Fun Cleaning off the FBI Virus

I recently had a remote laptop user that got infected with some type of fake malware FBI virus.  The virus was pretty cool, at least from a technical perspective.  The malware activated the web cam in the laptop and took a picture of the user demanding to be paid in some form of money called Moneypak in order to “decrypt” the hard drive’s files.  The laptop would not boot into safe mode without blue screening and the task manager/start menu/desktop were all locked out in normal mode.  However, we were magically able to login as another user and the FBI virus wasn’t loading for that user profile.  How someone could spend so much time doing a good job locking down the computer and then have it be bypassed with another user login is quite baffling to me.  Anyways, I tried a system restore and it wouldn’t go, saying something about it was interrupted and therefore all the changes were being rolled back.

I used regedit to load the user’s profile as a hive, cleaned the autostart entries and deleted all of the virus EXEs from the user’s profile folder, but the darn virus kept coming back.  So I did something I never did before: I gave myself rights to C:system volume information which is where system restore “hides” its restore points and then went looking in the RPXXX directories.  Going by the dates, I was able to narrow down a “good” copy of the user’s profile.  The ntuser.dat file will be in the format of something like _REGISTRY_USER_NTUSER_S-1-5-21-(long string of numbers that correspond to a particular SID).  I compared the size of his current ntuser.dat to this file and viola: we had a near match!  I copied over this file as ntuser.dat into his profile directory, had him login and viola: no more virus!

However, his profile was still trying to load EXE files that didn’t exist anymore, which meant he probably had some “sleeper” viruses that weren’t announcing their presence on his laptop.  I cleaned these “dead” entries off with Autoruns.   A full virus scan found a few more goodies on the laptop which were removed.

After doing all of this work, I found a good primer on working with system restore points manually here: http://wiki.lunarsoft.net/wiki/System_Volume_Information.  Web sites can go down, so I’ve also published the file here as a PDF.

I looked at my Windows 8 C:system volume information folder and yeah: completely different animal, so this would be a trick for Windows XP machines only.

Update #1

Of course, after a wrote this witty entry, I got a Windows 7 laptop with the same virus.  I did an offline scan with Windows Defender Offline which removed the virus and then it wouldn’t boot…in any mode and was getting critical failure BSOD.  I tried booting to WinPE and doing a system restore, however, it told me system restore was disabled for this drive even though I could see the restore points!  I unfortunately had to back up the user data from WinPE and wipe the drive and reinstall Windows.  I might try a system restore from MS DaRT next time this happens.

Update #2

Yet another laptop with this virus, although this one was nastier.  It was popping up on all logins to the laptop.  I had a copy of MS DaRT, but it didn’t have the right mass storage drivers for the Dell e6430 laptop I had, so I was getting a STOP 7B BSOD on boot and didn’t feel like messing around injecting drivers and re-burning a new CD.  System Restore failed to complete on this laptop as well.  I used Wondershare’s Liveboot 2012 and used the “Analyze System Offline” feature of Autoruns and found our little friend: a weird named DLL sitting in the user’s temp folder under their profile.  This DLL file was referenced in practically every startup location in Windows, even in ContextMenuHandlers sections and some bizzaro autorun feature of cmd.exe I never hear of before: HKEY_CURRENT_USER\Software\Microsoft\Command Processor.   I removed all the entries with Autoruns and the malware screen was gone, however, after login, I would get a black cmd.exe window and that was it (no desktop).  I could load explorer.exe from the task manager and get the desktop, but it wouldn’t autoload on its own and it looked like the shell was correctly defined.  Anyways, I manually copied the system, software and user profile files out of the snapshots directory under C:System Volume InformationRPXXX from Liveboot and again: the laptop was cured.  Well, almost.  The infection took off on the night 6/13/13, but when I ran Norton Power Eraser, it found another naughty DLL dated 4 days earlier in the user’s profile directory (it was under Application Data under a Konica folder I believe).  This means the first infection might have been a “sleeper” waiting to deliver a nasty payload at a later date or the virus skewed the time to hide.

