Lingering PRAGMA Rootkit (Win32/Rootkit.Kryptik.AZ trojan) TDSS Variant

No replies to this topic

#1 bstrange

  • Members
  • 82 posts

Posted 14 February 2011 - 12:59 PM

Hello,

I have been working on cleaning this system (Desktop PC: Dell Optiplex 7500: Windows XP SP3) for a few days now after discovering an old, partially removed infection of Paladin Antivirus. I ran the usual removal tools, MBAM, Combofix, Avast Boot Scan, and F-Secure Online scans, and all show up clean now; however, the Avast real-time behavior scanner is still flagging a latent rootkit service: SVC:PRAGMApxevsticxr. Of course, when Avast asks what I want to do I choose delete, and it recommends a boot scan, which comes up clean, and the Avast process starts again.

Knowing I was still infected, I decided to go to the ever trusty, but lengthy ESET online scanner which found:

C:\WINDOWS\PRAGMApxevsticxr\PRAGMAc.dll a variant of Win32/Kryptik.EXT trojan cleaned by deleting - quarantined
C:\WINDOWS\PRAGMApxevsticxr\PRAGMAd.sys a variant of Win32/Rootkit.Kryptik.AZ trojan cleaned by deleting - quarantined
C:\WINDOWS\PRAGMApxevsticxr\trz1D.tmp a variant of Win32/Rootkit.Kryptik.AZ trojan cleaned by deleting - quarantined
C:\WINDOWS\PRAGMApxevsticxr\trz3.tmp a variant of Win32/Rootkit.Kryptik.AZ trojan cleaned by deleting - quarantined
C:\WINDOWS\PRAGMApxevsticxr\trz7.tmp a variant of Win32/Rootkit.Kryptik.AZ trojan cleaned by deleting - quarantined


and then in a subsequent ESET scan:

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0000075.dll a variant of Win32/Kryptik.EXT trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0000076.sys a variant of Win32/Rootkit.Kryptik.AZ trojan cleaned by deleting - quarantined


The third ESET scan came up clean and I thought I had beaten it. Unfortunately, the rootkit reared its ugly head and Avast's behavior shield caught it again.

I assumed there were probably still infected registry keys, so after the third Avast warning or so, I searched the registry and found:

LOCAL_MACHINE\software\ati technologies\cds\device\0\DeviceItem0082 : [Non-Plug and Play Drivers] -> [PRAGMApxevsticxr] (0x00000000)
CURRENT_USER\software\microsoft\internet explorer\explorer bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU\000 : PRAGMAd
HKEY_CURRENT_USER\software\microsoft\internet explorer\explorer bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU\001 : PRAGMAd.sys


These, oddly enough, deleted without 3rd-party tools. I rebooted the system and it looked clean for about 20 minutes before Avast caught the rootkit again.

At this point, I tried Kaspersky's TDSSKiller, which found nothing. RootRepeal found a number of drivers (including itself):

Name: atapi.sys
Image Path: atapi.sys
Address: 0xB9F0B000 Size: 96512 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xA9AB8000 Size: 815104 File Visible: No Signed: -
Status: -

Name: iaStor.sys
Image Path: iaStor.sys
Address: 0xB9E44000 Size: 815104 File Visible: - Signed: -
Status: Hidden from the Windows API!


and a hidden service (this is what Avast real-time keeps flagging, I believe):

Service Name: PRAGMApxevsticxr
Image Path: C:\WINDOWS\system32\drivers\PRAGMApxevsticxr.sys


So that is where I am at: stumped on a pesky rootkit; all other infections appear to be removed. All scan logs are available for review if necessary.

Oh, one more very interesting note, as I had never seen a virus/malware do this before. It had modified group policy to allow full 'Enabled' access to the following:
- Download signed ActiveX controls
- Download unsigned ActiveX controls
- Initialize and script ActiveX controls not marked as safe for scripting
- Launch programs and files in an IFRAME

These policies were locked in the IE8 Security tab and uneditable. I accessed Group Policy, but the path "Windows Components\Internet Explorer" was not even present; in fact, very few items were configurable in gpedit. The malware had removed all administrator templates for group policy editing. The following administrator templates had to be added: system.adm, conf.adm, inetres.adm, wmplayer.adm, wuau.adm. Once system.adm was added, I was able to override the changes it made to IE8 security.

Hopefully, I have given a good description of what my problem is. I know it is frowned upon to post logs so I didn't post any, but I did try to include file names and what I thought was necessary info.

Thanks in advance!

[Edit to add:] It may also be important to mention that in any instance where the Avast real-time scanner reports and then deletes the rootkit and actually enters it into the log file, the "Result" lists the following error: "1381 The maximum number of secrets that may be stored in a single system has been exceeded." This has not occurred within the last half dozen times since uninstalling and reinstalling Avast; however, the detection and removal are no longer being listed in the logs either, so of course if there is no record, there is obviously no error... This may be a different problem entirely, and if so, please ignore it; however, considering the group policy changes the virus made, I thought it would be important to mention, even if it is dismissed as an unrelated problem by the experts :)

Edited by bstrange, 14 February 2011 - 01:09 PM.
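Two checks a responder could run on a box like this one, as an added example that is not part of the post above and not code from any of the tools it names: a cross-view of the registry's service registrations against what the Service Control Manager will enumerate (the idea behind RootRepeal's "hidden" report, which is how a service like PRAGMApxevsticxr shows up), and a listing of the Internet-zone policy values for the four settings the post says were forced to "Enabled". Assumed and not from the post: PowerShell 3 or later, and the zone action IDs 1001/1004/1201/1804 with states 0=Enabled, 1=Prompt, 3=Disabled as documented for Internet Explorer zone settings.

```powershell
# Added example (not from the post or any tool it names); run from an elevated
# PowerShell 3+ prompt. Check 1 cross-views registry service/driver registrations
# against what the Service Control Manager enumerates. Check 2 lists Internet-zone
# policy values for the four settings the post describes. Assumed: IDs 1001/1004/
# 1201/1804 and states 0=Enabled, 1=Prompt, 3=Disabled per documented IE zone settings.

function Get-RegistryOnlyServices {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    # Keep only real registrations: kernel driver (1), file-system driver (2),
    # own-process (16) or shared-process (32) service. Other subkeys are not services.
    $registered = Get-ChildItem $root | Where-Object {
        @(1, 2, 16, 32) -contains $_.GetValue('Type')
    } | Select-Object -ExpandProperty PSChildName
    # Everything the SCM is willing to report: Win32 services plus kernel drivers.
    $visible = @(Get-Service | Select-Object -ExpandProperty Name) +
               @(Get-CimInstance Win32_SystemDriver | Select-Object -ExpandProperty Name)
    # Registered in the registry but not enumerable through the API: review each one.
    # A hidden entry like the post's PRAGMA* service would land here.
    foreach ($name in $registered) {
        if ($visible -notcontains $name) {
            [pscustomobject]@{
                Name      = $name
                ImagePath = (Get-Item "$root\$name").GetValue('ImagePath')
            }
        }
    }
}

function Get-ForcedInternetZoneSettings {
    $actions = @{ '1001' = 'Download signed ActiveX controls'
                  '1004' = 'Download unsigned ActiveX controls'
                  '1201' = 'Initialize and script ActiveX controls not marked as safe for scripting'
                  '1804' = 'Launch programs and files in an IFRAME' }
    $states = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }
    # Values under Policies\ override the user's own choices and grey out the Security
    # tab, which is the locked state the post describes. Zone 3 is the Internet zone.
    foreach ($hive in 'HKLM', 'HKCU') {
        $zone = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
        if (-not (Test-Path $zone)) { continue }
        $key = Get-Item $zone
        foreach ($id in $actions.Keys) {
            $raw = $key.GetValue($id)
            if ($null -eq $raw) { continue }
            $state = if ($states.ContainsKey([int]$raw)) { $states[[int]$raw] } else { "raw $raw" }
            [pscustomobject]@{ Hive = $hive; Setting = $actions[$id]; State = $state }
        }
    }
}

Get-RegistryOnlyServices       | Format-Table -AutoSize
Get-ForcedInternetZoneSettings | Format-Table -AutoSize
```

Anything listed by the first check is a candidate, not a verdict: compare its ImagePath against a known-good install before acting, since a stale registration for a removed driver can also appear there.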
