<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Malware Analysis</title>
	<atom:link href="http://www.malware-analysis.net/?feed=rss2" rel="self" type="application/rss+xml" />
	<link>http://www.malware-analysis.net</link>
	<description>A look at malicious code and its behavior</description>
	<lastBuildDate>Thu, 19 Aug 2010 21:53:31 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>Ramnit.A Virus</title>
		<link>http://www.malware-analysis.net/?p=321</link>
		<comments>http://www.malware-analysis.net/?p=321#comments</comments>
		<pubDate>Wed, 18 Aug 2010 20:06:40 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Analysis]]></category>

		<guid isPermaLink="false">http://www.malware-analysis.net/?p=321</guid>
		<description><![CDATA[Wow it has been quite a while since I last posted and life/work/etc&#8230; have been crazy. But I wanted to post about a new infection we&#8217;re really starting to see take off in the forums. W32/Ramnit.A &#8211; aka Packed.Win32.Krap by Kaspersky or W32/Infector by Avira and others Analysis Virus Total Results ThreatExpert Analysis The good [...]]]></description>
			<content:encoded><![CDATA[<p>Wow it has been quite a while since I last posted and life/work/etc&#8230; have been crazy. But I wanted to post about a new infection we&#8217;re really starting to see take off in the forums.</p>
<p><strong>W32/Ramnit.A</strong> &#8211; aka Packed.Win32.Krap by Kaspersky or W32/Infector by Avira and others</p>
<h2>Analysis</h2>
<p><a href="http://www.virustotal.com/file-scan/report.html?id=9b3e916dc35d28675b6834228d592080281a0e46ac1d6f65915e5d39540c1566-1282078007" target="_blank">Virus Total Results</a></p>
<p><a href="http://www.threatexpert.com/report.aspx?md5=644341da13a7087f7d7f5f64a92db662" target="_blank">ThreatExpert Analysis</a></p>
<p>The good news (and I don&#8217;t have much of that here) is that it is relatively easy to spot this infection using simple tools.</p>
<p>From a HijackThis log:</p>
<p>F2 &#8211; REG:system.ini: UserInit=c:\windows\system32\userinit.exe,,<strong>c:\program files\microsoft\desktoplayer.exe</strong><br />
Note that the text in bold is appended to the legitimate UserInit value; Winlogon launches every entry in that comma-separated list, so the dropped file runs alongside userinit.exe at every logon.</p>
<p>O4 &#8211; HKCU\..\Run: [{223B6D2D-679B-65F9-E93A-D4F20B56A562}] &#8220;C:\Documents and Settings\Administrator\Application Data\Puzyr\umluy.exe&#8221;<br />
The folder and file names, along with the CLSID-style value name, are random and will differ from system to system; this Run entry restarts the infection every time the computer is rebooted.</p>
<p>This Malware has been referred to as a &#8220;cocktail&#8221; infection. There are 3 main components:</p>
<p><span style="text-decoration: underline;">Backdoor Trojan</span>: This gives the attacker complete control of your system, to do with it what they wish.<br />
<span style="text-decoration: underline;">Rootkit:</span> This component does no damage on its own; its job is to hide the presence of the Malware and the attacker&#8217;s activity.<br />
<span style="text-decoration: underline;">File Infector</span>: The viral piece of the infection, which infects Windows system files such as executables and DLLs (and, as noted below, .htm/.html files). Very similar to other infections of this type such as Virut and Sality.</p>
<p>While most times the first 2 components can be identified and removed, the third is very difficult to clean and most experts recommend a complete rebuild of the OS.</p>
<h2>Removal</h2>
<p>I will give my standard warning and disclaimer here that <strong><span style="text-decoration: underline;">this information should not be used for removal instructions</span></strong>; it is intended only as part of the analysis and testing, for informational purposes. Because each infection can differ, and because this one allows the remote attackers to install and run pretty much anything they want, infections will vary from system to system and each case should be treated individually by an expert. As of this writing I have not had complete success in cleaning this and have not seen one cleaned successfully in the forums. The standard advice given with this infection is a complete reformat and re-install of the operating system. Care should be taken when doing this and the following should be observed:</p>
<ol>
<li>You should only back up your data such as pictures, music, documents, etc&#8230; Do not back up any system files or installers as they may be infected.</li>
<li><strong>All</strong> drives and partitions (including flash drives) should be cleaned. This infection can spread very easily so if backup or other drives are infected, when reconnected they will start the whole process over again. I won&#8217;t post the link to protect the guilty, but I saw one thread where the user had to re-install Windows 3 times because they did not follow these instructions.</li>
</ol>
<p>The sample tested here dropped the infamous <a href="http://www.eset.com/resources/white-papers/TDL3-Analysis.pdf" target="_blank">TDL3</a> Rootkit. While more involved tools such as GMER are usually needed to identify it, the usual tell-tale sign is Google search redirects. One of the most effective and simple to use tools for removal is <a href="http://support.kaspersky.com/viruses/solutions?qid=208280684" target="_blank">Kaspersky&#8217;s TDSSKiller</a>. They have also recently updated the tool so it is now a simple point and click GUI tool.</p>
<p><a href="http://www.malware-analysis.net/wp-content/uploads/2010/08/tdsskillerresults.png"><img class="aligncenter size-full wp-image-324" title="tdsskillerresults" src="http://www.malware-analysis.net/wp-content/uploads/2010/08/tdsskillerresults.png" alt="" /></a></p>
<p>So TDL3 and the redirects are gone, but what about the rest?</p>
<p>Here is where it gets difficult. The O4 Run key entry and its file are removable using some of the more aggressive tools such as Avenger or AVZ, but the Winlogon UserInit value and the desktoplayer.exe file are locked in and will simply be recreated if you manage to remove them. Combofix also attempts to delete the file, but it just comes right back. At this point I have not been able to find a way to remove them from within the OS (and have not observed a thread in the forums where anyone has), and my next step will be to try a PE boot disk with the OTL plugin. This still leaves us with infected system files that may or may not be repairable using one of the boot disks such as DrWeb, Kaspersky, or Avira. Another option may be to run a repair install over the OS. But as of right now my suggestion to anyone I&#8217;m helping is the format and reload approach.</p>
<p>I will update later when I get some time to work with the PE tools.</p>
<h2><span style="color: #ff0000;">Update:</span></h2>
<p>Using UBCD4Win along with OTL I was able to clean this up. After clearing out the loading points from the registry and removing the files, I ran scans with the Avira and Kaspersky live boot disks to clean out the infected system and program files. Infected .htm and .html files cannot be cleaned and need to be deleted.</p>
<p>You cannot reboot into the live OS after just cleaning with OTL as the infection will just come back. While cleaning this from a PE or boot disk is possible you may need to re-install some programs and it would still be hard to really trust the integrity of the system. Best advice is still to wipe it clean in my opinion.</p>
<p>I have also seen a few threads in the forums where users were successful by stopping all iexplore.exe (infected) processes and cleaning out the loading points quickly before it comes back. If you&#8217;re quick enough you can do this, but you are still stuck with a whole bunch of infected system and program files. In my case HijackThis.exe had become infected so when I relaunched it to check things it reloaded the infection. Fun stuff indeed&#8230;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.malware-analysis.net/?feed=rss2&amp;p=321</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Appropriately Named Winlock Trojan</title>
		<link>http://www.malware-analysis.net/?p=295</link>
		<comments>http://www.malware-analysis.net/?p=295#comments</comments>
		<pubDate>Mon, 28 Jun 2010 19:59:31 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Analysis]]></category>

		<guid isPermaLink="false">http://www.malware-analysis.net/?p=295</guid>
		<description><![CDATA[The dropper sample analyzed here was picked up from a colleague in the forums. It&#8217;s identified as Trojan Winlock, Calelk.C, and other various names. It has also been known to partner up with the TDSS rootkit, although this sample did not drop that component of the infection. Analysis On the date of analysis less than [...]]]></description>
			<content:encoded><![CDATA[<p>The dropper sample analyzed here was picked up from a colleague in the forums. It&#8217;s identified as Trojan Winlock, Calelk.C, and various other names. It has also been known to partner up with the <a href="http://www.prevx.com/blog/139/Tdss-rootkit-silently-owns-the-net.html" target="_blank">TDSS rootkit</a>, although this sample did not drop that component of the infection.</p>
<h2><span style="text-decoration: underline;">Analysis</span></h2>
<p>On the date of analysis less than half of the scanners at VT identified this sample as Malware, but I&#8217;m sure this will improve as time passes and the engines play catch up in the never ending game of cat and mouse.</p>
<p><a href="http://www.virustotal.com/analisis/3fb245ab1427cb59a359fb2e910a3a8e7e4535114cf61469001d740305e97200-1277483943" target="_blank">Virus Total Results</a></p>
<p>Neither <a href="http://www.threatexpert.com/" target="_blank">ThreatExpert</a> nor the <a href="http://www.norman.com/technology/norman_sandbox/" target="_blank">Norman Sandbox</a> picked up any malicious activity on this sample.</p>
<p>True dynamic analysis was impossible to do with my preferred tools (Regshot, InstallWatch, ProcessExplorer) because immediately after execution of the sample the entire system was locked and displayed the following screen.</p>
<p><a href="../wp-content/uploads/2010/06/mainpic1.png"><img title="mainpic" src="../wp-content/uploads/2010/06/mainpic1.png" alt="" /></a></p>
<p>Nothing would work, other than clicking on the link which would open up a porn page in IE. <strong>No</strong> program would run, Task Manager would not run, and the system had to be physically shut off. Safe Mode unfortunately proved to give the same results, making this pretty much impossible to remove when the OS is loaded. We see where they got the name <em>Winlock</em> for this one.</p>
<p>I cannot decipher what most of the message in the window is saying, but there does appear to be a phone number to contact the hacker and get your PC unlocked, for a <em>small price</em> I&#8217;m sure. So the goal of this infection is to &#8220;kidnap&#8221; your computer and demand a ransom. Obviously it is not advised to make any contact with them or give them any money.</p>
<h2><span style="text-decoration: underline;">Removal and Recovery</span></h2>
<p>With this infection we need to resort to some type of boot CD which will allow us to work from outside the operating system. There are several of these Windows based PE disks such as <a href="http://www.nu2.nu/pebuilder/" target="_blank">BartPE</a> and <a href="http://www.ubcd4win.com/" target="_blank">UBCD4Win</a>. I would also suppose you could use a Linux based disk to copy/backup files to another disk, or run some Anti-Malware tools to try and clean it. My favorite tool for this type of work is one designed by one of the developers in the Anti-Malware forums, OldTimer. It&#8217;s based on the <a href="http://www.reatogo.de/REATOGO.htm" target="_blank">Reatogo PE disk</a> and includes OldTimer&#8217;s OTL (formerly OTListIt), which is similar to HijackThis but provides a much more thorough system analysis. Although there are some questions around the legality of downloading and preparing such a disk (potential copyright infringement), a user can easily build it from some simple instructions from a forum helper, and with a little guidance it can aid in the removal of the infection. My feeling is that if the user has a legal copy of Windows, then why can&#8217;t they create a disk to aid in repairing it?</p>
<p>Now with that out of the way, we can load the PE environment onto the infected PC and run OTL. Here we can see how this infection loads right when the PC starts. The following registry entry is created:</p>
<p>O20-HKLM Winlogon: UserInit-(C:\DOCUME~1\Dave\LOCALS~1\Temp\bldjad.exe)</p>
<p>Which equates to this in our registry:</p>
<p>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon<br />
Userinit=C:\WINDOWS\system32\userinit.exe, <span style="color: #ff0000;"><strong><br />
C:\Documents and Settings\Dave\Local Settings\Temp\bldjad.exe</strong></span></p>
<p>The data in red (our Malware) is loaded along with the legitimate userinit value. Userinit.exe is used on boot-up to manage the different start up sequences needed, such as  establishing network connection and starting up the Windows shell.</p>
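<p>The following is an added example covering both this Userinit entry and the Ramnit loading points (the F2 UserInit line and the O4 Run entry) in the post above; it is not code from the original posts. It takes the raw REG_SZ data of the Userinit value and (name, command) pairs from a Run key, as they would be exported from a live system or an offline hive, and flags anything other than the real userinit.exe or any Run entry with a GUID-style name or a target under a user data or temp folder. The legitimate path, the suspicious-directory list and the %SystemRoot% expansion are assumptions; the sample values are the ones quoted in the two posts, plus one ordinary Run entry as a control.</p>

```python
# Added example, not code from the original posts: check the two loading
# points described for Ramnit and Winlock. Inputs are the raw REG_SZ strings
# (Userinit value data, and Run-key value name/command pairs) as they would
# be exported from a live system or an offline hive.
import re

# Assumption: the only program Userinit should launch on XP/Vista/7, with
# %SystemRoot% taken to be C:\WINDOWS for the offline comparison.
LEGITIMATE_USERINIT = "c:\\windows\\system32\\userinit.exe"

# Assumption: directories from which no legitimate logon program should run.
SUSPICIOUS_DIRS = ("\\application data\\", "\\local settings\\temp\\", "\\temp\\")

# A Run value whose name is a bare GUID, as in the Ramnit O4 line.
GUID_NAME = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def normalize(path):
    """Lower-case, strip quotes/whitespace and expand %SystemRoot% for comparison."""
    path = path.strip().strip('"').strip().lower()
    return path.replace("%systemroot%", "c:\\windows")


def check_userinit(value):
    """Return every program in a Userinit value other than the real userinit.exe.

    Winlogon treats the value as a comma-separated list and launches each entry
    at logon, so anything appended runs with the user's rights every time they
    log in. Empty entries (the ',,' Ramnit leaves) are skipped; an empty result
    means the value is clean.
    """
    extras = []
    for entry in value.split(","):
        entry = normalize(entry)
        if entry and entry != LEGITIMATE_USERINIT:
            extras.append(entry)
    return extras


def suspicious_run_entries(entries):
    """Flag (name, command) pairs from a Run key that look like malware loading points.

    Returns a list of (name, normalized command, reason). A hit needs a
    GUID-style value name, a target under a user data or temp directory, or both.
    """
    hits = []
    for name, command in entries:
        target = normalize(command)
        reasons = []
        if GUID_NAME.match(name.strip()):
            reasons.append("GUID value name")
        if any(d in target for d in SUSPICIOUS_DIRS):
            reasons.append("target in user data/temp directory")
        if reasons:
            hits.append((name, target, "; ".join(reasons)))
    return hits


# Sample data: the Userinit values and the O4 Run entry quoted in the two
# posts, plus one ordinary Run entry (ctfmon) as a control.
RAMNIT_USERINIT = r"c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe"
WINLOCK_USERINIT = r"C:\WINDOWS\system32\userinit.exe, C:\Documents and Settings\Dave\Local Settings\Temp\bldjad.exe"
CLEAN_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"
RUN_ENTRIES = [
    ("{223B6D2D-679B-65F9-E93A-D4F20B56A562}",
     r'"C:\Documents and Settings\Administrator\Application Data\Puzyr\umluy.exe"'),
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
]

if __name__ == "__main__":
    for label, value in (("Ramnit", RAMNIT_USERINIT), ("Winlock", WINLOCK_USERINIT), ("clean", CLEAN_USERINIT)):
        print(f"{label}: Userinit extras = {check_userinit(value) or 'none'}")
    for name, target, why in suspicious_run_entries(RUN_ENTRIES):
        print(f"suspicious Run entry [{name}] {target} ({why})")
```

<p>On a live XP box the Userinit data comes from <code>reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit</code> and the Run entries from the HKLM and HKCU Run keys. A non-empty result from check_userinit means something has been appended; as the Ramnit post notes, removing it from inside the running OS may simply get it recreated, which is why the cleanup is done from a PE disk.</p>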
<p>The following file, created in the temp directory, should also be deleted:</p>
<p>C:\Documents and Settings\Dave\Local Settings\Temp\<span style="color: #ff0000;"><strong>bldjad.exe</strong></span></p>
<h2><span style="text-decoration: underline;">Summary</span></h2>
<p><span style="color: #000000;">Variations of this Malware have been around for a few years now. It is mainly seen in Russia as described in <a href="http://www.spamfighter.com/News-13849-TrojanWinlock-A-Money-Extorting-Malware-Hits-Russian-Computers.htm" target="_blank">this article</a>. Do not give the attackers any information, money, or even try to call/SMS them. As I end with most every article, seek help in one of the ASAP approved forums, or if you&#8217;re not comfortable with these types of issues bring it to a shop so they can at least recover your data before wiping the OS clean. Note that most shops will wipe the OS clean rather than trying to clean the PC, whereas in the forums we will typically do our best to clean it, within reason.</span></p>
]]></content:encoded>
			<wfw:commentRss>http://www.malware-analysis.net/?feed=rss2&amp;p=295</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>The Persistent Security Tool Malware Rogue</title>
		<link>http://www.malware-analysis.net/?p=285</link>
		<comments>http://www.malware-analysis.net/?p=285#comments</comments>
		<pubDate>Fri, 14 May 2010 16:23:23 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Analysis]]></category>

		<guid isPermaLink="false">http://www.malware-analysis.net/?p=285</guid>
		<description><![CDATA[I was recently doing some testing in the VM with several of the various rogues that we are seeing lately. This testing was mainly looking at how Malware modifies proxy settings and such (will be in a later article). One of the rogues that that landed was the Security Tool Malware. Most of these rogues [...]]]></description>
			<content:encoded><![CDATA[<p>I was recently doing some testing in the VM with several of the various rogues that we are seeing lately. This testing was mainly looking at how Malware modifies proxy settings and such (will be in a later article). One of the rogues that landed was the Security Tool Malware. Most of these rogues are pretty simple to remove if you know what you&#8217;re doing and use the right tools. The <a href="http://www.bleepingcomputer.com/virus-removal/remove-security-tool" target="_blank">removal method</a> detailed by <a href="http://www.bleepingcomputer.com/forums/index.php?showuser=3" target="_blank">Grinler</a> at <a href="http://www.bleepingcomputer.com/" target="_blank">BleepingComputer</a> using rkill and MalwareBytes will usually do the trick.</p>
<p>This particular variant was very aggressive and diverted my attention from the proxy testing to the question of how this thing can be removed. Basically, the randomly named process created by the Malware blocks just about everything from running, including Task Manager.</p>
<pre>C:\Documents and Settings\All Users\Application Data\01284924\01284924.exe
</pre>
<p>This process is started by a Run key every time Windows starts. Even using rkill as described in the BC guide was not successful: a command window from rkill would pop up for a split second and then close, giving the following message from the Malware.</p>
<p><a href="http://www.malware-analysis.net/wp-content/uploads/2010/05/rkill.png"><img class="aligncenter size-full wp-image-288" title="rkill" src="http://www.malware-analysis.net/wp-content/uploads/2010/05/rkill.png" alt="" width="413" height="182" /></a></p>
<p>The removal guide says to ignore this warning and keep trying to run the tool. This was not successful in my case. Basically <strong>nothing</strong> will run, neither Windows tools nor tools like HijackThis, DDS, OTL, etc&#8230;, and the desktop has been rendered blank.</p>
<p>Well, after playing around for a while in Normal Mode and getting nowhere, I decided to get back to basics and boot into Safe Mode. This is not anything new and we were trained to do this early on in Malware removal. This made things very simple. The process did not run, so my desktop appeared and I could run any and all tools. I simply used HijackThis to take out the run key, deleted the folder, and rebooted into Normal Mode. This will disable the active part of the Malware, allowing you to run tools like MalwareBytes to finish off the rest.</p>
<p>This is certainly not &#8220;earth shattering&#8221; news and Malware removal experts I&#8217;m sure are saying &#8220;no duh, Safe Mode is nothing new!!!&#8221;, but getting back to basics can be the way to go with removing Malware sometimes.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.malware-analysis.net/?feed=rss2&amp;p=285</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Max++ &#8220;version 2&#8221; Rootkit Analysis</title>
		<link>http://www.malware-analysis.net/?p=236</link>
		<comments>http://www.malware-analysis.net/?p=236#comments</comments>
		<pubDate>Mon, 22 Mar 2010 19:54:15 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Analysis]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[max++]]></category>
		<category><![CDATA[rootkit]]></category>
		<category><![CDATA[ZAccess]]></category>

		<guid isPermaLink="false">http://www.malware-analysis.net/?p=236</guid>
		<description><![CDATA[Although not widespread there is a rootkit that has been going around for the past few months called ZAccess, aka Zeloaces, or aka Max++ (version 2). It is really nothing like &#8220;version 1&#8221; of Max++ and the mode of operation is quite simple, at least on the surface. I have not seen too many of [...]]]></description>
			<content:encoded><![CDATA[<p>Although not <em>widespread</em> there is a rootkit that has been going around for the past few months called ZAccess, aka Zeloaces, or aka Max++ (version 2). It is really nothing like &#8220;version 1&#8221; of Max++ and the mode of operation is quite simple, at least on the surface. I have not seen too many of these very recently as the mebroot/helpassistant rootkit infections seem to be more prevalent right now.</p>
<p>There are few signs of this infection. The only issue I had was random, occasional redirects in several different browsers, including IE and Firefox. Here is a screenshot of a redirect when doing a search on &#8220;Kaspersky&#8221;.</p>
<p><a href="http://www.malware-analysis.net/wp-content/uploads/2010/03/redirect7.png"><img class="aligncenter size-full wp-image-249" title="redirect" src="http://www.malware-analysis.net/wp-content/uploads/2010/03/redirect7.png" alt="" /></a></p>
<p>Looks just like a Kaspersky page with the color scheme and layout, but it&#8217;s not.</p>
<p>Also, from a GMER scan you will likely see something like the following:</p>
<pre>---- Processes - GMER 1.0.15 ----

Library  \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [744] 0x35670000

Library  \\74.117.114.86\max++.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [996] 0x35670000</pre>
<h3><strong><span style="text-decoration: underline;">Dynamic Analysis:</span></strong></h3>
<p>The Malware infects a single random driver file in the drivers directory:</p>
<pre>C:\WINDOWS\system32\drivers</pre>
<p>It also creates a hidden configuration file in the following location:</p>
<pre>C:\WINDOWS\system32\config
</pre>
<p>The file will be a randomly named file looking something like this:</p>
<pre>dbeenjqi.sav
</pre>
<p>The configuration file holds all of the original properties of the clean driver file. The rootkit intercepts all calls to the driver and returns legitimate file property information such as the MD5, digital signature, etc&#8230; It even intercepts a copy made from within Windows, so the copy comes out clean. Identifying the driver file is therefore the real challenge here. <span style="color: #ff0000;"><strong>WARNING:</strong> Do not try to delete or rename the configuration file, as you will be blessed with an unbootable system and a lovely BSOD</span>.</p>
<h3><span style="text-decoration: underline;"><strong>Removal:</strong></span></h3>
<p>One way to remedy this is to work &#8220;outside&#8221; of Windows, using a BartPE, Hirens, or similar boot disk; the Recovery Console is also an option. From there the driver file can be identified without being masked by the rootkit. I was able to do this by simply copying all of the driver files to a newly created folder. I could then boot back into Windows and run <a href="http://technet.microsoft.com/en-us/sysinternals/bb897441.aspx" target="_blank">sigcheck</a> against the new folder, which reports the unsigned driver and so identifies the infected file.</p>
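<p>As an added example (not the post&#8217;s own sigcheck routine, and not code from the original page), here is a cross-view comparison that exploits the behaviour described above: read from inside Windows, the infected driver is served up with the clean file&#8217;s bytes, while a copy taken from a boot disk shows the real bytes. Hashing both trees and diffing them flags the driver whose contents differ and any file that is visible only offline (such as the hidden configuration file). The two sample trees, their file names and the &#8220;patched&#8221; bytes are constructed in a temp directory for the demonstration; on a real case the live map would be built from inside the OS and the offline map from the boot-disk copy.</p>

```python
# Added example, not code from the original post: cross-view hash comparison
# of a system32 snapshot. "live" is hashed from inside the running OS (where
# the rootkit answers reads for its driver with clean bytes and hides its
# config file); "offline" is the copy made from a boot disk.
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map each file under root (relative path, '/'-separated, lower-cased) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/").lower()
            digests[rel] = h.hexdigest()
    return digests


def cross_view_diff(live_view, offline_view):
    """Compare two {relative_path: digest} maps and explain every discrepancy.

    'modified'        both views have the file but the bytes differ
    'hidden'          only the offline copy sees it (hidden from the live OS)
    'missing-offline' only the live view sees it (worth a look, but may just
                      be a file the boot disk could not copy)
    """
    findings = {}
    for path in set(live_view) | set(offline_view):
        if path not in offline_view:
            findings[path] = "missing-offline"
        elif path not in live_view:
            findings[path] = "hidden"
        elif live_view[path] != offline_view[path]:
            findings[path] = "modified"
    return findings


def _write_tree(root, files):
    """Create the constructed sample files ({relative_path: bytes}) under root."""
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)


def build_sample_views():
    """Construct two small system32 snapshots that mimic the Max++ situation (assumed data)."""
    base = tempfile.mkdtemp(prefix="maxpp_")
    live = os.path.join(base, "live")
    offline = os.path.join(base, "offline")
    clean = {
        "drivers/acpi.sys": b"clean acpi driver image",
        "drivers/ndis.sys": b"clean ndis driver image",
        "config/system": b"registry hive",
    }
    # Live view: every read is answered with clean bytes, config file hidden.
    _write_tree(live, clean)
    # Offline copy: the real, patched driver and the rootkit's config file.
    infected = dict(clean)
    infected["drivers/acpi.sys"] = clean["drivers/acpi.sys"] + b" + max++ loader stub"
    infected["config/dbeenjqi.sav"] = b"rootkit configuration"
    _write_tree(offline, infected)
    return live, offline


def find_max_plus_plus(live_dir, offline_dir):
    """Hash both snapshots and return the discrepancy map."""
    return cross_view_diff(hash_tree(live_dir), hash_tree(offline_dir))


if __name__ == "__main__":
    live, offline = build_sample_views()
    for path, why in sorted(find_max_plus_plus(live, offline).items()):
        print(f"{why:16} {path}")
```

<p>The point of hashing the live view from inside the infected OS, rather than trusting it, is that the rootkit&#8217;s own interception produces the discrepancy: the file it lies about is the one whose live hash does not match the offline copy. A driver that is merely unsigned but unmodified will not show up here, which is the complementary weakness to the sigcheck approach.</p>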
<p>Replace the driver file with a clean copy, delete the configuration file, and you should be all set. Although Malware often comes along with other &#8220;friends&#8221;, and there may likely be more. So a full system scan with an updated Antivirus/AntiMalware would be in order. There have also been some nice tools developed by some of the incredible forum volunteers to help deal with this. If you are not experienced in dealing with these types of issues I would suggest you head over to one of the <a href="http://asap.maddoktor2.com/" target="_blank">ASAP approved forums</a> to get expert help.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.malware-analysis.net/?feed=rss2&amp;p=236</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Zimuse Worm ~ A Hard Drive Killer</title>
		<link>http://www.malware-analysis.net/?p=208</link>
		<comments>http://www.malware-analysis.net/?p=208#comments</comments>
		<pubDate>Thu, 04 Feb 2010 01:49:50 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Analysis]]></category>

		<guid isPermaLink="false">http://www.malware-analysis.net/?p=208</guid>
		<description><![CDATA[This one has been big in the news as of late and I received a few samples to play with. I have not seen any cases in the forums yet but I&#8217;m wondering if it&#8217;s because of the fact there are almost no indications of it running. This could be unfortunate because if it goes [...]]]></description>
			<content:encoded><![CDATA[<p>This one has been big in the news as of late and I received a few samples to play with. I have not seen any cases in the forums yet but I&#8217;m wondering if it&#8217;s because of the fact there are almost no indications of it running. This could be unfortunate because if it goes undetected for either 20 or 40 days, depending on the variant, it will overwrite the Master Boot Record on the system and render it un-bootable.</p>
<p>The sample tested here is disguised as an IQ Test. Since it is a worm it spreads via the usual ways such as removable drives, and it has also been reported embedded in legitimate websites as a self-extracting download. It was originally reported that the Malware was developed as a prank against a small community of bikers in Slovakia, but it has spread into the wild and the US has reported the highest incident rate.</p>
<p>The sample tested here has a pretty solid detection rate.</p>
<p><a href="http://www.virustotal.com/analisis/cb2d85e0b3d30eb528a323584d4643a77b96a24493fb561c19a2de8315eba740-1265151336" target="_blank">Virus Total IQTest.exe sample results</a></p>
<h2>Analysis</h2>
<p>As stated earlier the Malware pretends to be an IQ Test. Upon execution of the sample the entire screen goes black with what I assume is a Slovak IQ Test.</p>
<p><a href="http://www.malware-analysis.net/wp-content/uploads/2010/02/firstscreen.png"><img class="aligncenter size-full wp-image-212" title="firstscreen" src="http://www.malware-analysis.net/wp-content/uploads/2010/02/firstscreen.png" alt="" width="627" height="414" /></a></p>
<p>A full reboot is necessary to fully launch the Malware.</p>
<h3><strong>System Analysis</strong></h3>
<p>The following files and folders are created:</p>
<pre>C:\Program Files\Dump                          
C:\Program Files\Dump\Dump.exe
C:\WINDOWS\system32\ainf.inf                 
C:\WINDOWS\system32\mseus.exe                
C:\WINDOWS\system32\tokset.dll         
C:\WINDOWS\system32\drivers\Mseu.sys                
C:\WINDOWS\system32\drivers\Mstart.sys
</pre>
<p>The following registry modifications are made:</p>
<p>Registry Keys created:</p>
<pre>HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSTART
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSTART\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSTART\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mseu
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSTART
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSTART\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSTART\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UnzipService
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSTART
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSTART\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSTART\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mseu
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSTART
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSTART\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSTART\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UnzipService
</pre>
<p>Registry Values created:</p>
<pre>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Dump = "%ProgramFiles%\Dump\Dump.exe"
</pre>
<pre>[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSTART\0000\Control]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSTART\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSTART]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mseu]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSTART\Enum]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSTART\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSTART]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UnzipService]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSTART\0000\Control]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSTART\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSTART]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mseu]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSTART\Enum]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSTART\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSTART]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UnzipService]
</pre>
<p>Symptoms of infection are essentially non-existent. No system slow down, re-directs, pop-ups, or any of the other usual indicators. The only indication is you will see the <em>Mseus.exe </em>process running in Windows Task Manager. So you say, what&#8217;s the problem? Well, the payload will hit in a matter of days (or weeks). Depending on the variant you will get a system message either after 20 or 40 days.</p>
<p><a href="http://www.malware-analysis.net/wp-content/uploads/2010/02/zimusepopup1.png"><img class="aligncenter size-full wp-image-233" title="zimusepopup" src="http://www.malware-analysis.net/wp-content/uploads/2010/02/zimusepopup1.png" alt="" width="605" height="126" /></a></p>
<p>I was able to trigger this message by setting the clock ahead by 21 days. Clicking OK restarts the computer and on the next boot&#8230;</p>
<p><a href="http://www.malware-analysis.net/wp-content/uploads/2010/02/zimusenoos.png"><img class="aligncenter size-full wp-image-228" title="zimusenoos" src="http://www.malware-analysis.net/wp-content/uploads/2010/02/zimusenoos.png" alt="" width="734" height="173" /></a></p>
<p>Ouch!!! An overwritten Master Boot Record causes this message and an unbootable PC.</p>
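<p>Added example, not code from the original post: a sanity check for a 512-byte MBR image, the kind you would read from sector 0 of a disk with a boot disk or keep as a backup while the system is still clean, to tell an intact MBR from one that has been wiped or overwritten. It checks the 55 AA boot signature, that the boot code area is not blank, and that the four partition entries are plausible. The two sample sectors are constructed for the demonstration (the zeroed sector is one possible result of a destructive overwrite, not the actual Zimuse payload bytes).</p>

```python
# Added example, not code from the original post: validate a raw MBR sector.
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR


def parse_partitions(mbr):
    """Return the four 16-byte partition entries (offset 446..509) as dicts."""
    entries = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        entries.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr):
    """Return a list of problems found; an empty list means the MBR looks intact."""
    if len(mbr) != SECTOR:
        return [f"expected {SECTOR} bytes, got {len(mbr)}"]
    problems = []
    if mbr[510:512] != BOOT_SIGNATURE:
        problems.append("boot signature 55 AA missing")
    if not any(mbr[:446]):
        problems.append("boot code area is all zeros")
    parts = parse_partitions(mbr)
    if all(p["type"] == 0 for p in parts):
        problems.append("no partition entries defined")
    for i, p in enumerate(parts):
        if p["status"] not in (0x00, 0x80):
            problems.append(f"partition {i}: invalid status byte 0x{p['status']:02x}")
        if p["type"] != 0 and p["sectors"] == 0:
            problems.append(f"partition {i}: zero length")
    if sum(p["status"] == 0x80 for p in parts) > 1:
        problems.append("more than one active partition")
    return problems


def sample_intact_mbr():
    """Constructed minimal MBR: some boot code and one active NTFS partition."""
    mbr = bytearray(SECTOR)
    mbr[0:3] = b"\x33\xc0\x8e"  # first bytes of a typical boot loader
    # entry 0: active (0x80), type 0x07 (NTFS), starting at LBA 63
    struct.pack_into("<B3xB3xII", mbr, 446, 0x80, 0x07, 63, 41943040)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def sample_overwritten_mbr():
    """Constructed: a zero-filled sector 0, one possible result of a destructive overwrite."""
    return bytes(SECTOR)


if __name__ == "__main__":
    for label, sector in (("intact", sample_intact_mbr()), ("overwritten", sample_overwritten_mbr())):
        print(label, "->", check_mbr(sector) or "OK")
```

<p>From a Linux boot disk the sector comes from <code>dd if=/dev/sda bs=512 count=1</code>; on a running Windows system with administrator rights it can be read with <code>open(r"\\.\PhysicalDrive0", "rb").read(512)</code>. check_mbr only catches gross damage; keeping a copy of the sector while the system is clean and comparing byte for byte catches subtler changes such as a replaced boot loader, which is also how the MBR is restored afterwards.</p>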
<h2>Removal</h2>
<p>I tried 2 tools that are &#8220;advertised&#8221; to remove this infection.</p>
<p><a href="http://www.zimuse.com/download-removal-tool.php" target="_blank">Bitdefender removal tool</a></p>
<p><a href="http://www.eset.eu/download/ezimuse-remover" target="_blank">Eset Zimuse remover</a></p>
<p>Neither tool was successful. The Bitdefender tool simply stalled the system and did nothing after several hours of running. The Eset tool ran but did not remove the infection.</p>
<p>I was able to remove it &#8220;manually&#8221; using specialized tools, but MalwareBytes Anti-Malware was able to remove most of it and disabled the active part of the infection, allowing the Bitdefender tool to run and finish the cleanup (which could also have been done manually). Like I usually advise, you should visit one of the free forums and get expert help to make sure you&#8217;re all clean.</p>
<p>As opposed to the early days of script kiddies writing prank viruses, most infections these days have some motive for their operation, usually profit. This one brings us back to those days in some ways, as I see no motive (other than a &#8220;prank&#8221;) for its existence.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.malware-analysis.net/?feed=rss2&amp;p=208</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Playing around with a Banker Trojan</title>
		<link>http://www.malware-analysis.net/?p=179</link>
		<comments>http://www.malware-analysis.net/?p=179#comments</comments>
		<pubDate>Wed, 27 Jan 2010 02:44:06 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Analysis]]></category>

		<guid isPermaLink="false">http://www.malware-analysis.net/?p=179</guid>
		<description><![CDATA[I know what some of you might say&#8230;.&#8221;why would you want do that?&#8221; As the man said when asked why did you climb the mountain? &#8220;Because it was there&#8221;. My answer is, &#8220;because I can!&#8221; Summary The analysis done here is as usual within an isolated virtual machine. The sample was picked up from a [...]]]></description>
			<content:encoded><![CDATA[<p>I know what some of you might say&#8230;.&#8221;why would you want do that?&#8221; As the man said when asked why did you climb the mountain? &#8220;Because it was there&#8221;. My answer is, &#8220;because I can!&#8221;</p>
<h3><strong><span style="text-decoration: underline;">Summary</span></strong></h3>
<p>The analysis done here is as usual within an isolated virtual machine. The sample was picked up from a poisoned web page.</p>
<p>File name: <strong>Downloads_P.com</strong></p>
<p>Identified as Win32 Trojan Bancos (among many other names).</p>
<p><a href="http://www.virustotal.com/analisis/550e83721fa021671aa8c8b19448a740bd7896bcd10b47790d1cede43858e50f-1264528270" target="_blank">Virus Total Results</a> &#8211; 17 of 41 scanners identified as Malware</p>
<p>Now, Bancos is not new (although this variant is) and there is information dating back to 2003 on this trojan.</p>
<p><a href="http://www.symantec.com/security_response/writeup.jsp?docid=2003-071710-2826-99&amp;tabid=2" target="_blank">Report from Symantec</a></p>
<p>The main goal of this Malware is to steal banking information such as login names, passwords, personal data, etc&#8230;</p>
<p>My goal with this analysis is to try and understand how this particular trojan actually captures the data from the compromised computer.</p>
<h3><strong><span style="text-decoration: underline;">Analysis</span></strong></h3>
<p>Let&#8217;s take a look at what happens when the Malware installs.</p>
<p>When the Downloads_P.com file is run there is one window that pops up a few seconds later:</p>
<p><a href="http://www.malware-analysis.net/wp-content/uploads/2010/01/bancos.png"><img class="aligncenter size-full wp-image-195" title="bancos" src="http://www.malware-analysis.net/wp-content/uploads/2010/01/bancos.png" alt="" width="425" height="198" /></a></p>
<p>A simple click on Fechar and the window disappears. No other visible activity takes place.</p>
<p><span style="text-decoration: underline;"><strong>System Activity:</strong></span></p>
<p>There are well over 100 modifications and additions to the registry, but the main two are here:<br />
<code><br />
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CBDC705-6B7E-4B0E-89BE-B55FC00D6C42}<br />
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Machine Works, Inc.: "C:\WINDOWS\system32\aecces.exe"<br />
</code></p>
<p>The first is a malicious BHO (Browser Helper Object) that is installed. There is no file referenced by the BHO, which makes me think something may have gone wrong here.</p>
<p>The second entry is a run key that restarts the Malware every time Windows reboots.</p>
<p>Four files are also created:<br />
<code><br />
C:\WINDOWS\system32\aecces.exe<br />
C:\WINDOWS\system32\flashdob.dll<br />
C:\WINDOWS\Mstecf.dat<br />
C:\WINDOWS\Oculs.log<br />
</code><br />
<a href="http://www.threatexpert.com/report.aspx?md5=82a958ad50fe1d29fb9557cefec32935" target="_blank">Threat Expert Report</a></p>
<p>There are absolutely no symptoms of this trojan running on the PC. No redirects, pop-ups, or system slowdown. There is the one process, aecces.exe, that is running in task manager. It takes up only about 8k of memory and is not hogging any CPU cycles. One would never know it was running unless you were looking for it.</p>
<p><span style="text-decoration: underline;"><strong>Network Activity:</strong></span><br />
<code><br />
27    62.407379000    192.168.1.7    192.168.1.1    DNS    Standard query A <strong>newvirtual200x01.rememberit.com.au</strong><br />
29    63.133198000    192.168.1.7    192.168.1.1    DNS    Standard query A <strong>google.com.br</strong></code></p>
<p>The first entry is sending out a DNS query to the specified domain in bold.</p>
<p>+++++++++++++++++++++</p>
<p>Now there are many ways that the Bancos Trojan captures the data from an infected system. There is a <a href="http://www.viruslist.com/en/analysis?pubid=204792084" target="_blank">great writeup here from Kaspersky</a> on the many ways Trojan Bancos works.</p>
<p>A quick summary:</p>
<ul>
<li>Modifies hosts file to redirect to phishing sites</li>
<li>Uses a keylogger to capture data entered into logon forms</li>
<li>Uses screen capture to gather data</li>
<li>Sends data back to the attacker&#8217;s email or a remote server</li>
</ul>
<p>In the case of our Malware here there was no modification of the hosts file. The means of capturing data here appears to be coming from the <strong>flashdob.dll</strong> file, which is identified as a password stealing trojan. There were no system redirects to phishing sites, so I assume the password stealer is capturing information from live transactions.</p>
<p>+++++++++++++++++++++</p>
<p><a href="http://www.malwarebytes.org/" target="_blank">MalwareBytes&#8217; Anti-Malware</a> does a nice job of cleaning this variant up. But often Malware comes with other friends and there may be more, so visiting one of the free help forums with the appropriate logs is a good idea.</p>
<p>Also critical here is that if you have been infected with this you need to contact all of your banks, credit card companies, and any other financial institutions that you make online transactions with. Make sure not to do this from the infected computer. Read <a href="http://www.dslreports.com/faq/10451" target="_blank">here</a> for more information.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.malware-analysis.net/?feed=rss2&amp;p=179</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Internet Security 2010</title>
		<link>http://www.malware-analysis.net/?p=133</link>
		<comments>http://www.malware-analysis.net/?p=133#comments</comments>
		<pubDate>Wed, 06 Jan 2010 19:17:02 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Analysis]]></category>

		<guid isPermaLink="false">http://www.malware-analysis.net/?p=133</guid>
		<description><![CDATA[Introduction: Just picked up a downloader trojan for Internet Security 2010 rogue from a fellow researcher. This is a fairly new variant that is only picked up by 5 out of the 41 scanners at Virus Total as Malware. Analysis here was done in a virtual machine as the file is not VM aware. Note [...]]]></description>
			<content:encoded><![CDATA[<h3>Introduction:</h3>
<p>Just picked up a downloader trojan for the Internet Security 2010 rogue from a fellow researcher. This is a fairly new variant that is only picked up by 5 out of the 41 scanners at Virus Total as Malware. Analysis here was done in a virtual machine, as the file is not VM-aware.</p>
<p>Note that while the Malware tested here is very similar to the <a href="http://www.bleepingcomputer.com/virus-removal/remove-internet-security-2010" target="_blank">report and removal instructions by Grinler at Bleeping Computer</a>, this is a new variant and the removal instructions given there will not work as of this writing (I&#8217;m sure MBAM will be updated to deal with this soon though).</p>
<h3><strong>Technical Analysis:</strong></h3>
<p><strong><span style="color: #ff0000;">Please note that the analysis here should not be used as a removal guide for this or any other Malware. If you think you&#8217;re infected you should either go to the forums for help, bring it to a pro, or reformat the PC (which is what the pro will probably do).</span><br />
</strong></p>
<h3><strong>Static Analysis:</strong></h3>
<p>File Name<strong>: winlogon32.exe<br />
</strong></p>
<p><a href="http://www.virustotal.com/analisis/b44501145519c95c9b8052e2d3115a20b2a4f1e497434ae271f457b2c23316db-1262788216" target="_blank">Virus Total Results</a></p>
<p><a href="http://www.threatexpert.com/report.aspx?md5=38d541e8e0ed43c6b08c894e1464a3ec" target="_blank">Threat Expert Report</a></p>
<p><a href="http://www.malware-analysis.net/reports/anubis_report.pdf" target="_blank">Anubis Report </a></p>
<h3><strong>Dynamic Analysis:</strong></h3>
<p>Upon execution of the sample the system almost immediately generates this window dialog:</p>
<p><img class="aligncenter size-full wp-image-137" title="ISFirstScreen" src="http://www.malware-analysis.net/wp-content/uploads/2010/01/ISFirstScreen1.PNG" alt="ISFirstScreen" width="632" height="264" /></p>
<p>After dismissing the screen the main Internet Security 2010 window appeared.</p>
<p><img class="aligncenter size-full wp-image-145" title="InternetSecurityMain" src="http://www.malware-analysis.net/wp-content/uploads/2010/01/InternetSecurityMain2.PNG" alt="InternetSecurityMain" width="540" height="401" /></p>
<p>The typical onslaught of system tray nags and pop-ups will then ensue.</p>
<p><img class="alignleft size-full wp-image-147" title="ISsystemtray" src="http://www.malware-analysis.net/wp-content/uploads/2010/01/ISsystemtray.PNG" alt="ISsystemtray" width="338" height="114" /><img class="alignright size-full wp-image-148" title="ISsystemtray2" src="http://www.malware-analysis.net/wp-content/uploads/2010/01/ISsystemtray2.PNG" alt="ISsystemtray2" width="331" height="114" /></p>
<p><img class="size-full wp-image-150 alignleft" title="ISsystemtrayupdate" src="http://www.malware-analysis.net/wp-content/uploads/2010/01/ISsystemtrayupdate.PNG" alt="ISsystemtrayupdate" width="347" height="146" /></p>
<p style="text-align: center;"><img class="size-full wp-image-152 aligncenter" title="Alert" src="http://www.malware-analysis.net/wp-content/uploads/2010/01/Alert.PNG" alt="Alert" width="426" height="263" /></p>
<h3><strong>System Modifications:</strong></h3>
<p><span style="text-decoration: underline;">The following files and folders are created:</span></p>
<p>C:\WINDOWS\system32\41.exe<br />
C:\WINDOWS\system32\helper32.dll<br />
C:\WINDOWS\system32\IS15.exe<br />
C:\WINDOWS\system32\smss32.exe<br />
C:\WINDOWS\system32\winlogon32.exe<br />
C:\program files\InternetSecurity2010\IS2010.exe<br />
C:\windows\system32\18467.exe<br />
C:\documents and settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk<br />
C:\documents and settings\Administrator\Desktop\Internet Security 2010.lnk<br />
C:\documents and settings\Administrator\Start Menu\Internet Security 2010.lnk<br />
C:\program files\InternetSecurity2010</p>
<p><span style="text-decoration: underline;">The following registry loading points are created (from HijackThis):</span></p>
<p>F2 &#8211; REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe<br />
O4 &#8211; HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe<br />
O4 &#8211; HKCU\..\Run: [Internet Security 2010] C:\Program Files\InternetSecurity2010\IS2010.exe<br />
O10 &#8211; Unknown file in Winsock LSP: c:\windows\system32\helper32.dll<br />
O10 &#8211; Unknown file in Winsock LSP: c:\windows\system32\helper32.dll</p>
<p>This Malware also resets and sets several restrictions on your system, including blocking Task Manager and the command prompt. The Task Manager option is grayed out and cannot be selected, while attempting to start the command prompt results in the following:</p>
<p><img class="aligncenter size-full wp-image-164" title="rkillBlock" src="http://www.malware-analysis.net/wp-content/uploads/2010/01/rkillBlock.PNG" alt="rkillBlock" width="515" height="120" /></p>
<p><span style="text-decoration: underline;">Network Activity:</span></p>
<p>The Malware will attempt to phone home to the following IP address:</p>
<p>193.104.110.50</p>
<p>Associated with these domains:</p>
<p>testavrdown.com<br />
downloadavr25.com</p>
<h3><strong>Removal:</strong></h3>
<p>I would suggest getting help in the forums with this one. The instructions given at the Bleeping Computer link from Grinler I gave earlier will not work on this variant at this point. The rkill tool will not run, resulting in the same error that running the command prompt gives. And MalwareBytes Anti-Malware will not update. It will run but will not remove all of the infection, and it will re-spawn on reboot. I would guess that the tools will be updated to deal with this very soon, but the Malware may also be updated to avoid detection and removal. So the same advice goes again: look for help from one of the ASAP forums. See the links under my blogroll.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.malware-analysis.net/?feed=rss2&amp;p=133</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Bagle Analysis</title>
		<link>http://www.malware-analysis.net/?p=93</link>
		<comments>http://www.malware-analysis.net/?p=93#comments</comments>
		<pubDate>Tue, 10 Nov 2009 20:40:20 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Analysis]]></category>

		<guid isPermaLink="false">http://www.malware-analysis.net/?p=93</guid>
		<description><![CDATA[Bagle Malware appears to be making a comeback lately. Not as much in the US but more so in Europe, although that&#8217;s subject to change as it can spread fast. Bagle is not necessarily new, although new variants are constantly being developed. Usually nastier with each version. This new version is absolutely nasty. Some symptoms [...]]]></description>
			<content:encoded><![CDATA[<p>Bagle Malware appears to be making a comeback lately. Not as much in the US but more so in Europe, although that&#8217;s subject to change as it can spread fast.</p>
<p>Bagle is not necessarily new, although new variants are constantly being developed, usually nastier with each version. This new version is <strong>absolutely nasty</strong>. Some symptoms of the infection are the browser closing, system lags, system security functions and security tools (such as AntiVirus and Firewall) disabled, and the inability to run most any security tools.</p>
<h3><strong>Technical Analysis:</strong></h3>
<p><strong><span style="color: #ff0000;">Please note that the analysis here should not be used as a removal guide for this or any other Malware. If you think you&#8217;re infected you should either go to the forums for help, bring it to a pro, or reformat the PC (which is what the pro will probably do).</span><br />
</strong></p>
<h3><strong>Static Analysis:</strong></h3>
<p>On the date that the sample was captured I ran it by Virus Total and almost 60% of the scanners identified it as Malware. Not bad, but not great either and I&#8217;m sure that will get better with time.</p>
<p><a href="http://www.virustotal.com/analisis/3edb925d969f8ce9a6b39801922b7256c838ae851732b09ea553c6ef0df5a078-1257350730" target="_blank"><span style="text-decoration: underline;"><strong>Virus Total Results</strong></span></a></p>
<p>The sample I tested was packed with <a href="http://www.oreans.com/" target="_blank">Themida</a>, which is a commercial grade packer. This pretty much rules out any real static analysis with my limited unpacking skills at this point. Note that the packing is used to help avoid detection and prevent this type of analysis.</p>
<h3><strong>Dynamic Analysis:</strong></h3>
<p>Here is where the fun begins for me&#8230;</p>
<p>I was able to get this sample to run in VMWare which is nice for analysis.</p>
<p>Upon execution of the sample the system pauses for a few seconds then generates this window:</p>
<p><img class="aligncenter size-full wp-image-96" title="bagle first window" src="http://www.malware-analysis.net/wp-content/uploads/2009/11/bagle-first-window.PNG" alt="bagle first window" width="430" height="297" /></p>
<p>Well, I don&#8217;t know what that means but I know what OK! means. So I proceed with that and see this next:</p>
<p><img class="aligncenter size-full wp-image-97" title="bagle 2cd window" src="http://www.malware-analysis.net/wp-content/uploads/2009/11/bagle-2cd-window.PNG" alt="bagle 2cd window" width="416" height="346" /></p>
<p>What looks like some kind of a Windows logon screen or something. Well again&#8230;.OK is good for me.</p>
<p>After that not much happened, and I was wondering if it really ran in the VM. I tried to run some basic system analysis with HijackThis and a rootkit scan with GMER and<strong> neither</strong> would run. Soon after, the system rebooted by itself. At this point I was pretty confident that the Malware took to the VM.</p>
<p>Looking at the file/folder/registry modifications with InstallWatch and RegShot showed several folders and registry entries created, very similar to the report from Threat Expert.</p>
<p><a href="http://www.threatexpert.com/report.aspx?md5=cd875136578420bee53ee7dc177a4d93" target="_blank"><span style="text-decoration: underline;"><strong>Threat Expert Report</strong></span></a></p>
<p>As we can see, there is quite a bit of activity and this is starting to look like some nasty stuff, but more will be revealed&#8230;</p>
<p>After reboot I tried HijackThis and GMER again (without success). I also tried running MalwareBytes and that would not go.</p>
<p>I was able to get both OldTimer&#8217;s OTL and sUBs&#8217; DDS tools to run, which showed some interesting entries (definitely Malware).<br />
<strong>OTL:</strong><br />
Processes:<br />
<code>PRC - [2009/11/10 14:05:13 | 00,899,076 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\drivers\downld\62359.exe<br />
Driver Services:<br />
DRV - [2009/11/10 14:04:59 | 00,119,188 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\drivers\wfsintwq.sys -- (srosa)<br />
Pseudo HJT:<br />
O4 - HKCU..\Run: [flec003.exe] C:\Documents and Settings\Administrator\Application Data\hidires\flec003.exe (http://www.emule-project.net)</code></p>
<p>DDS showed the same process, run key, and driver that OTL did.</p>
<p>Now, making sure that hidden files are showing in XP, I looked for those files and registry entries but none of them were visible. The only thing I could see was a file called srosa2.sys in the drivers folder.</p>
<p>Now, we can pretty much deduce from these findings that there is no doubt a well planted rootkit running here. The presence of <a href="http://www.bleepingcomputer.com/startups/srosa-19857.html" target="_blank"><span style="text-decoration: underline;"><strong>srosa</strong></span></a> (which is a well known rootkit) and the fact we cannot see anything with the normal Windows tools confirms this.</p>
<p>So since we cannot run my favorite rootkit tool GMER, we&#8217;ll try some others. I tried running SysProt ARK, but no success there. Next I tried RootRepeal and was able to run it.<br />
<code><br />
Hidden/Locked Files<br />
-------------------<br />
Path: C:\Program Files\Movie Maker\Shared<br />
Status: Invisible to the Windows API!</code></p>
<p>Path: c:\windows\system32\ntkrnlpa.exe<br />
Status: Allocation size mismatch (API: 24576, Raw: 2060288)</p>
<p>Path: C:\WINDOWS\ime\shared<br />
Status: Invisible to the Windows API!</p>
<p>Path: C:\Documents and Settings\Administrator\Application Data\hidires<br />
Status: Invisible to the Windows API!</p>
<p>Path: C:\Documents and Settings\Administrator\Application Data\drivers\downld<br />
Status: Invisible to the Windows API!</p>
<p>Path: C:\Documents and Settings\Administrator\Application Data\drivers\wfsintwq.sys<br />
Status: Invisible to the Windows API!</p>
<p>Path: C:\Documents and Settings\Administrator\Application Data\drivers\winupgro.exe<br />
Status: Invisible to the Windows API!</p>
<p>Path: C:\Documents and Settings\Administrator\Application Data\hidires\flec003.exe<br />
Status: Invisible to the Windows API!</p>
<p>Path: C:\Documents and Settings\Administrator\Application Data\m\flec006.exe<br />
Status: Invisible to the Windows API!</p>
<p>Path: C:\Documents and Settings\Administrator\Application Data\m\shared<br />
Status: Invisible to the Windows API!</p>
<p>Path: C:\Documents and Settings\Administrator\Local Settings\Temp\000058cb\autorun.inf<br />
Status: Invisible to the Windows API!</p>
<p>Processes<br />
-------------------<br />
Path: C:\Documents and Settings\Administrator\Application Data\hidires\flec003.exe<br />
PID: 236    Status: Hidden from the Windows API!</p>
<p>Path: C:\Documents and Settings\Administrator\Application Data\drivers\winupgro.exe<br />
PID: 472    Status: Hidden from the Windows API!</p>
<p>Path: C:\Documents and Settings\Administrator\Application Data\m\flec006.exe<br />
PID: 1376    Status: Hidden from the Windows API!</p>
<p>Hidden Services<br />
-------------------<br />
Service Name: srosa<br />
Image Path: system32\DRIVERS\sr.sys</p>
<p>I tried removing the hidden service, sr.sys, but RR would not do it. I then was able to wipe several of the hidden files and was subsequently able to run GMER. To try and bring some brevity to an already way too long post I&#8217;m not going to show everything GMER found (which was a lot!). Here is a summary:</p>
<p>It confirmed the Malware we have already seen with the other tools, but it found much more.</p>
<p>In this hidden folder:<br />
C:\Documents and Settings\Administrator\Application Data\drivers\downld\<br />
There were about 30 files similar to the following: 311109.exe, all named with random numbers.</p>
<p>Then the real find and the <span style="text-decoration: underline;">main goal</span> of this Malware:<br />
C:\Documents and Settings\Administrator\Application Data\hidires\WDIR\000-484 &#8211; Enterprise Connectivity with J2EE Practice Exam Questions 1.0 (KeyGen).zip<br />
C:\Documents and Settings\Administrator\Application Data\m\shared\12Ghosts Timer 9.0.52.5740.zip</p>
<p>There were about 100 zip archived files in each of the<strong> WDIR</strong> and <strong>shared</strong> hidden folders. These are not keygen files or game files like they are all labeled. Analysis showed that in each of those archives the same Bagle dropper is packed up and ready for someone to download and infect themselves. So you&#8217;re saying, how are they going to get them off my PC? Well, this entry:<code><br />
O4 - HKCU..\Run: [flec003.exe] C:\Documents and Settings\Administrator\Application Data\hidires\flec003.exe (http://www.emule-project.net)<br />
</code></p>
<p>Starts up an <a href="http://www.emule-project.net/home/perl/general.cgi?l=1" target="_blank">Emule</a> P2P host right off your machine every time it starts. Yes, as my kids say, you and your PC have been <a href="http://www.urbandictionary.com/define.php?term=pwnd" target="_blank">Pwnd</a>. Your PC is serving up Malware to the world.</p>
<p>The scary thing with this Malware is the only real indication of its presence is that it slows down system performance (those CPU cycles are busy serving up Malware). There are no pop-ups or redirects, and your security software has been disabled so it knows nothing. Your browser will shut down if you try to surf to any security sites, and many tools won&#8217;t run. So if you have these symptoms I would suggest getting help.</p>
<p>It is possible to remove this Malware. But again, unless you really know what you&#8217;re doing I would suggest heading over to the forums and posting the required logs so an expert can take a look.</p>
<p>Sorry for such a long post here, but I left a lot out, trust me. This one was also real fun to play with and analyze. I hope this provides some insight into how this stuff spreads itself around. Also it should alert you to the dangers of P2P file sharing.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.malware-analysis.net/?feed=rss2&amp;p=93</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>IObit using blackhat SEO to promote product</title>
		<link>http://www.malware-analysis.net/?p=83</link>
		<comments>http://www.malware-analysis.net/?p=83#comments</comments>
		<pubDate>Thu, 05 Nov 2009 20:02:50 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Analysis]]></category>

		<guid isPermaLink="false">http://www.malware-analysis.net/?p=83</guid>
		<description><![CDATA[WARNING: The material presented here may be offensive to some readers. It relates to the promotion of online porn and other questionable practices. If you are not comfortable with it then please surf away from here. In follow up discussions and investigations of IObit, it has been discovered that part of their marketing plan is [...]]]></description>
			<content:encoded><![CDATA[<p><strong><span style="text-decoration: underline;">WARNING:</span></strong> The material presented here may be offensive to some readers. It relates to the promotion of online porn and other questionable practices. If you are not comfortable with it then please surf away from here.</p>
<p>In follow up discussions and investigations of IObit, it has been discovered that part of their marketing plan is to use questionable search terms to drive traffic to their sites and products. NOTE: This has nothing to do with the alleged theft of intellectual property by IObit.</p>
<p>I have issues with at least 2 pages that they are currently hosting (note that I made sure the links below are not &#8220;clickable&#8221; and would need to be copy and pasted into your browser if you want to see them, just so it doesn&#8217;t happen by accident).</p>
<p>http://www.iobit.com/porn-games.html</p>
<p>http://www.iobit.com/naruto-hentai.html</p>
<p>While these pages do not explicitly host porn, they are promoting their products by directing users from those pages back to the main IObit pages. Note also that it has been proven that these pages have been up for some time now, long before the property theft scandal, and they have not been hacked.</p>
<p>Searching Google on very (I would assume) common terms used for folks who search on this stuff such as &#8220;hentai porn&#8221; or &#8220;porn games&#8221;, puts these pages in the top 10 or 20 rankings. Not bad, if you&#8217;re IObit. That will direct a lot of people your way, using very questionable methods.</p>
<p>Another product they are promoting, <a href="http://www.iobit.com/labs.html" target="_blank">P2PTurbo</a>, claims to greatly enhance and speed up peer2peer client performance. Now again, not illegal, but highly questionable.</p>
<p>Here is why I state that. Both online porn and P2P use are probably the number 1 and 2 ways that users get infected with Malware in the first place. I see it every day in helping folks in the forums. Many have P2P clients installed and admit to using them. And while I have no direct proof on porn I think we can all agree that the practice, while not illegal, is questionable. Tech note: If you ever want to get yourself infected (and I&#8217;m not suggesting or promoting this), fire up your favorite search engine, search on some porn keywords, click some links, and in no time you will have the opportunity to pick up some great, fresh Malware.</p>
<p>As far as I know, IObit has not even responded to questions on these tactics and the pages are still live as of today. In the main discussion thread at IObit I have asked that they be pulled and have adamantly voiced my opinion. The mods and the supporters have been patient and very active in this thread, but as far as I can tell no official representation from IObit has been made. Even some of its most emphatic supporters are losing patience and showing less support.</p>
<p><a href="http://forums.iobit.com/showthread.php?t=4799" target="_blank">IObit accusation thread</a> (warning, 33 pages of posts in 3 days).</p>
<p>Things just keep getting worse for IObit. MalwareBytes may have shoveled a bit of a hole for them, but they had already brought the heavy equipment and put in the foundation.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.malware-analysis.net/?feed=rss2&amp;p=83</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Analysis of a Rogue installation</title>
		<link>http://www.malware-analysis.net/?p=53</link>
		<comments>http://www.malware-analysis.net/?p=53#comments</comments>
		<pubDate>Wed, 04 Nov 2009 20:24:33 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Analysis]]></category>

		<guid isPermaLink="false">http://www.malware-analysis.net/?p=53</guid>
		<description><![CDATA[In the forums we are often asked &#8220;How did this happen? How did I get infected?&#8221; I would like to detail just one of the ways this can happen. Now keep in mind this is only one way. There are many others, such as through file sharing sites, cracks and keygens, and email attachments. You [...]]]></description>
			<content:encoded><![CDATA[<p>In the forums we are often asked &#8220;How did this happen? How did I get infected?&#8221; I would like to detail just one of the ways this can happen. Now keep in mind this is only one way. There are many others, such as through file sharing sites, cracks and keygens, and email attachments.</p>
<p>You are surfing away, maybe checking out some news, or looking for some online games. Then all of a sudden boom! You see what looks very much like a common Windows screen. It appears to be actively scanning your PC and finding all kinds of problems. A typical page will appear like a Windows page and look like it&#8217;s scanning your PC.</p>
<p>Some pages I&#8217;ve seen lately even appear to be giving you the dreaded Blue Screen of Death (BSOD).</p>
<p><img class="aligncenter size-full wp-image-56" title="Fake BSOD" src="http://www.malware-analysis.net/wp-content/uploads/2009/11/Fake-BSOD1.PNG" alt="Fake BSOD" width="968" height="276" /></p>
<p>This is certainly enough to alarm and concern many a knowledgeable PC user. Typically a few seconds after these pages load and appear to do their scanning you will get a prompt to download a file.</p>
<p><img class="alignleft size-medium wp-image-67" style="margin-left: 20px; margin-right: 20px;" title="IE download box" src="http://www.malware-analysis.net/wp-content/uploads/2009/11/IE-download-box1-300x202.PNG" alt="IE download box" width="255" height="133" /><img class="alignright size-medium wp-image-69" style="margin-left: 20px; margin-right: 20px;" title="Firefox download box" src="http://www.malware-analysis.net/wp-content/uploads/2009/11/Firefox-download-box-300x130.PNG" alt="Firefox download box" width="279" height="102" /></p>
<p>Now, the image on the left is from Internet Explorer and the image on the right is from Firefox. Aside from the screenshots being taken from different OS&#8217;s, what is the main difference here? IE has the dreaded &#8220;Run&#8221; button. When this is clicked it will download <span style="text-decoration: underline;"><strong>and</strong></span> run the file, in one shot. While at least with Firefox it will only download it first. This will not infect you. You would then have to go run the file after the download, giving you at least a few more seconds to come to your senses and not execute the file.</p>
<p>So, how do you prevent this from happening? Good prevention tools, the right knowledge, and a little common sense. I have covered a good prevention plan <a href="http://www.malware-analysis.net/?page_id=38" target="_blank"><strong>here</strong></a>. Also, using Firefox instead of IE (even though IE has done much to improve its security) will go a long way to keep you from arriving at one of these pages. Firefox versions 3.x also include the <a href="http://code.google.com/apis/safebrowsing/firefox3_privacy.html" target="_blank">Google Safe Browsing Service</a> by default. With sites that have been reported and blocked you will see a screen like this:</p>
<p><img class="aligncenter size-full wp-image-76" title="Firefox Block" src="http://www.malware-analysis.net/wp-content/uploads/2009/11/Firefox-Block.PNG" alt="Firefox Block" width="698" height="339" /></p>
<p>This gives one more layer of defense against this type of attack.</p>
<p>Bottom line&#8230;.when and if you see a page like this don&#8217;t panic. You have not been infected, yet. <strong>Don&#8217;t click anything</strong> on the page. Close down the browsing session as soon as possible by using Task Manager to stop the browser process(es), as most often clicking &#8220;no&#8221; or &#8220;abort&#8221; on the page will just make things worse.</p>
<p>Safe surfing,</p>
<p>Dave aka IndiGenus</p>
]]></content:encoded>
			<wfw:commentRss>http://www.malware-analysis.net/?feed=rss2&amp;p=53</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