Whatever the cause, this kind of malware is getting almost impossible to remove without a drive wipe.  If I could figure out how it’s corrupting/attacking the system restore function, that would help a great deal.

Update #3

I found a nifty program called the System Restore Explorer.  This allows you to mount the restore points on Vista and later systems as a regular folder.  I tried it on my VM and it works great (and yes, it works on Windows 8 too)!  One little snag is that you will have to work from an elevated command prompt, since C:\windows\system32\config is a protected folder and the restore point is mounted read-only (i.e. you can’t change ACLs).  You should be able to copy the SOFTWARE and SYSTEM out to a folder and replace the ones on the system from WinPE.

There’s also this utility that does nearly the same thing that I have not tested: http://sourceforge.net/projects/vistaprevrsrcvr/

Update #4

There’s a better utility for exploring system restore points on Windows 7/8 called ShadowExplorer.  It is available in a portable edition and if you run as administrator, you can export the file directly out without having to use the command console.

– Soli Deo Gloria

Advanced Malware Cleaning

Found this video the other day on Technet of an updated video of Mark Russinovich teaching techies how to clean malware: http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=359

NOTE: If you want an offline copy, use URLSnopper to get the hidden URL, then use a trial version of  Hidownload to download it.  I’ve provided a local copy on my web site here.  Make sure to right-click the file, do a target save-as to save it to your PC instead of streaming it.

– Soli Deo Gloria

More Tools to Fight Malware and Viruses

As time passes, viruses and malware are getting very hard to clean up when Windows is running.  Therefore, we need some tools that do offline virus scanning.  Correction: FREE tools.  After doing some reason, I have found some very decent products for doing this.

One is the F-secure Rescue CD version 3.01.  This is a Linux based rescue disc that can read/write NTFS partitions. The CD supports updating the virus definitions either via the Internet or a USB stick.  It appears that F-Secure is using the Kaspersky engine for detecting viruses and according to VB100: Kaspersky ranks up there with ESET.  The CD will rename infected files with a file extension of .virus, but will not delete or disinfect them.  I tried the manual update routine by downloading http://download.f-secure.com/latest/fsdbupdate.run to a USB stick.  I placed the USB stick in the computer, booted from the CD and it found the updates right away during the boot process.  This is very useful, especially if the CD fails to find a NIC driver for your PC.  I tried the Internet auto-updating on a Dell Optiplex 745 and GX280: both worked flawlessly.

A similar CD is available from BitDefender called BitDefender Rescue CD 2008.  The CD actually boots to a screen that says BitDefender 2009. This CD is also Linux based.  The virus tests run by VB100 show a less stellar product then F-secure.  The CD, however, has a bit more functionality.  The CD boots to a XWindows environment with Firefox and a file manager called Midnight Commander. You can also manually update virus definitions by running a script from the desktop.  It appears, however, you have to have Internet access to update the virus definitions whether using the manual script or automatic update.  BitDefender gives you options for each suspect file found: leave alone or delete.

Since I was already using a WinPE 2.0 disc to push out images, I wanted to find a free solution I could add to this disc.
(WinPE 2.0 is available for free in the latest WAIK: see http://www.svrops.com/svrops/articles/winvistape2.htm)

Sophos has a free commandline scanner called Sophos SAV32CLI at http://www.sophos.com/support/knowledgebase/article/13251.html.  Sophos ranks very well at the VB100. I suggest throwing it on a network share and then just mapping a drive to that network share.  You can also use USB drives in WinPE 2.0, so you can also place the files on a USB stick.   The readme.txt lists all of the command line options you can use, but I simply use “X:avsophossav32cli.exe -di -dn C:”. This tells Sophos to show the filenames that it is scanning and to disinfect all the files it finds. There’s also a logging option “-p=” you can use to pipe the results to a file or simply put a pause statement after this command if you are running the program from a batch file. Virus updates are available at http://www.sophos.com/downloads/ide/.  Use the ZIP file version as the self-extracting file does NOT work on Vista/Server 2003.  The command line version goes out of date after 3 months, so make sure you download a new copy or the new IDEs won’t work after a while.

