Zanaffer Posted October 6, 2008

I'm having difficulty with one of my client's machines. It seems to have been infected with some extremely vicious malware. The malware itself is quite subtle. I seek to disable enough of the malware's functions so that my cleanup tools will work. I don't even have a virus name to reference this by at the moment. Here's what it does:

1. It pops up web browser windows in whatever web browser happens to be open. This includes Firefox Portable, interestingly enough.
2. It hides the BHOs from HiJackThis. For this reason, I don't have a virus name, as I am unable to look up the .dlls responsible. Hell, if I could get a name for this malware, I could probably kill it.
3. It prevents any internet traffic to certain sites, including *.symantec.com. I didn't browse long, but one of the customer complaints is that "some web sites don't work," so there is probably a list of sites this malware is blacklisting.
4. It makes safe mode crash during boot, so safe mode is currently unusable.

Tools at my disposal:

1. Symantec Antivirus Corporate and NOD32, installed on separate clean computers. I tried a Symantec scan and it came up with a few files put in there by malware (tdssl.dll in particular) and those were cleaned, but it apparently did not nuke the BHOs' .dll file, as HiJackThis is still crippled.
2. HiJackThis, with enough knowledge to use it, provided the BHOs are accessible.
3. As mentioned above, I have access to two clean computers, both of which have autorun turned off and up-to-date scanners.
4. A flash drive with a write-protect switch.
5. Internet access through a heavily corporate firewall. Additional malware is unlikely to be downloaded when the machine is online.
6. Boot CDs including UBCD4Win, Parted Magic and Ubuntu.

Of course, I could always just nuke the thing, and I probably will anyway to be safe, but this is the first time I've come across something quite this interesting.

I've never seen malware hide the BHOs from HiJackThis before. This is not your typical AntiVirus2008/2009/VistaAntivirus infestation.
NiceCarpet Posted October 6, 2008

Try running SmitFraudFix; more often than not it works on hard-to-remove spyware. Good luck. : )
Reacon Posted October 6, 2008

> Try running SmitFraudFix; more often than not it works on hard-to-remove spyware. Good luck. : )

I would recommend SDFix, but it needs safeboot so...
redvamp128 Posted October 6, 2008

I would also use this tool. It may have blocked your Ctrl-Alt-Del Task Manager, but it probably didn't block this one: http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx (Process Explorer).

Also, I would boot with Ubuntu, mount the drive and check the local locations: temp folders, the user's Start Menu Startup folder, and manually remove the IE temp cache as well. Also check the user's Desktop to see if it has seeded itself as a Desktop Web Page.

Also try running Stinger.exe (not from Ubuntu): http://vil.nai.com/VIL/stinger/
naquis Posted October 6, 2008

I have run into this kind of thing before and have had great luck with Malwarebytes Anti-Malware. I suggest you try it and see if it resolves your issue. If not, please also try SmitFraudFix, SDFix, and ComboFix.
Zanaffer Posted October 6, 2008 (Author)

That would be a good step; however, this particular malware does not look like your usual Vundo variant that SmitFraudFix was designed to tackle. Vundo and its variants all seem to have some sort of fake AV or tuneup or registry cleaner UI that pops up and demands money. I don't see any of that with this particular malware... hence me describing it as "subtle." Another issue is that when I do run SmitFraudFix, I like to do so from Safe Mode, which is currently inaccessible.

EDIT: I forgot to mention that I already cleared out the usual hiding places: the temp folders, and I also looked for suspicious-looking folders or files in the Program Files folder too. Nada.
redvamp128 Posted October 6, 2008 (edited)

Possible from the cmd line: sfc /scannow

Also check the hosts file. It could be as simple as a redirect for all web traffic to their site. You can use Ubuntu for that one; it opens just like a txt file. That hosts file could be the one blocking those websites.

Also try Spybot Search and Destroy: http://www.safer-networking.org/index2.html

Also, a quick edit of the hosts file (if you know the site it is taking them to) could block that site and give you the chance to minimize damage (or redownload) of the software.

Edited October 6, 2008 by redvamp128
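One way to do the hosts-file check suggested above as a script rather than by eye, written here as an added example (not the poster's own code). The vendor name list is an assumption for illustration, and the default path is the live system's file; a copy pulled from a drive mounted under Ubuntu can be passed in instead.

```powershell
# Added example, not from the thread: list hosts-file entries that are not plain loopback
# sink-holes, or that name a security vendor. The vendor patterns are an assumption used
# for illustration; the default path is the live hosts file, but a copy taken off a
# mounted drive can be passed via -Path.
function Find-SuspiciousHostsEntries {
    param(
        [string]$Path = (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'),
        [string[]]$VendorPatterns = @('symantec', 'nai.com', 'eset', 'safer-networking', 'windowsupdate')
    )
    $sinkholes = @('127.0.0.1', '0.0.0.0', '::1')
    foreach ($line in Get-Content -LiteralPath $Path) {
        # Drop trailing comments and skip blank or comment-only lines.
        $text = ($line -split '#', 2)[0].Trim()
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }
        $ip = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            $vendor    = [bool]($VendorPatterns | Where-Object { $name -like "*$_*" })
            $sinkholed = $sinkholes -contains $ip
            # Benign entries normally map to loopback and never mention a vendor domain;
            # a vendor domain pointed anywhere (even at loopback) blocks updates and scans,
            # and a non-loopback target redirects the browser to someone else's server.
            if ($vendor -or -not $sinkholed) {
                [pscustomobject]@{ Ip = $ip; HostName = $name; VendorDomain = $vendor; Sinkholed = $sinkholed }
            }
        }
    }
}

Find-SuspiciousHostsEntries | Format-Table -AutoSize
```

Intranet entries on a corporate build will also show up as non-loopback, so treat the output as a triage list to review rather than a verdict.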
Zanaffer Posted October 6, 2008 (Author)

Very good advice. Thanks for the tip-off to Process Explorer. It may, or may not be, exactly what I'm looking for.
zeroday Posted October 6, 2008

Download Autoruns from MS Sysinternals; it shows stuff that other apps don't show. Look through the DLL lists of things that load; you'll notice the dodgy ones, usually they are random chars in the system32 dir. Delete them, or rename and then delete in safe mode.
dmelanson24 Posted October 6, 2008

I've been cleaning out machines for 3 years, and in that time, Malwarebytes' Anti-Malware is by far the best software I have used. Disable all start-up programs using MSCONFIG, install and run MBAM, remove threats. Boot to safe mode (if possible), update and run MBAM again (as a full scan, not partial), and remove any threats found. You are officially clean. Run an AVG Free scan to ensure safety. PM me with questions/results! Good luck!
White Cuban Posted October 8, 2008

Reformatting is out of the question?
Zanaffer Posted October 10, 2008 (Author)

Oh, thanks for replying, I had forgotten I had made this thread. The computer in question has been reformatted and reinstalled already, but this is after I did defeat the virus. Turns out that, according to NOD32, the malware was a Virtumonde (Vundo) variant. However, I did find out that I could manually browse to the BHOs in the registry using regedit and then look up their corresponding CLSIDs via a simple search; this allowed me to track down the actual DLL file that was loading as a BHO and that prevented HiJackThis from being able to see the BHOs. NOD32 was also able to detect all the copies of the malware that squirreled themselves away inside the Windows folder. The system looked clean; however, there were some funny page rendering problems left in IE which prompted me to wipe and reload the system. Thanks for the hints everyone.
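The manual regedit walk described in this post (BHO key, then CLSID lookup, then the DLL) as a script, added here as an example and not the poster's own code. It reads the registry directly rather than trusting a tool that may be hooked; the extra key locations it checks (Wow6432Node and the per-user HKCU Classes hive, which HKCR silently merges with HKLM) are assumptions about where a BHO or its CLSID can be registered.

```powershell
# Added example, not from the thread: resolve every registered BHO CLSID to the DLL it
# loads, the way the poster did by hand in regedit. Checking HKCU Classes explicitly is
# an assumption worth keeping: a CLSID defined only per-user still resolves through HKCR.
function Get-BhoInventory {
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    $clsidRoots = @(
        'HKLM:\SOFTWARE\Classes\CLSID',
        'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
        'HKCU:\Software\Classes\CLSID'
    )
    foreach ($bhoKey in $bhoKeys) {
        if (-not (Test-Path -LiteralPath $bhoKey)) { continue }
        foreach ($entry in Get-ChildItem -LiteralPath $bhoKey) {
            $clsid = $entry.PSChildName          # subkey name is the {GUID}
            $resolved = $false
            foreach ($root in $clsidRoots) {
                $inproc = Join-Path $root "$clsid\InprocServer32"
                if (-not (Test-Path -LiteralPath $inproc)) { continue }
                $resolved = $true
                $raw    = (Get-ItemProperty -LiteralPath $inproc).'(default)'
                $dll    = [Environment]::ExpandEnvironmentVariables([string]$raw)
                $onDisk = Test-Path -LiteralPath $dll
                # Unsigned, oddly named or missing DLLs are the ones to examine first.
                $sig = if ($onDisk) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'missing' }
                [pscustomobject]@{
                    RegisteredUnder = $bhoKey
                    CLSID           = $clsid
                    ClsidDefinedIn  = $root
                    Dll             = $dll
                    OnDisk          = $onDisk
                    Signature       = $sig
                }
            }
            # A BHO entry whose CLSID has no InprocServer32 anywhere is itself worth a look.
            if (-not $resolved) {
                [pscustomobject]@{
                    RegisteredUnder = $bhoKey; CLSID = $clsid; ClsidDefinedIn = 'none'
                    Dll = ''; OnDisk = $false; Signature = 'unresolved'
                }
            }
        }
    }
}

Get-BhoInventory | Sort-Object Signature, Dll | Format-Table -AutoSize
```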