powers (joined 2000-01-17, Australia)
I ran an .SHS file, should I worry?
Last night I ran a text file I had downloaded; it turned out to be a .SHS file. I later found two 0-byte files and a file called ~50F3.exe in Windows Temp (the same name as the original file; I did not run this one). I had the latest virus definitions loaded at the time (McAfee). I also have VBS scripting turned off. My OS is Win 95b; I use Netscape and Jammer, and I connect to the net through a Win98 computer running ICS, ZoneAlarm and Jammer. No alarms have shown up on either of these. I also can't find any changes to my system, and the three computers I have networked seem to be running OK. I wonder if someone could take a look at this program and find out what it was supposed to do. A zipped copy of the file is here: »members.optusnet.com.au/~powers_w/~50F3.zip
Warren
Sarah (Premium, ExMod 2002-05, joined 2001-01-09, Cambridge, MA):
Yes, .shs files can be malicious. Here is some more info:
»www.stiller.com/shs.htm
Not sure if yours was bad or not though.
Jason Levine (Premium, joined 2001-07-13, USA), reply to powers:
When a SHS file unloads its payload, it puts the files into the Windows temp folder and then automatically executes the files. So while you might not have executed the exe file, the SHS file did, and you might be infected. I'd do a complete virus scan and maybe even download a trojan scanner to check for trojans. Also, you might want to install Script Sentry to prevent SHS files from being accidentally run in the future.
-- -Jason Levine »www.jasons-toolbox.com/
xp9 (joined 2002-01-16), reply to powers:
I can tell you now, and be sure, that that is an Optix Lite trojan server!!
A quick run through a debugger shows the following:
Listening on port: 2458
Copied to: msnetcfg.exe (C:\Windows\OLEFiles probably!!)
Server password: 280963
ICQ number: 42466126
Start up: searches the registry and System.ini for the word RunProg
Restoration: Winstart.bat
It's also actively disabling your anti-viral and firewall products (have a list if you want it).
ICQ lookup shows someone called Melanie?!
Best way again is to connect to yourself and REMOVE the server that way! You can download the client from www.evileyesoftware.com
Need any more help or questions answering, just ask me.
xp
psalms 139 (Seeing The Glass As Half-Full, joined 2002-01-18), reply to powers:
Sarah, I just had a run-in around 2 weeks ago with a shs file that showed up on my desktop at start up. It was in text form and was linked to MS-DOS. You can still find my post about it here on the security forum. What I did was ask them all here about it, went to some links and decided in the end to rename it. But I had other problems from getting 4 viruses that same time, so I threw in the towel, and since 2 of the 4 got through, I chickened out and re-formatted. There are some that say that you can go in and do a quick view of the shs file, but I was too afraid to. Just renamed it. I had InoculateIT at the time as well as TauScan and they were not reporting any viruses/worms, yet I had that thing on my quick start menu! Unbelievable yet true; never had I had a virus in my life until 2 weeks ago! A friend of mine told me a few days ago that the Magistr.b and related viruses are spreading like wildfire right now; that's the report I got. Anyway, I will try and find some more info on SHS for you.
xp9 (joined 2002-01-16), reply to powers:
It's Optix Lite ... trust me.
The backed-up server that the Winstart.bat restores is C:\Windows\system\tapisvc.sys. If the server is removed, the backup is copied to the Start Menu\Programs\Startup\ folder so it will run instantly during the current Windows boot. Obviously this only works on 9x/ME OSes.
Also (s)he has set your username to be something offensive, so I shall not mention it here. They get notified like so:
Visitorþþþ þ3þSender IP: 127.0.0.1 Hello IP Addy(s): [127.0.0.1]Optix Lite is online. Port: 2458 Pwd: 280963
Where 127.0.0.1 is your real IP (or IPs if you have a network IP).
xp [text was edited by author 2002-01-23 09:19:05]
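Pulling xp9's indicators together, here is a small host-triage script (an added example, not code from the thread and not Optix Lite's own code). The indicator values it checks for (listener port 2458, the dropped name msnetcfg.exe, the RunProg marker in the registry and System.ini, Winstart.bat restoring C:\Windows\system\tapisvc.sys, a copy landing in the Startup folder, and the operator-notification text) come from xp9's two posts above; the sample artifacts are constructed, and the function names, the shape of the inputs, and the assumption that the Startup-folder copy keeps one of the two known stems are the example's own.

```python
"""Host triage for the Optix Lite indicators xp9 reports above.

Added example; this is not code from the thread and not Optix Lite's own code.
The indicator values come from xp9's posts; every sample artifact below is
CONSTRUCTED for the example, and the function names, the exact shape of the
inputs, and IOC_STARTUP_STEMS are assumptions.
"""
import re

IOC_PORT = 2458
IOC_DROPPED_EXE = "msnetcfg.exe"
IOC_STARTUP_MARKER = "runprog"                      # compared case-insensitively
IOC_BACKUP_COPY = r"c:\windows\system\tapisvc.sys"  # what Winstart.bat restores from
IOC_STARTUP_STEMS = ("msnetcfg", "tapisvc")         # ASSUMED names of the Startup-folder copy

# Operator notification quoted by xp9; the odd bytes in his paste are field
# separators in the binary, so only the readable labels are matched.
NOTIFY_RE = re.compile(
    r"Sender IP:\s*(?P<ip>[\d.]+).*?Optix Lite is online\.\s*"
    r"Port:\s*(?P<port>\d+)\s*Pwd:\s*(?P<pwd>\S+)",
    re.DOTALL,
)


def parse_notification(text):
    """Extract victim IP, listener port and server password from a captured beacon."""
    m = NOTIFY_RE.search(text)
    if m is None:
        return None
    return {"ip": m.group("ip"), "port": int(m.group("port")), "pwd": m.group("pwd")}


def triage(processes, listeners, system_ini, run_values, startup_dir, winstart_bat):
    """Return the names of the indicators that matched, in a fixed order.

    processes    -- image names of running processes
    listeners    -- set of TCP ports in LISTEN state
    system_ini   -- text of C:\\Windows\\System.ini
    run_values   -- {value name: command} from the Run keys
    startup_dir  -- file names in Start Menu\\Programs\\Startup
    winstart_bat -- text of C:\\Windows\\Winstart.bat ("" if absent)
    """
    hits = []
    if any(p.lower() == IOC_DROPPED_EXE for p in processes):
        hits.append("process:" + IOC_DROPPED_EXE)
    if IOC_PORT in listeners:
        hits.append("listener:%d" % IOC_PORT)
    if IOC_STARTUP_MARKER in system_ini.lower():
        hits.append("system.ini:RunProg")
    if any(IOC_STARTUP_MARKER in (name + " " + cmd).lower()
           for name, cmd in run_values.items()):
        hits.append("registry:RunProg")
    if IOC_BACKUP_COPY in winstart_bat.lower():
        hits.append("winstart.bat:restores tapisvc.sys")
    if any(f.lower().split(".")[0] in IOC_STARTUP_STEMS for f in startup_dir):
        hits.append("startup folder:server copy")
    return hits


# --- constructed sample artifacts (not real data from the thread) ---
SAMPLE_PROCESSES = ["Explorer.exe", "Jammer.exe", "Netscape.exe", "MSNETCFG.EXE"]
SAMPLE_LISTENERS = {139, 2458}
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe\nRunProg=C:\\Windows\\OLEFiles\\msnetcfg.exe\n"
SAMPLE_RUN_VALUES = {
    "ScanRegistry": "C:\\WINDOWS\\scanregw.exe /autorun",
    "RunProg": "C:\\Windows\\OLEFiles\\msnetcfg.exe",
}
SAMPLE_STARTUP_DIR = ["Microsoft Office Shortcut Bar.lnk"]
SAMPLE_WINSTART = (
    "@echo off\n"
    "copy C:\\Windows\\system\\tapisvc.sys C:\\Windows\\OLEFiles\\msnetcfg.exe\n"
)
SAMPLE_NOTIFY = ("Sender IP: 127.0.0.1 Hello IP Addy(s): [127.0.0.1]"
                 "Optix Lite is online. Port: 2458 Pwd: 280963")

if __name__ == "__main__":
    for hit in triage(SAMPLE_PROCESSES, SAMPLE_LISTENERS, SAMPLE_SYSTEM_INI,
                      SAMPLE_RUN_VALUES, SAMPLE_STARTUP_DIR, SAMPLE_WINSTART):
        print("HIT", hit)
    print("beacon:", parse_notification(SAMPLE_NOTIFY))
```

On a real 9x box the inputs would come from a task list, netstat, the two text files and a registry export; the point of keeping them as plain arguments is that the same checks can be re-run against a second machine's dump without touching it live.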
psalms 139 (Seeing The Glass As Half-Full, joined 2002-01-18), reply to powers:
Here is a link to my post on the scrap.shs file I got... PS: sorry about replying to Sarah in my previous reply. I am getting the hang of this, slowly.
»Please explain ports 22 and also what is shhhh?
Mcrobrewer (Premium, joined 2001-03-04, Trenton, NJ), reply to xp9:
I agree with xp..... Optix Lite.... both McAfee and TDS-3 caught it....
Sadly The Cleaner... another anti-trojan program I run, did not catch it....
Did anyone try to ID it with NAV 2001 or 2002?
I wonder why The Cleaner did not find it... the trojan is listed in their database?
-- The only thing that stands between us and the animals is a really good beer [DSLR]Mcrobrewer---DSLR UT Clan Admin
xp9 (joined 2002-01-16), reply to powers:
I should really start using an AV ... heh, not likely; each to their own though. Never used an AV, and I never will. Now. Optix Lite is written in Delphi 5 and comes "unpacked"; all the user has to do is edit the file, then pack (runtime compress) it using one of the many packers available freely on the net. This is also the newest version of the server (0.4b). As I said, the server disables a LOT of AVs and firewalls, so here is a list of all those I have found so far ... please forgive the length.
sharedaccess vsmon minilog SVW3 BlackICE NISUM NISSERV ZONEALARM.EXE ZAPRO.EXE MINILOG.EXE VSMON.EXE BLACKD.EXE BLACKICE.EXE NISUM.EXE NISSERV.EXE NMAIN.EXE IAMAPP.EXE IAMSERV.EXE FRW.EXE PERSFW.EXE LOCKDOWN.EXE LOCKDOWN2000.EXE SPHINX.EXE NPROTECT.EXE NDD32.EXE SMC.EXE NETUTILS.EXE LDNETMON.EXE PORTMONITOR.EXE CONNECTIONMONITOR.EXE navapsvc NAV Auto-Protect SymProxySvc.exe SweepNet SWEEPSRV.SYS McShield AvSynMgr AvgServ _AVP32.EXE _AVPCC.EXE _AVPM.EXE AVPCC.EXE AVPM.EXE AVP.EXE AVP32.EXE NAVAPW32.EXE RTVSCN95.EXE DEFWATCH.EXE VPC32.EXE VPTRAY.EXE POPROXY.EXE NAVAPSVC.EXE ALERTSVC.EXE NAVLU32.EXE NAVW32.EXE LUALL.EXE SWNETSUP.EXE ICLOAD95.EXE ICMON.EXE ICSUPP95.EXE ICLOADNT.EXE ICSUPPNT.EXE IFACE.EXE ADVXDWIN.EXE ANTS.EXE ANTI-TROJAN.EXE WRCTRL.EXE WRADMIN.EXE CLEANER3.EXE CLEANER.EXE TC.EXE TCA.EXE TCM.EXE MOOLIVE.EXE MGAVRTCL.EXE MGAVRTE.EXE MCSHIELD.EXE VSHWIN32.EXE VSMAIN.EXE SCAN32.EXE SCRSCAN.EXE ALOGSERV.EXE VSECOMR.EXE WEBSCANX.EXE AVCONSOL.EXE VSSTAT.EXE MCTOOL.EXE AVXW.EXE AVXMONITORNT.EXE AVXMONITOR9X.EXE AVXQUAR.EXE.EXE AMON9X.EXE AVGSERV.EXE AVGW.EXE AVGCC32.EXE IOMON98.EXE WEBTRAP.EXE PCCWIN98.EXE PCCIOMON.EXE POP3TRAP.EXE TDS-3.EXE SS3EDIT.EXE DOORS.EXE JEDI.EXE MONITOR.EXE RAV7WIN.EXE RAV7.EXE SWEEP95.EXE MCAGENT.EXE MCUPDATE.EXE CLAW95.EXE CLAW95CF.EXE NORMIST.EXE NVC95.EXE VET95.EXE VETTRAY.EXE AUTODOWN.EXE RESCUE.EXE AVKSERV.EXE ACKWIN32.EXE DVP95.EXE DVP95_0.EXE F-AGNT95.EXE F-PROT95.EXE EXPERT.EXE FP-WIN.EXE F-STOPW.EXE VIR-HELP.EXE F-PROT.EXE SPYXX.EXE ATWATCH.EXE ATUPDATER.EXE ATCON.EXE PVIEW95.EXE WGFE95.EXE AVGCTRL.EXE LDPROMENU.EXE LDSCAN.EXE GENERICS.EXE PROCESSMONITOR.EXE PROGRAMAUDITOR.EXE AVSYNMGR.EXE GUARD.EXE TFAK.EXE LUCOMSERVER.EXE WIMMUN32.EXE AutoTrace.exe NWService.exe NTXconfig.exe NeoWatchLog.exe NSCHED32.EXE WATCHDOG.EXE ISRV95.EXE REALMON.EXE
Also there is a variable here so the user can add their own process to kill.
xp
davidovv (joined 2001-06-19, Netherlands):
Nice diagnostics, xp.
regards.
paul
»www.wilders.org security
Mcrobrewer (Premium, joined 2001-03-04, Trenton, NJ), reply to xp9:
Hey xp... question... does it just disable the FW/AV by 'seeing' the name, or by some other method? What if I was to change the ZoneAlarm exe file name?
-- The only thing that stands between us and the animals is a really good beer [DSLR]Mcrobrewer---DSLR UT Clan Admin
xp9 (joined 2002-01-16), reply to powers:
Yeah, it just uses the process handles / EXE names. If you can rename your ZoneAlarm without it giving you any errors then I'd advise you do so. However, if you are going to change it, make sure you change it completely, to say Blah.exe rather than 1ZoneAlarm.exe, as that's easily bypassed by putting the EXE name into a string and concatenating it to get the filename. Also, if you rename it you must rename the startup keys in your registry, otherwise when it comes to rebooting it will not start and you may forget about it.
xp
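To make xp9's two points concrete (a partial rename like 1ZoneAlarm.exe is still caught by a name match, and a full rename leaves a Run entry pointing at a file that no longer exists), here is an added example; it is not from the thread and not Optix Lite's own code. The page does not show how the server actually compares names, so the substring matcher below is the assumed behaviour xp9 describes, modelled beside an exact matcher for contrast; KILL_LIST is a short excerpt of his list, and the Run-value samples and the helper names are constructed for the example.

```python
"""Process-name kill lists and the rename-plus-fix-startup procedure.

Added example, not from the thread. The substring matcher is the ASSUMED
attacker behaviour xp9 warns about; the exact matcher is there for contrast.
KILL_LIST is an excerpt of xp9's list. Sample Run values and file names are
constructed.
"""
import re

KILL_LIST = ["ZONEALARM.EXE", "VSMON.EXE", "MINILOG.EXE", "BLACKICE.EXE",
             "NAVW32.EXE", "TDS-3.EXE", "CLEANER.EXE"]


def _norm(name):
    return name.strip().lower()


def exact_match_targets(running, kill_list=KILL_LIST):
    """Processes that die if the server compares whole image names."""
    kills = {_norm(k) for k in kill_list}
    return [p for p in running if _norm(p) in kills]


def substring_match_targets(running, kill_list=KILL_LIST):
    """Processes that die if any kill-list name appears anywhere in the image
    name (the 'put the EXE name in a string and concatenate' check xp9 describes;
    assumed behaviour)."""
    kills = [_norm(k) for k in kill_list]
    return [p for p in running if any(k in _norm(p) for k in kills)]


def rename_survives(new_name, kill_list=KILL_LIST):
    """True if a renamed firewall/AV binary would escape the substring check."""
    return not substring_match_targets([new_name], kill_list)


# First token of a Run-key command, with or without surrounding quotes.
_EXE_RE = re.compile(r'^"?([^"]+?\.exe)', re.IGNORECASE)


def stale_startup_entries(run_values, existing_files):
    """Run-key value names whose command points at a file that is not on disk,
    i.e. what you are left with after renaming the exe but not the Run key."""
    have = {_norm(f) for f in existing_files}
    stale = []
    for value_name, command in run_values.items():
        m = _EXE_RE.match(command.strip())
        if m and _norm(m.group(1)) not in have:
            stale.append(value_name)
    return stale


def update_run_values(run_values, old_path, new_path):
    """Return a copy of the Run values with old_path rewritten to new_path."""
    pattern = re.compile(re.escape(old_path), re.IGNORECASE)
    return {k: pattern.sub(lambda _m: new_path, v) for k, v in run_values.items()}


# --- constructed samples (not real data from the thread) ---
RUNNING = ["Explorer.exe", "1ZoneAlarm.exe", "vsmon.exe", "Blah.exe", "Jammer.exe"]
RUN_VALUES = {
    "Zone Labs Client": "C:\\ZONEALARM\\ZoneAlarm.exe",
    "Jammer": '"C:\\Program Files\\Jammer\\Jammer.exe" /min',
}
# What is on disk after renaming ZoneAlarm.exe to Blah.exe.
FILES_AFTER_RENAME = ["C:\\ZONEALARM\\Blah.exe", "C:\\Program Files\\Jammer\\Jammer.exe"]

if __name__ == "__main__":
    print("exact match kills:    ", exact_match_targets(RUNNING))
    print("substring match kills:", substring_match_targets(RUNNING))
    print("stale Run entries:    ", stale_startup_entries(RUN_VALUES, FILES_AFTER_RENAME))
    fixed = update_run_values(RUN_VALUES, "C:\\ZONEALARM\\ZoneAlarm.exe", "C:\\ZONEALARM\\Blah.exe")
    print("after fixing Run key: ", stale_startup_entries(fixed, FILES_AFTER_RENAME))
```

The stale-entry check is the part worth keeping around: run it after any such rename, against the Run keys and the Startup folder, so the "it will not start and you may forget about it" case is caught before the next reboot rather than after.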
davidovv (joined 2001-06-19, Netherlands), reply to Mcrobrewer:
Mcrobrewer,
In principle, renaming an .exe file should do the trick. Problem is, renaming very often will cause conflicts - if accepted at all.
regards.
paul
»www.wilders.org security
davidovv (joined 2001-06-19, Netherlands), reply to xp9:
beat me within a minute or so, xp
regards.
paul
»www.wilders.org security
xp9 (joined 2002-01-16), reply to powers:
heh. Was a close race though.
New Years$ (joined 2001-12-20):
You two are so fun to watch in ACTION.
powers (joined 2000-01-17, Australia), reply to xp9:
Sorry I have taken so long to get back to everyone. I downloaded and ran TrojanHunter; it found the file I had uploaded to my web site. While it was running, McAfee found a virus in win/temp. That wasn't there yesterday. Now doing a full scan again.
xp, just what can the user at the other end see or do on my computer?
Warren
xp9 (joined 2002-01-16), reply to powers:
Sorry ... I should have mentioned this before. They can upload and execute ANYTHING on your computer. This means they can upload bigger and more fully functioned trojans such as SubSeven and Bionet, which basically have FULL control over your machine. Optix Lite also has a small task manager by the looks of things, meaning they can see every application running on your computer and terminate any of them (stop them running). It's the uploading and executing you have to worry about most though, as once they can do this your machine is wide open to them.
xp
powers (joined 2000-01-17, Australia):
I did some online banking today; would they have been able to see any of the passwords or credit card numbers I used? What about my dialup passwords?
Warren
xp9 (joined 2002-01-16), reply to powers:
If they have uploaded another trojan then the answer is YES, they would have been able to see. Even if they didn't, I suggest you get your password changed NOW! Dial-up passwords are easy to rip, but again, they would have needed another trojan to do this.
xp