Mcafee has a command line scanner and virus definitions in their SuperDat virus files.  Download the SuperDat exe from ftp://ftp.nai.com/pub/antivirus/superdat/intel/.  Then extract the SuperDat file using the “/e” switch, for example: “sdat5569.exe /e”.  To scan the C: drive, you can use “scan c: /clean /winmem”.  There is a GUI wrapper included with BartPE for the Mcafee scanner if you want a GUI.

Update: As of 4/1/10, this trick no longer works.  They removed scan.exe, messages.dat, etc. from the SuperDat file.  You must now download vscl-w32-6.0.1-l.zip (Mcafee Commandline Tools) from Mcafee’s site using a grant number to get scan.exe.

Trend Micro has a program called Trend Micro System Cleaner.  This is a portable program that uses the regular spyware and virus definitions that their regular AV programs use.  Trend Micro is not rated at VB100, but seems like a very decent product. You will need manually download the virus and spyware definitions yourself.  Their web page is a bit confusing for updating the virus/spyware definitions, but upon running the program for the first time, it will give you the URL locations of what to download.  Currently, the virus definitions are lpt$vpn.XXX in ZIP format as lptXXX.ZIP from http://www.trendmicro.com/download/viruspattern.asp. The spyware definitions are ssapiptn.da5 in ZIP format as ssapiptnXXX.ZIP from http://www.trendmicro.com/download/spywarepattern.asp.

Upon running the scan from TSC in WinPE 2.0, I got an error message saying installation failed, but the program went on without any problems.  You will, however, need to run this from writable media, such as a USB stick or a network drive with write access.

EmsiSoft has a neat command-line scanner called a2cmd.  a2cmd can be downloaded here.   You can run a scan by running a2cmd C: /deep /dq.  To update the signatures, you simply need to be connected to the Internet and then run a2cmd /u.

Microsoft released a new standalone virus scanning tool in April 2011 called the Microsoft Safety Scanner. The download expires after 10 days.  It did not work in the WinPE 3.0 disc I tried, but it did work in the disc I built from the Win7PE project from reboot.pro

Still in beta, but handy none the less: Microsoft Standalone System Sweeper. This tool will download WinPE + the standalone system sweeper and definitions (the same one that that comes with Microsoft DaRT 6.x and beyond) and build an ISO for you, for FREE! Now you can boot from a clean WinPE CD and disinfect your PC in safety.

Now that described the elaborate ways to download the programs and the signatures that go along with them, there is a real easy of having it done for you: Multi-AV Scanning Tool.  This web site is in another language, but you should be able to find the download link (look for Download von www pctipp.ch on the bottom of the page). You run the program which will extract to C:AV-CLS.  From there, just run the menu options for each and it downloads the programs and the signatures automatically.

There is an Avira command line scanner that is available with this toolkit with a hbedv.key license file generated specifically for this tool.   The Kaspersky version that comes with this version is the DOS version and won’t run on WinPE or under x64 operating systems (the author says he will remove it in future versions).

There is another program that does nearly the same thing, but unforunately it deletes the signatures when it is done scanning the drive.  This program is called AVERT.  I prefer using the Multi-Av Scanning Tool for this reason.

These products do not work in WinPE 2.0, but can be quite useful within Windows:

MalwareBytes Anti-Malware: One of the best spyware scanners I have found. Malwarebytes Anti-Malware can be found at http://www.malwarebytes.org/.  Note that the free version just has the scanning ability.  If you want the realtime access protection, you will need to purchase the program

SUPERAntispyware Portable: Simliar to Malwarebytes, but in a portable version.  I like the speed at which it scans and how it empties the recycle bin after cleaning the files so you don’t find the dormant infection again.

