
Dos64.exe tries to connect with internet? Why?

#1
I have a file named dos64, located in my Windows System and Windows System32 folders, which keeps trying to connect to the internet when I am online.

My Norton Internet Security blocks it. I ran Norton AV 2003 and it gave my computer a clean bill of health.

What is this file and why is it trying to connect with the internet?

I am running WinXP Home.

Thanks.
 
#4
I have emailed it.

As per your request I have emailed this file. I have no idea how I got it and where it came from at all.

Thanks for your help.
 
#6
more info

Thank you very much, Enyo.

Some other bits of info.

-I have not found any reference to a "dos64.exe" file anywhere on the net (yet).

-the icon for the file looks like a small proof of purchase symbol

-it is a very small file.

-it likely sneaked into my system when I had Norton Internet Security disabled in order to play an online game (BF42); after playing I went to some wargaming sites (forgetting to reactivate NIS) and then boom.

thanks.
Engineer
 
#7
Still waiting for the e-mail :)

Could be a dropper of some sort (pulls a larger trojan down off the internet). Could also be totally innocent :p *waiting*
 
#8
Sorry enyo

I sent you two emails and they did not get through, as my ISP blocked them because the attachment, dos64, is an .exe file.

So, I have now zipped the notorious file and I have sent it to you as a zipped file; it will therefore be able to pass through the ISP filters.

sorry for the delay.

Engineer
 
#9
When I ran it on my test box it performed actions I would characterise as suspicious. I disassembled it just a moment ago and it does not look particularly innocent to me.

I would advise you to move it out of System32 and remove the run entry it adds under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

I will have more info soon.
 
#10
I now have some info back. This is a new DDoS Trojan.

As soon as a write-up is published I will give you full details; for now, remove the exe!
 
#12
update

I removed the application from the System32 folder and the relevant entry from the registry. I moved it to my desktop as it won't allow me to delete it. It's sitting on my desktop, and still trying to access the internet.

My McAfee uninstaller is powerless against it.

Norton AV 2003 has scanned it and it is not identified as a virus.


Thanks.
 
#13
It's a new virus so NAV won't yet detect it.

You should be able to terminate the process from task manager and delete it.

I just removed it from my test box without any problem.
 
#14
Not sure I get you

I am not sure about how to delete it from task manager; can you be more specific? Do you mean the Scheduled Tasks option in the control panel? Because dos64 is not there.

thanks
Engineer
 
#15
CTRL+ALT+DEL to open task manager, on the processes tab dos64.exe will be there. Right click on it and select end process.

You can then delete the exe.
 
#16
I think we're done

Oh, that task manager!

Yes, I ended the process, and then removed it from my desktop. When I first got it, it landed in both my System32 and System folders under Windows.

So I had to take it out of both folders.

Thanks for all your help Enyo, I really appreciate it.


Now, what exactly was dos64??? Who was it trying to connect to and why? Should someone report it to Symantec? Also, I am bothered by the fact that both Norton AV and my other than Norton NIS and Spybot Search & Destroy were unable to detect it.

Any other programs I should get to prevent this in future?

Lastly, the only place any reference to it shows up now is in a Windows folder called Prefetch, which I assume is connected to the Windows Search program which I ran to find where dos64 was in the first place.


thanks again
Engineer
 
#17
It has been sent to Symantec today by Jewelzz and I have sent it on to KAV (they knew about it already).

I have no info on what it does other than launching a Denial of Service against x target.

I have looked at the disassembled code but can't tell you its complete payload; I was only able to determine its file locations and where it writes to the registry (to be fair, that's all I looked for!)

As soon as I know exactly what it does and where it hides in your system I will let you know.

It can take a day or two for AV vendors to provide detection for new Trojans; as far as I know it was first seen in the wild just this weekend. Detection in NAV should come by Wednesday. Detection in KAV will come in a few hours.

You can delete the contents of Prefetch.
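
An added example, not part of the original thread: the finding above (an unrecognised executable in System32 or System that is launched from the HKLM Run key) written as a triage check over saved `reg query` output. The sample output, the value names, `BASELINE`, the `C:\WINDOWS` install path and all function names are constructed for illustration.

```python
import ntpath
import re

# Constructed sample of `reg query` output for the Run key named in the thread.
# Value names and the ExampleAV/exampletray entries are made up for illustration.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleAV    REG_SZ    "C:\Program Files\ExampleAV\avtray.exe" /min
    dos64    REG_SZ    C:\WINDOWS\System32\dos64.exe
    ExampleTray    REG_EXPAND_SZ    %SystemRoot%\system32\exampletray.exe /startup
"""

# Assumption: file names recorded from a known-good build of this machine.
BASELINE = {"exampletray.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\system"}
VALUE_RE = re.compile(r"^[ \t]+(\S.*?)[ \t]+(?:REG_SZ|REG_EXPAND_SZ)[ \t]+(.*)$", re.M)
IMAGE_RE = re.compile(r"(.+?\.(?:exe|com|scr|bat|cmd))(?=\s|$)", re.I)

def image_path(command):
    """Return the program part of a Run command line, dropping arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    match = IMAGE_RE.match(command)
    return match.group(1) if match else command

def normalise(path):
    """Expand the system variables (assumed C:\\WINDOWS) and lower-case the path."""
    path = re.sub(r"%(?:systemroot|windir)%", lambda m: r"C:\WINDOWS", path, flags=re.I)
    return ntpath.normpath(path).lower()

def find_suspects(reg_output, baseline=BASELINE):
    """List (value name, image) pairs that autostart from a system folder
    but whose file name is not in the known-good baseline."""
    suspects = []
    for name, command in VALUE_RE.findall(reg_output):
        image = normalise(image_path(command))
        if ntpath.dirname(image) in SYSTEM_DIRS and ntpath.basename(image) not in baseline:
            suspects.append((name, image))
    return suspects

if __name__ == "__main__":
    for name, image in find_suspects(SAMPLE_REG_QUERY):
        print(f"review Run value {name!r}: {image}")
```

A file name match against a baseline only narrows what to look at; as the thread shows, a scanner's clean result on a newly seen file does not clear it.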
 
