Search-area.com And Search-link.com Analysis



#1 Grinler (Lawrence Abrams), Admin
Posted 07 April 2005 - 04:06 PM

Analysis of Search-area.com and search-link.com hijacker



This infection used to hijack you to search-area.com, but now hijacks you instead to search-link.com. These instructions apply to either infection. The main file is %System%\kb32.exe. When this runs, it launches a kernel driver service called msdirectx with the filename msdirectx.sys, which has rootkit capabilities.


Symptoms include:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http:://search-area.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http:://search-area.com/?my= (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http:://search-area.com/?my= (obfuscated)


The main executable, kb32.exe, is launched by adding the following key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\WINDOWS\System32\kb32.exe"

It also adds the following to your hosts file:

127.0.0.1 auto.search.msn.com


As this infection can cause your computer to malfunction if not correctly removed, no self-help guide has been provided. If you need help removing this, please post a HijackThis log. Instructions can be found below.


InCtrl log of the install is below.

------------------------------------------------------------
Registry
********

Keys ignored: 0
---------------
* (none)

Keys added: 15
--------------
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MS alchemy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSDIRECTX
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSDIRECTX\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSDIRECTX\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msdirectx
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msdirectx\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msdirectx\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECTX
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECTX\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECTX\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msdirectx
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msdirectx\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msdirectx\Security

Values added: 41
----------------
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search "CustomizeSearch"
Type: REG_SZ
Data: http:://%73%65%61%72%63%68%2D%6C%69%6E%6B%73%2E%6E%65%74/?my=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search "SearchAssistant"
Type: REG_SZ
Data: http:://%73%65%61%72%63%68%2D%6C%69%6E%6B%73%2E%6E%65%74/?my=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MS alchemy "DisplayName"
Type: REG_SZ
Data: MS alchemy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MS alchemy "UninstallString"
Type: REG_SZ
Data: C:\WINDOWS\System32\kb32.exe --uninstall
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe "Debugger"
Type: REG_SZ
Data: C:\WINDOWS\System32\kb32.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSDIRECTX "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSDIRECTX\0000 "Class"
Type: REG_SZ
Data: LegacyDriver
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSDIRECTX\0000 "ClassGUID"
Type: REG_SZ
Data: {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSDIRECTX\0000 "ConfigFlags"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSDIRECTX\0000 "DeviceDesc"
Type: REG_SZ
Data: msdirectx
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSDIRECTX\0000 "Legacy"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSDIRECTX\0000 "Service"
Type: REG_SZ
Data: msdirectx
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSDIRECTX\0000\Control "*NewlyCreated*"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSDIRECTX\0000\Control "ActiveService"
Type: REG_SZ
Data: msdirectx
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msdirectx "DisplayName"
Type: REG_SZ
Data: msdirectx
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msdirectx "ErrorControl"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msdirectx "ImagePath"
Type: REG_EXPAND_SZ
Data: \??\C:\DOCUME~1\Forensic\LOCALS~1\Temp\msdirectx.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msdirectx "Start"
Type: REG_DWORD
Data: 03, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msdirectx "Type"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msdirectx\Enum "0"
Type: REG_SZ
Data: Root\LEGACY_MSDIRECTX\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msdirectx\Enum "Count"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msdirectx\Enum "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msdirectx\Security "Security"
Type: REG_BINARY
Data: 01, 00, 14, 80, 90, 00, 00, 00, 9C, 00, 00, 00, 14, 00, 00, 00, 30, 00, 00, 00, 02, 00, 1C, 00, 01, 00, 00, 00, 02, 80, 14, 00, FF, 01, 0F, 00, 01, 01, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 02, 00, 60, 00, 04, 00, 00, 00, 00, 00, 14, 00, FD, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 00, 00, 18, 00, FF, 01, 0F, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 20, 02, 00, 00, 00, 00, 14, 00, 8D, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 0B, 00, 00, 00, 00, 00, 18, 00, FD, 01, 02, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 23, 02, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECTX "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECTX\0000 "Class"
Type: REG_SZ
Data: LegacyDriver
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECTX\0000 "ClassGUID"
Type: REG_SZ
Data: {8ECC055D-047F-11D1-A537-0000F8753ED1}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECTX\0000 "ConfigFlags"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECTX\0000 "DeviceDesc"
Type: REG_SZ
Data: msdirectx
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECTX\0000 "Legacy"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECTX\0000 "Service"
Type: REG_SZ
Data: msdirectx
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECTX\0000\Control "*NewlyCreated*"
Type: REG_DWORD
Data: 00, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECTX\0000\Control "ActiveService"
Type: REG_SZ
Data: msdirectx
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msdirectx "DisplayName"
Type: REG_SZ
Data: msdirectx
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msdirectx "ErrorControl"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msdirectx "ImagePath"
Type: REG_EXPAND_SZ
Data: \??\C:\DOCUME~1\Forensic\LOCALS~1\Temp\msdirectx.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msdirectx "Start"
Type: REG_DWORD
Data: 03, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msdirectx "Type"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msdirectx\Enum "0"
Type: REG_SZ
Data: Root\LEGACY_MSDIRECTX\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msdirectx\Enum "Count"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msdirectx\Enum "NextInstance"
Type: REG_DWORD
Data: 01, 00, 00, 00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msdirectx\Security "Security"
Type: REG_BINARY
Data: 01, 00, 14, 80, 90, 00, 00, 00, 9C, 00, 00, 00, 14, 00, 00, 00, 30, 00, 00, 00, 02, 00, 1C, 00, 01, 00, 00, 00, 02, 80, 14, 00, FF, 01, 0F, 00, 01, 01, 00, 00, 00, 00, 00, 01, 00, 00, 00, 00, 02, 00, 60, 00, 04, 00, 00, 00, 00, 00, 14, 00, FD, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 00, 00, 18, 00, FF, 01, 0F, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 20, 02, 00, 00, 00, 00, 14, 00, 8D, 01, 02, 00, 01, 01, 00, 00, 00, 00, 00, 05, 0B, 00, 00, 00, 00, 00, 18, 00, FD, 01, 02, 00, 01, 02, 00, 00, 00, 00, 00, 05, 20, 00, 00, 00, 23, 02, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00, 01, 01, 00, 00, 00, 00, 00, 05, 12, 00, 00, 00

Values changed: 3
-----------------
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Start Page"
Old type: REG_SZ
New type: REG_SZ
Old data: http:://www.google.com/
New data: http:://search-links.net
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix "(Default)"
Old type: REG_SZ
New type: REG_SZ
Old data: http:://
New data: http:://%73%65%61%72%63%68%2D%6C%69%6E%6B%73%2E%6E%65%74/?my=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes "www"
Old type: REG_SZ
New type: REG_SZ
Old data: http:://
New data: http:://%73%65%61%72%63%68%2D%6C%69%6E%6B%73%2E%6E%65%74/?my=
------------------------------------------------------------
Disk contents
*************

Drives tracked: 1
-----------------
* c:\

Files added: 3
--------------
c:\WINDOWS\Prefetch\KB32.EXE-10D8E6BE.pf
Date: 4/7/2005 3:33 PM
Size: 10,416 bytes
c:\WINDOWS\Prefetch\UNP_VER103.EXE-065FFEF6.pf
Date: 4/7/2005 3:32 PM
Size: 11,806 bytes
c:\WINDOWS\system32\kb32.exe
Date: 4/6/2005 11:11 PM
Size: 32,768 bytes

Files deleted: 1
----------------
c:\files\forensics\lucky_189\Unp_ver103.exe
Date: 4/6/2005 11:11 PM
Size: 32,768 bytes

Files changed: 5
----------------
c:\Documents and Settings\Forensic\ntuser.dat.LOG
Old date: 4/7/2005 3:32 PM
New date: 4/7/2005 3:32 PM
Old size: 1,024 bytes
New size: 1,024 bytes
c:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
Old date: 4/7/2005 3:30 PM
New date: 4/7/2005 3:33 PM
Old size: 4,426 bytes
New size: 5,262 bytes
c:\WINDOWS\system32\config\software.LOG
Old date: 4/7/2005 3:31 PM
New date: 4/7/2005 3:32 PM
Old size: 1,024 bytes
New size: 1,024 bytes
c:\WINDOWS\system32\config\system.LOG
Old date: 4/7/2005 3:31 PM
New date: 4/7/2005 3:32 PM
Old size: 1,024 bytes
New size: 1,024 bytes
c:\WINDOWS\system32\drivers\etc\hosts
Old date: 8/23/2001 6:00 AM
New date: 4/7/2005 3:32 PM
Old size: 734 bytes
New size: 765 bytes



This is a malware analysis. Use at your own risk.


BleepingComputer.com cannot be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can post a HijackThis log in our HijackThis Logs and Analysis forum.

If you have any questions about this analysis then please post those questions in our AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will help you.
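As an added example (not code from the original post or from BleepingComputer), a small Python parser for InCtrl reports like the one above: it pulls the registry values out of the "Values added/changed" blocks, percent-decodes the obfuscated search-links.net URLs, and flags the IFEO "Debugger" entry on explorer.exe and the driver service loaded from a Temp directory. The sample input is copied from the report in the post; the indicator rules are my own and are assumptions about what is worth flagging.

```python
import re
from urllib.parse import unquote
# Constructed sample: lines copied from the InCtrl report in the post above.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search "CustomizeSearch"
Type: REG_SZ
Data: http:://%73%65%61%72%63%68%2D%6C%69%6E%6B%73%2E%6E%65%74/?my=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe "Debugger"
Type: REG_SZ
Data: C:\WINDOWS\System32\kb32.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msdirectx "ImagePath"
Type: REG_EXPAND_SZ
Data: \??\C:\DOCUME~1\Forensic\LOCALS~1\Temp\msdirectx.sys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix "(Default)"
Old type: REG_SZ
New type: REG_SZ
Old data: http:://
New data: http:://%73%65%61%72%63%68%2D%6C%69%6E%6B%73%2E%6E%65%74/?my=
"""

VALUE_RE = re.compile(r'^(?P<key>HK[A-Z_]+\\.*?) "(?P<name>[^"]*)"$')  # key path + quoted value name

def parse_inctrl_values(report):
    """Return (key, value_name, data) per entry; changed values keep their 'New data'."""
    records = []
    for line in report.splitlines():
        m = VALUE_RE.match(line)
        if m:
            records.append([m.group("key"), m.group("name"), ""])
        elif records and (line.startswith("Data: ") or line.startswith("New data: ")):
            records[-1][2] = line.split(": ", 1)[1]
    return [tuple(r) for r in records]

def decode_url(data):
    """Undo the %xx obfuscation used in the hijacked search and URL-prefix values."""
    return unquote(data)

def find_indicators(records):
    """Flag the persistence and hijack indicators described in the analysis (my own rules)."""
    hits = []
    for key, name, data in records:
        decoded = decode_url(data)
        if key.endswith(r"\Image File Execution Options\explorer.exe") and name == "Debugger":
            hits.append(("IFEO Debugger hijack of explorer.exe", decoded))
        elif name == "ImagePath" and "\\Temp\\" in decoded:
            hits.append(("kernel driver service loaded from a Temp directory", decoded))
        elif decoded != data:
            hits.append((f"percent-encoded URL in {name}", decoded))
    return hits
```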


