#1
MS DOS REDIR31 and RPCSR
I have been playing around with a Windows 98 machine and recently installed a NIC card. Now every time I boot an MS DOS window pops up on the screen and will not go away. The first window is a REDIR31 and then it goes to an RPCSR window that stays open during the entire session. Another strange occurrence that I can't seem to figure out is that it says Windows 98 is now booting for the first time. This did not happen prior to the installation of the NIC card. Is there anything I can do to stop this process from running upon boot up, and why would my boot up screen allude to a first time run every time? The executable file for this is conagent.exe. It seems to have affected my system performance as well. I have read some information that alluded to the Gaobot Trojan associated with this file. I do know that this executable file was part of the 98 start up disk. However I'm unsure about exactly what it does. Can you help?
#2
REDIR31 is part of the Magistr worm, IIRC.

looking, looking ..... here: http://forums.techguy.org:80/securit...n-startup.html
--
Glen Ventura, MS MVP Shell/User, A+
http://dts-l.org/goodpost.htm

"misssaigon" wrote in message ...
#3
"glee" wrote in message ...
> REDIR31 is part of the Magistr worm, IIRC.

No it isn't; it may be/is the redir32.exe renamed by the Magistr or another virus. What the Magistr does is rename a file or files and may even move it. IIRC the original did its dirty work in three steps on a time frame:
First it overwrites file/s and waits a set amount of days.
Second, the icons on the desktop move away from the cursor so they can't be clicked.
After another set amount of days the third and "final" payload kicks in, which either or all overwrites the HD, erases the CMOS and flashes the BIOS.

It also propagates via email to everyone in the user's address book.

OK, the above isn't 100% in order and the info on the first of 2 Magistrs is:
--
Brian A. Sesko { MS MVP_Shell/User }
Conflicts start where information lacks.
http://basconotw.mvps.org/
Suggested posting do's/don'ts: http://www.dts-l.org/goodpost.htm
How to ask a question: http://support.microsoft.com/kb/555375
#4
Can you boot to Safe Mode? By either:
Just after boot, where you see the POST screen and memory count, press/hold down the CTRL key until you get the boot menu, where you can then select Safe Mode;
or continually tap the F8 key until the boot menu appears;
or press/tap F5 to boot straight to Safe Mode.
--
Brian A. Sesko { MS MVP_Shell/User }
Conflicts start where information lacks.
http://basconotw.mvps.org/
Suggested posting do's/don'ts: http://www.dts-l.org/goodpost.htm
How to ask a question: http://support.microsoft.com/kb/555375

"misssaigon" wrote in message ...
#5
....and how is that different than what I said? ;-)

Magistr renames the legit file redir32 to redir31. The message involving REDIR31 is a sign of a Magistr infection, as I thought I stated.

Merry Christmas!
--
Glen Ventura, MS MVP Shell/User, A+
http://dts-l.org/goodpost.htm

"Brian A." gonefish'n@afarawaylake wrote in message ...
#6
On Sun, 25 Dec 2005 23:46:42 -0600, "Brian A."
> "glee" wrote in message
>> REDIR31 is part of the Magistr worm, IIRC.
> No it isn't, it may be/is the redir32.exe renamed by the Magistr or another virus. What the Magistr does is rename a file or files and may even move it. IIRC the original did its dirty work in three steps

Those two are almost certainly Magistr; they will be infected copies of REDIR32.EXE and RPCSS.EXE, respectively.

Magistr is a pure generic Win32PE infector; there is no stand-alone pure malware "mothership" file. It finds and infects existing code files, and adds entries to run some of these from the startup axis. To protect these integrated infected files from being overwritten by a re-installation of Windows, Magistr may decrement the last of the "8" characters in the 8.3 name in a copy of the file; that's why you get OUTLOOJ.EXE, SULFNBJ.EXE, WINHLP31.EXE and so on :-)

What Magistr does is tricky, as it applies quite a bit of randomness and/or logic to whatever it does. For example, it may send uninfected code files as attachments, it infects code files in different ways so that av scanners can sometimes miss the infection, etc.

Most interesting is the logic that triggers the destructive payload. The virus attempts to determine whether the PC is used by someone in the legal profession by searching for a long list of legal phrases. Only if its criteria are met will the destructive payload be hatched.

The payload illustrates the author's mindset, as before it runs the CIH payload (which overwrites the first raw 1M of the HD before attempting to trash the BIOS) it will overwrite data files with a repeated rude phrase. Why do that, when the CIH overwriting payload is going to destroy access to the data anyway? So that after a recovery procedure to rebuild the file system, the contents of the files will be garbage anyway.

---------- ----- ---- --- -- - - - -
Don't pay malware vendors - boycott Sony
---------- ----- ---- --- -- - - - -
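The 8.3 renaming trick described in the post above (REDIR32 becoming REDIR31, RPCSS becoming RPCSR, OUTLOOK becoming OUTLOOJ), turned into a defender's check as an added example; this is not code from the thread or from any poster. The list of known system executables and the directory listing are constructed for the example; a hit is a lead for the formal DOS-mode scan the thread recommends, not proof of infection.

```python
"""Flag directory entries whose 8.3 base name is a 'decremented twin' of a
known Windows 9x system executable, the copy-naming trick described in the
thread (REDIR32.EXE -> REDIR31.EXE, RPCSS.EXE -> RPCSR.EXE, OUTLOOK.EXE ->
OUTLOOJ.EXE, SULFNBK.EXE -> SULFNBJ.EXE, WINHLP32.EXE -> WINHLP31.EXE).
Added example, not a poster's code; the baseline and listing are constructed."""
import string

# Legitimate Win9x executables named in the thread (constructed baseline;
# extend with your own known-good inventory).
KNOWN_SYSTEM_FILES = {
    "REDIR32.EXE", "RPCSS.EXE", "OUTLOOK.EXE", "SULFNBK.EXE", "WINHLP32.EXE",
}

# Characters a decremented 8.3 base name may end with; stepping below '0'
# or 'A' leaves the range, so such names are not valid twins.
ALNUM = set(string.digits + string.ascii_uppercase)


def decremented_name(name):
    """Return NAME with the last character of its base name decremented by one
    (upper-cased, 8.3 style), or None when there is no base name or the
    decrement would fall outside 0-9/A-Z (e.g. a base ending in '0' or 'A')."""
    base, dot, ext = name.upper().partition(".")
    if not base:
        return None
    prev = chr(ord(base[-1]) - 1)
    if prev not in ALNUM:
        return None
    return base[:-1] + prev + dot + ext


def suspicious_copies(listing):
    """Given one directory's file names, return sorted (suspect, original) pairs
    where SUSPECT is the decremented twin of a known system file name."""
    present = {n.upper() for n in listing}
    hits = []
    for original in sorted(KNOWN_SYSTEM_FILES):
        twin = decremented_name(original)
        if twin and twin in present:
            hits.append((twin, original))
    return hits


# Constructed sample listing standing in for C:\WINDOWS and C:\WINDOWS\SYSTEM.
SAMPLE_LISTING = [
    "explorer.exe", "REDIR32.EXE", "redir31.exe", "RPCSS.EXE", "rpcsr.exe",
    "SULFNBK.EXE", "OUTLOOJ.EXE", "WINHLP32.EXE", "CONAGENT.EXE",
]

if __name__ == "__main__":
    for suspect, original in suspicious_copies(SAMPLE_LISTING):
        print(f"{suspect}: decremented copy of {original}")
```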
#7
On Mon, 26 Dec 2005 07:23:01 -0500, "glee"
> ...and how is that different than what I said? ;-)

You said the files ARE Magistr, which is incorrect; they CONTAIN Magistr, which is slightly (but significantly) different.

Most modern malware exist as stand-alone files that are 100% malware, with no original file content to be recovered. Some will generically infect existing code files, while the bulk of the malware still resides in a "mothership" malware as above.

Magistr is a true generic Win32PE code virus in that it exists only as code within existing code files that it infects. Even when it creates a new copy of such files, to send as email attachments and/or integrate into the startup axis, these files still contain the original code and appear to be the original code file when run.

That is why you should approach Magistr formally, rather than **** around with Safe Mode, etc. You aren't dealing with the common malware practice of loose pure malware files that rely on integration linkage to run when Windows starts (and that Safe Mode will hopefully bypass). Because Magistr resides *within* existing code, it's as likely to be run in Safe Mode as it is to run in normal Windows.

The best tool for managing Magistr safely (formally) in Win9x systems is NOD32 for DOS, as run from a DOS mode boot. It doesn't have to be all that up to date (obviously it must be newer than Magistr.B); the point is that this tool has a more complete detection rate than my usual favorite for Win9x, F-Prot for DOS. No matter how up-to-date F-Prot for DOS is, it always misses a few Magistr-infected files.

Note that because Magistr is a Win32PE infector, none of the files it infects will run from DOS mode. So you don't have to run the DOS av scanner from a diskette boot; you can boot the HD to DOS mode (where Win32PE won't run) and run the DOS av scanner from there.

---------- ----- ---- --- -- - - - -
Don't pay malware vendors - boycott Sony
---------- ----- ---- --- -- - - - -
#8
Not to nit-pick, Chris, but since everyone else seems to be, I did not say the files ARE Magistr, I said: "REDIR31 is part of the Magistr worm, IIRC." "Are" and "part of" the infection are *not* the same thing, in the version of English I use, anyway. ;-)

In your own reply in this thread, you posted: "Those two ARE (caps added) almost certainly Magistr; they will be infected copies of REDIR32.EXE and RPCSS.EXE". It was you that used the word ARE. :-o

The infected copy of redir32.exe, which is redir31, IS (or may be) part of the Magistr infection. I am well aware of the difference between a file which contains (or may contain) a worm and a file which is the malware infector itself. I also provided a link in my reply which, if you scroll down to moderator Rollin' Rog's posts there, gives some details on those files and their relationship to the infection.

My reply was made on Christmas Eve, with company at my home, in an attempt to help a poster in apparent need. Two days later, I am being taken to task over semantics, and for apparently not spending more time away from my guests to do the research that the OP can well do themselves with the info I originally provided. Sheesh!
--
Glen Ventura, MS MVP Shell/User, A+
http://dts-l.org/goodpost.htm

"cquirke (MVP Windows shell/user)" wrote in message ...
#9
Actually it was stated a little differently. It just so happens to be the way I read it, a human function that differs in all. Hope your Christmas treated you well. Have a very Happy New Year.
--
Brian A. Sesko { MS MVP_Shell/User }
Conflicts start where information lacks.
http://basconotw.mvps.org/
Suggested posting do's/don'ts: http://www.dts-l.org/goodpost.htm
How to ask a question: http://support.microsoft.com/kb/555375

"glee" wrote in message ...
#10
I doubt it will affect his Christmas or New Year. The days in between are a WRECK now, though!
--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
should things get worse after this,
PCR

"Brian A." gonefish'n@afarawaylake wrote in message ...