Note: URLs have been stripped from this public analysis to protect against infection.
This is the analysis for a new infection that hijacks search engines and creates popups. It also logs keystrokes and opens a backdoor on the machine. The logged keystrokes are sent by email to an undetermined location.
Symptoms in a HijackThis log are:
Quote
O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - Startup: winupdate32617713[1].exe
A file with a name similar to winupdate32617713[1].exe is placed in the Startup directory under the user's profile. The path is:
C:\Documents and Settings\username\Start Menu\Programs\Startup
Windows launches the program at the next logon. The program then performs the following steps:
- Connects to ftp.freebsd.org. It is unknown whether this is a form of DoS or an attempt to download a file.
- Downloads /1.gif, which is an executable carrying a .gif name.
- Downloads /dllr.exe. When run, this connects to /dd/dial.exe?id=1277 and downloads sbar.exe. When sbar.exe is executed it downloads tibs3.exe, which is part of a dialer.
- Downloads /search.exe and saves it as a temp file. search.exe then downloads and installs bin/BHO.dll. This BHO is copied to c:\windows\system32\dsmanager.dll and is UPX packed. DsManager is a search hijacker: when you search with www.google.com, www.yahoo.com or search.msn.com, the first page of results comes back from 61.131.54.618.cc instead, including their own sponsored links. If you go to the next page it shows the correct results.
Clicking links on this hijacked search page also opens popups from klikfeed.com.
- Downloads /dialers/126099.exe and saves it as a temp file. This installs an application into c:\program files\WebSiteViewer which tells you how to use the adult dialer. It also adds links named Youn Teen Sex.lnk to the desktop and Start menu. The links point to "C:\Program Files\WebSiteViewer\126099.exe" /ac:126099 /sk:tte /lc: /ul
- Downloads /private/X/537.exe, which appears to be dialer related.
- Starts popups to /1.html, which attempts to install windupdates.
- Adds itself to Add/Remove Programs as MDS Search Booster:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MDS Search Booster
- Installs a keylogger which is a variant of Backdoor.Haxdoor.D. This keylogger logs keystrokes in contexts such as visiting websites, filling in forms, writing in Notepad or other documents, writing email, etc. The keylogger is installed as a device driver service on the machine (the .sys files below), so the registry must be edited to remove it. The keylogger uses the following files:
Quote
c:\windows\system32\klogini.dll - part of logger
c:\windows\system32\p2.ini - part of logger
c:\windows\system32\ps.a3d - pop3 accounts
c:\windows\system32\vdnt32.sys - part of logger
c:\windows\system32\vdmt16.sys - keylogger
c:\windows\system32\winlow.sys - keylogger
c:\windows\system32\klo5.sys - key logger log
c:\windows\system32\drct16.dll - key logger
c:\windows\system32\mszx23.exe - backdoor (must end the process before deleting the file)
To remove this infection you must remove the following registry keys:
Quote
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winlow
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winlow
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vdmt16
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vdmt16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\drct16
These keys also need to be removed, but they are locked down. In regedit you must first take ownership of each key, then grant Everyone full control, and only then can you delete them:
Quote
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VDMT16
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINLOW
On Windows XP this can be accomplished more easily by running:
sc delete winlow
sc delete VDMT16
and then deleting the Winlogon Notify key.
Now the keylogger is gone.
The prescribed steps to remove the infection entirely are:
- Killbox the winupdate file so you don't reinfect the machine when the user reboots.
- Remove the keylogger.
- Clean the rest of the log as normal.
- Remove the Add/Remove Programs entry by deleting this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MDS Search Booster
- Advise the user to change passwords, since everything typed on the machine may have been logged and emailed out.
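The whole removal procedure above as a single script, added here as an example; it is not part of the original analysis or of any tool the analysis mentions. It assumes PowerShell is available on the infected machine and is run from an elevated prompt. The key, value, service and file names come from the analysis; the Browser Helper Objects and Run registry locations are the standard ones that HijackThis O2 and O4 entries map to; the `$StartupDir` parameter and the `-DryRun` switch are this example's own additions.

```powershell
# Added example (not from the original analysis). Save as Remove-HaxdoorVariant.ps1
# and run from an elevated PowerShell on the infected machine.
param(
    # Assumption: the per-user Startup folder of the infected account. Defaults to the
    # current user's; pass the victim's folder when cleaning from another account.
    [string]$StartupDir = [Environment]::GetFolderPath('Startup'),
    [switch]$DryRun        # list every action without changing anything
)

$Sys32 = Join-Path $env:SystemRoot 'System32'

# Indicators from the analysis, grouped by how each is removed.
$Processes = @('mszx23')
$Services  = @('winlow', 'VDMT16')
$RegKeys   = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\drct16',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MDS Search Booster',
    # O2 lines in the HijackThis log are BHO registrations under this standard key
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0F9561D0-03B2-44a3-89A6-E95E417CBA25}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{962F12AE-2773-4BEB-99EA-B5C3AB9A6606}'
)
$RunValues = @{ 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' = 'tibs3' }   # the O4 Run entry
$LegacyKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VDMT16',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINLOW'
)
$Files = @('klogini.dll','p2.ini','ps.a3d','vdnt32.sys','vdmt16.sys','winlow.sys',
           'klo5.sys','drct16.dll','mszx23.exe','tibs3.exe','dsmanager.dll') |
         ForEach-Object { Join-Path $Sys32 $_ }
$Files += Join-Path $env:SystemRoot 'cerbmod.dll'

# Prints the action and returns $true only when we are really changing the machine.
function Invoke-Step([string]$What) {
    if ($DryRun) { Write-Host "[dry-run] $What"; return $false }
    Write-Host $What
    return $true
}

# 1. End the backdoor process; the analysis notes its file cannot be deleted while it runs.
foreach ($proc in Get-Process -Name $Processes -ErrorAction SilentlyContinue) {
    if (Invoke-Step "Stopping $($proc.Name) (PID $($proc.Id))") { Stop-Process -Id $proc.Id -Force }
}

# 2. Remove the Startup dropper so the user does not reinfect the box on reboot.
foreach ($f in Get-ChildItem -Path $StartupDir -Filter 'winupdate*.exe' -ErrorAction SilentlyContinue) {
    if (Invoke-Step "Deleting $($f.FullName)") { Remove-Item -LiteralPath $f.FullName -Force }
}

# 3. Mark the driver services for deletion. sc.exe is spelled out because inside
#    PowerShell the bare word 'sc' is an alias for Set-Content.
foreach ($svc in $Services) {
    if (Invoke-Step "sc.exe delete $svc") { sc.exe delete $svc }
}

# 4. Winlogon Notify hook, Add/Remove Programs entry and the two BHO registrations.
foreach ($k in $RegKeys) {
    if ((Test-Path -LiteralPath $k) -and (Invoke-Step "Removing key $k")) {
        Remove-Item -LiteralPath $k -Recurse -Force
    }
}

# 5. The HKLM Run value that starts the dialer.
foreach ($entry in $RunValues.GetEnumerator()) {
    $props = Get-ItemProperty -LiteralPath $entry.Key -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties[$entry.Value] -and
        (Invoke-Step "Removing Run value $($entry.Value)")) {
        Remove-ItemProperty -LiteralPath $entry.Key -Name $entry.Value -Force
    }
}

# 6. LEGACY_* device keys are owned by SYSTEM, so deletion fails until ownership has been
#    taken (the manual regedit procedure above). Report the failure instead of hiding it.
foreach ($k in $LegacyKeys) {
    if (-not (Test-Path -LiteralPath $k)) { continue }
    if (Invoke-Step "Removing key $k") {
        try   { Remove-Item -LiteralPath $k -Recurse -Force -ErrorAction Stop }
        catch { Write-Warning "$k survived ($($_.Exception.Message)); take ownership in regedit or retry after reboot" }
    }
}

# 7. Dropped files. Loaded drivers cannot be deleted until the service is gone and the
#    machine has rebooted, so collect leftovers and ask for a second pass.
$leftover = @()
foreach ($f in $Files) {
    if (-not (Test-Path -LiteralPath $f)) { continue }
    if (Invoke-Step "Deleting $f") {
        try { Remove-Item -LiteralPath $f -Force -ErrorAction Stop } catch { $leftover += $f }
    }
}
if ($leftover) { Write-Warning ('Still present (reboot and re-run): ' + ($leftover -join ', ')) }
Write-Host 'Reboot, re-run this script, then have the user change every password typed on this machine.'
```

Run it once with `-DryRun` to see what it would touch. When cleaning from an administrator account other than the victim's, pass `-StartupDir 'C:\Documents and Settings\username\Start Menu\Programs\Startup'` with the real user name. The script does not clean the DsManager hijack inside the browser's search settings or the WebSiteViewer dialer folder and its .lnk files; those are the "clean the rest of the log as normal" step and are handled with HijackThis and a file delete as usual. Expect the LEGACY_* keys and the loaded .sys files to survive the first pass; the second run after the reboot picks them up.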