– Soli Deo Gloria

Columbo Files: Limited or No Connectivity

I had an interesting problem recently. A user called and was not able to get on the network. After arriving at the user’s desktop, I noted the PC had an APIPA address and the NIC noted that it had “Limited or No Connectivity”. After disabling/re-enabling the NIC, removing/readding it and rebooting the PC, I ended up with the same result. Thinking it was a network problem, I proceeded to switch ports on the network switch and trying another network jack. Same thing. I then tried another NIC in the PC: same thing. I then bought over a laptop and plugged it in: it got an IP address right away. I left the laptop with the user and bought the computer back to my desk for inspection.

When I tried pinging any host on the network, I would get a “y” symbol with two little dots above it. Ah, here it is: ӱ. Charmap lists this as a “Cyrillic Small Letter U with Diaeresis”. Well, thanks for clearing that up! I ran Winsock XP Fix and the PC connected to the network just fine! Weird.

About a day later, the mystery was starting to unravel. The same user called again starting that Internet Explorer wouldn’t start due to the fact that it was looking for a file called msvcrl.dll. This file looks innocent enough, so I went searching for it on another Windows XP workstation, but alas I could not find the file anywhere. Using my old trusty friend Google, I discovered that the file was “a Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data.” That’s great, on a computer that some one runs our finanicals on too!

The major threat was already gone, but how was I to repair Internet Explorer? A search of the registry did not produce any results for msvcrl.dll. Perhaps it was tucked away in some binary value in the registry? I tried to reinstall IE, but it told me that a newer version was already installed. Using the “IsInstalled” registry trick from Microsoft would not fool the computer into reinstalling IE. Bummer. After digging around on Google some more, I found IEFIX. This utility repairs Internet Explorer back to its clean state by re-registering the original files from your Windows XP CD. I ran on this on the PC in question and it was fixed (finally!).

– Soli Deo Gloria

Rootkits: A New Form of Malware

Recently, two of my “high risk” Internet users caught a nasty spell of malware. How nasty? Try rootkit nasty! Rootkits go above and beyond spyware by replacing system files and concealing themselves from system utilities. The first PC had a combination of spyware named TSPY_QQPASS.BUY and a rootkit named Greypigeon. Both PCs had the latest version of Symantec Corporate Antivirus with the latest virus definitions.

I will once again will voice my displeasure with Symantec. They claim that SAV does greyware detection and therefore you should disable Windows Defender if you are running Windows Vista. However, this is the second time in 3 months that Symantec has completely failed us. It did detect the spyware on the first PC, but it was unable to clean it. It was also impossible to unload or terminate SAV to clean off the virus, as it pops in your face every time you try to delete a file. Removing the spyware was impossible: I spent over 2 hours trying to get it off only to have the executables keep returning. I ended up doing a System Restore within Windows XP to restore startup sanity and then cleaning up the dormant spyware files by hand (neither Symantec nor Mcafee would identify the majority of the bad files: I ended up Googling some of the files I kept seeing reappear like “gg.exe” and “zz.exe” and then backtracked other filenames mentioned in the article like newinfo.rxk, then deleted those one-by-one).

The spyware was clever, quite clever actually. Most spyware files are dated with the date they infect the system. However, this spyware was pre-dated back to August 2004, along with most of the other legitimate Windows files. Someone went through a lot of trouble to keep this stuff hidden, as this is the date that service pack 2 was released for Windows XP, therefore most legitimate files are dated 8/4/04. The spyware also took on legitimate looking Windows names, such as rpcs.exe and svchost.exe. Not being digitally signed, however, gives them away.

