A Trojan that has variations appearing with different company names, descriptions etc., like Niceware, iNiceware, iNWare.inc, reminds me of the ernel.dll on the TDL thread.
http://www.virustotal.com/file-scan/rep ... 1289431542
Attached is one group of files from testing in the real world one of the variants of a Guy.
SOFTWARE / CURRENT VERSION / RUN : [Random] C:\\Documents and Settings\[username]\Local Settings\Temp\ [random 3 characters].exe
C:\WINDOWS\[random 6 characters].exe
C:\WINDOWS\System32\sshnas21.dll
C:\Documents and Settings\[username]\Local Settings\temp[random 3 characters].exe or C:\WINDOWS\temp [random 3 characters].exe (can be multiple files)
Scheduler change: Tasks: C:\windows\tasks\[random characters].job (may be more than one for the infection)
On My PC
Processes
C:\WINDOWS\system32\rundll32.exe, this file is legit but is being used by sshnas21.dll
C:\WINDOWS\Tvehoa.exe
C:\DOCUME~1\John\LOCALS~1\Temp\Tch.exe
Entries
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http= [address]
HKCU\..\Run: [U36VRSFLG6] C:\DOCUME~1\John\LOCALS~1\Temp\Tch.exe
HKUS\S-1-5-21-484763869-1275210071-1644491937-1003\..\Run: [U36VRSFLG6] C:\DOCUME~1\John\LOCALS~1\Temp\Tch.exe (User '?')
Files
C:\WINDOWS\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
C:\WINDOWS\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
(Opera Software) -- C:\WINDOWS\Tvehoa.exe
(Opera Software) -- C:\WINDOWS\System32\sshnas21.dll
C:\\Documents and Settings\John\Local Settings\Temp\Tch.exe
C:\\Documents and Settings\John\Local Settings\Temp\Tcg.exe
C:\\Documents and Settings\John\Local Settings\Temp\Tcf.exe
C:\\Documents and Settings\John\Local Settings\Temp\a.dat
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS
If you keep just stopping the processes and deleting the files in the temp folder(s), after a while the task(s) restart the .exe's that may still be there and the temp files get recreated.
Attachments
pass = infected
(1.25 MiB) Downloaded 65 times
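A read-only triage script for the persistence points listed in this post (Run key, ProxyServer, .job tasks, SSHNAS service/DLL, rundll32 hosting the DLL), added here as an example and not part of the original post. It assumes PowerShell 3 or later for Get-CimInstance and uses the indicator names exactly as given above; it reports findings and changes nothing.

```powershell
# Added example (not from the original post): enumerate the persistence points
# described in the thread and report which are present on this host. Read-only.
# Assumes PowerShell 3+; on older hosts replace Get-CimInstance with Get-WmiObject.
$findings = @()

# 1. Run keys: the post shows a random-named value pointing at ...\Temp\<3 chars>.exe
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
        if ("$($p.Value)" -match '\\Temp\\[A-Za-z0-9]{3}\.exe') {
            $findings += "Run value $key\$($p.Name) -> $($p.Value)"
        }
    }
}

# 2. Proxy hijack: ProxyServer set under Internet Settings (HKCU)
$inet  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxy = (Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue).ProxyServer
if ($proxy) { $findings += "ProxyServer is set: $proxy" }

# 3. Legacy .job tasks in C:\Windows\Tasks that re-launch the dropper.
#    Per the post, these must be dealt with BEFORE killing processes and deleting temp files,
#    otherwise the task simply recreates them.
Get-ChildItem "$env:windir\Tasks" -Filter '*.job' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Scheduled job: $($_.FullName)" }

# 4. The SSHNAS service and its DLL in System32
if (Get-Service -Name SSHNAS -ErrorAction SilentlyContinue) { $findings += 'Service SSHNAS present' }
$dll = "$env:windir\System32\sshnas21.dll"
if (Test-Path $dll) { $findings += "DLL present: $dll" }

# 5. rundll32.exe instances whose command line loads sshnas21.dll (rundll32 itself is legitimate)
Get-CimInstance Win32_Process -Filter "Name='rundll32.exe'" |
    Where-Object { $_.CommandLine -match 'sshnas21\.dll' } |
    ForEach-Object { $findings += "rundll32 PID $($_.ProcessId) loading sshnas21.dll" }

if ($findings.Count -eq 0) { 'No indicators from this thread found.' } else { $findings }
```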