Rogue service process left after otherwise successful MBAM detection/deletion


#1 Phil Schwarz
Posted 24 December 2010 - 06:43 PM

My son's computer was attacked a couple of days ago when he browsed to a malicious website.
He ran MBAM (1.50.1, database version 5383), which detected and deleted *most* of the malicious attack artifacts, but not all.
The attack disabled his Microsoft Security Essentials -- removed the MSSE entry from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, disabled the MsMpSvc service, and launched a malicious service (in a rundll32.exe launched by the regular svchost.exe for the netsvcs service group).
The maliciously launched rundll32.exe loaded a dll named ntmsdba2.dll that had been dropped in c:\windows\system32.
When that process was running, MSSE was unable to initialize when launched -- it exited within seconds of being launched manually.
The attack-dropped ntmsdba2.dll had been attributed system, hidden, read-only, and ACLed to prevent deletion.
MBAM did not detect it when in that state.

I killed the rundll32.exe and then used cacls.exe to overwrite the ACLs with EVERYONE:F, and removed the S H & R attributes.
After doing that, I ran another MBAM scan, which *did* detect it, and an apparently associated registry key as well:

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\H3O8CABBPI (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\ntmsdba2.dll (Trojan.Agent) -> Quarantined and deleted successfully.

We have a remaining issue however -- the svchost.exe is still attempting to launch the malicious service. The rundll32.exe does not exit, even though the dll has been deleted. Its command line is:

C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\ntmsdba2.dll",Bkmap

However there doesn't seem to be a service in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, or an entry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs, corresponding to this process.

It's unclear to me what the mechanism is by which the process is being launched. It appears to be launched at boot time, but not in safe mode.

I have searched the registry for the string "ntmsdba2" anywhere in any key, value, or data -- nothing found. If the dll filename is being stored in the registry anywhere it must be in something other than clear text.

I have searched the file system (with Explorer set to view hidden and system files, of course) for files containing the string "ntmsdba2" -- no luck. Again, if it's being stored in the file system, it's not in clear text.

The svchost.exe and rundll32.exe program files themselves appear to be OK -- they byte-compare identical to copies of the respective file taken from an uninfected system running the same OS revision (WinXP SP3, with all critical updates pushed by Microsoft through 12/23/10).

I have checked the system for rootkits using GMER, RootRepeal, Sysinternals RootkitRevealer, HitManPro 3.5, and Kaspersky's TDSSKiller -- none of them reported anything that didn't have a legitimate explanation.

Can anyone briefly explain the possible mechanisms by which svchost.exe can be induced to launch a rundll32.exe, suggest additional places and/or formats to look for a stored representation of the rundll32 command line or dll filename ("ntmsdba2"), or know enough about the propagation and operation of Trojan.Agent to help identify how the rogue service process is still being launched? (And does anyone know why the rundll32.exe doesn't exit, if the dll named on its command line doesn't exist in the file system?)

At least with the dll itself gone, MSSE now has no trouble coming up and initializing at boot.

Any help appreciated -- please let me know if I can run and post any diagnostics that will help.
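As an added example (not from the original post, and not a tool the poster used), here is a PowerShell script for the two checks the question asks about on a live system: it reconciles each SvcHost group list against the Services key, flagging group entries that have no Services key or a ServiceDll whose file no longer exists, and then lists any rundll32.exe whose parent process is svchost.exe, with both command lines. It assumes it is run from an elevated prompt and that the registry paths are the standard ones named above.

```powershell
# Added example, not part of the original post. Reconcile svchost service
# groups against the Services key and flag hosted DLLs whose file is gone,
# then list rundll32.exe processes that were spawned by svchost.exe.
$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Every value under the SvcHost key is a group name (e.g. netsvcs) whose
# REG_MULTI_SZ data lists the services svchost.exe will host for that group.
$groups = Get-ItemProperty -Path $svchostKey
foreach ($group in ($groups.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
    foreach ($svc in @($group.Value)) {
        if (-not (Test-Path (Join-Path $servicesKey $svc))) {
            Write-Output "ORPHAN   group=$($group.Name) service=$svc (no Services key)"
            continue
        }
        $paramKey = Join-Path $servicesKey "$svc\Parameters"
        $dll = (Get-ItemProperty -Path $paramKey -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { continue }   # not a DLL-hosted service; nothing to check
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
        if (-not (Test-Path $dll)) {
            Write-Output "MISSING  group=$($group.Name) service=$svc dll=$dll"
        } elseif ((Get-AuthenticodeSignature $dll).Status -ne 'Valid') {
            # Older PowerShell does not consult catalog signatures, so many
            # genuine system DLLs report NotSigned here; treat this as a hint,
            # not a verdict, and compare the file against a clean system.
            Write-Output "UNSIGNED group=$($group.Name) service=$svc dll=$dll"
        }
    }
}

# A rundll32.exe whose parent is svchost.exe deserves a look: a legitimate
# hosted service rarely needs to spawn rundll32 against a DLL in System32.
$procs = Get-WmiObject Win32_Process
foreach ($p in ($procs | Where-Object { $_.Name -ieq 'rundll32.exe' })) {
    $parent = $procs | Where-Object { $_.ProcessId -eq $p.ParentProcessId }
    if ($parent -and $parent.Name -ieq 'svchost.exe') {
        Write-Output "rundll32 pid=$($p.ProcessId) parent svchost pid=$($parent.ProcessId)"
        Write-Output "  parent cmdline: $($parent.CommandLine)"
        Write-Output "  child  cmdline: $($p.CommandLine)"
    }
}
```

The parent svchost command line shows which group (`-k netsvcs` and so on) launched the child, which narrows the search to the services listed for that group.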
