Posted 19 February 2010 - 03:13 PM
Dear friendly experts,
Recently a friend asked me for help with her laptop. It had started to "play up". She wasn't quite able to describe the problem (her German is good but not perfect), so I went to look and found that a barrage of popups from what called itself "Security Tool" was making work almost impossible. I became suspicious so I googled 'Security Tool' and quickly found confirmation that it was a scam.
My friend's computer runs under Windows Vista but back when it was brand new I had installed Linux in a partition. So now I booted Linux, downloaded the Linux version of Avira AntiVir, created a directory "/windows/C/antivirus_quarantine" (yep, this is the Unix notation - slashes instead of backslashes, etc.) and then scanned her entire C-drive. The result was a whole lot of trojans and some other malware (30+!) identified and quarantined. After this the computer seemed to be working normally again - except for a few RunDLL error messages on startup, like:
"Error loading C:\Users\<owner>\AppData\Local\Temp\ftpiles.dll".
I assumed that these were undetected remnants of malware, but since they were unable to start I wasn't too concerned and put a more thorough investigation off to a later time. I am fairly comfortable with Linux, but digging into the internals of Windows is a bit beyond me.
Yesterday she came to visit, asking for some help with wording an important letter she had to write, and she brought her laptop with her. Also, she reported that she was getting strange error messages about links but couldn't be more specific.
We composed the letter (Microsoft Works) and saved it as "GEW.wps". Rather than set her computer up to use my printer, I simply copied the "GEW.wps" onto a USB stick, meaning to take it to my computer and print it from there. Copying to the stick turned out to be difficult: a flood of error messages and failure notices popped up (too quick to really read them) and I thought copying had failed, but when I stuck the stick into my computer the file was there - plus, alas!, several others that hadn't been there before. I tried to open the document file with OpenOffice but it showed only garbage. Looking at it with a hex-editor we could not find a trace of the letter's original wording.
I then gave the other unexpected files a closer look:
"Documents       .lnk" (yes, seven spaces between "Documents" and ".lnk")
"New Folder .lnk"
The files with .lnk all contained the same mix of 'garbage' and text, among which is the following:
"J:\ksliq.scr . \ k s l i q . s c r ! % s y s t e m r o o t % \ s y s t e m 3 2 \ s h e l l 3 2 . d l l"
autorun.inf contains script-like instructions, among which is "SHeLLExeCuTe=KSLIQ.exE" (the mix of capital and small letters is thus in the file).
BOOTEX.LOG contains German text, probably to be shown when the program runs. The contents, in a nutshell:
"Checking file system on J:
Consistency of the medium must be checked. You may skip checking but it is strongly recommended to proceed." The rest is a message to the effect that no problems were found and some (fake?) drive statistics.
Looking at ksliq.exe and ksliq.scr with a hex-editor they seem to be identical. Mostly binary gibberish, but some text can be identified: "MSVBVM60.DLL" and "rbiCo0Wa.exe".
Apparently this beast has tried to copy itself onto the USB stick in order to infect the next (my!) computer. Fortunately, my computer was running Linux, so the attack failed, and, what's more, I was able to scrutinize those files in safety. Is this mode of propagation known?
After this experience I did another scan from Linux over the entire C:-drive. The following were quarantined (Unix notation, again):
"/windows/C/Users/<owner>/ksliq.exe" - identified as worm Autorun.fse
"/windows/Users/AppData/Local/Temp/H8SRT3d36.tmp" - identified as trojan TR/Alureon.DF. 15
The computer is now behaving normally again - except for the above mentioned RunDLL error.
1. How do I get rid of the RunDLL Error?
2. How can I verify that all malware has been removed from the computer?
Any assistance would be very much appreciated.
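As an added example, not code from this post or its replies: a small Python check that can be run from Linux against the files on a mounted stick and that flags the propagation markers described above (an autorun.inf with a mixed-case ShellExecute/Open entry, and .lnk files whose names are padded with spaces to look like folders and whose wide-character strings point at an executable on the drive). The sample stick contents are constructed from what the post describes, and the key names checked are assumed to be the common autorun launch keys.

```python
import re
from typing import Dict, List

# Constructed sample of a USB root, modelled on the files described in the post
# (names and contents are assumptions, not real samples).
SAMPLE_STICK: Dict[str, bytes] = {
    "autorun.inf": b"[AuToRuN]\r\nSHeLLExeCuTe=KSLIQ.exE\r\n"
                   b"icon=%SystemRoot%\\system32\\shell32.dll,4\r\n",
    "Documents       .lnk": "J:\\ksliq.scr".encode("utf-16-le") + b"\x00\x00",
    "GEW.wps": b"\x00" * 16,
}

# autorun.inf keys that cause something to be launched (assumed common set)
AUTORUN_LAUNCH_KEYS = {"open", "shellexecute", "shell\\open\\command"}
# runs of printable ASCII stored as UTF-16LE (the "k s l i q . s c r" seen in the hex dump)
WIDE_STRING = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
# drive-letter path ending in an executable extension
EXEC_PATH = re.compile(r"[A-Za-z]:\\[^\s\"]+?\.(?:exe|scr|com|bat|pif)\b", re.I)


def parse_autorun(data: bytes) -> Dict[str, str]:
    """Return key=value pairs under [autorun], keys lower-cased since the worm mixes case."""
    pairs, in_section = {}, False
    for raw in data.decode("latin-1").splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs


def scan_stick(files: Dict[str, bytes]) -> List[str]:
    """Return human-readable findings for the files found in the root of a removable drive."""
    findings: List[str] = []
    for name, data in files.items():
        lower = name.lower()
        if lower == "autorun.inf":
            for key, value in parse_autorun(data).items():
                if key in AUTORUN_LAUNCH_KEYS:
                    findings.append(f"autorun.inf launches '{value}' via {key}")
        elif lower.endswith(".lnk"):
            stem = name[:-4]
            if stem != stem.rstrip():  # "Documents       .lnk" style folder mimicry
                findings.append(f"shortcut name padded with spaces to mimic a folder: {name!r}")
            for run in WIDE_STRING.findall(data):
                for target in EXEC_PATH.findall(run.decode("utf-16-le")):
                    findings.append(f"{name!r} points at executable {target}")
    return findings
```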