a worm unlike any I've ever seen before. It is fully integrated with
the operating system and is highly defensive.
So here's what I've found out so far..
the start method is unknown
the app lists itself as 1381454673:2930550957.exe in the task manager
the task manager points to c:/windows but cannot find the file
as the name contains an invalid character
I located a file by this name, size 0 KB, in the Windows
directory and also in Prefetch. I renamed these .old
I ran SuperAntiSpyware; the worm closed it, then changed
the privileges on it so I could not run it again. The
shortcut icon was removed as well.
I ran Malwarebytes; it was terminated, privileges changed
and icons removed...
I ran Process View from Sysinternals; it was terminated,
icons removed as well.
I used safe mode under the hidden administrator account and
the worm was still running
I searched by modified and created date, all files.. and nothing.
Not one DLL or EXE was created during the time of infection.. or at least there was no date and time which corresponded.
I booted to Hiren's Boot CD, used SuperAntiSpyware; it found a few
things and ignored the new worm.
I browsed into the users folders, and discovered a duplicate
Application Data Directory.. the path was so long it was invalid,
but read as user/jennifer/local/app data/ application data/application data/application data/application data..
and was nested like 20 times.. the file by number was contained within this invalid path.
I found several of these invalid Application Data directories and paths, along with a dozen or more Temp Internet Files.. created in locations which could easily be mistaken for the proper path.
The Application Data directory which was nested seemed to contain ALL the information that the parent folder contained, over and over, with the worm located in the center of the nest.
I used DOS and other tools to delete all invalid paths, and all files
containing the number. The system was still infected..
I searched the registry for hours, and found 2 entries under control set services, but they were rewritten on boot and did not affect the worm in any way.
I noticed several critical errors in the system log, stating the TCP packet limit was reached.. yet there were no entries at the time of infection, in any log
The copy of IE8 surfs fine, but when an antivirus site is entered it is hijacked..
so I installed Firefox, which also resulted in hijacked URLs.
I removed the entire network and all protocols, which in turn crashed
the system. I've reinstalled those, but DNS will not work now.
This worm attacks any process which examines processes; it terminates
and changes security on all antivirus software, and it blocks all possible URLs
containing patches or antivirus software, including this site. I have a pile
of white paper icons on my desktop now.. including process viewers 1 to 8
as I tried renaming them. I cannot delete them, even though Windows
says I have full control.. I get a permissions prompt when trying to remove
the Malwarebytes shortcut, or the process viewer app itself.
I've reset everything, I've checked every DLL, removed all web files, all Flash
objects; the system is empty, and this worm seems to be using DEP and Windows Firewall to defend itself. It is fully integrated.
I don't think someone took the time
to write this thing just to hijack. I've never seen anything like this..
This was written by one of the best, or a team of the best.. the worm is
able to detect antivirus-like behaviours and terminate and remove apps.. and was written as well as most antivirus software.
I would like to know its purpose. Busting open Wireshark now; the problem
being I've been trying to kill this thing for 3 days and I may have taken
out its communications.
Has anyone ever heard of this? SuperAntiSpyware starts the scan and
lasts 3 seconds.. it seems when it touches the file the AV closes or is
closed by DEP. The worm seems to be using Windows to defend itself.
I just didn't want to nuke this one till I knew what it was.. happily using Debian now. The infected machine is running Vista, IE8, with DEP and Restore disabled.
Edited by Orange Blossom, 22 September 2011 - 11:30 AM.
Moved to AII. ~ OB
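One way to triage a directory listing for the two symptoms described in the post above (a name containing a character a Win32 file name cannot hold, and the same directory name nested over and over), as an added example that is not part of the original post; the sample paths are constructed and the nesting limit is an assumed threshold:

```python
import re
from typing import Dict, List

# Constructed sample listing (not taken from the post): paths as a recursive
# directory listing might report them on the machine being investigated.
SAMPLE_PATHS = [
    r"C:\Windows\1381454673:2930550957.exe",
    r"C:\Windows\Prefetch\1381454673:2930550957.exe",
    r"C:\Users\jennifer\AppData\Local\Application Data\Application Data"
    r"\Application Data\Application Data\Application Data\Application Data\1381454673",
    r"C:\Users\jennifer\AppData\Local\Temp\setup.log",
    r"C:\Program Files\Malwarebytes\mbam.exe",
]

# Characters that are never legal inside a single Win32 file-name component.
# A colon is the NTFS alternate-data-stream separator, which is why a
# "name:stream.exe" entry can show up in a process list and yet not be
# found by an ordinary file search.
INVALID_CHARS = re.compile(r'[<>:"|?*]')
NESTING_LIMIT = 3  # assumed threshold: more repeats than this is worth a look


def triage_paths(paths: List[str], limit: int = NESTING_LIMIT) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for every entry that trips one of the checks."""
    findings: Dict[str, List[str]] = {}
    for path in paths:
        reasons: List[str] = []
        components = path.split("\\")[1:]  # drop the drive letter
        # Check 1: a component carrying a character Win32 names cannot hold.
        bad = [c for c in components if INVALID_CHARS.search(c)]
        if bad:
            reasons.append(f"invalid file-name character in {bad!r}")
        # Check 2: the same directory name repeated back to back, which is
        # what a directory that "contains itself" looks like in a listing.
        run, longest, longest_name = 1, 1, None
        for prev, cur in zip(components, components[1:]):
            run = run + 1 if cur.lower() == prev.lower() else 1
            if run > longest:
                longest, longest_name = run, cur
        if longest > limit:
            reasons.append(f"'{longest_name}' repeated {longest} times in path")
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for flagged, why in triage_paths(SAMPLE_PATHS).items():
        print(flagged, "->", "; ".join(why))
```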