Horseserver.net, Klikfeed.com & Backdoor.haxdoor.d Analysis (Malware Analysis - XP/2000/NT Only)
Grinler
post Feb 2 2005, 06:36 PM
Post #1



Horseserver.net, klikfeed.com & Backdoor.Haxdoor.D Analysis


Note: Urls have been stripped from this public analysis to protect against infection.

This is the analysis for the new infection that hijacks search engines and creates popups. It also logs keystrokes and opens a backdoor to the machine. The keystrokes are sent as an email to an undetermined location.

Symptoms in a HijackThis log are:

    O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll
    O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL
    O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
    O4 - Startup: winupdate32617713[1].exe
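As an added example (not part of the original post), the following PowerShell function flags HijackThis log lines that carry the indicators quoted above: the two BHO CLSIDs and DLL names, the tibs3 run entry, and the winupdate Startup entry. The indicator values are the post's; the regex patterns, the function name and the sample log lines are constructed for this example, and the benign CLSID is a placeholder.

```powershell
# Added example (not from the original post): scan HijackThis log lines for the
# indicators quoted above. The regex patterns, the function name and the sample
# log are constructed for this example; the indicator values are the post's.

$Indicators = @(
    @{ Name = 'cerbmod BHO CLSID';               Pattern = '\{0F9561D0-03B2-44A3-89A6-E95E417CBA25\}' },
    @{ Name = 'DsManager BHO CLSID';             Pattern = '\{962F12AE-2773-4BEB-99EA-B5C3AB9A6606\}' },
    @{ Name = 'cerbmod.dll';                     Pattern = '\\cerbmod\.dll\b' },
    @{ Name = 'dsmanager.dll (8.3 or long name)'; Pattern = '\\dsmana(~1|ger)\.dll\b' },
    @{ Name = 'tibs3 dialer run entry';          Pattern = '\\tibs3\.exe\b' },
    @{ Name = 'winupdate Startup dropper';       Pattern = '\bwinupdate\d+\[1\]\.exe\b' }
)

function Test-HijackThisLog {
    # Returns one object per (line, indicator) match. -match is case-insensitive,
    # so DSMANA~1.DLL and dsmanager.dll both hit the same pattern.
    param([Parameter(Mandatory)][string[]]$Lines)

    foreach ($line in $Lines) {
        foreach ($ioc in $Indicators) {
            if ($line -match $ioc.Pattern) {
                [pscustomobject]@{
                    Section   = ($line -split ' - ', 2)[0].Trim()   # O2, O4, ...
                    Indicator = $ioc.Name
                    Line      = $line
                }
            }
        }
    }
}

# Constructed sample log: the four entries quoted in the post plus two benign
# lines (the benign CLSID is a placeholder, not a real component).
$SampleLog = @'
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [Example] C:\Program Files\Example\tray.exe
O4 - Startup: winupdate32617713[1].exe
'@ -split "`r?`n"

Test-HijackThisLog -Lines $SampleLog | Format-Table -AutoSize
```

The dsmanager pattern accepts both the 8.3 short name HijackThis shows (DSMANA~1.DLL) and the long name the post gives for the dropped file, and a line that carries both a known CLSID and a known file name is reported twice, once per indicator, so nothing is hidden when one of the two has been changed. To run it against a real log, replace $SampleLog with Get-Content on the log file.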


A file similar in name to winupdate32617713[1].exe is placed in the user's startup directory under their profile. The path is:

C:\Documents and Settings\username\Start Menu\Programs\Startup

It then launches the program. The program then does the following steps:
  • Connects to ftp.freebsd.org. Unknown if this is a type of DoS or an attempt to download a file.
  • Downloads /1.gif which is an executable gif.
  • Downloads /dllr.exe. When run, this connects to /dd/dial.exe?id=1277 and downloads sbar.exe. When sbar.exe is executed it downloads tibs3.exe, which is part of a dialer.
  • Downloads /search.exe and saves it as a temp file. Search.exe then downloads and installs bin/BHO.dll. This BHO is copied to c:\windows\system32\dsmanager.dll and is UPX packed. DsManager is a search hijacker: when you search with www.google.com, www.yahoo.com or search.msn.com you instead get the results back from 61.131.54.618.cc on the first page. This includes their own sponsored links. If you go to the next page it will show the correct results.

    Clicking on links in this hijacked search page also opens popups from klikfeed.com.
  • Downloads /dialers/126099.exe and saves it as a temp file. This installs an app into c:\program files\WebSiteViewer which tells you how to use the adult dialer. It also adds links named Youn Teen Sex.lnk to your desktop and start menu. The links point to "C:\Program Files\WebSiteViewer\126099.exe" /ac:126099 /sk:tte /lc: /ul
  • Downloads /private/X/537.exe which appears to be dialer related.
  • Starts popups to /1.html which attempts to install windupdates.
  • Adds itself to Add/Remove Programs as MDS Search Booster:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MDS Search Booster
  • Installs a keylogger which is a variant of Backdoor.Haxdoor.D. This keylogger will log certain keystrokes such as visiting websites, entering forms, writing in notepad or other documents, writing email, etc. The keylogger is installed as a device service on your machine and you need to modify the registry. The keylogger uses the following files:

    c:\windows\system32\klogini.dll - part of logger
    c:\windows\system32\p2.ini - part of logger
    c:\windows\system32\ps.a3d - pop3 accounts
    c:\windows\system32\vdnt32.sys - part of logger
    c:\windows\system32\vdmt16.sys - keylogger
    c:\windows\system32\winlow.sys - keylogger
    c:\windows\system32\klo5.sys - key logger log
    c:\windows\system32\drct16.dll - key logger
    c:\windows\system32\mszx23.exe - backdoor (Must end process before killing)


    To remove this infection you must remove the following registry keys:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winlow
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winlow
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vdmt16
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vdmt16
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\drct16


    These keys need to be removed first, but you must remove all permissions to the keys, then add Everyone to them with full permission and then take ownership to delete them:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VDMT16
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINLOW


    This can be accomplished easily in Windows XP by running:

    sc delete winlow
    sc delete VDMT16


    and then delete the Winlogon Notify key.

    Now the keylogger is gone.
--------------------------------------------

Prescribed steps to remove the infection entirely are:
  1. Killbox the winupdate file so you don't reinfect the machine when the user reboots.
  2. Remove the keylogger
  3. Clean the rest of the log as normal.
  4. Remove Add/Remove programs entry by deleting this key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MDS Search Booster
  5. Advise user to change passwords.
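The file, service and registry indicators from the keylogger section and the removal steps above, pulled together into one script as an added example that is not from the original post: Get-HaxdoorArtifacts reports which of the listed artifacts are present on a host, and Remove-HaxdoorArtifacts applies the removal order the post describes (Startup dropper, end mszx23.exe before touching its file, sc delete for the two services, then the Winlogon Notify and Uninstall keys and the files). The paths, key names and service names are those listed in the post; the function names and the script structure are assumptions of this example. PowerShell postdates the XP/2000/NT systems the post targets, so on those machines the same checks translate to dir, sc query and reg query.

```powershell
# Added example, not from the original post: audit a host for the artifacts listed
# above and, on request, apply the post's removal steps. Indicator names and paths
# are the post's; the function names and structure are assumptions of this example.

$HaxdoorFiles = @(
    'klogini.dll', 'p2.ini', 'ps.a3d', 'vdnt32.sys', 'vdmt16.sys',
    'winlow.sys', 'klo5.sys', 'drct16.dll', 'mszx23.exe'
) | ForEach-Object { Join-Path $env:SystemRoot "System32\$_" }

$ServiceNames = @('winlow', 'vdmt16')

$RegistryKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\winlow',
    'HKLM:\SYSTEM\ControlSet001\Services\winlow',
    'HKLM:\SYSTEM\CurrentControlSet\Services\vdmt16',
    'HKLM:\SYSTEM\ControlSet001\Services\vdmt16',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VDMT16',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINLOW',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\drct16',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MDS Search Booster'
)

function Get-StartupDroppers {
    # The winupdate<digits>[1].exe file the post places in the per-user Startup folder.
    $startup = [Environment]::GetFolderPath('Startup')
    if (Test-Path -LiteralPath $startup) {
        Get-ChildItem -LiteralPath $startup -File |
            Where-Object { $_.Name -match '^winupdate\d+\[1\]\.exe$' }
    }
}

function Get-HaxdoorArtifacts {
    # Read-only audit: one object per indicator present on this host.
    Get-StartupDroppers | ForEach-Object {
        [pscustomobject]@{ Type = 'StartupDropper'; Path = $_.FullName }
    }
    foreach ($f in $HaxdoorFiles) {
        if (Test-Path -LiteralPath $f) { [pscustomobject]@{ Type = 'File'; Path = $f } }
    }
    foreach ($k in $RegistryKeys) {
        if (Test-Path -LiteralPath $k) { [pscustomobject]@{ Type = 'RegistryKey'; Path = $k } }
    }
    foreach ($s in $ServiceNames) {
        if (Get-Service -Name $s -ErrorAction SilentlyContinue) {
            [pscustomobject]@{ Type = 'Service'; Path = $s }
        }
    }
    Get-Process -Name 'mszx23' -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Type = 'Process'; Path = "mszx23.exe (PID $($_.Id))" }
    }
}

function Remove-HaxdoorArtifacts {
    # Follows the post's order. Run elevated; -WhatIf previews every action.
    # The LEGACY_* Enum keys need their permissions reset and ownership taken
    # first, as the post describes, so they are only reported here.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    Get-StartupDroppers | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.FullName, 'Delete Startup dropper')) {
            Remove-Item -LiteralPath $_.FullName -Force
        }
    }
    # The post notes mszx23.exe must be ended before its file can be removed.
    Get-Process -Name 'mszx23' -ErrorAction SilentlyContinue | ForEach-Object {
        if ($PSCmdlet.ShouldProcess("PID $($_.Id)", 'Stop mszx23.exe')) {
            Stop-Process -Id $_.Id -Force
        }
    }
    foreach ($s in $ServiceNames) {
        if ($PSCmdlet.ShouldProcess($s, 'sc.exe delete')) {
            & "$env:SystemRoot\System32\sc.exe" delete $s | Out-Null
        }
    }
    foreach ($k in $RegistryKeys) {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        if ($k -like '*\Enum\Root\LEGACY_*') {
            Write-Warning "Reset permissions, take ownership, then delete manually: $k"
            continue
        }
        if ($PSCmdlet.ShouldProcess($k, 'Remove registry key')) {
            Remove-Item -LiteralPath $k -Recurse -Force
        }
    }
    foreach ($f in $HaxdoorFiles) {
        if ((Test-Path -LiteralPath $f) -and $PSCmdlet.ShouldProcess($f, 'Delete file')) {
            Remove-Item -LiteralPath $f -Force
        }
    }
}

Get-HaxdoorArtifacts | Format-Table -AutoSize
# Remove-HaxdoorArtifacts -WhatIf    # preview; drop -WhatIf to apply
```

Run the audit first and keep its output as the record of what was found. A loaded .sys driver and its Services key may refuse deletion until the next reboot, so rerun Get-HaxdoorArtifacts after restarting to confirm nothing returned, and, as step 5 says, have the user change passwords afterwards since the keylogger had been capturing them.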


--------------------
Lawrence
© 2003-2009 All Rights Reserved Bleeping Computer LLC.