
Malwarebytes

Trojan WinNT/Alureon - gaopdxtnsxcebw.sys


5 replies to this topic

#1
Maurice Naggar

    Malicious-software eradicator

  • Moderators
  • 4,245 posts
  • Gender:Male
  • Location:USA
  • Interests:Security, Windows, Windows Update, malware prevention
Hello,

I have posted at Malware-research and thought I'd post here as well, to see if your researchers have more info on a new trojan.

I have an OP at Aumha.net Malware Removal forum with something quite similar (if not the same) to Trojan WinNT/Alureon, which was tagged and removed by MBAM.
These files were found:
gaopdxsrrytwpm.dll
gaopdxtnsxcebw.sys


My question is whether the "GAOPDX" in the root of the filename is significant to this infector?
Also, do your researchers have more info on these files or file types?

Snippets from the MBAM log:


Folders Infected:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\freshplay (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\System32\gaopdxsrrytwpm.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\drivers\gaopdxtnsxcebw.sys (Trojan.Agent) -> Quarantined and deleted successfully.

REF http://aumha.net/viewtopic.php?f=30&t=...=212631#p212631

~~ Added notes ~~

I found some very helpful notes on McAfee
http://vil.nai.com/v...nt/v_154186.htm

and yes, the prefix "gaopdx" IS significant.
The dll file was paired with a driver.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#2
lkpederson

    New Member

  • Members
  • 1 posts
Windows Malware remover is finding winnt/alureon.c but the latest version of MB is not. Having trouble getting the little sucker out of there. Ideas?

#3
Maurice Naggar

    Malicious-software eradicator

  • Moderators
  • 4,245 posts
  • Gender:Male
  • Location:USA
  • Interests:Security, Windows, Windows Update, malware prevention
If you believe your system has malware, then see and follow the instructions here
I'm infected - What do I do now?

Good luck.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#4
Fatdcuk

    Malware BBQ'er

  • Moderators
  • 16,155 posts
  • Gender:Male
  • Location:127.0.0.1
lkpederson,

Some variants of the CLB Rootkit infection have MBAM blacklisted, so either we are unable to install, or in some cases can install but not update the software database in order to attack the infection.

Here's a walkthrough I knocked up for attacking the CLB driver infection and how to get MBAM back into the fight :)
http://www.malwareby...showtopic=12709

Hi Maurice,

They are from the same family of RK infections with the following prefixes: TDSS, Seneka and UAC.
Microsoft classifies them as WinNT.Alureon because they are RK type.
The payload bots are classified as Win32.Alureon.
http://www.microsoft.com/security/portal/S...winNT%2FAlureon
Ade Gill
Research Engineer


#5
Guest_remixed_*

  • Guests
I suffered a similar fate a short time ago through being complacent with Internet Antivirus and ended with a rather stubborn rootkit:
C:\Documents and Settings\All Users\Application Data\microsoft\network\dlls\bjjixtbsvf.dll
C:\Documents and Settings\All Users\Application Data\microsoft\network\dlls\iemodule.dll
C:\Program Files\system guard 2009\systemguard.exe
C:\Program Files\system guard 2009\uninstall.exe
C:\Windows\System32\senekabiysufkk.dll
C:\Windows\System32\senekabpqxxnos.dll
C:\Windows\System32\senekakorduymb.dll
C:\Windows\System32\senekapxywyksp.dll
C:\Windows\System32\senekauetqxtiq.dll
C:\Windows\System32\senekavivximpc.dll
C:\Windows\System32\winscenter.exe
C:\Documents and Settings\Neil2\Local Settings\Temp\\file.exe
Threw everything at it and just when I thought... back it came. MBAM was either non-functional or effective depending on the stage of recovery.
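As an added defensive triage example (not code from this thread, from Malwarebytes or from any of the posters), the following Python scans MBAM-style log lines and bare paths, such as those in posts #1 and #5, for the family prefixes named in post #4 (gaopdx, seneka, TDSS, UAC) and flags a prefix that shows up as both a System32 DLL and a kernel driver, as Maurice observed for gaopdx. The "prefix followed by at least six random letters" rule is an assumption drawn from the file names in the thread, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Prefixes this thread names for the TDSS/Alureon rootkit family. Assumed naming
# rule (from the samples in the thread): family prefix followed by random letters.
FAMILY_PREFIXES = ("gaopdx", "seneka", "tdss", "uac")

_NAME_RE = re.compile(
    r"^(?P<prefix>%s)[a-z]{6,}\.(?P<ext>dll|sys)$" % "|".join(FAMILY_PREFIXES), re.I
)
# MBAM log lines look like "<path> (<detection>) -> <action>"; bare paths also occur.
_PATH_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.*?)(?:\s+\([^)]*\)\s*->.*)?$")

# Constructed sample mixing MBAM log lines and bare paths like those in the thread.
SAMPLE_LINES = [
    r"C:\Windows\System32\gaopdxsrrytwpm.dll (Trojan.Agent) -> Quarantined and deleted successfully.",
    r"C:\Windows\System32\drivers\gaopdxtnsxcebw.sys (Trojan.Agent) -> Quarantined and deleted successfully.",
    r"C:\Windows\System32\senekabiysufkk.dll",
    r"C:\Windows\System32\senekapxywyksp.dll",
    r"C:\Windows\System32\winscenter.exe",
    r"C:\Windows\System32\drivers\tcpip.sys",
]

def classify_path(path):
    """Return (prefix, ext) if the file name matches the family naming rule, else None."""
    name = path.rsplit("\\", 1)[-1]
    m = _NAME_RE.match(name)
    return (m.group("prefix").lower(), m.group("ext").lower()) if m else None

def scan_lines(lines):
    """Triage log/path lines: list suspicious files and note dll+driver pairs per prefix.

    A prefix hit alone is only a triage signal; a user-mode .dll plus a .sys driver
    sharing the same prefix (as seen for gaopdx in this thread) raises confidence."""
    hits = []
    by_prefix = defaultdict(lambda: {"dll": [], "sys": []})
    for line in lines:
        m = _PATH_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path").strip()
        tag = classify_path(path)
        if tag:
            prefix, ext = tag
            hits.append((path, prefix, ext))
            by_prefix[prefix][ext].append(path)
    pairs = {p: (v["dll"], v["sys"]) for p, v in by_prefix.items() if v["dll"] and v["sys"]}
    return {"hits": hits, "dll_driver_pairs": pairs}
```

Run `scan_lines(SAMPLE_LINES)` on the constructed sample: four family-named files are flagged and only gaopdx is reported as a dll/driver pair.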

#6
Maurice Naggar

    Malicious-software eradicator

  • Moderators
  • 4,245 posts
  • Gender:Male
  • Location:USA
  • Interests:Security, Windows, Windows Update, malware prevention

Fatdcuk, on Apr 14 2009, 05:52 PM, said:

lkpederson,

Hi Maurice,

They are from the same family of RK infections with the following prefix's TDSS,Seneka and UAC
Hello Ade,
Yes, thanks. I got some clues a day or two after initial post. :)
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
