
Winrar generating .exe file disguised as a JPG


17 replies to this topic

#1 makka
  • Members
  • 12 posts

Posted 17 December 2008 - 03:56 AM

Hi

I basically downloaded a rar file that had a JPG within it, and I had the 'Hide extensions for known file types' option activated so didn't realise that it was a .exe in disguise; had I de-selected the hide extensions option I would have realised it was a .exe and would have left it alone. But stupidly I clicked on the JPG, schoolboy error I know, and it did nothing, so that then made me suspicious. Then I uploaded the rar file and re-downloaded it to make sure everything worked ok, and inside the rar file was one of these JPGs that is really a .exe.

I first downloaded the initial rar that contained the mysterious JPG/.exe file, I clicked on the JPG and nothing happened, but now it seems to be generating these files every time I compress to rar. When I first compress something the file size increases slightly, which is obviously the opposite of what should happen, and when I unpack it the JPG isn't there. Then, when I upload it and re-download it, the file appears!!?? I have tried various file hosting sites and it happens on all of them so it isn't site specific.

I then tried uploading a small rar I downloaded, a completely new file from here, one that I didn't initially compress; after uploading and re-downloading that, it again seemed to have this mysterious file inside. That really baffled me because I didn't compress it, I just downloaded it, re-upped it, then downloaded it again. So I decided to change the name of the JPG from .exe to .JPG, this then turned the JPG icon into a .exe installer type icon and AVG popped up and said 'warning hidden file extension .exe'.

I scanned the rar file with the JPG inside and AVG, Malware & Spybot didn't detect anything. I made sure I used ATF Cleaner to clear out temporary files prior to scanning too. Mediafire wouldn't successfully upload the rar file with the JPG inside, it said 'bad archive', but other hosting sites had no problem with it. So I tried to upload it in its JPG form to Kaspersky online search; that wouldn't allow me to upload it, but other sites did. Again, those that did came back with nothing. So I tried to scan my system with Kaspersky and F-Secure online, again they both found nothing!?!

Everything I've scanned it with has the latest definitions, all my Windows updates are current, Java is current with all old instances removed, and I even switched off system restore to eliminate any files being stored by that. I looked on AVG's website and their info on 'hidden file extension.exe' is very vague and not helpful at all. I tried to locate exactly what this was, looked on loads of forums etc. and the only things that seemed remotely similar were the ZPharaoh virus and the Sasser worm. So I scanned with a Sasser worm tool, that came back negative. The ZPharaoh virus doesn't seem to have a patch and all the info I found on that said that it would create certain files in the system folder and registry and possibly in root drives; I did thorough searches for said files and again I found nothing. I'm hoping it isn't the ZPharaoh because that looks like a right nasty virus, attaching itself to all exe files, which will then corrupt any files you open using that program.

I uninstalled winrar, removed every instance of it from my machine, even the registry, and I also ran Registry Mechanic. I then installed a new, different winrar and if I compress a file the file size still increases slightly, but if I then unpack it straight away there is no JPG.exe inside; but as before, if I upload it somewhere, then download that rar again and unpack it, lo and behold the JPG appears again?!

Obviously whatever this is, it is still on my machine and is regenerating itself! I haven't opened any programs for a few days, just in case. I have backups but my external backup drive may possibly be infected too. But I've seen no deterioration in performance, no strange system activity, so it's either a new virus that's set to activate on a specific date and is currently dormant from an attacking point of view until said date, or it's just some kind of false scare?!

I find it strange that AVG only found it when I renamed the JPG.exe back to JPG and then it gave no information on exactly what type of virus it was. Maybe that is because they don't have the answers yet, or maybe it's a load of old cobblers?! I'm still not opening any programs until I clear the matter up; whatever it is, it's still there but nothing detects it and it currently seems like a false positive. Perhaps you could ask your friends at AVG about this because I'm naturally concerned.

I could wipe my drive but it may be a mental mission for nothing, and if it is a really nasty one waiting to go off then I will have to delete every file I own, and right now I'm definitely not going to do that unless it's absolutely necessary because it would take me a lifetime to put everything back to how it was etc.

If anyone could advise me on this or offer up any information it would be seriously appreciated. Thanks
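A defensive check for the disguise described in this post, added here as an example and not part of the original thread: it reproduces what Explorer shows with 'Hide extensions for known file types' enabled, flags names like holiday.jpg.exe, and compares each file's first bytes with its claimed extension. The function names and the sample files (built in a temporary folder) are constructed for the example.

```python
from __future__ import annotations
import os
import tempfile
from pathlib import Path

# Extensions Windows will execute on double-click. A file whose real name ends in
# one of these, but whose displayed name (with "Hide extensions for known file
# types" on) looks like a picture, is exactly the disguise described in the thread.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}

# Leading bytes a genuine file of each type starts with (PE executables begin "MZ").
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".png": b"\x89PNG",
         ".gif": b"GIF8", ".exe": b"MZ"}

def displayed_name(name: str) -> str:
    """Name as Explorer shows it with 'Hide extensions for known file types' on:
    the final extension is dropped, so 'photo.jpg.exe' is shown as 'photo.jpg'."""
    stem, ext = os.path.splitext(name)
    return stem if ext else name

def check_file(path: Path) -> list[str]:
    """Return the findings for one file; an empty list means nothing looks odd."""
    findings = []
    name = path.name.lower()
    ext = os.path.splitext(name)[1]
    shown = displayed_name(name)
    shown_ext = os.path.splitext(shown)[1]
    # 1. Executable hidden behind an image extension, e.g. holiday.jpg.exe
    if ext in EXECUTABLE_EXTS and shown_ext in IMAGE_EXTS:
        findings.append(f"executable disguised as image: shown as '{shown}', really '{name}'")
    # 2. Header bytes do not match the claimed extension, e.g. a PE file renamed to .jpg
    with open(path, "rb") as fh:
        head = fh.read(8)
    expected = MAGIC.get(ext)
    if expected and not head.startswith(expected):
        kind = "PE executable" if head.startswith(b"MZ") else "unknown"
        findings.append(f"content mismatch: '{name}' claims {ext} but header is {kind} {head[:4]!r}")
    return findings

def scan_dir(directory: Path) -> dict[str, list[str]]:
    """Check every regular file below directory; keys are names that had findings."""
    report = {}
    for p in sorted(directory.rglob("*")):
        if p.is_file():
            found = check_file(p)
            if found:
                report[p.name] = found
    return report

def demo() -> dict[str, list[str]]:
    """Build a constructed sample folder (not the poster's files) and scan it."""
    d = Path(tempfile.mkdtemp())
    (d / "real_photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)  # genuine JPEG header
    (d / "holiday.jpg.exe").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)      # hidden .exe
    (d / "cover.jpg").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)            # PE renamed to .jpg
    (d / "setup.exe").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)            # honest .exe
    return scan_dir(d)

if __name__ == "__main__":
    for fname, issues in demo().items():
        print(fname, "->", "; ".join(issues))
```

To check a real extracted archive, call scan_dir(Path("path/to/extracted/folder")) instead of demo().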



#2 Guest_superbird_*
  • Guests

Posted 17 December 2008 - 06:36 AM

Hi,

Could you please do a new full scan with MalwareBytes' Anti-Malware? Post the contents of that logfile in your next reply. :thumbsup:

#3 makka
  • Topic Starter
  • Members
  • 12 posts

Posted 17 December 2008 - 01:38 PM

Hi, thanks for responding to this! Here is the log of a scan I did earlier today using Malware Bytes...


Malwarebytes' Anti-Malware 1.31
Database version: 1510
Windows 5.1.2600 Service Pack 3

17/12/2008 15:23:27
mbam-log-2008-12-17 (15-23-27).txt

Scan type: Full Scan (C:\|E:\|F:\|G:\|H:\|I:\|N:\|O:\|)
Objects scanned: 172352
Time elapsed: 6 hour(s), 15 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


It didn't detect the problem and winrar is still generating these .exe files!! Thanks for your help!

#4 Guest_superbird_*
  • Guests

Posted 17 December 2008 - 01:40 PM

Please use the Internet Explorer browser (or Firefox with IETab), and do an online scan with Kaspersky Online Scanner.

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database: Extended
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK and, under select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
[Posted Image: screenshots of the Scan is completed window and the Save Report As button]
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

#5 makka
  • Topic Starter
  • Members
  • 12 posts

Posted 18 December 2008 - 07:59 AM

Hi Superbird

I set the scan off before I went to bed but totally forgot to set the scan options, i.e. Extended/scan archives/scan mail bases, but I did set it to scan my computer. It did throw up some threats, which AVG didn't pick up when I did a full scan with AVG. However, what it found was on my 'I' drive, which is an old drive I used to use just for music production, and although Windows XP is still on there I really only use it for storage. These might be old threats because the current problem is affecting my current Windows installation, which is on my 'C' drive.

I'm not sure how much difference it makes not selecting 'Extended/scan archives/scan mail bases' but I will do another one overnight to see if it throws anything else up. I obviously know nothing about threats, well maybe a little but not much, so maybe those on my 'I' drive are what's causing the issue, but it seems strange that there aren't any threats on my 'C' drive.

Below is the text scan report from Kaspersky online scan.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, December 18, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, December 18, 2008 01:13:01
Records in database: 1474046
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
N:\
O:\
P:\

Scan statistics:
Files scanned: 688654
Threat name: 4
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 06:35:03


File name / Threat name / Threats count
I:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s 1
I:\WINDOWS\system32\lssas.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.25.f 1
I:\WINDOWS\system32\msthost.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603 1
I:\WINDOWS\system32\qos.dll Infected: Backdoor.IRC.Zapchast 1
I:\WINDOWS\system32\tcp.dll Infected: Backdoor.IRC.Zapchast 1

The selected area was scanned.


Just get back to me when you can, I'm sure you must be really busy! I think people like yourself who volunteer to do stuff like this are marvelous! Thank you! 8)

#6 makka
  • Topic Starter
  • Members
  • 12 posts

Posted 18 December 2008 - 08:03 AM

BTW, I just checked what settings I used for the scan and it set Scan Archives/Scan Mail Base by default anyway. Cheers

#7 Guest_superbird_*
  • Guests

Posted 18 December 2008 - 08:43 AM

Open Notepad.
Copy this in the Notepad-file:

@ECHO OFF
IF EXIST log.txt DEL log.txt
ECHO Deleting files>>log.txt
FOR %%g in (
I:\WINDOWS\system32\msthost.exe
I:\WINDOWS\system32\qos.dll
I:\WINDOWS\system32\tcp.dll) DO (
IF EXIST %%g (
ATTRIB -r -s -h %%g
DEL %%g
IF EXIST %%g (
ECHO %%g not deleted>>log.txt
) ELSE (
ECHO %%g deleted>>log.txt)
) ELSE (
ECHO %%g not found>>log.txt))
>>log.txt (
ECHO.
ECHO Deleting folders)
FOR %%I in (
"I:\Program Files\Common Files\Real") DO (
IF EXIST %%I (
RD /S /Q %%I
IF EXIST %%I (
ECHO %%I not deleted>>log.txt
) ELSE (
ECHO %%I deleted>>log.txt)
) ELSE (
ECHO %%I not found>>log.txt))
START NOTEPAD.EXE log.txt

Go to File - Save as...
Fill in the next values:
Location: Desktop
File name: del.bat
File type: All files (*.*).
Now, click Save.
Doubleclick del.bat.
Post the contents of the logfile that opens in your next reply.

#8 makka
  • Topic Starter
  • Members
  • 12 posts

Posted 18 December 2008 - 10:22 AM

Hi superbird, thanks for the ultra fast reply!!

Sorry for sounding dumb but when you say...

Fill in the next values:
Location: Desktop
File name: del.bat
File type: All files (*.*).
Now, click Save.
Doubleclick del.bat.

Do you mean add this to the bottom of the text document? I'm not exactly sure where to add this info to!? Sorry, this is all new to me!! Thanks

BTW, for some reason I had trouble posting this reply, the site is displaying incorrectly, it's like it's in some kind of basic mode but other sites are displaying ok. Thought I should let you know.

#9 makka
  • Topic Starter
  • Members
  • 12 posts

Posted 18 December 2008 - 10:49 AM

Hi Superbird, Here's the log from the del.bat script. I sussed out what you meant in the end!! It has deleted those files that were in the virus scan. I am going to see if winrar is still generating those suspicious JPGs and I will get back to you. Thanks!!

Deleting files
I:\WINDOWS\system32\msthost.exe deleted
I:\WINDOWS\system32\qos.dll deleted
I:\WINDOWS\system32\tcp.dll deleted

Deleting folders
"I:\Program Files\Common Files\Real" deleted

#10 makka
  • Topic Starter
  • Members
  • 12 posts

Posted 18 December 2008 - 11:16 AM

After the del.bat script deleted those files that Kaspersky found, I zipped up an empty folder and just as before the file size of that rar increased to 60 kb, and then after uploading it and re-downloading the rar it increased to 125 kb and that .exe file appeared once again!! Unfortunately the problem is still there. My computer isn't acting strangely except for this. There must be something on my machine that is generating these hidden file extension files. I'm scared to open any of my music projects in case any of my files become corrupted. I have read that some viruses infect all .exe files then corrupt files from infected programs, so I'm not doing anything until I can stop these weird files from being generated.

It may be a hoax; strange how none of the programs I've scanned my machine with find anything other than what was on the 'I' drive, which I reckon were old nasties.. Hmmmm, not sure what to do right now!!??!! Thanks

#11 Guest_superbird_*
  • Guests

Posted 18 December 2008 - 12:15 PM

Hi,

Please remove WinRAR first.

Then, do a full scan with MBAM, restart your computer after that.
Post the logfile of MBAM in your next reply.

After that, do a new scan with Kaspersky Online Scanner, and include that logfile in your next post too. :thumbsup:

Edited by superbird, 18 December 2008 - 12:16 PM.


#12 makka
  • Topic Starter
  • Members
  • 12 posts

Posted 19 December 2008 - 01:10 PM

Good evening Superbird!

Finally finished the scans, epic!! Took forever! I removed winrar and all instances of it from the registry and anywhere else on my machine; there were a lot of registry entries, far more than I expected!

MBAM found nothing and after that Kaspersky found lssas.exe in the 'I' drive again, although I thought we killed that last time?! How did it come back? Maybe because my machine was online without anti-virus for a long while whilst doing the Kaspersky scan? Now winrar is removed those JPG files are obviously not being re-generated, but I can't tell if the thing that was causing it is still there because it was only winrar that showed it up. I'm sure if I put winrar on again it would do it again? Obviously nothing else is showing so I'm baffled and do not know if it is safe to start making music again? I hope so!!

Here are the logs anyway...


Malwarebytes' Anti-Malware 1.31
Database version: 1517
Windows 5.1.2600 Service Pack 3

19/12/2008 09:50:51
mbam-log-2008-12-19 (09-50-51).txt

Scan type: Full Scan (C:\|E:\|F:\|G:\|H:\|I:\|N:\|O:\|)
Objects scanned: 696867
Time elapsed: 8 hour(s), 34 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, December 19, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, December 19, 2008 07:38:45
Records in database: 1480857
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
N:\
O:\
P:\

Scan statistics:
Files scanned: 690801
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 07:25:28


File name / Threat name / Threats count
I:\WINDOWS\system32\lssas.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.25.f 1

The selected area was scanned.



Can I just delete the lssas.exe manually or will I need a special script? How can I stop this from happening? Sorry for all the questions! BTW, I have 7zip on my machine too; I tried zipping up a file then uploading/downloading and that doesn't contain anything untoward. Please advise me what is the best course of action.

Thanks Superbird!

Regards

Makka

#13 Guest_superbird_*
  • Guests

Posted 19 December 2008 - 01:13 PM

Hi,

Go to www.virustotal.com
Upload the file: I:\WINDOWS\system32\lssas.exe
Post the results in your next reply. :thumbsup:

Edited by superbird, 19 December 2008 - 01:13 PM.


#14 makka
  • Topic Starter
  • Members
  • 12 posts

Posted 19 December 2008 - 06:33 PM

Hello again Superbird..

Here are the results from the Virus Total site... I'm guessing I need to remove this now! I won't do anything until you say so though.. Cheers!


AhnLab-V3 - - Win-AppCare/ServU.424960
AntiVir - - BDC/ServU-Based
Authentium - - is a security risk or a backdoor program
Avast - - Win32:Trojan-gen {Other}
AVG - - Potentially harmful program ServU.AAG
BitDefender - - Backdoor.ServU.4004.A
CAT-QuickHeal - - RiskWare.FTP.Serv (Not a Virus)
ClamAV - - -
DrWeb - - BackDoor.Servu.221
eSafe - - Win32.ServU
eTrust-Vet - - Win32/IRCFlood
Ewido - - -
F-Prot - - W32/Malware!eab5
F-Secure - - Backdoor.Win32.ServU-based
FileAdvisor - - -
Fortinet - - W32/Lssas.U
Ikarus - - not-a-virus:Server-FTP.Win32.Serv-U.25.f
Kaspersky - - not-a-virus:Server-FTP.Win32.Serv-U.25.f
McAfee - - potentially unwanted program ServU-Daemon
Microsoft - - Backdoor:Win32/Servudoor.H
NOD32v2 - - probably a variant of Win32/ServU-Daemon
Norman - - W32/ServU.ET
Panda - - Application/ServUBased.A
Prevx1 - - Generic.Malware
Rising - - Backdoor.ServU-based.nz
Sophos - - Mal/EncPk-M
Sunbelt - - Backdoor.ServU.4004.A
Symantec - - Bloodhound.Morphine
TheHacker - - Aplicacion/Riskware.FTP.Serv-U.25.f
VBA32 - - -
VirusBuster - - Backdoor.ServU-based.C
Webwasher-Gateway - - Trojan.Backdoor.ServU-Based
Additional information
MD5: b85fdfd93b10f6b56cdc7898bcf05d99
SHA1: 1cccab5d0658eceaacc3aadf5c8bd6a85ac84f09
SHA256: 1245e98c7de7659493968731860daf82e7ef9ba8c6423fc6abce9f66251faf14
SHA512: 4b7443e3b204248536f94dc5157f6d8324a6856400a824da789b0d238b03c96440f5a15c89ce53ba344787439f6128687b24a6c9be244932c3d9b146a2a27c7c

#15 makka
  • Topic Starter
  • Members
  • 12 posts

Posted 19 December 2008 - 07:02 PM

I had uploaded the .exe JPG file that was appearing in my compressed winrar files the other day when trying a few things out, so I downloaded it so I could let Virus Total have a look at it.. Here is what came back when I uploaded the rar file...

Rising 21.08.42.00 2008.12.19 Trojan.Win32.Undef.usf

File size: 144801 bytes
MD5...: 1dd51614bf2588dcca3837bc47d0abd0
SHA1..: f6bec3ab18ec9ee92b3e37be7562e402169d9c5a
SHA256: a330e18a2574cabb5dab84b94d04a5b80eb44f6178f1174c64acc047c2daae7b
SHA512: 4bd6240561298e842af9ed9fc7962b5c4a3c25d5d27f9f8096e0fd9ed023a897
c6fea903d984764cd8abe7435763b5d6838b0afca8aec103d76c3cecb12dfed6
ssdeep: 3072:7hVd6QYYU0VnOxOoVDMDKqAaNs8bbbDTJnJ6K96nFPi/3auO6kw6q2:7L1Y
85oNMoabbJsFPiCZ6kw6q2
PEiD..: -
TrID..: File type identification
RAR Archive (83.3%)
REALbasic Project (16.6%)
PEInfo: -
packers (Kaspersky): PE_Patch.UPX, UPX



Then I extracted it to a folder and uploaded the file in its normal uncompressed state. This is what Virus Total came back with...

Rising - - Trojan.Win32.Undef.usf

MD5: afaef9d6574a7e08ebfcf4a069571775
SHA1: ea26a29a389126d79624be159b43e8c71d1d67ca
SHA256: 7f1a4f25b9902288ea4f4acd7ee60cd1e545f420ae49948bc019c725cbe81b49
SHA512: d8aa086947137ac27147b23160a004799663191875bc89d980e52288a9713bcebbd607793c30995c0993ba6d23b48b10d0990a3f5bd9e9533fda2a4b519bb590



Now I have done the virus check I will put it in the trash. However, I did leave lssas.exe on the 'I' drive still.

Thanks :thumbsup:



