Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

SMTP spam virus


  • Please log in to reply
9 replies to this topic

#1 zlyles

zlyles

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:20 AM

Posted 27 July 2009 - 02:45 PM

I have a user at my company who recently started getting Symantec spam responses from target mail servers. Very soon after we were put on a block list. We set up a monitor for SMTP traffic on the firewall, and found her computer was sending thousands of spam messages out nonstop.

So far I have tried the following in an attempt to locate the source of the problem and eliminate it:

Symantec Endpoint Protection: full system scan
Trend Housecall: full scan
Kaspersky online scan: full scan
Malwarebytes: full scan
Combofix
SDfix
Microsoft RootkitRevealer
F-Secure BlackLight

All scans returned clean with no infections found.

At this point, I resorted to using net stat to track the services, which found Services.exe sending out thousands of SMTP messages.

Next, I removed the hard drive from the computer and dropped it in another machine and proceeded to rescan the hard drive, which still came back with no results.

I resorted to using netstat to track the services, which found Services.exe sending out thousands of SMTP messages.
I did a search for all files modified in the past day, and ran across the file C:\WINDOWS\system32\drivers\246a374.sys which seemed like an odd name.

So I renamed the file to 246a374-test.sys, dropped the hard drive back in the original PC, fired it up, and no spam.
I rename the file back to it's original name, restart the computer, and bam, out flows the spam.
So now starts the mission to find what is using 246a374.sys.
A quick search of the windows registry comes back with the following entries:

HKLM\SYSTEM\ControlSet001\Services\246a374
HKLM\SYSTEM\ControlSet002\Services\246a374

Clicking on either folder results in the following message:

Error Opening Key
Cannot open 246a374: Error while opening key.

At this point we are just trying to track down the roots of this virus, what is calling 246a374.sys

Anybody have ideas for getting into that registry key, or tracking down other files related to the virus?

Thanks for the help,

Zak

BC AdBot (Login to Remove)

 


#2 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:05:20 AM

Posted 27 July 2009 - 04:36 PM

Hi again :thumbsup:

Please install RootRepeal
Note: Vista users ,, right click on desktop icon and select "Run as Administrator."

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images ,if needed >> L@@K.

Disconnect from the Internet or physically unplug you Internet cable connection.
Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
Temporarily disable your anti-virus and real-time anti-spyware protection.
After starting the scan, do not use the computer until the scan has completed.
When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

Unzip the download,(7-zip tool if needed) and then click RootRepeal.exe to open the scanner.
Next click on the Report tab, now click on Scan. A Window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services


Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.

~Blade


In your next reply, please include the following:
RootRepeal log

Edited by Blade Zephon, 27 July 2009 - 04:38 PM.

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#3 zlyles

zlyles
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:20 AM

Posted 28 July 2009 - 09:53 AM

I went ahead and renamed the known file back to the original file name 246a374.sys for the scan, and restarted the computer. Here are the results from RootRepeal.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/28 09:40
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: 246a374.sys
Image Path: C:\WINDOWS\System32\drivers\246a374.sys
Address: 0xAE128000 Size: 92800 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAE0C5000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79B3000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAB3BF000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\246a374.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 035 Function Name: NtCreateEvent
Status: Hooked by "C:\WINDOWS\System32\drivers\246a374.sys" at address 0xae13b8fd

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\drivers\246a374.sys" at address 0xae139905

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\drivers\246a374.sys" at address 0xae1399c5

Hidden Services
-------------------
Service Name: 246a374
Image Path: C:\WINDOWS\System32\drivers\246a374.sys

Service Name: PxHelp20
Image Path: System32\Drivers\PxHelp20.sys

Service Name: SymEvent
Image Path: C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

Service Name: SYMREDRV
Image Path: C:\WINDOWS\System32\Drivers\SYMREDRV.SYS

Service Name: SYMTDI
Image Path: C:\WINDOWS\System32\Drivers\SYMTDI.SYS

==EOF==

Zak

#4 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:05:20 AM

Posted 29 July 2009 - 12:29 AM

Alright. Next I'd like to see a fresh scan log from Malwarebytes. Please update Malwarebytes, then run a Quick Scan in Normal mode. Please post back the log for my review. This is looking to be a relatively new worm, Malwarebytes may have just recently developed detections for it. To facilitate detection and removal you should leave the suspect file unchanged unless directed otherwise. Leave your computer disconnected from the Internet whenever possible to stop spam from being sent.

~Blade


In your next reply, please include the following:
Malwarebytes log

Edited by Blade Zephon, 29 July 2009 - 12:33 AM.

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#5 zlyles

zlyles
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:20 AM

Posted 29 July 2009 - 10:16 AM

Malwarebytes' Anti-Malware 1.39
Database version: 2525
Windows 5.1.2600 Service Pack 2

7/29/2009 10:02:39 AM
mbam-log-2009-07-29 (10-02-39).txt

Scan type: Full Scan (C:\|)
Objects scanned: 188696
Time elapsed: 28 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Zak

#6 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:05:20 AM

Posted 29 July 2009 - 10:30 PM

Alright, let's try another scanner. Please note that this scanner could take some time to run.


Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

***************************************************

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Prgrams > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (uncheck all others):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". When logging in, do NOT log in under the account titled "Admin" or "Administrator"

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

~Blade



In your next reply, please include the following:
SUPERAntiSpyware log

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#7 zlyles

zlyles
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:20 AM

Posted 31 July 2009 - 04:08 PM

Sorry for taking so long to get back to you. Here are the logs.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/31/2009 at 03:06 PM

Application Version : 4.27.1000

Core Rules Database Version : 4023
Trace Rules Database Version: 1963

Scan type : Complete Scan
Total Scan Time : 00:36:13

Memory items scanned : 226
Memory threats detected : 0
Registry items scanned : 4464
Registry threats detected : 6
File items scanned : 14563
File threats detected : 4

Trojan.Agent/Gen
HKLM\System\ControlSet001\Services\246a374
C:\WINDOWS\SYSTEM32\DRIVERS\246A374.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_246a374
HKLM\System\ControlSet002\Services\246a374
HKLM\System\ControlSet002\Enum\Root\LEGACY_246a374
HKLM\System\CurrentControlSet\Services\246a374
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_246a374
C:\DOCUMENTS AND SETTINGS\PCALOWAY\DESKTOP\246A374-SPAMBOT.SYS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{528B2BDC-E493-4812-B028-3478EC634C6E}\RP535\A0062257.SYS

Adware.Tracking Cookie
C:\Documents and Settings\pcaloway\Cookies\pcaloway@doubleclick[1].txt

Zak

#8 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:05:20 AM

Posted 01 August 2009 - 04:55 PM

Looks like SAS got it. are you still getting spam sent out?

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#9 zlyles

zlyles
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:20 AM

Posted 03 August 2009 - 11:21 AM

Yep, SAS got it. Looks like I have a new favorite tool. So I guess it was those locked registry keys that were calling the .sys file then.

Thanks for your help.

Zak

#10 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,702 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:05:20 AM

Posted 03 August 2009 - 05:48 PM

Glad we could help. :thumbsup:

Posted Image

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+





1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users