On to the next PC…this time it was called into the Help Desk as being a problem with Microsoft Excel. It seems that data in Excel wasn’t scrolling when the user scrolled with the mouse cursor using the right side bar. Excel was also slow and “crash prone”. I suggested we try to remove Microsoft Office and reinstall it. Upon trying to doing this, I noted the system was extremely sluggish. Opening the process list in Process Explorer revealed 4 copies of svchost.exe running: unsigned of course, along with something called rpcs.exe that was kicking off iexplore.exe and other files such as “nortons.exe” and “winform.exe”. Cleaning this up was easy actually: using a combination of Process Explorer and Autoruns, I was able to clean off most of the bad guys, except rpcs.exe kept showing back up after reboots.

Unfortunately, Rootkit Revealer would just freeze up on this system. I then tried the System Repair Engineer from kztechs.com. Right away SRE lets me know that something is wrong:

Clicking on details gives me this:

The really funny part is if you go into Windows explorer and go to C:windowspss, you will see nothing there. That’s because this rootkit is incepting our calls to see this directory and is feeding us false information. If you were boot from BartPE, you would actually see the files there. We’ll proceed to the Smart Scan within SRE…all this does is create a text report of any bad stuff going on with our system. From this report, we are warned once again about C:windowspss3.dll being a dangerous API hook, as well as 3.exe running as a hidden process. SRE also goes through the services and shows us any services that aren’t digitally signed. I find that Greypigeon installed a service for us! Pigeons usually crap all over the place and this is no exception: attacking via a service is not common attack vector and therefore will likely get missed (I missed it myself the first few passes).

SRE also has a few nifty repair utilities in, including the ability to restore hijacked file extensions, restore Winsock back to its default state, restore default Windows policies and restore safe mode services (some spyware removes the Safeboot key to keep you from booting into safe mode to remove them). Unfortunately, SRE cannot terminate hidden processes or locked files: we have to use Icesword for that. Icesword was written in Chinese and was translated to English, so you don’t get any documentation with it. However, it’s pretty easy to use and who ever reads documentation anyways? As Dogbert once said: “While you’re waiting, read the free novel we sent you. It’s a spanish story about a guy named “Manual” .

We can click on the Process icon and find our victim:

We can then go back into SRE and delete the GreyPigeon service:

If someone could combine Autoruns, Process Explorer, Icesword and SRE into one product, that would be so cool!

If you want to play around with this rootkit, I’ve uploaded it here. Make sure you only load it into Virtual PC or VMware and not on your PC! THIS FILE IS FOR EDUCATIONAL PURPOSES ONLY AND I CANNOT BE HELD RESPONSIBLE FOR ANY RESULTS YOU GET FROM RUNNING IT! YOU HAVE BEEN WARNED!

So the lesson here is that just because a user gets malware does not mean we have to wipe the machine. What would we learn if we wiped the machine? Interacting with various types of malware and program bugs brings us a closer understanding of the operating system.

– Soli Deo Gloria

Spyware: The Never Ending Story

Those spyware boys are getting smarter! Recently had a remote laptop user that kept having his home page hijacked by www.securitynetpage.net even though the home page in Internet Explorer was set to our company web site. Autoruns showed no suspicious BHOs. After poking around in the registry and finding nothing, I took a look at the Internet Explorer Addins and lo and behold: isaddon.dll. Sounds important, doesn’t it? Appears to be related to some SmitFraud spyware.

Here’s one of the prompts from the web site. The user in question thought he was infected:

Note the spelling mistakes. A lookup of the domain name on www.whois.sc shows that the web site is blacklisted by many other sites.

I found another useful site for slamming down spyware: Jotti. You know those little pests like to randomize the filenames so you cannot find them via Google? Well, you can submit a suspicious file to Jotti and it will tell you what it is!

Just for the record: I again recommend you use Ewido for cleaning off spyware. You can install and run it within Windows PE: it does work.

– Soli Deo Gloria

More Spyware Fun

Countless articles could be written on spyware. Recently, I ran into Troj/LdPinc-LZ on a PC. The really bad part is that Spysweeper didn’t detect this piece of malware even with the latest definitions! I am therefore recommending that you use Ewido as the software can be used passed 30 days (the real-time protection will get disabled if you don’t register it, but you can still use the on demand scanner). The trial version of Spysweeper won’t even clean the malware off your PC anymore and will shortly be removed from my web site.

