A Windows 98 & ME forum. Win98banter


MS DOS REDIR31 and RPCSR



 
 
  #1  
Old December 24th 05, 07:45 PM posted to microsoft.public.win98.gen_discussion

I have been playing around with a Windows 98 machine and recently installed a
NIC card. Now every time I boot, an MS-DOS window pops up on the screen and
will not go away. The first window is a REDIR31 and then it goes to an
RPCSR window that stays open during the entire session. Another strange
occurrence that I can't seem to figure out
is that it says Windows 98 is now booting for the first time. This did not
happen prior to the installation of the NIC card. Is there anything I can do
to stop this process from running upon boot up, and why would my boot up
screen allude to a first time run every time?

The executable file for this is conagent.exe

It seems to have affected my system performance as well. I have read some
information that alluded to the Gaobot Trojan associated with this file. I do
know that this executable file was part of the 98 startup disk. However, I'm
unsure about exactly what it does. Can you help?

  #2  
Old December 24th 05, 08:34 PM posted to microsoft.public.win98.gen_discussion

REDIR31 is part of the Magistr worm, IIRC.

looking, looking ..... here:
http://forums.techguy.org:80/securit...n-startup.html
--
Glen Ventura, MS MVP Shell/User, A+
http://dts-l.org/goodpost.htm




  #3  
Old December 26th 05, 05:46 AM posted to microsoft.public.win98.gen_discussion

"glee" wrote in message
...
REDIR31 is part of the Magistr worm, IIRC.


No it isn't; it may be/is the redir32.exe renamed by the Magistr or
another virus. What the Magistr does is rename a file or files and even
may move it. IIRC the original did its dirty work in three steps on a
time frame:
First it overwrites file/s and waits a set amount of days.
Second, the icons on the desktop move away from the cursor so they can't be
clicked.
After another set amount of days the third and "final" payload kicks in,
which does either or all of: overwrites the HD, erases the CMOS and flashes the
BIOS.

It also propagates via email to everyone in the user's address book.

OK, the above isn't 100% in order and the info on the first of 2 Magistrs
is:


--

Brian A. Sesko { MS MVP_Shell/User }
Conflicts start where information lacks.
http://basconotw.mvps.org/

Suggested posting do's/don'ts: http://www.dts-l.org/goodpost.htm
How to ask a question: http://support.microsoft.com/kb/555375



  #4  
Old December 26th 05, 05:53 AM posted to microsoft.public.win98.gen_discussion

Can you boot to Safe Mode, by either:
Just after boot where you see the POST screen and memory count,
press/hold down the CTRL key until you get the boot menu where you can then
select Safe Mode.

or continually tap the F8 key until boot menu.

or press/tap F5 to boot straight to Safe Mode.

--

Brian A. Sesko { MS MVP_Shell/User }
Conflicts start where information lacks.
http://basconotw.mvps.org/

Suggested posting do's/don'ts: http://www.dts-l.org/goodpost.htm
How to ask a question: http://support.microsoft.com/kb/555375






  #5  
Old December 26th 05, 12:23 PM posted to microsoft.public.win98.gen_discussion

....and how is that different than what I said? ;-)

Magistr renames the legit file redir32 to redir31. The message involving REDIR31 is
a sign of a Magistr infection, as I thought I stated.

Merry Christmas!
--
Glen Ventura, MS MVP Shell/User, A+
http://dts-l.org/goodpost.htm



  #6  
Old December 27th 05, 12:16 AM posted to microsoft.public.win98.gen_discussion

On Sun, 25 Dec 2005 23:46:42 -0600, "Brian A."
"glee" wrote in message


REDIR31 is part of the Magistr worm, IIRC.


No it isn't, it may be/is the redir32.exe renamed by the magistr or
another virus. What the Magistr does is rename a file or files and even
may move it. IIRC the original did it's dirty work in three steps


Those two are almost certainly Magistr; they will be infected copies
of REDIR32.EXE and RPCSS.EXE, respectively.

Magistr is a pure generic Win32PE infector; there is no stand-alone
pure malware "mothership" file. It finds and infects existing code
files, and adds entries to run some of these from the startup axis.

To protect these integrated infected files from being overwritten by a
re-installation of Windows, Magistr may decrement the last of the "8"
characters in the 8.3 name in a copy of the file; that's why you get
OUTLOOJ.EXE, SULFNBJ.EXE, WINHLP31.EXE and so on :-)

What Magistr does, is tricky, as it applies quite a bit of randomness
and/or logic to whatever it does. For example, it may send uninfected
code files as attachments, it infects code files in different ways so
that av scanners can sometimes miss the infection, etc.

Most interesting is the logic that triggers the destructive payload.
The virus attempts to determine whether the PC is used by someone in
the legal profession by searching for a long list of legal phrases.
Only if its criteria are met, will the destructive payload be hatched.

The payload illustrates the author's mindset, as before it runs the
CIH payload (which overwrites the first raw 1M of the HD before
attempting to trash the BIOS) it will overwrite data files with a
repeated rude phrase. Why do that, when the CIH overwriting payload
is going to destroy access to the data anyway? So that after a
recovery procedure to rebuild the file system, the contents of the
files will be garbage anyway.



---------- ----- ---- --- -- - - - -

Don't pay malware vendors - boycott Sony
---------- ----- ---- --- -- - - - -
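The 8.3-name trick described in the post above (REDIR32 becoming REDIR31, RPCSS becoming RPCSR, OUTLOOK becoming OUTLOOJ) can be turned into a quick triage check over a directory listing. The script below is an added example, not code from the original post or from any AV vendor: it builds the "last character decremented" variant of a list of known Win9x file names and flags any listing entry that matches, noting whether the original it mimics is also present. The list of known names, the sample listing, and the decision to refuse names whose last character cannot be decremented within 0-9/A-Z are assumptions made for the example; the post gives no rule for that case. This is a candidate list for the DOS-mode scanner, not a replacement for it.

```python
"""Flag 8.3 file names that look like Magistr-style decremented copies.

Example code (not from the original post). Heuristic only: a hit means
"hand this file to the DOS-mode AV scanner", not "this file is infected".
"""
import os
from typing import Dict, Iterable, List, Tuple

# Known legitimate Win9x 8.3 names mentioned in the thread (constructed
# starting list; extend it for a real scan).
KNOWN_NAMES = ["REDIR32.EXE", "RPCSS.EXE", "OUTLOOK.EXE", "SULFNBK.EXE",
               "WINHLP32.EXE", "CONAGENT.EXE"]


def decrement_name(name: str) -> str:
    """Return NAME with the last base-name character decremented by one.

    Only the part before the dot changes; the extension is kept. FAT names
    are case-insensitive, so everything is normalised to upper case.
    Raises ValueError for a last character of '0' or 'A' (assumption: the
    post gives no example of wrapping, so we refuse rather than guess).
    """
    base, dot, ext = name.upper().partition(".")
    if not base:
        raise ValueError(f"no base name in {name!r}")
    last = base[-1]
    if last in "0A" or not (last.isdigit() or "A" <= last <= "Z"):
        raise ValueError(f"cannot decrement {last!r} in {name!r}")
    return base[:-1] + chr(ord(last) - 1) + dot + ext


def suspect_name_map(known: Iterable[str]) -> Dict[str, str]:
    """Map each decremented variant back to the legitimate name it mimics."""
    variants: Dict[str, str] = {}
    for legit in known:
        try:
            variants[decrement_name(legit)] = legit.upper()
        except ValueError:
            continue
    return variants


def find_suspect_names(listing: Iterable[str],
                       known: Iterable[str] = KNOWN_NAMES
                       ) -> List[Tuple[str, str, bool]]:
    """Return (suspect, mimicked_original, original_also_present) tuples.

    The listing is a flat list of file names, so a DIR dump captured from
    the affected machine works as input just as well as os.listdir().
    """
    variants = suspect_name_map(known)
    names = {n.upper() for n in listing}
    hits = []
    for n in sorted(names):
        if n in variants:
            original = variants[n]
            hits.append((n, original, original in names))
    return hits


def scan_directory(path: str) -> List[Tuple[str, str, bool]]:
    """Convenience wrapper: run the heuristic over a real directory."""
    return find_suspect_names(os.listdir(path))


# Constructed sample listing resembling the poster's system: both the
# REDIR31/RPCSR copies and their legitimate originals are present.
SAMPLE_LISTING = ["COMMAND.COM", "REDIR32.EXE", "REDIR31.EXE", "RPCSS.EXE",
                  "rpcsr.exe", "OUTLOOK.EXE", "WINHLP32.EXE", "CONAGENT.EXE",
                  "README.TXT"]

if __name__ == "__main__":
    for suspect, original, both in find_suspect_names(SAMPLE_LISTING):
        note = "original still present" if both else "original missing"
        print(f"{suspect}: looks like a renamed copy of {original} ({note})")
```

The heuristic only knows about names you feed it; the value of keeping the original-present flag is that a decremented copy sitting beside its original is exactly the "copy, don't replace" behaviour the post describes, whereas a lone WINHLP31.EXE may just be an old help viewer.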

  #7  
Old December 27th 05, 12:27 AM posted to microsoft.public.win98.gen_discussion

On Mon, 26 Dec 2005 07:23:01 -0500, "glee"

...and how is that different than what I said? ;-)


You said the files ARE Magistr, which is incorrect; they CONTAIN
Magistr, which is slightly (but significantly) different.

Most modern malware exist as stand-alone files that are 100% malware,
with no original file content to be recovered. Some will generically
infect existing code files, while the bulk of the malware still
resides in a "mothership" malware as above.

Magistr is a true generic Win32PE code virus in that it exists only as
code within existing code files that it infects. Even when it creates
a new copy of such files, to send as email attachments and/or
integrate into the startup axis, these files still contain the
original code and appear to be the original code file when run.

That is why you should approach Magistr formally, rather than ****
around with Safe Mode, etc. You aren't dealing with the common
malware practice of loose pure malware files that rely on integration
linkage to run when Windows starts (and that Safe Mode will hopefully
bypass). Because Magistr resides *within* existing code, it's as
likely to be run in Safe Mode as it is to run in normal Windows.

The best tool for managing Magistr safely (formally) in Win9x systems,
is NOD32 for DOS, as run from a DOS mode boot. It doesn't have to be
all that up to date (obviously must be newer than Magistr.B); the
point is that this tool has a more complete detection rate than my
usual favorite for Win9x, F-Prot for DOS. No matter how up-to-date
F-Prot for DOS is, it always misses a few Magistr-infected files.

Note that because Magistr is a Win32PE infector, none of the files it
infects will run from DOS mode. So you don't have to run the DOS av
scanner from a diskette boot; you can boot the HD to DOS mode (where
Win32PE won't run) and run the DOS av scanner from there.



---------- ----- ---- --- -- - - - -

Don't pay malware vendors - boycott Sony
---------- ----- ---- --- -- - - - -
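The post above rests on one structural fact: a Win32 PE executable does not run under real-mode DOS, only its MZ stub does, so a DOS-mode boot leaves every Magistr-infected file inert while the scanner reads it. The classifier below is an added example, not code from the post or from NOD32/F-Prot. It reads the MZ header, follows e_lfanew to the "PE\0\0" signature and the COFF header, and reports whether a file is a plain DOS executable or a Win32 PE image (i.e. in scope for the DOS-mode scan). The two sample images are constructed byte strings, not real Windows files, and the field names follow the public PE/COFF layout; the function names are my own. It says nothing about infection, only about which files the DOS environment cannot execute.

```python
"""Classify an executable as plain DOS (MZ only) or Win32 PE.

Example code (not from the original post). Under real-mode DOS a PE image
only gets its MZ stub executed, which is why a DOS-mode AV scan of a
Win32PE infector is safe; this tells you which files fall in that class.
"""
import struct
from typing import Dict, Optional

MZ_HEADER_LEN = 64          # IMAGE_DOS_HEADER size
E_LFANEW_OFFSET = 0x3C      # offset of the 32-bit pointer to "PE\0\0"
PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_LEN = 20        # IMAGE_FILE_HEADER size
IMAGE_FILE_MACHINE_I386 = 0x014C


def classify(data: bytes) -> Dict[str, Optional[int]]:
    """Return {'kind': 'not-mz' | 'dos-mz' | 'win32-pe', 'machine', 'sections'}.

    'dos-mz' means the MZ stub is all there is: the file runs from DOS.
    'win32-pe' means a PE header follows the stub: DOS will only run the
    stub (typically "This program cannot be run in DOS mode").
    """
    result: Dict[str, Optional[int]] = {"kind": "not-mz", "machine": None,
                                        "sections": None}
    if len(data) < MZ_HEADER_LEN or data[:2] != b"MZ":
        return result
    result["kind"] = "dos-mz"
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    # A PE header cannot overlap the DOS header and must fit in the file.
    if e_lfanew < MZ_HEADER_LEN or e_lfanew + 4 + COFF_HEADER_LEN > len(data):
        return result
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return result
    machine, sections = struct.unpack_from("<HH", data, e_lfanew + 4)
    result.update(kind="win32-pe", machine=machine, sections=sections)
    return result


def classify_file(path: str) -> Dict[str, Optional[int]]:
    """Classify a file on disk; only the headers are needed, so read 4 KiB."""
    with open(path, "rb") as fh:
        return classify(fh.read(4096))


def build_dos_sample() -> bytes:
    """Constructed MZ-only image: DOS header with e_lfanew = 0, then code."""
    header = bytearray(MZ_HEADER_LEN)
    header[:2] = b"MZ"
    return bytes(header) + b"\xB4\x4C\xCD\x21"   # mov ah,4Ch; int 21h


def build_pe_sample() -> bytes:
    """Constructed minimal Win32 PE image: MZ stub, then PE + COFF header."""
    pe_offset = 0x80
    header = bytearray(pe_offset)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, E_LFANEW_OFFSET, pe_offset)
    stub = b"This program cannot be run in DOS mode.\r\n$"
    header[MZ_HEADER_LEN:MZ_HEADER_LEN + len(stub)] = stub
    coff = struct.pack("<HHIIIHH",
                       IMAGE_FILE_MACHINE_I386,  # Machine
                       3,                        # NumberOfSections
                       0, 0, 0,                  # timestamp, symtab, nsyms
                       0xE0,                     # SizeOfOptionalHeader
                       0x0102)                   # EXECUTABLE | 32BIT
    return bytes(header) + PE_SIGNATURE + coff


if __name__ == "__main__":
    for label, image in (("dos", build_dos_sample()), ("pe", build_pe_sample()),
                         ("text", b"not an executable")):
        print(label, classify(image))
```

The useful edge case is the bounds check on e_lfanew: a truncated or deliberately malformed header must fall back to "dos-mz" or "not-mz" rather than raise, because a triage script that crashes on the one odd file is a script that gets run with the odd file excluded.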

  #8  
Old December 27th 05, 01:59 AM posted to microsoft.public.win98.gen_discussion

Not to nit-pick, Chris, but since everyone else seems to be, I did not say the files
ARE Magistr, I said:
"REDIR31 is part of the Magistr worm, IIRC."
"Are" and "part of" the infection are *not* the same thing, in the version of
English I use, anyway. ;-)

In your own reply in this thread, you posted:
"Those two ARE (caps added) almost certainly Magistr; they will be infected copies
of REDIR32.EXE and RPCSS.EXE" It was you that used the word ARE. :-o

The infected copy of redir32.exe, which is redir31, IS (or may be) part of the
Magistr infection. I am well aware of the difference between a file which contains
(or may contain) a worm and a file which is the malware infector itself.

I also provided a link in my reply, which, if you scroll down to moderator Rollin'
Rog's posts there, gives some details on those files and their relationship to the
infection.

My reply was made on Christmas Eve, with company at my home, in an attempt to help a
poster in apparent need. Two days later, I am being taken to task over semantics,
and for apparently not spending more time away from my guests to do the research
that the OP can well do themselves with the info I originally provided. Sheesh!
--
Glen Ventura, MS MVP Shell/User, A+
http://dts-l.org/goodpost.htm




  #9  
Old December 27th 05, 08:32 PM posted to microsoft.public.win98.gen_discussion

Actually it was stated a little different. It just so happens to be the
way I read it, a human function that differs in all. Hope your Christmas
treated you well. Have a very Happy New Year.

--

Brian A. Sesko { MS MVP_Shell/User }
Conflicts start where information lacks.
http://basconotw.mvps.org/

Suggested posting do's/don'ts: http://www.dts-l.org/goodpost.htm
How to ask a question: http://support.microsoft.com/kb/555375





  #10  
Old December 27th 05, 08:44 PM posted to microsoft.public.win98.gen_discussion

I doubt it will affect his Christmas or New Year. The days in between are a WRECK now, though!


--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
should things get worse after this,
PCR

 






Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Copyright ©2004-2024 Win98banter.
The comments are property of their posters.