Thread: email-av.exe

  1. #1
    petergrasse Guest

    email-av.exe

    Does anyone know what email-av.exe is? About every 30 minutes, Zone Alarm say its trying to contact 70.84.33.226. I deny and don't seem to miss any functionality. Is it a Zone Alarm App?

    Operating System:Windows 2000 Pro
    Product Name:ZoneAlarm Internet Security Suite
    Software Version:6.0

  2. #2

    Re: email-av.exe

    It is absolutely not a ZoneAlarm process. Google doesn't turn up any information about it either. May I suggest you upload the file to one or both of these online analysis links:

    http://virusscan.jotti.org/

    http://www.virustotal.com/xhtml/index_en.html

  3. #3
    petergrasse Guest

    Re: email-av.exe

    I have searched for the file and have been unable to locate it on my PC. I also checked Google without positive results.

  4. #4
    unhappy_viewer Guest

    Re: email-av.exe

    I actually found a similar thread on the CastleCops forum but unfortunately nobody has answered that:
    http://castlecops.com/p672203-I_thin...e_a_virus.html

    Other than that, it doesn't seem like much is known about this. When you are searching for the file to upload to Jotti's AV scan, ensure that you have set Windows to display all hidden files and folders. To do so, go to Control Panel and open up "Folder Options". Select the "View" tab. Look for the subheading "Hidden Files and Folders" and select "Show hidden files and folders". Click "Apply", then click "Ok". These folders and files will appear as translucent icons.

  5. #5
    tebersviller Guest

    Re: email-av.exe

    I had the luck of coming across this one today. It infected a laptop user that uses Internet Explorer so it could be connected.

    I checked and there weren't any registry entries that called it on startup. You also can't find the file on startup. The file is named email-av.exe and it's listed in Services. Using Process Explorer from Sysinternals it shows the process is listed as email-av.exe from 8:54 PM central time on 12/6/2005. Under the TCP/IP tab there was a lot of activity, and it's listening for TCP connections on port 17215. I have no idea what it's doing, but when this system was online it was *very* active. I brought it offline while investigating the email-av.exe issue.

    The typical Start/Stop/Pause/Resume service buttons are unavailable. I set it to disabled and rebooted the system, and it didn't appear to be running, so that worked. The path is reported as C:\WINDOWS\email-av.exe and the current directory is C:\WINDOWS\system32\. Even with "show hidden files and folders" I didn't see it on this system. Using attrib.exe in DOS it appears to have SHR (system file, hidden, and read only). After running attrib -h -s -r email-av.exe it should become visible.

    Under TCP/IP I saw connections to a wide range of sites using microsoft-ds so it may be related to the Sasser Worm. I'll keep investigating, and I will submit this to spyware/antivirus vendors. For the moment simply disable the service in the control panel, and wait for more. It's probably safe to delete, but I haven't done that as I'm not done investigating it.
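    The checks described in the post above, collected into an added triage script that is not part of the thread. It assumes a current Windows host with PowerShell 5 or later (the poster's machine ran Windows 2000, where these cmdlets do not exist); the binary name, path, port and address are the ones reported in the thread.

```powershell
# Added triage script (not from the thread). Looks for the three indicators the post above
# reports: a service whose binary is email-av.exe, a System+Hidden+ReadOnly file under the
# Windows directory that Explorer will not list, and network activity on TCP 17215 or to
# 70.84.33.226. Assumes PowerShell 5+ on a current Windows host (the thread's host was Windows 2000).

$BinaryName   = 'email-av.exe'
$ExpectedPath = Join-Path $env:SystemRoot $BinaryName   # C:\WINDOWS\email-av.exe in the post
$RemoteIp     = '70.84.33.226'                           # address Zone Alarm reported in post #1
$ListenPort   = 17215                                    # listener seen in Process Explorer in post #5

# 1. Services that point at the binary. The post found no Run-key entry; the persistence was a service.
$svc = Get-CimInstance Win32_Service |
       Where-Object { $_.PathName -match [regex]::Escape($BinaryName) }
if ($svc) {
    $svc | Select-Object Name, DisplayName, State, StartMode, PathName | Format-List
} else {
    "No service references $BinaryName"
}

# 2. The file itself. -Force is required: System+Hidden files are skipped even with
#    "show hidden files and folders" enabled, which is what the poster ran into.
$file = Get-Item -LiteralPath $ExpectedPath -Force -ErrorAction SilentlyContinue
if ($file) {
    "Found $($file.FullName) attributes: $($file.Attributes) size: $($file.Length) bytes"
    # Hash the sample so it can be looked up or submitted to a scanner without moving the file
    Get-FileHash -LiteralPath $ExpectedPath -Algorithm SHA256 | Select-Object Algorithm, Hash
} else {
    "No file at $ExpectedPath"
}

# 3. Network indicators: the 17215 listener and any connection to the reported address,
#    with the owning PID so it can be matched against the service above.
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -eq $ListenPort -or $_.RemoteAddress -eq $RemoteIp } |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
```

Run it from an elevated prompt; a hit in step 1 with no hit in step 2 is consistent with the SHR attributes the poster describes, and step 3 ties the listener back to the service's process.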

  6. #6
    tebersviller Guest

    Re: email-av.exe

    Looks like most antivirus vendors have indeed identified this one:

    File: email-av.exe
    Status: INFECTED/MALWARE

    AntiVir Found Worm/SdBot.aad.313
    ArcaVir Found Trojan.Sdbot.Aad
    Avast Found nothing
    AVG Found IRC/BackDoor.SdBot.POI
    BitDefender Found Backdoor.SDBot.5FAF2BDD
    ClamAV Found nothing
    Dr.Web Found Win32.HLLW.MyBot
    F-Prot Found nothing
    Fortinet Found W32/Tilebot.AAD!bdr
    Kaspersky Found Backdoor.Win32.SdBot.aad
    NOD32 Found IRC/SdBot
    Norman Found W32/SDBot.VML
    UNA Found nothing
    VBA32 Found Backdoor.Win32.SdBot.aad


    With that said use one of the programs that found it to remove it. Hopefully my post helps someone else identify it.
