Dos64.exe tries to connect to the internet? Why?

Engineer
I have a file named dos64, located in my Windows\System and Windows\System32 folders, which keeps trying to connect to the internet when I am online.

My Norton Internet Security blocks it. I ran Norton AV 2003 and it gave my computer a clean bill of health.

What is this file and why is it trying to connect to the internet?

I am running WinXP Home.

Thanks.
 
E-mail the file to me (link in signature). I will check it for you and let you know what it is / does. For now, deny it.
 
I have emailed it.

As per your request, I have emailed this file. I have no idea how I got it or where it came from.

Thanks for your help.
 
Just waiting for the e-mail and then I will get back to you.
 
More info

Thank you very much, Enyo.

Some other bits of info.

-I have not found any reference to a "dos64.exe" file anywhere on the net (yet).

-The icon for the file looks like a small proof-of-purchase symbol.

-It is a very small file.

-It likely sneaked into my system when I had Norton Internet Security disabled in order to play an online game (BF42); after playing I went to some wargaming sites (forgetting to reactivate NIS) and then boom.

thanks.
Engineer
 
Still waiting for the e-mail :)

Could be a dropper of some sort (pulls a larger trojan down off the internet). Could also be totally innocent :p *waiting*
 
Sorry Enyo

I sent you two emails and they did not get through, as my ISP blocked them because the attachment, dos64, is an .exe file.

So I have now zipped the notorious file and sent it to you as a zipped file; it will therefore be able to pass through the ISP filters.

Sorry for the delay.

Engineer
 
When I ran it on my test box it performed actions I would characterise as suspicious. I disassembled it just a moment ago and it does not look particularly innocent to me.

I would advise you to move it out of System32 and remove the Run entry it adds under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

I will have more info soon.
 
I now have some info back. This is a new DDoS Trojan.

As soon as a write-up is published I will give you full details; for now, remove the exe!
 
Damn little trojan bugger. Had this in between my music, and ClamAV caught it, so I checked it out.

Luckily I didn't run it.
 
Update

I removed the application from the System32 folder and the relevant entry from the registry. I moved it to my desktop, as it won't allow me to delete it. It's sitting on my desktop, and still trying to access the internet.

My McAfee uninstaller is powerless against it.

Norton AV 2003 has scanned it and it is not identified as a virus.


Thanks.
 
It's a new virus, so NAV won't yet detect it.

You should be able to terminate the process from task manager and delete it.

I just removed it from my test box without any problem.
 
Not sure I get you

I am not sure about how to delete it from Task Manager; can you be more specific? Do you mean the Scheduled Tasks option in the Control Panel? Because dos64 is not there.

thanks
Engineer
 
CTRL+ALT+DEL to open Task Manager; on the Processes tab dos64.exe will be there. Right-click on it and select End Process.

You can then delete the exe.
 
I think we're done

Oh, that Task Manager!

Yes, I ended the process and then removed it from my desktop. When I first got it, it landed in both my System32 and System folders under Windows.

So I had to take it out of both folders.

Thanks for all your help Enyo, I really appreciate it.


Now, what exactly was dos64??? Who was it trying to connect to and why? Should someone report it to Symantec? Also, I am bothered by the fact that Norton AV, Norton NIS and Spybot Search & Destroy were all unable to detect it.

Any other programs I should get to prevent this in future?

Lastly, the only place any reference to it shows up now is in a Windows folder called Prefetch, which I assume is connected to the Windows Search program, which I ran to find where dos64 was in the first place.


thanks again
Engineer
 
It has been sent to Symantec today by Jewelzz and I have sent it on to KAV (they knew about it already).

I have no info on what it does other than launching a Denial of Service against x target.

I have looked at the disassembled code but can't tell you its complete payload; I was only able to determine its file locations and where it writes to the registry (to be fair, that's all I looked for!)

As soon as I know exactly what it does and where it hides in your system I will let you know.

It can take a day or two for AV vendors to provide detection for new Trojans; as far as I know it was first seen in the wild just this weekend. Detection in NAV should come by Wednesday. Detection in KAV will come in a few hours.

You can delete the contents of Prefetch.
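The clean-up the thread walks through by hand (end the process in Task Manager, delete the Run entry under HKLM\...\CurrentVersion\Run, remove the copies under Windows\System and Windows\System32, then clear the Prefetch trace) can be done in one pass. The script below is an added example by the editor, not code from the thread or from either poster; it assumes an elevated PowerShell session on a modern Windows box (the original poster was on XP, which has no PowerShell), that the only identifier we have is the image name, and that the standard Run/RunOnce keys and Windows folders are the places to look. Everything is reported first; nothing is removed unless -Remove is given, and each file's SHA-256 is recorded before deletion so a sample can still be submitted to the AV vendors, as the thread does with Symantec and KAV.

```powershell
# Report (and optionally remove) a named executable that persists via the
# Run key. Added example, not from the thread. Assumed defaults: the image
# name dos64.exe from the thread and the standard Windows locations.
param(
    [string]$Name = 'dos64.exe',   # assumed: image name of the suspicious file
    [switch]$Remove                # without -Remove the script only reports
)

$base    = [IO.Path]::GetFileNameWithoutExtension($Name)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Folders the thread names as drop locations, plus Prefetch for the .pf trace.
$dirs = @(
    "$env:SystemRoot",
    "$env:SystemRoot\System",
    "$env:SystemRoot\System32",
    "$env:SystemRoot\Prefetch"
)

# 1. Running instances (the Task Manager "End Process" step). Killing first
#    matters because a running image cannot be deleted from disk.
foreach ($p in Get-Process | Where-Object { $_.ProcessName -ieq $base }) {
    $path = '<unknown>'
    try { $path = $p.MainModule.FileName } catch { }   # access can be denied
    Write-Host "Process $($p.Id) ($($p.ProcessName)): $path"
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# 2. Run / RunOnce values whose data references the file name. Both hives are
#    checked even though the thread only saw the HKLM entry.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }      # PowerShell metadata, not a value
        if ("$($prop.Value)" -imatch [regex]::Escape($Name)) {
            Write-Host "Run entry $key\$($prop.Name) = $($prop.Value)"
            if ($Remove) { Remove-ItemProperty -Path $key -Name $prop.Name }
        }
    }
}

# 3. Copies on disk and the Prefetch entry (DOS64.EXE-<hash>.pf). Hash each
#    file before deleting so a sample can still be sent to the AV vendors.
foreach ($d in $dirs) {
    Get-ChildItem -Path $d -Filter "$base*" -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
            Write-Host "File $($_.FullName) size=$($_.Length) SHA256=$hash"
            if ($Remove) { Remove-Item -Path $_.FullName -Force }
        }
}
```

Run it once without -Remove and keep the output: the hashes and Run-key values are what a vendor or a forum helper needs to identify the sample, and the process path tells you whether the copy in System32 or the one in System was the one actually executing. Only after a zipped copy has been set aside for submission should the -Remove pass be run.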
 
