09-2005, 11:50 PM
Eugene Taylor wrote:
> I have been infected with a couple of programs called rnaapp2.exe and
> noadsense.exe I cannot find anything on google about them. The load into
> registry and run at startup. I have had a devil of a time getting rid of
> them. I finally found that they add a task to task scheduler to run about
> every hour or so. I also installed zonealarm and caught it going to the
> following ip address 70.80.195.77:6667 I am running norton anti virus
> corporate edition, and microsoft antispyware. I finally had to run hijack
> this and manually edit the registry. I have copies of the executables if
> anyone wants to analyze.
>
>
You should add some other spyware scanners to your arsenal.
Spybot S+D,AdAware and SpywareBlaster to start with.
I have written some pages to help you.
http://home.neo.rr.com/manna4u/keepingclean.html
-max
--
Virus Removal Instructions: http://home.neo.rr.com/manna4u/
Change nomail.afraid.org to yahoo.com to reply.
Registered Linux User #393236

David H. Lipman
07-09-2005, 11:50 PM
From: "Eugene Taylor" <ewtaylor2001@fake.com>

UPDATED INFO:

My contact at Trend Micro has identified rnaapp2.exe as being "BKDR_GSPOT.E"

McAfee/AVERT identified the two; noadsense.exe as "W32/Sdbot.worm.gen.by" and
rnaapp2.exe as "Generic BackDoor.bc".

Both Trend and Mcafee will have signatures released in their next updates.

The following can be used to create an EXTRA.DAT file for McAfee.
Copy the data between the dashes ("---------------") but not including them and
paste the below into a file called EXTRA.DAT.
Using the find/search utility on your computer search for the following file:
SCAN.DAT
Then copy the EXTRA.DAT to the same folder where SCAN.DAT was found.

EXTRA.DAT
---------------

256 178 156 179 77 51 218 128 63 28 222 215 111 92 249 157
122 92 255 222 49 150 138 37 104 127 130 188 2 105 40 182
65 60 130 188 87 150 132 168 2 60 130 188 35 72 133 187
121 204 140 199 189 49 141 163 232 35 230 15 86 147 65 95
143 186 132 33 24 79 247 201 90 122 128 49 6 53 234 214
99 29 239 202 13 51 140 179 25 204 140 222 67 204 22 19
148 164 141 179 12 164 141 179 13 127 140 179 20 51 154 179
94 92 235 199 122 82 255 214 81 126 228 208 127 92 254 220
107 71 209 252 65 118 141 247 13 51 141 179 78 99 141 218
13 76 140 179 12 22 12 204 14 51 140 150 140 76 143 179
12 22 12 204 9 51 140 150 140 76 143 179 140 76 140 179
140 76 141 179 140 76 142 179 12 22 12 204 13 51 140 150
140 76 136 179 12 22 12 204 15 51 140 150 140 76 143 179
12 20 12 204 12 51 140 150 140 76 141 179 140 76 140 179
140 76 141 179 6 50 141 179 141 4 141 179 17 63 141 193
5 51 141 179 13 47 141 179 127 178 242 126 15 52 141 253
10
16162 256 13045 515 W32/Sdbot.worm

97 178 155 178 77 51 202 214 99 86 255 218 110 19 207 210
110 88 201 220 98 65 163 209 110 15 40 180 155 86 193 188
2 60 215 22 8 127 130 188 2 105 40 186 22 60 130 188
2 29 246 187 5 71 114 178 121 131 143 179 29 214 157 218
231 219 37 86 47 112 133 174 34 71 53 222 188 248 254 190
143 54 141 179 13 50 141 167 242 50 224 253 192 49 138 179
67 52
7381 256 13045 515 Generic BackDoor.bc

---------------

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Sandy Mann
07-09-2005, 11:50 PM
David,

Is that McAfee any version, or just McAfee Professional?

May I take this opportunity to thank you for going to so much trouble.

