Email Virus Attachment

Started by GSBunny, August 17, 2006, 01:49:58 PM



GSBunny

Hi Everyone,

I was steered this direction from the Avast forums. Long story short.... I received an alarming email with an attachment I should not have opened but did anyway. (Please feel free to kick me for knowing better but doing it anyway.) I think I have repaired the damage but would really like to turn this .zip file over to a professional to examine. Here's my story:

Hi All,

I need to tell you about an email I received in two different accounts from two "different" senders. The first came from customercare@bestbuy.com and the second came from customercare@amazon.com. The subject line is:

Confirmation for Order Z3566043

The body of the email starts off:

Dear Customer,

Thank you for shopping at our shop !
This e-mail is to inform you that your order has been shipped out.
The following information is for your reference (see details in the attachment):
* Order No.:  Z3566043
* Order Date:  08/13/2006
------------------------------
   SUBTOTAL : $1,769.99
   SALESTAX : $0.00
   SHIPPING : $16.81
   TOTAL    : $1,786.80
------------------------------
* Ship Via:  FDX Overnight Delivery

[Ship Date :] 08/14/2006 [Tracking No:] 708745655472
Please note that if your order includes more than one package, the
packages may not be delivered at the same time due to the shipping carrier's
schedule and the delivery method, and this is out of our control.
In addition, backordered items will be shipped separately.
You may check the status of your package's progress at our website.
Simply click on "Customer Service", then log into the "Member Center".
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Attached to this email is a file called:

Z3566043.zip

Both emails had identical subject lines and email body.

I looked at this file through WinZip and saw that it was called Z3566043.exe. I knew better but was panicked that someone had stolen one of my credit cards and bought almost $2000 worth of stuff from Best Buy. As expected, clicking on the .exe opened and then quickly closed a window. Now, Outlook Express will not open (I get a blank Program Error Dialog Box when opening Outlook Express) and certain websites will not load (like this forum...I'm using another computer to write this).

A thorough Avast scan detected the following items:

Win32:Agent-AJN [Trj] installed in C:\WINNT\System32

and

Win32:Haxdoor-EM [Trj] installed in C:\Documents and Settings\All Users\Documents\Dr Watson

I'm running Windows 2000 Professional and, generally, have a clean system. Moving those two items to chest did not resolve my difficulties. I still have the .zip file if that would help you find the fix. Obviously, there are more components to this virus.

I should have known better than to try and open it. I understand somebody has to get these things before you can develop a fix. Malicious or fatal, I'll have to deal with the consequences. Any help is needed and welcomed.

I updated this post as follows:

Update:

I tried to install Ewido but the installation was blocked and the empty Program Error dialog box reappeared. So, I went a-hunting. I deleted all the Temp files, removed some entries with HiJack This and it seems the problems have disappeared. I was able to install Ewido which found two problem files, APInstall_Tiny.dll and Z3566043[2].zip.

I'm still not confident that this combined threat has been removed. I sure would like to hand this .zip file to a professional to examine.

Any takers?
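The check GSBunny did by hand in WinZip (an order-number .zip that actually holds an .exe, sent from a retailer address) can be automated. The following Python script is an added example, not code from the original post or from the forum: it parses a message, flags a From: domain that differs from the Return-Path envelope domain, and opens each .zip attachment to flag members that have an executable extension or start with the "MZ" PE signature regardless of their extension. The sample message it builds is constructed here to mirror the lure described above; the Return-Path value and the zip contents are placeholders, not data from the real email.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that never belong in a "shipping confirmation" attachment.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def make_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used to construct test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def inspect_zip(data: bytes) -> list:
    """Return one finding per suspicious member of a zip archive.

    A member is suspicious if its extension is executable, or if its first two
    bytes are the 'MZ' signature of a Windows PE file even though the extension
    looks harmless (e.g. invoice.txt that is really a program)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            head = zf.open(info).read(2)  # only the signature is needed
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append(f"{name}: executable extension {ext}")
            elif head == b"MZ":
                findings.append(f"{name}: PE header despite extension {ext or '(none)'}")
    return findings


def _domain(addr: str) -> str:
    """Extract the domain part of an address header value such as '<a@b.c>'."""
    return addr.rsplit("@", 1)[-1].strip("<> ").lower() if "@" in addr else ""


def inspect_message(raw: bytes) -> list:
    """Parse an RFC 2822 message and report the two lure indicators:
    a spoofed From: domain (differs from Return-Path) and zip attachments
    that contain executables."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_domain = _domain(str(msg.get("From", "")))
    rp_domain = _domain(str(msg.get("Return-Path", "")))
    if rp_domain and from_domain != rp_domain:
        findings.append(f"From domain {from_domain} != Return-Path domain {rp_domain}")
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if filename.lower().endswith(".zip"):
            for f in inspect_zip(part.get_payload(decode=True)):
                findings.append(f"{filename} -> {f}")
    return findings


def build_sample_message() -> bytes:
    """Constructed stand-in for the email described in the post (not the real
    message): retailer From:, order-number subject, Z3566043.zip holding
    Z3566043.exe. The member body is just a PE signature plus padding."""
    archive = make_zip({"Z3566043.exe": b"MZ" + b"\x00" * 62})
    msg = EmailMessage()
    msg["From"] = "customercare@bestbuy.com"
    msg["Return-Path"] = "<bounce@example.invalid>"  # placeholder envelope sender
    msg["Subject"] = "Confirmation for Order Z3566043"
    msg.set_content("Dear Customer,\nThank you for shopping at our shop !\n")
    msg.add_attachment(archive, maintype="application", subtype="zip",
                       filename="Z3566043.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in inspect_message(build_sample_message()):
        print(line)
```

Run against a real saved message (`inspect_message(open("msg.eml", "rb").read())`), the script lists the same two things a careful reader would notice: the envelope sender does not match the displayed retailer address, and the "order details" archive contains a program rather than a document. The MZ check matters because renaming the member to .txt or .pdf would defeat an extension-only filter.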

Corrine

Hi, GSBunny.  There are two things you can do with regard to that email.  First submit the zip file according to the instructions here:  http://www.landzdown.com/index.php?topic=4653.0 .  Next, if you still have the emails, submit them (with headers) to Castle Cops.  They've had great success bringing down this type of phish. CastleCops has world-wide contacts, including governmental agencies.  Go to http://www.castlecops.com/pirt .

For further assistance, we need to see a logfile.  Please download HijackThis© from:  http://www.thespykiller.co.uk/files/HJTsetup.exe

Note:  This is a complete installer that installs HijackThis to your computer to at C:\Program Files\HijackThis, making an entry in the start menu and also providing a desktop shortcut.

At the download prompt, choose "Save".  After the download is complete, navigate to the C:\Program Files\HijackThis folder and double-click it.  When the installation is complete, double-click the HijackThis icon on your desktop.  Select "Do a system scan and save logfile".  Select a name for this first logfile and a text file will be produced.  Please have word wrap turned ON in Notepad. Copy the text file and paste it here as a reply.

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.