Viral NetScheduleJobAdd

Something unrecognized started showing Internet Explorer-based popups… Obviously it is of viral origin: an executable with an arbitrary eight-character name is created in %WINDIR%\system32, which in turn uses NetScheduleJobAdd to add a number of delayed-start jobs that launch Internet Explorer and navigate to free lotto, diversity visa and other advertised websites. A Google search on NetScheduleJobAdd, however, did not turn up a matching description of any known virus, trojan or malware. Fresh AdAware is also not yet aware…
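Jobs added through NetScheduleJobAdd show up as AT entries, so one quick triage step is to dump the scheduler's job list and flag entries that match the pattern described above: a browser launched with a URL argument, or a random-looking eight-character executable in system32. The script below is an added example and is not part of the original post; it parses a constructed sample in the shape of `schtasks /query /fo CSV /v` output (the column names "TaskName" and "Task To Run" are assumed from that tool, and the rows are invented), and the "random-looking" test is a heuristic, not a signature.

```python
import csv
import io
import re
from typing import Dict, List, Tuple

# Constructed sample resembling `schtasks /query /fo CSV /v` output.
# Column names are assumed from that tool; all values are invented.
SAMPLE_SCHTASKS_CSV = '''"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time","Last Result","Author","Task To Run"
"PC1","At1","13:05:00, 7/16/2008","","Background only","Never","0","SYSTEM","C:\\WINDOWS\\system32\\dnQS28v6.exe"
"PC1","At2","13:20:00, 7/16/2008","","Background only","Never","0","SYSTEM","C:\\Program Files\\Internet Explorer\\iexplore.exe http://example.invalid/lotto"
"PC1","Backup","02:00:00, 7/17/2008","","Interactive only","02:00:00, 7/16/2008","0","PC1\\user","C:\\WINDOWS\\system32\\ntbackup.exe /job"
'''

BROWSERS = {'iexplore.exe', 'firefox.exe'}
URL_RE = re.compile(r'https?://', re.IGNORECASE)
# Image path is either a quoted string or everything up to the first ".exe";
# whatever follows is the argument string.
CMD_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S.*?\.exe))\s*(.*)$', re.IGNORECASE)


def split_command(task_to_run: str) -> Tuple[str, str]:
    """Split a 'Task To Run' value into (image path, arguments)."""
    m = CMD_RE.match(task_to_run)
    if not m:
        return task_to_run.strip(), ''
    image = m.group(1) or m.group(2)
    return image, m.group(3).strip()


def basename(path: str) -> str:
    return path.replace('/', '\\').rsplit('\\', 1)[-1]


def looks_random(name: str) -> bool:
    """Heuristic: 8 alphanumeric chars mixing lower case, upper case and
    digits (e.g. dnQS28v6.exe). Legitimate Windows binaries rarely look
    like that, but this is a hint for a human, not proof of anything."""
    stem, _, ext = name.rpartition('.')
    if ext.lower() != 'exe' or len(stem) != 8 or not stem.isalnum():
        return False
    return (any(c.islower() for c in stem)
            and any(c.isupper() for c in stem)
            and any(c.isdigit() for c in stem))


def classify_task(row: Dict[str, str]) -> List[str]:
    """Return a list of findings for one scheduler row (empty if benign-looking)."""
    image, args = split_command(row.get('Task To Run', ''))
    name = basename(image)
    findings = []
    if name.lower() in BROWSERS and URL_RE.search(args):
        findings.append('browser launched with URL argument: ' + args)
    if looks_random(name) and 'system32' in image.lower():
        findings.append('random-looking image in system32: ' + name)
    return findings


def triage(csv_text: str) -> Dict[str, List[str]]:
    """Map task name -> findings for every flagged row in the CSV dump."""
    flagged = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = classify_task(row)
        if findings:
            flagged[row['TaskName']] = findings
    return flagged


if __name__ == '__main__':
    for task, findings in triage(SAMPLE_SCHTASKS_CSV).items():
        print(task)
        for f in findings:
            print('   ', f)
```

On a live machine the CSV would come from running the tool and redirecting its output to a file; the parser is deliberately kept separate from that step so it can be run against a saved dump from another host.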

Update 1: Similar symptoms are described here in German.

Update 2: I started Process Monitor to record the creation of a new file in %WINDIR%\system32, to find out where it comes from on the next re-spawning of the popup. It took some time to wait, and here it goes. There was again an IE popup and new AT/Scheduled Task entries. A new process %WINDIR%\dnQS28v6.exe was started. The image was created by another process, gC5AHp1a.exe, from the user's Temp, which had already terminated and whose file had been deleted by that moment. Still, the logs are here.

The process gC5AHp1a.exe was created by… Mozilla Firefox 3! None of the DLLs loaded into the Firefox process look suspicious.
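The step just described, finding which process wrote the dropped file and then walking up to its parent even though the dropper has already exited, can be done mechanically from a Process Monitor CSV export: "Process Create" events carry the child PID in the Detail column, so parent links survive after the child is gone. The script below is an added example, not code from the original post; the sample trace is constructed to approximate ProcMon's CSV export (column names and Detail wording are assumptions, PIDs and paths are invented), and it is generalized to report the ancestry of every process that wrote the file, not just the one case above.

```python
import csv
import io
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of a Process Monitor CSV export.
# Column names and Detail text approximate the tool's format; values are invented.
SAMPLE_PROCMON_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:02:03.1","firefox.exe","1200","Process Create","C:\\Documents and Settings\\user\\Local Settings\\Temp\\gC5AHp1a.exe","SUCCESS","PID: 2456, Command line: ""C:\\Documents and Settings\\user\\Local Settings\\Temp\\gC5AHp1a.exe"""
"1:02:03.5","gC5AHp1a.exe","2456","CreateFile","C:\\WINDOWS\\system32\\dnQS28v6.exe","SUCCESS","Desired Access: Generic Write, Disposition: Create"
"1:02:03.6","gC5AHp1a.exe","2456","WriteFile","C:\\WINDOWS\\system32\\dnQS28v6.exe","SUCCESS","Offset: 0, Length: 40960"
"1:02:04.0","gC5AHp1a.exe","2456","Process Create","C:\\WINDOWS\\system32\\dnQS28v6.exe","SUCCESS","PID: 3100, Command line: C:\\WINDOWS\\system32\\dnQS28v6.exe"
"1:02:04.2","gC5AHp1a.exe","2456","Process Exit","","SUCCESS","Exit Status: 0"
"1:02:05.0","dnQS28v6.exe","3100","CreateFile","C:\\WINDOWS\\Tasks\\At1.job","SUCCESS","Desired Access: Generic Write, Disposition: Create"
'''

PID_RE = re.compile(r'PID:\s*(\d+)')
WRITE_OPS = ('CreateFile', 'WriteFile')

Event = Dict[str, str]
# child PID -> (child image path, parent PID, parent process name)
ProcessTree = Dict[str, Tuple[str, str, str]]


def parse_events(csv_text: str) -> List[Event]:
    return list(csv.DictReader(io.StringIO(csv_text)))


def build_process_tree(events: List[Event]) -> ProcessTree:
    """Record every parent->child link seen in 'Process Create' events.
    The link is kept even if the child later exits, which is what lets us
    attribute a dropper that has already terminated."""
    tree: ProcessTree = {}
    for e in events:
        if e['Operation'] == 'Process Create':
            m = PID_RE.search(e['Detail'])
            if m:
                tree[m.group(1)] = (e['Path'], e['PID'], e['Process Name'])
    return tree


def process_names(events: List[Event], tree: ProcessTree) -> Dict[str, str]:
    """PID -> process name, using both event rows and child image paths."""
    names = {e['PID']: e['Process Name'] for e in events}
    for child, (path, _, _) in tree.items():
        names.setdefault(child, path.rsplit('\\', 1)[-1])
    return names


def writers_of(events: List[Event], path_suffix: str) -> List[str]:
    """PIDs that created or wrote a file whose path ends with path_suffix."""
    pids: List[str] = []
    suffix = path_suffix.lower()
    for e in events:
        if e['Operation'] in WRITE_OPS and e['Path'].lower().endswith(suffix):
            if e['PID'] not in pids:
                pids.append(e['PID'])
    return pids


def ancestry(tree: ProcessTree, names: Dict[str, str], pid: str) -> List[str]:
    """Walk parent links upward; returns process names, child first, stopping
    at the first process whose creation the trace did not capture."""
    chain: List[str] = []
    seen = set()
    while pid and pid not in seen:
        seen.add(pid)
        chain.append(names.get(pid, 'pid ' + pid))
        link = tree.get(pid)
        pid = link[1] if link else ''
    return chain


def terminated(events: List[Event], pid: str) -> bool:
    return any(e['PID'] == pid and e['Operation'] == 'Process Exit' for e in events)


def trace_dropper(csv_text: str, dropped_file: str) -> Dict[str, List[str]]:
    """Map each PID that wrote dropped_file to its ancestry chain."""
    events = parse_events(csv_text)
    tree = build_process_tree(events)
    names = process_names(events, tree)
    return {pid: ancestry(tree, names, pid) for pid in writers_of(events, dropped_file)}


if __name__ == '__main__':
    events = parse_events(SAMPLE_PROCMON_CSV)
    for pid, chain in trace_dropper(SAMPLE_PROCMON_CSV, 'dnQS28v6.exe').items():
        state = 'exited' if terminated(events, pid) else 'still running'
        print(pid, state, ' <- '.join(chain))
```

Filtering the capture to file writes under system32 plus "Process Create" and "Process Exit" keeps the export small; the ancestry walk needs nothing else.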

Update 3: Firefox 3.0.1 is available, fixing security issues.
