Tue 31 May, 2005 10:39 am
Symantec Antivirus 9.1 Corporate Edition:
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan.Alwayup
File: C:\Documents and Settings\username\Local Settings\Temporary Internet Files\Content.IE5\U9OV6HE5\aun_0036[1].exe
Location: C:\Documents and Settings\username\Local Settings\Temporary Internet Files\Content.IE5\U9OV6HE5
Computer: computername
User: username
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Tuesday, May 31, 2005 11:28:55 AM
DrewDad, is that why some are having problems posting, and getting em post notices?
I've stopped getting the message.
Here's what I found at Symantec (http://securityresponse.symantec.com/avcenter/venc/data/downloader.newest.html):
Trojan.Alwayup
Discovered on: March 17, 2005
Last Updated on: March 23, 2005 03:31:02 PM
Trojan.Alwayup is a Trojan horse that attempts to steal system information. The Trojan also downloads and executes the latest version of itself on the compromised computer.
Note: Virus definitions dated March 21, 2005 or earlier may detect this threat as Downloader.Newest.
Type: Trojan Horse
Infection Length: 36,864 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Virus Definitions (Intelligent Updater) *: March 17, 2005
Virus Definitions (LiveUpdate) **: March 17, 2005
* Intelligent Updater definitions are released daily, but require manual download and installation.
** LiveUpdate virus definitions are usually released every Wednesday.
Wild
Number of infections: 0 - 49
Number of sites: 0 - 2
Geographical distribution: Low
Threat containment: Easy
Removal: Easy
Threat Metrics
Wild: Low
Damage: Low
Distribution: Low
Damage
Payload Trigger: n/a
Payload: n/a
Large scale e-mailing: n/a
Deletes files: n/a
Modifies files: n/a
Degrades performance: Constant downloading of files may degrade network performance.
Causes system instability: n/a
Releases confidential info: n/a
Compromises security settings: n/a
Distribution
Subject of email: n/a
Name of attachment: n/a
Size of attachment: n/a
Time stamp of attachment: n/a
Ports: n/a
Shared drives: n/a
Target of infection: n/a
When Trojan.Alwayup is executed, it performs the following actions:
Copies itself as %System%\winupdt.exe.
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Creates a mutex named "WinUpdtMutex" so that only one instance of the threat runs on the compromised computer.
Uses TCP port 80 to send an HTTP GET request every 10 seconds to the alwaysupdatednews.com domain. The threat will download and execute the latest copy of itself from this domain.
May also send system information about the compromised computer to the alwaysupdatednews.com domain.
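The write-up quoted above describes an HTTP GET to alwaysupdatednews.com every 10 seconds on TCP port 80. As an added example (not part of the original thread or of Symantec's write-up), this Python script flags any client/host pair in a proxy log whose GET requests arrive at a near-constant interval, which goes beyond the one domain named above; the log format, client addresses, thresholds and the function name `find_beacons` are assumptions constructed for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample proxy log (not from the thread): "ISO-time client method URL"
SAMPLE_LOG = """\
2005-05-31T11:28:00 10.0.0.5 GET http://alwaysupdatednews.com/
2005-05-31T11:28:10 10.0.0.5 GET http://alwaysupdatednews.com/
2005-05-31T11:28:20 10.0.0.5 GET http://alwaysupdatednews.com/
2005-05-31T11:28:31 10.0.0.5 GET http://alwaysupdatednews.com/
2005-05-31T11:28:40 10.0.0.5 GET http://alwaysupdatednews.com/
2005-05-31T11:28:50 10.0.0.5 GET http://alwaysupdatednews.com/
2005-05-31T11:28:02 10.0.0.7 GET http://www.example.org/
2005-05-31T11:28:03 10.0.0.7 GET http://www.example.org/style.css
2005-05-31T11:28:45 10.0.0.7 GET http://www.example.org/topic1
2005-05-31T11:29:30 10.0.0.7 GET http://www.example.org/topic2
2005-05-31T11:31:00 10.0.0.7 GET http://www.example.org/topic3
2005-05-31T11:28:05 10.0.0.7 POST http://www.example.org/post
this line is malformed and must be skipped
"""

def find_beacons(log_text, min_requests=5, max_jitter=1.0):
    """Return {(client, host): median_gap_seconds} for GET traffic whose
    gaps between requests are nearly constant (a fixed-interval beacon)."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "GET":
            continue  # skip malformed lines and non-GET requests
        ts, client, _, url = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue  # unparseable timestamp
        host = (urlsplit(url).hostname or "").lower()
        if host:
            seen[(client, host)].append(when)
    hits = {}
    for key, times in seen.items():
        if len(times) < min_requests:
            continue  # too few samples to judge periodicity
        times.sort()  # log lines may arrive out of order
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(gaps)
        # Timer-driven requests have tightly clustered gaps; browsing is bursty.
        if median > 0 and statistics.pstdev(gaps) <= max_jitter:
            hits[key] = median
    return hits

if __name__ == "__main__":
    for (client, host), gap in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: GET every ~{gap:.0f}s")
```

A hit whose median gap is about 10 seconds and whose host is the domain named in the write-up matches the behaviour described there; other hits are only candidates, since legitimate software also polls on timers.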
I am pretty doubtful that a2k brings you a virus...
It's pretty clear that it was a web page, and A2K was the only page I had up at the time. I suspect maybe an advertiser, since it didn't happen on every page. In any case, it seems to have stopped.
DrewDad wrote: It's pretty clear that it was a web page, and A2K was the only page I had up at the time.
Email files go to the Temporary Internet Files folder as well. However, the description given is not sufficient for me to have any idea where you got that warning from, or even how you came to conclude it was A2K.
Quote: I suspect maybe an advertiser, since it didn't happen on every page.
If it was from A2K, that is easily the most likely vector.