BleepingComputer.com: Trojan setting aux2= in the windows registry


Trojan setting aux2= in the windows registry cmd.exe, regedit.exe don't work, and close Explorer

#1 morayxp (Member)

Posted 26 April 2009 - 02:18 PM

I've been struggling to identify a trojan/virus for the last two days, and came to this site a bit late, having sort of fixed the problem, so don't have the appropriate logs.

I'm a very careful sort of guy (well, I thought I was!), with anti virus software and windows defender running; never opening unknown attachments; never clicking on ads, checking out web site quality before I visit them; etc, etc.

So, I'd greatly appreciate some help in understanding what I had, where it might have come from, and what it might have been doing - I cannot find a description of it (or even a name for it) on any of the anti-virus provider web sites. All I found here was the description of the problem and symptoms.....

The problem manifested itself as cmd.exe and regedit.exe not working. When they were run they did nothing, but closed Internet Explorer and Windows Explorer if they were open. (From other posts, it seems it modifies google toolbar settings, but I don't have that.)

I made cmd.exe & regedit.exe functional by copying to a different directory and renaming them (leaving them in the same directory and renaming them xcmd.exe and xregedit.exe did not work).

Running regedit I found a dodgy entry in HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32 - "aux2"="D:\WINDOWS\system32\..\eof.fju", so I deleted the entry.

I also found an odd entry in HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run - "stid1690"="c:\windows\stid1690.exe", which I disabled with msconfig.

Rebooted and cmd.exe and regedit.exe worked fine. And no new entries in HKLM\.....\drivers32 or HKLM\.....\run (or since).

However, the odd thing was that I could not find either of these two files to delete (and yes, I have show hidden and show system on the folder, used the cmd.exe and hijackthis as well; and tried in safe mode). I'm not even sure that stid1690.exe is relevant - it may have been old web cam software now defunct.

So, can anyone tell me anything about this trojan? Scans with latest Virgin PCGuard, and Windows Defender showed nothing (and since the changes show nothing).

Does anyone know how this infection would have arrived, whether it created other files, how the aux2= entry works (does it run on startup, or just with a specific app), and what exactly was it doing? And is it waiting to reappear?

Thanks!

#2 miekiemoes (Malware Response Team)

Posted 26 April 2009 - 02:55 PM

Hi,

This may be the answer to your question: http://miekiemoes.blogspot.com/2008/10/fak...archengine.html

Did you delete the eof.fju file from the Windows folder?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 morayxp (Member)

Posted 26 April 2009 - 03:22 PM

The link looks very interesting, and will merit a detailed look. Thanks.

In reply, I could not find any evidence of the eof.fju file in the Windows directory. Hence my confusion, and my desire to understand by what the registry was altered, and what the "eof.fju" file does when running. I did wonder whether the trojan script couldn't complete properly (eof meaning just that), and whether an aux2= entry to an invalid file would have the cmd.exe / regedit.exe effects; or whether it mutates and hides if the key is removed.....

Thanks.

#4 miekiemoes (Malware Response Team)

Posted 26 April 2009 - 03:28 PM

Hi,

If you, or a scanner didn't delete the file, then it should still be present in your D:\Windows directory though. You won't find it here: D:\WINDOWS\system32\..\eof.fju
This is because the \..\ is not a folder, but actually means, go two up, so this means, it points to the Windows folder.
That file is indeed responsible for blocking regedit, cmd, a lot of other programs, crashes your taskbar, blocks this forum, blocks my blog, so it all makes sense. So, in general, the malware was properly installed though.
You'll read more on my blog and in the comments how this one gets installed and what its purpose is. As you see, there have been a few variants already.

#5 morayxp (Member)

Posted 26 April 2009 - 04:10 PM

Hi.

I was looking in the "windows" folder, not windows/system32 (though I looked there as well, as well as the various temp folders, other drive letters:\windows, etc.). Just not present.

Meanwhile, I find it hard to imagine how any javascript running on the local computer has any rights to write files or registry entries, though I haven't got a spare computer to go looking at a "Yahoo Counter" infected site to see. Do you know what loophole it is using?

I have come across another thread that suggests the original variant was supplied by an infected PDF through a bug in Acrobat, which may be interesting as well.

Thanks again!

#6 miekiemoes (Malware Response Team)

Posted 26 April 2009 - 04:14 PM

In the meanwhile it uses another obfuscated script though... and as you said, it's also spread via an infected PDF. That's why people should update Acrobat Reader or any other PDF viewer.

#7 morayxp (Member)

Posted 27 April 2009 - 04:37 AM

Thanks miekiemoes. I finally found the file eof.fju - quarantined by ComboFix! There were a number of crashes, which I put down to the trojan trying to stop scans, but thinking back, my computer sometimes dies if it does too much processor intensive stuff (the control of the fan doesn't work well), so ComboFix must have found it, but not been able to report it.

Anyway, I think I understand it better now. http://www.bleepingcomputer.com/forums/lof...hp/t175838.html has helped with the technology, along with your excellent description.

Much more confident now that there's no lasting effects, and have updated Acrobat Reader to remove the vulnerability.

Had a look through the file - it contains the data "AntiMcHTNOD3LIVEPand<UACOMOESS CAUpliveNortSpySEnigAVPUTMUFAdobSUPE" - I assume that these are 4 chars of programs it will reset on, and there's the list of procedures it uses, but that's as far as dumping the hex tells me.

Ran it through virustotal, and only got hits on 10 out of 40 virus checkers:
AhnLab-V3 Win-Trojan/Xema.variant
Avast Win32:Trojan-gen {Other}
AVG Agent
GData Win32:Trojan-gen {Other}
McAfee-GW-Edition Win32.LooksLike.NewMalware
Microsoft Trojan:Win32/Delf.ER
NOD32 Win32/Delf.OGX
Panda Trj/KillAv.KK
Prevx1 High Risk Worm
VBA32 Win32.Delf.OGX

My summary, just to check I've understood it......

Delivered by:
Infected PDF
"Yahoo Counter" javascript [presumably displaying an infected PDF]

Stop reinfection:
Upgrade to latest Acrobat Reader

Files:
Initial appearance: sysaudio.sys [different location to the real one]
Later appearance: wdmaud.sys [different location to the real one]
Current appearance: random filename

Actions:
On the first run of an Internet browser after infection -
Creates file in \WINDOWS or \WINDOWS\SYSTEM32
Entry in HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
aux/aux2 = "filename"

May use the form \Windows\System32\..\"filename" to put the file in \Windows (up one level from System32).

On future runs of the Internet Browser load "filename".

Effects:
Internet searches are passed through an intermediary server - the displayed summary paragraph for a site is correct, but some of the links are changed to unpleasant sites [not quite sure whether the link change is done by javascript on the page, or on the intermediary server].

If attempts are made to run the names "cmd" or "regedit", it performs some aggressive action to stop them [maybe some reset, as it forces exits of Windows Explorer and Internet Explorer at the same time].

Risks:
Going to the unpleasant sites, thinking, based on the summary text, that they are helpful, and picking up worse things.

Future risks:
Maybe this sort of preparsing could change download links on valid sites, so rather than downloading a useful utility (to stop the infection), you download another trojan. Let's hope the scanning software improves!

All the best!
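
The registry side of the summary above (a stray aux/aux2 value under Drivers32 whose data uses \Windows\System32\..\ to land a file in \Windows, or points at a file with an odd name or location) can be checked mechanically. The script below is an added example, not code from this thread or from any tool discussed in it: it parses the text of a .reg export of the Drivers32 key, resolves the `..` trick with ntpath.normpath so the real on-disk location is visible, and flags values whose module has an unexpected extension or does not sit in System32. The export text, the drive letters and the baseline of legitimate extensions (.drv, .dll, .acm) are constructed assumptions for illustration; tune the baseline for the Windows build being examined.

```python
"""Audit a Drivers32 registry export for injected multimedia-driver values.

Added example (not from the forum thread). Works offline on the text of a
.reg export, so it can be run on a file pulled from a suspect machine.
"""
import ntpath
import re

DRIVERS32_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"

# Assumption: legitimate Drivers32 entries name user-mode driver modules with
# one of these extensions. Anything else (.sys, .fju, no extension) is flagged.
LEGIT_EXTENSIONS = {".drv", ".dll", ".acm"}

# Constructed .reg export snippet (not a real machine). Backslashes are doubled,
# as regedit writes them. It carries the stock values plus two injected ones of
# the kind described in the thread: a "\..\" path and a .sys file outside System32.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux"="wdmaud.drv"
"midi"="wdmaud.drv"
"mixer"="wdmaud.drv"
"wave"="wdmaud.drv"
"midimapper"="midimap.dll"
"wavemapper"="msacm32.drv"
"msacm.l3acm"="C:\\WINDOWS\\System32\\l3codeca.acm"
"aux2"="D:\\WINDOWS\\system32\\..\\eof.fju"
"wave1"="C:\\WINDOWS\\wdmaud.sys"
'''


def parse_reg_values(reg_text, key):
    """Return {value_name: string_data} for the REG_SZ values under `key`."""
    values = {}
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):                      # section header: [HKEY_...]
            in_key = line.strip("[]").lower() == key.lower()
            continue
        m = re.match(r'^"(.+?)"="(.*)"$', line)       # only "name"="string" lines
        if in_key and m:
            name, raw = m.groups()
            # Undo .reg escaping: \" -> " and \\ -> \
            values[name] = raw.replace(r'\"', '"').replace("\\\\", "\\")
    return values


def resolve_module_path(data, system32=r"C:\WINDOWS\System32"):
    """Where the module really lives: collapse '..' and anchor bare names.

    Assumption: a bare module name (the normal form of stock entries) is
    loaded from System32; a path is taken literally after normalisation.
    """
    if ntpath.isabs(data) or "\\" in data:
        return ntpath.normpath(data)
    return ntpath.join(system32, data)


def audit_drivers32(values, system32=r"C:\WINDOWS\System32"):
    """Flag entries that look like the injected aux/aux2 values from the thread."""
    findings = []
    for name, data in values.items():
        reasons = []
        if ".." in data.split("\\"):
            reasons.append("parent-directory traversal in path")
        resolved = resolve_module_path(data, system32)
        if ntpath.splitext(resolved)[1].lower() not in LEGIT_EXTENSIONS:
            reasons.append("unexpected module extension")
        if ntpath.dirname(resolved).lower() != system32.lower():
            reasons.append("module outside System32")
        if reasons:
            findings.append({"value": name, "data": data,
                             "resolved": resolved, "reasons": reasons})
    return findings


def audit_sample():
    """Run the audit over the constructed export above."""
    return audit_drivers32(parse_reg_values(SAMPLE_REG, DRIVERS32_KEY))


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f['value']} = {f['data']!r} -> {f['resolved']}: "
              f"{', '.join(f['reasons'])}")
```

On the sample this reports only `aux2` (traversal, odd extension, resolves to D:\WINDOWS\eof.fju, which matches the thread's finding that the file sat in \Windows rather than \Windows\system32) and `wave1` (a .sys outside System32, the "different location to the real one" pattern). Numbered slots such as aux1 or wave1 are legitimate on machines with more than one sound device, so the location and extension checks, not the slot name, are what carry the signal.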

#8 miekiemoes (Malware Response Team)

Posted 27 April 2009 - 04:51 AM

Good writeup!

Also... this may be an interesting article too: http://miekiemoes.blogspot.com/2009/01/ix-...g-reliable.html
I've seen the same with Godaddy unfortunately.

#9 miekiemoes (Malware Response Team)

Posted 16 May 2009 - 05:14 PM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.