Saturday, March 31, 2012

Gimemo - France - Gendarmerie Nationale (Ransom Trojan) - 04.01.2012 - Analysis and Removal


HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows|Load
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon|Userinit
"C:\WINDOWS\system32\09AE2D586052AD446FE6.exe," [53760 2012-03-31] (nJin
IMEO\msconfig.exe: [Debugger] P9KDMF.EXE
IMEO\regedit.exe: [Debugger] P9KDMF.EXE
IMEO\taskmgr.exe: [Debugger] P9KDMF.EXE

HKU\owner\...\Policies\system: [DisableRegistryTools] 1
HKU\owner\...\Policies\system: [DisableRegedit] 1

2012-03-31 18:48 - 2012-03-01 03:26 - 0960056 ____A C:\Windows\System32\winsh324
2012-03-31 18:48 - 2012-03-01 03:26 - 0960056 ____A C:\Windows\System32\winsh320
2012-03-31 18:48 - 2012-03-01 03:08 - 0960056 ____A C:\Windows\System32\winsh323
2012-03-31 18:48 - 2012-03-01 03:07 - 0960056 ____A C:\Windows\System32\winsh322
2012-03-31 18:48 - 2012-03-01 03:07 - 0960056 ____A C:\Windows\System32\winsh321


Thursday, March 29, 2012

GEMA - Germany (Ransom Trojan) - 03.29.2012 - Analysis and Removal

 Once you are infected with GEMA, you will be prompted a white screen with text that reads:
"Please wait while the connection is beeing established."
and then the German translation...
Do not bother trying Safe Mode(s), they will not work. You need to boot using a CD or slave the hard drive to a working computer to remove one file and a few bad registry values.

I used Farbar's Recovery Scan Tool (FRST) for this.
 Here are the items that need fixing:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\K3aRyluP6SiCkoR Value deleted successfully.
HKEY_USERS\owner\Software\Microsoft\Windows\CurrentVersion\Run\\K3aRyluP6SiCkoR Value deleted successfully.
HKEY_USERS\owner\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DisableTaskMgr Value deleted successfully.
HKEY_USERS\owner\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DisableRegistryTools Value deleted successfully.
HKEY_USERS\owner\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit Value deleted successfully.
HKEY_USERS\owner\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value deleted successfully.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit Value was restored.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell Value was restored.
C:\Documents and Settings\owner\Application Data\flint4ytw.exe moved successfully.
The tool does not fix everything that needs to be corrected, but from here you can at least open Explorer again and the Please wait while the connection is beeing established screen is gone.

Even though you are still somewhat limited due to no desktop icons, you will be able to launch Windows Explorer so you can launch Malwarebytes' Anti-Malware.

Registry Data Items Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoDesktop (PUM.Hidden.Desktop) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
Even after MBAM repaired this item and I rebooted, I was still missing my desktop icons.

I simply right-mouse clicked anywhere on the desktop and selected "Show Desktop Icons".
After that, everything was back to normal :-)
Misc notes:
You will be unable to right-mouse click the desktop and receive the pop-up menu until the above policy (NoDesktop) is fixed.

Update: April 28th, 2012 || file name is changed to ram_reserver64.exe (VirusTotal) Same location as listed above.

Update: May 5th, 2012 || file name is changed to itunes_service01.exe (VirusTotal) Same location as listed above.

Update: May 5th, 2012 || file name is changed to itunes_service86.exe (MajorGeeks) Same location as listed above.

Update: May 15th, 2012 || file name is changed to BSI.bund.exe (VirusTotal . MajorGeeks) Same location as listed above.

Thursday, March 15, 2012

Panda Security Creates ZeroAccess Cleaning Tool (Yorkyt.exe) - Removes Abnow Redirect

Panda Security has created an AntiZeroAccess tool that works very well compared to others I have tested in the past.

In fact, it practically removed every trace of ZeroAccess minus 2-3 dormant files. What really impressed me was that it was able to delete the heart of ZeroAccess, the $NtUninstallKBXXXXX$ folder.

I am posting my results from the scans and information I was able to gather.
I used a dropper from early March which fakes sys32 .DLLs using the Company Name: Iomega.

More details about this specific variant here in a previous post of mine.

