Syscom.dll, Intlmain.dll and casinopalazzo virus

Discussion in 'Virus Information' started by Stephen, Sep 2, 2004.

  1. Stephen

    Stephen Guest

    These dll's in windows\system have creation dates and times coincident with
    my infection with the casinopalazzo virus. This is the one which deletes
    Notepad.exe from the windows directory, keeps installing desktop icons which
    link to their website, and prompts Zone Alarm to say "do you want ebek.dat
    to access the internet" (answer No, and it can be any random selection of 4
    letters then .dat, which is a file that just has been created in
    windows\temp).
    I wonder if Syscom.dll and Intlmain.dll could be the key to the
    casinopalazzo virus, since there is no mention of either on Google, which I
    find pretty unusual for a standard windows dll. Also looking at the
    properties of these dll's they seem rather odd. The File Version
    Description for Syscom.dll says 6.00.2800.1233 (xpsp2.030604-1804), that is
    it refers to Windows XP Service Pack 2, yet the modified date for it is
    17:00 08/06/2000. It's as though the modified date has been copied from
    elsewhere in my windows\system directory, where most system dll's have this
    date and time, since it is a Windows ME system.
    Also, opening syscom.dll with notepad I find that it includes some
    javascript (see below). Isn't this also rather odd for a Microsoft dll? The
    other dll, Intlmain.dll, has a different internal name, jsconsole.dll,
    and a different original filename, vbtern.dll.
    No one seems to have yet identified how the casinopalazzo virus works,
    judging by Google searches for it, which are all queries to forums and
    "hijack this" log files, but with no definitive answers anywhere.

    Javascript from within \windows\system\syscom.dll :
    R E G I S T R Y  T Y P E L I B `a HKCR
    {
        SysCom.Dloader.1 = s 'Dloader Class'
        {
            //{5F10319B-C8D4-4e49-A30C-C0E8CEE611D7}
            CLSID = s '{5F10319B-C8D4-4e49-A30C-C0E8CEE611D7}'
        }
        SysCom.Dloader = s 'Dloader Class'
        {
            CLSID = s '{5F10319B-C8D4-4e49-A30C-C0E8CEE611D7}'
            CurVer = s 'SysCom.Dloader.1'
        }
        NoRemove CLSID
        {
            ForceRemove {5F10319B-C8D4-4e49-A30C-C0E8CEE611D7} = s 'SysComDloader Class'
            {
                ProgID = s 'SysCom.Dloader.1'
                VersionIndependentProgID = s 'SysCom.Dloader'
                ForceRemove 'Programmable'
                InprocServer32 = s '%MODULE%'
                {
                    val ThreadingModel = s 'Apartment'
                }
                'TypeLib' = s '{192CFBA6-D7C1-441e-8294-EE47817C18A5}'
            }
        }
    }
     
    Stephen, Sep 2, 2004
    #1

  2. Jen Ngew

    Jen Ngew Guest

    Stephen.
    Yes, I agree with you that this dll seems a little odd, but I believe
    it's a byproduct of the virus; you may not even be able to remove it manually because
    the virus will just rewrite it again.

    maybe scouring the registry based on the CLSID may help.
     
    Jen Ngew, Sep 2, 2004
    #2
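To follow up on the suggestion of scouring the registry by CLSID: the text Stephen found in syscom.dll is an ATL registry script (.rgs), and expanding it gives the exact keys the DLL creates when its DllRegisterServer runs, so a responder knows what to look for and what to clean. The parser below is an added example, not code from this thread; it assumes standard ATL .rgs syntax and a module path of your choosing for %MODULE%.

```python
import re
# Constructed sample: the script Stephen pulled out of syscom.dll (the "REGISTRY
# TYPELIB" text before HKCR is resource-header residue, not part of the script).
SAMPLE_RGS = r"""HKCR {
  SysCom.Dloader.1 = s 'Dloader Class' { CLSID = s '{5F10319B-C8D4-4e49-A30C-C0E8CEE611D7}' }
  SysCom.Dloader = s 'Dloader Class' { CLSID = s '{5F10319B-C8D4-4e49-A30C-C0E8CEE611D7}'
                                       CurVer = s 'SysCom.Dloader.1' }
  NoRemove CLSID {
    ForceRemove {5F10319B-C8D4-4e49-A30C-C0E8CEE611D7} = s 'SysComDloader Class' {
      ProgID = s 'SysCom.Dloader.1'
      VersionIndependentProgID = s 'SysCom.Dloader'
      ForceRemove 'Programmable'
      InprocServer32 = s '%MODULE%' { val ThreadingModel = s 'Apartment' }
      'TypeLib' = s '{192CFBA6-D7C1-441e-8294-EE47817C18A5}' } } }"""
# One token per {GUID}, 'quoted string', brace, '=' or bare word (ATL .rgs syntax).
_TOKEN = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
                    r"|'[^']*'|[{}=]|[^\s{}=']+")

def parse_rgs(script, module):
    """Expand an .rgs script into (keys, flags): keys maps each full registry path to
    {value_name: data} ('' = the key's default value); flags holds NoRemove/ForceRemove
    markers. %MODULE% becomes `module` (ATL substitutes the DLL's own path there)."""
    toks = ["{"] + _TOKEN.findall(re.sub(r"//[^\n]*", "", script)) + ["}"]
    keys, flags, pos = {}, {}, 0
    def text(tok):                          # strip quotes, expand %MODULE%
        return (tok[1:-1] if tok[:1] == "'" else tok).replace("%MODULE%", module)
    def block(parent):                      # parse "{ ... }" beneath key `parent`
        nonlocal pos
        pos += 1                            # consume "{"
        while toks[pos] != "}":
            tok, pos = toks[pos], pos + 1
            flag = tok if tok in ("NoRemove", "ForceRemove", "Delete") else None
            if flag:
                tok, pos = toks[pos], pos + 1
            if tok == "val":                # named value: val Name = s 'data'
                keys.setdefault(parent, {})[text(toks[pos])] = text(toks[pos + 3])
                pos += 4
                continue
            path = f"{parent}\\{text(tok)}" if parent else text(tok)
            entry = keys.setdefault(path, {})
            if flag:
                flags[path] = flag
            if toks[pos] == "=":            # default value: Key = s 'data'
                entry[""], pos = text(toks[pos + 2]), pos + 3
            if toks[pos] == "{":
                block(path)
        pos += 1                            # consume "}"
    block("")
    return keys, flags
```

Every path in `keys` is a registry location to inspect (and the InprocServer32 default value is the DLL that COM will load for that CLSID); the ForceRemove/NoRemove flags show which keys the script wipes and recreates on each registration.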
