Malware Analyzing And Removing
ShadowFiend
Group: Member
Posts: 6,192
Joined: Dec 13 2010
Gold: 6,669.99
Sep 18 2011 08:46am
In this blog, I'll be testing random computer malware and also giving a small guide on how to remove each specific infection.
Why am I doing this? Because it's fun and I learn a lot :)
All posts are approved by RewTheBrave before posting for security purposes.

Malware name: trojan SpyEye
Newest version detection rate: 6/44
Detected by Malwarebytes: Yes
Difficulty of removal once installed: llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll


Introduction:

This botnet opens a backdoor to steal your passwords and banking information.
With the backdoor, the attacker can also execute a list of commands.
It is usually installed on a computer by an exploit on malicious sites.
SpyEye is one of the most popular botnets at this time.
This botnet injects itself into other processes and hooks itself into your browser to monitor your HTTPS traffic.


Symptoms:

None


Files created:

C:\"random"\Config.bin (hidden rootkit)
C:\"random"\"random".exe (hidden rootkit)
Some popular names include usxxxxxxx.exe, recycle.bin, cleansweep.exe, windowseep.exe and syscheckrt.exe (the name of the folder is usually the same as the executable, even with the .exe at the end).


Registry key created:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"random".exe (hidden rootkit)
{c:\"random"\"random".exe}


Removal:

Removal is quite simple: Malwarebytes can detect most variations of this malware and remove it successfully.
Download it here:
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
Run the quick scan, click on "Remove selected items", then restart your computer.

If Malwarebytes doesn't remove it or can't detect it, try the following:
Download gmer.exe here:
http://www.gmer.net/
We will need GMER to view the hidden files and registry key.
Run the program and wait until it finishes its quick scan at start.
Click on the > > > tab, then on the Files tab.
Go to your C:\ drive and there should be a red folder. Double click on it and there should be 2 red files; click on them and then click on Delete.
Then click on the Registry tab and locate the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
On the right side, there should be a red key. Double click it to modify the content, delete the path and leave it empty, then press OK and click on Save.
Restart your computer and you'll be able to see the folder in your C:\ drive with Explorer; simply delete it.
(If you still can't see the folder, go to Start - Control Panel - Folder Options - View - Show hidden files and folders.)
Then click on Start - Run and type regedit.
Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
Right-click the key on the right created by SpyEye and delete it.


Tips:

Since this malware steals your banking passwords, it's always good to change your passwords and to contact your bank if you've used your credit card on that computer.

It's very hard to know whether or not you have this malware on your computer; one of the methods to confirm is to try to create a folder with one of the names above in your C:\ drive.
If it gives you an error saying a folder with that name already exists but you can't see it, you're probably infected with SpyEye.

This post was edited by Sgull on Mar 25 2012 07:31pm
ShadowFiend
Sep 18 2011 10:46am
Malware name: Rootkit ZeroAccess (AKA Max++)
Newest version detection rate: 36/44 (virustotal) - High detection rate
Detected by Malwarebytes: Yes
Difficulty of removal once installed: llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll (extremely hard)

Rated the most dangerous rootkit of 2011.
Once installed, it's very hard to detect and to remove successfully.
This rootkit gets installed by drive-by-downloads.

ZeroAccess creates a backdoor to allow a hacker access to your computer so he can install more malware (fake anti-viruses, keyloggers, ransomware, etc.), and it also steals your information.
In addition to that, it does exactly what its name says: it gives the user ZERO ACCESS to his own computer!
It may also corrupt your TCP/IP stack, which will make your internet connection unavailable.
These 2 payloads are usually triggered when scanning with an anti-virus or anti-malware program (from what I saw while testing).
It also redirects your search engine to other malicious sites.

It has the following capabilities:
Modern persistence hooks into the OS – Make it very difficult to remove without damaging the host OS
Ability to use low-level API calls to carve out new disk volumes totally hidden from the infected victim, making traditional disk forensics impossible or difficult.
Sophisticated and stealthy modification of resident system drivers to allow for kernel-mode delivery of malicious code
Advanced Antivirus bypassing mechanisms.
Anti Forensic Technology – ZeroAccess uses low level disk and filesystem calls to defeat popular disk and in-memory forensics tools
Serves as a stealthy platform for the retrieval and installation of other malicious crimeware programs
Kernel level monitoring via Asynchronous Procedure Calls of all user-space and kernel-space processes and images, and ability to seamlessly inject code into any monitored image

Alright, let's start :)

Once executed, it opens explorer.exe with the command line 00000038 (the backdoor).
After a few seconds, Process Explorer closed itself and I was unable to reopen it (as expected, caused by this rootkit).
explorer.exe (the new one) creates a backdoor using TCP to connect to the hacker.


It creates a hidden file in C:\Windows\ called 999346029:2452647876.exe
That file is executed by services.exe (legit file).

ZeroAccess will also disable almost all usage of programs. If you try to execute a program, this error message will pop up:

It will also make anti-viruses useless by corrupting their services. (It corrupted my Avast; it no longer works.)

This rootkit then creates a hidden volume called \\?\C2CAD972#4079#4fd3#A68D#AD34CC121074\L\
and stores 2 malicious files called:
B48DADF8.sys
max++.00,x86.dll - hence the name Max++ for this rootkit


Removal:

The only way to remove this threat is with removal programs; it's simply impossible to remove it manually.

GMER detects this infection, although it cannot remove it.
TDSSKiller detects this infection and successfully removes it (only the infected driver/service; I don't know if it detects the newly created volume).

As you can see, the hidden service is actually the file in C:\Windows. (Make sure to delete this object and not skip it with TDSSKiller.)
ZeroAccess infected the legit service MRxSmb in this case (it picks one at random). If you manually delete this file, your computer may crash and not recover. This is why you need a removal tool.

UnHackMe detects this infection and successfully removes it, although it is quite difficult to use: you may delete legitimate files in the process if it is not used correctly. You may need to pay to remove the infection with this program.

aswMBR.exe detects some variations of this rootkit and can remove them.

Malwarebytes, Sophos Anti-Rootkit, HijackThis, Norton, MSE, Kaspersky, Avast, NOD32, Spybot, DSS, OTL, SUPERAntiSpyware, spywarebuster, Hitman Pro 3.5, ComboFix, etc. didn't detect any presence of it (when installed).
In the newer versions of this rootkit, TDSSKiller and GMER fail to detect it.

I tested this virus on my virtual machine, did all the removal steps and I'm still having secondary symptoms of this rootkit that I am unable to fix. I may have to reformat :cry:
It deleted/corrupted my mouse driver for some reason :/

This is the reason why you should ALWAYS have an active anti-virus on your computer: the detection rate is very high when it's trying to install on your computer.
ShadowFiend
Sep 22 2011 07:21am
Malware name: XP security 2012
Detection rate: 32 / 44 (72.7%) - Tested with an old sample of this malware, detection is much lower with newer versions.
Detected by Malwarebytes: Yes
Difficulty of removal once installed: llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll

XP Security 2012 goes by many different names, but they all do the same thing and the removal is the same.
For example, XP Total Security 2012 / XP Internet Security 2012 / XP Home Security 2012 / XP Anti-Virus 2012 / XP Anti-Spyware 2012 are all the same, including the same removal procedure.
"XP" will be replaced by Vista/Windows 7 depending on your operating system. In my case, I was using Windows XP.

This type of infection is called a rogue anti-virus or rogue security software.
What this means is that it tries to look like a real anti-virus by doing a fake scan of files that are not even on your computer and saying that they contain viruses/worms/keyloggers, etc.
It may also give you a lot of scary error messages, which you should ignore.
This program is not used to destroy your computer or to steal your information, but rather to make you pay for their product by scaring the user. If you pay for this rogue anti-virus, your credit card details might also be given to them.

You might think, who would fall for that?...
Well, a similar rogue anti-virus company got caught a couple of months ago, and the FBI announced that there were almost 1 million victims in just a couple of months. They made over 72 million dollars from this scam.

Here are a couple of screenshots that I took to show how real the program and error messages look.
If you see these messages on your screen, you may be infected with this rogue anti-virus.
Note that these are all fake threats; you are not infected with what is displayed by this rogue anti-virus.




This malware is usually downloaded from a drive-by-download or from a fake scanning page (that displays fake error messages and virus detections), which scares the user into downloading the malware.

Once executed, it creates a file in C:\Documents and Settings\Administrator\Local Settings\Application Data called (3 letters).exe
(3 letters) refers to 3 random letters that the program chooses; in my case, it was ixg.exe.

In the same folder, it creates a hidden system file called 7024x36o5578s5su2h

The reason why it's a bit hard to remove this malware is that it blocks executable files (.exe) by modifying the Shell Open registry value.
This means that every time you try to open an executable file, it will open ixg.exe instead.

It also modifies registry keys for your firewall (disables it), automatic updates (disables them) and virus protection (disables notifications; your anti-virus will still work properly).



Removal:

Malwarebytes removes this infection quite easily, but... since it disables .exe files, you probably won't be able to open Firefox/Internet Explorer/Chrome, etc. to download Malwarebytes (or, if you already have it downloaded, you won't be able to execute it).
Therefore, we will need another way to access the programs.

First of all, we will need to access Folder Options.
(Windows XP) Open Explorer and click on Tools - Folder Options.
(Windows Vista/7) Open Control Panel and click on Folder Options.
Then click on the View tab and uncheck "Hide extensions for known file types".

After this, find the file path of your internet browser.
Example: C:\Program Files\Mozilla Firefox (for Firefox)
C:\Program Files\Internet Explorer (for IE)
etc...

Once you've located the file path, right-click on the browser you wish to open and rename it to (browser name).COM (note: you have to change .exe to .com).
Press Enter; it will display an alert message; press OK.
Double click (browser name).com to execute it; it will work the same as a .exe file.

Download Malwarebytes Anti-Malware (or your anti-spyware of choice):
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

Since Malwarebytes is also an executable, we will need to change the file type to .com by following the same steps as above.
Find the file path, rename MBAM.exe to MBAM.com, then open it and do the full scan.

Make sure to rename all the files you've changed from .com back to .exe.

Since executables don't work even in Safe Mode, there aren't many methods for fixing this problem.



Extra tips and tricks:

You are still able to open Task Manager by pressing Ctrl+Alt+Del if you feel the constant pop-ups are annoying you.
After you've opened Task Manager, go to the Processes tab and end the task of the program (make sure it's the right one; there are a few legit programs with 3-letter names).
Every time you open an executable, it will reopen the malware; make sure to follow the removal steps to fix this.

If you or your anti-virus deleted the rogue (3-letter file name).exe and each time you open an executable it gives you a list of programs to choose from, follow the removal instructions provided above; Malwarebytes Anti-Malware will fix this problem.

NEVER believe anything that this program tells you. If it says you're infected with a virus, make sure it's your own anti-virus telling you this.
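Added example (editor's code, not part of ShadowFiend's post): a Python triage for the .exe association hijack described above. The stock values it compares against, HKCR\.exe = exefile and HKCR\exefile\shell\open\command = "%1" %*, are standard Windows defaults, not taken from the post. The sample export below is constructed, modelled on the post's ixg.exe, and the -a switch in it is an assumption about how the rogue inserts itself. On the infected machine, export the real key with reg export HKCR\exefile exefile.reg once you have a working command prompt (the .com rename trick from the post gets you one) and point the functions at that file; it runs offline on any Python 3.

```python
import re

# Stock Windows associations (standard values, not from the post).
CLEAN_EXE_ASSOC = "exefile"
CLEAN_EXEFILE_COMMAND = '"%1" %*'

# Constructed sample of `reg export` output from an infected XP box; the rogue's
# path is modelled on the post's ixg.exe and the "-a" switch is an assumption.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\ixg.exe\" -a \"%1\" %*"
'''


def exefile_hijacked(command_value):
    """True when the exefile open command is anything but the stock '"%1" %*'."""
    return command_value.strip() != CLEAN_EXEFILE_COMMAND


def hijacker_path(command_value):
    """Executable the hijacked command launches first, or None if the value is clean."""
    if not exefile_hijacked(command_value):
        return None
    m = re.match(r'\s*"?(.+?\.exe)"?(\s|$)', command_value, re.IGNORECASE)
    return m.group(1) if m else command_value.strip()


def parse_reg_defaults(reg_text):
    """Map each [KEY] in a regedit export to its (Default) value, unescaping \\ and \"."""
    defaults, key = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('@="') and line.endswith('"'):
            defaults[key] = re.sub(r"\\(.)", r"\1", line[3:-1])
    return defaults


def triage_reg_export(reg_text):
    """Findings about the .exe association in an exported .reg file (empty list = clean)."""
    d = parse_reg_defaults(reg_text)
    findings = []
    assoc = d.get(r"HKEY_CLASSES_ROOT\.exe")
    if assoc is not None and assoc.lower() != CLEAN_EXE_ASSOC:
        findings.append(f".exe mapped to {assoc!r} instead of {CLEAN_EXE_ASSOC!r}")
    cmd = d.get(r"HKEY_CLASSES_ROOT\exefile\shell\open\command")
    if cmd is not None and exefile_hijacked(cmd):
        findings.append(f"exefile open command runs {hijacker_path(cmd)}")
    return findings


def restore_reg_file():
    """Body of a .reg file that puts the stock association back; import it with
    regedit once executables run again (or from the renamed-to-.com workaround)."""
    return "\r\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        r"[HKEY_CLASSES_ROOT\.exe]",
        f'@="{CLEAN_EXE_ASSOC}"',
        "",
        r"[HKEY_CLASSES_ROOT\exefile\shell\open\command]",
        '@="' + CLEAN_EXEFILE_COMMAND.replace('"', '\\"') + '"',
        "",
    ])


if __name__ == "__main__":
    for finding in triage_reg_export(SAMPLE_EXPORT):
        print("FINDING:", finding)
    print(restore_reg_file())
```

The .com rename in the post works because .com files are dispatched through HKCR\comfile, whose open command the rogue leaves alone; importing the text from restore_reg_file() puts the exefile handler back so the renaming is no longer needed, and triage_reg_export() on a fresh export should then return an empty list.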
ShadowFiend
Sep 26 2011 07:30am
Malware name: Trojan Sinowal / Mebroot
Newest version detection rate: 10 / 44 (22.7%)
Detected by Malwarebytes: Yes
Difficulty of removal once installed: llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll

This malware is used to steal banking information by creating a backdoor for the attacker.
It uses rootkit abilities to hide itself on your computer (it infects the MBR).
It's becoming more and more popular on the internet (which is very bad).
One more bad thing is that it's currently fully undetected by Avast, Microsoft Security Essentials and NOD32. A lot of computer users are using these anti-viruses.

Since 2008, it has stolen more than 500,000 online bank accounts and credit card details.

This malware is installed on your computer by drive-by-downloads and by fake codecs/plugins.
To prevent this malware from installing on your computer, you should always keep your browser, add-ons and anti-virus programs up to date, and do not download plugins/codecs from unknown sites.



Once the malware has been executed (my analysis is from a drive-by-download), it opens regsvr32.exe (legit program) with the command line: "C:\Windows\system32\regsvr32.exe" -s C:\.dll
It also creates the file .dll in your C:\ directory (there's no file name, only the extension).
It creates 3 temp files (names may vary):
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\14.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\15.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\18.tmp

It infects a random driver file (or multiple) in your C:\Windows\system32\drivers folder.
In my case, it was nsv42.sys.
It also uses (but doesn't infect) disk.sys.

For some odd reason, it only infects your MBR (Master Boot Record) after ~50 minutes, which it could do in a few seconds; I find this quite odd. Probably another method to bypass detection?
I haven't researched this completely yet; I'll have to do it when I have more time. If I find something interesting, I'll update my post.


Removal:

To remove the MBR infection, you can use the fixmbr command on your Windows recovery CD.
1. Insert the Windows XP CD into your CD drive and restart your computer. If you are prompted, select any options required to start (boot) from the CD.
2. Select the repair or recover option by pressing R.
3. When you are prompted, type the Administrator password.
4. At the command prompt, type FixMBR

Even if you fix the MBR, it's always good to do additional scans with your anti-virus and anti-malware programs to make sure that it's 100% removed.

If you do not have the Windows recovery CD, you'll have to fix the MBR using an anti-malware tool.

aswMBR (from Avast) detects and can fix the infected MBR.
Download it here:
http://public.avast.com/~gmerek/aswMBR.htm
Explanations on how to use the program are on the site.

TDSSKiller can also remove the rootkit.
Download it here:
http://support.kaspersky.com/faq/?qid=208280684

If successful, TDSSKiller should detect this:

If so, make sure it cures the item, then restart your computer.

Do a complete scan with your current anti-virus and do a scan with Malwarebytes Anti-Malware.

Since this is a rootkit, you cannot delete the files manually, and some variants of Sinowal are undetected by TDSSKiller and aswMBR. If this is the case and you don't have your recovery CD, you'll need other programs to remove the infection.

Other programs may include:
GMER anti-rootkit
Sophos Anti-Rootkit
UnHackMe
And most anti-viruses can scan the MBR to see if it's infected.

Tips:

If you've been infected by this malware or any malware that steals your personal information, it's always best to disconnect your computer from the internet so no further information will be sent to them.
Since it's hard to detect the presence of this malware, it's always good to do a quick scan with your anti-virus and anti-malware once every few days or weeks.
If a site asks you to download a plugin/codec to view a video or to do something else, make sure to download that plugin/codec from the official site.
Make sure that your add-ons and browser are up to date to prevent drive-by-downloads from targeting your computer.
ShadowFiend
Oct 4 2011 02:00pm
Malware name: Win32/Ramnit
Detection rate: 41 / 44 (93.2%) - old version; newer versions have a lower detection rate
Detected by Malwarebytes: Yes
Difficulty of removal once installed: llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll
Symptoms: Lag spike every ~30 seconds, files not working properly.



This malware is considered a cocktail infection.
Ramnit is comprised of many different types of malware.

The first part is a backdoor which connects to the hacker. Using this backdoor, the hacker can install anything on your computer or use it to steal your information.
The second part is a rootkit which allows the hacker to hide the installed malware from the backdoor.
The third part is a file infector whose purpose is to damage as many files as it can in order to keep control of your system.

Because of this, the infection is very hard to remove.



There are many different variations of this malware, I will be testing the variation Ramnit.F.

Once the file has been opened, it creates 2 browser processes (your default browser). In my case, it was Firefox.
The browsers are used to create the backdoor to connect to the hacker.

After this, it created a folder called C:\Program Files\jFUoTnea(Úñ~Ìjvumlstn.exe
In that folder, there was a hidden file called jvumlstn.exe (I used gmer.exe to view the file).

It modifies the Userinit value in the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Original value: C:\WINDOWS\system32\userinit.exe,
Modified value: C:\WINDOWS\system32\userinit.exe,,C:\Program Files\jFUoTnea(Úñ~Ìjvumlstn.exe\jvumlstn.exe

The file infector (jvumlstn.exe) injects malicious code into every .exe, .dll, .html and .htm file (the process is hidden).
For the .html and .htm files, it injects a VBScript, which is almost useless because it will be blocked by your browser (assuming your browser is updated).

If you try opening an infected .exe or .dll, it will open the program normally, but it will also open jvumlstn.exe (some programs, usually anti-viruses/anti-malware, will protect themselves against this).

This infection also acts like a worm.
It creates an autorun.inf file on every USB drive.
It also places the executable (randomly named) in a folder called Recycle bin on your USB drive.
Once you place the infected USB in another computer, it will automatically open autorun.inf (unless you turn off the feature; it's ON by default).
The autorun.inf will execute the virus in the Recycle bin folder.


Other variations will create different files/folders, but they use the same method of infection.
They include C:\program files\Microsoft\watermark.exe
C:\program files\Microsoft\desktoplayer.exe
C:\program files\blvvcvww\jonimvgn.exe
(I may be missing some)
They all modify the same registry key (Userinit).



Removal:

The removal of this malware is quite annoying, since it can infect anti-malware programs.

First, what you'll have to do is download an anti-virus program that can cure this type of infection.
I've tested many anti-viruses and the best one so far is Dr.Web CureIt! free anti-virus (explained in Extra notes).
Download it here:
http://www.freedrweb.com/cureit/?lng=en

Before you execute Dr.Web, you should end the processes of the backdoor / file infector.
To do so, open Task Manager (Ctrl+Alt+Delete), go to the Processes tab, then end all of your browser processes.

After you've done this, install/update Dr.Web, then perform the full scan.
It should cure the infected files.

Then download Malwarebytes Anti-Malware to remove the rest of the malicious files.
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022%5F4-10804572.html

If Malwarebytes didn't detect all of the files (the rootkit), we will need to use gmer.exe.
Download gmer.exe here:
http://www2.gmer.net/download.php
Note: we will only need gmer.exe for certain variations of this virus. If you can see the files in the infected folder using Explorer (desktoplayer.exe, watermark.exe, etc.), then right-click, delete, then empty your Recycle Bin.
If you can't see the file, you might have the rootkit variation of this virus (jvumlstn.exe); therefore we will need the gmer.exe rootkit detector.

Once downloaded, open it, then press on the "> > >" tab, then click on the Files tab.
Locate C:\Program Files\"Malicious Folder"\
The file should be in red; simply click it once and click on Delete on the right side.

After you've deleted the file, we will need to delete the modified registry key (assuming Malwarebytes didn't detect it).
Click on Start - Run and type "regedit" without the quotes.
Locate HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Then on the right side, double click on Userinit and change the value to C:\WINDOWS\system32\userinit.exe,

And we're done!


Extra notes:

I've tested the removal of this virus with Avast, Kaspersky, Microsoft Security Essentials and a few others. The biggest problem I've noticed is that those anti-viruses can't cure the infected .exe or .dll files.
They will only give you the option to delete or quarantine those files.
"Those files" can include your games, paid programs, and additional programs on your computer that you may need.
If you delete them, you'll probably need to reinstall them.

Dr.Web CureIt can cure the infected files quite easily.


Every time you open a file that has been infected by the file infector, it will create an infected file in the same folder called "FileName"mgr.exe.
If this happens, make sure to delete the file with the additional "mgr" at the end of the name.
Other variations change the end of the file name to srv.exe.


While scanning with your anti-virus/anti-malware to remove this infection, it's highly recommended that you do not open any other files, because they can be infected.
Let's say you're scanning with your anti-virus, it's almost done, and you decide to open a file (that you didn't know was infected, but it was).
This will recreate the virus in the C:\Program Files folder, re-modify the registry key, recreate the backdoor and continue to infect your files, which is not what you want.

This post was edited by ShadowFiend on Oct 4 2011 02:04pm
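Added example, not from the post: three offline checks for the Ramnit indicators described above, written in Python so they can run against data copied off the infected machine. check_userinit() takes the Winlogon Userinit string (it assumes the stock XP value is exactly the one the post shows; other installs may carry %SystemRoot%\system32\userinit.exe instead, so pass your own), autorun_launch_target() reads an autorun.inf from a USB stick, and companion_droppers() goes through a folder listing for the <name>mgr.exe / <name>srv.exe files the infector leaves beside programs you ran. The autorun.inf text and the file list are constructed samples; qwertyu.exe is a made-up name.

```python
import re

# XP stock Userinit as the post shows it; other installs may carry
# %SystemRoot%\system32\userinit.exe, so pass your own stock value if needed.
STOCK_USERINIT = r"C:\WINDOWS\system32\userinit.exe"

# Constructed autorun.inf in the shape the post describes (executable under a
# "Recycle bin" folder on the stick); the file name qwertyu.exe is made up.
SAMPLE_AUTORUN = """[autorun]
;constructed sample, not a captured file
open=Recycle bin\\qwertyu.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
"""

COMPANION_SUFFIXES = ("mgr.exe", "srv.exe")


def check_userinit(value, stock=STOCK_USERINIT):
    """Split the comma-separated Winlogon\\Userinit value.
    Returns (clean, extras): clean only when nothing but the stock userinit.exe is listed."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    extras = [e for e in entries if e.lower() != stock.lower()]
    return (len(entries) == 1 and not extras), extras


def restored_userinit(stock=STOCK_USERINIT):
    """Value to write back; the trailing comma is part of the stock value."""
    return stock + ","


def autorun_launch_target(text):
    """What an autorun.inf launches (first open= or shellexecute= in [autorun]), or None.
    A data stick has no business launching anything, so any target is a red flag."""
    section, target = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "autorun" and "=" in line:
            key, val = (part.strip() for part in line.split("=", 1))
            if key.lower() in ("open", "shellexecute") and target is None:
                target = val
    return target


def companion_droppers(filenames):
    """Files named <X>mgr.exe or <X>srv.exe that sit next to an <X>.exe: the
    companions the infector drops when an infected program is run. The base-name
    check keeps legitimate names such as taskmgr.exe out of the list."""
    present = {n.lower() for n in filenames}
    hits = []
    for name in filenames:
        low = name.lower()
        for suffix in COMPANION_SUFFIXES:
            if low.endswith(suffix) and low[:-len(suffix)] + ".exe" in present:
                hits.append(name)
    return sorted(hits)


if __name__ == "__main__":
    infected = r"C:\WINDOWS\system32\userinit.exe,,C:\Program Files\jFUoTnea(Úñ~Ìjvumlstn.exe\jvumlstn.exe"
    print(check_userinit(infected))
    print(restored_userinit())
    print(autorun_launch_target(SAMPLE_AUTORUN))
    print(companion_droppers(["game.exe", "gamemgr.exe", "setup.exe", "setupsrv.exe", "taskmgr.exe"]))
```

Export the Winlogon key with reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg and paste the Userinit string into check_userinit(); for a USB stick, read autorun.inf from its root (with hidden files shown) and run a dir /b of each program folder through companion_droppers() before deciding what to delete.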
ShadowFiend
Oct 16 2011 07:57am
Malware name: TDSS Rootkit / TDL-4 / Alureon
Newest version detection rate: 8/43
Detected by Malwarebytes: No
Difficulty of removal once installed: llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll

Introduction:

The TDSS rootkit is becoming more and more popular and harder to remove. Recently, it switched from TDL-3 to TDL-4; this means it can infect 32-bit and 64-bit operating systems.
In the first three months of 2011 alone, TDL-4 infected 4,524,488 computers around the world.
This rootkit is itself a botnet, which will steal your private information, credit card information and passwords.
This malware infects the Master Boot Record (MBR). This enables it to load before the operating system, right at the beginning of the computer's boot-up sequence.

It has its own "anti-virus".
This means that this malware contains code to remove approximately 20 malicious programs, including Gbot, ZeuS, Clishmic, Optima, etc.
Why? Because those malicious programs are its competitors (they steal your banking information, credit card, etc.) and it doesn't want the stolen information to be given to the "other guys".

TDSS is usually installed on your computer by exploits or fake codecs/plugins. Once again, make sure all of your add-ons/browsers are up to date.


Symptoms:

Applications not working properly; they kept crashing and couldn't load.
Major lag spikes (only for a few minutes after it got installed).
Changed Windows XP into the default Windows Classic style.
Avast anti-virus couldn't start a scan.
Changed user to NT AUTHORITY\SYSTEM (you probably won't notice it).
Screwed up most of my drivers (they worked fine after cleaning up my computer).
Blue screens of death (usually when booting up your computer).

Files created:

Visible:
C:\Documents and Settings\Administrator\Local Settings\Temp\179.tmp (name may change)

Hidden:
cmd.dll - C&C user mode component (connects to the hacker)
cmd64.dll - C&C user mode component for 64-bit operating systems
drv64
drv32
ldr16
ldr32 - Driver loader

Creates a new driver volume called \\?\globalroot\device\XXXXXXXX\YYYYYYYY\ to hide its malicious files.
The driver volume itself is hidden by exploiting a few vulnerabilities in Windows.


Removal:

Since this is an MBR rootkit, we can use the fixmbr command in the Recovery Console to fix the infected MBR.
1. Insert the Windows XP CD into your CD drive and restart your computer. If you are prompted, select any options required to start (boot) from the CD.
2. Select the repair or recover option by pressing R.
3. When you are prompted, type the Administrator password.
4. At the command prompt, type FixMBR

Fixing the MBR does not mean you've completely removed the virus.

If you do not have your recovery CD, we will need a program to fix the MBR.
The first program is TDSSKiller by Kaspersky.
Download: http://support.kaspersky.com/faq/?qid=208280684
Simply do the scan and cure/delete the infected items.

If TDSSKiller finds nothing, we will use aswMBR from Avast.
Download: http://public.avast.com/~gmerek/aswMBR.htm
That page explains very well how to use the program.
Simply do the scan; if it finds something, click on Fix.
If it did not fix the infected MBR, click on FixMBR. This should remove the malicious MBR code and replace it with the normal operating system code.

After fixing the MBR, it's always good to do a full scan with an anti-virus and anti-malware to make sure there are no additional files that have been missed by the programs above.


Extra information:

Since this is an MBR rootkit, it may corrupt your MBR, which will make your computer unable to boot up. To fix this, use the fixmbr command in the Recovery Console as explained above.
It may also give you constant blue screens of death on startup. Use the Recovery Console once again.

Sometimes it will make anti-malware programs stop working. To fix this, try restarting your computer or ending the explorer.exe task with Task Manager.
After ending the explorer.exe task, click on File - New Task... in Task Manager and type in explorer.exe.

The newest version of this rootkit has a very low detection rate and is undetected by a lot of anti-malware.
Make sure you know exactly what you're downloading before you actually download it and make sure it's on their official site.
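Added example (editor's code, not from either post) serving both the Sinowal/Mebroot post above and this TDSS/TDL-4 one: a Python MBR parser to run on sector 0 of the disk before and after fixmbr. It checks the 0x55AA boot signature, hashes the 440 bytes of boot code against a baseline you capture yourself from a machine you trust (no known-good hash is hard-coded here), and lists the partition table. The unallocated-tail check goes a little beyond the posts: TDL-4 keeps its hidden file system in unallocated sectors after the last partition, so a large gap there is worth imaging before you overwrite anything. The boot-code bytes and partition layout in the sample are constructed; read_mbr() needs Administrator rights on Windows and is not exercised by the sample run.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOTCODE_LEN = 440      # bytes 0..439 hold the boot code; 440..445 disk signature and padding
PART_TABLE_OFF = 446    # four 16-byte partition entries
BOOT_SIG_OFF = 510      # 0x55 0xAA
PART_FMT = "<B3xB3xII"  # status, (CHS start), type, (CHS end), first LBA, sector count

# Constructed boot code for the sample run (a recognisable byte pattern, not a
# working bootloader). Take the real baseline hash from a machine you trust.
CLEAN_BOOTCODE = bytes.fromhex("33c08ed0bc007c8ec08ed8") + b"\x90" * 100
TAMPERED_BOOTCODE = bytes.fromhex("eb5e90") + CLEAN_BOOTCODE[3:]


def read_mbr(device=r"\\.\PhysicalDrive0"):
    """Read sector 0 of a physical disk (Administrator on Windows; /dev/sda on Linux)."""
    with open(device, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def build_sample_mbr(bootcode, partitions):
    """Assemble a sector for offline testing. partitions: (bootable, type, first_lba, count)."""
    sec = bytearray(SECTOR_SIZE)
    code = bootcode[:BOOTCODE_LEN]
    sec[:len(code)] = code
    for i, (bootable, ptype, lba, count) in enumerate(partitions[:4]):
        struct.pack_into(PART_FMT, sec, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba, count)
    sec[BOOT_SIG_OFF:] = b"\x55\xAA"
    return bytes(sec)


def parse_mbr(sector):
    """Signature check, boot-code hash and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(PART_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {"signature_ok": sector[BOOT_SIG_OFF:] == b"\x55\xAA",
            "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
            "partitions": partitions}


def mbr_findings(sector, baseline_bootcode_sha256=None, disk_sectors=None, tail_slack=2048):
    """Reasons to distrust this MBR; an empty list means nothing stood out."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if baseline_bootcode_sha256 and info["bootcode_sha256"] != baseline_bootcode_sha256:
        findings.append("boot code differs from known-good baseline")
    if disk_sectors and info["partitions"]:
        # Bootkits such as TDL-4 keep their hidden file system in unallocated
        # space past the last partition, so a large tail is worth imaging.
        last_end = max(p["lba_start"] + p["sectors"] for p in info["partitions"])
        gap = disk_sectors - last_end
        if gap > tail_slack:
            findings.append(f"{gap} unallocated sectors after the last partition")
    return findings


if __name__ == "__main__":
    layout = [(True, 0x07, 63, 20_000_000)]
    baseline = parse_mbr(build_sample_mbr(CLEAN_BOOTCODE, layout))["bootcode_sha256"]
    suspect = build_sample_mbr(TAMPERED_BOOTCODE, layout)
    print(mbr_findings(suspect, baseline, disk_sectors=20_010_000))
```

Record parse_mbr(read_mbr())["bootcode_sha256"] on a clean install of the same Windows version and keep it off the machine; after fixmbr or aswMBR's FixMBR, the hash should match the baseline again and the only remaining finding, if any, should be the unallocated tail, which fixmbr does not touch and which you then image and wipe separately.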
ShadowFiend
Nov 4 2011 01:47pm
Malware name: Zbot / Zeus trojan horse
Newest version detection rate: 11/43 (25.5%)
Detected by Malwarebytes: Yes
Difficulty of removal once installed: llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll


Introduction:

Zbot or Zeus is a botnet used to steal private information from the infected user (credit cards, passwords, banking information, etc.).
It was first identified in July 2007, and it's still being updated to bypass anti-viruses and to make the program better / less detectable.
This botnet targets mostly Windows Vista users, but it can also infect Windows XP and 7.
It's considered the largest botnet on the internet, with one of the highest numbers of infected users.

This malware is usually installed on your computer by drive-by-downloads or spam emails.


Symptoms:
Computer lagging a bit.
Internet connection slower than usual.
Passwords / banking information changing.


Files created:

C:\Documents and Settings\Administrator\Application Data\XXXX\YYYYY.exe

X and Y = random numbers/letters
4 for the folder name and 5 for the program name.
In my case, it was Rain\ryxub.exe
(hidden using rootkit technology)


Registry key created:

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\{DC71EE1E-3AE2-CE78-23BC-E3D404320484}
Value: "C:\Documents and Settings\Administrator\Application Data\XXXX\YYYYY.exe"
(also hidden)


Services created:

It creates 2 services, one with 4 random letters and one with 6 random letters.
They are also hidden.
From what I've seen, these services make sure that the file and registry key stay on your computer.
If one of them gets deleted/moved, it will recreate it at the same location.


Removal:

First method:

Malwarebytes can detect this malware and successfully remove it.
But before doing a scan with Malwarebytes, we need to remove the services created by Zbot so it doesn't keep recreating the file/registry key.

TDSSKiller can detect these services:
http://support.kaspersky.com/faq/?qid=208280684
Before running the scan, click on Change parameters, then check both Verify driver digital signatures and Detect TDLFS file system, like in the picture below.



After it detects the services, make sure you select the Delete option and not the Skip option (it will be Skip by default).

After deleting the services, run a full scan with Malwarebytes.
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html


Second method :

After deleting the services with Tdsskiller (shown in the first method), you can also manually delete the file and registry key using Gmer anti-rootkit.
http://www.gmer.net/#files

Open Gmer then click on the tab that says "> > >".
Click on the Files tab and locate C:\Documents and Settings\Administrator\Application Data\XXXX\YYYYY.exe
Then select the file and click on Delete on the right side.
The file should be in red, this means that the file is hidden from normal explorer.

After deleting the file, we will need to delete the registry value.
Click on the registry tab.
Double click on HKEY_CURRENT_USER (or click the small + on the left side).
Then double click on Software, Microsoft, Windows, CurrentVersion and then click once on Run.
The registry key should be on the right side (usually in red, meaning it's hidden).
The name should look something like {DC71EE1E-3AE2-CE78-23BC-E3D404320484}.
Double click it and delete everything in the Value Data. (you can't delete the registry key using gmer).
If you want to delete the registry key, restart your computer after renaming the value data, then click on Start - Run.
Type "regedit" without the quotes in the box. This will open the Windows registry editor.
Navigate to HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ (the same way as in Gmer).
Then, on the right side, the registry key should be visible. Right-click it and select Delete.


Tips:

If you have been infected by this botnet, or any botnet/keylogger, and you've used your banking information/credit card on that computer, you should contact your bank ASAP.

From what I've experienced, the file and registry key only get hidden once you restart your computer or restart the explorer.exe task.
So you'll be able to see and delete the file and registry key (although the services will recreate them).
Although I've only tested this malware from an infected file and not an exploit.

ShadowFiend, Nov 4 2011 01:49pm

Malware name: Trojan Carberp
Newest version detection rate: 15 /43 (34.9%)
Detected by Malwarebytes: Yes
Difficulty of removal once installed: llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll


Introduction:

Trojan Carberp is a trojan downloader and also a botnet, therefore it can steal your private and banking information.
It uses rootkit techniques to hide its files which makes it harder to detect and remove.
This trojan is also known for silently removing your anti-virus program from your computer.


Symptoms:

Internet connection being slower than usual.
Open file security warning every time your computer starts up for the malicious file igfxtray.exe. (Windows XP; I don't know if this is a flaw or not in the version I tested.)


Files created:

Creates a rootkit (hidden) file named igfxtray.exe in c:\Documents and Settings\Administrator\Start menu\Programs\Startup
Creates wndsksi.inf in c:\Documents and Settings\Administrator\Application Data
Creates 6.tmp and 62.tmp in c:\Documents and Settings\Administrator\Local Settings\Temp
It also downloads numerous other malicious files from a server, places them in %temp% and then executes them.


Registry key created:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1609 =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1609 =


Process created:

Opens 3 svchost.exe from the system32 folder with the command line "-k netsvcs".
Each of them connects to a server (the backdoor).


Services created:

Randomly named and hidden service.
In my case, it was named hbkepsgd


Removal:

First of all, we will need a program to detect and delete the hidden files.
Malwarebytes is a great program for this.
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
Simply do the full scan, then when it finds the infected files, click on Remove selected and restart your computer if necessary.

After doing this, we will need to remove the backdoor (svchost.exe)
Every time you terminate the process of svchost.exe (the one connecting by tcp/ip to a server) it will reappear after a few seconds.
This is because of the hidden service created by this trojan, so we will need to remove this service.

A simple way to remove this hidden service is to download tdsskiller by kaspersky:
http://support.kaspersky.com/faq/?qid=208280684
Before running the scan, click on Change parameters then check both Verify driver digital signatures and Detect TDLFS file system.
If done correctly, it will find an Unsigned file like the picture below:

[screenshot not preserved]

By default, it will skip it, so make sure you change it to Delete so it deletes the service.
After the scan is complete, restart your computer.
If done correctly, the infected svchost.exe will not show up anymore.

Since this is a trojan downloader, it's always good to do a full scan with an anti-virus software of your choice to make sure nothing else has been installed on your computer by this trojan.


Tips:

Every time you try to end the task of the malicious svchost.exe, the hidden service will reopen it. Because of this, you'll need to remove the hidden service before ending the task of that process.

This trojan can also completely uninstall anti-viruses from your computer. If this is the case, use my removal method then after your computer is clean, reinstall your anti-virus program.

The created registry keys won't be detected by any anti-virus or anti-malware programs because they can't do anything without the other components of this trojan.
Because of this, it's not necessary to remove them.
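The Carberp post above says the backdoor is one of several svchost.exe processes and that the one to go after is the one "connecting by tcp/ip to a server". As an added example (not part of ShadowFiend's write-up and not a Carberp artefact), the Python script below cross-references the output of two stock Windows commands, tasklist /svc /fo csv and netstat -ano, to list which svchost.exe PIDs hold live TCP connections to non-private addresses and whether they host any service at all. Both inputs are constructed samples embedded inline (documentation addresses stand in for the server), so it runs offline; on a real case, save the two command outputs from the infected machine and pass them in. It is a triage list, not a verdict: an svchost hosting BITS or wuauserv also talks to the internet legitimately, and, as the post says, ending the process is pointless until the hidden service that respawns it has been removed.

```python
"""Which svchost.exe processes are talking to the internet?

Added example for this thread (not ShadowFiend's procedure, not a Carberp
artefact): it cross-references the text output of two stock Windows commands,
`tasklist /svc /fo csv` and `netstat -ano`, so it can be run offline against
output saved from the infected machine. Both samples below are CONSTRUCTED,
with documentation (TEST-NET) addresses standing in for a C&C server.
"""
import csv
import io
import ipaddress

# Constructed sample of `tasklist /svc /fo csv` (not a real capture).
TASKLIST_CSV = '''"Image Name","PID","Services"
"System","4","N/A"
"services.exe","668","N/A"
"svchost.exe","848","DcomLaunch,PlugPlay"
"svchost.exe","1032","AudioSrv,BITS,wuauserv"
"svchost.exe","1300","N/A"
"svchost.exe","1316","N/A"
"explorer.exe","1540","N/A"
'''

# Constructed sample of `netstat -ano` (not a real capture).
NETSTAT_TXT = '''
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       848
  TCP    192.168.1.20:1045      192.168.1.1:445        ESTABLISHED     4
  TCP    192.168.1.20:1098      198.51.100.9:80        ESTABLISHED     1032
  TCP    192.168.1.20:1102      203.0.113.7:80         ESTABLISHED     1300
  TCP    192.168.1.20:1103      203.0.113.7:443        SYN_SENT        1316
  TCP    192.168.1.20:1110      203.0.113.7:80         TIME_WAIT       1540
  UDP    0.0.0.0:500            *:*                                    668
'''

# Connections in these states are live or being set up; TIME_WAIT etc. are leftovers.
ACTIVE_STATES = {"ESTABLISHED", "SYN_SENT"}

# Ranges treated as "inside": RFC 1918, loopback, link-local, unspecified. Listed
# explicitly (instead of ip.is_private) so the documentation ranges in the sample count as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7")]


def parse_tasklist(text):
    """Map PID -> (image name, [hosted services]) from `tasklist /svc /fo csv` output."""
    procs = {}
    for row in csv.DictReader(io.StringIO(text)):
        services = [] if row["Services"] == "N/A" else row["Services"].split(",")
        procs[int(row["PID"])] = (row["Image Name"], services)
    return procs


def parse_netstat(text):
    """Return (proto, local, foreign, state, pid) tuples for the TCP rows of `netstat -ano`."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":   # UDP rows have no State column; the header has 7 fields
            rows.append((parts[0], parts[1], parts[2], parts[3], int(parts[4])))
    return rows


def is_external(endpoint):
    """True when 'host:port' points outside the local/private ranges above."""
    host = endpoint.rpartition(":")[0].strip("[]")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:          # '*' or a hostname: nothing we can classify
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def triage_svchost(tasklist_text, netstat_text):
    """List svchost.exe PIDs with live external TCP connections and what each hosts.

    An svchost that hosts no service (Services = N/A) yet talks to the internet is
    the first one to look at; one hosting BITS/wuauserv does so legitimately too,
    so treat the output as a triage list.
    """
    procs = parse_tasklist(tasklist_text)
    hits = {}
    for _, _, foreign, state, pid in parse_netstat(netstat_text):
        if state not in ACTIVE_STATES or not is_external(foreign):
            continue
        image, services = procs.get(pid, ("<unknown>", []))
        if image.lower() != "svchost.exe":
            continue
        entry = hits.setdefault(pid, {"pid": pid, "services": services,
                                      "hosts_no_service": not services, "remote": []})
        entry["remote"].append(foreign)
    return [hits[p] for p in sorted(hits)]


if __name__ == "__main__":
    for e in triage_svchost(TASKLIST_CSV, NETSTAT_TXT):
        what = "hosts NO service" if e["hosts_no_service"] else "hosts " + ",".join(e["services"])
        print(f"svchost.exe PID {e['pid']:>5}: {', '.join(e['remote'])}  ({what})")
```

On the constructed input this prints PID 1032 (hosting BITS/wuauserv, a normal shape) and PIDs 1300 and 1316 (no service hosted, both reaching the same external host), which is the short list to take to Process Explorer or TDSSKiller; the LISTENING, private-network and TIME_WAIT rows are dropped.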

ShadowFiend, Nov 13 2011 12:28pm

Malware name: Trojan Onlinegames
Newest version detection rate: 19/43 (44.1%)
Detected by Malwarebytes: Yes
Difficulty of removal once installed: llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll



Introduction:

This type of trojan steals passwords (keylogger). Some variations of this trojan can also download other malicious programs on your computer.
It usually steals the passwords of popular games like World of Warcraft, Runescape and Lord of the Rings Online.
Usually installed on your computer by downloading 3rd party programs for those games.

Symptoms:

Unable to log on your gaming accounts (passwords changed).
Unable to open gaming programs.
The presence of the files and registry keys below.


Files created:

C:\Windows\System32\jahjah01 (number may vary)
C:\Windows\system32\mgt99018.ocx
C:\Windows\system32\mgt01003.ocx


Registry key created:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layouts\E0210804]
Ime File = "MGT99018.OCX"
Layout Text = "US"
Layout File = "kbdus.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E0210804]
Ime File = "MGT99018.OCX"
Layout Text = "US"
Layout File = "kbdus.dll"

[HKEY_CURRENT_USER\Keyboard Layout\Preload]
2 = "00000409"


Memory modules loaded:

mgt99018.ocx - into explorer.exe
mgt01003.ocx - into explorer.exe and jahjah01.exe




Removal:

Removal of this trojan is quite simple.
Download Malwarebytes Anti-Malware here:
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
Install Malwarebytes and run the full scan.
After the full scan is done, remove the infected items and restart your computer.


If malwarebytes or your anti-virus doesn't detect it for whatever reason, you can always manually remove this trojan.

First, we will need to boot the computer into Safe Mode. To do so, follow these instructions:
1. Restart your computer
2. As your computer restarts, press F8 before the Windows screen launches
3. A black screen with a few options will appear; use the arrow keys to navigate to Safe Mode.

After booting into Safe Mode, open Control Panel in the start menu and open Folder Options.
Click on the View tab and select Show hidden files and folders.
After you've done this, open My Computer, go to C:\Windows\System32 and find the file called jahjahXX (where XX = random 2-digit number)
Once you've found that file, rightclick and delete it.
Again in the system32 folder, locate the files called mgt99018.ocx and mgt01003.ocx (the numbers in the file may vary a bit)
Rightclick and delete those.

After deleting those files, click on Start and click on Run (or click on the search bar if Windows Vista/7), type "regedit" without the quotes and press Enter.
This will open the registry editor.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layouts\E0210804 by double-clicking the "folders".
Look on the right side and delete the 3 values by right-clicking and selecting Delete.
Do the same for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E0210804.
And for HKEY_CURRENT_USER\Keyboard Layout\Preload, delete the value named 2.

Since some variations of this trojan can download other malware on your computer, it's always good to do a full scan with your current anti-virus.


Extra information:

Some variations of this trojan can disable/uninstall an out of date anti-virus software. To prevent this from happening, simply make sure your anti-virus is up to date.

This malware is used specifically to steal your passwords for World of warcraft, Runescape and Lord of the Rings Online.
If you're infected with this malware and have one of those games, make sure to change your passwords ASAP on a non-infected computer.

You won't be able to delete mgt99018.ocx and mgt01003.ocx if you're not in Safe Mode, since it will say the file is in use (injected into explorer.exe), unless you do the following:
If you're unable to get into Safe Mode, you can delete those files by pressing Ctrl+Alt+Del to open Task Manager, going to the Processes tab and ending the explorer.exe task.
Then, still in Task Manager, click on File and New task...
Type in CMD and press Enter,
then type del c:\windows\system32\mgt99018.ocx
then del c:\windows\system32\mgt01003.ocx
then type explorer.exe to reopen Explorer.
You don't need to do this for the file jahjah01.exe since the file won't be in use, so you can simply open My Computer and delete it normally.

ShadowFiend, Nov 26 2011 03:26pm

Malware name: Trojan Cridex
Newest version detection rate: 5/42
Detected by Malwarebytes: Yes
Difficulty of removal once installed: llllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll



Introduction:

Trojan Cridex is pretty new; it has only been around for a few weeks now, so it's probably going to evolve a lot more and be harder to remove from your computer.
This malware is designed to steal your private information and passwords and it can also download other malware on your computer.


Symptoms:
A "Cannot load drivers" error with many programs, including anti-viruses and anti-malware programs.


Files created:

C:\Windows\System32\Drivers\eb095a6d456945e6.sys (name may vary)
C:\Documents and settings\Administrator\Application data\KB00354986.EXE
%TEMP%\POSA7.TMP (last 2 letters/numbers may vary)
%TEMP%\POSA4.TMP (last 2 letters/numbers may vary)
C:\Documents and settings\Administrator\zli1lidy80.exe
C:\Documents and settings\Administrator\Application data\E81B4113\E81B4113.DAT


Processes created:

C:\Windows\System32\Svchost.exe
This Svchost is used to connect to the C&C (command-and-control server) to steal your information and give instructions to your computer to perform malicious activities (DDoS, for example) or download other malware.


Registry key created:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
{"C:\Documents and Settings\Administrator\Application Data\KB00354986.exe"}
&
{C:\Documents and Settings\Administrator\zli1lidy80.exe}

HKEY_CURRENT_USER\Software\Microsoft\Windows Media Center
HKEY_CURRENT_USER\Software\Microsoft\Windows Media Center\[Random]
HKEY_CURRENT_USER\Software\Microsoft\Windows Media Center\E81B4113 (same name as the .DAT file)


Services created:

C:\Windows\System32\Drivers\eb095a6d456945e6.sys #Hidden#






Removal:

Removal of this trojan is a bit tough but if you follow these steps in order, you will be able to remove it.

Method 1:

First of all, we need to download Tdsskiller.
http://support.kaspersky.com/faq/?qid=208280684
Click on Start scan and let it finish.
It will find a locked service like this:

[screenshot not preserved]

It will be set to Skip by default, so change that to Delete.
Restart your computer when asked.

After deleting the service, we will need to download Malwarebytes Anti-Malware to remove the rest of the infection.
http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
Click on Perform full scan and wait until it finishes scanning.
When it finds something, click on Remove selected.

Method 2:

If Tdsskiller does not detect the hidden service, Gmer.exe rootkit detector might be able to.
Download Gmer.exe here
http://www.gmer.net/#files
Click on Download EXE and it will download a randomly named .exe
Open the program and it will do a quick scan automatically (do not do anything while it's scanning).
After it's done, the hidden service should show up in red.
Right-click and select Delete service.
If it cannot delete it, select disable service first then restart your computer and then delete it.


If malwarebytes doesn't detect all of the files/registry keys you can always remove them manually.

First click on start and open control panel.
In control panel, click on Folder options
Click on the view tab then select Show hidden files and folders then press OK.

After this, open My Computer and locate these files and delete them:

%appdata%\KB00354986.EXE or c:\Documents and settings\"user"\Application data\KB00354986.EXE
%TEMP%\POSA7.TMP (last 2 letters/numbers may vary) or c:\Documents and settings\"user"\Local Settings\Temp\POSA7.TMP
%TEMP%\POSA4.TMP (last 2 letters/numbers may vary) or c:\Documents and settings\"user"\Local Settings\Temp\POSA4.TMP
c:\Documents and settings\"user"\zli1lidy80.exe
%appdata%\E81B4113\E81B4113.DAT or C:\Documents and settings\"user"\Application data\E81B4113\E81B4113.DAT (delete the folder also)

Then after this, we will need to delete the registry keys.
Click on start - run and type "regedit" without the quotes then press enter.
Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Then on the right side, delete both keys that are named KB00354986.exe and zli1lidy80.exe
Then locate HKEY_CURRENT_USER\Software\Microsoft\Windows Media Center, right-click Windows Media Center and delete that key.


A scan with your Anti-virus will also help removing this trojan.


Tips:

If you don't know which Svchost.exe to end the task of (the one that connects to the C&C), simply restart your computer after you've removed all of the files related to this trojan.
The Svchost.exe won't be executed anymore to connect to that server after you've deleted the files.

During the removal process, a lot of driver errors popped up from gmer.exe and tdsskiller, but after pressing OK, they started normally and they were still able to detect the rootkit.
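The Zbot, Trojan Onlinegames and Cridex posts above each come down to a handful of registry entries: a {GUID}-named Run value pointing into Application Data, Run values for KB00354986.exe and zli1lidy80.exe, and a Keyboard Layouts entry whose Ime File is MGT99018.OCX. As an added example (not ShadowFiend's procedure and not any tool's output), the Python script below parses reg export text and applies those two patterns as heuristics, so the same check can be run against an export from another machine without clicking through regedit or Gmer. The .reg text is a constructed sample that reuses the thread's own names (XXXX\YYYYY.exe is the thread's placeholder; VendorUpdater and the Japanese IME entry are invented benign entries); the "user profile location" test and the ".ime/.dll only" rule are heuristics of this example, not rules stated in the posts. Take the export from a clean boot or an offline copy of the hive: as the Zbot post notes, the rootkit hides its file and value from the live system after a reboot, and a script reading a hidden value sees nothing.

```python
"""Audit a .reg export for the persistence tricks described in this thread.

Added example, not ShadowFiend's procedure. Heuristics: Run values that are
{GUID}-named or start a program from a user profile location (Zbot, Cridex);
"Ime File" entries that are not .ime/.dll and the Preload slots loading them
(Trojan Onlinegames). Export from a clean boot or offline hive, since a live
rootkit hides its entries. SAMPLE_REG is constructed."""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorUpdater"="\"C:\\Program Files\\Vendor\\updater.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"{DC71EE1E-3AE2-CE78-23BC-E3D404320484}"="C:\\Documents and Settings\\Administrator\\Application Data\\XXXX\\YYYYY.exe"
"KB00354986"="\"C:\\Documents and Settings\\Administrator\\Application Data\\KB00354986.exe\""
"zli1lidy80"="C:\\Documents and Settings\\Administrator\\zli1lidy80.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E0010411]
"Ime File"="imjp81.ime"
"Layout Text"="Japanese IME (sample of a legitimate entry)"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E0210804]
"Ime File"="MGT99018.OCX"
"Layout Text"="US"

[HKEY_CURRENT_USER\Keyboard Layout\Preload]
"1"="00000409"
"2"="E0210804"
'''

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')        # "name"=data
_RUN_KEY_RE = re.compile(r'\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$', re.I)
_GUID_RE = re.compile(r'^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$', re.I)
_LAYOUT_KEY_RE = re.compile(r'\\Control\\Keyboard Layouts\\([0-9A-F]{8})$', re.I)
# Heuristic: where this thread's samples drop their executables (user-writable, not Windows/Program Files).
_PROFILE_HINTS = ('\\application data\\', '\\local settings\\temp\\', '\\appdata\\', '%appdata%', '%temp%')
_PROFILE_ROOT_RE = re.compile(r'^[a-z]:\\(documents and settings|users)\\[^\\]+\\[^\\]+$', re.I)

def _unescape(s):
    return re.sub(r'\\(.)', r'\1', s)     # .reg string escapes: backslash-backslash and backslash-quote

def parse_reg(text):
    """{key_path: {value_name: data}}; string data is unescaped, other types kept as raw text."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and (m := _VALUE_RE.match(line)):
            data = m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][_unescape(m.group(1))] = data
    return keys

def image_path(command):
    """Executable path out of a Run value: quoted, or unquoted even with spaces in it."""
    command = command.strip()
    m = re.match(r'"([^"]+)"', command) or re.match(r'(.+?\.(?:exe|dll|scr|com|bat|cmd))(?:\s|$)', command, re.I)
    return m.group(1) if m else command

def audit_run_keys(reg):
    """Flag Run/RunOnce values by value-name shape and by where the program lives."""
    findings = []
    for key, values in reg.items():
        if not _RUN_KEY_RE.search(key):
            continue
        for name, data in values.items():
            path, reasons = image_path(data), []
            if _GUID_RE.match(name):
                reasons.append('guid-named value')
            if any(h in path.lower() for h in _PROFILE_HINTS) or _PROFILE_ROOT_RE.match(path):
                reasons.append('starts from user profile location')
            if reasons:
                findings.append({'key': key, 'name': name, 'path': path, 'reasons': reasons})
    return findings

def audit_keyboard_layouts(reg):
    """Flag layouts whose IME is not a .ime/.dll and list the Preload slots that activate them."""
    flagged = []
    for key, values in reg.items():
        m, ime = _LAYOUT_KEY_RE.search(key), values.get('Ime File', '')
        if m and ime and not ime.lower().endswith(('.ime', '.dll')):
            flagged.append({'key': key, 'layout': m.group(1).upper(), 'ime_file': ime})
    preload = reg.get(r'HKEY_CURRENT_USER\Keyboard Layout\Preload', {})
    preloaded = {f['layout']: [s for s, lid in preload.items() if lid.upper() == f['layout']] for f in flagged}
    return {'flagged': flagged, 'preloaded': {k: v for k, v in preloaded.items() if v}}

if __name__ == '__main__':
    reg = parse_reg(SAMPLE_REG)
    for f in audit_run_keys(reg):
        print(f"RUN  {f['name']}: {f['path']}  <- {', '.join(f['reasons'])}")
    kl = audit_keyboard_layouts(reg)
    for f in kl['flagged']:
        print(f"IME  layout {f['layout']} loads {f['ime_file']}; Preload slots {kl['preloaded'].get(f['layout'], [])}")
```

Paste a real export in place of SAMPLE_REG (or read it from a file; reg export writes UTF-16, so open it with encoding="utf-16") and every hit still needs a human look: a legitimate per-user installer that starts from Application Data trips the same profile-location heuristic, and the check only covers the Run keys and Keyboard Layouts, not the services that TDSSKiller deals with in these posts.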