
Anyone else ran the "sims_nude(1).exe" trojan?


myAvatar
August 26th, 2001, 18:36
Hey,
I've searched the web and the virus sites, but haven't found any info on this yet.

The file didn't "seem" to do anything when I ran it (it has a generic EXE icon). But right after, my firewall software popped up saying that "regedit" was trying to contact a website on the SMTP port.

Now every time my PC boots, the regedit process is running (two processes actually, under the main program). Neither of which is visible in the taskbar or via ALT+TAB.

I dissected the file... and it appears to be in VB5. It keeps creating a file in C:\windows called "99334.exe". I deleted it 5 times, and it immediately reappeared. I tried to disassemble it, and it says it's not recognized as a valid file format. So I opened it in HIEW, and I saw the text "[m52 aol password logger]" (and that's all).

Any ideas? Anyone want to look at it? Any places I should've searched for info on it but didn't? (I searched via Google, and on the NAI website.)

Regards,
myAvatar

myA
August 26th, 2001, 18:52
Hopefully someone will kill the second thread I started.

So, the correct filename (as I downloaded it) is "nude_sims(1).exe".

Some more info I've found. It (or actually regedit.exe) is continuously enabling an autodial key in the registry, then checking the list of service providers (DUN connectoids?) that I have (but it never tries to dial, that I've noticed... the lights on my hardware modem haven't changed since it was installed).

myA

myA
August 26th, 2001, 19:01
Some more info: in the same dir that I downloaded the nude sims file to are two other files, both ending in .dat. They both start as "kazadownload" then a seemingly random string of numbers. The file was downloaded via Morpheus (file sharing program).

One of these .dat files ("kazaadownload998869459180662.dat") has the same text at the beginning of it, "[m52 aol password logger]"... it is then followed by what appears to be JavaScript...

-=CODE START=-
var agent_isIE = 0;

var agent_Major = '5';
var L_H_APP='MSN Search';
var H_URL_BASE='http://help.msn.com/EN_US';
var H_CONFIG='searchv3.ini';
var bSearch=true;
var H_BRAND='';
var H_FILTER='';
var H_TOPIC='';
var bScreen=false;
var L_H_TEXT='MSN Search';
if( ( navigator.userAgent.indexOf("Nav") > 0 ) || ( navigator.userAgent.indexOf("Mozilla/4.5") > -1 ) ){
    var agent_isNS = 1;
} else {
    var agent_isNS = 0;
}
if(navigator.userAgent.indexOf("Mac") > 0){
    var agent_isMac = 1;
} else {
    var agent_isMac = 0;
}
var agent_isAOL = 0;
H_KEY = 'srch_rslts';
if( navigator.appVersion.indexOf("4.")>=0) bScreen=true;
// Wrapper function to allow me to modify the variables in the Help call and not have to set global variables to do so
//
// fWrapHelp( IN v_bSearch, IN v_H_KEY, IN v_L_H_TEXT )
// WHERE
// v_bSearch = boolean value identifying whether this is a search in help or a topic
// v_H_KEY = if v_bSearch is false, then this is a topic, else it is a secret keyword
// v_L_H_TEXT = if v_bSearch is false, then it's ignored, else it is a localized string displayed in UI
function fWrapHelp( v_bSearch, v_H_KEY, v_L_H_TEXT )
{
    //Set each var and then call DoHelp()
    //If a Search is enabled, then we need KEY and TEXT values, otherwise it's a topic and we just need TOPIC
    if( v_bSearch )
    {
        bSearch = v_bSearch;
        H_KEY = v_H_KEY;
        L_H_TEXT = v_L_H_TEXT;
    } else {
        H_TOPIC = v_H_KEY;
        bSearch = v_bSearch;
    }
    DoHelp();
    bSearch = true;
}
function newUrl()
{
    var strID = document.all.item("q").value;
    if (strID == "")
    {
        window.alert("Please type the word or words you wish to search for in the Search box.");
        SetFocus();
    }else{
        if (strID.indexOf("://") < 1)
        {
            strID = "http://" + strID;
        }
        self.location = strID;
    }
}
function SetFocus(objMT)
{
    document.all.item("q").focus();
}
function tooltip()
{
    document.all.item("tips").style.display = "";
}

-=CODE END=-

myA
August 26th, 2001, 19:05
The file mentioned above (with the JS code) seems to be partial HTML from searches I have done (or partial HTML from IE windows that have been opened, because one references the Morpheus main page, and Morpheus itself uses IE).
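
The kind of quick look the original poster did by hand with HIEW (scanning 99334.exe for readable text and finding the "[m52 aol password logger]" marker) and the later observation that the .dat files hold that same marker followed by stray MSN Search HTML/JavaScript can be automated as a small string-triage pass. The following is an added example, not code from the thread or from any analysis tool mentioned in it. It assumes the marker text quoted in the posts and the fact that MSVBVM50.DLL is the Visual Basic 5 runtime (a reference to it is the usual reason a file gets called "VB5"); the two sample byte strings are constructed here, not real captures.

```python
# Added example: string triage of a suspect file, mirroring a manual HIEW look.
# Lists printable strings, locates the marker quoted in the thread, notes a
# VB5 runtime reference, and flags embedded HTML/JavaScript like the MSN
# Search fragment found in the .dat file.
import re
from typing import Dict, List

# Marker text quoted in the thread.
MARKER = b"[m52 aol password logger]"
# MSVBVM50.DLL is the Visual Basic 5 runtime (assumed knowledge, not from the thread).
VB5_RUNTIME = b"MSVBVM50.DLL"

URL_RE = re.compile(rb"https?://[^\s'\"<>]+")
MARKUP_RE = re.compile(rb"<\s*/?\s*(html|body|script|form|head)\b", re.IGNORECASE)
JS_HINT_RE = re.compile(rb"\b(var\s+\w+\s*=|function\s+\w+\s*\(|document\.all)")


def extract_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Return runs of printable ASCII of at least min_len bytes, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def triage(data: bytes) -> Dict[str, object]:
    """Summarise what a first pass over the raw bytes tells an analyst."""
    strings = extract_strings(data)
    return {
        "size": len(data),
        "string_count": len(strings),
        "marker_offset": data.find(MARKER),          # -1 when the marker is absent
        "vb5_runtime": VB5_RUNTIME in data.upper(),  # case-insensitive import check
        "embedded_markup": MARKUP_RE.search(data) is not None,
        "javascript_hints": len(JS_HINT_RE.findall(data)),
        "urls": sorted({m.group().decode("ascii") for m in URL_RE.finditer(data)}),
    }


def report(name: str, data: bytes) -> str:
    """Render the triage result as a short text report."""
    r = triage(data)
    where = "absent" if r["marker_offset"] < 0 else f"at offset {r['marker_offset']}"
    lines = [
        f"== {name} ({r['size']} bytes, {r['string_count']} strings) ==",
        f"marker {MARKER.decode()!r}: {where}",
        f"VB5 runtime reference: {'yes' if r['vb5_runtime'] else 'no'}",
        f"embedded HTML/JS: markup={'yes' if r['embedded_markup'] else 'no'}, "
        f"js-hints={r['javascript_hints']}",
    ]
    lines.extend(f"url: {u}" for u in r["urls"])
    return "\n".join(lines)


# Constructed samples (not real captures): a .dat-style file that starts with the
# marker and then carries a scrap of MSN Search page script, and a fake PE-like
# blob that references the VB5 runtime and also carries the marker.
SAMPLE_DAT = (
    MARKER + b"\r\n"
    b"<html><head><script>\r\n"
    b"var agent_isIE = 0;\r\n"
    b"var H_URL_BASE='http://help.msn.com/EN_US';\r\n"
    b"function newUrl() { var strID = document.all.item(\"q\").value; }\r\n"
    b"</script></head>\r\n"
)
SAMPLE_EXE = (
    b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 40
    + b"msvbvm50.dll\x00" + b"\x00" * 16 + MARKER + b"\x00" * 8 + b"\xff\xfe\x01\x02"
)

if __name__ == "__main__":
    print(report("kazaadownload-sample.dat", SAMPLE_DAT))
    print(report("99334-sample.exe", SAMPLE_EXE))
```

Run against a real file with `triage(open(path, "rb").read())`; the point of the `.dat` case is that a marker match plus markup and script hints says "this is a log or cache of browser content", which is what the poster concluded about the IE/Morpheus windows, rather than a second executable.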