Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


File Found By Autoruns

  • Please log in to reply
3 replies to this topic

#1 Interface Systems Inc.

Interface Systems Inc.

  • Members
  • 3 posts
  • Local time:04:29 AM

Posted 01 December 2006 - 03:47 PM

Some time in the last week our network was infected with some sort of virus that we have been having major trouble finding information on -- it is being referred to in the pop-ups from our virus software as Win32.Worm.Viking.AT and it appears to be a virus that infects .exe files.

Our research brought us to the BleepingComputer site where we learned about the Autoruns program and started running it on the infected machines. So far, it seems to be a lifesaver but we'll know better if we get past today and no longer have pop-up window alerts about this virus showing up. However, in checking out the suspicious files found with the Autoruns program, we have one which is not found in either the Startup or Files Databases and since it is located in a folder that has to do with Microsoft, we looked for this particular file name on their site and found nothing. We also just Googled the file name and came up with nothing.

The file is called 20d91f1a.dll and part of the reason we are suspicious that this particular file may be bad is the creation date is 11/17/2006 - the day on which we believe the virus got into our network system.

When we checked your Startup Files database and came up with nothing, your little message advised you'd like to know about files that can't be found in your system and asked us to register and tell you all about it so here we are. For now, we've left the file alone but if there is more information that can be provided about this file, please don't hesitate to let us know.

BC AdBot (Login to Remove)


#2 boopme


    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:05:29 AM

Posted 01 December 2006 - 10:30 PM

Hello and welcome
Try submitting the file to Virustotal.
Virustotal offers a free service for scanning suspicious files using several antivirus engines.
Use the upper textbox to select and send any suspicious file to Virustotal for a scan. If you wish, you can also send files using your email client. In that case, please follow these steps:

Create a new message with scan@virustotal.com as destination address of your email.
Write SCAN in the Subject field (write SCAN- if you do not want to distribute your sample to any AV company).
Attach the file to be scanned. Such file must not exceed 10 MB in size. If the attached file is larger, the system will reject it automatically.
You will receive an email with a report of the file analysis. Response time will vary depending on the load of the system at the time of placing your request.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Papakid


    Guru at being a Newbie

  • Malware Response Team
  • 6,636 posts
  • Gender:Male
  • Local time:04:29 AM

Posted 02 December 2006 - 02:16 PM


Thanks for the info. Unfortunately, the file you mention appears to be randomly named, so for obvious reasons it doesn't make sense to add it to the Startups Database. It is possible that the file is a new one and has a static name, but 99% of the time when you get no hits of it on Google it means it is a randomly named malicious file. This is a relatively recent trend to avoid detection and removal--and being put on such a database.

Please be advised that for submissions to the Startup Programs Database we need certain data, so please review the How To Submit A Startup Entry. Information about any startup, whether wanted or not is appreciated.

If the file was listed in Autoruns, it is essential for us to know the startup method (what registry entry it is under) and the file location (what folder it is in).

Symantec apparently calls this worm by another name (which is common for AV vendors and the source of much confusion) and a write up on it can be found here: W32.Looked.P

There is no mention there of this or a randomly named file but it fits the characteristics that you have described in that it infects executable files on a network. That could be because this is a variant of the same worm, i.e., it is in the same family but some file names and methods are changed (also very common). Or, more likely and in addition, the file was downloaded post infection--those are more commonly randomly named. See section 8 in the Technical Details tab of the Symantec article.

So if the file is listed in Autoruns, please let us know and where. If it is not listed, it would not be considered a startup and thus would be outside the scope of this subforum. Boopme's suggestion to have the file scanned at Virustotal (or Jotti's) is a good one. It will usually give you the final word on if the file is malicious or not. There is the added advantage that scanned files are submitted to the top AV vendors so that their definitions can be updated (using methods other than file names).

If you would, post the results here, just as a point of interest.

The thing about people

is they change

when they walk away.--Mipso

#4 Interface Systems Inc.

Interface Systems Inc.
  • Topic Starter

  • Members
  • 3 posts
  • Local time:04:29 AM

Posted 04 December 2006 - 12:51 PM

Thank you both for the feedback. We sent the file to Virustotal and out of the 29 AntiVirus packages that showed up in the report, only 3 reported no virus found where all the rest show it to be one form or another of a Trojan virus. Nice, huh?

So, at this point we're pretty sure this is the root of the virus that has infected our system and thanks to your feedback on the virus defined at the Symantec site and another definition we found on another site (http://www.sophos.com/security/analyses/trojqqrobaas.html), we think we finally might have it cleaned up.

We did find the original file while running Autoruns and this is what we can tell you based on that:

Filename: 20d91f1a.dll
Registry Value Name: HKLM\Software\Microsoft Windows\CurrentVersion\Explorer\ShellExecuteHooks
Command: (not sure?)
File Location: C:\program files\common files\Microsoft Shared\msinfo\20d91f1a.dll
Description: There is no description for the file.
Status: X
Additional Note: File found under the "Explorer" tab in the Autoruns program.

We went and looked up the file where it was said to be located on our "C" drive and found two (2) other files that were created on the same date and time -- they were 20d91f1a.dat and wshmcepts.chm. We googled the second file which is how we found the information on the sophos site noted above. We only disabled the file in Autoruns the first time. Now we're gonna go in and kill it along with these other two files we found and hopefully that will be the end of it.

It should also be noted that all three (3) files had properties of hidden and read only.

If there is any other information you feel would be helpful or useful to others, let us know. We'll gladly provide what we can.

And thank you again for your feedback!


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users