Kitz ADSL Broadband Information
Topic: Trojan Found

jazz

Trojan Found
« on: June 01, 2007, 11:35:58 AM »

Hi - don't know if anyone can offer advice on this but here goes....

I am running Windows XP Home Edition

I ran my Avast! AV prog (free version) this morning - a job I do every Friday.

It is reporting a Trojan found in file name C:\WINDOWS\MEMORY.DMP

The malware name is Win32:Agent-BHA which is reported to be a Trojan.  After Googling it the only reference I can find is on a Spanish website and I didn't find it very helpful.

The Avast! program recommends moving the file to the Virus Chest as the preferred course of action but then reports that there is insufficient room for the file on disk.  The other option is to Delete but this would delete the entire file and not just remove the Trojan.  I have assumed that this would be undesirable!!

The malware is not detected by Spybot or by Adaware.  I have also visited Trendmicro Housecall but their scan did not pick up any virus or malware on my computer.

I'm not very technically minded but can follow any instructions pretty well.  Any ideas or suggestions for what I should do next?? :-\

kitz

Re: Trojan Found
« Reply #1 on: June 01, 2007, 01:16:20 PM »

I've also been doing a Google search and I find it very strange that nothing comes up under this name - even on the Avast site... and the fact that no other scanner is picking this up.

--------

Memory dumps are normally written if your PC unexpectedly stops due to an error.  They don't really have any info in them that is intelligible to us mere mortals and are normally for debugging system problems etc. Depending upon the type of dump they can be quite large.

MS help has this to say
Quote

Choosing recovery actions if Windows stops unexpectedly

Using Startup and Recovery in System in Control Panel, you can configure Windows to do the following when a severe error (called a Stop error or Fatal system error) occurs:

- Write an event to the system log.
- Alert administrators.
- Dump system memory to a file that advanced users can use for debugging.
- Automatically restart the computer.
 
The dump of system memory to a log file can be valuable for debugging the cause of the Stop error. If you contact your technical support representatives about the error, they might ask for the log file. Note that Windows writes the log file to the same file name (Memory.dmp, by default) each time a Stop error occurs.


If your system is running fine and you don't have any problems then it should be safe to delete the whole file. Out of curiosity, when was the file generated?

Because the file is so large it's likely that your system is set to do a complete memory dump.  Mine is set as per the screen cap below (which is the XP default).  The only dumps that I have go back to a couple of years ago, to a time when I was having probs with my graphics card overheating and the system kept shutting down unexpectedly.

There's some good info on dump files here which may help you decide if you want to delete the whole file.
http://www.networkworld.com/news/2005/041105-windows-crash.html
« Last Edit: June 01, 2007, 03:10:49 PM by kitz »
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

jazz

Re: Trojan Found
« Reply #2 on: June 01, 2007, 03:19:30 PM »

Thanks for your reply Kitz. 

The file is 522,416KB in size which is why it won't fit in the virus chest.  It was created at 1340hrs on 31 May 2007.  I was reading The Register at the time (www.theregister.co.uk) and clicked a link to a news story about the Independent newspaper website being hacked - I never got to the news item as Windows then interrupted the browsing session with a notification that it was going to close down.  It suggested that if I had installed new software or drivers that I should remove these after rebooting.  I had not installed anything for several weeks and when I rebooted all worked fine and the computer sent an error report to Microsoft.  With hindsight I presume that this was when the trojan installed itself (though I have Avast on permanent realtime scan).

I am contemplating deleting the file to the recycle bin (which Avast offers as an option) and then see how the system works.  If it is ok over the following few days then I presume it should be ok to delete it permanently from  the computer?

Thanks for your linky - I'll have a look at that.  I'll keep researching what this is before taking any action but obviously I don't want the thing doing any harm to my system or moving on to harm other people.

jazz

Re: Trojan Found
« Reply #3 on: June 01, 2007, 05:17:59 PM »

Just a quick update.....I found information on the www.ca.com website which appears to identify the trojan as Win/SillyDI.CVE also known as Troj/Agent-BHA (Sophos) or Win32.Agent.gj (Kaspersky).  However the site also indicates that the trojan is normally installed via Internet Explorer exploits, though I use Opera (and occasionally Firefox) and have all my OS security, AV, and Firewall up to date.

Anyway, if I find out nothing more I shall delete the offending file to the Recycle Bin in the morning and see if the computer pines for the Windows.DMP file before deleting it altogether early next week!  I'll let you know how I get on :'(

By the way Kitz......how do you get to that Startup and Recovery Window that you show in your posting??
« Last Edit: June 01, 2007, 05:19:31 PM by jazz »

kitz

Re: Trojan Found
« Reply #4 on: June 02, 2007, 11:04:50 AM »

Thanks for those links I'll have a read later.. :)

Just wanted to quickly answer

>> how do you get to that Startup and Recovery Window that you show in your posting??

Control Panel >>
System >>
"Advanced" Tab >>

At the bottom under "Startup and recovery" - Click the "Settings" Button - which will open a new window as per the image.


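Added example, not from the thread or from any poster: a PowerShell script that reads the same Startup and Recovery settings the dialog described above edits (Windows stores them under the CrashControl registry key) and reports on the existing dump file, so you can see which dump type is configured and when the last Stop error wrote the file. It assumes PowerShell is installed (it is not part of a default XP install) and is run from an Administrator account.

```powershell
# Added example, not from the thread. Reads the Startup and Recovery settings
# that Control Panel > System > Advanced > Startup and Recovery > Settings edits.
# Assumes PowerShell is installed and this runs as Administrator.

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$cc  = Get-ItemProperty -Path $key

# CrashDumpEnabled is the "Write debugging information" drop-down:
# 0 = none, 1 = complete memory dump, 2 = kernel memory dump, 3 = small (64 KB).
$dumpTypes = @{ 0 = '(none)'; 1 = 'Complete memory dump'; 2 = 'Kernel memory dump'; 3 = 'Small memory dump (64 KB)' }
$type = $dumpTypes[[int]$cc.CrashDumpEnabled]
if (-not $type) { $type = "unknown ($($cc.CrashDumpEnabled))" }

# DumpFile is stored as %SystemRoot%\MEMORY.DMP by default; expand it as Windows would.
$dumpFile = [Environment]::ExpandEnvironmentVariables($cc.DumpFile)

"Write debugging information : $type"
"Dump file                   : $dumpFile"
"Write an event to system log: $([bool]$cc.LogEvent)"
"Send an administrative alert: $([bool]$cc.SendAlert)"
"Automatically restart       : $([bool]$cc.AutoReboot)"
"Overwrite any existing file : $([bool]$cc.Overwrite)"

# The file's timestamp is when the last Stop error happened, and its size tells
# you which dump type was in use: a complete dump is roughly the size of
# physical RAM, a small dump is 64 KB.
if (Test-Path $dumpFile) {
    $f = Get-Item $dumpFile
    "Existing dump: {0:N0} KB, written {1}" -f ($f.Length / 1KB), $f.LastWriteTime
    $ramMB = (Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1MB
    if (($f.Length / 1MB) -gt ($ramMB * 0.5)) {
        "  -> size is comparable to physical RAM ({0:N0} MB): this is a complete memory dump" -f $ramMB
    }
} else {
    "No dump file present at $dumpFile"
}
```

If the reported type is "Complete memory dump", the same dialog (or setting CrashDumpEnabled to 3) switches it to the 64 KB small dump that the thread settles on.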

jazz

Re: Trojan Found
« Reply #5 on: June 02, 2007, 01:56:58 PM »

Thanks for your help and advice Kitz.  I have now removed the trojan.  8)

For the benefit of others who may have the same problem I proceeded as follows:-

With my router disconnected I ran Avast! and located the file containing the trojan (your explanation of the purpose and probable content of a windows\memory.dmp file was invaluable in giving me the reassurance I needed to proceed!).  I got Avast! to delete the file to the Recycle Bin then switched off and restarted my computer (still with the router disconnected).  I then checked that all my programs that did not need internet access would still operate ok and that the computer seemed to be acting normally without the file that was in the Recycle Bin.

I then switched off the computer, switched on the router and started the computer again and checked that I could access the internet ok.  Once I had confirmed that it was alright I went to the router main page and disconnected.  I then emptied the Recycle Bin and ran Avast! once more to check that the trojan was no longer anywhere on my system.  Once that was complete I switched on the router and rebooted the computer.

This may have been a bit "belt and braces" for the techies out there but I felt happier doing the whole thing with the minimum of connection to the net.  Anyway, I'm now going to access the Startup and Recovery page (thanks for the directions Kitz) and reset the memory dump as you suggest to make things easier in the future.

I've learned a few more things about my computer from this incident and after several years of doing weekly checks with my AV it's nice(in a strange kind of way!) to know that the routine is worth it even if you only come across a problem once in a blue moon.  Thanks again for your help! :)

regards

Tony

soms

Re: Trojan Found
« Reply #6 on: June 02, 2007, 05:31:13 PM »

Glad you removed the trojan successfully  :)

It does seem odd how it got onto your PC and took refuge in the memory.dmp file. I expect that shutdown notice was the result of something like that Remote Procedure Call service or whatever it is, which if anything throws it shuts down Windows within 60 seconds. Perhaps the website was the source of this malicious activity and the trojan found itself a home when the computer did a memory dump?

On this speculation I have disabled memory dumps, they serve me no purpose anyway and I guess they are used for error reporting? or maybe not? Anyway, I doubt they are very beneficial, especially if they might prove a vulnerability of some description.

jazz

Re: Trojan Found
« Reply #7 on: June 02, 2007, 06:50:34 PM »

I'm beginning to doubt the value of the memory dump too - I didn't know much about it till yesterday but I'm sure I would never understand it if I were to look in it!  I think it is primarily for error reporting (I presume just the last 64KB or so goes to Microsoft in the Error Report so I've reduced my dump to that amount as Kitz indicated).  I don't suppose I'll ever know how the trojan got in but just glad the computer shut down and my AV was able to pick it up and identify it!

kitz

Re: Trojan Found
« Reply #8 on: June 02, 2007, 09:54:30 PM »

Just had chance to read those links - interesting to note that according to ca this variant is classified as newly discovered and it looks like you were perhaps one of the first to be infected.

Quote
31 May 2007 Win32/SillyDl.CVC
Also known as: W32/Downloader2.EKK (exact) (F-Secure), Trojan-Downloader.Win32.Small.eqz (Kaspersky), TROJ_TrojanDownloader:Win32/Small!78BF (MS OneCare), TROJ_Downloader (Symantec), TROJ_Mal/Basine-C (Sophos), TROJ_DLOADER.NMD (Trend)
 

Since they are reporting 31st of May, that's probably the reason why we couldn't find anything when we both tried looking yesterday morning, as it probably hadn't yet been indexed by the search engines.
Some of the AV/security sites only started reporting and implementing patches/removal instructions as from yesterday.


Out of curiosity I just googled again just now using the same keywords and the ca link is now there.

What I did however find highly amusing was that if you do a Google search today on "Agent-BHA", look what's at the top of the list :lol: whilst the CA one is 5th down.


---------------------

What I do find disturbing is the fact that you picked this up by following a link from the register.  Did you try following a link to the Independent website?

Judging from the time of the report on the register, and the time on your dump file then it looks like you tried to access the site whilst it was still having problems.. and therefore could perhaps have been inadvertently hosting the virus on the web-server??

Quote
Win32/SillyDl variants may be installed via Internet Explorer exploits when users visit malicious web pages; other trojan downloaders or components; or they may be packaged with software that the user has chosen to install.

An alarming number of big name servers seem to have been "hacked" over the past couple of weeks.  Some of the names involved have stated openly that exploits have been deposited.. some have said nothing or little about the incidents.
Some of the companies involved with site problems/hacking in the past week or so have been
AbbeyNat (problems), Plusnet webmail (compromised), Telegraph, Mirror (hacked), Independent (they ain't saying).



--------------

Some trojans do hide themselves in valid Windows files (or a URL in the case of key-clickers, which they write to, say, the hosts file).
It does seem that using hacked or rogue websites to deposit downloaders/key loggers on users' machines right now is in vogue.
It's also vital to make sure that you have installed all the latest Windows updates.


Som's explanation sounds likely, but IMHO it was just "that file" it picked.. it could have been any windows file.

For you in a way it was quite lucky - because .dmp files aren't necessary and if you read between the lines of my posts yesterday, I was trying to say yeah they are safe to delete 'cause you don't really need them - without having any recourse on myself if things went belly-up..  :/

jazz

Re: Trojan Found
« Reply #9 on: June 03, 2007, 10:16:10 AM »

Yes - it looks like it was a new one!!  I'm quite impressed that Avast! picked it up so quickly.  The program does update its virus file very frequently.  My McAfee used to update daily from Mon to Friday but Avast! is updating at least once and sometimes twice a day (even three times on one occasion!).  It also does updates quite often at the weekend as well.

Yes, I was interested in the number of high profile sites that had been affected over the last couple of weeks (I'm with PlusNet and felt the effect of that hack with my first Spam in well over 10 years using the net).  I had read the Register item on 30 May about the Daily Mirror and when I saw the item about the Independent on 31 May I clicked on that link too (to the Register news item - I didn't try to go to the Independent website) but never got there.  After the problems in Estonia and all the issues going on in the world you could be forgiven for wondering if someone is testing things before trying to cause major problems - just shows how vulnerable we are to this sort of thing nowadays.

As you say - it was probably lucky that the trojan hid in a disposable file - perhaps a good reason for soms to keep one around (like a plastic carrier bag to put the fish and chip papers in!)

Anyway - thanks again Kitz

regards
Tony

kitz

Re: Trojan Found
« Reply #10 on: June 03, 2007, 11:24:42 AM »

Glad it's all sorted now. :)

As regards the spam thing - I got hit too - unfortunately not just my username, since there was also an association with this site that also got targeted.  I read somewhere on one of the security sites last week (sorry, can't remember where now) that DDoS for sites was now seen as *old hat*, and that targeting for spam is much more profitable.

Spamming as a whole does seem to have increased across the board, and one thing I've noticed is that random names at domains seem rife, and although I've never used addresses such as admin@ sales@ mail@ etc they also get hit fairly hard - so I just blackhole them now.

atce

Re: Trojan Found
« Reply #11 on: June 03, 2007, 10:25:42 PM »

Quote
I then emptied the Recycle Bin and ran Avast! once more to check that the trojan was no longer anywhere on my system.

jazz,

Have you also deleted all your Win XP restore points, as the trojan could well still be hidden away there? (I believe access to the restore points is denied to virus checkers, etc.)


tickmike

Re: Trojan Found
« Reply #12 on: June 04, 2007, 12:22:53 AM »

You said "It suggested that if I had installed new software or drivers that I should remove these after rebooting"

Just a thought, you do run your computer as a USER setting and NOT the Administrator's setting?
I have a set of 6 fixed IP's From  Eclipse  isp.BT ADSL2(G992.3) line>HG612 as a Modem, Bridge, WAN Not Bound to LAN1 or 2 + Also have FTTP (G.984) No One isp Fixed IP >Dual WAN pfSense (Hardware Firewall and routing).> Two WAN's, Ethernet LAN, DMZ LAN, Zyxel GS1100-24 Switch.

jazz

Re: Trojan Found
« Reply #13 on: June 04, 2007, 01:59:27 PM »

@atce
Thank you for the warning - I was not aware of that and will take action

@tickmike
I usually go on as a User but I think that on that occasion I was in Administrator mode and did not switch users before going on to the net.....a salutary lesson!!  Thanks for the reminder!