Well, my suspicions were confirmed on this. That file is the VBS_INOR.U Trojan. SEVEN days and Trend Micro still has not had an update. But, I downloaded their beta virus defs and it identified this usb_d.exe as the Trojan above. Intelligently, the persons that had something to do INDIRECTLY with the UCE that contained the link to the Trojan have changed the image on their server to read "VIRUS ALERT"...etc, etc, instead of the original product. So, in the UCE that I kept there is now that image instead of the original image about an e-card. (Someone from China [again, no surprise] was spoofing them in an email using an image from their website with it href'd to the Trojan download. EV1.net STILL has not done anything about it and the Trojan can still be downloaded!)

-Clint
----- Original Message -----

I talked to Ben yesterday off list and we got it straight as to what the culprit was that was setting off security alerts. I believe he explained it was something in this post below I pasted from a file. I removed that part from this post, and I'm posting it again without it. In place of it** I've placed a link where I uploaded it. It may still give some of you an alert when you view it, but it's just a text .txt file. (Peter, a reply to your post is still immediately below). There was also something coincidentally in the part I removed that I had filtered so I couldn't see any replies to this for those of you that WERE able to reply.

-Clint

----------------------

Nope, the only USB device I've ever had hooked up is an external USB 2.0 media card reader and it's only hooked up when I need to get images off my digicam CF card, then I remove it. This file was also created right after I downloaded the page.hta file. FWIW, MS update MS03-040 is 828750 and I have that installed. Yesterday when I was searching for it I did what Roger suggested about dropping the .exe and found hits on that but didn't investigate them very much since I did a cross-search for things like "virus", "trojan", "worm", etc. and nothing turned up. I don't think it's a stray USB driver, Roger, because it was added to the system32 folder right after I downloaded that page.hta file.
The page.hta file starts out like this:

    <html>
    <script language="VBScript">
    szBinary = szBinary & "4D5A90000300000004000000FFFF0000B80000000000000040000000000000
    0000000000000000000000000000000000000000000000000000000000E0000
    0000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D"

Then there is a BUNCH of lines similar to that above but with mostly zeroes, then a hundred or so lines similar to this:

    szBinary = szBinary & "BBEEF2C11E1F719AA4A5952873BB7667F76941CE6629007544FEC010EC9D23
    974BA0A038228CA560839D6E273B95217516FD3B57B1E18B45E2D4990012E7E
    4EC49A8EB0F9A17A111E5DDA0B490A8F80F8D8F528BAEE9EEF08A8C"

Then towards the end several of these:

    szBinary = szBinary & "F0F000FF0F0FF00FF000F0F00F0F00F0F0F000FF0F0FF00FF000F0F00F0F00
    F0F0F000FF0F0FF00FF000F0F00F0F00F0F0F000FF0F0FF00FF000F0F00F0F0
    0F0F0F000FF0F0FF00FF000F0F00F0F00F0F0F000FF0F0FF00FF000"

**...and ends with:

[**this is the part that was setting off AV software and other security alerts. I removed it, and uploaded the text here: http://orpheuscomputing.com/tests/temp.txt I'll keep that there for a few days, then delete it.]

Looks like some kind of "exploit". I had no AV updates yesterday or today, so the file is still showing clean.

-Clint

Happy Holidays to all & God Bless
Clint Hamilton, Owner
http://OrpheusComputing.com

----- Original Message -----
From: "Peter Kaulback" <[EMAIL PROTECTED]>

Clint, do you by chance have a PDA connected to your system by USB? I can't remember the reference file specifically but a relative had this on his system after he installed his sync software for his PDA. Try a google on usb_d and drop the extension. The page.hta in windows and IE is the Object Type validation vulnerability, there is a patch for it from MS with more info from CERT here: http://www.cert.org/advisories/CA-2003-22.html

Happy holidays,
Peter Kaulback

In the hour of 04:16 AM 12/26/2003, [EMAIL PROTECTED] spoke this:

>Does anyone know what usb_d.exe is? I cannot find it at any
>search engine.
>I'm presuming it's a worm, virus, Trojan, etc.
>because of the behavior that was exhibited in getting it. Some
>parasite is sending out SPAM and when you click the link in it
>http://antwan052.com/special/ (which I did to find any email
>addresses at the site & no surprise is Ch*inese), it goes to a
>page that gives you a download dialog box from 66.98.188.67
>which prompts you to OPEN "page.hta". I instead of course
>saved it. I got no AV software alert and my AV software is
>updated. Of course this could easily be new malicious
>code and no defs are available yet. I also right clicked and
>scanned it, still no alert. It's 62k in size. I opened it in
>Notepad and it's a VBScript file which in ASCII format
>resembles that of a worm. Out of curiosity (yeah, I know)
>I clicked the page.hta file and got a firewall warning (see
>below) from 66.98.188.67 & cjdra.com (both EV1) and
>cjdra.com is registered to the same parasite of the URL
>in the SPAM. I of course denied the firewall request. That
>file usb_d.exe is in the folder specified below and was just
>put there (and I deleted it from the system32 folder). Right
>clicking it gives absolutely no info on what exactly it is.
>It's 27k in size. When I ctrl-alt-del'd, usb_d.exe was
>running and I closed it down. While it may not be a worm
>or virus, it does appear to be some type of spyware with
>Trojan behavior that sends info back to the sender.
>
>All of my anti-spyware programs showed nothing. However SpyBot
>showed it (usb_d) WAS added to the startup group which I
>removed. I had run MSCONFIG prior to this and oddly it didn't
>show in the startup tab then. I searched the registry for
>usb_d and it showed up only under "run-disabled" which of
>course was there due to the fact I disabled it from starting
>up. I deleted that key.
>
>Firewall warning:
>
>File Version :
>File Description : C:\WINDOWS\system32\usb_d.exe
>File Path : C:\WINDOWS\system32\usb_d.exe
>Process ID : 508 (Heximal) 1288 (Decimal)
>Connection origin : local initiated
>Protocol : TCP
>Local Address : 192.168.0.134
>Local Port : 3312
>Remote Name : cjdra.com
>Remote Address : 66.98.188.67
>Remote Port : 80 (HTTP - World Wide Web)
>Ethernet packet details:
>Ethernet II (Packet Length: 62)
>  Destination: 00-50-18-09-61-4c
>  Source: 00-07-e9-02-0c-58
>Type: IP (0x0800)
>Internet Protocol
>  Version: 4
>  Header Length: 20 bytes
>  Flags:
>    .1.. = Don't fragment: Set
>    ..0. = More fragments: Not set
>  Fragment offset: 0
>  Time to live: 64
>  Protocol: 0x6 (TCP - Transmission Control Protocol)
>  Header checksum: 0xc967 (Correct)
>  Source: 192.168.0.134
>  Destination: 66.98.188.67
>Transmission Control Protocol (TCP)
>  Source port: 3312
>  Destination port: 80
>  Sequence number: 351767516
>  Acknowledgment number: 0
>  Header length: 28
>  Flags:
>    0... .... = Congestion Window Reduce (CWR): Not set
>    .0.. .... = ECN-Echo: Not set
>    ..0. .... = Urgent: Not set
>    ...0 .... = Acknowledgment: Not set
>    .... 0... = Push: Not set
>    .... .0.. = Reset: Not set
>    .... ..1. = Syn: Set
>    .... ...0 = Fin: Not set
>  Checksum: 0xcb1d (Correct)
>  Data (0 Bytes)
>Binary dump of the packet:
>0000: 00 50 18 09 61 4C 00 07 : E9 02 0C 58 08 00 45 5C | .P..aL.....X..E\
>0010: 00 30 12 CF 40 00 40 06 : 67 C9 C0 A8 00 86 42 62 | .0..@.@.g.....Bb
>0020: BC 43 0C F0 00 50 14 F7 : 8B DC 00 00 00 00 70 02 | .C...P........p.
>0030: F7 80 1D CB 00 00 02 04 : 05 A0 01 01 04 02       | ..............
>
>-Clint

============= PCWorks Mailing List =================
Don't see your post? Check our posting guidelines & make sure you've followed proper posting procedures, http://pcworkers.com/rules.htm
Contact list owner <[EMAIL PROTECTED]>
Unsubscribing and other changes: http://pcworkers.com
=====================================================
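A defender-side check for the dropper format this thread describes: an HTA whose VBScript appends hex strings to one variable until they form a Windows executable. This is added example code, not from the thread or any product named in it; the sample HTA is constructed from the three header fragments quoted in the post, and the function names are mine.

```python
import re

# Constructed sample: the first three szBinary lines quoted in the thread,
# wrapped in the <html><script language="VBScript"> shell the post describes.
# The real page.hta carried hundreds more such lines; this is only the DOS header.
SAMPLE_HTA = '''<html>
<script language="VBScript">
szBinary = szBinary & "4D5A90000300000004000000FFFF0000B80000000000000040000000000000"
szBinary = szBinary & "0000000000000000000000000000000000000000000000000000000000E0000"
szBinary = szBinary & "0000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D"
</script>
</html>'''

# Matches VBScript string-append lines of the form   var = var & "HEX..."
_APPEND = re.compile(r'(\w+)\s*=\s*\1\s*&\s*"([0-9A-Fa-f\s]*)"')

def extract_hex_blob(text):
    """Concatenate every hex fragment appended to the same VBScript variable.
    Returns (variable name, raw bytes); the bytes are empty when nothing is found."""
    frags = {}
    for name, chunk in _APPEND.findall(text):
        frags.setdefault(name, []).append(re.sub(r'\s+', '', chunk))
    if not frags:
        return None, b''
    name = max(frags, key=lambda k: sum(map(len, frags[k])))   # the biggest blob
    hexstr = ''.join(frags[name])
    if len(hexstr) % 2:        # truncated last fragment: drop the dangling nibble
        hexstr = hexstr[:-1]
    return name, bytes.fromhex(hexstr)

def analyse_hta(text):
    """Flag an HTA whose script rebuilds a Windows executable from hex strings."""
    name, blob = extract_hex_blob(text)
    result = {'variable': name, 'size': len(blob), 'mz_header': False,
              'e_lfanew': None, 'pe_signature': False, 'dos_stub_text': None}
    if len(blob) < 64 or blob[:2] != b'MZ':
        return result
    result['mz_header'] = True
    e_lfanew = int.from_bytes(blob[0x3C:0x40], 'little')   # offset of "PE\0\0"
    result['e_lfanew'] = e_lfanew
    # The fragments quoted on the page stop before e_lfanew, so this stays False
    result['pe_signature'] = blob[e_lfanew:e_lfanew + 4] == b'PE\0\0'
    m = re.search(rb'This program[ -~]*', blob[64:])        # DOS stub message
    result['dos_stub_text'] = m.group(0).decode() if m else None
    return result

if __name__ == '__main__':
    print(analyse_hta(SAMPLE_HTA))
```

An MZ header followed by the DOS stub text inside a script file is a strong signal regardless of whether the AV definitions recognise the final executable; a full sample should also yield `pe_signature` True at `e_lfanew`.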