--

Sandy
sandymann@mailinator.com
Replace@mailinator with @tiscali.co.uk


"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:eo$VLNmgFHA.2852@TK2MSFTNGP15.phx.gbl...
> From: "Eugene Taylor" <ewtaylor2001@fake.com>
>
> UPDATED INFO:
>
> My contact at Trend Micro has identified rnaapp2.exe as being
"BKDR_GSPOT.E"
>
> McAfee/AVERT identified the two; noadsense.exe as "W32/Sdbot.worm.gen.by"
and
> rnaapp2.exe as "Generic BackDoor.bc".
>
> Both Trend and Mcafee will have signatures released in their next updates.
>
> The following can be used to create an EXTRA.DAT file for McAfee.
> Copy the data between the dashes ("---------------") but not including
them and
> paste the below into a file called EXTRA.DAT.
> Using the find/search utility on your computer search for the following
file:
> SCAN.DAT
> Then copy the EXTRA.DAT to the same folder where SCAN.DAT was found.
>
> EXTRA.DAT
> ---------------
>
> 256 178 156 179 77 51 218 128 63 28 222 215 111 92 249 157
> 122 92 255 222 49 150 138 37 104 127 130 188 2 105 40 182
> 65 60 130 188 87 150 132 168 2 60 130 188 35 72 133 187
> 121 204 140 199 189 49 141 163 232 35 230 15 86 147 65 95
> 143 186 132 33 24 79 247 201 90 122 128 49 6 53 234 214
> 99 29 239 202 13 51 140 179 25 204 140 222 67 204 22 19
> 148 164 141 179 12 164 141 179 13 127 140 179 20 51 154 179
> 94 92 235 199 122 82 255 214 81 126 228 208 127 92 254 220
> 107 71 209 252 65 118 141 247 13 51 141 179 78 99 141 218
> 13 76 140 179 12 22 12 204 14 51 140 150 140 76 143 179
> 12 22 12 204 9 51 140 150 140 76 143 179 140 76 140 179
> 140 76 141 179 140 76 142 179 12 22 12 204 13 51 140 150
> 140 76 136 179 12 22 12 204 15 51 140 150 140 76 143 179
> 12 20 12 204 12 51 140 150 140 76 141 179 140 76 140 179
> 140 76 141 179 6 50 141 179 141 4 141 179 17 63 141 193
> 5 51 141 179 13 47 141 179 127 178 242 126 15 52 141 253
> 10
> 16162 256 13045 515 W32/Sdbot.worm
>
> 97 178 155 178 77 51 202 214 99 86 255 218 110 19 207 210
> 110 88 201 220 98 65 163 209 110 15 40 180 155 86 193 188
> 2 60 215 22 8 127 130 188 2 105 40 186 22 60 130 188
> 2 29 246 187 5 71 114 178 121 131 143 179 29 214 157 218
> 231 219 37 86 47 112 133 174 34 71 53 222 188 248 254 190
> 143 54 141 179 13 50 141 167 242 50 224 253 192 49 138 179
> 67 52
> 7381 256 13045 515 Generic BackDoor.bc
>
> ---------------
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>

David H. Lipman
07-09-2005, 11:50 PM
From: "Sandy Mann" <sandymann2@mailinator.com>

| David,
|
| Is that McAfee any version, or just McAfee Professional?
|
| May I take this opportunity to thank you for going to so much trouble.
|
| --
|
| Sandy
| sandymann@mailinator.com
| Replace@mailinator with @tiscali.co.uk

Sandy:

*ANY* version of McAfee AV software, Retail or Enterprise.

It was no problem nor trouble. I get the educational benefit in the process and I get to
help others while doing so.

