Trojan Downloader Agent in Winsock a DLL with Armadillo packed/protected v1.xx - v2.xx dll name: engt32.dll RRS feed

  • General discussion

  • Symptom: engt32.dll Hooks with 2 entries in Winsock LSP's
    Internet speed may slow down by single connections 30 - 60 %
    Age: The file have been first scanned in year 2006 by www.virustotal.com and found the same results by all Antiviruses as now in year 2008.

    To found with: Spybot -Search and Destroy (unknown MS-...) 2 entries
    or Trend Micro HijackThis v2.0.2
    To remove: LSPFix cexx.org's Winsock 2 (Layered Service Provider) repair utility.

    Antiviruses that can not found it: Microsoft, Kaspersky, NOD32, Norman, TrendMicro, F-Secure, Prevx...

    Live On Care 2.x include latest Beta can not more start the integrated Live on care firewall.

    Version 2.5.2900.03

    AhnLab-V3 2008.7.8.0 2008.07.07 Win-Trojan/Agent.81920.Z
    AntiVir 2008.07.07 TR/Dldr.Agent.DLL.A
    Authentium 2008.07.07 W32/Downldr2.VEB
    Avast 4.8.1195.0 2008.07.07 Win32:Trojan-gen {Other}
    AVG 2008.07.07 Downloader.Small.BCP
    BitDefender 7.2 2008.07.08 Trojan.Downloader.AUT
    CAT-QuickHeal 9.50 2008.07.07 -
    ClamAV 0.93.1 2008.07.08 -
    DrWeb 2008.07.07 Trojan.DownLoader.12131
    eSafe 2008.07.07 -
    eTrust-Vet 31.6.5934 2008.07.07 -
    Ewido 4.0 2008.07.07 Downloader.Agent.a
    F-Prot 2008.07.07 W32/Downldr2.VEB
    F-Secure 7.60.13501.0 2008.07.08 -
    Fortinet 2008.07.07 PossibleThreat
    GData 2.0.7306.1023 2008.07.08 Win32:Trojan-gen
    Ikarus T3. 2008.07.08 Trojan-Downloader.12131
    Kaspersky 2008.07.08 -
    McAfee 5333 2008.07.07 Generic.di
    Microsoft 1.3704 2008.07.08 -
    NOD32v2 3248 2008.07.07 -
    Norman 5.80.02 2008.07.07 -
    Panda 2008.07.08 Trj/Downloader.KHR
    Prevx1 V2 2008.07.08 -
    Rising 2008.07.06 Trojan.DL.Agent.ana
    Sophos 4.31.0 2008.07.08 Mal/Generic-A
    Sunbelt 3.1.1509.1 2008.07.04 Trojan-Downloader.Gen
    Symantec 10 2008.07.08 Downloader
    TheHacker 2008.07.07 -
    TrendMicro 8.700.0.1004 2008.07.07 -
    VBA32 2008.07.07 Trojan.DownLoader.12131
    VirusBuster 2008.07.07 -
    Webwasher-Gateway 6.6.2 2008.07.07 Trojan.Dldr.Agent.DLL.A
    weitere Informationen
    File size: 81920 bytes
    MD5...: 38a169d6eb7dbc243a2c395eb981833b
    SHA1..: 1fa66f684c15566b87301c04949c8072c577a7a6
    SHA256: 9ce760b1982e32000a5637ad4422c5639dc1b334013700e303e967342595df69
    SHA512: a51f9f6aee0e488d899012e05c78296056403e94e788382c31cd65b28da1a359
    PEiD..: Armadillo v1.xx - v2.xx
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x10003969
    timedatestamp.....: 0x44bf3cca (Thu Jul 20 08:20:26 2006)
    machinetype.......: 0x14c (I386)

    ( 4 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0xad5a 0xb000 6.60 1e2ac2efe8a2e97d6cdcff740aa8b8c7
    .rdata 0xc000 0x14ea 0x2000 3.89 c226fc9e70ce25bd077963ed95f88541
    .data 0xe000 0x4f0c 0x4000 0.92 573d4ed926f2ab855c9ad82a6525471f
    .reloc 0x13000 0x1160 0x2000 3.06 6a09bba2d154e82f41c98399f03643e2

