Just wanted to give some info on this bug.
I found it while browsing around my XP sys32 folder.
It started off as 2 files, ddaya.dll and ddaya.exe. Neither file is recognised by any virus software. I ran Kaspersky, AVG, Avast and Symantec. Not a one found it; none of the spyware software worked either.
Did a little searching and found out that ddaya is a trojan dropper. But it is polymorphic.
HijackThis worked for just 1 boot. After that, it corrupted the HJT files. Tried to reinstall HJT but it just wouldn't work after the first report. Process Monitor worked but then its log files became encrypted. From what I gathered it was a keylogger and history reporter. At this point it was intrusive but not destructive, and it embedded code into smss.exe.
The fun started when I tried to delete the files in safe mode. They deleted until the next boot. Then they were back but with buddies. ddaya.dll and ddaya.exe had been joined by ayadd.dll and ayadd.exe. I also had two instances of smss.exe running and two instances of msconfig.exe. I then boot to a command prompt, delete each file and replace the real smss.exe with a fresh file from the XP disc. Everything seems good, till the next boot.
Now they are all back and even more friends.
All the files above were copied from the sys32 folder to other Windows folders, like the help folder, pchealth folder, system, web, temp, resources and inf. I also now had extra copies of infected svchost files starting to pop up, and 15 instances of svchost processes and smss processes. I also had some extra winlogon.exe's running.
So now I call the big guns and get to talk to the techs at avast.
They are aware of the bug, but at this time there is nothing that can be done to get rid of it. It's been around since June and he called it a mutating polymorphic spiraling trojan. It can come into your system embedded in a picture, a web page, and just about anything else that it can embed itself into. It's also been found on Linux and Apple systems. So this one is not picky.
So the guys went thru all the details of its personality and code and behaviors. Long story short, it can't be gotten rid of at this point. It can be detected, but that starts an entire chain of events that are worse. So that's why no software will detect it.
Then they tell me that one person reported being able to delete all the files and recover by installing the drive as a slave on another system and going in and deleting all the infected files and replacing many of the windows files with fresh copies from a backup cd.
So I remove the drive and 5 hours later after deleting and reinstalling tons of files, I reinstall the drive into my system and everything seems cool.
Till the next boot!
It takes 45 minutes to load Windows and the Windows folder has grown by a factor of 3. It's now over 9 GB in size. I had 102 processes running: countless svchost.exe, smss.exe, winlogon.exe, firefox.exe, alg.exe, sytem.exe, lsass.exe, explorer.exe, msconfig.exe and more.
So now I know it's a futile attempt, but I just want to see if any antivirus software can find it. So I boot into safe mode and have at it. NO VIRUS, WORMS OR TROJANS DETECTED. So just out of curiosity I boot into a command prompt and replace the entire Windows system folder, system32 and pchealth folder with copies I made earlier. They were most likely infected, but nowhere near what it was now. Reboot.
Seemed a little slow but it came up and worked. Then it rebooted itself.
This time it took over 2 hours to come up, and when it did, the Windows folder had grown to 21 GB. Then it rebooted itself again. So I go to bed.
Next morning it still hasn't come up, but it's trying. Finally, after almost 6 hours, it loads. 276 processes and 100% memory and CPU usage. Then it reboots again.
This time an "Out of memory" error appears on the load screen after a couple of hours.
So I pull the drive and install it on another system to look at the drive's contents.
131 GB Windows folder, and almost every other file on the system had been doubled and tripled.
So I reformatted the drive! along with all the other drives in the house.
Now it's all gone.
So if you get curious and go looking and find something, realize what can happen.
If you do have it or any variant of ddaya, which could be ayadd, dayad, yyayd, etc. etc. etc., realize that you are being monitored. So don't do anything important.
Make backups of anything important and set aside till a resolution is found, don't use when you fix the OS because it will most likely just get infected again.
The entire hard drive has to be erased and reformatted, this includes all partitions and boot sectors.
But on the other hand, if you just leave it alone, it will watch you and spread to other systems, but the monitoring of your activities goes off into never-never land. There's nowhere for it to be sent. Home is gone, so the packet just floats in cyberspace trying to get home.
Like the guy from Avast said, "This was probably made by a 6 year old hacker, just for the fun of it."
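The symptoms described in the post (two smss.exe instances, svchost and smss copies turning up in Help, pchealth, temp and inf, files named ddaya, ayadd or dayad) are the kind of thing a small triage script can flag before anything is deleted. The Python below is an added example, not code from the post or from any vendor mentioned in it: it takes a process listing and a file listing (constructed samples here, not real data) and reports extra instances of single-instance system processes, core binaries running or stored outside system32, and files whose name is a permutation of "ddaya". The instance limits, the single-session assumption for winlogon.exe, and the directories treated as legitimate spare-copy locations are assumptions.

```python
import ntpath
from collections import Counter

# Core processes a healthy XP box runs from %SystemRoot%\system32 only, with the
# instance count expected. Assumption: one logon session, so one winlogon.exe.
SINGLE_INSTANCE = {"smss.exe": 1, "lsass.exe": 1, "services.exe": 1, "winlogon.exe": 1}
CORE = set(SINGLE_INSTANCE) | {"svchost.exe"}
SYSTEM32 = r"c:\windows\system32"
LEGIT_COPY_DIRS = (r"\system32\dllcache", r"\servicepackfiles\i386")  # legit spare copies
# Names from the post; any other permutation of the letters in "ddaya" is flagged too.
DROPPER_NAMES = {"ddaya", "ayadd", "dayad", "yyayd"}
DROPPER_LETTERS = Counter("ddaya")

def is_dropper_name(filename):
    stem = ntpath.splitext(ntpath.basename(filename))[0].lower()
    return stem in DROPPER_NAMES or Counter(stem) == DROPPER_LETTERS

def triage_processes(procs):
    """procs: (name, pid, image_path) tuples from a process listing."""
    findings = []
    counts = Counter(name.lower() for name, _, _ in procs)
    for name, limit in SINGLE_INSTANCE.items():
        if counts[name] > limit:  # e.g. the post's two smss.exe instances
            findings.append(f"{counts[name]} x {name} running (expected {limit})")
    for name, pid, path in procs:
        if name.lower() in CORE and ntpath.dirname(path).lower() != SYSTEM32:
            findings.append(f"{name} pid {pid} started from {path}")
        if is_dropper_name(name):
            findings.append(f"{name} pid {pid} matches dropper naming pattern")
    return findings

def triage_files(paths):
    """paths: files listed from the (ideally offline) Windows folder."""
    findings = []
    for p in paths:
        name, parent = ntpath.basename(p).lower(), ntpath.dirname(p).lower()
        if is_dropper_name(name):
            findings.append(f"dropper-named file: {p}")
        elif name in CORE and parent != SYSTEM32 and not parent.endswith(LEGIT_COPY_DIRS):
            findings.append(f"copy of {name} outside system32: {p}")
    return findings

# Constructed sample mirroring the post's symptoms (not real data).
SAMPLE_PROCS = [("smss.exe", 4, r"C:\WINDOWS\system32\smss.exe"),
                ("smss.exe", 1188, r"C:\WINDOWS\pchealth\smss.exe"),
                ("winlogon.exe", 620, r"C:\WINDOWS\system32\winlogon.exe"),
                ("svchost.exe", 1432, r"C:\WINDOWS\Help\svchost.exe"),
                ("ayadd.exe", 1500, r"C:\WINDOWS\system32\ayadd.exe")]
SAMPLE_FILES = [r"C:\WINDOWS\system32\ddaya.dll", r"C:\WINDOWS\inf\dayad.exe",
                r"C:\WINDOWS\system32\dllcache\svchost.exe", r"C:\WINDOWS\temp\smss.exe"]
```

Run the triage against a drive mounted as a slave in a clean machine, as the post describes, so the listing is not produced by the infected OS itself.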