It is my pleasure.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Eugene Taylor
07-09-2005, 11:50 PM
"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:eo$VLNmgFHA.2852@TK2MSFTNGP15.phx.gbl...
> From: "Eugene Taylor" <ewtaylor2001@fake.com>
>
> UPDATED INFO:
>
> My contact at Trend Micro has identified rnaapp2.exe as being
"BKDR_GSPOT.E"
>
> McAfee/AVERT identified the two; noadsense.exe as "W32/Sdbot.worm.gen.by"
and
> rnaapp2.exe as "Generic BackDoor.bc".
>
> Both Trend and Mcafee will have signatures released in their next updates.
>
> The following can be used to create an EXTRA.DAT file for McAfee.
> Copy the data between the dashes ("---------------") but not including
them and
> paste the below into a file called EXTRA.DAT.
> Using the find/search utility on your computer search for the following
file:
> SCAN.DAT
> Then copy the EXTRA.DAT to the same folder where SCAN.DAT was found.
>
> EXTRA.DAT
> ---------------
>
> 256 178 156 179 77 51 218 128 63 28 222 215 111 92 249 157
> 122 92 255 222 49 150 138 37 104 127 130 188 2 105 40 182
> 65 60 130 188 87 150 132 168 2 60 130 188 35 72 133 187
> 121 204 140 199 189 49 141 163 232 35 230 15 86 147 65 95
> 143 186 132 33 24 79 247 201 90 122 128 49 6 53 234 214
> 99 29 239 202 13 51 140 179 25 204 140 222 67 204 22 19
> 148 164 141 179 12 164 141 179 13 127 140 179 20 51 154 179
> 94 92 235 199 122 82 255 214 81 126 228 208 127 92 254 220
> 107 71 209 252 65 118 141 247 13 51 141 179 78 99 141 218
> 13 76 140 179 12 22 12 204 14 51 140 150 140 76 143 179
> 12 22 12 204 9 51 140 150 140 76 143 179 140 76 140 179
> 140 76 141 179 140 76 142 179 12 22 12 204 13 51 140 150
> 140 76 136 179 12 22 12 204 15 51 140 150 140 76 143 179
> 12 20 12 204 12 51 140 150 140 76 141 179 140 76 140 179
> 140 76 141 179 6 50 141 179 141 4 141 179 17 63 141 193
> 5 51 141 179 13 47 141 179 127 178 242 126 15 52 141 253
> 10
> 16162 256 13045 515 W32/Sdbot.worm
>
> 97 178 155 178 77 51 202 214 99 86 255 218 110 19 207 210
> 110 88 201 220 98 65 163 209 110 15 40 180 155 86 193 188
> 2 60 215 22 8 127 130 188 2 105 40 186 22 60 130 188
> 2 29 246 187 5 71 114 178 121 131 143 179 29 214 157 218
> 231 219 37 86 47 112 133 174 34 71 53 222 188 248 254 190
> 143 54 141 179 13 50 141 167 242 50 224 253 192 49 138 179
> 67 52
> 7381 256 13045 515 Generic BackDoor.bc
>
> ---------------
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>

Thanks David,
I ended up using Grisoft AVG, and TrendMicro Sysclean I have both of these
on my emergency cd/thumbdrive. I also have adaware, spybot, microsoft
antispyware, hijackthis, cwshredder. This one sure was a toughie, I noticed
today that my symantec corporate edition started picking up the
noadsense.exe as a virus but could not delete, or quarrantine it yet. On a
side note I want to remind people that us roaming profiles that they need to
be checked also. I thought I was finished last night, and when I came in the
virii were back. I saw that they had come from the roaming profiles, so I
had to scan the server also.

David H. Lipman
07-09-2005, 11:50 PM
From: "Eugene Taylor" <ewtaylor2001@fake.com>


| Thanks David,
| I ended up using Grisoft AVG, and TrendMicro Sysclean I have both of these
| on my emergency cd/thumbdrive. I also have adaware, spybot, microsoft
| antispyware, hijackthis, cwshredder. This one sure was a toughie, I noticed
| today that my symantec corporate edition started picking up the
| noadsense.exe as a virus but could not delete, or quarrantine it yet. On a
| side note I want to remind people that us roaming profiles that they need to
| be checked also. I thought I was finished last night, and when I came in the
| virii were back. I saw that they had come from the roaming profiles, so I
| had to scan the server also.
|

One final note Eugene.

In the context of viruses, there is no such terminology as 'viri' or 'virii'. The plural of
virus is viruses.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


New Virus?