Internet Security 2010

Introduction:

Just picked up a downloader trojan for the Internet Security 2010 rogue from a fellow researcher. This is a fairly new variant: only 5 of the 41 scanners at VirusTotal flag it as malware. The analysis here was done in a virtual machine, as the sample is not VM aware.

Note that while the malware tested here is very similar to the report and removal instructions by Grinler at Bleeping Computer, this is a new variant, and the removal instructions given there will not work as of this writing (I’m sure MBAM will be updated to deal with it soon, though).

Technical Analysis:

Please note that the analysis here should not be used as a removal guide for this or any other malware. If you think you’re infected, you should either go to the forums for help, bring the PC to a pro, or reformat it (which is what the pro will probably do).

Static Analysis:

File Name: winlogon32.exe

Virus Total Results

Threat Expert Report

Anubis Report

Dynamic Analysis:

Upon execution of the sample, the system almost immediately displays this dialog:

[Screenshot: ISFirstScreen]

After dismissing that screen, the main Internet Security 2010 window appears.

[Screenshot: InternetSecurityMain]

The typical onslaught of system tray nags and pop-ups then ensues.

[Screenshots: ISsystemtray, ISsystemtray2]

[Screenshot: ISsystemtrayupdate]

[Screenshot: Alert]

System Modifications:

The following files and folders are created:

C:\WINDOWS\system32\41.exe
C:\WINDOWS\system32\helper32.dll
C:\WINDOWS\system32\IS15.exe
C:\WINDOWS\system32\smss32.exe
C:\WINDOWS\system32\winlogon32.exe
C:\program files\InternetSecurity2010\IS2010.exe
C:\windows\system32\18467.exe
C:\documents and settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk
C:\documents and settings\Administrator\Desktop\Internet Security 2010.lnk
C:\documents and settings\Administrator\Start Menu\Internet Security 2010.lnk
C:\program files\InternetSecurity2010

The following registry loading points are created (from HijackThis):

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKCU\..\Run: [Internet Security 2010] C:\Program Files\InternetSecurity2010\IS2010.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\helper32.dll

This malware also sets (and re-applies) several restrictions on the system, including blocking Task Manager and the command prompt. The Task Manager option is grayed out and cannot be selected, while attempting to start the command prompt results in the following:

[Screenshot: rkillBlock]

Network Activity:

The malware attempts to phone home to the following IP address:

193.104.110.50

Associated with these domains:

testavrdown.com
downloadavr25.com
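The loading points and network indicators listed above are the kind of thing a responder wants to match mechanically across many logs rather than by eye. The following Python script is an added example, not code from the original post: it parses HijackThis-style F2 (Userinit), O4 (Run key) and O10 (Winsock LSP) entries, flags paths that match the files named in the System Modifications section, and scans whitespace-separated network log lines for the IP and domains from the Network Activity section (subdomains included). It also goes one step beyond the listed indicators with a general heuristic that flags any Userinit value not pointing at userinit.exe, since that value should never reference anything else. The sample log lines, timestamps and client addresses are constructed for the example.

```python
"""Added triage helper (not part of the original analysis): flags the
Internet Security 2010 indicators in HijackThis-style startup entries
and in whitespace-separated network log lines."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Indicators copied from the analysis, normalised to lower case.
IOC_PATHS = {
    r"c:\windows\system32\winlogon32.exe",
    r"c:\windows\system32\smss32.exe",
    r"c:\windows\system32\helper32.dll",
    r"c:\windows\system32\41.exe",
    r"c:\windows\system32\is15.exe",
    r"c:\windows\system32\18467.exe",
    r"c:\program files\internetsecurity2010\is2010.exe",
}
IOC_DOMAINS = {"testavrdown.com", "downloadavr25.com"}
IOC_IPS = {"193.104.110.50"}


@dataclass
class Finding:
    kind: str    # "persistence" or "network"
    detail: str  # which indicator or heuristic fired
    line: str    # the log line that triggered it


# HijackThis lines look like "O4 - HKLM\..\Run: [name] path": a code, " - ", then the body.
_HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")


def _normalise_path(raw: str) -> str:
    # Drop surrounding quotes and the trailing comma Userinit values carry, then lower-case.
    return raw.strip().strip('"').rstrip(",").strip().lower()


def extract_path(code: str, body: str) -> Optional[str]:
    """Pull the file path out of an F2 (Userinit), O4 (Run key) or O10 (LSP) entry."""
    if code.startswith("F") and "=" in body:     # REG:system.ini: UserInit=<path>
        return _normalise_path(body.split("=", 1)[1])
    if code == "O4" and "] " in body:            # HKLM\..\Run: [name] <path>
        return _normalise_path(body.split("] ", 1)[1])
    if code == "O10" and ": " in body:           # Unknown file in Winsock LSP: <path>
        return _normalise_path(body.rsplit(": ", 1)[1])
    return None


def scan_hijackthis(lines: Iterable[str]) -> List[Finding]:
    """Flag known IoC paths; additionally flag any Userinit value that is not userinit.exe."""
    findings: List[Finding] = []
    for line in lines:
        m = _HJT_LINE.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        path = extract_path(code, body)
        if path is None:
            continue
        if path in IOC_PATHS:
            findings.append(Finding("persistence", f"{code}: known IoC {path}", line))
        elif code == "F2" and "userinit=" in body.lower() and not path.endswith(r"\userinit.exe"):
            # Heuristic beyond the listed IoCs: Userinit should only ever launch userinit.exe.
            findings.append(Finding("persistence", f"{code}: non-standard Userinit {path}", line))
    return findings


def scan_network_log(lines: Iterable[str]) -> List[Finding]:
    """Match the IoC IP and domains (and their subdomains) in any whitespace-separated log."""
    findings: List[Finding] = []
    for line in lines:
        # Split on whitespace and colons so "host:port" and "hh:mm:ss" tokens come apart.
        for token in re.split(r"[\s:]+", line):
            token = token.strip(".,;\"'()[]").lower()
            if token in IOC_IPS:
                findings.append(Finding("network", f"contacted IoC IP {token}", line))
            elif any(token == d or token.endswith("." + d) for d in IOC_DOMAINS):
                findings.append(Finding("network", f"resolved IoC domain {token}", line))
    return findings


# Constructed sample input: the four loading points from the analysis plus one benign entry.
SAMPLE_HJT = [
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe",
    r"O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe",
    r"O4 - HKCU\..\Run: [Internet Security 2010] C:\Program Files\InternetSecurity2010\IS2010.exe",
    r"O10 - Unknown file in Winsock LSP: c:\windows\system32\helper32.dll",
    r"O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",  # benign, constructed
]
# Constructed DNS/firewall-style lines; timestamps and client addresses are made up.
SAMPLE_NET = [
    "2010-01-06 15:20:01 10.0.0.5 query testavrdown.com. A",
    "2010-01-06 15:20:02 10.0.0.5 query update.downloadavr25.com A",  # subdomain, constructed
    "2010-01-06 15:20:03 10.0.0.5 query www.example.com A",
    "2010-01-06 15:20:04 ALLOW TCP 10.0.0.5:1042 -> 193.104.110.50:80",
]

if __name__ == "__main__":
    for f in scan_hijackthis(SAMPLE_HJT) + scan_network_log(SAMPLE_NET):
        print(f"[{f.kind}] {f.detail}  <-  {f.line}")
```

Run against the constructed samples it reports the four persistence entries and three network hits; feed it real HijackThis and DNS/firewall exports to triage a suspect machine against this variant's indicators.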

Removal:

I would suggest getting help in the forums with this one. The instructions at the Bleeping Computer link from Grinler that I gave earlier will not work on this variant at this point: the rkill tool will not run, producing the same error that the command prompt gives, and Malwarebytes Anti-Malware will not update. MBAM will run, but it will not remove all of the infection, and the infection re-spawns on reboot. I would guess that the tools will be updated to deal with this very soon, but the malware may also be updated to avoid detection and removal. So the same advice applies: look for help from one of the ASAP forums. See the links under my blogroll.

Author: admin
Date: Wednesday, 6. January 2010 15:17
Category: Analysis