
Newest Moneypak Strain: Computer Crime And Intellectual Property Section



#1 Fenix Studios

  • Members
  • 4 posts

Posted 15 May 2013 - 06:04 PM

If it helps, my computer repair shop just got this bug in. Just now manually removing it. This is what I discovered about this strain:

8-char name can be found on vista/7/8 under:

C:\ProgramData\

C:\Users\%Username%\AppData\Local\

C:\Users\%Username%\AppData\Roaming\

 

Load points at:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

To run the 8-char.exe from the infected user's My Documents folder.

 

Also located the re-infect mechanism at:
HKEY_Users\S-long string but not the Class one\Software\Microsoft\Command Processor
"Autorun"="\C:\\Users\\%username%\\Documents\\8-char.exe"

 

After removing these files and registry entries, the system starts up without an explorer shell, but does spawn a command prompt, so you can simply type "explorer". Obviously this is not completely fixed.

 

Still trying to trace down removing the command prompt from spawning instead of an explorer shell.


Edited by bloopie, 19 May 2013 - 05:28 PM.
Moved from Logs forum to AV Protection area. ~bloopie



#2 Fenix Studios

  • Topic Starter
  • Members
  • 4 posts

Posted 15 May 2013 - 06:08 PM

Seems modifying the original Autorun value to explorer.exe works to get a shell, but still can't get rid of this blasted prompt... and of course, Autorun isn't there normally on any un-infected systems I have here in house.

 

SWEET!

 

Shell had been hijacked at:

HKey_Users\S-long one not classes\Software\Microsoft\Windows NT\CurrentVersion\WinLogon

Shell = cmd.exe should have value of explorer.exe

 

Also found additional non-exe file at C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Templates

 

Hope this helps someone. Used Hiren's 15.2 to access the file system and load the registry hive. Now onward with the rootkit scanning!


Edited by Fenix Studios, 15 May 2013 - 06:29 PM.


#3 bloopie

    Bleepin' Sith Turner

  • Malware Response Team
  • 7,927 posts

Posted 19 May 2013 - 05:43 PM

Thanks for sharing your post! :)

 

 

Load points at:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

To run the 8-char.exe from the infected user's My Documents folder.

 

Also located the re-infect mechanism at:
HKEY_Users\S-long string but not the Class one\Software\Microsoft\Command Processor
"Autorun"="\C:\\Users\\%username%\\Documents\\8-char.exe"

 

Shell had been hijacked at:

HKey_Users\S-long one not classes\Software\Microsoft\Windows NT\CurrentVersion\WinLogon

Shell = cmd.exe should have value of explorer.exe

 

Also found additional non-exe file at C:\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Templates

 

==========

 

Also bear in mind that (depending on the variant) the malware can sometimes be easily sidestepped by just disconnecting the Ethernet cable and rebooting normally. Occasionally that will work.

 

Other times just restoring the Winlogon [Shell] registry value will be enough to boot normally and use another antimalware program like MBAM to clean up the remaining infected files.
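A defender-side check for the three persistence points this thread describes (Command Processor AutoRun, the Winlogon Shell value, and the HKCU Run key pointing at an 8-character .exe), added here as an example; it is not code from the posters or from BleepingComputer. The registry paths come from the posts; the -RestoreShell switch, the HKLM checks and the eight-alphanumeric-character filename pattern are my assumptions.

```powershell
# Added audit script (not from the thread). Reads the persistence points named
# in the posts for the current user and machine and reports anything unexpected.
# Read-only unless -RestoreShell is given, which sets Winlogon\Shell back to
# explorer.exe (the remediation the thread used; HKLM needs an elevated prompt).
param([switch]$RestoreShell)

$findings = @()

# 1. Command Processor AutoRun: normally absent. The thread found it pointing at
#    an 8-character .exe in the user's Documents folder (re-infect mechanism).
foreach ($hive in 'HKCU:', 'HKLM:') {
    $key = "$hive\Software\Microsoft\Command Processor"
    $val = (Get-ItemProperty -Path $key -Name AutoRun -ErrorAction SilentlyContinue).AutoRun
    if ($val) { $findings += "AutoRun set under ${key}: $val" }
}

# 2. Winlogon Shell: should be explorer.exe. The thread found it set to cmd.exe
#    in the user's hive (HKEY_USERS\<SID> is the same data as HKCU).
foreach ($hive in 'HKCU:', 'HKLM:') {
    $key = "$hive\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell -ne 'explorer.exe') {
        $findings += "Winlogon Shell under ${key} is '$shell', expected explorer.exe"
        if ($RestoreShell) { Set-ItemProperty -Path $key -Name Shell -Value 'explorer.exe' }
    }
}

# 3. HKCU Run entries whose target is an eight-alphanumeric-character .exe in
#    Documents, ProgramData or AppData (the locations the first post lists).
#    The 8-character assumption is taken from the thread, not a general rule.
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$pattern = '(?i)\\(Users\\[^\\]+\\Documents|ProgramData|AppData\\(Local|Roaming))\\[a-z0-9]{8}\.exe\b'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata properties
        if ($p.Name -notlike 'PS*' -and "$($p.Value)" -match $pattern) {
            $findings += "Suspicious Run entry '$($p.Name)': $($p.Value)"
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'None of the indicators described in this thread were found.' }
```

Run it from the suspect user's session (or against a loaded hive by adjusting the drive prefix) before and after cleanup to confirm the entries are gone.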
