Sounds like it could be Bugbear. It's recent enough to not be caught by your definitions, and the filename matches the pattern for Bugbear. Grab the Bugbear cleaner off the SARC site, boot into safe mode and run it...
http://www.sarc.com/avcenter/venc/data/w32.bugbear@mm.removal.tool.html

> -----Original Message-----
> From: Bassam ALHUSSEIN [mailto:bhussein@scs-net.org]
> Sent: Saturday, October 05, 2002 2:14 PM
> To: focus-virus@securityfocus.com
> Cc: SECURITY-BASICS@securityfocus.com
> Subject: Somebody saw this trojan ?
>
>
> Hello ..
>
> I have received an e-mail today that is not supposed to be sent to me (they
> were calling somebody else that I don't know ..). When I read the mail with
> Outlook Express I noticed that the popup window of downloading the
> attachment is invoked rapidly (Slow computer) without asking for "Open" or
> "Save as" ...
> Well, I have some basic concepts about viruses and security. I am using NAV
> 2001 with the virus definitions of 16/09/2002 and it generally scans the
> incoming emails. But after reading that email I noticed that NAV is not
> running !!!
> With Ctrl-Alt-Del I didn't see any "Strange" running program.
> On a command prompt I wrote : netstat -an and I found :
> TCP 0.0.0.0:36794 0.0.0.0:0 LISTENING
> I think it could be a trojan horse listening on the port 36794 ..
> I ran NAV manually to scan my system...but it (NAV) soon shut down.
> I ran a free "Process Viewer" and then I noticed a "strange" running program
> with the name "Hfyj.exe", so I killed it.
> With the "Regedit" I deleted the key that was invoking this program in :
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
>
> I deleted the exe file and when I rebooted I noticed that it is always there
> and that NAV is not running. I killed the program again ..deleted the
> registry key... ran NAV to scan the exe file but it said that it is not
> infected !!!
>
> Help.. The Resident Evil is always here and running ...
>
> Note : the mail was sent from a fake address ....and I didn't find the "To: "
> statement in the header ....How could it come to me without the "To :"
> statement.
>
> what about sending the exe file to Symantec ???
>
>
> thanx
>
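The two checks the original poster did by hand (netstat for a listening port, Regedit for the RunOnce key) as an added triage script; this is not part of the thread and not a vendor tool. It assumes a current Windows host (Windows 8 / Server 2012 or later, where Get-NetTCPConnection exists) and an elevated shell so process image paths are readable; the suspect port list defaults to the 36794 seen in the post and is only an example value.

```powershell
# Added example: tie TCP listeners to their owning process and image on disk,
# dump the Run/RunOnce autostart entries, and hash the image behind any suspect
# port so it can be submitted to the AV vendor before the file is deleted.
# Assumes Windows 8 / Server 2012+ and an elevated PowerShell session.
param(
    [int[]]$SuspectPorts = @(36794)   # port from the original post; constructed default
)

# 1. Listening TCP sockets joined to the owning process. netstat -an alone shows no PID.
$listeners = Get-NetTCPConnection -State Listen | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LocalAddress = $_.LocalAddress
        LocalPort    = $_.LocalPort
        PID          = $_.OwningProcess
        Process      = if ($proc) { $proc.ProcessName } else { '<unknown>' }
        Path         = if ($proc) { $proc.Path } else { $null }
        Suspect      = $SuspectPorts -contains $_.LocalPort
    }
}
$listeners | Sort-Object LocalPort | Format-Table -AutoSize

# 2. Autostart entries. RunOnce is where the poster found the key; Run is the usual sibling.
$autorunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$autoruns = foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |   # drop PSPath, PSParentPath, etc.
        ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
}
$autoruns | Format-Table -AutoSize

# 3. For each suspect listener whose image still exists, record a SHA-256 of the file
#    so the sample can be reported even if the binary is later removed.
$listeners | Where-Object { $_.Suspect -and $_.Path -and (Test-Path $_.Path) } | ForEach-Object {
    $h = Get-FileHash -Path $_.Path -Algorithm SHA256
    "Suspect listener on port $($_.LocalPort): $($_.Path) SHA256=$($h.Hash)"
}
```

Run it before killing the process or deleting the file, since the image path and hash are exactly what is lost once the binary is gone.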
