Dos64.exe tries to connect with internet? Why?

Discussion in 'Windows Desktop Systems' started by Engineer, Sep 29, 2003.

  1. Engineer

    Engineer OSNN Addict

    Messages:
    89
    I have a file named dos64 which, when I am online, keeps trying to connect to the internet. It is located in my Windows\System and Windows\System32 folders.

    My Norton Internet Security blocks it. I ran Norton AV 2003 and it gave my computer a clean bill of health.

    What is this file and why is it trying to connect with the internet?

    I am running WinXP Home.

    Thanks.
     
  2. Eck

    Eck .user

    Messages:
    393
    Location:
    United States
    Whatever it is, it's not part of Windows.
     
  3. Enyo

    Enyo Moderator

    Messages:
    1,338
    E-mail the file to me (link in signature). I will check it for you and let you know what it is / does. For now, deny it.
     
  4. Engineer

    Engineer OSNN Addict

    Messages:
    89
    I have emailed it.

    As per your request I have emailed this file. I have no idea how I got it and where it came from at all.

    Thanks for your help.
     
  5. Enyo

    Enyo Moderator

    Messages:
    1,338
    Just waiting for the e-mail and then I will get back to you.
     
  6. Engineer

    Engineer OSNN Addict

    Messages:
    89
    more info

    Thank you very much, Enyo.

    Some other bits of info.

    -I have not found any reference to a "dos64.exe" file anywhere on the net (yet).

    -the icon for the file looks like a small proof of purchase symbol.

    -it is a very small file.

    -it likely sneaked into my system when I had Norton Internet Security disabled in order to play an online game (BF42); after playing I went to some wargaming sites (forgetting to reactivate NIS) and then boom.

    thanks.
    Engineer
     
  7. Enyo

    Enyo Moderator

    Messages:
    1,338
    Still waiting for the e-mail :)

    Could be a dropper of some sorts (pulls a larger trojan down off the internet). Could also be totally innocent :p *waiting*
     
  8. Engineer

    Engineer OSNN Addict

    Messages:
    89
    Sorry enyo

    I sent you two emails and they did not get through, as my ISP blocked them because the attachment, dos64, is an .exe file.

    So, I have now zipped the notorious file and sent it to you as a zipped file; it will therefore be able to pass through the ISP filters.

    sorry for the delay.

    Engineer
     
  9. Enyo

    Enyo Moderator

    Messages:
    1,338
    When I ran it on my test box it performed actions I would characterise as suspicious. I disassembled it just a moment ago and it does not look particularly innocent to me.

    I would advise you to move it out of System32 and remove the run entry it adds under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    I will have more info soon.
     
  10. Enyo

    Enyo Moderator

    Messages:
    1,338
    I now have some info back. This is a new DDoS Trojan.

    As soon as a write-up is published I will give you full details; for now, remove the exe!
     
  11. X-Istence

    X-Istence * Political User

    Messages:
    6,498
    Location:
    USA
    Damn little trojan bugger. Had this in between my music, and ClamAV caught it, so I checked it out.

    Luckily I didn't run it.
     
  12. Engineer

    Engineer OSNN Addict

    Messages:
    89
    update

    I removed the application from the System32 folder and the relevant entry from the registry. I moved it to my desktop as it won't allow me to delete it. It's sitting on my desktop, and still trying to access the internet.

    My McAfee uninstaller is powerless against it.

    Norton AV 2003 has scanned it and it is not identified as a virus.


    Thanks.
     
  13. Enyo

    Enyo Moderator

    Messages:
    1,338
    It's a new virus, so NAV won't yet detect it.

    You should be able to terminate the process from task manager and delete it.

    I just removed it from my test box without any problem.
     
  14. Engineer

    Engineer OSNN Addict

    Messages:
    89
    Not sure I get you

    I am not sure about how to delete it from Task Manager; can you be more specific? Do you mean the Scheduled Tasks option in the Control Panel? Because dos64 is not there.

    thanks
    Engineer
     
  15. Enyo

    Enyo Moderator

    Messages:
    1,338
    CTRL+ALT+DEL to open Task Manager; on the Processes tab dos64.exe will be there. Right click on it and select End Process.

    You can then delete the exe.
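The removal steps given in this thread (end the process, remove the Run value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, delete the copies under the Windows folder) can be checked and carried out with a script. The following PowerShell is an added example written for this page; it is not code from the thread or from any of its participants. It assumes PowerShell is installed on the machine being examined (it is not present on XP by default) and that it is run as Administrator. The HKLM Run key and the file name dos64.exe come from the thread; the extra RunOnce and HKCU keys, the Authenticode signature check, and the Get-ImagePath helper are the example's own additions.

```powershell
# Added example (not from the thread): audit autorun entries, locate copies of a
# named suspect file under the Windows directory, and optionally end its process
# and remove it in the order the thread describes.
# Assumes PowerShell 2.0+ on the examined machine; run as Administrator.
param(
    [string]$SuspectName = 'dos64.exe',   # file name from the thread
    [switch]$Remove                       # only act when explicitly asked
)

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',      # key named in the thread
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',  # extra keys: example's addition
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable path out of a Run value such as
#   "C:\WINDOWS\system32\foo.exe" -quiet   or   C:\WINDOWS\foo.exe
function Get-ImagePath([string]$command) {
    if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($command -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $command.Trim()
}

Write-Host "== Autorun entries =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell's own metadata
        $image  = Get-ImagePath $p.Value
        $status = 'missing'
        if (Test-Path $image) {
            $sig    = Get-AuthenticodeSignature -FilePath $image
            $status = $sig.Status                       # Valid / NotSigned / HashMismatch ...
        }
        $flag = ''
        if ($status -ne 'Valid') { $flag = '  <-- review' }
        if ([IO.Path]::GetFileName($image) -ieq $SuspectName) { $flag = '  <-- SUSPECT' }
        Write-Host ("{0}\{1}`n    {2}  [{3}]{4}" -f $key, $p.Name, $image, $status, $flag)
    }
}

# The thread reports the file landing in both Windows\System and Windows\System32,
# so search the whole Windows directory rather than one folder.
Write-Host "`n== Copies of $SuspectName under $env:SystemRoot =="
$copies = Get-ChildItem -Path $env:SystemRoot -Recurse -Filter $SuspectName -ErrorAction SilentlyContinue
foreach ($f in $copies) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    Write-Host ("{0}  {1} bytes  [{2}]" -f $f.FullName, $f.Length, $sig.Status)
}

# Removal in the thread's order: end the process first (the file cannot be deleted
# while it is running), then delete every copy and the Run value that launches it.
if ($Remove) {
    Get-Process | Where-Object { $_.Path -and ([IO.Path]::GetFileName($_.Path) -ieq $SuspectName) } |
        ForEach-Object { Write-Host "Stopping PID $($_.Id)"; Stop-Process -Id $_.Id -Force }

    foreach ($f in $copies) {
        Remove-Item -Path $f.FullName -Force
        Write-Host "Deleted $($f.FullName)"
    }

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }
            if ([IO.Path]::GetFileName((Get-ImagePath $p.Value)) -ieq $SuspectName) {
                Remove-ItemProperty -Path $key -Name $p.Name
                Write-Host "Removed $key\$($p.Name)"
            }
        }
    }
}
```

Run it without -Remove first to see the listing; every autorun image that is not signed with a valid Authenticode signature is marked for review, which is the same check the thread's participants were doing by hand when they noted the file was "not part of Windows". Only rerun with -Remove once the suspect has been confirmed, since a legitimately unsigned program can appear in the review list too.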
     
  16. Engineer

    Engineer OSNN Addict

    Messages:
    89
    I think we're done

    Oh that task manager!

    Yes, I ended the process, and then removed it from my desktop. When I first got it, it landed in both my System32 and System folders under Windows.

    So I had to take it out of both folders.

    Thanks for all your help Enyo, I really appreciate it.


    Now, what exactly was dos64? Who was it trying to connect to and why? Should someone report it to Symantec? Also, I am bothered by the fact that Norton AV, Norton NIS and Spybot Search & Destroy were all unable to detect it.

    Any other programs I should get to prevent this in future?

    Lastly, the only place any reference to it shows up now is in a Windows folder called Prefetch, which I assume is connected to the Windows Search program which I ran to find where dos64 was in the first place.


    thanks again
    Engineer
     
  17. Enyo

    Enyo Moderator

    Messages:
    1,338
    It has been sent to Symantec today by Jewelzz and I have sent it on to KAV (they knew about it already).

    I have no info on what it does other than launching a Denial of Service against x target.

    I have looked at the disassembled code but can't tell you its complete payload; I was only able to determine its file locations and where it writes to the registry (to be fair, that's all I looked for!)

    As soon as I know exactly what it does and where it hides in your system I will let you know.

    It can take a day or two for AV vendors to provide detection for new Trojans; as far as I know it was first seen in the wild just this weekend. Detection in NAV should come by Wednesday. Detection in KAV will come in a few hours.

    You can delete the contents of Prefetch.