Monday, December 19, 2011

System Fix (FakeAV) - 12.19.2011 - Analysis and Removal

This was performed on a live (not Virtual) machine.


RogueKiller

¤¤¤ Registry Entries: 7 ¤¤¤
[SUSP PATH] HKLM\[...]\Run : VuCWtdJYrTTuTWk.exe (C:\Documents and Settings\All Users.WINDOWS\Application Data\VuCWtdJYrTTuTWk.exe) -> DELETED
[HJPOL] HKLM\[...]\System : DisableTaskMgr (1) -> DELETED
[HJ] HKCU\[...]\Internet Settings : WarnOnHTTPSToHTTPRedirect (0) -> REPLACED (1)
[WallPP] HKCU\[...]\Desktop : Wallpaper () -> REPLACED (C:\Documents and Settings\ali\Local Settings\Application Data\Microsoft\Wallpaper1.bmp)
[HJ] HKCU\[...]\Advanced : Start_ShowMyComputer (0) -> REPLACED (1)
[HJ] HKCU\[...]\Advanced : Start_ShowSearch (0) -> REPLACED (1)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ MBR Check: ¤¤¤
--- User ---
[MBR] 6c5ea126ce052b9f53b7c718ff0986f2
[BSP] 11d467b9f31927f29d49c85858b51038 : MBR Code unknown
Partition table:
0 - [XXXXXX] FAT16 [HIDDEN!] Offset (sectors): 63 | Size: 49 Mo
1 - [ACTIVE] NTFS [VISIBLE] Offset (sectors): 96390 | Size: 249933 Mo
User = LL1 ... OK!
User = LL2 ... OK!

__________________________________________________________________________________

SAS

Rogue.VirusTrigger
    HKCR\CLSID\{95E9BCC0-2E84-4500-8A9C-0B7A96769124}
    HKCR\CLSID\{95E9BCC0-2E84-4500-8A9C-0B7A96769124}\InprocServer32
    HKCR\CLSID\{95E9BCC0-2E84-4500-8A9C-0B7A96769124}\InprocServer32#ThreadingModel
    HKCR\CLSID\{95E9BCC0-2E84-4500-8A9C-0B7A96769124}\ProgID
    HKCR\CLSID\{95E9BCC0-2E84-4500-8A9C-0B7A96769124}\Programmable
    HKCR\CLSID\{95E9BCC0-2E84-4500-8A9C-0B7A96769124}\TypeLib
    HKCR\CLSID\{95E9BCC0-2E84-4500-8A9C-0B7A96769124}\VersionIndependentProgID
    HKLM\Software\Classes\CLSID\{95E9BCC0-2E84-4500-8A9C-0B7A96769124}
    HKCR\CLSID\{95E9BCC0-2E84-4500-8A9C-0B7A96769124}
    HKCR\AnvTrgrWarning.WarningBHO.1
    HKCR\AnvTrgrWarning.WarningBHO.1\CLSID
    HKCR\AnvTrgrWarning.WarningBHO
    HKCR\AnvTrgrWarning.WarningBHO\CLSID
    HKCR\AnvTrgrWarning.WarningBHO\CurVer
    HKCR\TypeLib\{BAE92F67-539C-41cd-9183-162BB40AAA0C}
    HKCR\TypeLib\{BAE92F67-539C-41cd-9183-162BB40AAA0C}\1.0
    HKCR\TypeLib\{BAE92F67-539C-41cd-9183-162BB40AAA0C}\1.0\0
    HKCR\TypeLib\{BAE92F67-539C-41cd-9183-162BB40AAA0C}\1.0\0\win32
    HKCR\TypeLib\{BAE92F67-539C-41cd-9183-162BB40AAA0C}\1.0\FLAGS
    HKCR\TypeLib\{BAE92F67-539C-41cd-9183-162BB40AAA0C}\1.0\HELPDIR
    HKU\S-1-5-21-1292428093-813497703-725345543-1003\Software\AnvTrgrsoft
    C:\Program Files\WEBMEDIAVIEWER\myd.ico
    C:\Program Files\WEBMEDIAVIEWER\mym.ico
    C:\Program Files\WEBMEDIAVIEWER\myp.ico
    C:\Program Files\WEBMEDIAVIEWER\myv.ico
    C:\Program Files\WEBMEDIAVIEWER\ot.ico
    C:\Program Files\WEBMEDIAVIEWER\ts.ico
    C:\Program Files\WEBMEDIAVIEWER
    HKU\S-1-5-21-1292428093-813497703-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95E9BCC0-2E84-4500-8A9C-0B7A96769124}
    HKCR\Interface\{5C8B2A9C-24A0-4991-A74B-1E4931BD3A57}
    HKCR\Interface\{5C8B2A9C-24A0-4991-A74B-1E4931BD3A57}\ProxyStubClsid
    HKCR\Interface\{5C8B2A9C-24A0-4991-A74B-1E4931BD3A57}\ProxyStubClsid32
    HKCR\Interface\{5C8B2A9C-24A0-4991-A74B-1E4931BD3A57}\TypeLib
    HKCR\Interface\{5C8B2A9C-24A0-4991-A74B-1E4931BD3A57}\TypeLib#Version

Trojan.Media-Codec
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\System Alert Popup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\System Alert Popup#DisplayName
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\System Alert Popup#UninstallString
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\System Alert Popup#InstDate

Rogue.WebMediaViewer
    HKU\S-1-5-21-1292428093-813497703-725345543-1003\Software\WebMediaViewer

Trojan.Agent/Gen-RogueAntiSpy
    C:\DOCUMENTS AND SETTINGS\ALL USERS.WINDOWS\APPLICATION DATA\CSJNAQKKDLC1G2.EXE
    C:\DOCUMENTS AND SETTINGS\ALI\APPLICATION DATA\MICROSOFT\INTERNET EXPLORER\QUICK LAUNCH\SYSTEM FIX.LNK
    C:\DOCUMENTS AND SETTINGS\ALI\DESKTOP\RK_QUARANTINE\VUCWTDJYRTTUTWK.EXE.VIR
    C:\DOCUMENTS AND SETTINGS\ALI\DESKTOP\SYSTEM FIX.LNK
    C:\DOCUMENTS AND SETTINGS\ALI\LOCAL SETTINGS\TEMP\592.TMP
    C:\DOCUMENTS AND SETTINGS\ALI\LOCAL SETTINGS\TEMP\SMTMP\2\SYSTEM FIX.LNK
    C:\DOCUMENTS AND SETTINGS\ALI\START MENU\PROGRAMS\SYSTEM FIX\SYSTEM FIX.LNK
    C:\DOCUMENTS AND SETTINGS\ALI\START MENU\PROGRAMS\SYSTEM FIX\UNINSTALL SYSTEM FIX.LNK
    C:\DOCUMENTS AND SETTINGS\ALL USERS.WINDOWS\APPLICATION DATA\VUCWTDJYRTTUTWK.EXE
    C:\WINDOWS\Prefetch\CSJNAQKKDLC1G2.EXE-0E3467CF.pf
    C:\WINDOWS\Prefetch\VUCWTDJYRTTUTWK.EXE-2737C7F1.pf

Browser Hijacker.Favorites
    C:\DOCUMENTS AND SETTINGS\ALI\FAVORITES\ANTIVIRUS SCAN.URL
    C:\RECYCLER\S-1-5-21-1292428093-813497703-725345543-1003\DC248.URL
    C:\RECYCLER\S-1-5-21-1292428093-813497703-725345543-1003\DC249.URL
    C:\RECYCLER\S-1-5-21-1292428093-813497703-725345543-1003\DC296.URL
    C:\RECYCLER\S-1-5-21-1292428093-813497703-725345543-1003\DC297.URL

Trojan.Agent/Gen-Krpytik
    C:\PROGRAM FILES\TURBOSOFT\TTWIN3\BIN32\AT102.DLL
    C:\PROGRAM FILES\TURBOSOFT\TTWIN3\BIN32\HLLAPI32.DLL
    C:\PROGRAM FILES\TURBOSOFT\TTWIN3\BIN32\HPVT.DLL
    C:\PROGRAM FILES\TURBOSOFT\TTWIN3\BIN32\LK250.DLL
    C:\PROGRAM FILES\TURBOSOFT\TTWIN3\BIN32\LK250DOS.DLL
    C:\PROGRAM FILES\TURBOSOFT\TTWIN3\BIN32\LK450.DLL
    C:\PROGRAM FILES\TURBOSOFT\TTWIN3\BIN32\MS_APPC.DLL
    C:\PROGRAM FILES\TURBOSOFT\TTWIN3\BIN32\MS_LUA.DLL
    C:\PROGRAM FILES\TURBOSOFT\TTWIN3\BIN32\RFC1006.DLL
    C:\PROGRAM FILES\TURBOSOFT\TTWIN3\BIN32\SERIAL.DLL
    C:\PROGRAM FILES\TURBOSOFT\TTWIN3\BIN32\SOCKSTUB.DLL
    C:\PROGRAM FILES\TURBOSOFT\TTWIN3\BIN32\SSH.DLL
    C:\PROGRAM FILES\TURBOSOFT\TTWIN3\BIN32\TELNET.DLL
    C:\PROGRAM FILES\TURBOSOFT\TTWIN3\BIN32\TTACCESS.DLL
    C:\PROGRAM FILES\TURBOSOFT\TTWIN3\BIN32\TTMREC.DLL
    C:\PROGRAM FILES\TURBOSOFT\TTWIN3\BIN32\TTRUN.DLL
    C:\PROGRAM FILES\TURBOSOFT\TTWIN3\BIN32\TTVER.DLL
    C:\PROGRAM FILES\TURBOSOFT\TTWIN3\BIN32\WANG.DLL

Rootkit.ITGRDEngine
    C:\PROGRAM FILES\TURBOSOFT\TTWIN3\BIN32\TTCOMP.DLL

__________________________________________________________________________________

MBAM

Registry Keys Infected:
HKEY_CLASSES_ROOT\webmedia.chl (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Online Alert Manager (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Value: wxfw.dll -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\ali\local settings\Temp\59E.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\ali\my documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.
c:\documents and settings\ali\my documents\my pictures\my pictures.url (Trojan.Zlob) -> Quarantined and deleted successfully.
c:\documents and settings\ali\my documents\my videos\My Video.url (Trojan.Zlob) -> Quarantined and deleted successfully.

__________________________________________________________________________________
 
CF

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\ali\Local Settings\Temporary Internet Files\viewChanges.html
c:\documents and settings\ali\Start Menu\Programs\System Fix
c:\documents and settings\ali\WINDOWS
c:\documents and settings\All Users.WINDOWS\Application Data\~CsJnaqKKDLC1G2
c:\documents and settings\All Users.WINDOWS\Application Data\~CsJnaqKKDLC1G2r
c:\documents and settings\All Users.WINDOWS\Application Data\CsJnaqKKDLC1G2
c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
c:\documents and settings\Shamsa  Ali\WINDOWS
c:\windows\EventSystem.log
c:\windows\Help\hp1100.hlp
c:\windows\system32\Cache
c:\windows\system32\SET1492.tmp
c:\windows\system32\SET1496.tmp
c:\windows\system32\SET149E.tmp
c:\windows\Update.bat

__________________________________________________________________________________

You can kill System Fix from Task Manager (RKill / RogueKiller not required).
Rootkit/hidden partition/MBR infection NOT included.
The hidden partition you see is part of Dell Utilities.
System Fix places the hidden attribute on the entire OS drive.
__________________________________________________________________________________

Saturday, December 17, 2011

Security Shield 2011 (FakeAV) - 12.17.2011 - Analysis and Removal


This was performed on a live (not Virtual) machine.


RogueKiller

¤¤¤ Bad processes: 1 ¤¤¤
[SUSP PATH] uijultenx.exe -- C:\DOCUME~1\BFF093~1.MAU\LOCALS~1\APPLIC~1\uijultenx.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 3 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : cdloader ("C:\Documents and Settings\B.F. Maupin\Application Data\mjusbsp\cdloader2.exe" MAGICJACK) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-1801674531-706699826-1177238915-1004[...]\Run : cdloader ("C:\Documents and Settings\B.F. Maupin\Application Data\mjusbsp\cdloader2.exe" MAGICJACK) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
__________________________________________________________________________________


SAS

Trojan.Agent/Gen-FakeAlert[Local]
C:\DOCUMENTS AND SETTINGS\B.F. MAUPIN\LOCAL SETTINGS\APPLICATION DATA\UIJULTENX.EXE
__________________________________________________________________________________

Rootkit/hidden partition/MBR infection NOT included
__________________________________________________________________________________

Thursday, December 15, 2011

Windows 7 Internet Security 2012 (FakeAV) -- The Aftermath...

This article also applies to Windows 7 AntiSpyware 2012


These particular FakeAVs aim to break the Windows 7 Firewall as well as scam you out of your financial information -- and they are very successful at both.
Earlier this week at work, I had the pleasure of working on a PC with this infection. I knew beforehand that the Firewall would have been compromised, and it was.

First I tried simply opening the Windows Firewall settings in Control Panel.
This is what I was presented with.
I then opened an elevated Command Prompt window and tried starting the services manually. At this point I was just taking notes...
That's right -- Windows Firewall (MpsSvc) is a non-existent service!
The same is true for the Base Filtering Engine (BFE) service, which the firewall requires in order to work.
The Windows Firewall Authorization Driver (mpsdrv) service appears to be intact; the only change needed is to set it to start automatically when Windows boots.

Normally we could import registry patches for these services exported from a clean Windows 7 computer, but there are permission issues on the following keys:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BFE
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MPSSVC
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MPSDRV\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mpsdrv
Some of the above keys may not even exist.

Once I added "Everyone" with full permission on these keys using regedit.exe, I was able to import the registry patches from a clean Windows 7 computer.

Upon reboot I was able to turn the Windows 7 Firewall on again, as the screenshot below shows.
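As an added example (not part of the original post), this PowerShell script reports the state of the six keys listed above before you touch them: which are missing, which are locked so that even reading the ACL fails, who currently holds Full Control, and the Start type of the service keys. It only reports; the repair is still the one the post describes.

```powershell
# Added example, not from the original post: triage the firewall service keys
# this infection leaves behind. Run from an elevated PowerShell prompt.
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BFE',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MPSSVC',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MPSDRV\0000',
    'HKLM:\SYSTEM\CurrentControlSet\Services\BFE',
    'HKLM:\SYSTEM\CurrentControlSet\Services\MpsSvc',
    'HKLM:\SYSTEM\CurrentControlSet\Services\mpsdrv'
)
# SERVICE_START_TYPE values as stored in Services\<name>\Start.
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) {
        Write-Output ("MISSING   {0}" -f $key)
        continue
    }
    try {
        # Get-Acl fails with an access-denied error on keys whose DACL was stripped.
        $acl = Get-Acl -LiteralPath $key -ErrorAction Stop
    } catch {
        Write-Output ("LOCKED    {0} ({1})" -f $key, $_.Exception.Message)
        continue
    }
    # Principals that currently hold Full Control; after the post's fix "Everyone" appears here.
    $full = @($acl.Access |
        Where-Object { $_.RegistryRights -eq 'FullControl' -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.IdentityReference.Value })
    $line = "PRESENT   {0}`n          owner={1} fullcontrol=[{2}]" -f $key, $acl.Owner, ($full -join ', ')
    # Services\* keys carry a Start value; the Enum\Root keys do not.
    $start = (Get-ItemProperty -LiteralPath $key -Name Start -ErrorAction SilentlyContinue).Start
    if ($null -ne $start) { $line += " start=" + $startNames[[int]$start] }
    Write-Output $line
}
```

A key whose DACL blocks even read access can show up as MISSING rather than LOCKED, so confirm with regedit's Permissions dialog before concluding it is gone. After importing the clean keys, `sc.exe config mpsdrv start= auto` performs the autostart change the post mentions.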

As you can see, malware is always improving and is capable of breaking parts of Windows that should always be secure.

Saturday, November 19, 2011

Protection Center (FakeAV) - 11.19.2011 - Analysis and Removal


====notes====
First it messes with the .exe file association so that you won't be able to run programs.

There are .inf and .reg patches to fix this.
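As an added example (not part of the original post), this PowerShell check reads the .exe file association and reports whether it still points at the stock "exefile" handler with its stock open command. The expected values are the Windows defaults; the per-user HKCU\Software\Classes check goes beyond the note above, since a value there overrides the machine-wide one.

```powershell
# Added example, not from the original post: detect a tampered .exe association.
# Expected values are the stock Windows defaults (an assumption stated in the lead-in).
$expectedCommand = '"%1" %*'

function Get-DefaultValue([string]$path) {
    # Returns the key's (default) value, or $null if the key or value is absent.
    if (-not (Test-Path -LiteralPath $path)) { return $null }
    return (Get-ItemProperty -LiteralPath $path).'(default)'
}

$checks = @(
    @{ Name = 'machine .exe progid';  Path = 'Registry::HKEY_CLASSES_ROOT\.exe';                       Expect = 'exefile' },
    @{ Name = 'per-user .exe progid'; Path = 'Registry::HKEY_CURRENT_USER\Software\Classes\.exe';      Expect = $null },
    @{ Name = 'exefile open command'; Path = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'; Expect = $expectedCommand }
)

foreach ($c in $checks) {
    $actual = Get-DefaultValue $c.Path
    if ($actual -eq $c.Expect) { $status = 'OK' } else { $status = 'TAMPERED' }
    Write-Output ("{0,-9} {1,-22} actual=[{2}] expected=[{3}]" -f $status, $c.Name, $actual, $c.Expect)
}

# If a per-user progid is set, show where it sends every .exe launch.
$userProgId = Get-DefaultValue 'Registry::HKEY_CURRENT_USER\Software\Classes\.exe'
if ($userProgId) {
    $cmd = Get-DefaultValue ("Registry::HKEY_CURRENT_USER\Software\Classes\{0}\shell\open\command" -f $userProgId)
    Write-Output ("per-user override: .exe -> {0}, open command=[{1}]" -f $userProgId, $cmd)
}
```

If the association is broken so badly that powershell.exe itself will not launch, the same checks can be run from the .inf/.reg fix route the note mentions, since regedit and rundll32 do not depend on the .exe handler.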

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Protection Center
HKEY_CURRENT_USER\SOFTWARE\24d1ca9a-a864-4f7b-86fe-495eb56529d8
HKEY_CURRENT_USER\SOFTWARE\7bde84a2-f58f-46ec-9eac-f1f90fead080

Folders Infected:
c:\program files\protection center (Rogue.ProtectionCenter)
c:\windows\csc\d6

Files Infected:
c:\documents and settings\infectedxp\local settings\temp\asd3.tmp.exe
c:\documents and settings\infectedxp\local settings\temp\asd4.tmp.exe
c:\documents and settings\infectedxp\local settings\temp\asd5.tmp.exe
c:\documents and settings\infectedxp\local settings\temp\kernel64xp.dll
c:\documents and settings\infectedxp\local settings\temp\wscsvc32.exe
c:\program files\protection center\cnt.db

has same icon as Zentom System Guard (fakeAV)

if MBAM is installed, it will claim that MBAM is infected and will launch its uninstaller.

====music====
Ensiferum - Victory Song

Saturday, November 12, 2011

System Restore v1.1 (FakeAV) - 11.12.2011 - Analysis and Removal


====notes====
JGFMXz1Ipf65 and JGFMXz1Ipf65.exe in %CommonAppData%

"System Restore" entry in the start menu and an icon on the desktop.

Most likely you will need TDSSKiller, as it appears to install a TDLFS file system and Rootkit.Boot.SST.b, which causes browser redirects.

====music====
Funf D - Counted

Thursday, November 10, 2011

Dorkbot (Worm) - 11.10.2011 - Analysis and Removal


====notes====
Creates a heh.cmd file with the following commands:
ping -n 15 127.0.0.1
taskkill /f /im gagajeje.exe
taskkill /f /im marcia.exe
taskkill /f /im hula.exe
taskkill /f /im official27.exe
taskkill /f /im ev0ga.exe
ping -n 15 127.0.0.1
ev0ga.exe

Creates the following files in user's %appdata%:
13.exe, 14.exe, 15.exe, 16.tmp, 17.exe, Ahiaia.exe.

Creates "kakao2" folder in user %appdata%.

"newmoon15.exe" in startup menu

Creates a c:\documents folder, according to CF.


====music====
Music: Bassnectar - Bass Head (MRK1 remix)

Friday, November 04, 2011

Privacy Protection (FakeAV) - 11.05.2011 - Analysis and Removal


"Privacy Protection" is a fake AV in the same category as "Cloud Protection".

Most likely it will come bundled with a newer variant of the Max++/Sirefef/ZeroAccess rootkit.

Audio: Those Two Guys - 33 Rev (Blake Jarrell and Starkid Mix)

Sunday, October 23, 2011

Security AntiVirus (FakeAV) - 10.22.2011 - Analysis and Removal


This was performed on a Virtual Machine.

Modifies the hosts file.

Some obvious traces missed by MBAM shown.

Security Sphere 2012 (FakeAV) - 10.22.2011 - Analysis and Removal


This was performed on a Virtual Machine.

Zentom System Guard (FakeAV) - 10.20.2011 - Analysis and Removal


This was done on a Virtual Machine on 10.20.2011

It would possibly have included a ZeroAccess driver had I not been on a VM.

Did not find the random RunOnce registry .exe spawns like I wanted to analyze.

Max++/Sirefef/ZeroAccess Rootkit Analysis . Volume III


Testing ESET's removal tool for this infection. Results shown.

Max++/Sirefef/ZeroAccess Rootkit Analysis . Volume II

Max++/Sirefef/ZeroAccess Rootkit Analysis


September 2011 max++/sirefef/zaccess sample used.

ComboFix did warn that TCP/IP was infected as well but I didn't capture that footage unfortunately. The video program I was using must have closed. The same happened when I was testing RKill and RogueKiller. Both were unsuccessful.

Prior to removing any components of infection, here are the results of various tools:

webroot's antiza tool v0.8.0.1 = PASS
tdsskiller v2.6.2.0 = PASS
hitman pro v3.5.9.130 = PASS
aswmbr v0.9.8.986 = FAIL (was shutdown during middle of scan)
ntfsaccess v2.1 = FAIL (did not restore permissions while rootkit was active, restored permissions successfully afterwards)
grantperms v3.3.6.1 = FAIL
rkill (.scr, .com, and .exe versions) = FAIL
roguekiller (winlogon.exe) v6.1.1.0 = FAIL (reports it terminated process, but process is still running in taskmgr)
mbam (mb.exe) v1.51.2.1300 = FAIL (shuts down within ~10 seconds)
sas v5.0.1128 = FAIL (shuts down within ~25 seconds)
processexplorer = FAIL (shutdown immediately after injection)