 Post subject: Halnak.exe
PostPosted: Fri Jun 24, 2005 11:44 AM 

Does anyone have any information on this process?

I've checked the process library sites that I use and came up negative. I know it is not a Windows proc.

*Apparently this is Hungarian for something. If you can translate HALNAK for me that would be at least a hint to what this process does.

*I think halnak means fish.

Edited by: Kunathar2002 at: 6/24/05 2:27 pm


 Post subject: Re: Halnak.exe
PostPosted: Sat Jun 25, 2005 9:14 AM 

fish eh? maybe it's a key logger?


 Post subject: Re: Halnak.exe
PostPosted: Sat Jun 25, 2005 11:53 AM 

That's what I was thinking when I found some Halnak references online that pointed to it meaning "fish".

I suspect it's embedded itself into the execution shell of the system which explains why I cannot stop the thing from regen'ing.

I'll have the laptop again Tuesday and I'll check to see if it's in the shell...I can't think of any other way for her to be re-spawning.

Btw, no malware or AV software sees this thing. To make it even more dubious, the exe is hidden from the taskmgr. Only via pview can I see the thing running.


 Post subject: Re: Halnak.exe
PostPosted: Sat Jun 25, 2005 9:58 PM 

Contact Symantec or McAfee. I'm sure they'd be interested to hear about something like this. These companies always want to be in the lead as far as detection goes.

The fact that I can't find a single reference to it as a computer program leads me to believe it's either new, or so hidden that it's gone undetected awhile.

Also, if you've got another computer and a hub, you may think about packet sniffing the stream coming from the computer and see what you can see.

[Tynkur Toyz][66 Gnomish Arch Convoker][Email][Magelo]


 Post subject: Re: Halnak.exe
PostPosted: Sun Jun 26, 2005 8:59 AM 

I checked several Hungarian to English translators and dictionaries online. There was no reference for the word "Halnak". It could still be a Hungarian word though.

I'd let Symantec know, it's surprising that the file doesn't come up on a Google search.

Keep my head from exploding?... You can help!


 Post subject: Re: Halnak.exe
PostPosted: Sun Jun 26, 2005 10:50 AM 

The only virus I found that has the words in it is this:

securityresponse.symantec.com/avcenter/venc/data/w32.erkez.a@mm.html

Here's a snippet of info. Bold is mine. While I doubt this is the virus infecting you (if you even have one), since it doesn't fit the profile explained below, I'll mention it in case they missed something.

-----------------

When W32.Erkez.A@mm runs, it does the following:

1) If the computer's date is May 1, 2004, it will display the following Hungarian text:

Emberek! Magyarok szazezrei, millioi elnek naprol - napra, halnak ehen - szomjan,
s szegenysegben hazankban! Mikozben jonehany felso parlamenti gazember
millios vagyonokra tesz szert, mitsem torodve velunk.
Latszat emberek iranyitanak, kik emelik fizetesunk, s ketszer annyi adot vonnak le,
kik igazsagszolgaltatasrol regelnek, mikor a bunozoket es a novekvo agressziot vedik
torvenyeikkel, kik inkabb Forma1-re pocsekoljak a penzt, mialatt hajlektalanok
halnak meg naponta utcainkon, s korhazi betegek szenvednek szukseges muszerek nelkul.
Hogy - hogy nem latja ezt senki ???? Miert nincs egy igaz magyar, ki vegre
mar nem sajat erdekeit, hanem az orszag sulyos problemait helyezne eloterbe!!!
Nem eleg akarni, s beszelni, meg szonoklatni a szepet,s jot,
tenni-tenni-tenni kell, egyarant mindenkinek - mindenkiert!
== HAZAFI == /Pecs,2004, (SNAF Team)/

2) Terminates itself if the month is not April.

3) Copies itself to the %System% folder as an eight-character, random file name with a .exe extension. It also creates the text files in the same folder with .dll extensions.

4) Creates the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Hazafi

to store the configuration information of the worm.

5) Adds the value:

"<random name>"="%system%\<random file name>.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the worm runs when you start Windows.

6) Checks for an active Internet connection by querying http:/ /www.google.com.

7) Attempts to end the following processes:

dfw.exe
fsav32.exe
fsbwsys.exe
fsgk32.exe
fsm32.exe
fssm32.exe
fvprotect.exe
mcagent.exe
navapw32.exe
navdx.exe
navstub.exe
navw32.exe
nc2000.exe
ndd32.exe
netarmor.exe
netinfo.exe
netmon.exe
nmain.exe
nprotect.exe
ntvdm.exe
ostronet.exe
outpost.exe
pccguide.exe
pcciomon.exe
regedit.exe
regedit32.exe
taskmgr.exe
tnbutil.exe
vbcons.exe
vbsntw.exe
vbust.exe
vsmain.exe
vsmon.exe
vsstat.exe
winlogon.exe
zonalarm.exe

8) Searches for the email addresses in the files with the following extensions:

.htm
.wab
.txt
.dbx
.tbb
.asp
.php
.sht
.adb
.mbx
.eml
.pmr

It avoids the email addresses containing the following substrings:

microsoft
vir
trendmicro
avp
f-prot
hotmail
gov
anti
panda
norton

--------------------------------------------------------------------------------
Note: The worm stores these email addresses in randomly named .dll files in the %System% folder.
--------------------------------------------------------------------------------

9) Generates the email addresses from random characters, to which it also sends itself.

10) Randomly selects a recently typed URL from Internet Explorer's History folder and opens it in Internet Explorer.

11) Sends an email that has the following characteristics:

From: (One of the following)

<spoofed>

mailto:kepeslapok@meglep.hu

Subject: kepeslap erkezett!

Message:
Tisztelt felhasználó!
Önnek kópeslapja órkezett!
A kópeslap feladója: A lapot az alábbi cimen tudja megtekinteni:
http//matav.hu/viewcard/index=psp4uo5683535GSb0123fhhf578840f0623cv2
vagy a mellókelt internetlink kattintásával.
Üdvözlettel: Matav e-card!
http//www.netezz.matav.hu/

-----------------------------------------

EDIT: Darn emoticons...

[Tynkur Toyz][66 Gnomish Arch Convoker][Email][Magelo]
Edited by: Tynkur at: 6/26/05 12:51 pm


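An added example, not part of the post above or of Symantec's write-up: a triage check for the persistence the quoted W32.Erkez.A@mm description lists (the `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Hazafi` configuration key and a Run value pointing at an eight-character .exe in %System%), run over saved `reg query` text. The sample output, the allowlist and the function names are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Configuration key named in the quoted write-up.
CONFIG_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Hazafi"
SYSTEM_DIRS = {"system32", "system", "%system%"}  # assumed forms of %System%
VALUE_RE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

# Constructed `reg query` output for the Run key (not real data).
SAMPLE_RUN = r"""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SoundMan    REG_SZ    SOUNDMAN.EXE
    vptray    REG_SZ    C:\Program Files\AV\vptray.exe
    ctfmon    REG_SZ    "C:\WINDOWS\system32\ctfmon.exe" /startup
    helper    REG_SZ    C:\WINDOWS\system32\rundll32.exe shell32.dll,Control_RunDLL
    kqzjwhtm    REG_SZ    C:\WINDOWS\system32\xbvdqgpl.exe
"""
# Constructed subkey listing under HKLM\SOFTWARE\Microsoft (not real data).
SAMPLE_KEYS = r"""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Hazafi
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
"""

def exe_path(data):
    """Pull the executable path out of a Run value, dropping quotes and arguments."""
    data = data.strip()
    m = re.match(r'"([^"]+)"', data) or re.match(r"(.+?\.exe)\b", data, re.I)
    return PureWindowsPath(m.group(1)) if m else None

def suspicious_run_entries(reg_text, allow=frozenset()):
    """Return (value name, path) for eight-character .exe files in %System%."""
    hits = []
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line)
        path = exe_path(m["data"]) if m else None
        if path is None or path.name.lower() in allow:
            continue
        in_system = path.parent.name.lower() in SYSTEM_DIRS
        if in_system and path.suffix.lower() == ".exe" and len(path.stem) == 8:
            hits.append((m["name"], str(path)))
    return hits

def has_config_key(reg_text):
    """True if the worm's configuration key appears in a key listing."""
    return any(l.strip().lower() == CONFIG_KEY.lower() for l in reg_text.splitlines())

if __name__ == "__main__":
    # rundll32.exe is also eight characters, so allowlist known system binaries.
    print(suspicious_run_entries(SAMPLE_RUN, allow={"rundll32.exe"}))
    print(has_config_key(SAMPLE_KEYS))
```

A hit is a lead to examine, not a verdict: the name-length pattern also matches legitimate binaries, which is why the allowlist exists.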
 Post subject: Re: Halnak.exe
PostPosted: Mon Jun 27, 2005 5:27 AM 

I located that virus also, Tynk, from SARC.

Unfortunately it's just referenced in the Hungarian text that is sent via the e-mail containing the bug.

I sent the information I have gathered to SARC. Hopefully they can shed some light on this daemon.

I suggest everyone download pview (process viewer) and check your running tasks to see if this daemon is running on your system. Just out of curiosity at least.

Tarot: I found the word Halnak from an online Hungarian translated Bible. Each time the word "Fish" was used in English, the Hungarian side pointed to "Halnak". I have no actual proof of Halnak meaning Fish other than what I concluded from this translated Bible. I could be wrong.

Another thing that led me to think it's Hungarian was after doing a Google search for just the word Halnak, it came back with sites using the .hu root.

Edited by: Kunathar2002 at: 6/27/05 7:34 am


 Post subject: Re: Halnak.exe
PostPosted: Mon Jun 27, 2005 6:37 AM 

I saw the word also on Hungarian sites, but couldn't find a dictionary reference for it. So it may be a specific word you wouldn't normally see in a dictionary. Usually English to whatever language dictionaries have pretty limited vocabulary, mostly for 'common use' words.

Don't have it in my task manager though, fortunately. Hope you hear soon wtf it is. (And hope it's nothing too shitty)

Keep my head from exploding?... You can help!

