mssecure.exe



#1 JamieC


  • Members
  • 1 posts

Posted 27 March 2005 - 02:12 PM

Dear All,

Just googled "mssecure.exe" and discovered it listed as a security threat on your site.

I can confirm that this is a trojan and uses a registry key in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to start up.

It is not detected by my antivirus app (Norton 2005, fully updated) or my antispyware app (AdAware Personal, fully updated).

As far as I can tell, it is a spam-virus which runs its own mailserver. It's picked up by Norton if you have 'Scan outgoing emails' selected. In this case, Norton shows hundreds of emails going out, and returns any errors returned by the receiving SMTP servers - typically these are 'Your mail was rejected due to spam-like headers' or 'Mailbox does not exist' type messages.

I was going to run Ethereal and try and pick up any extra info, but I'm not an expert with this and besides, I just wanted rid of it :-)

I seem to have successfully removed it by ending the process, deleting the file and removing the registry entry. I have since restarted and it has not re-emerged, although it could still be running in a different guise.

Any further info on this thread would be appreciated, especially the reason why it is not listed in Symantec's latest virus definitions!!

- Jamie

Mod Edit: This will be moved to a more appropriate Forum.

Edited by scarlett, 28 March 2005 - 11:39 AM.


#2 Papakid


    Guru at being a Newbie


  • Malware Response Team
  • 6,649 posts

Posted 28 March 2005 - 11:05 AM

Hi Jamie,

Sounds like you did a good job getting rid of the trojan. :thumbsup: There appears to be more to do though. Have a look at this article by Sophos on Troj/Borobot-E - be sure to click the Advanced tab:
http://www.sophos.com/virusinfo/analyses/trojborobote.html

The main thing you should be concerned about is the integrity of your security products. Make sure all your Norton-related processes are running; if you are not sure, the easiest way to deal with that would be to just reinstall your AV. If you go that route, be sure to shut down any system monitors before you uninstall.

I would also check the reg key mentioned in that article whether you are using the SP2 Firewall or not.

You can also check your proxy settings.

If you like, you can post a HijackThis log and I'll look it over to make sure all's kosher and nothing else got downloaded through the backdoor. How to post a HijackThis Log

As for why Symantec doesn't have this threat defined, I suppose you'd have to ask them. It may be that they do have the definitions in their database but they didn't get onto yours if the trojan was successful in disabling LiveUpdate. You may want to consider switching to another AV. It is also always a good idea to run some free online AV scans as a second opinion.

eTrust Antivirus Web Scanner
TrendMicro's HouseCall
Panda ActiveScan
BitDefender

I'm not familiar with Ethereal--could you provide some more information on that--perhaps a link to a features page?

The thing about people is they change when they walk away. --Mipso
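A defender's check for the two things this thread points at (an autostart entry for mssecure.exe under the Run key, and the proxy settings Papakid suggests looking at), written as an added PowerShell example that is not from either poster. It assumes an elevated PowerShell session on the affected machine; the suspect-name list and the "trusted roots" heuristic are assumptions the reader can adjust.

```powershell
# Added example (not from the thread): enumerate Run/RunOnce autostart entries and
# flag any that reference mssecure.exe, live outside Windows/Program Files, or point
# at a file that no longer exists (an orphaned entry left behind after manual cleanup).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$suspectNames = @('mssecure.exe')   # the name reported in this thread; extend as needed
# Assumption: legitimate autostarts normally live under one of these roots.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Get-AutorunFindings {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSDrive metadata
            $cmd = [string]$p.Value
            # Reduce the command line to its executable: quoted path, or first token if unquoted.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
            $reasons = @()
            if ($suspectNames -contains (Split-Path $exe -Leaf)) { $reasons += 'known suspect name' }
            if (-not ($trustedRoots | Where-Object { $exe -like "$_\*" })) { $reasons += 'outside Windows/Program Files' }
            if (-not (Test-Path $exe)) { $reasons += 'file missing (orphaned entry)' }
            if ($reasons) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd; Reasons = ($reasons -join '; ') }
            }
        }
    }
}

# WinINet proxy settings for the current user: an unexpected ProxyServer or
# AutoConfigURL is worth investigating, as Papakid's "check your proxy settings" suggests.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
Get-ItemProperty -Path $inet | Select-Object ProxyEnable, ProxyServer, AutoConfigURL

Get-AutorunFindings | Format-Table -AutoSize
```

Run it once after cleanup and again after a reboot; an entry that reappears points at another persistence mechanism still active, which is the "different guise" Jamie was worried about.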
