TDS Can't Delete Trojan - help

Discussion in 'Trojan Defence Suite' started by MarkWW, Apr 23, 2003.

Thread Status:
Not open for further replies.
  1. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Well, give it a try. But first update it (if you haven't done that so far).

    Greeting,

    Patrice
     
  2. jmiller

    jmiller Guest

    All right... I am going to scan my system completely with both tools, TDS3 and Avast... thanks for all the help and support, and I will post anything interesting later... gnight all... :cool:
     
  3. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi jmiller!

    Just got some thoughts about this issue here:
    Start the regedit again and search for the following strings:

    -unreal
    -awakening
    -Downloads (check what registry entries you have here)
    -corona

    Best regards!

    Patrice
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Maybe this will help in tracking it down:
    http://www.sarc.com/avcenter/venc/data/w32.coronex@mm.html

    You will have to copy and paste the link because of the @.

    Regards,

    Pieter
     
  5. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Good link Pieter! :D

    jmiller, search your whole hard disk for corona.exe

    Regards,

    Patrice
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Thanks a lot Pieter, strange that googling just for coronex didn't give any proper results. The list is incomplete, as "the awakening (full)" was not in that list of game names :)
    So jmiller, to you the honour of being unique till now.
    I'm shocked to see the infected file can grow to 270 MB! Hope that will never be the size it's trying to attach for resend (not, as far as I read the description, but imagine!)
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Dumb luck Jooske. :)
    I stumbled upon a thread on a Dutch forum posted by Geeske about this worm and put two and two together. (5, right?)
    It is on the list though, third from the bottom:
    Unreal 2: The Awakening (full).exe

    Regards,

    Pieter
     
  8. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Glad you haven't been infected with this one..

    Does the trace alarm go away when you update the databases and run a trace scan again? It must be that this is a trace scan bug; there is one other we know of :(
     
  9. jmiller

    jmiller Guest

    All right, back again.
    Did a complete system scan with TDS3 updated.
    Scanned with Avast; updating is automatic.

    And still only the trace scan from TDS3 registers the worm.

    My Documents is still showing nothing in it; even checked properties and it shows zero KB.

    Checked the Symantec site and looked in regedit under the appropriate strings and did not find the keys that were in the Internet Explorer or the Windows boxes...

    Did a complete search of hard drive "C" for corona.exe: did not find anything....

    Also... I sent the file trace to TDS by right-clicking the worm in the alarm section of TDS, but I got a message from them saying nothing was sent?

    And why doesn't the file show in My Documents?
    It's like a ghost.... :eek:

    Thanks again for all the help :p
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Now I'm thinking, connecting all the messages and Gavin's explanation....... possibly nothing there and no more alarm after today's update?
     
  11. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Yep, now it's up to DCS to help you!

    I would uninstall and reinstall TDS-3 to see if it solves the problem. But perhaps this isn't necessary. Let's wait for the answer of DCS.
     
  12. jmiller

    jmiller Guest

    The alarm is still there:

    File Trace: Default trojan filename

    Possibly Worm.Coronex - submit

    C:\My Downloads\Unreal 2: The Awakening (full).exe

    I delete it and it comes back...

    I submitted it and it hasn't been sent?

    Maybe it is a ghost.... :eek:

    I will be back tomorrow (later today) with an update of my situation...

    Thanks
    ;)
     
  13. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    IMO this one could - possibly - be the culprit. If my memory serves me right, this .exe can be used as a very nasty devil in disguise, detected approx. February 2003. I'll drop DCS an email with specs and where to get it.

    regards.

    paul
     
  14. FanJ

    FanJ Guest

    Hi,

    I just received a warning from Sophos:

    http://www.sophos.com/virusinfo/analyses/w32coronexa.html
    [hr]
    Description
    W32/Coronex-A is an internet worm which emails itself to every contact in the Windows address book.

    The email characteristics vary depending upon the current day of the week, as follows:

    ---snip by FanJ (see that Sophos page !)---


    When first run, the worm displays a message box with the text "SARS Virus, corona virus", copies itself to the Windows folder as Corona.exe and creates the following registry entry so that corona.exe is run automatically each time Windows is started:


    The worm copies itself to the C:\My Downloads folder using 1 of the 24 filenames listed below, depending upon the current hour of the day:

    Age Of Mythology.exe
    Battlefield 1942 (full).exe
    Black Hawk Down (full).exe
    Command & Conquer: Generals.exe
    Cossacks Full Version.exe
    Dark Age of Camelot.exe
    Doom 3.exe
    Grand Theft Auto 3 (full).exe
    Jedi Knight II.exe
    Master Of Orion 3.exe
    Medel Of Honor: Allied Assault.exe
    Oni full.exe
    Quake 3 Full Version.exe
    Rainbow 6 Full.exe
    Return to Castle Wolfenstien (Full).exe
    Starcraft full.exe
    The Lord of the Rings.exe
    The Sims: Unleashed.exe
    Tribes 2 (full).exe
    Ultima Online.exe
    Unreal 2: The Awakening (full).exe
    Unreal.exe
    Warcraft III Full.exe
    White and Black.exe

    When run with a -A command line switch (i.e. on startup), the worm runs continuously in the background and emails itself when the time is 1 minute past any hour.

    The worm also changes the start page for Microsoft Internet Explorer by setting the registry entry

    HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
    ---deleted by FanJ---
     
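The checks the thread's participants are doing by hand (search for corona.exe, look for the Run entry, check the start page, compare the alarm's filename with Sophos's list) combined into one script. This is an added example, not code from the thread, Sophos, or DiamondCS. The 24 filenames, the corona.exe copy, the `-A` switch and the IE `Main\Start Page` value come from the Sophos text quoted above; the Run key path (Sophos's write-up only shows it as an image here), the `C:\My Downloads` listing on a live host, the expected start page and the sample host states are assumptions or constructed data. The grading reflects the thread's point: a matching game filename alone is exactly what a filename-only trace signature keys on, so it is rated weak unless the dropped Windows copy or the Run entry corroborates it.

```python
"""Defender-side check for the W32/Coronex-A indicators quoted from Sophos.
Added example; not code from the thread, Sophos or DiamondCS. assess() works
on already-collected data so it runs offline on any platform;
collect_windows_state() reads the live indicators only on Windows."""
import os
import sys
from typing import Dict, Iterable, List, Optional

# The 24 drop filenames exactly as listed in the Sophos description.
CORONEX_DROP_NAMES = {
    "Age Of Mythology.exe", "Battlefield 1942 (full).exe",
    "Black Hawk Down (full).exe", "Command & Conquer: Generals.exe",
    "Cossacks Full Version.exe", "Dark Age of Camelot.exe", "Doom 3.exe",
    "Grand Theft Auto 3 (full).exe", "Jedi Knight II.exe",
    "Master Of Orion 3.exe", "Medel Of Honor: Allied Assault.exe",
    "Oni full.exe", "Quake 3 Full Version.exe", "Rainbow 6 Full.exe",
    "Return to Castle Wolfenstien (Full).exe", "Starcraft full.exe",
    "The Lord of the Rings.exe", "The Sims: Unleashed.exe",
    "Tribes 2 (full).exe", "Ultima Online.exe",
    "Unreal 2: The Awakening (full).exe", "Unreal.exe",
    "Warcraft III Full.exe", "White and Black.exe",
}
WINDOWS_COPY = "corona.exe"                                   # from Sophos text
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"   # ASSUMED key path
IE_MAIN_KEY = r"Software\Microsoft\Internet Explorer\Main"    # from Sophos text


def _basename_lower(path: str) -> str:
    # os.path.basename does not split on backslashes off Windows, so do it by hand.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_drop_names(filenames: Iterable[str]) -> List[str]:
    """Entries in a My Downloads listing that match one of the 24 worm filenames."""
    wanted = {n.lower() for n in CORONEX_DROP_NAMES}
    return sorted(f for f in filenames if _basename_lower(f) in wanted)


def find_run_entries(run_values: Dict[str, str]) -> List[str]:
    """Run-key value names whose command line launches corona.exe."""
    return sorted(name for name, cmd in run_values.items()
                  if WINDOWS_COPY in cmd.lower())


def assess(windows_files: Iterable[str], downloads_files: Iterable[str],
           run_values: Dict[str, str], ie_start_page: Optional[str],
           expected_start_page: str) -> dict:
    """Combine the indicators and grade them: strong if the Windows copy or the
    Run entry is present, weak if only a filename or start-page hit, else clean."""
    result = {
        "windows_copy": any(_basename_lower(f) == WINDOWS_COPY for f in windows_files),
        "drop_names": find_drop_names(downloads_files),
        "run_entries": find_run_entries(run_values),
        "start_page_changed": (ie_start_page is not None and
                               ie_start_page.strip().lower()
                               != expected_start_page.strip().lower()),
    }
    if result["windows_copy"] or result["run_entries"]:
        result["verdict"] = "strong"
    elif result["drop_names"] or result["start_page_changed"]:
        result["verdict"] = "weak"
    else:
        result["verdict"] = "clean"
    return result


def collect_windows_state(expected_start_page: str) -> Optional[dict]:
    """Read the live indicators on a Windows host; returns None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only standard-library module
    windows_files = os.listdir(os.environ.get("WINDIR", r"C:\Windows"))
    downloads = r"C:\My Downloads"  # folder named in the Sophos text
    downloads_files = os.listdir(downloads) if os.path.isdir(downloads) else []
    run_values, start_page = {}, None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
            for i in range(winreg.QueryInfoKey(key)[1]):
                name, data, _ = winreg.EnumValue(key, i)
                run_values[name] = str(data)
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, IE_MAIN_KEY) as key:
            start_page = str(winreg.QueryValueEx(key, "Start Page")[0])
    except OSError:
        pass  # key or value absent: treated as no indicator
    return assess(windows_files, downloads_files, run_values,
                  start_page, expected_start_page)


# Constructed sample states (not real captures): the picture the thread
# describes (filename hit only) and a host showing every Sophos indicator.
FALSE_POSITIVE_CASE = dict(
    windows_files=["explorer.exe", "notepad.exe"],
    downloads_files=[r"C:\My Downloads\Unreal 2: The Awakening (full).exe"],
    run_values={"Avast": r"C:\Program Files\Avast\ashDisp.exe"},
    ie_start_page="about:blank", expected_start_page="about:blank")
INFECTED_CASE = dict(
    windows_files=["explorer.exe", "Corona.exe"],
    downloads_files=[r"C:\My Downloads\Doom 3.exe"],
    run_values={"corona": r"C:\WINDOWS\Corona.exe -A"},
    ie_start_page="http://example.invalid/", expected_start_page="about:blank")

if __name__ == "__main__":
    for label, case in (("thread's picture", FALSE_POSITIVE_CASE),
                        ("real infection", INFECTED_CASE)):
        print(label, assess(**case))
    live = collect_windows_state("about:blank")
    if live:
        print("this host", live)
```

Run it as-is to see the two constructed cases graded; on a Windows host it also grades the live machine. A "weak" verdict with an empty `run_entries` list and no Windows copy is the state jmiller, spy1 and MarkRaa describe, which is consistent with the false-positive reading later in the thread.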
  15. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Nice catch, Jan!

    regards.

    paul
     
  16. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I notice that even though the pages you both posted and newsgroup discussions about this nasty exist loud and clear, pasting coronex or any complete name into Google doesn't give any results any more, while before one just needed to name any nasty, in some cases adding trojan or worm or virus, and that would bring the valid search results.
    I noticed in more cases Google doesn't give this kind of wanted information, so I really hope they're not cutting down their once fabulous service. Will try Copernic now even though I don't really like that one.

    The Sophos info is about identical to the Symantec one; on that page it says it was only discovered 21 April and the page written 22 April, so it is a rather new nasty.
    Wondering why it keeps coming back, unless you have to deal with cleaning - disable system restore - reboot - enable system restore - make a new restore point manually, and then it should really be gone.

    I'm running a FSS now myself; did one yesterday too with the other update and had no alarms of that one. Today, with yesterday's and today's updates, I ran trace scans several times and that alert was nowhere. So ............ hmm
    Could more people please run the trace scan and see if anything suspicious jumps up?
     
  17. FanJ

    FanJ Guest

    Thanks Paul, but:
    The honour goes to Pieter !!! ;)
     
  18. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Yeah, I'm getting it, too (since yesterday).

    Still got it after doing this morning's scan with the latest DB. (See screenshot.)
     
  19. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hey Pete, that is surprising!
    Thanks for your alert! Yours is at least telling it was submitted, so Gavin has proof now, I hope, if the file was not empty.
    Could it be some systems are affected by this and others not? (like Win98SE?)
     
  20. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Hi, Jooske!

    The only reason I tried to send it in again this morning was because I had the same situation as jmiller - DCS never got anything when I sent it to them yesterday.

    I went through the same procedure as jmiller (looking for "corona.exe" - nope, not here - looking for the registry key indicated in the Sophos description - don't have it, sorry - homepage was never hijacked (three different programs aboard to prevent that anyway! :) ).

    I notice also that it's always detected as the "Unreal2: The Awakening (full).exe" - the name doesn't change as indicated by Sophos according to the hour of the day.

    I'm pretty much leaning towards this as being a false positive, possibly caused by a plain-text sig that's "hitting" on either "corona.exe" (are there any other programs than the malware one that use that?) or "Unreal2.." itself. Pete

    *I guess I need to go into my son's profile on here and scan from there, too, though.
     
  21. MarkRaa

    MarkRaa Guest

    Yep, it remains on my computer as well...

    I've searched my whole hard disk for corona.exe -- comes up with nothing.

    Ran a complete scan with TDS-3....continues to identify it being there and all attempts to delete with TDS fail.

    I ran a full scan (deep) with the latest NOD-32 - nothing detected and the AMON memory monitor by NOD continues to find nothing as well!

    Submitted the file to TDS through the program - can't find it in folders to submit any other way.
     
  22. MarkRaa

    MarkRaa Guest

    Searched Registry...

    Negative



    You wrote to the other fellow:

    Just got some thoughts about this issue here:
    Quote from: jmiller on Today at 02:46:01am C:\My Downloads\Unreal 2: The Awakening (full).exe



    Start the regedit again and search for the following strings:

    -unreal
    -awakening
    -Downloads (check what registry entries you have here)
    -corona

    Best regards!

    Patrice
     
  23. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Let's keep it on a false positive bug for the moment, as nothing was found on your system and on all the others.
     
  24. MarkRaa

    MarkRaa Guest

    I'm not so sure...

    The other day, someone who received a file from me, a Real Audio (.ram), stated their anti-virus indicated it had a virus, although it didn't identify it. I thought their antivirus might simply be mis-identifying a Real Audio .ram file as a virus.

    Since I run NOD-32, latest version and it scans ALL incoming & outgoing files, I assumed they were mistaken but now I'm beginning to wonder.

    Especially with the information I read at:
    http://www.sophos.com/virusinfo/analyses/w32coronexa.html

    If this is a false positive, why are there only two of us reporting it?
     
  25. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Three by now, spy1 too.
    Did the other person tell which file it was, and did you scan it with TDS with every scan option checked and the worm slider on highest sensitivity?

    Do you keep copies of your sent mail? Might be worth doing so if not, and save a few outgoing emails in another folder outside the email client for deep scanning.


    I still wonder if maybe only Windows XP could be affected here? I run Win98SE and no alerts, not yesterday and not today, outside my test files.
    The database is surely growing, with older files now alerted on with possibly new names than before.
     