I'm curious if anybody has any input on these little critters:
On a Win98SE box, I discovered some hidden executables and DLL files in the Windows and Windows/System folders: LIDAJ.DLL, DRV2CLTR.DLL, CSVAA.EXE, RNSDIN.EXE. All installed within the past 2 days.
I was alerted by an attempt for Internet Explorer to connect (on its own) to an IP address in a 3rd world European country. I also started getting Windows Security Center alert popups, which is absurd on a Win98SE platform. I now knew something had been dropped into my system, but searching for suspicious open ports showed nothing. Scanning with Trend Micro Online showed nothing. AdAwareSE showed nothing unusual. SpybotS&D timed out and stalled twice for the first time ever (currently attempting to reinstall and initiate). Symantec showed a LIDAJ.DLL virus file which could not be seen in native Windows mode; it only showed up in regular boot level DOS. Panda scan showed the same file plus an infected Registry Start/Run key infection regarding the TaskMonitor and ScanRegistry call statements, possibly infected by Backdoor trojan variants. These keys have since been nulled to prevent their startup. One final hope, HJT, showed absolutely nothing abnormal as compared to log histories for the past year (HJT version was updated today).
Now the funny part: nulling the TaskMonitor and ScanRegistry call keys stopped the popups. Digging by hand through Windows root folders I found an RDT.INI file flagged with random casino, viagra, etc. URL call statements and quarantined it. Hiding Windows and System folders from native Windows is not an easy trick to do. Somebody posted that Microsoft made this feature possible to prevent average users from fully deleting their caches/histories. Fine, no big deal, we've all known that for years now. But moving hidden ( +s[ecret] ) files out of the Windows main directory should make them visible. These virus/trojan files listed above remain completely invisible except in boot level DOS mode. Not easy to do, and difficult for most scanners to detect (as noted above). My >.EXE< hacker program doesn't run from DOS mode, only native GUI Windows, so I can't break it down to code level. The DLLs are editable in DOS but are completely binary.
Does anybody have any references/info about hiding virus files and trojans completely from native Windows, and is there a DOS level editor for EXE files? The hosting companies for the target URLs of these strains all center from the country of Estonia (ESTHOST.COM). I'm going to clean the files eventually, but I want to preserve them first and later submit to Symantec for definition file updates. I believe they are mostly re-arranged client/server trojan programs that evade all but certain heuristic smart scannings. Any thoughts or help appreciated. Logs available upon request.
Regards,
-the CPUhatchery
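The two symptoms the post describes, files that only show up from real-mode DOS and Run-key entries rewired to other executables, can both be triaged from plain text captured offline: the output of `ATTRIB /S` run from a boot diskette and a `REGEDIT4` export of the Run key. The script below is an added example, not code from the poster or from any of the scanners mentioned; the `ATTRIB` listing and the registry export are constructed samples that reuse the file names from the post, and the "stock" command lines for `TaskMonitor` and `ScanRegistry` are my recollection of the Win98 defaults, so treat them as an assumption to confirm against a known-clean machine.

```python
"""Offline triage for hidden+system files and tampered Run-key entries.

Inputs are constructed samples shaped like real-mode `ATTRIB /S` output and
a REGEDIT4 export of HKLM\\...\\Run.  The file names are the ones named in
the post; the command-line values are made up for illustration.
"""
import re

# Constructed sample: what `ATTRIB C:\WINDOWS\*.* /S` might print from DOS.
ATTRIB_OUTPUT = """\
A          C:\\WINDOWS\\WIN.INI
A  SH      C:\\WINDOWS\\SYSTEM\\LIDAJ.DLL
A  SH      C:\\WINDOWS\\SYSTEM\\DRV2CLTR.DLL
A   H      C:\\WINDOWS\\RDT.INI
A  SH      C:\\WINDOWS\\CSVAA.EXE
A  SHR     C:\\WINDOWS\\RNSDIN.EXE
A   R      C:\\WINDOWS\\SYSTEM\\USER.EXE
"""

# Constructed sample: a REGEDIT4 export of the per-machine Run key.
# (Registry exports escape backslashes as "\\", hence the doubling.)
REG_EXPORT = """\
REGEDIT4

[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"TaskMonitor"="C:\\\\WINDOWS\\\\CSVAA.EXE"
"ScanRegistry"="C:\\\\WINDOWS\\\\RNSDIN.EXE /autorun"
"SystemTray"="SysTray.Exe"
"""

# Assumed stock Win98 values for the two entries the post says were altered.
EXPECTED_RUN = {
    "TaskMonitor": r"C:\WINDOWS\taskmon.exe",
    "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
}

# ATTRIB prints the attribute letters, then whitespace, then a drive path.
ATTRIB_LINE = re.compile(r"^\s*([A-Z ]*?)\s+([A-Za-z]:\\\S.*)$")
# One "Name"="Value" line of a REGEDIT4 export (both sides may be escaped).
REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_attrib_output(text):
    """Return [(set_of_attribute_letters, path), ...] from ATTRIB output."""
    entries = []
    for line in text.splitlines():
        m = ATTRIB_LINE.match(line)
        if m:
            entries.append((set(m.group(1).replace(" ", "")), m.group(2)))
    return entries


def find_hidden_system_files(text):
    """Paths carrying both the System and Hidden attributes (invisible in Explorer)."""
    return [path for attrs, path in parse_attrib_output(text) if {"S", "H"} <= attrs]


def _reg_unescape(s):
    # REGEDIT4 escapes are "\\" -> "\" and "\"" -> '"'.
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_key(text):
    """Return {value_name: command} for every Run key section in the export."""
    values, in_run = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run = line.rstrip("]").lower().endswith("\\run")
            continue
        m = REG_VALUE.match(line) if in_run else None
        if m:
            values[_reg_unescape(m.group(1))] = _reg_unescape(m.group(2))
    return values


def flag_tampered_run_entries(text, expected=EXPECTED_RUN):
    """Return {name: actual_command} for expected entries whose command differs."""
    actual = parse_run_key(text)
    return {
        name: actual[name]
        for name, want in expected.items()
        if name in actual and actual[name].lower() != want.lower()
    }


def _command_image(command):
    # First token of the command line, honouring a quoted path.
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0]


def correlate(attrib_text, reg_text):
    """Run entries whose executable is one of the hidden+system files."""
    hidden = {p.lower() for p in find_hidden_system_files(attrib_text)}
    return {
        name: _command_image(cmd)
        for name, cmd in parse_run_key(reg_text).items()
        if _command_image(cmd).lower() in hidden
    }


if __name__ == "__main__":
    for path in find_hidden_system_files(ATTRIB_OUTPUT):
        print("hidden+system:", path)
    for name, cmd in flag_tampered_run_entries(REG_EXPORT).items():
        print("Run entry changed:", name, "->", cmd)
    for name, image in correlate(ATTRIB_OUTPUT, REG_EXPORT).items():
        print("Run entry launches a hidden+system file:", name, "->", image)
```

Captured `ATTRIB` text, not a live directory listing, is the input on purpose: it lets the check run from any machine against a listing taken while the infected system was offline, which is also the state in which the poster was able to see the files at all. Comparing Run-key commands against stock values catches the tampering even when, as here, the value names look normal, and the cross-reference points directly at the files worth preserving for submission.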