The sypthoms were actually quite interesting. When the user went to CNN, Internet Explorer would just crash. When the user went to a specific realator site, the whole computer rebooted! Very little information exists on mssync20.sys, but by booting into safe mode and deleting all the mssync files from C:windowssystem32, I cleaned the little bugger off. It appears from the event logs it was also trying to load as a service and failed, so if you happen to get infected with this pest, make sure to check your services for a mssync20 service. After trying to load Spyware Blaster, it complained it couldn’t find MSINET.OCX. The spyware must have kicked this file out of C:windowssystem32, so I connected to my machine and copied it back over and life was good again.

Upon my searches on Google about spyware, I found some interesting articles. This one by Michael Horowitz goes through a nice series of steps when dealing with malware. He mentions the fact that the new version of Bagle actually has a trick to disable Safe Mode on PCs by deleting the SafeBoot key in the registry! This is explained in more detail at Didier Steven’s WordPress blog, with yet another link to Chris Quirke’s web blog on how to boot with BartPE to restore the Safeboot tree.

– Soli Deo Gloria

A Look at Look2Me Malware

We looked at killing off spyware before. That spyware was pretty mild. Let’s look at some really nasty stuff! Here is an installer for Look2Me. Note: DO NOT INSTALL THIS ON A PRODUCTION COMPUTER! Use Virtual PC or Vmware if you want to take a look at this spyware. The file is ZIPed, then RARed, so you’ll need WinRAR to unpack it. Before running INSTALLER.EXE, let’s start up Process Explorer. Upon launching INSTALLER.EXE, we notice that EXPLORER.EXE dies and then restarts itself. After this happens, a pop-up ad! Hmm! Looking at Process Explorer, we see nothing out of the ordinary:

The processes in blue were loaded after INSTALLER.EXE ran. Hmm….notice anything? All processes are digitally signed either by Vmware, Sysinternals or Microsoft. Where is the malware? RUNDLL32 allows programmers to run DLLs as programs. In order to find out the malware is, we have to go EXPLORER.EXE and click on the Threads tab:

The sRfrcdlg.dll is the actual malware DLL launching the pop up ads. Let’s kill all the DLLs out of memory. We locate sRfrcdlg.dll in C:windowssystem32. Attempts to delete the file fail. What is locking the file? EXPLORER.EXE! If we head back to Process Explorer and go to Find>Find Handle, you will see that EXPLORER.EXE still has a handle or lock into sRfrcdlg.dll. Highlight the entry, then go to Handle>Close Handle. It will warn about about doing so, but proceed. Now try to delete the file. The file still cannot be deleted! What gives?! If we do a DLL search we find this:

EXPLORER.EXE still has a lock on the file, even though sRfrcdlg.dll doesn’t appear to be running. To delete the program, we can use a nifty little program called Unlocker. This program is freeware and works very well! It installs itself as a menu extension, so all we have to do is locate the file in Windows Explorer, right-click on the file and pick Unlocker. Pick Delete and Unlock all and flush goes the file!

Now there’s only one thing left to do: delete it out of autostartup. If you look in all the familar places you won’t see it, but if you happen to look under Winlogin, there it is:

If you attempt to delete this key while Look2Me is running, it restores it! Whether you boot into Safe Mode or not, this key will always load and it loads even before you log into the system. Nasty! That’s why you have to delete the DLL from memory and the disk before you attempt removing it from the registry.

Another ingenious solution for deleting the file was posted over at the Sysinternals forum by bmccool2003. This involves setting the “Deny” NTFS permission on the file for the Everyone group (and removing SYSTEM and CREATOR OWNER from the rights section). When you reboot, the OS doesn’t have permission to use the file and thus you can login and take ownership of the file. This will then let you delete the file.

– Soli Deo Gloria