After injection, I verify that I will be redirected to abnow after searching for anything in Google.

In this example, I wanted to try to get to the MajorGeeks website via Google.

I am being redirected to abnow.

Start looking for bad service and netsvcs data value using Autoruns.
Results in the screen to the right:

Excerpt from yorkyt.exe.log

2012-03-15 17:16:39: Bad Service: system32\csctl50.dll
2012-03-15 17:16:39: Found Service: Packet
2012-03-15 17:16:39: Display Name: AFGMp50
2012-03-15 17:16:39: Description: New service would allow parents to control their children's online activity.
2012-03-15 17:16:39: ServiceDLL: %systemroot%\system32\csctl50.dll
2012-03-15 17:16:39: MD5: B89CFBE8CB247B57D8C10ADAA66B462B (VT)
Start disinfection using yorkyt.exe

Yes, reboot

The tool does not actually delete the service. Instead, it "breaks" the service by changing the ServiceDll value of the service into a .DLL that does not exist.

This prevents the service from being able to run or start again.

For example, the tool changed the ServiceDll value of Packet to csctl50.dll.bad when it was previously csctl50.dll. See Below:

After the 2nd reboot

Finished! Now let's verify.

No longer getting redirected :-)



Files Detected: 3
C:\WINDOWS\system32\csctl50.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb (Rootkit.Zeroaccess) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\temp\{E9C1E1AC-C9B2-4c85-94DE-9C1518918D02}.tlb (Rootkit.Zeroaccess) -> Quarantined and deleted successfully.

"C:\Documents and Settings\thisisu\Local Settings\Application Data\"
02E7ABF0      Mar 15 2012              "02e7abf0" -> Empty folder

SRV - File not found [Auto | Stopped] -- %systemroot%\system32\csctl50.dll.bad -- (Packet)
NetSvcs: Packet - %systemroot%\system32\csctl50.dll.bad File not found

Does not hurt to leave these broken entries, but I would recommend actually deleting both the non-functioning service and NetSvcs data value.
Misc notes:

The entire contents of the folder were removed by Panda Security's Yorkyt.exe. Impressive!

>>> Full Yorkyt.exe log here. <<<
>> Download Yorkyt.exe here. <<

Thursday, March 08, 2012

Best Virus Protection (FakeAV) bundled with RLoader (Rootkit) - 03.08.2012 - Analysis and Removal

This was performed on a virtual machine.
Looks similar to Microsoft Security Essentials, a legitimate antivirus.

It is not very aggressive.

Here is one of the alerts to the right:


¤¤¤ Bad processes: 1 ¤¤¤
[SUSP PATH] BV88e.exe -- C:\Documents and Settings\All Users\Application Data\4be81\BV88e.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 780 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : Best Virus Protection ("C:\Documents and Settings\All Users\Application Data\4be81\BV88e.exe" /s /d) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-515967899-484763869-854245398-1003[...]\Run : Best Virus Protection ("C:\Documents and Settings\All Users\Application Data\4be81\BV88e.exe" /s /d) -> FOUND
[] HKLM\[...]\Windows :  () -> ACCESS DENIED
[IFEO] HKLM\[...]\Image File Execution Options : a.exe (svchost.exe) -> FOUND
[IFEO] HKLM\[...]\Image File Execution Options : aAvgApi.exe (svchost.exe) -> FOUND
[IFEO] HKLM\[...]\Image File Execution Options : AAWTray.exe (svchost.exe) -> FOUND
[IFEO] HKLM\[...]\Image File Execution Options : About.exe (svchost.exe) -> FOUND
Many more IFEO entries...

