Worm.Win32.Raleka alias W32Kelar.A


5 replies to this topic

#1 peterpaulmary (Member, 5 posts)

Posted 29 July 2004 - 10:56 PM

I was experimenting with 7 different online virus scans. Only one of them was able to identify "Kelar.A" in file "down.com", and I was able to "disinfect" it with the same software. After reading at several websites I learned that the "Kelar" or "Raleka" worm creates "down.com". It also attempts to download the following additional files: svchost32.exe, ntrootkit.exe, ntrootkit.reg; two log files named Rpcss.ini and Svchost.ini; and the backdoor component "Backdoor.RTKit11.a". I suspect that while I was able to "disinfect" the "down.com" file I may still have remnants in my Registry and elsewhere. Each time I boot my computer I have three separate requests from file svchost.exe to access my firewall. I read that "Kelar.A" modifies the file svchost.exe in the Windows system directory and overwrites its content by replacing it with a copy of the worm. I suspect that this worm is still capable of sending data from my computer to IRC Servers.
My HijackThis log is noted below. It now contains 4 copies of svchost.exe, which is 2 more copies than my last log of two days ago. Is there any sort of removal tool which might rectify things? Should I be removing the svchost.exe files and if so, how and what then? I downloaded a DOS tool from www.norman.com but haven't had much luck with it. I have also downloaded an applicable security patch from Microsoft (I thought I had them all).



Logfile of HijackThis v1.98.0
Scan saved at 8:14:16 PM, on 7/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG6\avgcc32.exe
D:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
D:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe
D:\WINDOWS\MXOaldr.exe
D:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\System32\ctfmon.exe
D:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
D:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\WINDOWS\System32\alg.exe
D:\PROGRA~1\Grisoft\AVG6\avgserv.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Program Files\Dantz\Retrospect\retrorun.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\System32\devldr32.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Documents and Settings\Mary Paul\My Documents\HighJackThisSearchResults\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] D:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [AdaptecDirectCD] D:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [MaxtorCombo] "D:\PROGRA~1\Dantz\RETROS~1\ComboButton.exe"
O4 - HKLM\..\Run: [MXO Auto Loader] D:\WINDOWS\MXOaldr.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Tau Monitor] D:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
O4 - HKLM\..\Run: [THGuard] "D:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mov: D:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

#2 Marianna (Forum Deity, Retired Staff, 752 posts)

Posted 30 July 2004 - 02:58 PM

Hi again :)

I found MORE info:

The files are downloaded to the SYSTEM folder:

NTROOTKIT.EXE (128000 bytes) Backdoor Trojan
NTROOTKIT.REG (245 bytes) Backdoor Trojan Regfile
SERVICE.EXE (27136 bytes) Application to install Services
SVCHOST32.EXE (14880 bytes) The worm itself
SVCHOST.CMD (132 bytes) Batchfile

The NTROOTKIT files are downloaded to the Windows System directory and are detected as "NTRootKit-E" with 4289 DATs or later.

After the download, the worm tries to override the SVCHOST.EXE in the SYSTEM folder with a copy of itself and executes it.

http://vil.nai.com/v...nt/v_100574.htm

Maybe you give McAfee's STINGER a shot??

http://vil.nai.com/vil/stinger/
"The only source of knowledge is experience"
Albert Einstein (1879 - 1955)

Microsoft MVP Consumer Security 2006 - 2010

#3 peterpaulmary (Member, 5 posts)

Posted 30 July 2004 - 05:43 PM

Thanks again Marianne. I tried Stinger twice but with no luck. I was hoping that some reader might be able to explain a couple of my questions in my posting relating to svchost.exe in addition to locating a removal tool. I will keep my fingers crossed that you or someone comes up with the answers I need. Have a great weekend.

#4 Marianna (Forum Deity, Retired Staff, 752 posts)

Posted 30 July 2004 - 05:52 PM

It's me again :weee:

What you also could do is download The Cleaner Professional from Moosoft; it is FREE for 30 days!

http://www.moosoft.c...eaner/download/

It has TC Active and TC Monitor; run both at startup and see if you can locate anything.

After downloading and installing, UPDATE first before running!

Have a great weekend too :)

#5 peterpaulmary (Member, 5 posts)

Posted 30 July 2004 - 11:25 PM

Thanks again Marianne. I downloaded, updated and tried the Moosoft Cleaner, but once again I had no luck. This trial and error method has a down side. Perhaps someone will come along that examines my HijackThis log and answers some of the questions I raised in my initial post, particularly about the extra svchost.exe and all the other files that Kelar.A alias W32/Raleka may have installed on my hard drive. I know the Panda software disinfected the related "down.com" file created by Kelar, but I wonder if there is more for me to find and repair or remove?

#6 Marianna (Forum Deity, Retired Staff, 752 posts)

Posted 31 July 2004 - 01:12 AM

I can understand you want to get rid of that "thing" !

McAfee states:

When the worm finds an unpatched system, it creates a 7-bit encoded file called DOWN.COM (8954 bytes) on the victim machine and executes it with the IP address and a port number of the attacking host. The file will use Internet Explorer to download additional files from the attacking host, rather than downloading them from the IP address mentioned above.

The files are downloaded to the SYSTEM folder:

NTROOTKIT.EXE (128000 bytes) Backdoor Trojan
NTROOTKIT.REG (245 bytes) Backdoor Trojan Regfile
SERVICE.EXE (27136 bytes) Application to install Services
SVCHOST32.EXE (14880 bytes) The worm itself
SVCHOST.CMD (132 bytes) Batchfile

As you wrote, Panda disinfected down.com.

If you go into SAFE MODE, can you SEE the above files?

If you SEE the files, you only have to right-click and delete them.
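The checks the thread circles around (are the dropped files still in the System folder, was svchost.exe itself replaced by the worm, and why are there several svchost.exe processes) can be scripted. The following is an added example written for this page; it is not from the thread, from McAfee's write-up, or from any of the removal tools mentioned. It assumes PowerShell 4 or later (Get-FileHash, Get-CimInstance) on the affected machine, run from an elevated prompt. The file names and byte sizes are the ones quoted from McAfee in posts #2 and #6; the paths, the SHA-256 comparison and the "legitimate instance" heuristics are assumptions of this example.

```powershell
# Added triage script; not from the thread, McAfee, or any removal tool it mentions.
# Assumes PowerShell 4 or later on the affected machine, run from an elevated prompt.
# File names and byte sizes are the ones quoted from McAfee in this thread;
# every other detail (paths, which instance is "legitimate") is an assumption.

$SystemDir = Join-Path $env:SystemRoot 'System32'

# Dropped files and the sizes published for them in the quoted description.
$DroppedFiles = @{
    'down.com'      = 8954
    'ntrootkit.exe' = 128000
    'ntrootkit.reg' = 245
    'service.exe'   = 27136
    'svchost32.exe' = 14880   # the worm body
    'svchost.cmd'   = 132
}

function Test-DroppedFiles {
    param([string]$Dir = $SystemDir)
    foreach ($name in $DroppedFiles.Keys) {
        $path = Join-Path $Dir $name
        if (-not (Test-Path -LiteralPath $path)) {
            "absent  $path"
            continue
        }
        $len  = (Get-Item -LiteralPath $path).Length
        $note = if ($len -eq $DroppedFiles[$name]) { 'size matches the write-up' }
                else { "size $len differs from the published $($DroppedFiles[$name])" }
        "FOUND   $path ($note)"
        # .reg and .cmd are plain text: print them so the registry keys and
        # commands they add can be reversed by hand.
        if ($name -match '\.(reg|cmd)$') {
            Get-Content -LiteralPath $path | ForEach-Object { "        | $_" }
        }
    }
}

function Test-SvchostBinary {
    param([string]$Dir = $SystemDir)
    $svc  = Join-Path $Dir 'svchost.exe'
    $worm = Join-Path $Dir 'svchost32.exe'
    $item = Get-Item -LiteralPath $svc
    "svchost.exe: {0} bytes, last written {1}" -f $item.Length, $item.LastWriteTime
    # The write-up says the worm overwrites svchost.exe with a copy of itself,
    # so a svchost.exe of exactly the worm's size, or byte-identical to
    # svchost32.exe, is the strongest sign the overwrite happened.
    if ($item.Length -eq $DroppedFiles['svchost32.exe']) {
        'WARNING: svchost.exe is exactly the published worm size'
    }
    if (Test-Path -LiteralPath $worm) {
        $a = (Get-FileHash -LiteralPath $svc  -Algorithm SHA256).Hash
        $b = (Get-FileHash -LiteralPath $worm -Algorithm SHA256).Hash
        if ($a -eq $b) { 'WARNING: svchost.exe is byte-identical to svchost32.exe' }
    }
    # Microsoft's svchost.exe is catalog-signed; Get-AuthenticodeSignature consults
    # the catalog on Windows 7 and later, so a genuine file reports Valid there.
    $sig = Get-AuthenticodeSignature -FilePath $svc
    "Authenticode: {0} {1}" -f $sig.Status, $sig.SignerCertificate.Subject
}

function Get-SvchostProcesses {
    # Genuine instances are started by services.exe with "-k <group>", one per
    # service group, so several svchost.exe processes are normal. An instance
    # with another parent or without "-k" deserves a closer look.
    $servicesPid = (Get-Process -Name services | Select-Object -First 1).Id
    Get-CimInstance Win32_Process -Filter "Name='svchost.exe'" |
        Select-Object ProcessId, ParentProcessId, CommandLine,
            @{ Name = 'StartedByServices'; Expression = { $_.ParentProcessId -eq $servicesPid } },
            @{ Name = 'HasServiceGroup';   Expression = { $_.CommandLine -match '\s-k\s' } }
}

Test-DroppedFiles
Test-SvchostBinary
Get-SvchostProcesses | Format-Table -AutoSize -Wrap
```

On the process question: `tasklist /svc` prints the services hosted by each svchost.exe, which is the quickest way to see that four instances each carrying a different `-k` group are the normal layout rather than four copies of the worm. If svchost.exe does turn out to be the worm's copy, deleting it is not the fix, since the real one is needed to start services; it has to be restored from the Windows installation media or the dllcache before the dropped files are removed.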
