Items detected by a ClamWin Scan on 2014-11-22

When I scanned a Microsoft Windows 7 Professional system that had been experiencing performance problems this week with ClamWin Free Antivirus, it reported finding six batch files associated with Trojan.Agent-252657 (report - txt, pdf, rtf).

ClamWin found Trojan.Agent-252657

When I checked all of the batch files, I found each would attempt to delete a specific file from the system and that the files they would attempt to delete appeared to be ones associated with downloaded malware; apparently they were part of an attempt to hide evidence of the malware.

C:\Users\Pamela\AppData\Local\Temp>more tmp1e9dbcf0.bat
@echo off
del "C:\Users\Pamela\AppData\Local\Temp\UpdateFlashPlayer_aef1a404.exe"
if exist "C:\Users\Pamela\AppData\Local\Temp\UpdateFlashPlayer_aef1a404.exe" goto d
del /F "C:\Users\Pamela\AppData\Local\Temp\tmp1e9dbcf0.bat"

C:\Users\Pamela\AppData\Local\Temp>more tmp2949fc28.bat
@echo off
del "C:\ProgramData\Windows Genuine Advantage\{644C0BFF-2A03-43C9-B68C-830A67DDA
if exist "C:\ProgramData\Windows Genuine Advantage\{644C0BFF-2A03-43C9-B68C-830A67DDA70B}\msiexec.exe" goto d
del /F "C:\Users\Pamela\AppData\Local\Temp\tmp2949fc28.bat"

C:\Users\Pamela\AppData\Local\Temp>more tmp37d76ef8.bat
@echo off
del "C:\Users\Pamela\AppData\Local\Temp\UpdateFlashPlayer_ffe043e6.exe"
if exist "C:\Users\Pamela\AppData\Local\Temp\UpdateFlashPlayer_ffe043e6.exe" goto d
del /F "C:\Users\Pamela\AppData\Local\Temp\tmp37d76ef8.bat"

C:\Users\Pamela\AppData\Local\Temp>more tmp41b5fe46.bat
@echo off
del "C:\Users\Pamela\AppData\Local\Temp\UpdateFlashPlayer_baee5f9e.exe"
if exist "C:\Users\Pamela\AppData\Local\Temp\UpdateFlashPlayer_baee5f9e.exe" goto d
del /F "C:\Users\Pamela\AppData\Local\Temp\tmp41b5fe46.bat"

C:\Users\Pamela\AppData\Local\Temp>more tmp81ac8b47.bat
@echo off
del "C:\Users\Pamela\AppData\Local\Temp\UpdateFlashPlayer_4ff8bdc9.exe"
if exist "C:\Users\Pamela\AppData\Local\Temp\UpdateFlashPlayer_4ff8bdc9.exe" goto d
del /F "C:\Users\Pamela\AppData\Local\Temp\tmp81ac8b47.bat"

C:\Users\Pamela\AppData\Local\Temp>more tmpf8e7c342.bat
@echo off
del "C:\Users\Pamela\AppData\Local\Temp\UpdateFlashPlayer_937d179a.exe"
if exist "C:\Users\Pamela\AppData\Local\Temp\UpdateFlashPlayer_937d179a.exe" goto d
del /F "C:\Users\Pamela\AppData\Local\Temp\tmpf8e7c342.bat"


All but one of the batch files referenced an UpdateFlashPlayer_xxxxxxxx.exe file, where "xxxxxxxx" was an 8-character string of random characters. The remaining one referenced C:\ProgramData\Windows Genuine Advantage\{644C0BFF-2A03-43C9-B68C-830A67DDA70B}\msiexec.exe. After attempting to delete the file it referenced, each batch file ended with a del command to delete itself. Though the batch files remained, none of the exe files were on the system any longer.

When I checked the time stamps on the files, I found the batch files were created between October 21 and November 4, 2014.

C:\Users\Pamela\AppData\Local\Temp>dir tmp*.bat
 Volume in drive C is OS
 Volume Serial Number is 4445-F6ED

 Directory of C:\Users\Pamela\AppData\Local\Temp

10/21/2014  04:54 PM               234 tmp1e9dbcf0.bat
11/04/2014  05:10 PM               286 tmp2949fc28.bat
10/22/2014  08:51 AM               234 tmp37d76ef8.bat
10/22/2014  01:02 PM               234 tmp41b5fe46.bat
10/29/2014  08:13 AM               234 tmp81ac8b47.bat
10/22/2014  07:49 AM               234 tmpf8e7c342.bat
               6 File(s)          1,456 bytes
               0 Dir(s)  884,731,953,152 bytes free

The system is configured to use the backup and restore program included in Windows 7 (Control Panel\System and Security\Backup and Restore) to back up the system every Sunday evening to an external USB drive, so I checked to see whether any of those files were included in a backup on that external drive. I found that the program apparently does not back up the Temp directory beneath users' AppData\Local directories. I can understand why the backup program might aim to conserve disk space by not storing backups of temporary files.

A Trojan.Agent-252657 Worldwide Infection Rate chart at All information about Trojan.Agent-252657 showed Trojan.Agent-252657 appearing on November 9, spiking quickly to a rate of 0.13% on November 12, declining rapidly, then spiking again on November 15, 2014, after which it again precipitously declined.

Trojan.Agent-252657 Worldwide Infection Rate

The description there states:

A Trojan.Agent-252657 or Trojan.Agent-252657 horse is often used by hackers to gain access to a computer in order to steal information or engage in other malicious activity. Users can unwittingly expose their computers to these programs by downloading other files or applications that contain them.

A site that allows you to upload files for scanning by multiple antivirus programs shows the names other antivirus products use for what ClamWin labels Trojan.Agent-252657 at a page for

Malwarebytes Anti-Malware Premium is installed on the system. When I checked its quarantine log, I found it had detected and quarantined the malicious msiexec.exe file on November 6 at 7:24:26 AM. It had also quarantined several UpdateFlashPlayer exe files, though I didn't see the ones referenced in the batch files above listed as being quarantined by Malwarebytes Anti-Malware.

Detection          Date/Time               Type   Path
Trojan.Agent.DED   11/20/2014 8:57:32 PM   File   C:\ProgramData\Windows Genuine Advantage\{79623D25-6343-4C6D-8513-FA858BC30771}\msiexec.exe
Trojan.Agent.DED   11/20/2014 8:57:32 PM   File   C:\ProgramData\Windows Genuine Advantage\{D75F6D4D-FEF6-4545-825E-EDDE3C6C62AB}\msiexec.exe
Trojan.Agent       11/6/2014 7:24:26 AM    File   C:\ProgramData\Windows Genuine Advantage\{644C0BFF-2A03-43C9-B68C-830A67DDA70B}\msiexec.exe
Trojan.Agent.ED    11/4/2014 5:10:06 PM    File   C:\ProgramData\Windows Genuine Advantage\{89B0946F-E47F-4C01-B0CF-18FD0C563569}\msiexec.exe
Trojan.Agent       11/6/2014 7:24:26 AM    File   C:\Users\Pamela\AppData\Local\Temp\UpdateFlashPlayer_200de97e.exe
Spyware.Zbot.ED    10/29/2014 10:24:31 PM  File   C:\Users\Pamela\AppData\Local\Temp\UpdateFlashPlayer_4ff8bdc9.exe
Trojan.Zemot       10/29/2014 10:24:31 PM  File   C:\Users\Pamela\AppData\Local\Temp\UpdateFlashPlayer_fc99e43b.exe
Trojan.Inject.ED   10/29/2014 10:24:31 PM  File   C:\Users\Pamela\AppData\Local\Temp\UpdateFlashPlayer_6e337c59.exe
Trojan.Zemot       10/29/2014 10:24:31 PM  File   C:\Users\Pamela\AppData\Local\Temp\UpdateFlashPlayer_8c8c5dd0.exe
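As an added example (not the author's own tooling), the following Python script parses cleanup batch files of the shape listed above, pulls out the file each one tries to erase and flags the self-delete step, and then cross-references those targets against the Malwarebytes quarantine entries. The sample batch contents and log lines are constructed from the listings on this page; that the quarantine log exports as tab-separated columns is an assumption.

```python
import re
from datetime import datetime
# Constructed sample: three of the cleanup batch files listed above (CRLF endings as cmd.exe writes them).
TEMP = r"C:\Users\Pamela\AppData\Local\Temp"
WGA = r"C:\ProgramData\Windows Genuine Advantage\{644C0BFF-2A03-43C9-B68C-830A67DDA70B}"
BATCH_FILES = {
    "tmp1e9dbcf0.bat": f'@echo off\r\ndel "{TEMP}\\UpdateFlashPlayer_aef1a404.exe"\r\n'
        f'if exist "{TEMP}\\UpdateFlashPlayer_aef1a404.exe" goto d\r\ndel /F "{TEMP}\\tmp1e9dbcf0.bat"\r\n',
    "tmp2949fc28.bat": f'@echo off\r\ndel "{WGA}\\msiexec.exe"\r\n'
        f'if exist "{WGA}\\msiexec.exe" goto d\r\ndel /F "{TEMP}\\tmp2949fc28.bat"\r\n',
    "tmp81ac8b47.bat": f'@echo off\r\ndel "{TEMP}\\UpdateFlashPlayer_4ff8bdc9.exe"\r\n'
        f'if exist "{TEMP}\\UpdateFlashPlayer_4ff8bdc9.exe" goto d\r\ndel /F "{TEMP}\\tmp81ac8b47.bat"\r\n',
}
# Constructed sample of the Malwarebytes quarantine entries above, assumed
# exported as tab-separated columns: detection, time, object type, path.
QUARANTINE_LOG = (
    f"Trojan.Agent\t11/6/2014 7:24:26 AM\tFile\t{WGA}\\msiexec.exe\n"
    f"Spyware.Zbot.ED\t10/29/2014 10:24:31 PM\tFile\t{TEMP}\\UpdateFlashPlayer_4ff8bdc9.exe\n"
    f"Trojan.Zemot\t10/29/2014 10:24:31 PM\tFile\t{TEMP}\\UpdateFlashPlayer_fc99e43b.exe\n"
)
# Matches both 'del "<path>"' and 'del /F "<path>"' lines.
DEL_RE = re.compile(r'^del\s+(?:/F\s+)?"([^"]+)"\s*$', re.I)

def parse_cleanup_batch(name, text):
    """Return (target, self_deletes) for a script shaped like the ones above, else None."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    dels = [m.group(1) for ln in lines if (m := DEL_RE.match(ln))]
    if not dels:
        return None
    # Self-deleting when the final del names the batch file itself.
    return dels[0], dels[-1].lower().endswith("\\" + name.lower())

def parse_quarantine(log):
    """Parse log lines into (detection, datetime, type, path) tuples."""
    out = []
    for line in log.splitlines():
        det, when, kind, path = line.split("\t")
        out.append((det, datetime.strptime(when, "%m/%d/%Y %I:%M:%S %p"), kind, path))
    return out

def cross_reference(batches, log):
    """Map batch name -> (target, self_deletes, (detection, datetime) or None):
    which of the files the scripts tried to erase had already been quarantined."""
    hits = {path.lower(): (det, when) for det, when, _, path in parse_quarantine(log)}
    report = {}
    for name, text in batches.items():
        if parsed := parse_cleanup_batch(name, text):
            report[name] = (parsed[0], parsed[1], hits.get(parsed[0].lower()))
    return report
```

On the sample data it reports the msiexec.exe under Windows Genuine Advantage and UpdateFlashPlayer_4ff8bdc9.exe as already quarantined and the aef1a404 target as absent from the log, which is the overlap worth checking whenever cleanup scripts and a quarantine log come from the same machine.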


Created: Saturday November 22, 2014