Self-Executing Search-Term Virus on Gnutella
B.I.S.S. Forums > Malware Research Forum > Malware IP Research Section
The Netweasel
Dear friends,

This is a re-post and update of something I originally put in my AP-Tracking-Net thread. Kimberly kindly informed me that this sort of thing normally goes here (I'm still learning my way around).

I ran across a virus on the Gnutella networks using Shareaza that I haven't seen before, and it's especially nasty.

I downloaded a bogus search-term fake file in order to scan it for infections, but a scan wasn't necessary: The moment it finished downloading, its virus load executed, causing AntiVir to pop up a warning message right in front of Shareaza's window. AntiVir identified the virus as "DR/Agent.Delf.OJ dropper" and although the Avira web site listed the infection, I found no details.

The file appears as a 226, 228, 336, or 337 kB .exe with my search terms plus "KeyGen." Usually only one "hit" for this file appears in the search window, but it may download from several sources. I haven't seen it on eDonkey.

I don't know if this is news to you. I searched the forums various ways and didn't find anything that really matched.

Attached is a list of the IPs I've found hosting the file so far. I am splitting these off from my fake-file IP lists on the other thread because of the elevated nature of the threat, and will continue to post those IPs here.


[Well, the attach-file function doesn't seem to be working for me just now, so I'll have to send that later when it starts working again. It's been on-again off-again lately. What's up with that?]
Kimberly
Strange, attachments should work fine in text (txt) format. Browse to the file on your computer, hit the "Add Attachment" button, wait for the page to reload, then submit your post. Let us know if you have further problems, The Netweasel.

Aside from that, p2p worms have been running on the networks for ages. Usually the user isn't even aware he's distributing the file. He might have been hit on a website; the downloader just looks for p2p apps and duplicates itself in the upload folder under different names (keygen, movies, games). IPs are often useless to block, they are simply average-joe infected users.

If, without infecting yourself, you can lay your hands on one of those executables, you may always upload it to my chan here. I'll have a peek at it and see if IPs need to be blocked or not.
The Netweasel
Thanks, Kimberly.

I tried to attach the list again just now and it still didn't work. Sometimes it does, sometimes not. I find that I can get it to work if I just keep trying every few hours. The .txt file doesn't change -- the board does, somehow (?) -- during the intervening period.

I may be able to send you a copy of the infected file. I think AntiVir has a way to do so without turning it into encrypted gibberish in the process. I'll give it a go.

The Netweasel
Kimberly,

Sometimes I think I'm a genius. When you download a file using Shareaza, you have the option to rename it while it's downloading. I simply appended ".txt" to the end of the file name, and thus obtained a copy of the beastie that failed to automatically execute when the download was finished!

I have some new info for you as well. One of the reasons I couldn't obtain detailed information from Avira is that the viruses (plural) were only added to their detection files within the last eight days.

The one I'm going to try to send to the link you provided above contains TR/Delf.adw, added to AntiVir's definitions 16 December 2008. The one I first discovered contained DR/Agent.Delf.OJ, added 12 December.

This time frame corresponds perfectly with when I first started seeing the new bogus files and reported them.

If you want to look at what little Avira does say about them (basically just the addition date, and VDF file contents and version number), you can see them on this page and this one.

WARNING: If you strip my added .txt extension from the file when you get it, there's no telling what will happen! I shall also try to attach to this post a list of the IP numbers that sent me this one file. I also discovered, during this exercise, that this class of infection has now also appeared on the eDonkey network, although I failed to catch that URI.


Well, the attach didn't work so here it is "in the clear:"

Optus Internet autoexec virus:58.107.153.157-58.107.153.157
BellSouth.net autoexec virus:65.4.158.128-65.4.158.128
Cegetel/gaoland dyn pools autoexec virus:80.185.170.71-80.185.170.71
ProXad/Free SAS static ADSL autoexec virus:82.245.136.114-82.245.136.114
France Telecom/orange autoexec virus:193.248.71.159-193.248.71.159
Kimberly
QUOTE
WARNING: If you strip my added .txt extension from the file when you get it, there's no telling what will happen!
No worries for that, I manipulate & play with viruses every day. I'll peek at the file tomorrow, it's way late now.
Kimberly
Not a nice file. I'll add those 4 IPs to the spywarelist although some are prolly just infected users, but they will be blocked until they clean up their mess. The file does contact the IPs below to get an additional file. I'll get them added too and hope it will not affect the use of the program, but they need to be blocked.

If that did run on your PC, you should get it cleaned.

aniraws.com - 77.221.159.194
gwebcache.spearforensics.com - 67.19.83.21
figgn.net - 67.205.46.160
gweb2.4octets.co.uk - 78.105.113.36
gwc.pantheraproject.net - 174.132.114.45
grantgalitz.com - 174.132.114.252
gofoxy.net - 75.126.71.42 - 75.126.71.43 - 75.126.199.206 - 75.126.248.194
gwc.chickenkiller.com - 91.121.104.146
gnutelladev2.udp-host-cache.com - 67.202.39.192
gwc.ak-electron.eu - 92.51.131.180

File enormi-flatus-KEYGEN_1_.exe received on 12.21.2008 15:31:03 (CET)

Antivirus / Version / Last Update / Result
AhnLab-V3 2008.12.19.3 2008.12.21 -
AntiVir 7.9.0.45 2008.12.19 TR/Clicker.FH
Authentium 5.1.0.4 2008.12.21 -
Avast 4.8.1281.0 2008.12.20 -
AVG 8.0.0.199 2008.12.20 Agent.APEL
BitDefender 7.2 2008.12.21 Trojan.Agent.11348
CAT-QuickHeal 10.00 2008.12.20 -
ClamAV 0.94.1 2008.12.20 -
Comodo 783 2008.12.20 -
DrWeb 4.44.0.09170 2008.12.21 -
eSafe 7.0.17.0 2008.12.18 -
eTrust-Vet 31.6.6271 2008.12.20 -
Ewido 4.0 2008.12.21 -
F-Prot 4.4.4.56 2008.12.21 -
F-Secure 8.0.14332.0 2008.12.21 Trojan-Downloader:W32/Agent.IER
Fortinet 3.117.0.0 2008.12.21 PossibleThreat
GData 19 2008.12.21 Trojan.Agent.11348
Ikarus T3.1.1.45.0 2008.12.21 BehavesLike.Trojan.WinlogonHook
K7AntiVirus 7.10.560 2008.12.20 Trojan.Win32.Malware.1
Kaspersky 7.0.0.125 2008.12.21 Trojan.Win32.Agent.avuo
McAfee 5470 2008.12.20 Generic.dx
McAfee+Artemis 5470 2008.12.20 Generic.dx
Microsoft 1.4205 2008.12.21 -
NOD32 3709 2008.12.20 Win32/Delf.NTT
Norman 5.80.02 2008.12.19 W32/Malware.EQJS
Panda 9.0.0.4 2008.12.21 Suspicious file
PCTools 4.4.2.0 2008.12.21 -
Prevx1 V2 2008.12.21 Malicious Software
Rising 21.08.62.00 2008.12.21 -
SecureWeb-Gateway 6.7.6 2008.12.19 Trojan.Delf.adw
Sophos 4.37.0 2008.12.21 Mal/Behav-304
Sunbelt 3.2.1801.2 2008.12.11 -
Symantec 10 2008.12.21 -
TheHacker 6.3.1.4.195 2008.12.20 -
TrendMicro 8.700.0.1004 2008.12.19 -
VBA32 3.12.8.10 2008.12.21 Win32.Delf.NTT
ViRobot 2008.12.20.1528 2008.12.21 -
VirusBuster 4.5.11.0 2008.12.20 -

Additional information
File size: 344064 bytes
MD5...: 1aa83b9ad05f6f64159ea2159bccdc8d
SHA1..: f69808d78536e7a5dee6a5b1bd3d3dc5ebfc06ea
SHA256: 39e45ef745bbaaa52d9808c87cfe883a51908f7a26687332f761a38f34a537cc

http://info.prevx.com/aboutprogramtext.asp...6F67700663D2929
http://www.threatexpert.com/report.aspx?md...59ea2159bccdc8d
The Netweasel
Thanks for the info, Kimberly. I notice a lot of blank spaces in your list of equivalents/synonyms. Whoever is propagating this stuff seems to still be at it -- I'm seeing new file sizes appearing almost daily for what are clearly similar infections. First I found one trojan, then there was a different one, and now maybe more.

It did run on my machine, on December 13, prior to Avira including it in their updates. I did a complete system scan last night, which deleted the infected files, and the links you provided helped me delete the Windows Registry entry and the leftover detritus (I hope) on my hard drive.

Thank you for your help!

Kimberly
QUOTE
I notice a lot of blank spaces in your list of equivalents/synonyms
Not sure I understand what you mean. I didn't post the IPs in a usable format, just a simple resolving name/IP one.

There have always been p2p worms and this isn't bound to stop. One sees the same files in driveby infections or in files downloaded from crack / warez sites. The p2p is just another infection vector in order to touch a maximum of people.

Avira or another AV not having the files in its detections is not something extraordinary; most infected files are often (if not daily) rebuilt by their creators to evade detection by AV solutions.

Check out the TE report for registry keys and files. The downloaded file is an updated copy of itself and should be the file in red below - might be a random name though.

%Windir%\$NtUninstallKB950762-v3$\data.bin
%System%\api.dat
%System%\api32.dll
%System%\updatenf.dll

In HijackThis you should see the O20 line referring to the updatenf.dll; that needs fixing too.
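The dropped-file paths and the O20 Winlogon Notify hook above are the kind of thing worth checking programmatically rather than by eye. The following script is an added example (not a tool from this thread or from HijackThis): it expands the %Windir%/%System% placeholders from the post, reports which of the listed files exist, and, on Windows, enumerates HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify (the key HijackThis summarises as O20 lines) for any entry whose DllName points at updatenf.dll. The registry location is the standard Winlogon Notify key; everything else is taken from the post.

```python
"""Check a host for the dropped files and the Winlogon Notify hook named in
the post above. Added example, not the forum's own tool. Paths come from
the post; the registry key is the standard Winlogon Notify location that
HijackThis reports as O20 entries."""
import ntpath
import os

# Paths quoted in the post; placeholders are expanded at run time.
DROPPED_FILES = [
    r"%Windir%\$NtUninstallKB950762-v3$\data.bin",
    r"%System%\api.dat",
    r"%System%\api32.dll",
    r"%System%\updatenf.dll",
]

# Winlogon Notify DLLs are loaded into winlogon.exe at logon (HijackThis O20).
NOTIFY_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
SUSPECT_DLL = "updatenf.dll"


def expand_ioc_paths(windir, system, paths=DROPPED_FILES):
    """Replace %Windir% and %System% with concrete directories."""
    return [p.replace("%Windir%", windir).replace("%System%", system)
            for p in paths]


def present_files(windir, system, exists=os.path.exists):
    """Return the dropped-file paths that actually exist on this host.
    `exists` is injectable so the logic can be exercised without the files."""
    return [p for p in expand_ioc_paths(windir, system) if exists(p)]


def suspicious_notify_entries(entries, suspect=SUSPECT_DLL):
    """Given (subkey_name, DllName) pairs read from Winlogon\\Notify, return
    those whose DllName basename matches the suspect DLL (case-insensitive).
    ntpath is used so backslash paths parse correctly on any OS."""
    hits = []
    for subkey, dll in entries:
        if dll and ntpath.basename(dll).lower() == suspect.lower():
            hits.append((subkey, dll))
    return hits


def read_notify_entries():
    """Enumerate HKLM\\...\\Winlogon\\Notify on Windows; [] elsewhere or if
    the key is absent (newer Windows versions no longer create it)."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    try:
        key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, NOTIFY_KEY)
    except OSError:
        return []
    with key:
        i = 0
        while True:
            try:
                name = winreg.EnumKey(key, i)
            except OSError:
                break
            i += 1
            try:
                with winreg.OpenKey(key, name) as sub:
                    dll, _ = winreg.QueryValueEx(sub, "DllName")
            except OSError:
                dll = None
            entries.append((name, dll))
    return entries


if __name__ == "__main__":
    windir = os.environ.get("WINDIR", r"C:\Windows")
    system = os.path.join(windir, "system32")
    for path in present_files(windir, system):
        print("dropped file present:", path)
    for subkey, dll in suspicious_notify_entries(read_notify_entries()):
        print("O20 Winlogon Notify hook:", subkey, "->", dll)
```

Run it as an administrator so the %Windir% subfolder and the HKLM key are readable; a hit on updatenf.dll in Notify means the DLL is still being loaded at every logon, which is why Kimberly warns that a reboot during cleanup can re-infect the machine.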
The Netweasel
We seem to be working at cross purposes simultaneously. I just updated my post to reflect what really happened (it wasn't, for example, in a system-restore backup). I am working the problem at this very moment ... maybe I should have followed your links before posting.

The list I'm referring to is the one that lists all the various antivirus programs and each company's name for the infection, e.g., McAfee calls it "Generic.dx." I was just noticing that a lot of them didn't show anything.
Kimberly
QUOTE
We seem to be working at cross purposes simultaneously. I just updated my post to reflect what really happened (it wasn't, for example, in a system-restore backup). I am working the problem at this very moment ... maybe I should have followed your links before posting.
No worries.

QUOTE
The list I'm referring to is the one that lists all the various antivirus programs and each company's name for the infection, e.g., McAfee calls it "Generic.dx." I was just noticing that a lot of them didn't show anything.
Ah ok, that's the scan result from virustotal. It has improved as the scan from 4 days ago did show less antivirus products detecting the file. I always re-scan them if the last scan report is over 1 day / 2 days old.
The Netweasel
Kimberly,

Okay, I think I have everything sorted out now. Sorry about any confusion I may have caused. I knew before going to bed last night that AntiVir had eradicated the infected files from my computer, and simply wanted to let you know after reading your post this morning that I had been infected and offer a few details. Then I followed the links you provided, checked out my hard drive and discovered that some of my details were wrong.

My post being only a few minutes old, I thought I could do a quick edit and correct my mistakes, but you'd already seen it. Now I'm embarrassed. I won't do that again.

Anyway, I went through the list of files, folders and registry keys and all the junk listed is gone from my machine now. The folder you highlighted in red was present but empty, since AntiVir deleted the file last night during my system scan.

Thanks again for your help and patience. I got a bit nervous after following your links and discovering that the clean-up wasn't finished after all.

Kimberly
QUOTE
My post being only a few minutes old, I thought I could do a quick edit and correct my mistakes, but you'd already seen it. Now I'm embarrassed. I won't do that again.
Don't feel embarrassed lol.
When malware related and I know or suspect a user is / has been infected, I get back asap when I get an email notification. Timing is often very important, even during cleanup, a reboot can re-infect someone.

Good to know that the junk is gone from your PC.

Just a small suggestion if you don't mind. When playing with such stuff, you could either make sure you have a recent clean image of your computer or even use a Virtual Machine. You were lucky, some viruses may cause way more damage and are sometimes much more difficult to kill especially if rootkits are involved.
The Netweasel
Thanks. I am going to be more circumspect about downloading these things in future. If it had been anything but an .exe, it wouldn't have been a problem.



Here is a list of the other P2P numbers I found hosting these to date, not including the ones I posted above.
shanu
QUOTE (Kimberly @ Dec 22 2008, 01:30 AM)
Not a nice file. I'll add those 4 IP's to the spywarelist although some are prolly just infected users but they will be blocked until they clean up their mess. The file does contact the IP's below to get additional file. I'll get them added too and hope it will not affect the use of the program but they need to be blocked.

If that did run on your PC, you should get it cleaned.

aniraws.com - 77.221.159.194
gwebcache.spearforensics.com - 67.19.83.21
figgn.net - 67.205.46.160
gweb2.4octets.co.uk - 78.105.113.36
gwc.pantheraproject.net - 174.132.114.45
grantgalitz.com - 174.132.114.252
gofoxy.net - 75.126.71.42 - 75.126.71.43 - 75.126.199.206 - 75.126.248.194
gwc.chickenkiller.com - 91.121.104.146
gnutelladev2.udp-host-cache.com - 67.202.39.192
gwc.ak-electron.eu - 92.51.131.180


Hey Kim,

Just curious about the file/s this scumware gets from
gwc.pantheraproject.net, were they bad news also?

gwc.pantheraproject.net I think is the official Shareaza gwc (gwebcache), I know the Shareaza Forums & Wiki etc. are on pantheraproject.net.
I was thinking if that gwc is sending bad files somehow then I'd mention it to them.
The purpose of a gwc from what I can gather is only to output hosts to other clients on the network/s.
If the file/s just contain source/host info then it's probably normal behaviour by the gwc itself.

Sounds like the scumware's been modified to query gwc's after it's been run.
I'm not sure what it would be doing querying gwc's, probably looking for more IPs to infect I guess.

EDIT: the Shareaza Wiki page for GWC's - http://www.pantheraproject.net/wiki/index.php?title=GWC
I don't understand most of that page but I guess it makes it easy for scumware programmers to take advantage of it.
Kimberly
Shanu .. I've removed those gwc IPs. I hope the lists haven't been updated in the meantime or people are gonna yell lol.

QUOTE
Sounds like the scumware's been modified to query gwc's after it's been run.
I'm not sure what it would be doing querying gwc's, probably looking for more IP's to infect I guess
It gets the source list and once it has that, connection goes crazy. It's using the gwc in order to connect and spread itself through the network I think.

CODE
12/22/2008 1:52:40 AM,hxxp://gwc.mitigated.net/gwc.php?net=gnutella&get=1&client=limewire
12/22/2008 1:52:33 AM,hxxp://grantgalitz.com/Beacon/gwc.php?net=gnutella&get=1&client=limewire,
12/22/2008 1:52:20 AM,hxxp://aniraws.com/bootstrap/skulls.php?net=gnutella&get=1&client=limewire

Everything is encrypted and wireshark capture is huge. File patches svchost.exe in memory so that you think it is normal network activity and in order to bypass firewall.
shanu
Cool, thanks for the info.
Anti_Spyware
I'm rather curious how the file executed without being opened? Was it an exploit (software vulnerability) of the Gnutella software that it used to launch itself, buffer overflow or something like that? Or was Avira just pro-actively detecting it?
The Netweasel
Avira doesn't proactively scan files as they're being moved around, so the file had to be opened for AntiVir to issue a warning. I didn't open the file -- had no chance to, in fact, because it activated itself the instant the download completed.

How it managed this, I don't know. The first thing that comes to mind is that there must be a security flaw in Shareaza that someone has found a way to exploit. But I am not equipped to ascertain the precise mechanism by which the file delivered its bomb.

All the infected files I had found prior to this one were safe to download, scan for viruses, and then simply delete -- mp3s, mpgs, zip archives, and exes. So this one came as a nasty surprise, and I'm not going to be downloading any more exe files for testing purposes.
The Netweasel
I have another new virus development to report. It's new to me, anyway.

File-sharing self-executing virus files are no longer limited to executables (exe's). I obtained a zip file this morning that started itself the moment the download completed, just like the exe's that started this thread.

File size was 197 kb, and it was loaded with (Avira's ID) Worm/Rbot.174080. There are a couple of variants, but they're both keyloggers and steal personal information, among other things. They've been around the block a few times, appearing in 2006 and 2007, although this may be a new variety.

Viral behavior is not my area of expertise, but I think it's clear that Shareaza is the agent opening these files. I don't see how an archive could start itself. When a file finishes downloading, Raza creates a "hash" for it, meaning that Raza has to read the file, and I think this is likely where the program's security breaks down.

Here is a list of the users who participated in sending me this zip file (both Gnutella and eDonkey):

Telefonica de Espana ed2k autovirus zip:80.59.3.55-80.59.3.55
ProXad/Free SAS static ADSL Gnu autovirus zip:82.243.159.76-82.243.159.76
ProXad/Free SAS dynamic ADSL ed2k autovirus zip:82.253.41.30-82.253.41.30
telefonica.com.br Gnu autovirus zip:200.207.231.79-200.207.231.79
Netvision Ltd. (cable) ed2k autovirus zip:212.143.42.12-212.143.42.12

Additionally, here is a short list of users offering the "usual" self-starting virus exe's today:

Shaw Communications (cable) Gnu autovirus exe:24.77.206.25-24.77.206.25
UCOM Corp. Gnu autovirus exe:59.87.253.5-59.87.253.5
Neostrada Plus/TPNET Gnu autovirus exe:83.26.55.126-83.26.55.126
PPPoX Pool - se1.applwi Gnu autovirus exe:99.145.120.189-99.145.120.189

Good hunting!
shanu
Interesting, I wonder if it's the plugins being enabled causing that.
There's a 7-zip builder, also RAR & ZIP builders plugins enabled by default.

EDIT: I can remember previewing the contents of a partially downloaded .zip file (contained images)
a while ago so I guess it could be plugins or something making them run.
Kimberly
QUOTE
File-sharing self-executing virus files are no longer limited to executables (exe's). I obtained a zip file this morning that started itself the moment the download completed, just like the exe's that started this thread.
Keep in mind that some so called zip files are NOT zip files but executables. They are simply posing as zip content.

What do you search for in Shareaza to get these files? I might install it on a VM and see why these get run directly. Sounds like an interesting point to investigate.
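Kimberly's point that a "zip" from a P2P search may really be an executable, and The Netweasel's trick of appending ".txt" so the download is never treated as a program, both come down to the same rule: classify a downloaded file by its leading bytes, never by its name. The script below is an added example (not from this thread, Shareaza or any AV product): it sniffs the container type from the magic bytes, flags a mismatch between the claimed extension and the real content, and compares the file's hashes with the MD5/SHA1/SHA256 that VirusTotal recorded for enormi-flatus-KEYGEN_1_.exe earlier in the thread. The sample bytes in the block are constructed; the hashes are the ones quoted above.

```python
"""Triage a downloaded P2P file by content, not by extension. Added example,
not a tool from the thread. KNOWN_SAMPLE holds the VirusTotal hashes quoted
above; the sample byte strings at the bottom are constructed."""
import hashlib
import os

KNOWN_SAMPLE = {
    "md5": "1aa83b9ad05f6f64159ea2159bccdc8d",
    "sha1": "f69808d78536e7a5dee6a5b1bd3d3dc5ebfc06ea",
    "sha256": "39e45ef745bbaaa52d9808c87cfe883a51908f7a26687332f761a38f34a537cc",
}

# Leading-byte signatures for the container types that matter here.
MAGIC = [
    (b"MZ", "pe-executable"),      # DOS/PE header: what a real .exe starts with
    (b"PK\x03\x04", "zip"),        # ZIP local file header
    (b"Rar!\x1a\x07", "rar"),      # RAR archive signature
    (b"\x7fELF", "elf"),
]

# What each extension claims to be; anything not listed is "non-executable".
EXPECTED = {".exe": "pe-executable", ".scr": "pe-executable",
            ".com": "pe-executable", ".zip": "zip", ".rar": "rar"}


def sniff_type(data):
    """Identify the container from its first bytes; 'unknown' if none match."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    return "unknown"


def extension_mismatch(filename, data):
    """True when the name's last extension does not match the real content.
    A .zip holding an MZ header is the case Kimberly describes; a .txt (the
    renaming trick) or .mp3 holding any executable/archive header is also
    reported, since no non-executable extension should carry one."""
    ext = os.path.splitext(filename)[1].lower()
    kind = sniff_type(data)
    if ext in EXPECTED:
        return kind != EXPECTED[ext]
    return kind != "unknown"


def digests(data):
    """MD5, SHA1 and SHA256 of the buffer, as lowercase hex."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def matches_known_sample(data, known=KNOWN_SAMPLE):
    """True only when every recorded digest matches."""
    d = digests(data)
    return all(d[k] == v for k, v in known.items())


def triage(filename, data):
    """Summarise what a downloaded blob really is."""
    return {
        "claimed_ext": os.path.splitext(filename)[1].lower(),
        "actual_type": sniff_type(data),
        "extension_mismatch": extension_mismatch(filename, data),
        "size": len(data),
        "known_sample": matches_known_sample(data),
        "sha256": digests(data)["sha256"],
    }


def triage_file(path):
    with open(path, "rb") as fh:
        return triage(os.path.basename(path), fh.read())


if __name__ == "__main__":
    # Constructed samples: a bare PE header posing as an archive, and a
    # genuine-looking ZIP header under the right extension.
    fake_zip = b"MZ\x90\x00" + b"\x00" * 60
    real_zip = b"PK\x03\x04" + b"\x00" * 26
    print(triage("fryzto uqfas KeyGen.zip", fake_zip))
    print(triage("archive.zip", real_zip))
```

Use triage_file() on the downloaded (and ".txt"-renamed) file; if actual_type is "pe-executable" while the name says .zip, the "archive" was never an archive, and no extractor plugin was needed for it to run once something executed it.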
The Netweasel
My instinct is that it's Raza's automatic hash creation for the new library file that is causing the files to deploy their virus loads, since that's the first thing that happens when any new file hits the download folder. I mean, the infection executes so fast -- virtually instantaneously. I myself don't open the file (I know better than that!), so I think Raza must be the active software agent that unwittingly deploys it. If, as Kimberly points out, an executable is masquerading as an archive, then Raza's built-in archive software may have nothing to do with it. If the file is in fact an archive, then the opposite may be true.

Raza doesn't automatically create previews, does it? I don't preview these things, so I don't think that has any bearing in my case.

How I find these files involves knowing how they're promulgated and what to look for. They're apt to appear in almost any search for a legitimate file, but if you want to deliberately find lots of bogus files, it's easy in Shareaza:

1. Start a search for "any file type" (rather than specifically images, music, video or whatever).

2. Type nonsense words into the box for what to search for. An example might be, fryzto uqfas.

3. Right-click on the resulting search-results window, click on "Filter Results," and un-tick such things as "bogus files," "non-matching files," "DRM files," etc.

4. Watch the broad spectrum of fake files pour in, with your nonsensical search terms and added words as file names!

From this point you can download the files to see what malware they contain, or right-click on individual hosts to copy their URNs into a text file for later processing and reporting, as I do.

I'm not sanguine that the .zip file I downloaded is in fact an executable. It seems to me it would have to have an .exe extension. I'm not doubting your word, Kimberly (that would be exceeding great silliness on my part!), but if the software mechanism by which these files are executing in Shareaza is what I suspect, even a true archive could be made to dump its malware load ... and maybe shanu's thought about Raza's built-in archive extraction would have a bearing in such a case.

Would you like me to obtain a copy of the file and send it to you, Kimberly, as I did before, using the added .txt extension trick? No trouble at all, for me, if you think it would be useful.

And thanks, both of you, for the replies: They got me to thinking.
Kimberly
If no trouble and no risk for you getting infected (that's the most important for me), yes send me a copy please. I'll see directly if it's an exe or zip.
shanu
QUOTE
Raza doesn't automatically create previews, does it? I don't preview these things, so I don't think that has any bearing in my case.

Yes I think it does, I know it shares them by default, doing that I guess they're created by default also.
Sharing of previews can be turned off on the uploads tab in settings.
I guess disabling the relevant plugin/s would stop the preview creations though I'm not certain of that or even of what previews it creates by default.
I see you got a reply on the Raza forum, I'd say you should get a definite answer to those questions there.

That's pretty much how I look for new spammers etc. also.
Search for something random like rflrwtphjgeh, for any type of file with the search filtering disabled.
The Netweasel
I haven't been able to locate that zip file again, but I'll keep looking.

At the suggestion of someone in the Raza forum, I tried downloading a known infected 290 kb exe file with ALL Shareaza's plugins disabled (yes, I restarted the program after unticking them), but nothing changed. AntiVir still popped up a warning immediately the download completed.

At the risk of repeating myself, what has me so hot and bothered about all this is that AntiVir never did this before. I was able to download files, scan them for infections, delete them, and move on. Having AntiVir pop up a warning the instant a download completed was something I hadn't seen in several months of using Shareaza. This, combined with the fact that these infections were so new that I managed to catch one before they were identified by the antivirus companies gave me to believe I was onto something new and scary.

After working for a few days with the Raza crowd, though, I am starting to question my own credibility.
Kimberly
Wait hmm .... Antivir detecting the file immediately the download completed does not necessarily mean that the file actually runs.

Example:

When I download a virus uploaded to my malware channel, KIS does alert me too once the download completed that the file is infected (if detection for it) but it does not mean the file did actually run. Antivir has very high heuristic rates too, maybe the reason why you never got much alerts before.
The Netweasel
QUOTE (Kimberly @ Jan 8 2009, 11:41 AM)
Wait hmm .... Antivir detecting the file immediately the download completed does not necessarily mean that the file actually runs.

Example:

When I download a virus uploaded to my malware channel, KIS does alert me too once the download completed that the file is infected (if detection for it) but it does not mean the file did actually run. Antivir has very high heuristic rates too, maybe the reason why you never got much alerts before.

Could be. I have no way to tell from my end, without putting myself at additional risk. If the virus isn't actually deploying on download, then I am at a loss to understand how I contracted it -- and nearly a month away from the event, it's hard to piece my precise activities back together. It would have been out of character for me to deliberately open a suspicious file, but after all the discussion I'm prepped to believe anything.

It now sounds likely that I've committed an error by describing this virus as "auto-executing" via P2P. I don't think I have anything more to offer by way of evidence or speculation. From now on, I'll simply report IPs as hosting a virus, and drop the "auto" part of it.
Kimberly
QUOTE
It now sounds likely that I've committed an error by describing this virus as "auto-executing" via P2P.
No, at this point nothing can be confirmed. I really have to install this prog and test. I'll be able to see if it runs immediately after download. It is possible, a worm is meant to spread by itself.

Don't worry about it, don't put yourself at risk, I'll do some testing asap.
The Netweasel
I have a question. In fact, several questions.

I reported the new shift in AP-Tracking-Net's IP numbers many days ago, in the thread I started dealing with that specific subject, and even mentioned it in another thread as well. I waited several days for the blocklists to pick up my report and add the new range, but nothing happened. Someone else recently detected the same range, and now suddenly it is included in the blocklists.

I don't mean to cause a problem, but this makes me wonder whether my submissions are being taken seriously.

Here is another question:

If I manage to submit an attachment to one of my posts, in ProtoWall format, and after several weeks I see that the number of downloads is zero, does that mean that I have wasted my time? Or does it mean that none of the Bluetack members have downloaded it, but the Bluetack administration has? I suspect that if and when admin views my submissions, that fact doesn't show up in the "downloads" number. Please tell me how this works.

My best to all,
The Netweasel
Grant Galitz
Hello, I'm the operator / webmaster of grantgalitz.com.

I am aware of this virus/trojan spreading across Gnutella.
It seems to be hitting my GWebCache, as well as others. I have already blocked its pattern in my code, as I wrote Beacon Cache GWC myself. It's blocked by default now in all Beacon Cache II GwebCache scripts as of the 0.2.X series.

It seemed to definitely slam my cache with unnecessary traffic before I blocked it. There may be tens or hundreds of thousands of people infected by my quick estimation.

In short, a GwebCache is a bootstrap for peer-to-peer networks, and that trojan/virus seemed to call a query to it to grab hosts in GWC spec-2 format. I was able to block it, as LimeWire has a vendor code of 'LIME', not 'limewire'; the programmer of the virus/trojan made that folly, which made me able to block it from bootstrapping.

The trojan/virus now gets a nice little message: I|WARNING|Banned Vendor Code

Beacon Cache II project page: http://sourceforge.net/projects/beaconcache/
My own cache running: http://grantgalitz.com/Beacon/gwc.php
Grant Galitz
If you want my honest answer, if someone can attempt to email those cache operators to switch to Beacon Cache II, or specifically block the client vendor code 'limewire', then this stupid trojan might be knocked down a notch on spreading.
(ignore the beacon cache operators, as Beacon already blocks the trojan as of 0.2.X)
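What Grant describes (the worm bootstrapping through the caches with `client=limewire`, and a cache rejecting it with `I|WARNING|Banned Vendor Code` because real Gnutella vendor codes are four upper-case letters such as LIME) is easy to reproduce as a filter in front of any cache script. The block below is an added example, not Beacon Cache II's code and not any of the cache scripts named in the thread: it parses the `?net=...&get=1&client=...` query seen in Kimberly's capture, rejects anything that is not a four-letter vendor code or is on an explicit ban list, and otherwise answers with host lines. The host list is constructed, "ExampleCache" is a made-up name, and the `I|pong|...` and `H|ip:port|age` line shapes follow the GWC spec-2 convention as I recall it rather than anything the page states.

```python
"""Vendor-code filter for a GWebCache bootstrap endpoint. Added example, not
Beacon Cache II. The host list is constructed and the response line shapes
follow the GWC spec-2 convention as I recall it (an assumption)."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

# Constructed sample host list: (ip:port, age in seconds since last seen).
SAMPLE_HOSTS = [("203.0.113.10:6346", 120), ("198.51.100.7:6346", 300)]

# Explicit ban on the string the trojan sends, as Grant suggests.
BANNED_VENDORS = {"LIMEWIRE"}

# Vendor codes are four upper-case ASCII letters ('LIME', 'RAZA', 'BEAR').
def vendor_code_ok(client):
    if client is None:
        return False
    if client.upper() in BANNED_VENDORS:
        return False
    return (len(client) == 4 and client.isascii()
            and client.isalpha() and client.isupper())


def handle_gwc_query(query, hosts=SAMPLE_HOSTS):
    """Return response body lines for a GWC request query string.
    A bad or banned client code gets only the warning line, so the worm
    never receives a host list to spread through."""
    params = {k: v[0] for k, v in parse_qs(query).items()}
    client = params.get("client")
    if not vendor_code_ok(client):
        return ["I|WARNING|Banned Vendor Code"]
    if params.get("net", "gnutella") != "gnutella":
        return ["I|WARNING|Unsupported network"]
    lines = ["I|pong|ExampleCache 0.1|gnutella"]   # format assumed, see lead-in
    if params.get("get") == "1":
        lines += [f"H|{addr}|{age}" for addr, age in hosts]
    return lines


class GwcHandler(BaseHTTPRequestHandler):
    """Minimal HTTP front end so the filter can be run stand-alone."""
    def do_GET(self):
        body = "\n".join(handle_gwc_query(urlsplit(self.path).query)) + "\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body.encode())


if __name__ == "__main__":
    # Try: curl 'http://127.0.0.1:8080/gwc.php?net=gnutella&get=1&client=limewire'
    HTTPServer(("127.0.0.1", 8080), GwcHandler).serve_forever()
```

The check is deliberately strict on shape (exactly four upper-case letters) rather than relying on the ban list alone, so a rebuilt sample that switches to some other lowercase or long string is refused just the same; a cache operator who wants to allow an unusual but legitimate client should add its real four-letter code rather than loosen the rule.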
Kimberly
Hi Grant Galitz,

Thanks for jumping in and giving us some details about the worm and your blocking feature.

QUOTE
It seemed to definitely slam my cache with unnecessary traffic before I blocked it.
Yeah, first connection out is to caches indeed as it uses the network to spread.

QUOTE
There may be tens or hundreds of thousands of people infected by my quick estimation
Yes, many people are infected with that stuff as it usually contains words like keygen or crack thus something that many people seek.

QUOTE
If you want my honest answer, if someone can attempt to email those cache operators to switch to Beacon Cache II, or specifically block the client vendor code 'limewire', then this stupid trojan might be knocked down a notch on spreading.
(ignore the beacon cache operators, as Beacon already blocks the trojan as of 0.2.X)
That would be awesome indeed. Personally I don't know anyone holding these caches, but I presume some people could get their contact details or a common forum place so you guys can fix this.