19:33:12.0787 2416    ACPI            (d8fb7d1c3f5bfa3f53fe9cc6367e9e99) C:\WINDOWS\system32\DRIVERS\ACPI.sys
19:33:12.0797 2416    Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ACPI.sys. Real md5: d8fb7d1c3f5bfa3f53fe9cc6367e9e99, Fake md5: 8fd99680a539792a30e97944fdaecf17
19:33:12.0797 2416    ACPI ( Virus.Win32.Rloader.a ) - infected
19:33:12.0797 2416    ACPI - detected Virus.Win32.Rloader.a (0)

19:34:04.0641 2408    C:\WINDOWS\system32\DRIVERS\ACPI.sys - will be cured on reboot
19:34:04.0641 2408    ACPI ( Virus.Win32.Rloader.a ) - User select action: Cure


Registry Values Detected: 16
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|0 (Security.Hijack) -> Data: msseces.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|1 (Security.Hijack) -> Data: MSASCui.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|2 (Security.Hijack) -> Data: ekrn.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|3 (Security.Hijack) -> Data: egui.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|4 (Security.Hijack) -> Data: avgnt.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|5 (Security.Hijack) -> Data: avcenter.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|6 (Security.Hijack) -> Data: avscan.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|7 (Security.Hijack) -> Data: avgfrw.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|8 (Security.Hijack) -> Data: avgui.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|9 (Security.Hijack) -> Data: avgtray.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|10 (Security.Hijack) -> Data: avgscanx.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|11 (Security.Hijack) -> Data: avgcfgex.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|12 (Security.Hijack) -> Data: avgemc.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|13 (Security.Hijack) -> Data: avgchsvx.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|14 (Security.Hijack) -> Data: avgcmgr.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun|15 (Security.Hijack) -> Data: avgwdsvc.exe -> Quarantined and deleted successfully.

HKCR\SOFTWARE\Microsoft\Internet Explorer\SearchScopes|URL (Hijack.SearchPage) -> Bad: (hxxp://{searchTerms}) Good: (hxxp://{searchTerms}&{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}) -> Quarantined and repaired successfully.

Files Detected: 5
C:\Documents and Settings\All Users\Application Data\4be81\BV88e.exe (Rogue.PersonalSecuritySentinel) -> Quarantined and deleted successfully.
C:\Documents and Settings\thisisu\Desktop\Best Virus Protection.lnk (Rogue.BestVirusProtection) -> Quarantined and deleted successfully.
C:\Documents and Settings\thisisu\Application Data\Microsoft\Internet Explorer\Quick Launch\Best Virus Protection.lnk (Rogue.BestVirusProtection) -> Quarantined and deleted successfully.
C:\Documents and Settings\thisisu\Start Menu\Programs\Best Virus Protection.lnk (Rogue.BestVirusProtection) -> Quarantined and deleted successfully.
C:\Documents and Settings\thisisu\Start Menu\Best Virus Protection.lnk (Rogue.BestVirusProtection) -> Quarantined and deleted successfully.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
c:\documents and settings\thisisu\Application Data\Best Virus Protection
c:\documents and settings\thisisu\Application Data\Best Virus Protection\Instructions.ini
c:\documents and settings\thisisu\Recent\ANTIGEN.dll
c:\documents and settings\thisisu\Recent\CLSV.dll
c:\documents and settings\thisisu\Recent\CLSV.tmp
c:\documents and settings\thisisu\Recent\delfile.dll
c:\documents and settings\thisisu\Recent\eb.tmp
c:\documents and settings\thisisu\Recent\energy.drv
c:\documents and settings\thisisu\Recent\fix.drv
c:\documents and settings\thisisu\Recent\PE.dll
c:\documents and settings\thisisu\Recent\PE.exe
c:\documents and settings\thisisu\Recent\PE.tmp
c:\documents and settings\thisisu\Recent\runddlkey.exe
c:\documents and settings\thisisu\Recent\SICKBOY.drv
c:\documents and settings\thisisu\Recent\sld.dll
c:\documents and settings\thisisu\Recent\sld.sys

"C:\Documents and Settings\All Users\Application Data\"
4BE81         Mar  8 2012              "4be81"
BVVJIFP       Mar  8 2012              "BVVJIFP" -> BVNYP.cfg

 Directory of C:\Documents and Settings\All Users\Application Data\4be81

03/08/2012  07:24 PM             4,286 BVP.ico
03/08/2012  07:24 PM    <DIR>          BVPSys
03/08/2012  07:24 PM    <DIR>          Quarantine Items
               1 File(s)          4,286 bytes

"C:\Documents and Settings\thisisu\Desktop\"
525.mof       Mar  8 2012         340  "525.mof"
BVPSYS        Mar  8 2012              "BVPSys"
QUARAN~1      Mar  8 2012              "Quarantine Items"
Misc notes:

Adds its own entry to the Security Center cache / WMI.