    ( 5 imports )
    > KERNEL32.dll: DeleteFileW, GetModuleFileNameW, GetModuleFileNameA, WritePrivateProfileStringW, CloseHandle, CopyFileW, GetLastError, CreateMutexW, GlobalFree, GlobalAlloc, FreeLibrary, GetProcAddress, LoadLibraryW, ExpandEnvironmentStringsW, GetSystemDirectoryW, GetTempPathW, FindClose, FindFirstFileW, SetErrorMode, CreateFileW, SetFileTime, GetSystemTimeAsFileTime, CompareStringW, CompareStringA, FlushFileBuffers, GetDriveTypeA, SetStdHandle, GetStringTypeW, GetStringTypeA, LoadLibraryA, GetOEMCP, GetACP, GetCurrentDirectoryW, IsBadCodePtr, IsBadReadPtr, SetUnhandledExceptionFilter, SetFilePointer, GetTimeZoneInformation, GetSystemTime, GetLocalTime, InterlockedDecrement, InterlockedIncrement, RtlUnwind, HeapFree, HeapAlloc, FileTimeToSystemTime, FileTimeToLocalFileTime, GetDriveTypeW, GetCommandLineA, GetVersion, MultiByteToWideChar, WideCharToMultiByte, LCMapStringA, LCMapStringW, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, ExitProcess, GetCurrentThreadId, TlsSetValue, TlsAlloc, TlsFree, SetLastError, TlsGetValue, GetModuleHandleA, GetEnvironmentVariableA, GetVersionExA, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, HeapReAlloc, IsBadWritePtr, GetFullPathNameW, GetCurrentDirectoryA, TerminateProcess, GetCurrentProcess, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, WriteFile, GetCPInfo, SetEnvironmentVariableA
    > USER32.dll: MessageBoxA
    > SHELL32.dll: ShellExecuteW
    > urlmon.dll: URLDownloadToFileW
    > WS2_32.dll: WSCDeinstallProvider, WSCGetProviderPath, WSCInstallProvider, WSCWriteProviderOrder, WSCEnumProtocols

    ( 9 exports )
    Dll_CheckRunning, Dll_GetInfo, Dll_GetVersion, Dll_Install, Dll_LoadInstance, Dll_ShowVersion, Dll_Uninstall, UpdateCore, WSPStartup

    More info: http://www.firefox123.cn/English/e/engt32.dll.htm
    Process File: engt32.dll
    Process Name: Troj_Polymorphic.File.Exploit
    Description: N/A
    Author: unknown
    Part of: unknown
    Common Path(s): Windows\system32
    Secuirty Risk (0-5): 0
    Spyware: Yes
    Adware: Yes
    Virus: Yes
    Trojan: Yes
    System Process: No
    Application: No
    Background Process: Yes
    Uses Network: Yes
    Related Process:
    IP Internet System Internet

    After Winsock LSP's the two entries are cleaned and the file been removed Live OnCare Firewall works again.




    Achtung dieser virus wird von der letzten Version ebenso den Vorgaenger Versionen von Live OnCare nicht erkannt. Es handelt sich um eine Armadillo gepackte/protect dll datei aus dem Jahr 2006 die zwei Eintraege in Winsock LSP's macht und die Live OnCare Firewall staendig nach kurzer Zeit deaktiviert. Dies trifft ebenso bei einer Neuinstallation von Live OnCare letzter Beta wie auch Version 2.5.2900.03 zu.
    Bitte fuegen Sie den Virus zur Erkennungsliste hinzu damit Live OnCare ihn finden und entfernen kann.

    Info: http://www.virustotal.com/de/analisis/948e937da2471d95f0852ae850eb7ae7


    Die dll als zip datei:
    wurde an die email gesand, fals sie nicht ankommt bitte kontaktieren Sie uns

    Vorsicht bitte an AV Center weiterrreichen!!!



    I got this message from support center:

    Technischen Support kontaktieren

    Vielen Dank, dass Sie sich an Microsoft gewendet haben.
    Die Nummer Ihrer Serviceanfrage lautet:



    Another Trojan in C++ (eMule mod embedded) Live OnCare does not found nor clean it: http://www.softwareheadlines.com/modules/planet/view.article.php/277871

    Info: http://www.virustotal.com/analisis/0b91aaa7079a5a7fce9f4ecb61eec590

    suspected of Trojan-Spy.Banker.92 (paranoid heuristics), after executing and reboot PC, when you start webbrowser, a second site will open with ads. When you close the ads site the webbrowser will close. Check for running process spoolsv.exe

    Creates spoolsv.exe and cfgmgr.vbs

    C:\Documents and Settings\...\Application Data\Microsoft\cfgmgr.vbs
    shows up by restart after deleted before spoolsv.exe

    the content of file: cfgmgr.vbs
    Set WshShell = WScript.CreateObject("WScript.Shell")WshShell.Run Chr(34)  "C:\Documents and Settings\...\Application Data\Microsoft\spoolsv.exe"  Chr(34)

    adds the registry entries:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6778F1EE-80BB-4F27-BC69-F91B843782CD}

    Please add this active viruses to the next Virus and Spyware definitionen updates.

    Tuesday, July 8, 2008 4:42 AM

All replies