Back with a BANG!

Monday, 6. August 2012 23:06 | Author:

Okay…2 years since a meaningful post. Not going to cut it and I’m sorry to anyone who may be looking for updates here. But as the title says I am back with a bang here as this one is pretty nasty.

We’re going to take a look at the latest ZeroAccess/Sirefef which has been seen in the wild as of late.

Virus Total Results for dropper

By the time I tested this it had been out for some time, so most of the scanners are picking it up. One notable miss is Symantec, which is interesting.

This new variant behaves and infects systems quite differently from the past. I had reviewed Max++/ZeroAccess over 2 years ago here, and this is really nothing like that.

While the methods have changed it still has the same basic intentions. Redirect google searches to ad sites. Also considering the rootkit and backdoor capabilities here, it’s quite likely that this will capture any personal information such as passwords, account numbers, and other sensitive data. If you find yourself infected with this it is very wise to call your banks and credit card companies.

—-

Testing here was done with a Windows 7 (32 bit) virtual machine. This infection will also run on 64 bit machines. So here is what happens when the dropper gets executed.

First off, there are hundreds of registry changes made to disable the Windows Firewall, Updates, Security Center, Windows Defender, etc…

Next, after deleting itself it drops several files and patches the Windows services.exe file.

C:\Windows\System32\services.exe patched
Virus Total Result

C:\Users\David\AppData\Local\{053988b8-e6f7-c759-7b46-4eaa8e2bc4dc}\@
Virus Total Result

C:\Users\David\AppData\Local\{053988b8-e6f7-c759-7b46-4eaa8e2bc4dc}\n
Virus Total Result

C:\Windows\Installer\{053988b8-e6f7-c759-7b46-4eaa8e2bc4dc}\@
Virus Total Result

C:\Windows\Installer\{053988b8-e6f7-c759-7b46-4eaa8e2bc4dc}\n
Virus Total Result

C:\Windows\Installer\{053988b8-e6f7-c759-7b46-4eaa8e2bc4dc}\U\00000001.@
Virus Total Result

C:\Windows\Installer\{053988b8-e6f7-c759-7b46-4eaa8e2bc4dc}\U\80000000.@
Virus Total Result

C:\Windows\Installer\{053988b8-e6f7-c759-7b46-4eaa8e2bc4dc}\U\800000cb.@
Virus Total Result
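As an added example (not part of the original post), here is a small Python scan for the folder layout listed above: a GUID-named folder holding the @ and n files, plus the eight-hex-digit .@ files in its U subfolder. The GUID and file names are the ones from the list; the decoy folder and the constructed tree of empty files are made up so the scan runs offline.

```python
import os
import re
import tempfile

# Folder name seen in the analysis: a GUID in braces, e.g. {053988b8-e6f7-c759-7b46-4eaa8e2bc4dc}
GUID_DIR = re.compile(r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)
# Files inside the U subfolder: eight hex digits plus the "@" extension, e.g. 80000000.@
U_FILE = re.compile(r"^[0-9a-f]{8}\.@$", re.I)

def find_zeroaccess_dirs(root):
    """Return GUID-named folders under root holding both the '@' and 'n' files.
    Each hit is (folder_path, sorted list of matching files in its U subfolder)."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if not GUID_DIR.match(os.path.basename(dirpath)):
            continue
        if "@" in filenames and "n" in filenames:
            u_dir = os.path.join(dirpath, "U")
            u_files = []
            if os.path.isdir(u_dir):
                u_files = sorted(f for f in os.listdir(u_dir) if U_FILE.match(f))
            hits.append((dirpath, u_files))
    return hits

def build_sample_tree(base):
    """Constructed stand-in for the layout in the post (empty files, not real
    samples): the AppData copy, the Installer copy with its U folder, and a
    decoy GUID folder (made up) that has only 'n' and so must not be reported."""
    guid = "{053988b8-e6f7-c759-7b46-4eaa8e2bc4dc}"
    appdata = os.path.join(base, "Users", "David", "AppData", "Local", guid)
    installer = os.path.join(base, "Windows", "Installer", guid)
    decoy = os.path.join(base, "Windows", "Installer", "{11111111-2222-3333-4444-555555555555}")
    os.makedirs(os.path.join(installer, "U"))
    os.makedirs(appdata)
    os.makedirs(decoy)
    for folder in (appdata, installer):
        for name in ("@", "n"):
            open(os.path.join(folder, name), "wb").close()
    for name in ("00000001.@", "80000000.@", "800000cb.@"):
        open(os.path.join(installer, "U", name), "wb").close()
    open(os.path.join(decoy, "n"), "wb").close()

def scan_sample():
    """Build the constructed tree in a temp dir, scan it, and key results by relative path."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {os.path.relpath(path, tmp).replace(os.sep, "/"): files
                for path, files in find_zeroaccess_dirs(tmp)}
```

Point find_zeroaccess_dirs at a real Users or Windows\Installer folder to list candidate folders before deciding what to remove; a folder is reported only when both marker files are present.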

It also phones home to a couple of pretty shady looking ip addresses:

208.91.207.10 promos.fling.com which is located in California.
213.108.252.185 bigfatcounters.com and others located in Russia.

—-

Removal

Like always here, I will give my standard warning and disclaimer that this information should not be used for removal instructions and is only intended as part of the analysis and testing for informational purposes. Because each infection can differ and the fact that this one allows the remote attackers to install and run pretty much anything they want, infections will vary from system to system and each case should be treated on an individual basis by an expert.

There is a BIG CAUTION on the removal here. DO NOT delete the patched services.exe file as upon reboot you will be presented with the Blue Screen of Death.

All of the files located in the {053988b8-e6f7-c759-7b46-4eaa8e2bc4dc} folder can be deleted. The files in appdata will delete without issues, but the ones in the installer folder will not as they are in use. So on those they would need to be deleted on reboot with a tool or using an Antivirus scanner such as Kaspersky AVP.

You will need to replace the services.exe file with a clean version. To do that run the command prompt as administrator. Then type:

sfc /scanfile=c:\windows\system32\services.exe

Then reboot.

Run a full scan with your antivirus program to clean up any leftovers. If your Firewall will still not run then there will be more system damage that will need to be repaired which goes beyond the scope here.

Want an easier way? Well you have it! Download and run HitMan Pro (no, I’m not affiliated with them, it just works). It will clean this up nicely.

It’s good to be back posting here and I am already working on more new material to cover here.


Category:Uncategorized | Comment (0)

Call for help!!!

Sunday, 18. March 2012 19:14 | Author:

As you all can see I have not posted here since 2010 and have very little time to put together posts, though I am going to try and do something new every month from here out. If there is anyone interested in writing articles to post here please let me know. Full credit will obviously be given and if things go well and you would like to help out on the back end of the site here that would be welcome.

To inquire just use the Contact Us button on the right side of your browser and leave your details. You can also email me directly by clicking here.

Regards,
IndiGenus aka Dave


Category:Uncategorized | Comment (0)

Ramnit.A Virus

Wednesday, 18. August 2010 16:06 | Author:

Wow it has been quite a while since I last posted and life/work/etc… have been crazy. But I wanted to post about a new infection we’re really starting to see take off in the forums.

W32/Ramnit.A – aka Packed.Win32.Krap by Kaspersky or W32/Infector by Avira and others

Analysis

Virus Total Results

ThreatExpert Analysis

The good news (and I don’t have much of that here) is that it is relatively easy to spot this infection using simple tools.

From a HijackThis log:

F2 – REG:system.ini: UserInit=c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe
Note that the second path, c:\program files\microsoft\desktoplayer.exe (shown in bold in the original), is appended to the legitimate UserInit key.

O4 – HKCU\..\Run: [{223B6D2D-679B-65F9-E93A-D4F20B56A562}] “C:\Documents and Settings\Administrator\Application Data\Puzyr\umluy.exe”
The file name and folder, along with the CLSID, are randomly named and will help to start this infection up every time the computer is rebooted.

This Malware has been referred to as a “cocktail” infection. There are 3 main components:

Backdoor Trojan: This allows the attacker to have complete control of your system to do with it what they wish.
Rootkit: This component, while not malicious in itself, allows the attacker to hide the presence of Malware and the attacker's activity.
File Infector: The viral piece of the infection that infects Windows system files such as executables and dll files. Very similar to other infections of this type such as Virut and Sality.

While most times the first 2 components can be identified and removed, the third is very difficult to clean and most experts recommend a complete rebuild of the OS.

Removal

I will give my standard warning and disclaimer here that this information should not be used for removal instructions and is only intended as part of the analysis and testing for informational purposes. Because each infection can differ and the fact that this one allows the remote attackers to install and run pretty much anything they want, infections will vary from system to system and each case should be treated on an individual basis by an expert. As of this writing I have not had complete success in cleaning this and have not seen one cleaned successfully in the forums. The standard advice given with this infection is a complete reformat and re-install of the operating system. Care should be taken when doing this and the following should be observed:

  1. You should only back up your data such as pictures, music, documents, etc… Do not back up any system files or installers as they may be infected.
  2. All drives and partitions (including flash drives) should be cleaned. This infection can spread very easily so if backup or other drives are infected, when reconnected they will start the whole process over again. I won’t post the link to protect the guilty, but I saw one thread where the user had to re-install Windows 3 times because they did not follow these instructions.

The sample tested here dropped the infamous TDL3 Rootkit. While more involved tools such as GMER are usually needed to identify it, the usual telltale signs are Google redirects. One of the most effective and simple to use tools for removal is Kaspersky's TDSSKiller. They have also recently updated the tool so it is now a simple point and click GUI tool.

So TDL3 and the redirects are gone, but what about the rest?

Here is where it gets difficult. The O4 run key entry and file are removable using some of the more aggressive tools such as Avenger or AVZ, but the Winlogon/UserInit key and desktoplayer.exe file are locked in and will simply be recreated if you are able to remove them. Combofix will also attempt to delete the file, but it just comes right back. At this point I have not been able to find a way to remove them from within the OS (and have not observed a thread in the forums where anyone has), and my next step in the thought process will be to try a PE boot disk with the OTL plugin. This still leaves us with infected system files that may or may not be repairable using one of the boot disks such as DrWeb, Kaspersky, or Avira. Another option may be to run a repair install over the OS. But as of right now my suggestion to anyone I'm helping is the format and reload approach.

I will update later when I get some time to work with the PE tools.

Update:

Using UBCD along with OTL I was able to clean this up. After clearing out the loading points from the registry and removing the files, I ran scans with Avira and Kaspersky live boot disks to clean out the infected system and program files. Any .htm or .html files cannot be cleaned and need to be deleted.

You cannot reboot into the live OS after just cleaning with OTL as the infection will just come back. While cleaning this from a PE or boot disk is possible you may need to re-install some programs and it would still be hard to really trust the integrity of the system. Best advice is still to wipe it clean in my opinion.

I have also seen a few threads in the forums where users were successful by stopping all iexplore.exe (infected) processes and cleaning out the loading points quickly before it comes back. If you’re quick enough you can do this, but you are still stuck with a whole bunch of infected system and program files. In my case HijackThis.exe had become infected so when I relaunched it to check things it reloaded the infection. Fun stuff indeed…

Category:Analysis | Comments (2)

The Appropriately Named Winlock Trojan

Monday, 28. June 2010 15:59 | Author:

The dropper sample analyzed here was picked up from a colleague in the forums. It’s identified as Trojan Winlock, Calelk.C, and other various names. It has also been known to partner up with the TDSS rootkit, although this sample did not drop that component of the infection.

Analysis

On the date of analysis less than half of the scanners at VT identified this sample as Malware, but I’m sure this will improve as time passes and the engines play catch up in the never ending game of cat and mouse.

Virus Total Results

Neither ThreatExpert nor the Norman Sandbox picked up any malicious activity on this sample.

True dynamic analysis was impossible to do with my preferred tools (Regshot, InstallWatch, ProcessExplorer) because immediately after execution of the sample the entire system was locked and displayed the following screen.

Nothing would work, other than clicking on the link which would open up a porn page in IE. No program would run, Task Manager would not run, and the system had to be physically shut off. Safe Mode unfortunately proved to give the same results, making this pretty much impossible to remove when the OS is loaded. We see where they got the name Winlock for this one.

I cannot decipher what most of the message in the window is saying, but there does appear to be a phone number to contact the hacker and get your PC unlocked, for a small price I’m sure. So the goal of this infection is to “kidnap” your computer and demand a ransom. Obviously it is not advised to make any contact with them or give them any money.

Removal and Recovery

With this infection we need to resort to some type of boot CD which will allow us to work from outside the operating system. There are several of these Windows based PE disks such as BartPE and UBCD4 for Windows. I would also suppose you could use a Linux based disk to copy/backup files to another disk, or run some Anti-Malware tools to try and clean it. My favorite tool for this type of work is a tool designed by one of the developers in the Anti-Malware forums, OldTimer. It's based on the Reatogo PE disk and includes OldTimer's OTL (formerly OTListIt), which is similar to HijackThis but provides a much more thorough system analysis. Although there are some questions around the legality of downloading and preparing such a disk and potential copyright infringements, this tool can be easily made by users with some simple instructions from a forum helper and with a little guidance can aid in the removal of the infection. My feeling is that if the user has a legal copy of Windows, then why can't they create a disk to aid in repairing it?

Now with that out of the way, we can load the PE environment onto the infected PC and run OTL. Here we can see how this infection loads right when the PC starts. The following registry entry is created:

020-HKLM Winlogon: UserInit-(C:\DOCUME~1\Dave\LOCALS~1\Temp\bldjad.exe)

Which equates to this in our registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit=C:\WINDOWS\system32\userinit.exe,
C:\Documents and Settings\Dave\Local Settings\Temp\bldjad.exe

The second path (shown in red in the original, our Malware) is loaded along with the legitimate userinit value. Userinit.exe is used on boot-up to manage the different start up sequences needed, such as establishing the network connection and starting up the Windows shell.
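Both this Winlock entry and the Ramnit F2 entry in the post above work the same way: an extra program is tacked onto the comma separated Userinit value. As an added example (not code from the original posts), the Python below splits a Userinit value the way Winlogon does and reports anything that is not the legitimate userinit.exe; it assumes a default install on drive C:, and the sample values are constructed from the entries quoted in the two posts.

```python
import ntpath

# Legitimate Userinit value on a default install (the only program Winlogon is
# expected to start from this key); the trailing comma in the real value is normal.
# Assumes the system drive is C: (constructed for this example).
LEGIT_USERINIT = r"c:\windows\system32\userinit.exe"

def parse_userinit(value):
    """Split a Userinit registry value into its program paths.
    Entries are comma separated; empty entries (the ',,' seen with Ramnit)
    and surrounding quotes are dropped."""
    entries = []
    for part in value.split(","):
        part = part.strip().strip('"')
        if part:
            entries.append(part)
    return entries

def extra_userinit_entries(value, legit=LEGIT_USERINIT):
    """Return every program in the Userinit value that is not the legitimate
    userinit.exe, compared case-insensitively with normalised separators."""
    legit = ntpath.normpath(legit).lower()
    return [e for e in parse_userinit(value) if ntpath.normpath(e).lower() != legit]

# Constructed values matching the entries quoted in the Ramnit and Winlock posts
SAMPLES = {
    "clean": r"C:\WINDOWS\system32\userinit.exe,",
    "ramnit": r"c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe",
    "winlock": r"C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Dave\Local Settings\Temp\bldjad.exe",
}

def triage(samples=SAMPLES):
    """Map each sample name to the list of unexpected programs it would launch at logon."""
    return {name: extra_userinit_entries(v) for name, v in samples.items()}
```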

The following file, created in the temp directory, should also be deleted:

C:\Documents and Settings\Dave\Local Settings\Temp\bldjad.exe

Summary

Variations of this Malware have been around for a few years now. It is mainly seen in Russia as described in this article. Do not give the attackers any information, money, or even try to call/SMS them. As I end with most every article, seek help in one of the ASAP approved forums, or if you’re not comfortable with these types of issues bring it to a shop so they can at least recover your data before wiping the OS clean. Note that most shops will wipe the OS clean rather than trying to clean the PC, whereas in the forums we will typically do our best to clean it, within reason.

Category:Analysis | Comments (1)

The Persistent Security Tool Malware Rogue

Friday, 14. May 2010 12:23 | Author:

I was recently doing some testing in the VM with several of the various rogues that we are seeing lately. This testing was mainly looking at how Malware modifies proxy settings and such (will be in a later article). One of the rogues that landed was the Security Tool Malware. Most of these rogues are usually pretty simple to remove if you know what you're doing and use the right tools. The removal method detailed by Grinler at BleepingComputer using rkill and MalwareBytes will usually do the trick removing the rogues.

This particular variant was very aggressive and diverted my attention away from what I was doing to how this thing could be removed. Basically what happens is the random process that is created by the Malware blocks just about everything from running, including Task Manager.

C:\Documents and Settings\All Users\Application Data\01284924\01284924.exe

This process is started with a run key every time Windows starts. Even using rkill as described in the BC guide was not successful. A command window from rkill would pop up for a quick second and then close, and the Malware would display the following message.

The removal guide says to ignore this warning and keep trying to run the tool. This was not successful in my case. Basically nothing will run, neither Windows tools nor tools like HijackThis, DDS, OTL, etc…, and the desktop has been rendered blank.

Well, after playing around for a while in Normal Mode and getting nowhere, I decided to get back to basics and boot into Safe Mode. This is not anything new and we were trained to do this early on in Malware removal. This made things very simple. The process did not run, so my desktop appeared and I could run any and all tools. I simply used HijackThis to take out the run key, deleted the folder, and rebooted into Normal Mode. This will disable the active part of the Malware, allowing you to run tools like MalwareBytes to finish off the rest.

This is certainly not “earth shattering” news and Malware removal experts I’m sure are saying “no duh, Safe Mode is nothing new!!!”, but getting back to basics can be the way to go with removing Malware sometimes.

Category:Analysis | Comment (0)