BleepingComputer.com: AntiSpy Protector 2009 + Rootkit = Big Trouble!

A new rogue called AntiSpy Protector 2009 has been released and has started being seen in the wild. Normally rogues like these are fairly easy to remove, but this variant carries a trick up its sleeve in the form of a rootkit that does not let you run almost any anti-malware programs.



When AntiSpy Protector 2009 is installed on your computer it looks like every other rogue. It shows fake security alerts, displays fake scan alerts, and is a general nuisance. It is only when you try to remove this malware that you notice that your programs no longer work. While testing this program, I noticed that any program I ran to remove this malware was terminated, and then when I tried to run it again, I was told I did not have permission. It was then that I realized that something a little more devious was going on.



I fired up RootRepeal, an anti-rootkit scanner, to see what was happening and noticed a file was locked when it shouldn't be, as well as two Alternate Data Streams attached to the file win32k.sys. Please note, that the legitimate win32k.sys if found in the C:\Windows\System32 folder. An example as to what I saw when running a file scan with RootRepeal is:

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF7BE7000 Size: 20480 File Visible: No Signed: -
Status: -



Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xF48DC000 Size: 61440 File Visible: No Signed: -
Status: -



Hidden/Locked Files
-------------------



Path: C:\WINDOWS\system32\netlogon.dll
Status: Locked to the Windows API!

At this point I knew we had a rootkit on our hand. After investigating further, I saw that the C:\Windows\System32\netlogon.dll was replaced by a malware file. This malware file having a size of 60,416 bytes, while the legitimate program is 407,040 bytes. After speaking to some security professionals, I learned that the files that were substituted are the actual loading point of the infection and if we replace them with the legitimate file, then the rootkit will be disabled. Other files that are substituted by this rootkit include scecli.dll and eventlog.dll.



Luckily for us, a process has been developed to remove this infection, but it requires a customized solution for each person who may be infected. Therefore, I am unable to write a self-help guide on how to remove AntiSpy Protector 2009 or the rootkit defending it. If you are infected with this rogue, or your computer starts exhibiting the behavior of security programs terminating and then getting permission denied when you try to run them again, then there is a good chance you have this rootkit on your computer.



If that is the case, I suggest that you create a new topic in our Malware Removal section in order to receive help cleaning your computer.



On a last note, I strongly suggest that you do not delete the files listed above unless you are 100% sure that they are not the legitimate ones as doing so could affect the proper performance of your computer.

Is it possible to rename the 3 mentioned files or move the hidden one at least as a prophylactic measure to possible exposure to this virus?
Thanks

No, the files that are replaced are legitimate microsoft files and should not be modified.

Hi Grinler, thanks for the information!

I think I might have a few victims from this infection in AII. Before sending them to HJT, is there anything I can let them check to confirm?

Rootrepeal logs will show it right off. Let me know if you find any.

hello grinler how do i check my rootrepeal logs , this thing won't even let me run malwarebytes. although i was able to run spyware terminator and stopzilla

Have you downloaded and run RootRepeal as of yet?

You should perform the steps here to receive help:

http://www.bleepingcomputer.com/forums/topic34773.html

Hello Grinler,

First, congratulations for the news.

I have some questions. These two files, C:\WINDOWS\win32k.sys and C:\WINDOWS\system32\netlogon.dll, can be deleted by the tool KillBox?

The rogue Anti Spy Protector 2009 ever uses these file names or they are random file names?

Deleting the netlogon.dll rogue file, how I can restore the original file?

Thanks

The win32k.sys:1 file located in the C:\Windows folder is a memory resident driver loaded at runtime when the main loader runners. Netlogon.dll should be replaced with the legitimate file using a special method that could cause problems if done unattended and improperly.

Please do not use killbox to remove these files as unexpected behavior may occur.

Remember this is the rootkit, and not AntiSpy Protector 2009, creating these files. This rootkit is starting to be common with other infections as well. As for the filenames, the C:\Windows\wink32.sys seems to be static. The loader, netlogon.dll, is not random, but could be other replaced files.

It is for this reason we suggest you have someone examine your RR logs.

hello grimler i tryed rootrepeal and it did not install without a pe image error but i could use some of the functions. what do i have to do with the rootrepeal

I've had several customers recently with similar issues. Unfortunately, I couldn't identify the problem so we reloaded the computers after a reformat. Each of the computers was running anti-virus programs, McAfee, AVG, etc. Is there any anti-virus program out there that will prevent this type of infection?
Thanks

fab4life4ever, on Aug 18 2009, 05:29 AM, said:

STOPzilla is a ROGUE antispyware. Just saying...

I caught something similar, called totalsecurity, I succeeded to remove it, booting with ERD2008 .
using it's registry editor I deleted the "bad" entries in registry , and deleted the files.
Moshe

This post has been edited by MOSHE BERGMAN: 23 August 2009 - 03:34 PM

I have run into this nasty bug several times already. I found in some cases renaming combofix and the executable for malwarebytes allows it to run. I have about a 60% success rate on cleaning the pc's of the infections as long as I can get those two utilites to run.

Yes, hello grinler, you know how you said this:
"At this point I knew we had a rootkit on our hand. After investigating further, I saw that the C:\Windows\System32\netlogon.dll was replaced by a malware file. This malware file having a size of 60,416 bytes, while the legitimate program is 407,040 bytes."

I can honestly say that some unknown Rouges have had this, I think i reccently found this on my friends computer, altought...this file name....C:\drivers\system\infcahce.1 Was inffected, replaced, and renamed into C:\Program Files\rootkit. (It took me 3 days to figure out which program it was hidding in) I think the program had 40. But, it was hard to tell. I think his computer is a....Microsoft 2000. Anything leading to this? or is it a prank i should know of?