Does anyone know what email-av.exe is? About every 30 minutes, Zone Alarm says it's trying to contact 188.8.131.52. I deny it and don't seem to miss any functionality. Is it a Zone Alarm app?
Operating System: Windows 2000 Pro
Product Name: ZoneAlarm Internet Security Suite
It is absolutely not a ZoneAlarm process. Google doesn't turn up any information about it either. May I suggest you upload the file to one or both of these online analysis links:
I have searched for the file and have been unable to locate it on my PC. I also checked Google without positive results.
I actually found a similar thread on the CastleCops forum but unfortunately nobody has answered that:
Other than that, it doesn't seem like much is known about this. When you are searching for the file to upload to Jotti's AV scan, ensure that you have set Windows to display all hidden files and folders. To do so, go to Control Panel and open up "Folder Options". Select the "View" tab. Look for the subheading "Hidden Files and Folders" and select "Show hidden files and folders". Click "Apply", then click "OK". These folders and files will appear as translucent icons.
I had the luck of coming across this one today. It infected a laptop user that uses Internet Explorer so it could be connected.
I checked and there weren't any registry entries that called it on startup. You also can't find the file on startup. The file is named email-av.exe and it's listed in Services. Using Process Explorer from Sysinternals, it shows the process is listed as email-av.exe from 8:54 PM Central time on 12/6/2005. Under the TCP/IP tab there was a lot of activity, and it's listening for TCP connections on port 17215. I have no idea what it's doing, but when this system was online it was *very* active. I brought it offline while investigating the email-av.exe issue.
The typical Start/Stop/Pause/Resume service buttons are unavailable. I set it to Disabled and rebooted the system, and it didn't appear to be running, so that worked. The path is reported as C:\WINDOWS\email-av.exe and the current directory is C:\WINDOWS\system32\. Even with "show hidden files and folders" enabled I didn't see it on this system. Using attrib.exe from a DOS prompt it appears to have SHR (system file, hidden, and read-only). After running attrib -h -s -r email-av.exe it should become visible.
Under TCP/IP I saw connections to a wide range of sites using microsoft-ds so it may be related to the Sasser Worm. I'll keep investigating, and I will submit this to spyware/antivirus vendors. For the moment simply disable the service in the control panel, and wait for more. It's probably safe to delete, but I haven't done that as I'm not done investigating it.
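The triage the poster describes (an executable hidden with the S and H attributes, a service listening on an odd port, and a burst of outbound connections to microsoft-ds on many hosts) can be checked mechanically against the text output of two standard Windows commands. The script below is an added example written for this thread, not code from the poster or from any vendor. It parses constructed sample output of `netstat -ano` and `attrib` (embedded inline so it runs offline), and the set of "expected" listening ports is an assumed baseline that you would adjust for your own host; port 17215 and the port-445 fan-out come from the observations above.

```python
"""Triage helpers: flag an unexpected TCP listener, a process fanning out to
port 445 (microsoft-ds) on many hosts, and executables carrying both the
System and Hidden attributes so that Explorer never shows them."""
import re

# Constructed sample of `netstat -ano` output (not captured from the thread's machine).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       804
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:17215          0.0.0.0:0              LISTENING       1632
  TCP    192.168.1.10:1043      192.168.1.20:445       SYN_SENT        1632
  TCP    192.168.1.10:1044      192.168.1.21:445       SYN_SENT        1632
  TCP    192.168.1.10:1045      192.168.1.22:445       SYN_SENT        1632
  TCP    192.168.1.10:1100      10.0.0.5:80            ESTABLISHED     2212
  UDP    0.0.0.0:500            *:*                                    912
"""

# Constructed sample of `attrib C:\WINDOWS\*` output.
ATTRIB_SAMPLE = r"""
A    SHR     C:\WINDOWS\email-av.exe
A           C:\WINDOWS\explorer.exe
A    SH      C:\WINDOWS\bootstat.dat
A     H      C:\WINDOWS\notepad.exe
"""

# Assumed baseline of ports a Windows 2000/XP workstation normally listens on;
# anything else in LISTENING state is flagged for review. Adjust per host.
EXPECTED_LISTEN_PORTS = {135, 139, 445}


def _endpoint(text):
    """Split 'host:port' (or '*:*') into (host, port-or-None)."""
    host, _, port = text.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse `netstat -ano` output into row dicts; headers and blanks are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto = parts[0]
        lhost, lport = _endpoint(parts[1])
        fhost, fport = _endpoint(parts[2])
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:                      # UDP rows have no State column
            state, pid = "", int(parts[3])
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport, "state": state, "pid": pid})
    return rows


def suspicious_listeners(rows, expected=EXPECTED_LISTEN_PORTS):
    """(pid, port) for TCP listeners outside the expected baseline."""
    return sorted((r["pid"], r["lport"]) for r in rows
                  if r["proto"] == "TCP" and r["state"] == "LISTENING"
                  and r["lport"] not in expected)


def smb_fanout(rows, threshold=3):
    """PIDs connecting to port 445 on at least `threshold` distinct hosts,
    the scanning pattern the thread observed. Returns {pid: host_count}."""
    targets = {}
    for r in rows:
        if r["proto"] == "TCP" and r["fport"] == 445:
            targets.setdefault(r["pid"], set()).add(r["fhost"])
    return {pid: len(hosts) for pid, hosts in targets.items() if len(hosts) >= threshold}


# attrib prints the attribute letters, then the full path starting with a drive letter.
ATTRIB_LINE = re.compile(r"^\s*([ASHRI ]*?)\s+([A-Za-z]:\\.*)$")


def hidden_system_executables(text):
    """Paths of .exe files that carry both the S and H attributes in `attrib` output."""
    found = []
    for line in text.splitlines():
        m = ATTRIB_LINE.match(line)
        if not m:
            continue
        flags = set(m.group(1).replace(" ", ""))
        path = m.group(2).strip()
        if {"S", "H"} <= flags and path.lower().endswith(".exe"):
            found.append(path)
    return found


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_SAMPLE)
    print("unexpected listeners:", suspicious_listeners(rows))
    print("port-445 fan-out:", smb_fanout(rows))
    print("hidden system executables:", hidden_system_executables(ATTRIB_SAMPLE))
```

On a real host, redirect the two commands to files (`netstat -ano > net.txt` and `attrib C:\WINDOWS\*.* > attr.txt`) and pass their contents to the functions; the PID from the listener check can then be matched against the Services list and Process Explorer as the poster did, and the S+H executable list gives you the candidates to submit to an online scanner before deleting anything.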
Looks like most antivirus vendors have indeed identified this one:
AntiVir Found Worm/SdBot.aad.313
ArcaVir Found Trojan.Sdbot.Aad
Avast Found nothing
AVG Found IRC/BackDoor.SdBot.POI
BitDefender Found Backdoor.SDBot.5FAF2BDD
ClamAV Found nothing
Dr.Web Found Win32.HLLW.MyBot
F-Prot Found nothing
Fortinet Found W32/Tilebot.AAD!bdr
Kaspersky Found Backdoor.Win32.SdBot.aad
NOD32 Found IRC/SdBot
Norman Found W32/SDBot.VML
UNA Found nothing
VBA32 Found Backdoor.Win32.SdBot.aad
With that said, use one of the programs that found it to remove it. Hopefully my post helps someone else identify it.