Horseserver.net, Klikfeed.com & Backdoor.haxdoor.d Analysis
#1 Grinler (Lawrence Abrams)
Posted 02 February 2005 - 06:36 PM
Note: Urls have been stripped from this public analysis to protect against infection.

This is the analysis for the new infection that hijacks search engines and creates popups. It also logs keystrokes and opens a backdoor to the machine. The keystrokes are sent as an email to an undetermined location.

Symptoms in a HijackThis log are:

O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - Startup: winupdate32617713[1].exe


A file similar in name to winupdate32617713[1].exe is placed in the user's startup directory under their profile. The path is:

C:\Documents and Settings\username\Start Menu\Programs\Startup

It then launches the program. The program then does the following steps:
  • Connects to ftp.freebsd.org. Unknown if this is a type of DoS or an attempt to download a file.
  • Downloads /1.gif, which is an executable gif.
  • Downloads /dllr.exe. When run, this connects to /dd/dial.exe?id=1277 and downloads sbar.exe. When sbar.exe is executed it downloads tibs3.exe, which is part of a dialer.
  • Downloads /search.exe and saves it as a temp file. Search.exe then downloads and installs bin/BHO.dll. This BHO is copied to c:\windows\system32\dsmanager.dll and is UPX packed. DsManager is a search hijacker: when you search with www.google.com, www.yahoo.com or search.msn.com, you instead get the results back from 61.131.54.618.cc on the first page. This includes their own sponsored links. If you go to the next page it will show the correct results.

    Clicking on links in this hijacked search page also opens popups from klikfeed.com
  • Downloads /dialers/126099.exe and saves it as a temp file. This installs an app into c:\program files\WebSiteViewer which tells you how to use the adult dialer. It also adds links named Youn Teen Sex.lnk to your desktop and start menu. The links point to "C:\Program Files\WebSiteViewer\126099.exe" /ac:126099 /sk:tte /lc: /ul
  • Downloads /private/X/537.exe, which appears to be dialer related.
  • Starts popups to /1.html, which attempts to install windupdates.
  • Adds itself to Add/Remove Programs as MDS Search Booster:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MDS Search Booster
  • Installs a keylogger which is a variant of Backdoor.Haxdoor.D. This keylogger will log certain keystrokes such as visiting websites, entering forms, writing in Notepad or other documents, writing email, etc. The keylogger is installed as a device service on your machine and you need to modify the registry. The keylogger uses the following files:


    c:\windows\system32\klogini.dll - part of logger
    c:\windows\system32\p2.ini - part of logger
    c:\windows\system32\ps.a3d - pop3 accounts
    c:\windows\system32\vdnt32.sys - part of logger
    c:\windows\system32\vdmt16.sys - keylogger
    c:\windows\system32\winlow.sys - keylogger
    c:\windows\system32\klo5.sys - key logger log
    c:\windows\system32\drct16.dll - key logger
    c:\windows\system32\mszx23.exe - backdoor (Must end process before killing)


    To remove this infection you must remove the following registry keys:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winlow
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\winlow
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vdmt16
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vdmt16
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\drct16


    These keys need to be removed first, but you must remove all permissions on the keys, then add Everyone with full permission, then take ownership, and then delete them:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VDMT16
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINLOW


    This can be accomplished easily in Windows XP by running:

    sc delete winlow
    sc delete VDMT16


    and then delete the Winlogon Notify key.

    Now the keylogger is gone.
--------------------------------------------

Prescribed steps to remove the infection entirely are:
  • Killbox the winupdate file so you don't reinfect the machine when the user reboots.
  • Remove the keylogger
  • Clean the rest of the log as normal.
  • Remove Add/Remove programs entry by deleting this key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MDS Search Booster
  • Advise user to change passwords.
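The indicators and removal order in the post above can be turned into a small triage script. The following is an added example, not code from the original post or from BleepingComputer: it scans HijackThis-style log lines for the file names, CLSIDs and startup entry listed above, and, given a list of files found in system32, emits the removal commands in the order the post prescribes (end mszx23.exe first, then the driver services, then the Winlogon Notify and Add/Remove keys, then the files). The sample log lines are constructed from the post; the use of taskkill, sc and reg on the cmd.exe side is my assumption about the tools available on the affected XP machine.

```python
import re

# Indicators transcribed from the post above. CLSIDs are compared in
# upper case because HijackThis prints them in mixed case.
BHO_CLSIDS = {
    "{0F9561D0-03B2-44A3-89A6-E95E417CBA25}": "cerbmod.dll BHO (no name)",
    "{962F12AE-2773-4BEB-99EA-B5C3AB9A6606}": "DsManager search hijacker BHO",
}
# Keylogger / backdoor components and their roles, as listed in the post.
KEYLOGGER_FILES = {
    "klogini.dll": "part of logger", "p2.ini": "part of logger",
    "ps.a3d": "pop3 accounts", "vdnt32.sys": "part of logger",
    "vdmt16.sys": "keylogger", "winlow.sys": "keylogger",
    "klo5.sys": "key logger log", "drct16.dll": "key logger",
    "mszx23.exe": "backdoor",
}
DROPPED_FILES = set(KEYLOGGER_FILES) | {
    "cerbmod.dll", "dsmanager.dll", "dsmana~1.dll", "tibs3.exe",
}
# The startup dropper's digits vary; the post shows winupdate32617713[1].exe.
WINUPDATE_RE = re.compile(r"\bwinupdate32\d+(\[\d+\])?\.exe\b", re.IGNORECASE)
HJT_LINE_RE = re.compile(r"^(O\d+)\s*-\s*(.*)$")

# Constructed sample log: the four lines from the post plus one clean
# XP entry (ctfmon) that must not be flagged.
SAMPLE_LOG = [
    r"O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINDOWS\cerbmod.dll",
    r"O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL",
    r"O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe",
    r"O4 - Startup: winupdate32617713[1].exe",
    r"O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
]


def _basenames(body):
    """Yield the file-name part of every whitespace-separated token."""
    for tok in body.split():
        yield tok.strip(",;").rsplit("\\", 1)[-1].lower()


def scan_hijackthis_log(lines):
    """Return [(section, line, [reasons])] for lines matching the post's IOCs."""
    hits = []
    for raw in lines:
        m = HJT_LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        reasons = []
        upper = body.upper()
        for clsid, desc in BHO_CLSIDS.items():
            if clsid in upper:
                reasons.append(desc)
        for name in _basenames(body):
            if name in DROPPED_FILES:
                reasons.append("dropped file " + name)
        if WINUPDATE_RE.search(body):
            reasons.append("winupdate32*.exe startup dropper")
        if reasons:
            hits.append((section, raw.strip(), reasons))
    return hits


def removal_plan(present_files):
    """cmd.exe steps in the post's order for the keylogger files present.

    Assumption: taskkill, sc and reg are available (XP Professional).
    """
    present = {f.lower() for f in present_files} & set(KEYLOGGER_FILES)
    steps = []
    if "mszx23.exe" in present:
        # The post: the backdoor process must be ended before its file is killed.
        steps.append("taskkill /F /IM mszx23.exe")
    for svc in ("winlow", "vdmt16"):
        if svc + ".sys" in present:
            # The post notes sc delete also takes care of the LEGACY_* Enum keys.
            steps.append("sc delete " + svc)
    if "drct16.dll" in present:
        steps.append(r'reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\drct16" /f')
    steps.append(r'reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MDS Search Booster" /f')
    for name in sorted(present):
        # Loaded driver files may stay locked until the next reboot.
        steps.append(r"del /F C:\WINDOWS\system32\%s" % name)
    return steps


if __name__ == "__main__":
    for section, line, reasons in scan_hijackthis_log(SAMPLE_LOG):
        print(section, "|", line, "|", "; ".join(reasons))
    for step in removal_plan(["mszx23.exe", "winlow.sys", "vdmt16.sys", "drct16.dll", "klo5.sys"]):
        print(step)
```

The ordering in removal_plan matters: deleting the service keys before the process is stopped leaves the backdoor running until reboot, and deleting the files before the services are gone fails on locked drivers; the plan only emits steps for components actually present so it does not touch a clean machine.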