asdf.exe - a trojan?

21 replies to this topic

#1 JethroBodine

Posted 22 August 2005 - 09:14 PM

This evening, a program named asdf.exe (location c:\asdf.exe) asked for permission to access the internet from my laptop.

ZoneAlarm first caught it as a new program (it first wanted permission to access 127.0.0.1:2175), and I said no. Then in the ZA logs, I saw 22 seconds later it tried to access 66.159.17.156:80, which ZA blocked.

So I'm stumped: The executable, 4KB in size, was created at 6:22 PM in the root of C:\, but I don't know where I got it. I analyzed it with several things, TDS-3's Utilities > String Extractor, and MS AntiSpyware's Tools > Advanced Tools > File Analyzer. Neither of which showed anything interesting; TDS-3 showed only five or six text strings. A scan of the file with updated NAV did not show an infection.

The fact that it was created without my doing something, and then tried to access the internet (call home) is reason enough to believe it is malware. One more thing, there was also an entry in C:\WINDOWS\Prefetch, (the place where WinXP records what to load upon bootup to supposedly optimize memory and disk usage).

P.S: There's someone on here with a username of asdf (the first four chars on the second row of keys), searching brings up several of his/her posts, but that's it.

Any insights or advice appreciated.

#2 LostAccount

Posted 23 August 2005 - 07:19 AM

I suggest that you read the FAQ and post a HijackThis log in the Malware Removal forum. One of the helpers will be able to assist you there.
Useful Software: Kaspersky (https://www.kaspersky.com), Housecall Trendmicro (https://housecall.trendmicro.com/), a2 free edition (https://www.emsisoft.com), Kerio Personal Firewall (https://www.kerio.com), Ad-aware SE (https://www.lavasoftusa.com), Spybot S&D (https://security.kolla.de), HJT (https://www.merijn.org/files/hijackthis.zip), CWShredder (https://www.cwshredder.net), MVPS HOSTS file by WinHelp2002 (https://www.mvps.org/winhelp2002/hosts.htm), IE-SPYAD by eburger68 (https://netfiles.uiuc.edu/ehowes/www/resource.htm), Spywareguard and Spywareblaster (https://www.javacoolsoftware.com/), Winpatrol (https://www.winpatrol.com), Mozilla & Firefox (https://www.mozilla.org)

#3 JethroBodine

Posted 23 August 2005 - 11:33 AM

> I suggest that you read the FAQ and post a HijackThis log in the Malware Removal forum. One of the helpers will be able to assist you there.

I didn't have any problem removing the file, it deleted without issue.

But I am very curious because no AV or anti-malware programs identified it, yet it was created without my intervention, and it tried to make an outside connection.

#4 LostAccount

Posted 23 August 2005 - 12:03 PM

Most likely one of the simpler forms of malware. You can always submit it to http://virusscan.jotti.org for an analysis.

#5 JethroBodine

Posted 23 August 2005 - 05:50 PM

> Most likely one of the simpler forms of malware. You can always submit it to http://virusscan.jotti.org for an analysis.

The upload utility on that site says its status is: "INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)".

How do I go about figuring out how it got through the layers of defenses I've got? Pro-active protections at the time the file was created were SpywareBlaster, SpywareGuard, MS AntiSpyware, Spy Sweeper, FireFox, Norton AV. Ad Aware and Spybot S&D in use, but not really doing anything at the time. Zone Alarm is the only thing that caught it, and that was after it got in.

Have tried looking at some router logs of IP addresses, but they got rolled over and overwritten. Any ideas?

#6 707

Posted 24 August 2005 - 04:44 AM

funny thing is I just found this in my C: too, it was named asdf, it was an exe, wtf? I deleted it easily but I'm scared my comp's infected and McAfee doesn't help me with that :rant:

#7 LostAccount

Posted 24 August 2005 - 11:15 AM

I'd advise you to post a HJT log in Malware Removal as this trojan may install new malware... that is why it's trying to connect to a server. It's a Trojan Downloader...

#8 JethroBodine

Posted 24 August 2005 - 01:01 PM

> I'd advise you to post a HJT log in Malware Removal as this trojan may install new malware... that is why it's trying to connect to a server. It's a Trojan Downloader...

OK, you convinced me, I'll do that shortly. Thanks.

P.S: Still curious how it got by several layers...

#9 LostAccount

Posted 24 August 2005 - 01:33 PM

> P.S: Still curious how it got by several layers...

So am I... What is the version of the Firefox browser on your computer?

#10 707

Posted 24 August 2005 - 01:54 PM

so what should I do about this, cause I'm sure it downloaded more of something in my comp

#11 LostAccount

Posted 24 August 2005 - 01:59 PM

> I'd advise you to post a HJT log in Malware Removal as this trojan may install new malware... that is why it's trying to connect to a server. It's a Trojan Downloader...

The staff will analyse your log and proceed from there. Or you might want to scan your system with an online antivirus scanner in the meantime.

Edited by LostAccount, 24 August 2005 - 02:20 PM.

#12 707

Posted 24 August 2005 - 02:18 PM

sorry, I'm kinda a n00b when it comes to comps. How do I analyze my log? thanx a lot

#13 JethroBodine

Posted 24 August 2005 - 02:38 PM

OK, I started a thread in the Malware Removal, http://www.spywarein...showtopic=54925

Just scanned entire HD with SB S&D, AdAware, NAV. Nothing found. ... but I have been getting these occasional unexplained pop ups with FF in the last few weeks.

#14 viper2002

Posted 27 August 2005 - 11:06 AM

hi, I also got this asdf.exe file thing today and it got detected by my AVG antivirus. I have an idea/theory. I download music from eMule and I left the program open last night downloading. Could eMule or the music I downloaded be behind the asdf.exe program?

thanks

Oscar

#15 Confuddled

Posted 27 August 2005 - 02:58 PM

I was alerted to this today by NAV 2004. It identified it as Trojan.Download that goes to a specific Web or FTP site that its author created and attempts to download new Trojans, viruses, worms or their components. After the Trojan downloads the files, it executes them.

Strangely NAV couldn't delete it until I scanned in Safe Mode. It found and deleted 2 files:
ASDF.exe
time.class-50c9903d-5276d895.class.

Before doing this I checked my pc and found other files created/modified/accessed at the same time 3 days ago:

C:\Windows\Prefetch\ASDF.EXE-052BEA6D.pf
C:\SDFG.exe
C:\Windows\Prefetch\SDFG.EXE-2DCC24EE.pf
C:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\
    JVMDetector.class-3b58dfa3-1850eb7a.class
    JVMDetector.class-3b58dfa3-1850eb7a.idx
    Beyond.class-5f5f539f-524a4996.class
    Beyond.class-5f5f539f-524a4996.idx
    jvm.class-4ce2835d-130777e1.class
    jvm.class-4ce2835d-130777e1.idx
    tick.class-7f63330d-2882121e7.class
    tick.class-7f63330d-2882121e7.idx
    time.class-50c9903d-5276d895.idx

Obviously the SDFG files are connected as they are the same format on the qwerty keyboard and have identical date/times but NAV didn't find them. I have manually deleted them. Googling SDFG.exe brings up nothing.

Checking the above times in my history file, the minute before, I accessed Virgin Airlines as saved in favourites. That page redirected me to a new Virgin Airlines front page. Just a thought, was there a problem with it? I suppose the other files could be to do with looking up flights.

#16 ssssmemyself

Posted 28 August 2005 - 10:15 AM

AVG caught this for me too. There was also a class file in Java's cache that it found during the scan. The accompanying idx file says that it came from http://63.246.16.20/d/time.class, which is currently 404ing. So, I think it's safe to say that this is a Java problem. I'd recommend disabling Java until this is firmly squashed. The file modification time is from about a week ago, and my history doesn't seem to go back that far.

#17 JethroBodine

Posted 28 August 2005 - 08:03 PM

I'm still puzzled how this got through the protections I had in place.

Was contemplating setting up a clean VMware machine and re-visiting all the sites in a history list starting about 30 minutes prior to the time I found the original file, ... but any infected web site passing on this virus could have been cleaned up by now, I suppose.

#18 JethroBodine

Posted 28 August 2005 - 08:56 PM

> I was alerted to this today by NAV 2004. It identified it as Trojan.Download that goes to a specific Web or FTP site that its author created and attempts to download new Trojans, viruses, worms or their components. After the Trojan downloads the files, it executes them.
>
> Strangely NAV couldn't delete it until I scanned in Safe Mode. It found and deleted 2 files:
> ASDF.exe
> time.class-50c9903d-5276d895.class.
>
> Before doing this I checked my pc and found other files created/modified/accessed at the same time 3 days ago:
>
> C:\Windows\Prefetch\ASDF.EXE-052BEA6D.pf
> C:\SDFG.exe
> C:\Windows\Prefetch\SDFG.EXE-2DCC24EE.pf
> C:\Documents and Settings\username\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\
>     JVMDetector.class-3b58dfa3-1850eb7a.class
>     JVMDetector.class-3b58dfa3-1850eb7a.idx
>     Beyond.class-5f5f539f-524a4996.class
>     Beyond.class-5f5f539f-524a4996.idx
>     jvm.class-4ce2835d-130777e1.class
>     jvm.class-4ce2835d-130777e1.idx
>     tick.class-7f63330d-2882121e7.class
>     tick.class-7f63330d-2882121e7.idx
>     time.class-50c9903d-5276d895.idx
>
> Obviously the SDFG files are connected as they are the same format on the qwerty keyboard and have identical date/times but NAV didn't find them. I have manually deleted them. Googling SDFG.exe brings up nothing.
>
> Checking the above times in my history file, the minute before, I accessed Virgin Airlines as saved in favourites. That page redirected me to a new Virgin Airlines front page. Just a thought, was there a problem with it? I suppose the other files could be to do with looking up flights.

Your message got me thinking, so I looked around for any files created at the same time as the ASDF.exe on my machine. I found seven of them (see below for the mismatched eighth one). In my case the files were in the folder "C:\Documents and Settings\username\.jpi_cache\file\1.0" (it appears you have a developer edition of Java).

The files have the same names as what you found:
Beyond.class-5f5f539f-32811f07.class
Beyond.class-5f5f539f-32811f07.idx
jvm.class-4ce2835d-6c6fa001.class
jvm.class-4ce2835d-6c6fa001.idx
JVMDetector.class-3b58dfa3-175a8466.class
JVMDetector.class-3b58dfa3-175a8466.idx
time.class-50c9903d-7b5ac9c3.idx
NOTE: time.class-50c9903d-7b5ac9c3.class -> Norton AV '05 found it yesterday, and moved it, from what I found in the session log:
  • Source: C:\Documents and Settings\username\JPI_CA~1\file\1.0\time.class-50c9903d-7b5ac9c3.class
  • Description: The file C:\Documents and Settings\username\JPI_CA~1\file\1.0\time.class-50c9903d-7b5ac9c3.class is infected with the Download.Trojan virus.
  • Click for more information about this threat : Download.Trojan (http://securityrespo...oad.trojan.html)
Curiously I did not have the tick.class... file pair, searched my entire HD for them. Nothing found.

The \Windows\Prefetch\ folder is something XP (maybe 2000 also) uses to preload programs into memory at boot time, supposedly for quick access. It's OK, from what I learned, to delete entries from the folder, or even delete the entire folder, in which case it will be rebuilt ... sometime (next boot, or ?).

FYI, I did not visit Virgin Airlines that day, but did visit about 45 other sites that day (can't seem to sort the history list by date AND time, only by date, in Firefox); all web browsing that day was in FF, none in IE.

P.S: How did you look at your history file by time, assuming FF?
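The manual triage in the posts above (Confuddled and JethroBodine listing every file created at the same minute as ASDF.exe, and ssssmemyself reading the download URL out of the Java cache .idx file) can be scripted. The Python below is an added example written for this thread, not code posted by any of the participants. It builds a constructed, harmless directory tree that mimics the layout described (the only URL embedded in it is the one ssssmemyself quoted), lists every file whose modification time falls within a window of the suspect file, and extracts any URL found in nearby .idx files. Two assumptions are labelled in the code: that an .idx file carries its origin URL as a plain printable run among its binary fields, and that modification time is an acceptable proxy for creation time (on Windows, stat's creation time would be the better field).

```python
"""Timeline triage around a suspect file, plus URL extraction from Java cache .idx files.
Added example for the asdf.exe thread; the sample tree built below is constructed."""
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path

# Assumption: the Java plug-in cache .idx stores the origin URL as a plain
# printable run, so a printable-string scan for http(s):// is enough to find it.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def extract_urls(data: bytes) -> list[str]:
    """Return every http(s) URL that appears as a printable run in a byte blob."""
    return [m.decode("ascii", "replace") for m in URL_RE.findall(data)]


def files_near(root: Path, ref_mtime: float, window: float) -> list[tuple[Path, float]]:
    """All files under root whose mtime is within +/- window seconds of ref_mtime,
    sorted oldest first. Assumption: mtime stands in for creation time here."""
    hits: list[tuple[Path, float]] = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = Path(dirpath) / name
            try:
                mtime = path.stat().st_mtime
            except OSError:  # vanished or unreadable file: skip, do not abort the walk
                continue
            if abs(mtime - ref_mtime) <= window:
                hits.append((path, mtime))
    hits.sort(key=lambda item: item[1])
    return hits


def triage(root: Path, suspect: Path, window: float = 120.0) -> dict:
    """Collect files touched around the suspect and any URLs in nearby .idx files."""
    ref_mtime = suspect.stat().st_mtime
    nearby = files_near(root, ref_mtime, window)
    idx_urls = {
        path.name: extract_urls(path.read_bytes())
        for path, _ in nearby
        if path.suffix.lower() == ".idx"
    }
    return {
        "reference": suspect.name,
        "nearby": [path.relative_to(root).as_posix() for path, _ in nearby],
        "idx_urls": idx_urls,
    }


def build_sample_tree() -> tuple[Path, Path]:
    """Constructed directory mimicking the thread's layout; contents are inert filler."""
    root = Path(tempfile.mkdtemp(prefix="asdf_triage_"))
    cache = root / "Documents and Settings" / "username" / ".jpi_cache" / "file" / "1.0"
    t0 = 1_124_728_920.0  # arbitrary fixed epoch standing in for the 6:22 PM creation time
    files = {
        root / "asdf.exe": (b"MZ" + b"\x00" * 64, t0),
        cache / "jvm.class-4ce2835d-6c6fa001.class": (b"\xca\xfe\xba\xbe" + b"\x00" * 16, t0 - 45),
        cache / "time.class-50c9903d-7b5ac9c3.idx": (
            b"\x00\x01" + b"http://63.246.16.20/d/time.class" + b"\x00" * 8, t0 - 40),
        # Unrelated system file touched a month earlier: must fall outside the window.
        root / "WINDOWS" / "notepad.exe": (b"MZ" + b"\x00" * 64, t0 - 86_400 * 30),
    }
    for path, (payload, mtime) in files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(payload)
        os.utime(path, (mtime, mtime))
    return root, root / "asdf.exe"


if __name__ == "__main__":
    sample_root, suspect_file = build_sample_tree()
    report = triage(sample_root, suspect_file)
    print("files within 120 s of", report["reference"])
    for rel in report["nearby"]:
        print(" ", rel)
    for idx_name, urls in report["idx_urls"].items():
        print(idx_name, "->", urls)
```

Run against a real machine, point `triage` at the drive root and the suspect path; the window of two minutes matches the "same minute" correlation the posters used by hand, and widening it is the first thing to try when the list comes back empty.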

#19 Confuddled

Posted 01 September 2005 - 03:33 PM

Hi JethroBodine,

Your files are almost identical to mine. Did you also have the SDFG files as NAV didn't pick them up? I originally thought tick.class was to do with ticket class as I was looking for flights!

I use IE6 and listed history by date. Right clicking on properties gives you the last time a page was looked at. Only the Virgin Airlines redirect page had the relevant time on it as I had revisited the rest.

The Windows Prefetch I have also looked into a little. Looks like it can be turned off in the registry. Check this out:
http://msdn.microsof...ingPrefetch.asp

Bring back Windows 3.1 when you had some control over your pc! Just kidding, but with XP stuff just keeps getting added and set up for you whether you want it or not. Altering the registry seems to be the only way of doing anything about them which I am not over confident in doing.

Have you tried deleting the Prefetch folder yet and did it get rebuilt?

#20 JethroBodine

Posted 02 September 2005 - 11:09 AM

Greetings,

I do not have an SDFG.* file (searched entire HD for it), nor did NAV pick one up.

Yes, I deleted my entire PreFetch folder, old one is in my Recycle Bin, and there's a new one under my C:\WINDOWS\Prefetch folder.

The PreFetch is actually a good thing to have, from what I read. It works in conjunction with Disk Optimization, in that files needing to be pre-fetched at boot time are all located on the outer edges of the disk, to allow quick and efficient loading into memory. Can't find where I read that.

#21 Paranoid

Posted 02 September 2005 - 01:09 PM

> AVG caught this for me too. There was also a class file in Java's cache that it found during the scan. The accompanying idx file says that it came from http://63.246.16.20/d/time.class, which is currently 404ing. So, I think it's safe to say that this is a Java problem. I'd recommend disabling Java until this is firmly squashed. The file modification time is from about a week ago, and my history doesn't seem to go back that far.

What version of Java are you using?
Please note that the software I recommend above is entirely based on only my own experience and testing. In no way should my comments, opinions and endorsements be construed as an endorsement by the forum, nor do they reflect the advice or recommendations by the experts or helpers at spywareinfo.


#22 hornet777

Posted 17 September 2005 - 05:22 AM

Please try to understand that securing a computer is an ongoing process, and not a set it once and forget it kind of thing. It really doesn't matter how many firewalls, AV or spyware scanners or whatnot one has installed on one's computer, if one is just going to continue to keep doing the same unsafe things one always did, and expect to get by with it. In most cases, and despite the presence of "drive-by" infections, malware problems happen in 95% of the cases because the user let it happen.

There is really no substitute for educating oneself in computers generally, their use and care, and how bad things come to be installed on them. I know this won't be received well by many, but it remains the case; Gates was wrong then advocating computer use for all (meaning non-technical users). Windows is an extremely complicated set of software, and especially with XP, despite its simplistic interface, there is so much going on "under the hood" so to speak, there is just no way an uneducated user can be expected to keep his/her system healthy and in top-notch condition. Any time spent understanding this will pay handsome dividends in the long run.

That said, even with 98 (here) I occasionally get the file (where did this come from?). Most resist even the most strenuous t'shooting methods as regards determining the source. My personal "faves" are the ones that aren't signed at all (no identifying marks or signatures, just PE code executable). How can one reasonably be able to determine their origin? It's impossible is the answer, so stop worrying about it. All one can do is use the emergency console (in XP) or boot to DOS (in 98) and delete the bugger; then get on with life.

SO the btm line I guess is that one has to find one's "middle course" so to speak in these matters, and each individual will be different. The point is that both laxity and paranoia are to be avoided, for this stuff is SUPPOSED to be fun, huh! Aight. :-)
After all is invested in correctness, then how does it stand with truth?