
Is this thing a virus?



Oh great, a new virus:

AxBb4Z6hIO1.exe

Shut the system down and isolated it from the network. When we brought the system back up the next day, we had to find the file manually; no antivirus or antimalware could find it, and ComboFix would end up causing the apocalypse.

The file was found in AppData/Local/Temp. It has put 2 entries into the MSCONFIG startup (it says Audio HD Driver, however there's already an entry for the actual Realtek audio, so it's a fake), and it has also put a registry entry into the registry so it will start even if you disable the MSCONFIG entries.

Version information says 0.0.0.0, 150 KB, mike.exe

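One way to triage the indicators in that post (an executable launched from AppData\Local\Temp, and a second "Audio HD Driver" startup entry sitting next to the real Realtek one) in code, as an added example that is not from the thread: the autostart rows are a constructed sample, and every name and path in them is an assumption.

```python
import re
from collections import Counter

# Constructed sample autostart rows (display name, command line), shaped like the
# MSCONFIG / Run-key entries in the post: the real Realtek entry plus two fake
# "Audio HD Driver" entries whose command points into %LOCALAPPDATA%\Temp.
SAMPLE_ENTRIES = [
    ("Realtek HD Audio", r'"C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe" -s'),
    ("Audio HD Driver", r"C:\Users\bob\AppData\Local\Temp\AxBb4Z6hIO1.exe"),
    ("Audio HD Driver", r"C:\Users\bob\AppData\Local\Temp\AxBb4Z6hIO1.exe"),
    ("OneDrive", r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

# Directories where a legitimate autostart binary almost never lives.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")

def executable_path(command: str) -> str:
    """Return the program path from a Run-key command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    match = re.match(r"(.*?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return match.group(1) if match else (command.split() or [command])[0]

def in_suspicious_dir(path: str) -> bool:
    lowered = path.lower().replace("/", "\\")
    return any(marker in lowered for marker in SUSPICIOUS_DIRS)

def audit_entries(entries):
    """Return sorted (name, reason) findings for rows that look like persistence."""
    findings = set()
    name_counts = Counter(name.lower() for name, _ in entries)
    words = {name: set(name.lower().split()) for name, _ in entries}
    for name, command in entries:
        path = executable_path(command)
        if in_suspicious_dir(path):
            findings.add((name, "executable in a temp directory: " + path))
        if name_counts[name.lower()] > 1:
            findings.add((name, "display name registered more than once"))
        # A name sharing two or more words with a different entry is a lookalike
        # (the fake "Audio HD Driver" next to the real "Realtek HD Audio" row).
        for other, other_words in words.items():
            if other.lower() != name.lower() and len(words[name] & other_words) >= 2:
                findings.add((name, "name resembles another entry: " + other))
    return sorted(findings)

if __name__ == "__main__":
    for name, reason in audit_entries(SAMPLE_ENTRIES):
        print(f"[SUSPECT] {name}: {reason}")
```

On a live host the same checks apply to the rows from the HKLM and HKCU Run keys; the sample here only stands in for that output.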


Files with names like that are most likely viruses or at least malware. :o

And if the version info doesn't show anything useful, it's time to scan the system thoroughly.

Make sure you also scan for rootkits, since these are almost never detected by virus scanners: you can use ComboFix for those.

Keep in mind ComboFix will be very thorough and may (will) reset some settings on a system, which you might not want as an administrator, so check its log after it's finished and re-check user permissions, preferences and services.

Greetz,

Peter.


As for the remark about older versions of Windows being unsafe, I'll selectively ignore it, as it's not the age that makes an OS insecure, it's the contents.

Tarun is right. Vista is still pretty secure but when you start going further you really lose a lot of security. For the record, I have yet to see a single Vista or Win 7 machine with a virus, ever.

I wouldn't be so fast to blame Windows either. There are just so many possibilities: infected installation media/image? End users with admin rights? Careless admin? Someone carrying an infected executable (driver, app, installer, etc.) on a USB memory stick to install it on there? Not keeping patched? The list is endless. Also, AVs aren't 100% foolproof either, especially with really recent threats. Whatever got your Win7 box infected (with up-to-date AV definitions) would have infected your Vista and XP (x64 or not) boxes just as well.


Anyways, the problem is solved. This is my final post to the thread as the problem is solved (I just didn't want you to think I abandoned the thread, so here's my final entry).

--Signing Off--


Frankly, if you're running as an admin and/or have disabled UAC, 7 and Vista have basically the same security model. I've been taking this thing apart to see how it works, and you are most definitely NOT more secure on Vista when it comes to this particular one. This one appears, from disassembling it, to be a variant of the other Worm.MSIL network worms (like the PC security scam malware). The processes it spawns appear to be looking for email programs and network ports to try and replicate itself.

On Vista or Win7, if you run as admin or do not run a browser that runs as a low-integrity process (like IE or Google Chrome) and come across a site that is dropping this particular malware, it will infect Vista or Win7. If you open a .zip or .rar file that contains this and execute its contents, it'll infect Vista or Win7. If you disable the host's firewall and are running as administrator at the time, you can get infected if the binary is executed after being dropped.

None of these things will be protected in any better way on Vista than they are on Windows 7.