Use Windows Repair by -> Repair WMI to fix. __________________________________________________________________________________

Tuesday, March 06, 2012

ZeroAccess Authors Are Now Faking Company Name: Iomega

In a previous post I mentioned that ZeroAccess authors were faking the Company name: Oak Technologies Inc. Well, they have changed who they want to disguise their malicious .dll files to the company Iomega. Oak Technologies Inc. will still be used but be prepared to start looking out for files with the company name Iomega as well.

I decided to give HitmanPro a go on this one to see how effective it is versus this variant of ZeroAccess. Here are my results. Please note, I am not trying to insinuate anything here. I am a fan of the HitmanPro staff and am subscribed to their blog which I read daily. I am simply posting my results from this one encounter. That is all. Your results my vary.

HitmanPro did detect the .dll in system32 which is great. I was really interested to see if it would also be able to find and remove the service (WavxDMgr) and netsvcs data value (WavxDMgr) associated with symlcbrd.dll (VT).

Unfortunately that was not the case as I had to remove the broken NetSvcs entry and Service myself after the reboot.

Not all bad news though as HitmanPro was also able to find out that cdrom.sys was patched by ZeroAccess and a folder with some ZA related files.

I believe the authors of these tools have the skills needed to program practically anything they wish but are likely taking a cautious approach to this variant -- at least until more information is gathered about it. I am sure they realize that deleting drivers, services, and items from the registry is risky in general. This is relatively new variant and I am sure a lot of testing is involved before updated tools are released to the public.

Infections like these quite often lead to BSODs and other startup issues if not properly disinfected.

Saturday, March 03, 2012

Windows 8 Consumer Preview - Windows Smart Partner (FakeAV) - 03.03.2012 - Analysis and Removal

This is the new Metro UI in Windows 8

I figured I should start experimenting with Windows 8. What better way to learn Windows 8 than infecting the OS with a Fake Antivirus and then removing it? :-D

I did disable Windows Defender before I was able to get infected. Windows Defender was actually blocking my previous attempts to get infected :-) So far I am impressed with the new Windows Defender considering these were some of the latest droppers I could find.

Here is the main GUI of Windows Smart Partner. It is in the same family as Windows Telemetry Center and Windows Functionality Checker
It creates hundreds (700+) of bad entries in the following key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\currentversion\image file execution options

I did try to turn on Windows Defender after I had gotten infected but it simply did not open. I did not receive any error message at all.
Keep in mind, that this type of infection prevents you from using Task Manager. The only Task Manager you will be able to launch is the FakeAV's version of Task Manager, at least until its process is stopped.
I didn't have any tools handy but noticed I was able to launch Command Prompt even while the FakeAV was present.

From here I was able to find out which processes were running and kill the malicious one. In this case, it was Protector-bst.exe.

The taskkill command is still present in Windows 8 and works the same way as in previous versions of Windows.
So the process is stopped therefore I have some control over the OS again. Now I can find and delete Protector-bst.exe. The last 3 letters of the file name (Protector-bst.exe) are randomized.
For purposes of showing you what Explorer looks like in Windows 8, I hunted it down using Explorer.
You will be able to delete it as long as the process is stopped beforehand.
Note: result.db is also related to this infection and ones similar to it. Therefore, it should be deleted.
A new feature in Windows 8 is that when you press the Delete key now, you are no longer prompted with the "Are you sure you want to delete the selected item?" message. Pressing Delete now sends the item directly to the Recycle Bin without any warning prompt.


Registry Keys Detected: 753
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe (Security.Hijack) -> Quarantined and deleted successfully.
Hundreds more...

Registry Values Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegedit (Hijack.Regedit) -> Data: 0 -> Quarantined and deleted successfully.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run|Inspector (Trojan.FakeAlert) -> Data: C:\Users\thisisudax\AppData\Roaming\Protector-bst.exe -> Quarantined and deleted successfully.

Files Detected: 2
C:\Users\thisisudax\AppData\Local\Temp\RarSFX0\temp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Smart Partner.lnk (Rogue.WindowsSmartPartner) -> Quarantined and deleted successfully.

Full log here: