Network Security Focus-Virus

RE: stealth virus on explorer.exe

Subject: RE: stealth virus on explorer.exe
Date: Fri, 28 Sep 2007 09:33:04 -0700
Your symptoms describe a process that is running in the same memory space as
the shell Windows Explorer. How it is running there usually comes down to two
scenarios, but usually the same method of process injection.
* something is loading as an accomplice to the shell Explorer
* something is loading at Windows startup/login

T.I.M. mentioned using autoruns, a nifty utility from the Sysinternals
group, now a part of Microsoft:
http://www.microsoft.com/technet/sysinternals/utilities/Autoruns.mspx

Use the 'Hide Signed Microsoft Entries' option to minimize what is displayed
and probably focus on the extraneous things that are running via the registry.

There is a third option that probably isn't what's going on, but it is
possible that something infected Explorer.exe with code that performs the
routine(s) and gives the symptoms that you mention.

Regards,

Patrick Nolan
technical writer
Microsoft Corp


-----Original Message-----
From: listbounce@securityfocus.com 
[mailto:listbounce@securityfocus.com] On Behalf Of T.I.M
Sent: Friday, September 28, 2007 4:26 AM
To: Isaac Perez Moncho; focus-virus@securityfocus.com
Subject: Re: stealth virus on explorer.exe

use autoruns to see the complete Autoruns options in WINDOWS 
also try RunScanner

On Fri, 28 Sep 2007 10:44:49 +0200, Isaac Perez Moncho 
<suscripcions@tsolucio.com> wrote:

Hello all,
I have a computer infected with a virus that acts like this:
explorer.exe starts opening SMTP connections to several IPs and URLs
until it exceeds the TCP limit of Windows XP SP2.
If I kill explorer.exe and run it again from Task Manager the virus
doesn't run anymore until reboot.
It seems that the booting process of Windows passes a parameter to
explorer to launch the virus. But I haven't found anything
interesting or clear in the registry or boot.
I used NOD32 and Panda ActiveScan for cleaning with no result. I
also used Spybot, Ad-Aware and SUPERAntiSpyware with the
same null result.

Any ideas?

Thanks




--
..:: T.I.M ::..

--------------------------------------------------------------
-------------
This list is sponsored by: Black Hat

Attend Black Hat USA, July 28-August 2 in Las Vegas, the 
world's premier technical event for ICT security experts. 
Featuring 30 hands-on training courses and 90 Briefings 
presentations with lots of new content and new tools.  
Network with 4,000 delegates from 70 nations.  Visit product 
displays by 30 top sponsors in a relaxed setting.  

http://www.blackhat.com
--------------------------------------------------------------
-------------



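The two scenarios Patrick lists (something loading alongside the shell, something loading at startup/login) correspond to registry locations that Autoruns enumerates: the Winlogon Shell/Userinit values and the Run/RunOnce keys. The following Python script is an added example, not code from the thread or from Sysinternals. It parses a constructed .reg export of those keys and flags a Shell value that launches anything besides explorer.exe, extra Userinit entries, and Run entries whose executable sits outside the Windows and Program Files directories. The sample entries (including "sample_extra.exe" and "updater.exe") and the trusted-directory heuristic are assumptions of the example; only string values are parsed, not hex or default (@) values.

```python
import re
from typing import Dict, List, Tuple

# Real Windows registry locations that Autoruns also inspects.
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
# Assumption of this example: startup programs normally live under these
# directories (XP system root C:\WINDOWS); anything else deserves a look.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")

# Constructed sample .reg export standing in for a dump of an XP machine.
# The extra Shell entry and the "updater" path are made up for the example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe, C:\\WINDOWS\\system32\\sample_extra.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"updater"="C:\\Documents and Settings\\user\\Application Data\\updater.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"""

# Matches a string value line:  "name"="data"  with \" and \\ escapes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape_reg(s: str) -> str:
    """Undo .reg escaping: a backslash protects the following character."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] sections and their string values into a nested dict."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][unescape_reg(m.group(1))] = unescape_reg(m.group(2))
    return keys


def command_path(cmd: str) -> str:
    """Extract the executable path from a command line, honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces: take everything up to the first
    # ".exe" that is followed by whitespace or the end of the line.
    m = re.match(r'(.*?\.exe)(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def audit_autoruns(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key, value name, reason) for every entry worth investigating."""
    findings: List[Tuple[str, str, str]] = []
    winlogon = keys.get(WINLOGON, {})
    # The default Shell is exactly "explorer.exe"; anything appended after a
    # comma is started together with the shell (an "accomplice" to Explorer).
    shell = winlogon.get("Shell", "explorer.exe")
    if shell.strip().lower() != "explorer.exe":
        findings.append((WINLOGON, "Shell", f"non-default shell value: {shell}"))
    # Userinit normally holds only userinit.exe followed by a trailing comma.
    userinit = winlogon.get("Userinit", "")
    parts = [p.strip() for p in userinit.split(",") if p.strip()]
    if len(parts) > 1 or (parts and not parts[0].lower().endswith("\\userinit.exe")):
        findings.append((WINLOGON, "Userinit", f"extra Userinit entries: {userinit}"))
    # Run/RunOnce: flag programs launched from outside the trusted directories.
    for key in RUN_KEYS:
        for name, cmd in keys.get(key, {}).items():
            path = command_path(cmd).lower()
            if not path.startswith(TRUSTED_DIRS):
                findings.append((key, name, f"starts from outside trusted directories: {path}"))
    return findings


if __name__ == "__main__":
    for key, name, reason in audit_autoruns(parse_reg(SAMPLE_REG)):
        print(f"{key}\\{name}: {reason}")
```

On the constructed sample the script reports two entries: the Shell value carrying a second executable, and the "updater" Run entry under the user profile. A real run would start from a .reg export of the same keys (regedit's export, or Autoruns' own listing with the 'Hide Signed Microsoft Entries' option applied) and should be followed by checking the flagged files' digital signatures, which this offline example does not do.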
