Ramnit.A Virus

Wednesday, 18. August 2010 16:06

Wow it has been quite a while since I last posted and life/work/etc… have been crazy. But I wanted to post about a new infection we’re really starting to see take off in the forums.

W32/Ramnit.A – aka Packed.Win32.Krap by Kaspersky or W32/Infector by Avira and others

Analysis

Virus Total Results

ThreatExpert Analysis

The good news (and I don’t have much of that here) is that it is relatively easy to spot this infection using simple tools.

From a HijackThis log:

F2 – REG:system.ini: UserInit=c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe
Note that the trailing part, ,,c:\program files\microsoft\desktoplayer.exe, is appended to the legitimate UserInit value (which normally ends after userinit.exe and a single comma).

O4 – HKCU\..\Run: [{223B6D2D-679B-65F9-E93A-D4F20B56A562}] “C:\Documents and Settings\Administrator\Application Data\Puzyr\umluy.exe”
The file name and folder, along with the CLSID, are randomly named and will help to start this infection up every time the computer is rebooted.

This Malware has been referred to as a “cocktail” infection. There are 3 main components:

Backdoor Trojan: This allows the attacker to have complete control of your system to do with it what they wish.
Rootkit: This component, while not malicious in itself, allows the attacker to hide the presence of Malware and the attacker's activity.
File Infector: The viral piece of the infection that infects Windows system files such as executables and dll files. Very similar to other infections of this type such as Virut and Sality.

While most times the first 2 components can be identified and removed, the third is very difficult to clean and most experts recommend a complete rebuild of the OS.

Removal

I will give my standard warning and disclaimer here that this information should not be used for removal instructions and is only intended as part of the analysis and testing for informational purposes. Because each infection can differ and the fact that this one allows the remote attackers to install and run pretty much anything they want, infections will vary from system to system and each case should be treated on an individual basis by an expert. As of this writing I have not had complete success in cleaning this and have not seen one cleaned successfully in the forums. The standard advice given with this infection is a complete reformat and re-install of the operating system. Care should be taken when doing this and the following should be observed:

  1. You should only back up your data such as pictures, music, documents, etc… Do not back up any system files or installers as they may be infected.
  2. All drives and partitions (including flash drives) should be cleaned. This infection can spread very easily so if backup or other drives are infected, when reconnected they will start the whole process over again. I won’t post the link to protect the guilty, but I saw one thread where the user had to re-install Windows 3 times because they did not follow these instructions.

The sample tested here dropped the infamous TDL3 Rootkit. While more involved tools such as GMER are usually needed to identify it, the usual telltale signs are Google redirects. One of the most effective and simple-to-use tools for removal is Kaspersky’s TDSSKiller. They have also recently updated the tool so it is now a simple point-and-click GUI tool.

So TDL3 and the redirects are gone, but what about the rest?

Here is where it gets difficult. The O4 run key entry and file are removable using some of the more aggressive tools such as Avenger or AVZ, but the Winlogon/UserInit key and desktoplayer.exe file are locked in and will simply be recreated if you are able to remove them. Combofix also will attempt to delete the file but it just comes right back. At this point I have not been able to find a way to remove them from within the OS (and at this point have not observed a thread in the forums where they have) and my next step in the thought process will be to try a PE boot disk with the OTL plugin. This still leaves us with infected system files that may or may not be able to be repaired using one of the boot disks such as DrWeb, Kaspersky, or Avira. Another option may be to run a repair install over the OS. But as of right now my suggestion to anyone I’m helping is the format and reload approach.

I will update later when I get some time to work with the PE tools.

Update:

Using UBCD along with OTL I was able to clean this up. After clearing out the loading points from the registry and removing the files I ran scans with Avira and Kaspersky live boot disks to clean out the infected system and program files. Any .htm or .html files cannot be cleaned and need to be deleted.

You cannot reboot into the live OS after just cleaning with OTL as the infection will just come back. While cleaning this from a PE or boot disk is possible you may need to re-install some programs and it would still be hard to really trust the integrity of the system. Best advice is still to wipe it clean in my opinion.

I have also seen a few threads in the forums where users were successful by stopping all iexplore.exe (infected) processes and cleaning out the loading points quickly before it comes back. If you’re quick enough you can do this, but you are still stuck with a whole bunch of infected system and program files. In my case HijackThis.exe had become infected so when I relaunched it to check things it reloaded the infection. Fun stuff indeed…

Category:Analysis | Comment (0)

The Appropriately Named Winlock Trojan

Monday, 28. June 2010 15:59

The dropper sample analyzed here was picked up from a colleague in the forums. It’s identified as Trojan Winlock, Calelk.C, and other various names. It has also been known to partner up with the TDSS rootkit, although this sample did not drop that component of the infection.

Analysis

On the date of analysis less than half of the scanners at VT identified this sample as Malware, but I’m sure this will improve as time passes and the engines play catch up in the never ending game of cat and mouse.

Virus Total Results

Neither ThreatExpert nor the Norman Sandbox picked up any malicious activity on this sample.

True dynamic analysis was impossible to do with my preferred tools (Regshot, InstallWatch, ProcessExplorer) because immediately after execution of the sample the entire system was locked and displayed the following screen.

Nothing would work, other than clicking on the link which would open up a porn page in IE. No program would run, Task Manager would not run, and the system had to be physically shut off. Safe Mode unfortunately proved to give the same results, making this pretty much impossible to remove when the OS is loaded. We see where they got the name Winlock for this one.

I cannot decipher what most of the message in the window is saying, but there does appear to be a phone number to contact the hacker and get your PC unlocked, for a small price I’m sure. So the goal of this infection is to “kidnap” your computer and demand a ransom. Obviously it is not advised to make any contact with them or give them any money.

Removal and Recovery

With this infection we need to resort to some type of boot CD which will allow us to work from outside the operating system. There are several of these Windows based PE disks such as BartPE and UBCD4 for Windows. I would also suppose you could use a Linux based disk to copy/backup files to another disk, or run some Anti-Malware tools to try and clean it. My favorite tool for this type of work is a tool designed by one of the developers in the Anti-Malware forums, OldTimer. It’s based on the Reatogo PE disk and includes OldTimer’s OTL (formerly OTListIt), which is similar to HijackThis but provides a much more thorough system analysis. Although there are some questions around the legality of downloading and preparing such a disk and potential copyright infringements, this tool can be easily made by users with some simple instructions from a forum helper and with a little guidance can aid in the removal of the infection. My feeling is that if the user has a legal copy of Windows, then why can’t they create a disk to aid in repairing it?

Now with that out of the way, we can load the PE environment onto the infected PC and run OTL. Here we can see how this infection loads right when the PC starts. The following registry entry is created:

O20 - HKLM Winlogon: UserInit - (C:\DOCUME~1\Dave\LOCALS~1\Temp\bldjad.exe)

Which equates to this in our registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit=C:\WINDOWS\system32\userinit.exe,
C:\Documents and Settings\Dave\Local Settings\Temp\bldjad.exe

The second path, C:\Documents and Settings\Dave\Local Settings\Temp\bldjad.exe (our Malware), is loaded along with the legitimate userinit value. Userinit.exe is used on boot-up to manage the different start-up sequences needed, such as establishing the network connection and starting up the Windows shell.
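Both the Ramnit post above (HijackThis F2 line) and this Winlock entry (OTL O20 line and the raw Winlogon value) come down to the same check: the legitimate Userinit data is exactly one entry, the system32 userinit.exe, followed by a trailing comma, so any other comma-separated element is a hijack candidate. The script below is an added example written for this page, not code from the original posts or from HijackThis/OTL; the function names and the log-line regexes are my own, and the sample values are constructed from the two registry lines quoted on this page.

```python
"""Audit the Winlogon Userinit value for appended entries.

Added example (not from the original posts). Parses either the raw
registry data or a HijackThis F2 / OTL O20 log line and reports every
comma-separated entry that is not the legitimate system32\\userinit.exe.
"""
import re
from typing import List, Optional

# Only the real userinit.exe under <drive>:\Windows\system32 is accepted as
# legitimate; a bare "userinit.exe" or any other path is reported for review.
LEGIT_USERINIT = re.compile(r"^[a-z]:\\windows\\system32\\userinit\.exe$", re.IGNORECASE)

# HijackThis:  "F2 - REG:system.ini: UserInit=<data>"
HJT_F2 = re.compile(r"F2\s*[-\u2013]\s*REG:system\.ini:\s*UserInit=(.*)$", re.IGNORECASE)
# OTL:         "O20 - HKLM Winlogon: UserInit - (<path>)"  (OTL shows only the
# non-default entry, so the captured text is the suspect path itself)
OTL_O20 = re.compile(r"O20\s*[-\u2013]\s*HKLM Winlogon:\s*UserInit\s*[-\u2013]\s*\((.*)\)\s*$", re.IGNORECASE)


def split_userinit(data: str) -> List[str]:
    """Split the comma-separated Userinit data.

    Empty elements are dropped (the Ramnit value uses a double comma, and a
    clean value ends with a trailing comma); surrounding quotes/spaces are removed.
    """
    return [p.strip().strip('"') for p in data.split(",") if p.strip().strip('"')]


def suspicious_userinit_entries(data: str) -> List[str]:
    """Return every entry that is not the legitimate userinit.exe."""
    return [p for p in split_userinit(data) if not LEGIT_USERINIT.match(p)]


def extract_userinit_from_log_line(line: str) -> Optional[str]:
    """Pull the Userinit data out of a HijackThis F2 or OTL O20 line, else None."""
    for pattern in (HJT_F2, OTL_O20):
        m = pattern.search(line)
        if m:
            return m.group(1).strip()
    return None


if __name__ == "__main__":
    # Constructed sample lines, taken from the values quoted in the posts.
    samples = [
        r"F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe",
        r"O20 - HKLM Winlogon: UserInit - (C:\DOCUME~1\Dave\LOCALS~1\Temp\bldjad.exe)",
        r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,",
    ]
    for sample in samples:
        data = extract_userinit_from_log_line(sample)
        print(sample)
        print("  suspicious:", suspicious_userinit_entries(data) if data else "(unparsed line)")
```

The double-comma case matters in practice: a naive check that looks only at the second element would see an empty string for the Ramnit value and miss desktoplayer.exe entirely.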

The following file, created in the temp directory, should also be deleted:

C:\Documents and Settings\Dave\Local Settings\Temp\bldjad.exe

Summary

Variations of this Malware have been around for a few years now. It is mainly seen in Russia as described in this article. Do not give the attackers any information, money, or even try to call/SMS them. As I end with most every article, seek help in one of the ASAP approved forums, or if you’re not comfortable with these types of issues bring it to a shop so they can at least recover your data before wiping the OS clean. Note that most shops will wipe the OS clean rather than trying to clean the PC, whereas in the forums we will typically do our best to clean it, within reason.

Category:Analysis | Comments (1)

The Persistent Security Tool Malware Rogue

Friday, 14. May 2010 12:23

I was recently doing some testing in the VM with several of the various rogues that we are seeing lately. This testing was mainly looking at how Malware modifies proxy settings and such (will be in a later article). One of the rogues that landed was the Security Tool Malware. Most of these rogues are usually pretty simple to remove if you know what you’re doing and use the right tools. The removal method detailed by Grinler at BleepingComputer using rkill and MalwareBytes will usually do the trick removing the rogues.

This particular variant was very aggressive and diverted my attention away from what I was doing to how can this thing be removed. Basically what happens is the random process that is created by the Malware blocks just about everything from running, including Task Manager.

C:\Documents and Settings\All Users\Application Data\01284924\01284924.exe

This process is started with a run key every time Windows starts. Even using rkill as described in the BC guide was not successful. A command window from rkill would pop up for a quick second and then close, and the Malware would display the following message.

The removal guide says to ignore this warning and keep trying to run the tool. This was not successful in my case. Basically nothing will run, neither Windows tools nor tools like HijackThis, DDS, OTL, etc…, and the desktop has been rendered blank.

Well, after playing around for a while in Normal Mode and getting nowhere, I decided to get back to basics and boot into Safe Mode. This is not anything new and we were trained to do this early on in Malware removal. This made things very simple. The process did not run, so my desktop appeared and I could run any and all tools. I simply used HijackThis to take out the run key, deleted the folder, and rebooted into Normal Mode. This will disable the active part of the Malware, allowing you to run tools like MalwareBytes to finish off the rest.

This is certainly not “earth shattering” news and Malware removal experts I’m sure are saying “no duh, Safe Mode is nothing new!!!”, but getting back to basics can be the way to go with removing Malware sometimes.

Category:Analysis | Comment (0)

Max++ “version 2” Rootkit Analysis

Monday, 22. March 2010 15:54

Although not widespread there is a rootkit that has been going around for the past few months called ZAccess, aka Zeloaces, or aka Max++ (version 2). It is really nothing like “version 1” of Max++ and the mode of operation is quite simple, at least on the surface. I have not seen too many of these very recently as the mebroot/helpassistant rootkit infections seem to be more prevalent right now.

Signs of this infection are very few. The only issue I had was random, occasional re-directs using several different browsers including IE and Firefox. Here is a screenshot of a re-direct when doing a search on “Kaspersky”.

Looks just like a Kaspersky page with the color scheme and layout, but it’s not.

Also, from a GMER scan you will likely see something like the following:

---- Processes - GMER 1.0.15 ----
Library  \\74.117.114.86\max++.x86.dll (*** hidden *** ) @
C:\WINDOWS\system32\lsass.exe [744] 0x35670000
Library  \\74.117.114.86\max++.x86.dll (*** hidden *** ) @
C:\WINDOWS\system32\svchost.exe [996] 0x35670000

Dynamic Analysis:

The Malware infects a single random driver file in the drivers directory:

C:\WINDOWS\system32\drivers

It also creates a hidden configuration file in the following location:

C:\WINDOWS\system32\config

The file will be a randomly named file looking something like this:

dbeenjqi.sav

The configuration file will load all of the original properties of the clean driver file. It will intercept all calls to the driver and return legitimate file property information such as MD5, digital signing, etc… It will even intercept a copy if done within Windows. So identifying the driver file is the real challenge here. WARNING: Do not try to delete or rename the configuration file as you will be blessed with an unbootable system and a lovely BSOD.

Removal:

One way to remedy this is to work “outside” of Windows, using a BartPE, Hirens, or similar boot disk. The recovery console is also an option. Then the driver file can be identified without being masked by the rootkit. I was able to do this by simply copying over all of the driver files to a newly created folder. I could then boot back into Windows and run a sigcheck routine on the newly created folder. This will return the unsigned driver to identify it.
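The reason the driver has to be identified from outside Windows is the behaviour described above: inside the running OS the rootkit answers queries about the infected driver with the clean file's properties, including its MD5, so the live system cannot see the change. A simple way to turn that into a check is to hash the drivers directory once from the running system and once from a boot disk (or from the copy made there) and report any file whose two hashes disagree. The script below is an added example written for this page, not code from the original post or from sigcheck; the function names are mine and the two listings are constructed sample data with made-up hash values.

```python
"""Find a rootkit-masked driver by comparing hashes taken inside and
outside the running OS.

Added example (not from the original post). A hash computed from the live,
infected Windows reflects what the rootkit reports (the clean file), while
a hash of the same file read from a boot-disk environment reflects the real
content on disk; the file that differs is the one to replace.
"""
import hashlib
import os
from typing import Dict, List

# Constructed sample listings in "md5  filename" form, one per line, as an
# md5sum-style tool prints them. The hash values are made up for the example.
INSIDE_MANIFEST = """
# hashed from the running (infected) Windows, system32\\drivers
00000000000000000000000000000001  atapi.sys
00000000000000000000000000000002  disk.sys
00000000000000000000000000000003  ndis.sys
00000000000000000000000000000004  tcpip.sys
"""
OUTSIDE_MANIFEST = """
# hashed from a boot disk (or from the copy of the folder made there)
00000000000000000000000000000001  atapi.sys
00000000000000000000000000000002  disk.sys
0000000000000000000000000000beef  ndis.sys
00000000000000000000000000000004  tcpip.sys
"""


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse 'hexdigest  filename' lines into {filename (lower-cased): hexdigest}."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        entries[name.strip().lower()] = digest.lower()
    return entries


def compare_manifests(inside: Dict[str, str], outside: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every file seen in either listing.

    modified:     present in both, hashes differ (the masked driver)
    only_inside:  reported by the live OS but absent from the offline read
    only_outside: on disk but hidden from the live OS
    consistent:   identical in both views
    """
    report: Dict[str, List[str]] = {"modified": [], "only_inside": [], "only_outside": [], "consistent": []}
    for name in sorted(set(inside) | set(outside)):
        if name not in outside:
            report["only_inside"].append(name)
        elif name not in inside:
            report["only_outside"].append(name)
        elif inside[name] != outside[name]:
            report["modified"].append(name)
        else:
            report["consistent"].append(name)
    return report


def hash_directory(path: str) -> Dict[str, str]:
    """Build a manifest for a real directory: run once from the live OS and
    once from the boot-disk environment, then feed both to compare_manifests.
    MD5 is used only as a change detector against our own second read."""
    entries: Dict[str, str] = {}
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            h = hashlib.md5()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            entries[name.lower()] = h.hexdigest()
    return entries


def format_manifest(entries: Dict[str, str]) -> str:
    """Render a manifest in the same 'hexdigest  filename' form parse_manifest reads."""
    return "\n".join(f"{digest}  {name}" for name, digest in sorted(entries.items()))


if __name__ == "__main__":
    report = compare_manifests(parse_manifest(INSIDE_MANIFEST), parse_manifest(OUTSIDE_MANIFEST))
    for category, names in report.items():
        if names:
            print(f"{category}: {', '.join(names)}")
```

This complements the sigcheck approach from the post rather than replacing it: sigcheck tells you which copied driver is unsigned, while the two-view hash comparison also catches the case where the live system and the offline read disagree about a file that happens to carry no signature to begin with.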

Replace the driver file with a clean copy, delete the configuration file, and you should be all set. Malware often comes along with other “friends”, though, and there may well be more, so a full system scan with an updated Antivirus/AntiMalware would be in order. There have also been some nice tools developed by some of the incredible forum volunteers to help deal with this. If you are not experienced in dealing with these types of issues I would suggest you head over to one of the ASAP approved forums to get expert help.

Category:Analysis | Comment (0)

The Zimuse Worm ~ A Hard Drive Killer

Wednesday, 3. February 2010 21:49

This one has been big in the news as of late and I received a few samples to play with. I have not seen any cases in the forums yet but I’m wondering if it’s because of the fact there are almost no indications of it running. This could be unfortunate because if it goes undetected for either 20 or 40 days, depending on the variant, it will overwrite the Master Boot Record on the system and render it unbootable.

The sample tested here is masked as an IQ Test. Since it is a worm it will spread via the usual ways such as removable drives and has also been reported embedded in legitimate websites as a self extracting download. Originally it has been reported that the Malware was developed as a prank against a small community of bikers in Slovakia, but this Malware has spread into the wild and the US has reported the highest incident rate.

The sample tested here has a pretty solid detection rate.

Virus Total IQTest.exe sample results

Analysis

As stated earlier the Malware pretends to be an IQ Test. Upon execution of the sample the entire monitor screen will go black with what I assume is a Slovakian IQ Test?

A full reboot is necessary to fully launch the Malware.

System Analysis

The following files and folders are created:

C:\Program Files\Dump
C:\Program Files\Dump\Dump.exe
C:\WINDOWS\system32\ainf.inf
C:\WINDOWS\system32\mseus.exe
C:\WINDOWS\system32\tokset.dll
C:\WINDOWS\system32\drivers\Mseu.sys
C:\WINDOWS\system32\drivers\Mstart.sys

The following registry modifications are made:

Registry Keys created:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSTART
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSTART\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSTART\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mseu
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSTART
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSTART\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSTART\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UnzipService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSTART
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSTART\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSTART\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mseu
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSTART
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSTART\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSTART\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UnzipService

Registry Values created:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Dump = "%ProgramFiles%\Dump\Dump.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSTART\0000\Control]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSTART\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSTART]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mseu]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSTART\Enum]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSTART\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSTART]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UnzipService]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSTART\0000\Control]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSTART\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSTART]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mseu]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSTART\Enum]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSTART\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSTART]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UnzipService]

Symptoms of infection are essentially non-existent. No system slow down, re-directs, pop-ups, or any of the other usual indicators. The only indication is you will see the Mseus.exe process running in Windows Task Manager. So you say, what’s the problem? Well, the payload will hit in a matter of days (or weeks). Depending on the variant you will get a system message either after 20 or 40 days.

I was able to trigger this message by setting the clock ahead by 21 days. Clicking OK restarts the computer and on the next boot…

Ouch!!! An overwritten Master Boot Record causes this message, and an unbootable PC.

Removal

I tried 2 tools that are “advertised” to remove this infection.

Bitdefender removal tool

Eset Zimuse remover

Neither tool was successful. The Bitdefender tool simply stalled the system and did nothing after several hours of running. The Eset tool ran but did not remove the infection.

I was able to remove it “manually” using specialized tools, but MalwareBytes Anti-Malware was able to remove most of it and disabled the active part of the infection, allowing the Bitdefender tool to run and finish the cleanup (which could also have been done manually). Like I usually advise, you should visit one of the free forums and get expert help to make sure you’re all clean.

As opposed to the early days of script kiddies writing prank viruses, most infections these days have some motive for their operation, usually profit. This one brings us back to those days in some ways as I see no motive (other than a “prank”) for its existence.

Category:Analysis | Comment (0)
