New (?) virtumonde variant - StopGuard VIPFares



#1 Grinler (Lawrence Abrams)
Admin, 43,388 posts, Gender: Male, Location: USA

Posted 28 September 2004 - 04:00 PM

New Virtumonde analysis

Not sure if it's new or not, but I found it to be a pain to figure out how to remove, so I thought I would share my findings.

This infection will create popups to StopGuard, VIPFares, and WinPopUpGuard.

Link to example log can be found here:

http://www.bleepingcomputer.com/forums/ind...?showtopic=2721

O4 - HKLM\..\Run: [*JAVAAD] C:\WINDOWS\APPPATCH\JAVAAD.EXE
O4 - HKLM\..\RunOnce: [*JAVAAD] C:\WINDOWS\APPPATCH\JAVAAD.EXE rerun
O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINDOWS\TASKS\PLAY.EXE ren


Notice that it now is set to run in Safe mode as well.

The javaad file seems to be the master exe that stays static through reboots. It constantly monitors its registry keys and will recreate them if they are missing. On exit, or randomly (not sure on this), it calls itself so the process launches again, and also calls the c:\windows\system32\hostx.exe file, which will reinstate its entry as well. If the hostx file does not exist, it will download it on reboot and when you kill the process.

When hostx starts it connects to www.virtumonde.com and does a POST to /. Not exactly sure what it is doing there, but maybe it's for statistics. If you delete the hostx.exe file, it will be recreated by the master .exe.

The play.exe is a random file name and is installed in a random location. I believe when it is first downloaded it will download as bkinst.exe. When it is run with the ren flag, the file will copy itself to a new location and change the RunOnce entry to point to the new file. If it sees that the master exe is missing it will download a new one.

It will copy regshape.exe to a random name/location and introduce entries to start them in the registry. Because this file is in the registry with the ren argument, it will change its name/location every time you reboot.

With testing on my PC I have found the easiest way to remove this infection is to use killbox to kill all four files and then reboot.


Steps to remove are:
  • Download and run killbox.
  • Add the 4 files (2 x O4, c:\windows\system32\hostx.exe, BHO) into killbox and set it to delete on reboot. Do not, though, have it reboot until all four files are queued for deletion on reboot.
  • When all four files are added, have them reboot and then fix the HJT entries.
This fix has only been tested on my infection, not the live user. Should work though.



This is a self-help guide. Use at your own risk.


BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can post a HijackThis log in our HijackThis Logs and Analysis forum.

If you have any questions about this self-help guide then please post those questions in our AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will help you.
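As an added example (not part of Grinler's post and not HijackThis code), here is a small Python checker that parses the O4 autorun lines of a HijackThis log and flags the indicators the post describes: the JAVAAD and MS Setup value names, the hostx/bkinst/regshape/javaad file names, the ren and rerun arguments, programs launched from the APPPATCH and TASKS folders, and the asterisk HijackThis uses to mark entries that also run in Safe Mode. The sample log lines are constructed from the post, and the regex assumes the standard O4 line layout.

```python
import re
# Matches a HijackThis O4 (registry autorun) line. HijackThis prefixes the value
# name with '*' when the entry is also set to run in Safe Mode.
O4_RE = re.compile(
    r"^O4 - (HKLM|HKCU)\\\.\.\\(Run(?:Once|Services|ServicesOnce)?): "
    r"\[(\*?)([^\]]+)\] (.*)$")
# Splits the command into program path and arguments at the first ".exe".
CMD_RE = re.compile(r"^(.*?\.exe)\s*(.*)$", re.IGNORECASE)

# Indicators taken from the post above (value names, file names, flags, folders).
KNOWN_NAMES = {"JAVAAD", "MS SETUP"}
KNOWN_FILES = {"JAVAAD.EXE", "HOSTX.EXE", "BKINST.EXE", "REGSHAPE.EXE"}
RELOCATE_ARGS = {"ren", "rerun"}
ODD_DIRS = ("\\APPPATCH\\", "\\TASKS\\")

def parse_o4(line):
    """Return a dict for a HijackThis O4 line, or None if the line is not one."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, key, star, name, cmd = m.groups()
    c = CMD_RE.match(cmd)
    path, args = (c.group(1), c.group(2).split()) if c else (cmd, [])
    return {"hive": hive, "key": key, "safe_mode": star == "*", "name": name, "path": path, "args": args}

def assess(entry):
    """List why an autorun entry matches the behaviour described in the post."""
    reasons = []
    if entry["name"].upper() in KNOWN_NAMES:
        reasons.append("known value name")
    if entry["path"].rsplit("\\", 1)[-1].upper() in KNOWN_FILES:
        reasons.append("known file name")
    if RELOCATE_ARGS & {a.lower() for a in entry["args"]}:
        reasons.append("ren/rerun self-relocation argument")
    if any(d in entry["path"].upper() for d in ODD_DIRS):
        reasons.append("runs from an unusual system folder")
    if reasons and entry["safe_mode"]:
        reasons.append("also set to run in Safe Mode")
    return reasons

def scan(log_lines):
    # Map each flagged O4 line to its reasons; clean and non-O4 lines are omitted.
    return {l: why for l in log_lines if (e := parse_o4(l)) and (why := assess(e))}

# Constructed sample log: the three lines quoted in the post plus one ordinary entry.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [*JAVAAD] C:\WINDOWS\APPPATCH\JAVAAD.EXE",
    r"O4 - HKLM\..\RunOnce: [*JAVAAD] C:\WINDOWS\APPPATCH\JAVAAD.EXE rerun",
    r"O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINDOWS\TASKS\PLAY.EXE ren",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
]
```

Running `scan(SAMPLE_LOG)` flags the three entries from the post and leaves the ctfmon.exe line alone; feed it the O4 lines of a real log to get the same triage.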

