
Thread: Anyone else ran the "sims_nude(1).exe" trojan?

  1. #1
    myAvatar
    Guest

    Anyone else ran the "sims_nude(1).exe" trojan?

    Hey,
    I've searched the web, and the virus sites, but haven't found any info on this yet.

    The file didn't "seem" to do anything when I ran it (it has a generic EXE icon). But right after my firewall software popped up saying that "regedit" was trying to contact a website on the SMTP port.

    Now every time my PC boots, the regedit process is running (two processes actually, under the main program). Neither of which are visible in any taskbar/ALT+TAB'ing.

    I dissected the file... and it appears to be in VB5. It keeps creating a file in C:\windows called "99334.exe". I deleted it 5 times, and it immediately reappeared. I tried to disassemble it, and it says it's not recognized as a valid file format. So I opened it in HIEW, and I saw the text "[m52 aol password logger]" (and that's all).

    Any ideas? Anyone want to look at it? Any places I should've searched for info on it but didn't? (I searched via google, and on the NAI website).

    Regards,
    myAvatar
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    myA
    Guest

    Sorry bout starting the new thread :)

    Hopefully someone will kill the second thread I started.

    So, the correct filename (as I downloaded it) is "nude_sims(1).exe".

    Some more info I've found. It (or actually regedit.exe) is continuously enabling an autodial key in the registry, then checking the list of service providers (DUN connectoids?) that I have (but it never tries to dial, that I've noticed... the lights on my hardware modem haven't changed since it's installed).

    myA

  3. #3
    myA
    Guest

    Add'l Info

    Some more info, in the same dir that I downloaded the nude sims file to are two other files, both ending in .dat. They both start as "kazadownload" then a seemingly random string of numbers. The file was downloaded via morpheus (file sharing program).

    One of these .dat files ("kazaadownload998869459180662.dat") has the same text at the beginning of it, "[m52 aol password logger]"... it is then followed by what appears to be JavaScript...

    -=CODE START=-
    Code:
    var agent_isIE = 0;
    
    var agent_Major = '5';
    var L_H_APP='MSN Search';
    var H_URL_BASE='http://help.msn.com/EN_US';
    var H_CONFIG='searchv3.ini';
    var bSearch=true;
    var H_BRAND='';
    var H_FILTER='';
    var H_TOPIC='';
    var bScreen=false;
    var L_H_TEXT='MSN Search';
    if( ( navigator.userAgent.indexOf("Nav") > 0 ) || ( navigator.userAgent.indexOf("Mozilla/4.5") > -1 ) ){
    	var agent_isNS = 1;
    } else {
    	var agent_isNS = 0
    }
    if(navigator.userAgent.indexOf("Mac") > 0){
    	var agent_isMac = 1;
    } else {
    	var agent_isMac = 0;
    }
    var agent_isAOL = 0;
    H_KEY = 'srch_rslts';
    if( navigator.appVersion.indexOf("4.")>=0) bScreen=true;
    // Wrapper function to allow me to modify the variables in the Help call and not have to set global variables to do so
    //
    // fWrapHelp( IN v_bSearch, IN v_H_KEY, IN v_L_H_TEXT )
    // WHERE
    // v_bSearch = boolean value identifying whether this is a search in help or a topic
    // v_H_KEY = if v_bSearch is false, then this is a topic, else it is a secret keyword
    // v_L_H_TEXT = if v_bSearch is false, then it's ignored, else it is a localized string displayed in UI
    function fWrapHelp( v_bSearch, v_H_KEY, v_L_H_TEXT )
    {
    	//Set each var and then call DoHelp()
    	//If a Search in enabled, then we need a KEY and TEXT values, otherwise it's a topic and we just need TOPIC
    	if( v_bSearch )
    	{
    		bSearch = v_bSearch;
    		H_KEY = v_H_KEY;
    		L_H_TEXT = v_L_H_TEXT;
    	} else {
    		H_TOPIC = v_H_KEY;
    		bSearch = v_bSearch;
    	}
    	DoHelp();
    	bSearch = true;
    }
    function newUrl()
    {
    var strID = document.all.item("q").value;
    if (strID == "")
    	{
    		window.alert("Please type the word or words you wish to search for in the Search box.");
    		SetFocus();
    	}else{
    		if (strID.indexOf("://") < 1)
    		{
    			strID = "http://" + strID;
    		}
    		self.location = strID;
    	}
    }
    function SetFocus(objMT)
    {
    	document.all.item("q").focus();
    }
    function tooltip()
    {
    	document.all.item("tips").style.display = "";
    }
    -=CODE END=-

  4. #4
    myA
    Guest

    Add'l Info

    The file mentioned above (with the JS code) seems to be partial HTML from searches I have done (or partial HTML from IE windows that have been opened, because one references the Morpheus main page, and Morpheus itself uses IE).
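
A triage sketch for the marker string reported in posts #1 and #3, as an added example that is not part of the original thread: it walks a directory, lists files containing `[m52 aol password logger]`, and records whether each one starts with the `MZ` executable header. The function names and the sample files are constructed for illustration.

```python
import os
import tempfile

MARKER = b"[m52 aol password logger]"  # string quoted in the thread

def triage_file(path, chunk_size=1 << 16):
    """Return (starts_with_mz, marker_offset); marker_offset is None if absent."""
    overlap = len(MARKER) - 1
    with open(path, "rb") as fh:
        starts_with_mz = fh.read(2) == b"MZ"   # Windows executables begin with "MZ"
        fh.seek(0)
        tail, base = b"", 0                    # base = file offset of the next chunk
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            window = tail + chunk              # keep overlap so a split marker is found
            hit = window.find(MARKER)
            if hit != -1:
                return starts_with_mz, base - len(tail) + hit
            tail = window[-overlap:]
            base += len(chunk)
        return starts_with_mz, None

def scan_tree(root):
    """Walk root and list every file that contains the marker."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            try:
                is_mz, offset = triage_file(os.path.join(dirpath, name))
            except OSError:
                continue                       # locked or unreadable: keep scanning
            if offset is not None:
                findings.append({"name": name, "offset": offset, "mz_header": is_mz})
    return findings

def build_sample_dir():
    """Constructed sample files (not real malware) shaped like the thread's description."""
    root = tempfile.mkdtemp(prefix="m52_triage_")
    samples = {
        "99334.exe": b"\x00" * 65530 + MARKER,            # no MZ; marker spans a chunk edge
        "kazaadownload_sample.dat": MARKER + b"\r\nvar agent_isIE = 0;",
        "clean.exe": b"MZ\x90\x00" + b"\x00" * 64,        # MZ header, no marker
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    print(scan_tree(build_sample_dir()))
```

A file with an `.exe` name, no `MZ` header and the marker inside matches what the poster saw when the disassembler rejected "99334.exe".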
