We are having MAJOR problems with zaSuiteSetup_61_737_000_en.exe. It is giving us pop-messages that won't go away. Something is putting GLxxx.tmp files in the TEMP folder (cd %user%).
We have 5 infected computers. This report concerns our work with only one.
Here are copies of the screen showing 3 different ZoneAlarm messages:
Note that, in the font that ZoneLabs uses in the screen copy just above, a bold capital I is identical to a bold lower case L. LSASS.EXE is a normal Windows component. ISASS.EXE is a trojan and keylogger. Whoever wrote that malware took advantage of ZoneLab's choice of fonts. However, we found no ISASS.EXE on the infected computer that we checked.
From looking at the behavior it is evident that ZoneAlarm does not see the entire infection. Since it comes back again and again even after files have been quarantined, it is obvious that the real infection is not being eliminated.
When the GLxxx.tmp files are deleted, they return after the next re-start. The GLxxx.tmp files have many dates, even though they have been newly created.
ZoneAlarm reports again and again that "BroadCastPC" and "Virtual Bouncer" have been quarantined.
Here are some of the files in the temp folder. (To go to the temp folder, in DOS do CD %user% and press the ENTER key.)
Directory of C:\DOCUME~1\CashReg\LOCALS~1\Temp
01/13/2006 12:43 AM 16,384 ~DF1047.tmp
01/13/2006 01:18 AM 32,768 ~DF3454.tmp
01/13/2006 01:18 AM 16,384 ~DF58B9.tmp
01/13/2006 12:42 AM 32,768 ~DF9BFB.tmp
01/13/2006 01:45 AM 32,768 ~DFC009.tmp
01/13/2006 01:46 AM 16,384 ~DFDDB.tmp
01/13/2006 12:43 AM 165,376 GLC2.tmp
01/13/2006 01:46 AM 165,376 GLC3.tmp
01/13/2006 01:18 AM 165,376 GLCE.tmp
07/26/2002 04:02 PM 10,752 GLF12.tmp
04/19/2004 11:15 PM 17,979 GLF13.tmp
07/26/2002 04:02 PM 10,752 GLF6.tmp
04/19/2004 11:15 PM 17,979 GLF7.tmp
07/26/2002 04:02 PM 10,752 GLF8.tmp
04/19/2004 11:15 PM 17,979 GLF9.tmp
01/13/2006 01:18 AM 384 GLG11.tmp
01/13/2006 12:51 AM 384 GLG5.tmp
01/13/2006 01:49 AM 384 GLG6.tmp
01/13/2006 12:43 AM 34,304 GLK3.tmp
01/13/2006 01:46 AM 34,304 GLK4.tmp
01/13/2006 01:18 AM 34,304 GLKF.tmp
21 File(s) 833,841 bytes
Prevx1 has some information that seems accurate:
Prevx1 calls this infection "Trojan.Droppers.Temp.A".
This part of a sentence from the Prevx1 web page accurately describes our experience:
"This [.TMP] File Type uses the file names GLB1.TMP and GLB6B.TMP and at least 65 other file names, the latest we have seen is GLB8B.TMP. It has a file size of 71,680 bytes and is found in the folder [%TEMP%\]"
In the file list above, the malware is not active, apparently, and there is no file with a size of 71,680 bytes. Note that not all the files have the same date, even though they were created within minutes of each other.
The actual operation of the malware seems to occur only under one user name, one which in this case has extremely limited rights. The malware does not seem active when logged in under a user name with Administrator rights.
We used the excellent free SysInternals FileMon.exe File activity monitoring utility to log some of the GLxxx.tmp activity:
FileMon is available at:
However, at that time the malware did not seem particularly active, and there was no file with the size 71,680 bytes in the
C:\Documents and Settings\UserNamexx\Local Settings\temp
folder. The short form of that folder is
Operating System:Windows XP Pro
Product Name:ZoneAlarm Internet Security Suite