AntiSpy Protector 2009 + Rootkit = Big Trouble!


This topic is locked
26 replies to this topic

#1 Grinler (Lawrence Abrams), Admin

Posted 12 August 2009 - 09:14 PM

A new rogue called AntiSpy Protector 2009 has been released and has started being seen in the wild. Normally rogues like these are fairly easy to remove, but this variant carries a trick up its sleeve in the form of a rootkit that does not let you run almost any anti-malware programs.



When AntiSpy Protector 2009 is installed on your computer it looks like every other rogue. It shows fake security alerts, displays fake scan alerts, and is a general nuisance. It is only when you try to remove this malware that you notice that your programs no longer work. While testing this program, I noticed that any program I ran to remove this malware was terminated, and then when I tried to run it again, I was told I did not have permission. It was then that I realized that something a little more devious was going on.






I fired up RootRepeal, an anti-rootkit scanner, to see what was happening and noticed a file was locked when it shouldn't be, as well as two Alternate Data Streams attached to the file win32k.sys. Please note that the legitimate win32k.sys is found in the C:\Windows\System32 folder. An example of what I saw when running a file scan with RootRepeal is:



Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF7BE7000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xF48DC000 Size: 61440 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------

Path: C:\WINDOWS\system32\netlogon.dll
Status: Locked to the Windows API!




At this point I knew we had a rootkit on our hands. After investigating further, I saw that C:\Windows\System32\netlogon.dll had been replaced by a malware file. This malware file has a size of 60,416 bytes, while the legitimate file is 407,040 bytes. After speaking to some security professionals, I learned that the substituted files are the actual loading point of the infection, and if we replace them with the legitimate files, the rootkit will be disabled. Other files substituted by this rootkit include scecli.dll and eventlog.dll.



Luckily for us, a process has been developed to remove this infection, but it requires a customized solution for each person who may be infected. Therefore, I am unable to write a self-help guide on how to remove AntiSpy Protector 2009 or the rootkit defending it. If you are infected with this rogue, or your computer starts exhibiting the behavior of security programs terminating and then getting permission denied when you try to run them again, then there is a good chance you have this rootkit on your computer.



If that is the case, I suggest that you create a new topic in our Malware Removal section in order to receive help cleaning your computer.



On a last note, I strongly suggest that you do not delete the files listed above unless you are 100% sure that they are not the legitimate ones as doing so could affect the proper performance of your computer.
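As an added illustration (not part of the original post, and not RootRepeal's own code), the following Python parser reads the RootRepeal file-scan layout shown above and flags the two indicators the post points at: alternate data streams that are not visible on disk, and files locked to the Windows API. It also checks a file size against the 407,040-byte legitimate netlogon.dll the post names. The sample log is constructed from the post's values; the known-good size table beyond netlogon.dll is an assumption that must be filled from a clean machine of the same Windows build.

```python
import re

# Constructed sample in RootRepeal's layout from the post: a hidden stream on win32k.sys, a locked netlogon.dll.
SAMPLE_LOG = """\
Name: win32k.sys:1
Image Path: C:\\WINDOWS\\win32k.sys:1
Address: 0xF7BE7000 Size: 20480 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------

Path: C:\\WINDOWS\\system32\\netlogon.dll
Status: Locked to the Windows API!
"""

# Byte size the post gives for the legitimate netlogon.dll; sizes for scecli.dll and
# eventlog.dll vary per Windows build and must come from a clean machine (assumption).
KNOWN_GOOD_SIZES = {"netlogon.dll": 407040}

FIELD = re.compile(r"\s*(Name|Image Path|Address|Size|File Visible|Signed|Status|Path):\s*")

def parse_rootrepeal(text):
    """One dict per blank-line-separated block; the Address line packs four fields."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            parts = FIELD.split(line)[1:]        # ['Name', 'win32k.sys:1', ...]
            rec.update(zip(parts[0::2], [v.strip() for v in parts[1::2]]))
        if rec:                                  # section headers carry no fields
            records.append(rec)
    return records

def size_mismatch(filename, observed_size):
    """True if a known file's size differs from the good copy; None if we have no baseline."""
    good = KNOWN_GOOD_SIZES.get(filename.lower())
    return None if good is None else observed_size != good

def flag_records(records):
    """Apply the post's two indicators: hidden alternate data streams and API-locked files."""
    findings = []
    for rec in records:
        path = rec.get("Image Path") or rec.get("Path", "")
        base = path.rsplit("\\", 1)[-1]
        if ":" in base and rec.get("File Visible") == "No":   # e.g. win32k.sys:1
            findings.append((path, "hidden alternate data stream"))
        if rec.get("Status", "").startswith("Locked"):
            findings.append((path, "locked to the Windows API"))
    return findings
```

Run flag_records(parse_rootrepeal(SAMPLE_LOG)) to see both indicators reported; size_mismatch("netlogon.dll", 60416) reproduces the size discrepancy the post describes.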




#2 doctorphibes

Posted 14 August 2009 - 01:25 PM

Is it possible to rename the 3 mentioned files, or at least move the hidden one, as a prophylactic measure against possible exposure to this virus?
Thanks
I am enough of the artist to draw freely upon my imagination. Imagination is more important than knowledge. Knowledge is limited. Imagination encircles the world. Albert Einstein

#3 Grinler (Topic Starter)

Posted 14 August 2009 - 11:18 PM

No, the files that are replaced are legitimate Microsoft files and should not be modified.

#4 Elise (Malware Study Hall Admin)

Posted 16 August 2009 - 03:04 AM

Hi Grinler, thanks for the information!

I think I might have a few victims from this infection in AII. Before sending them to HJT, is there anything I can let them check to confirm?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Malware analyst @ Emsisoft


#5 Grinler (Topic Starter)

Posted 17 August 2009 - 08:16 AM

Rootrepeal logs will show it right off. Let me know if you find any.

#6 fab4life4ever

Posted 18 August 2009 - 04:29 AM

Hello Grinler, how do I check my RootRepeal logs? This thing won't even let me run Malwarebytes, although I was able to run Spyware Terminator and StopZilla.

#7 Grinler (Topic Starter)

Posted 18 August 2009 - 05:59 AM

Have you downloaded and run RootRepeal as of yet?

You should perform the steps here to receive help:

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

#8 Freemind

Posted 18 August 2009 - 08:14 AM

Hello Grinler,

First, congratulations for the news.

I have some questions. Can these two files, C:\WINDOWS\win32k.sys and C:\WINDOWS\system32\netlogon.dll, be deleted with the tool KillBox?

Does the rogue Anti Spy Protector 2009 always use these file names, or are they random file names?

After deleting the rogue netlogon.dll file, how can I restore the original file?

Thanks

#9 Grinler (Topic Starter)

Posted 18 August 2009 - 08:34 AM

The win32k.sys:1 file located in the C:\Windows folder is a memory-resident driver loaded at runtime when the main loader runs. Netlogon.dll should be replaced with the legitimate file using a special method that could cause problems if done unattended or improperly.

Please do not use killbox to remove these files as unexpected behavior may occur.

Remember, it is the rootkit, and not AntiSpy Protector 2009, that creates these files. This rootkit is starting to become common with other infections as well. As for the filenames, C:\Windows\win32k.sys seems to be static. The loader, netlogon.dll, is not random, but other replaced files could be used instead.

It is for this reason we suggest you have someone examine your RR logs.

#10 fab4life4ever

Posted 19 August 2009 - 07:56 PM

Hello Grinler, I tried RootRepeal and it did not install without a PE image error, but I could use some of the functions. What do I have to do with RootRepeal?

#11 disnyintns

Posted 22 August 2009 - 12:37 PM

I've had several customers recently with similar issues. Unfortunately, I couldn't identify the problem so we reloaded the computers after a reformat. Each of the computers was running anti-virus programs, McAfee, AVG, etc. Is there any anti-virus program out there that will prevent this type of infection?
Thanks

#12 ComputerNutjob

Posted 23 August 2009 - 03:04 AM

"Hello Grinler, how do I check my RootRepeal logs? This thing won't even let me run Malwarebytes, although I was able to run Spyware Terminator and StopZilla."



STOPzilla is a ROGUE antispyware. Just saying... :thumbsup:

#13 MOSHE BERGMAN

Posted 23 August 2009 - 03:20 PM

I caught something similar, called TotalSecurity. I succeeded in removing it by booting with ERD2008.
Using its registry editor I deleted the "bad" entries in the registry, and deleted the files.
Moshe

Edited by MOSHE BERGMAN, 23 August 2009 - 03:34 PM.


#14 Three Sisters Farms

Posted 27 August 2009 - 01:13 PM

I have run into this nasty bug several times already. I found that in some cases renaming ComboFix and the executable for Malwarebytes allows them to run. I have about a 60% success rate on cleaning the PCs of the infections as long as I can get those two utilities to run.

#15 Kenji The Helpful

Posted 27 August 2009 - 07:37 PM

Yes, hello grinler, you know how you said this:
"At this point I knew we had a rootkit on our hand. After investigating further, I saw that the C:\Windows\System32\netlogon.dll was replaced by a malware file. This malware file having a size of 60,416 bytes, while the legitimate program is 407,040 bytes."

I can honestly say that some unknown rogues have had this. I think I recently found this on my friend's computer, although... this file name.... C:\drivers\system\infcahce.1 was infected, replaced, and renamed into C:\Program Files\rootkit. (It took me 3 days to figure out which program it was hiding in.) I think the program had 40. But it was hard to tell. I think his computer is a.... Microsoft 2000. Anything leading to this? Or is it a prank I should know of?
♣SoftWare Intermediate♣



