Rob Kraft's Software Development Blog

Software Development Insights

Another virus bagged and tagged

Posted by robkraft on August 14, 2009

A friend sent me his computer recently so that I could remove a virus from it. The only problem he noticed was with Google searches: when he clicked on a result, it usually went to a different URL. I think the first time you went to a site it worked, but subsequent searches would go to the wrong site. He was not redirected to nasty sites, just incorrect ones; perhaps to get him to believe that those sites were responsible for the redirects, so that any retaliation he made would be against them.
I discovered other problems once I received his PC. I could not run regedit or regedt32. When I launched them from Explorer, there would be a pause and then Explorer itself would shut down and restart. So I downloaded another registry tool and used it to look in the registry, but I found nothing suspicious. After some monitoring of processes, and using msconfig to boot into minimal Windows and still experiencing the problem with regedit, I finally decided to disable all the browser add-ins to see if I could get Google search to work. One of those add-ins was the problem, and I used a process of elimination to determine it was an add-in called googletoolbar1.dll that was the lone file in a subfolder in c:\program files. Googletoolbar1.dll is usually a helpful tool, but this particular version of it was infected.
So I got the browser to work and I was beginning to suspect that the CA Security Center product installed on his PC was preventing me from running regedit. However, there were two other problems I was experiencing. One, CA Security Center could not receive its updates (which is often the sign of a virus), and two, the Adobe updater was failing to update. Any product that cannot receive its updates may be suffering from exactly this problem, because the virus does not want the updates applied.
I just happened to notice a process appear briefly in Task Manager with a suspicious name. I caught that it ended with .qea, and when I searched the hard drive I found jjbkqmy.qea in c:\windows. I googled and binged for that file name but found zero matches. This told me that it was a file with a randomly generated name and was almost certainly a virus. I deleted it, but it came right back. I rebooted into Windows minimal mode and deleted it, and it came right back.
I assumed that the file was getting copied from another area of the hard drive immediately after the delete, so I looked for a file of the same size elsewhere on the drive.
The file size was 19k and I found hundreds of other files that were also 19k. I also noticed that the creation date/time of the file seemed to have occurred during the install of the OS, or perhaps application of XP2 or some major upgrade that replaced almost all OS files.
To narrow my search, I searched at the DOS prompt to find the exact byte size (18,944 I think). I then used a DOS search to dump all file names and sizes to a text file. I then opened the text file with Notepad and searched it for all files that had the exact size of 18,944. There were still quite a few, but for most of them I found another copy with the exact same file name in the Recycle Bin. When I looked in the Recycle Bin through Windows Explorer, I could not see it even though Windows Explorer was "showing all files"; but at a DOS prompt using the show-hidden option "/ah" I could see the file. There were 3 other suspicious files in the Recycle Bin, so I deleted all the .exe files in the Recycle Bin (and jjbkqmy.qea) using DOS.
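The size-matching step above can be done mechanically on the dumped listing. The following is an added example (not a script from the original post): it parses `dir /s /ah`-style output, lists every file of an exact byte size, and flags names that appear at that size in more than one directory, which is how hidden Recycle Bin copies showed up here. The listing is constructed for this example; the paths and the 18,944-byte legitimate DLL in it are invented, not taken from the infected PC.

```python
import re
from collections import defaultdict

# Constructed sample of `dir /s /ah` output (not a real listing from the post).
# The suspicious file and its hidden copy share the exact byte size 18,944.
SAMPLE_LISTING = """\
 Volume in drive C has no label.

 Directory of C:\\WINDOWS

08/10/2009  05:12 PM            18,944 jjbkqmy.qea
04/14/2008  02:00 AM            20,480 notepad.exe
04/14/2008  02:00 AM    <DIR>          system32
               2 File(s)         39,424 bytes

 Directory of C:\\RECYCLER\\S-1-5-21-EXAMPLE

08/10/2009  05:12 PM            18,944 jjbkqmy.qea
08/10/2009  05:13 PM            18,944 updater.exe
04/14/2008  02:00 AM            18,944 mfc42.dll
               3 File(s)         56,832 bytes
"""

DIR_LINE = re.compile(r"^\s*Directory of (.+?)\s*$")
# Date, time, size (with thousands separators), name. <DIR> rows and the
# "n File(s)" summary rows do not match because they lack a numeric size.
FILE_LINE = re.compile(
    r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M\s+([\d,]+)\s+(.+?)\s*$")

def parse_dir_listing(text):
    """Return (full_path, size_in_bytes) for every file entry in a dir /s dump."""
    entries, current = [], None
    for line in text.splitlines():
        m = DIR_LINE.match(line)
        if m:
            current = m.group(1)      # directory header applies to following rows
            continue
        m = FILE_LINE.match(line)
        if m and current is not None:
            size = int(m.group(1).replace(",", ""))
            entries.append((current + "\\" + m.group(2), size))
    return entries

def files_of_size(entries, size):
    """Every path whose size matches exactly; same-size legitimate files will appear too."""
    return sorted(path for path, sz in entries if sz == size)

def duplicate_names(entries, size):
    """Same file name at the target size in more than one directory: likely a restore copy."""
    by_name = defaultdict(list)
    for path, sz in entries:
        if sz == size:
            by_name[path.rsplit("\\", 1)[-1].lower()].append(path)
    return {name: paths for name, paths in by_name.items() if len(paths) > 1}
```

A size match alone is only a lead; the same-name-in-two-places check is what separates the planted copy from an unrelated file that happens to be 18,944 bytes.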
I then opened the jjbkqmy.qea file in c:\windows using Notepad, cut out half of its contents, and saved it. I rebooted Windows.
The virus was gone (I guess it could not reload the damaged "c:\windows\jjbkqmy.qea" back into Explorer). I was able to download updates to CA Security Center and Adobe updates, and I could run regedit again. I ran CA Security Center and it found some viruses and trojans and quarantined them, but it did not flag the jjbkqmy.qea file I had determined was a virus. Note that before I modified the file using Notepad I had made a backup of it and put it in another folder. I specifically had CA Security Center scan that file, but it did not identify it as containing a virus. I also had Spybot scan the file, but Spybot found nothing to complain about.
The CA Security Center product contained a link to report potential viruses so I used that link to upload the jjbkqmy.qea backup file I had. Within 12 hours CA had sent me a reply:
“Analysis of your submission #1542929 has been completed”,
The Windows PE (I386,DLL) file “jjbkqmy.qea” has been determined to be
Aliases reported by other AV products are listed here :
(Trojan-PSW.Win32.Kates.c) (Lando) (Infostealer.Daonol)

And an email a few hours later included:
With regards to the file “jjbkqmy.qea” submitted by you on 11 Aug
17:30:49 (Australian Eastern Standard Time), we have added detection for Win32/Daonol.K to the signature files.
The Windows PE (I386,DLL) file “jjbkqmy.qea” has been determined to be malicious. Our researchers have analyzed the file and confirmed the result. The file has been identified as Win32/Daonol.K trojan.
Aliases reported by other AV products are listed here :
(Trojan-PSW.Win32.Kates.c) (Lando) (Infostealer.Daonol)
Researcher comment:
Win32/Daonol Trojan Variant
CA products address this malware as follows:
CA Anti-Virus
Engine Update version Last Update
31.6.0 31.6.6675 13 Aug
Please check for the latest signature updates.


2 Responses to “Another virus bagged and tagged”

  1. […] Another virus bagged and tagged « Rob Kraft's Software Development … […]

  2. Easily, the post is actually the freshest topic on the best registry cleaner in 2009. I harmonize with your conclusions and will thirstily look forward to your incoming updates. Saying thanks will not just be adequate, for the tremendous lucidity in your writing. I will right away grab your rss feed to stay privy of any updates.
