"Moo" Trojan First to Use "JPEG" Exploit

trafton wrote re: "Moo" Trojan First to Use "JPEG" Exploit

on 10-07-2004 4:28

ok first off i am new to this so am trying to explain as well as i can what happened to me.

I had the m00.exe trojan or whatever it was and these are the things I noticed it did before I hopefully got rid of it.

How I got it : downloaded a .jpg file on WinMX

noticed it first when I noticed excessive downloading ( I try to monitor my connection just in case )

went into msconfig and noticed a file set to start that normally isn't called microsoft.exe in the font directory

also opened Windows Task Manager and noticed microsoft.exe and m00.exe running

tried to manually delete the m00.exe files and the file I downloaded that was the source of mess
it would not let me delete them under normal circumstances I did notice the m00.exe and the .jpg file were all listed as 0kb
also whenever i positon my cursor over the .jpg in question it would close all window I had opened at the time
not sure what it was sending or where but would be happy to help with any logs if you care to tell me where to look and what to send

trafton wrote re: "Moo" Trojan First to Use "JPEG" Exploit

on 10-07-2004 5:12

well that wasn't all it has done

it appears it has copied itself into several folders now and i am unable to remove them either manually or with anti-virus software

any help would be greatly appreciated here

also now i cannot run the major mojority of my files every time i click something it says windows is unable to find it and to check that i have typed it in correctly etc.

i can no longer even open msconfig even if i go straight to where it is i get that same error

again any help would be greatly appreciated

trafton wrote re: "Moo" Trojan First to Use "JPEG" Exploit

on 10-07-2004 5:47

Just wanted to say all is well again :)

thank heavens I have been around comps since the days of Dos and know how to work with it

Just so you know I had to manually go in and remove everything pertaining to the m00.exe files using the F8 startup then safe mode getting rid of most of it then back in with F8 and command prompt to finish remocing it then a restore back a few days to get my links and all working again

well that is the short story anyway

Well Thanks anyway typing here actually helped me think things out and really remember why I dislike Windows so much even though it easier to use it can used against itself too easily :) a file that windows protects so you don't delete it even though it is the thing that is messing everything up. You have to love it and laugh or just break down and cry

well thanks again hope this little bit helps others out there

Should title it The Story of m00 and mE

trafton wrote re: "Moo" Trojan First to Use "JPEG" Exploit

on 12-17-2004 2:31

I caught m00.exe myself and once again it came in off a downloaded jpeg file and the first I noticed was when Norton Securitys Firewall kicked in when m00.exe was trying to connect to the internet.

I tried to block it and then found m00.exe in c:/drive

I then too found I couldn't manually remove it-Nortons Security then kicked in again to say a suspicious script was running and did I want to block which I immediately did.I then turned the pc offline and ended m00.exe running in task manager and found that I could then manually delete it along with part of a file it had also downloaded also called m00.

Although I ran Nortons Anti-virus over m00.exe and had all the latest definitions and auto protect on, the anti-virus didn't seem to recognise m00.exe as a trojan or a virus.

Some other effects of m00.exe I found were that after getting rid of it I could no longer access hotmail through Internet Explorer, all I would get after logging in to msn would be a completely blank page although hotmail was still accessable through Outlook Express and other browsers and I could still sign in to msn messenger. Going back to an earlier restore point prior to picking up m00.exe soon fixed this.

trafton wrote re: "Moo" Trojan First to Use "JPEG" Exploit

on 01-19-2005 9:25

I found the m00.exe in the C:/ drive too, and I just left cliked on it, and deleted it.
dunno how it got into my pc, but I know that before I deleted I use my kaspersky antivirus with the latest definitions and didn't recognise it...
so i hope this doesn't mess up my pc xD

trafton wrote re: "Moo" Trojan First to Use "JPEG" Exploit

on 01-19-2005 20:36

I came across a site, and immediately upon opening it, all Internet Explorer crashed and a dos window came up (winxp) and tried running m00.exe.

At this point, the program seemed to crash. An error box came up. I used taskmgr to kill the process. I then googled up to see what it was and found out that it's part of the JPEG trojan I heard about a while back.

