9. December 2008 by Myke.
Starting Wednesday, December 3rd of 2008, some very nice little script kitties decided to bomb the world with some very nice, fun-filled SPAM/Virus/Malware/Spyware/Adware. You may or may not have seen these e-mails yet. They claim to be from McDonald’s, Coca-Cola and Hallmark. As you can venture to guess, they are not. They are full of all kinds of good little toys for end users to play with and help make the life of an IT person fun.
So what can you do if your end user opens one of these emails? If you have a solid anti-virus product (NOT McAFEE) on your network and on your local machines, you should be sitting very pretty. But let’s say, for grins, you use McAfee or nothing at all, which is pretty much the same thing. You will have some cleaning to do to get rid of your annoying pests.
If you want to just fix the issue, scroll down for the solution; for everyone else, we will now try to explain the issue. The e-mails that were sent out contained a few different types of virus files. They carried the ever-infamous Virtumonde (Vundo) and VirTool:Win32/CeeInject.gen!J (the name given by Microsoft).
The Vundo family of Trojans is one of the most common infections we find on users’ computers. This infection can cause popups that include advertisements for rogue anti-spyware programs. Some common rogue antispyware programs that are advertised include WinFixer, SysProtect and WinAntiSpyware. Users are normally targeted with false positives, fake alerts, and warnings of infections on their computer. An example of this type of misleading advertisement would be popups alerting users that they are infected with a blackworm virus. The most common method of infection is through outdated versions of the Sun Java platform; older versions are being exploited, so it is important to first make sure that your Java software is fully up to date. This infection is normally noticed by users receiving popups when they use the Internet. Your antivirus program might also notify you via an alert that you have a Vundo Trojan on your computer.
The Vundo infection has evolved over time to include harder and harder protection methods so that it cannot be easily removed. These methods are random names, random autorun locations, random CLSIDs, and rootkits to hide these locations from removal tools. Due to this, specialized tools have been created in order to target this specific infection and remove it. The following guide will explain how to use the tool, and hopefully rid your system of this malware.
VirTool:Win32/CeeInject.gen!J is a mass mailing worm that also spreads through removable media using autorun.inf, and also by copying itself to Shared folders of Peer-2-Peer applications.
Upon execution, this worm displays the following picture to trick the user into believing that this is a harmless image file.

Meanwhile, the worm connects to “Whatismyip.com” to get the victim’s IP address.
Depending on the variant, it then copies itself to the following locations:
It injects itself into multiple running processes.
Depending on the variant, it drops one or more of the following malicious files:
Some variants create a new task to run one of the dropped DLLs in the following location:
Some variants then launch an instance of Iexplore.exe in the background and use it to log keystrokes to a file at the following location.
This instance of iexplore.exe communicates with ip-68-226-[removed]-235.tc.ph.cox.net
Certain variants also download the following malicious dlls:
This worm spreads by copying itself into any removable media connected to the system and creates an “autorun.inf” file to execute itself whenever the device is connected to another system.
It also has mass mailing capabilities. The worm sends e-mails with a copy of itself attached to e-mail addresses harvested from the system.
It uses the following “Subject”, “Attachment Name” and “From address” combinations for these e-mails.
Subject of E-mail                                           | Attachment name | From Address
------------------------------------------------------------|-----------------|-----------------------
You’ve received A Hallmark E-Card!                          | postcard.zip    | postcards@hallmark.com
Coca Cola is proud to announce our new Christmas Promotion. | promotion.zip   | noreply@coca-cola.com
Mcdonalds wishes you Merry Christmas!                       | coupon.zip      | giveaway@mcdonalds.com

Some variants create SMTP connections to the following servers on various outbound ports:
205.134.188.162
211.233.80.119
212.7.64.23
217.167.29.246
64.26.62.254
dom-reg.mediaways.net
fmx.freemail.hu
imas.ahnlab.com
lb.acantho.net
mail.samba.org
mailprot.hilton.com
maxx.shmoo.com
mx.acantho.net
origin.hilton.com
persephone.instanthosting.com.au
relais-ias89.francetelecom.com
www.alinet.it
www.pacbell.net
This worm also spreads by copying itself into the shared folders of Peer-2-Peer Applications using the following file names.
(Generally, the file names used are of popular applications and their cracks/keygens)
Absolute Video Converter 6.2.exe
Acker DVD Ripper 2009.exe
Ad-aware 2008.exe
Adobe Acrobat Reader keygen.exe
Adobe Photoshop CS4 crack.exe
Alcohol 120 v1.9.7.exe
BitDefender AntiVirus 2009 Keygen.exe
CleanMyPC Registry Cleaner v6.02.exe
Daemon Tools Pro 4.11.exe
Divx Pro 6.8.0.19 + keymaker.exe
Download Accelerator Plus v8.7.5.exe
Download Boost 2.0.exe
FOOTBALL MANAGER 2009.exe
G-Force Platinum v3.7.5.exe
Google Earth Pro 4.2. with Maps and crack.exe
Half life 3 preview 10 minutes gameplay video.exe
Internet Download Manager V5.exe
Joannas Horde Leveling Guide TBC Woltk.exe
Kaspersky Internet Security 2009 keygen.exe
K-Lite codec pack 4.0 gold.exe
LimeWire Pro v4.18.3.exe
Microsoft Visual Studio 2008 KeyGen.exe
Motorola, nokia, ericsson mobil phone tools.exe
Myspace theme collection.exe
Nero 8 Ultra Edition 8.0.3.0 Full Retail.exe
Norton Anti-Virus 2009 Enterprise Crack.exe
Opera 10 cracked.exe
Password Cracker.exe
Perfect keylogger family edition with crack.exe
Power ISO v4.2 + keygen axxo.exe
Red Alert 3 keygen and trainer.exe
Silkroad Online guides and wallpapers.exe
Smart Draw 2008 keygen.exe
Sophos antivirus updater bypass.exe
Super Utilities Pro 2009 11.0.exe
TCN ISO cable modem hacking tools.exe
TCN ISO SigmaX2 firmware.bin.exe
Tuneup Ultilities 2008.exe
Ultimate ring tones package1 (Beethoven,Bach, Baris Manco,Lambada,Chopin, Greensleves).exe
Ultimate ring tones package2 (Lil Wayne - Way Of Life,Khia - My Neck My Back Like My Pussy And My Crack,Mario - Let Me Love You,R. Kelly - The Worlds Greatest).exe
Ultimate ring tones package3 (Crazy In Love, U Got It Bad, 50 Cent - P.I.M.P, Jennifer Lopez Feat. Ll Cool J - All I Have, 50 Cent - 21 Question).exe
Ultimate xxx password generator 2009.exe
VmWare keygen.exe
Winamp.Pro.v6.53.PowerPack.Portable [XmaS edition].exe
Windows 2008 Enterprise Server VMWare Virtual Machine.exe
Windows XP PRO Corp SP3 valid-key generator.exe
WinRAR v3.x keygen RaZoR.exe
Wow WoLTk keygen generator-sfx.exe
xbox360 flashing tools and guide including bricked drive fix.exe
Youtube Music Downloader 1.0.exe
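The three lists above (the lure Subject/Attachment/From combinations, the SMTP servers the worm talks to, and the P2P bait file names) are the indicators an administrator can actually watch for at the mail gateway, the firewall and on file shares. The script below is an added example for this post, not code from the original article or from any of the credited sources: it turns those indicators into simple classifiers and runs them over constructed sample records. The mail-gateway log format (`from=… subject="…" attach=…`), the flow tuples and the share listing are assumptions made up for the example; the indicator values themselves are the ones quoted in the post. The `keygen`/`crack`/`trainer` pattern generalises the post’s note that the bait names are cracks and keygens of popular applications, so it catches names beyond the handful copied into the set.

```python
"""Match records against the indicators in the worm description above:
lure e-mail triples, SMTP destinations and P2P bait file names.
Every sample record in this file is constructed for the example."""
import re

# Subject / attachment / From triples from the table in the post (lower-cased).
MAIL_LURES = {
    ("you've received a hallmark e-card!", "postcard.zip", "postcards@hallmark.com"),
    ("coca cola is proud to announce our new christmas promotion.", "promotion.zip", "noreply@coca-cola.com"),
    ("mcdonalds wishes you merry christmas!", "coupon.zip", "giveaway@mcdonalds.com"),
}
LURE_ATTACHMENTS = {a for _, a, _ in MAIL_LURES}
LURE_SENDERS = {s for _, _, s in MAIL_LURES}

# Servers the post reports the worm opening SMTP sessions to (on various outbound ports).
SMTP_SERVERS = {
    "205.134.188.162", "211.233.80.119", "212.7.64.23", "217.167.29.246",
    "64.26.62.254", "dom-reg.mediaways.net", "fmx.freemail.hu", "imas.ahnlab.com",
    "lb.acantho.net", "mail.samba.org", "mailprot.hilton.com", "maxx.shmoo.com",
    "mx.acantho.net", "origin.hilton.com", "persephone.instanthosting.com.au",
    "relais-ias89.francetelecom.com", "www.alinet.it", "www.pacbell.net",
}

# A few of the P2P bait names from the post's list; BAIT_PATTERN covers the general shape.
P2P_BAIT = {
    "ad-aware 2008.exe", "adobe photoshop cs4 crack.exe", "opera 10 cracked.exe",
    "vmware keygen.exe", "winrar v3.x keygen razor.exe", "youtube music downloader 1.0.exe",
}
BAIT_PATTERN = re.compile(r"(keygen|crack|trainer|key generator).*\.exe$", re.I)


def _norm(s):
    """Lower-case and straighten curly quotes so either spelling of the lure matches."""
    return s.strip().lower().replace("\u2019", "'").replace("\u201c", '"').replace("\u201d", '"')


def mail_matches_lure(subject, attachment, sender):
    """True when the (subject, attachment, From) triple is exactly one of the lures."""
    return (_norm(subject), _norm(attachment), _norm(sender)) in MAIL_LURES


def classify_mail_log(line):
    """Parse one constructed gateway log line and return why it was flagged, or None."""
    m = re.match(r'from=(\S+)\s+subject="([^"]*)"\s+attach=(\S*)', line)
    if not m:
        return None
    sender, subject, attach = m.groups()
    if mail_matches_lure(subject, attach, sender):
        return "lure-mail"
    # A variant may change the subject; the attachment name or sender alone is still telling.
    if _norm(attach) in LURE_ATTACHMENTS or _norm(sender) in LURE_SENDERS:
        return "lure-mail-partial"
    return None


def classify_flow(dst_host):
    """Flag any outbound connection to one of the listed SMTP servers, whatever the port."""
    return "smtp-to-listed-server" if dst_host.lower() in SMTP_SERVERS else None


def classify_share_file(name):
    """Flag a file in a P2P shared folder by exact bait name, then by the crack/keygen pattern."""
    n = _norm(name)
    if n in P2P_BAIT:
        return "p2p-bait-name"
    if BAIT_PATTERN.search(n):
        return "p2p-bait-pattern"
    return None


# Constructed sample data (not real traffic).
MAIL_LOG = [
    'from=postcards@hallmark.com subject="You\'ve received A Hallmark E-Card!" attach=postcard.zip',
    'from=billing@example.net subject="Invoice 4411" attach=invoice.pdf',
    'from=giveaway@mcdonalds.com subject="Your coupon" attach=coupon.zip',
]
FLOWS = [("10.0.0.7", "mail.samba.org", 25), ("10.0.0.7", "mail.example.org", 587)]
SHARE_FILES = ["Opera 10 cracked.exe", "holiday_photos.zip", "SomeTool 2009 keygen.exe"]


def scan_all():
    """Run every classifier over the samples; returns a list of (kind, reason, record) hits."""
    hits = []
    for line in MAIL_LOG:
        reason = classify_mail_log(line)
        if reason:
            hits.append(("mail", reason, line))
    for src, dst, port in FLOWS:
        reason = classify_flow(dst)
        if reason:
            hits.append(("flow", reason, f"{src} -> {dst}:{port}"))
    for name in SHARE_FILES:
        reason = classify_share_file(name)
        if reason:
            hits.append(("share", reason, name))
    return hits


if __name__ == "__main__":
    for kind, reason, record in scan_all():
        print(f"{kind:5} {reason:22} {record}")
```

The partial-match rule is deliberately looser than the exact triple: the post says variants differ, so an attachment called coupon.zip from giveaway@mcdonalds.com is worth a look even under a new subject line. Hostname matches are case-folded but not resolved, so a flow logged by IP only matches the IP entries in the list.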
It also injects malicious code into explorer.exe and opens a backdoor by connecting to the following domain:
The backdoor has the following functions:
Registry changes may vary according to the variant.
The following registry keys are added:
The following registry values are created to load the worm at system startup.
It adds the following registry entries as part of its payload.
It adds the following registry key to add itself to the Firewall’s Authorised applications list.
The following registry values are modified.
REMOVAL
So to rid yourself of this stupid little “end user” hell, just follow these simple steps.
1 - Download Malwarebytes’ Anti-Malware, or MBAM, from the following location and save it to your desktop (or other download directory).
Malwarebytes’ Anti-Malware Download Link
2 - Once downloaded, close all programs and windows on your computer, including this one.
3 - Double-click on the icon on your desktop named Download_mbam-setup.exe. This will start the installation of MBAM onto your computer.
4 - When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware checked. Then click on the Finish button.
5 - MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.

6 - On the Scanner tab, make sure the Perform quick scan option is selected and then click on the Scan button to start scanning your computer for Trojan.vundo and Virtumonde related files.
7 - MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.
8 - When the scan is finished a message box will appear as shown in the image below. You should click on the OK button to close the message box and continue with the Trojan.vundo and Virtumonde removal process.
9 - You will now be back at the main Scanner screen. At this point you should click on the Show Results button.
10 - A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.
You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the program’s quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
11 - When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
12 - You can now exit the MBAM program.
13 - Right-click on My Computer and select Search. You will now want to do a search on your local C: drive for windaemon.exe and delete all instances of this file. Once completed, close all windows you have open.
NOTE: The following steps should only be done once a good backup of your registry has been completed. Only modify registry settings if you are knowledgeable and understand what can happen if you make a mistake.
14 - Click on Start/Run, type regedit and press Enter.
15 - With the Registry Editor open, click on Edit/Find… and search for windaemon.exe and delete all registry keys that refer to this name. Once you have deleted all the registry keys, close the Registry Editor.
16 - Reboot your computer.
17 - Your computer should now be free of all Virus/Malware/Spyware/Adware issues.
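Steps 13 to 15 boil down to one search term, windaemon.exe, applied to the disk and to the registry. The script below is an added example written for this post, not a tool from the original article, from Malwarebytes or from any of the credited sites. It reads a regedit export (the .reg text that File/Export produces), decodes the values and reports every key path, value name or value data that mentions the name, so the review in step 15 can be done against a saved copy of the Run keys before anything is deleted; it decodes hex(2)/hex(7) entries too, because REG_EXPAND_SZ and REG_MULTI_SZ values appear in an export as UTF-16 byte lists rather than readable text. A small `find_files` helper does the disk walk of step 13. The export text, its value names and the paths in it are constructed for the example; the post gives no real path for the file.

```python
"""Review a regedit export for values that reference a file name (here
windaemon.exe, the name the removal steps search for) and locate copies of
that file on disk. The export text below is constructed for this example."""
import os


def _unescape(s):
    # .reg escaping: a backslash protects the next character (used for \\ and \").
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def _decode_data(data):
    """Turn the right-hand side of a .reg value line into text.
    "..." is REG_SZ; hex(2)/hex(7) are REG_EXPAND_SZ/REG_MULTI_SZ as UTF-16LE bytes;
    anything else (dword:, hex:) is returned as written."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return _unescape(data[1:-1])
    if data.startswith(("hex(2):", "hex(7):")):
        raw = bytes(int(b, 16) for b in data.split(":", 1)[1].split(",") if b)
        return raw.decode("utf-16-le").rstrip("\x00").replace("\x00", "\n")
    return data


def parse_reg_export(text):
    """Return a list of (key_path, value_name, data) for every value in a .reg export."""
    entries, key, lines, i = [], None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        while line.endswith("\\") and i < len(lines):  # hex data continued on the next line
            line = line[:-1] + lines[i].strip()
            i += 1
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else _unescape(name.strip('"'))
        entries.append((key, name, _decode_data(data.strip())))
    return entries


def find_references(entries, needle="windaemon.exe"):
    """Every entry whose key path, value name or data mentions needle (case-insensitive),
    with a note of which part matched, so the reviewer knows what regedit would show."""
    needle = needle.lower()
    hits = []
    for key, name, data in entries:
        where = [w for w, text in (("key", key or ""), ("name", name), ("data", data))
                 if needle in text.lower()]
        if where:
            hits.append({"key": key, "name": name, "data": data, "match_in": where})
    return hits


def find_files(root, needle="windaemon.exe"):
    """Walk root (for step 13, 'C:\\') and return every file whose name equals needle."""
    needle = needle.lower()
    return [os.path.join(d, f) for d, _, files in os.walk(root)
            for f in files if f.lower() == needle]


# Constructed export of the two Run keys; the value names and paths are made up.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Windows Daemon"="C:\\WINDOWS\\system32\\windaemon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"updater"=hex(2):43,00,3a,00,5c,00,77,00,69,00,6e,00,64,00,61,00,65,00,6d,00,\
  6f,00,6e,00,2e,00,65,00,78,00,65,00,00,00
"sidebar"="C:\\Program Files\\Sidebar\\sidebar.exe /auto"
'''

if __name__ == "__main__":
    for hit in find_references(parse_reg_export(REG_EXPORT)):
        print(f"[{hit['key']}] {hit['name']!r} = {hit['data']!r}  (matched in {hit['match_in']})")
```

Run it against a real export with `parse_reg_export(open("run-keys.reg", encoding="utf-16").read())`; regedit writes exports as UTF-16 with a BOM, which that encoding strips. The "updater" value in the sample is the case regedit's text search is weakest at: its data only reads C:\windaemon.exe once the hex(2) bytes are decoded.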
posted by: Myke Reinhold and Travis Sarbin
post credits: http://techtalk.homerun-networks.com, http://travis.sarbin.net/, http://www.bleepingcomputer.com/malware-removal/remove-vundo-virtumonde, http://news.cnet.com/8300-1009_3-83.html?keyword=%22worm%22, http://securitylabs.websense.com/content/Alerts/3250.aspx, http://securitylabs.websense.com/content/Alerts/3248.aspx, http://www.avertlabs.com/research/blog/index.php/2008/12/03/christmas-worm-uses-mcdonalds-and-coca-cola-as-bait/
Posted in Internet, Security, Desktops, Laptops