To the T.S.G techies

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

$teve

Thread Starter
Joined
Oct 9, 2001
Messages
9,396
This is for any tech reading this. These are the tell-tale signs of the Peper.A trojan, which is a particularly difficult one to remove.

These 2 processes will morph their file size and filenames on every re-boot or H/T scan to keep from being deleted or spotted... So don't note down the name; they always sit side by side in the running processes in the bottom third. (Those of you who don't check the running processes had better start :D)
C:\WINDOWS\System32\Rcij.exe
C:\WINDOWS\System32\Szw2E5.exe

The same with this one... The only constant is the "[2LRX2W83X2T3MQ]". Obviously it's random and different for every infection, but it's a dead giveaway.
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Vju9.exe

All three are always found on the infected machine... easy to spot but hard to remove.
We spent a couple of days banging our heads against the wall getting rid of this baby, but the best way and only really efficient way is to download TDS-3 from http://www.wilders.org/anti_trojans.htm
and update it following the instructions here:
http://tds.diamondcs.com.au/index.php?page=update
JUST A NOTE... IF THE POSTER ALREADY HAS AN A/V PROGRAM HE SHOULD DISABLE IT BEFORE RUNNING THE ABOVE!

Then enable the real-time protection and run a full system scan.

Just thought I would give you the heads up on this one.

Thanx;)
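Since the post above says the file names and sizes change on every reboot, the one thing a technician can actually pattern-match in a HijackThis log is the shape of the O4 Run entry: a long, random, all-upper-case alphanumeric value name in square brackets pointing at a short random .exe in System32. The script below is an added example written for this thread, not code from the original post or from TDS-3; the sample O4 lines are constructed here for illustration (only the Peper.A-style line reuses the key name and path quoted in the post), and the "looks random" rule is an assumption of this example rather than anything the vendors publish. Treat a hit as a prompt to look closer, not as proof: an obscure but legitimate vendor key can trip a heuristic like this.

```python
import re

# Constructed sample HijackThis O4 lines for this example. The PEPER.A-style
# entry reuses the key name and path quoted in the post above; the other
# entries are typical benign lines invented here for contrast.
SAMPLE_O4_LINES = [
    "O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup",
    "O4 - HKLM\\..\\Run: [2LRX2W83X2T3MQ] C:\\WINDOWS\\System32\\Vju9.exe",
    "O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\System32\\ctfmon.exe",
    "O4 - HKLM\\..\\RunOnce: [SoundMan] SOUNDMAN.EXE",
    "O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 5.0\\Reader\\ActiveX\\AcroIEHelper.ocx",
]

# HijackThis O4 format: "O4 - <hive>\..\<Run key>: [<value name>] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)


def parse_o4(line):
    """Return the fields of an O4 line as a dict, or None for any other line."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def looks_random(name):
    """Heuristic (this example's assumption) for machine-generated value names.

    The post says the name is random and differs per infection, so it cannot
    be matched literally; instead flag names that are long, all upper-case
    alphanumerics with a real mix of digits and letters. Ordinary vendor
    entries (NvCplDaemon, ctfmon.exe, SoundMan) fail one of these tests.
    """
    if not re.fullmatch(r"[A-Z0-9]{10,}", name):
        return False
    digits = sum(c.isdigit() for c in name)
    letters = len(name) - digits
    return digits >= 3 and letters >= 3


def first_token(cmd):
    """Extract the executable path from a Run command line (handles quoting)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def find_suspect_run_entries(lines):
    """Return (value name, target executable) for every O4 entry whose value
    name looks machine-generated. The target path is reported for the
    technician's benefit only: per the post it changes on every reboot, so
    it must never be used as the signature."""
    suspects = []
    for line in lines:
        entry = parse_o4(line)
        if entry and looks_random(entry["name"]):
            suspects.append((entry["name"], first_token(entry["cmd"])))
    return suspects


if __name__ == "__main__":
    for name, target in find_suspect_run_entries(SAMPLE_O4_LINES):
        print(f"suspect Run entry [{name}] -> {target}")
```

Run it against a pasted log and it reports only the Peper.A-style entry from the sample set; the benign NVIDIA, ctfmon and SoundMan lines pass untouched. The O2 line is ignored because only O4 entries are parsed.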
 
Joined
Jul 26, 2002
Messages
46,331
$teve

I have something that I would like clarified concerning TDS-3. I have seen the instructions given to enable "Execution protection" here and at SpywareInfo. I have downloaded TDS-3 to familiarize myself with it so I would know what I was talking about when I instructed someone to use it. However, I have found that you cannot enable execution protection unless you purchase a reg key ($49). I am going to purchase one myself as I think it is a great program. Am I missing something here?
 

dvk01

Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First Name
Derek
I have found out that NOD antivirus also stops & cures this particular trojan, but the problem with NOD is that it is not a good idea to run 2 anti-viruses on your computer, so I only advise the NOD trial edition when I see the infected computer hasn't got any AV running.

Pieter (MEtalica) has submitted copies of the trojan to all the major AV vendors, Norton, McCrappy etc., but as of a couple of days ago only NOD & TDS-3 could fix it.


The problem being that most AVs and the vast majority of anti-trojans cannot deal with a polymorphic trojan/virus. Most rely on a definite signature, which this, along with other polymorphic ones, doesn't have; it changes not just its name but its file size and content and controlling server each time it morphs, so you can see the problem with fixing it.

I just wish the scum who use their undoubted talents to make these trojans would put their talents to a better use
 

$teve

Thread Starter
Joined
Oct 9, 2001
Messages
9,396
Originally posted by flrman1:
$teve

I have something that I would like clarified concerning TDS-3. I have seen the instructions given to enable "Execution protection" here and at SpywareInfo. I have downloaded TDS-3 to familiarize myself with it so I would know what I was talking about when I instructed someone to use it. However, I have found that you cannot enable execution protection unless you purchase a reg key ($49). I am going to purchase one myself as I think it is a great program. Am I missing something here?
As far as I know, Mark, that's the way it is till you buy the program.

;)
 
Joined
Jul 26, 2002
Messages
46,331
Thanks $teve. I just wanted to make sure. I didn't think I missed anything.
 

~Candy~

Retired Administrator
Joined
Jan 27, 2001
Messages
103,706
Hi guys, I'll pin this to the top for a bit for your continued discussion and others FOR READING PURPOSES ONLY.

Do NOT post HijackThis logs to this thread!

Where's that angry smiley I had found.................
 

$teve

Thread Starter
Joined
Oct 9, 2001
Messages
9,396
No... like this:

DO NOT POST HIJACKTHIS LOGS IN THIS THREAD!!! GRRR! PLEASE


;)
 
Joined
Nov 7, 1999
Messages
4,504
Trend Micro lists this as having been discovered on 09/22/2003; their pattern 632 and up detects it.
 
Joined
Jul 26, 2002
Messages
46,331
wedor

Do you have a link to this info? I can't find anything on peper.a at Trend.
 
Joined
Aug 30, 2003
Messages
1,281
According to Virus Bulletin magazine, the world's foremost independent authority on virus detection,

NOD32 is the only virus scanner to detect 100% of viral infections, whether polymorphic or not; it also has very fast scan rates.
I have been using it for 3 months now and it hasn't failed me yet.
I wouldn't hesitate in recommending it to anyone :)
 

dvk01

Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First Name
Derek
This is a link to the Trend info page:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_PEPER.A
It seems that it detects it but doesn't remove it; that has to be done manually, and we all know how bl**dy difficult, if not virtually impossible, that is to do.

It might be possible for a knowledgeable person with physical access to the infected computer, but trying to explain it via the forums or email to a non-tech-minded person is extremely difficult, especially due to the way it morphs.

I agree with evilye; at this time the only antivirus capable of actually dealing with it and other polymorphic malware is NOD32,

and the only trojan killer is TDS-3.
I hope other AV developers will take heed and make their AVs & anti-trojans capable of fixing this new breed of polymorphic pests.

It looks like they are the latest form of malware and we can expect to see a lot more of them;
as an example, CWS is now using a similar method of polymorphic dropping and it is getting harder to find & cure that infection.
 
Joined
Feb 19, 2003
Messages
8,812
My SystemSuite 5 uses Trend Micro antivirus. It detects it, deletes it, and keeps you from installing it. :D
 