I searched my hard drives, including my network mapped drives, and found a single instance of it on my c drive. It wouldn't right click-delete, so I used procexp.exe (process explorer), found the handle, removed the handle, and then proceeded into a cmd.exe to delete it manually at a prompt.

I also removed any occurrence of m00.exe in the registry for good measure. Hopefully it's gone, and hopefully it hasn't done any damage...

trafton wrote re: "Moo" Trojan First to Use "JPEG" Exploit

on 01-20-2005 5:19

asfierm.exe
asmadopew.dll
asploint.exe
assetfgi.dll
aswinln.exe
sipot.exe
vcsystem.exe

check if the m00.exe has created this ones, they are other trojan downloaders, so better keep an eye on them.

trafton wrote re: "Moo" Trojan First to Use "JPEG" Exploit

on 01-23-2005 5:03

I also found m00.exe on my system, except it was NAVCE 7.0 that found it and removed it for me. My definitions are 1/21/2005. I have no idea where it came from, as it was my daily 3 a.m. scan that found it.

trafton wrote buy codeine

on 02-16-2005 12:52

trafton wrote re: "Moo" Trojan First to Use "JPEG" Exploit

on 02-24-2005 17:51

I just got this from a jpeg, googled up m00.exe. Launched m00.exe and sys1000.exe. Right after I checked my MSconfig and it put itself in start up, I'm still trying to get rid of it as I'm typing it. Norton didn't find anything.

just found M00.EXE-1CA6E80B.pf in c drive

trafton wrote re: "Moo" Trojan First to Use "JPEG" Exploit

on 03-05-2005 20:56

I got the m00.exe just tonight, got 2 m00 files, 1 on my "desktop", and 1 in my "my documents". cant delete
i windows, and not in safemode, it dont have a prosess..
"hijack this" diddent find anything, nothing on NOD32.
and my firewall diddent notice that i got it.
allso tryed scanning with "webroot spy sweeper"
still nothing.
any ideas how i can get rid of this virus, ore where i might find the dude that made it? wanna have a chat with him.

trafton wrote re: "Moo" Trojan First to Use "JPEG" Exploit

on 03-08-2005 4:25

I got it too a cpl of times through surfing misc. sites :-O

After suddenly sensing a lot of "action" on my HD my BullGuard firewall alerted me of this thing wanting to change my registry. I expect this is where it will load itself on your next restart. I denied it and killed it through task-manager, but i did get a little sweatty as I thought i was safe with Antivirus and firewall (ok - in effect i was but i still have this sense of being "had" in the b...)

So keep your firewall alive allthough it's a hassle during normal activities !

trafton wrote re: "Moo" Trojan First to Use "JPEG" Exploit

on 03-20-2005 10:17

I got this last night. I was on a website that seemed to "hang" immediatedly after loading. Soon after, IE crashed and closed both of the windows that were up - one was on a different site that was uninfected. This was odd, but based on Windows/IE I just shrugged it off. But - then I noticed this "m00.exe" file on my desktop.

Apparently there's some sort of latency between when it is downloaded and when it runs, because I was able to quickly throw it in the recycle bin before it executed - then I emptied recycle bin. I've done searches and checked for the damage others have reported, but it's not there. Not exactly a fool-proof way to prevent this trojan, but apparently it worked.

trafton wrote re: "Moo" Trojan First to Use "JPEG" Exploit

on 03-24-2005 5:44

This morning I turned my computer on at which point it requested the win2k disc due to another program overwriting files needed for windows funtionality (something to that effect). Then a m00.exe file appeared on my desktop!

Avast 4.6 home didnt seem to recognise it as anything dangerous but after a google for the file I decided it was best deleted which was easy enough. I searched my drives for any other m00's and did a thorough scan with avast but nothing else...

The previous night I had been surfing around and hit a few webs generating pop ups that avast warned me about so I chose the 'abort connection' option. Perhaps that's why I got a relatively neuted (I hope) version of this m00 thing.

Hope I'm clean now :S

trafton wrote re: "Moo" Trojan First to Use "JPEG" Exploit

on 04-01-2005 18:00

Syndication

Recent Posts

Tags

Write-Ups

Security Blogs

Miscellaneous Blogs

Security Sites

Archives

Comments