New type of Malware?


5 replies to this topic

#1 biochemiii
  • Members
  • 1 posts

Posted 21 September 2011 - 02:31 PM

I've been poking at an HP Pav for a few days here.. and I've discovered
a worm unlike any I've ever seen before. It is fully integrated with
the operating system and is highly defensive.

So here's what I've found out so far..

the start method is unknown

the app lists itself as 1381454673:2930550957.exe in the task manager
the task manager points to c:/windows but cannot find the file
as the name contains an invalid character

I located a file by this name, size 0kb in the windows
directory and also in prefetch. I renamed these .old

I ran SuperAntiSpyware, the worm closed it then changed
the privileges on it so I could not run it again, the
shortcut icon was removed as well

I ran Malwarebytes, it was terminated, privileges changed
and icons removed...

I ran process view from sys internals, it was terminated
icons removed as well

I used safe mode under the hidden administrator account and
the worm was still running

I searched by modified and created date, all files.. and nothing
not one DLL or EXE was created during the time of infection.. or at least there was no date and time which corresponded

I booted to Hiren's Boot CD, used SuperAntiSpyware, it found a few
things and ignored the new worm

I browsed into the users folders, and discovered a duplicate
Application Data Directory.. the path was so long it was invalid,
but read as user/jennifer/local/app data/ application data/application data/application data/application data..
and was nested like 20 times.. the file by number was contained within this invalid path.

I found several of these invalid Application Data directories and paths, along with a dozen or more Temp Internet Files.. created in locations which could easily be mistaken for the proper path.

The Application Data directory which was nested, seemed to contain ALL the information that the parent folder contained, over and over, with the worm located in the center of the nest

I used Dos and other tools to delete all invalid paths, and all files
containing the number. the system was still infected..

I searched registry for hours, and found 2 entries under control set services, but they were re written on boot and did not affect the worm in any way

I noticed several critical errors in the system log, stating the TCP packet limit was reached.. yet there were no entries at the time of infection, in any log

the copy of IE8 surfs fine but when an antivirus site is entered it is hijacked..
so I installed firefox, which also resulted in hijacked URLs

I removed the entire network and all protocols, which in turn crashed
the system, I've reinstalled those but DNS will not work now

This worm attacks any process which examines processes, it terminates
and changes security on all antivirus software, it blocks all possible URLs
containing patches or antivirus software, including this site. I have a pile
of white paper icons on my desktop now.. including process viewers 1 to 8
as I tried renaming them. I cannot delete them, even though Windows
says I have full control.. I get a permissions prompt when trying to remove
the Malwarebytes shortcut, or the process viewer app itself.

I've reset everything, I've checked every DLL, removed all web files, all Flash
objects, the system is empty, and this worm seems to be using DEP and Windows Firewall to defend itself. It is fully integrated.

I don't think someone took the time
to write this thing just to hijack, I've never seen anything like this..
this was written by one of the best, or a team of the best.. the worm is
able to detect antivirus-like behaviours and terminate and remove apps.. and was written as well as most antivirus software.

I would like to know its purpose, busting open Wireshark now :) problem
being I've been trying to kill this thing for 3 days and I may have taken
out its communications.

Has anyone ever heard of this? SuperAntiSpyware starts the scan and
lasts 3 seconds.. it seems when it touches the file the AV closes or is
closed by DEP. The worm seems to be using Windows to defend itself.

I just didn't want to nuke this one till I knew what it was.. happily using Debian now. The infected machine is running Vista, IE8 with DEP and Restore disabled.

Edited by Orange Blossom, 22 September 2011 - 11:30 AM.
Moved to AII. ~ OB



#2 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,421 posts
  • Gender:Male
  • Location:NJ USA

Posted 23 September 2011 - 10:29 AM

Please download the Brontok Disinfection Tool and follow the instructions posted by Sophos.

When done, please download the Brontok Worm Removal Tool by sUBs and save it to your Desktop.
Disconnect the computer from the Internet and close all other programs.
Double-click CleanX-II.exe and follow the prompts.
The tool will begin scanning your machine. Because this worm names its files randomly, there are a series of cross-checks/verification processes to ensure that the tool does not remove legitimate files. Depending on the size of your drives, this scan may take several minutes. Please be patient during this period & allow it to complete its task.
Once the scan is complete it will provide a text log of the results. If the log shows any files remaining in the bottom portion under "POST RUN ANALYSIS", run the entire scan a second time.


Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Troubleshoot Malwarebytes' Anti-Malware

#3 turnorburn
  • Members
  • 35 posts
  • Gender:Male

Posted 25 September 2011 - 10:22 PM

Are you still poking at that HP? I'd be interested to see what that worm looks like, as I'm sure others would like to know as well. If you've solved your problem, maybe you could have the courtesy to let us know.

Thanks..

turnorburn
Saved by grace and grace alone

#4 duffman452001
  • Members
  • 1 posts

Posted 26 September 2011 - 02:52 PM

You have the new strand of the ZeroAccess rootkit. It is nasty.

LINK REMOVED, Rootkit removal not allowed in this forum by non staff.
Rootkit Removal in AII
Instructions for posting advice in Am I Infected

This is a tool specific to its removal. It may be too late for your computer though, as it's pretty destructive (have had to re-image both PCs that had it here in my IT department, but this was before I knew of this tool).

More info on this new strand

http://www.sectechno.com/2011/09/16/zeroaccess-rootkit-max-new-variants/

Edited by boopme, 28 September 2011 - 10:52 AM.


#5 Lotsableeps
  • Members
  • 7 posts

Posted 27 September 2011 - 09:44 PM

I've seen a few of these the past week. Hard to get rid of. I'm looking forward to trying the tools bleepingcomputer.com has recommended. Might make life easier.

To biochemiii and others looking to manually find this infection and remove the files, I would like to add some more info. The file name seen in the Task Manager with the randomnumbers:randomnumbers is not going to appear on the system. The first part in front of the colon will, and the colon represents an ADS, or alternate data stream. It's a built-in function of NTFS partitions to tie data to another file, but doing so hides the file completely. Flexhex.com has a good article on ADS streams if you want more info.

HijackThis has a version of ADSSpy in the Misc. Tools section, but will not remove the ADS while the file is active, and Task Manager will not kill the process. In fact, HijackThis will not run more than once unless you run it from removable media (i.e. flash drive).

TDSSKiller from Trend will see the file as bad but not remove it (unless it is being re-created).

I think the important part of removing this infection involves another file, a rootkit driver, that is doing the work to recreate this file.

Scanning the drive hooked up to another machine so the files are not in memory helps, along with using a utility like ADSSpy to remove the alternate data stream at the same time. This method indicated intelppm.sys infected (the rootkit part), which I replaced with a good copy. Note that TDSSKiller showed this file having a forged MD5 hash, but would not offer to "cure", only delete or quarantine. All together that seemed to disinfect that machine.

I'm dealing with a Mac with Boot Camp now that hopefully will be made easier with the utilities mentioned above, so hopefully the drive won't have to be removed (which is a pain) to do a scan as a secondary drive on another machine.

I'll see if I can get feedback tomorrow evening on how it went.

Thanks!

Edited by Lotsableeps, 27 September 2011 - 09:51 PM.
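As an added example (not code from this thread or from any tool named in it), here is a PowerShell script that lists NTFS alternate data streams under a directory, the hidden "hostfile:stream" layout the post above describes and the reason a 0 KB host file can back a running 1381454673:2930550957.exe. The function name Get-AlternateStream and the $Root and $MinSize parameters are names chosen here; it needs PowerShell 3.0 or later for the -Stream parameter.

```powershell
# Added example: enumerate NTFS alternate data streams (ADS) beneath $Root.
# Explorer and Task Manager show only the host file, so an executable stored
# in a stream is invisible to a normal directory listing. Requires PowerShell
# 3.0+ (Get-Item -Stream) on an NTFS volume; $Root and $MinSize are assumed names.

param(
    [string]$Root = $env:SystemRoot,   # directory to walk; %SystemRoot% is where the OP saw it
    [long]$MinSize = 0                 # ignore streams smaller than this many bytes
)

function Get-AlternateStream {
    param([string]$Path)
    # -Force includes hidden/system files. On Windows PowerShell 5.1 the recursion
    # follows directory junctions, so walking a Vista user profile can loop through
    # the "Application Data" junction; add -Depth (PS 5.0+) if that happens.
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # ':$DATA' is the file's ordinary content; every other stream is an ADS
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Length -ge $MinSize } |
                ForEach-Object {
                    [pscustomobject]@{
                        File            = $file.FullName
                        Stream          = $_.Stream
                        Length          = $_.Length
                        # the "host:stream" form a running process would be reported under
                        FullName        = '{0}:{1}' -f $file.FullName, $_.Stream
                        # an executable image inside a stream is the case the thread discusses
                        LooksExecutable = $_.Stream -match '\.(exe|dll|sys)$'
                    }
                }
        }
}

$hits = Get-AlternateStream -Path $Root
$hits | Sort-Object LooksExecutable -Descending | Format-Table -AutoSize

# Zone.Identifier streams are benign download markers and will appear in the list;
# an unknown executable stream on a host file in %SystemRoot% is what to triage.
# Read a stream for inspection without executing it:
#   Get-Content -LiteralPath 'C:\path\hostfile' -Stream 'streamname' -Raw
# Remove it once confirmed malicious (fails while the image is mapped in a process):
#   Remove-Item -LiteralPath 'C:\path\hostfile' -Stream 'streamname'
```

Run it from an offline scan (drive attached to a clean machine, as the post suggests) so the stream is not in use and the removal step is not blocked.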


#6 boopme
    To Insanity and Beyond
  • Global Moderator
  • 73,421 posts
  • Gender:Male
  • Location:NJ USA

Posted 28 September 2011 - 10:54 AM

This is a MAX++ ZeroAccess rootkit and if you are infected you need to start a new topic.
The tool link I removed is not effective enough to use safely.

Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic, thanks.
If GMER won't run, skip it and move on.
Let me know if that went well.
