There's a lot of fake ("rogue") antivirus malware in the wild, as I've mentioned previously. Sometimes it's relatively easy to remove; just kill the process with Windows Task Manager (press Ctrl-Shift-Esc, click on the malicious process e.g. pav.exe, and click End Process) and then delete the offending executable file. Yesterday I came across a new variant of "Windows PC Defender" and was surprised at how many changes it made to the system. Not only were there HOSTS file and search engine modifications, but the malware also effectively disabled Windows Task Manager—and even McAfee VirusScan Enterprise, which unfortunately failed to detect the new malware before being disabled by it.

What heinous malware sorcery was needed to disable a major corporate antivirus product? Nothing more than a simple registry hack. Several application file names were added to the following location in the registry, with svchost.exe set as the debugger (which effectively prevented all processes with those file names from running at all):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
Although McAfee didn't stop the malware and was subsequently disabled by the infection, Spybot-Search & Destroy was able to find some—but not all—of the registry modifications (the entries that Spybot found were identified as Hupigon13, Win32.Agent.tdd, Win32.Delf.uv, and Win32.VB.PW infections). Spybot's findings pointed me in the right direction so I could manually find and remove some of the other registry changes. A partial list of disabled applications can be found at the ThreatExpert link below. When cleaning this or a similar infection, you can safely delete any entries with "svchost.exe" set as the debugger. Note that if regedit.exe is disabled by this hack, you can just make a copy of it on your desktop and rename it to something else, e.g. regedit-works-now.exe, and then open the renamed copy. You can find the original at C:\WINDOWS\regedit.exe on your hard drive, or look in the I386 folder on your Windows installation disc.
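As an added example (not code from the original post), the PowerShell script below audits the Image File Execution Options key named above for Debugger values pointing at svchost.exe, which is how this infection stopped Task Manager and the antivirus from launching: Windows starts whatever program the Debugger value names in place of the real executable and hands it the original command line, and svchost.exe simply exits, so the target never runs. The key path is the one from the post; the function names and the svchost.exe match pattern are my own. Run it from an elevated prompt.

```powershell
# Added example, not from the original post: audit Image File Execution Options (IFEO)
# for "Debugger" values that point at svchost.exe and optionally remove them.
$IfeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebuggerEntry {
    # Returns one object per IFEO subkey (named after an executable) that has a Debugger value.
    Get-ChildItem -Path $IfeoPath -ErrorAction Stop | ForEach-Object {
        $debugger = (Get-ItemProperty -Path $_.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
        if ($debugger) {
            [pscustomobject]@{
                Executable = $_.PSChildName
                Debugger   = $debugger
                KeyPath    = $_.PSPath
                # svchost.exe is never a legitimate debugger; any other Debugger still deserves a look,
                # since real debuggers (windbg, vsjitdebugger) are registered the same way.
                Hijacked   = [bool]($debugger -match '(^|\\)svchost\.exe\b')
            }
        }
    }
}

function Remove-IfeoHijack {
    # Deletes only the Debugger value, leaving any other IFEO settings for that executable intact.
    # Use -WhatIf to see what would be removed without changing anything.
    param([switch]$WhatIf)
    Get-IfeoDebuggerEntry | Where-Object { $_.Hijacked } | ForEach-Object {
        Remove-ItemProperty -Path $_.KeyPath -Name 'Debugger' -WhatIf:$WhatIf
        'Removed svchost.exe debugger from {0}' -f $_.Executable
    }
}

# Report first; run Remove-IfeoHijack once the report looks right.
Get-IfeoDebuggerEntry | Format-Table Executable, Debugger, Hijacked -AutoSize
```

If powershell.exe itself has been added to the key, the same trick the post describes for regedit.exe applies: copy it under another name and run the copy.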
HijackThis pointed out that there were HOSTS file infections. Several Google domains were being forced to resolve to 206.53.61 .77, but even more interesting was that several domains related to other fake antivirus products were being forced to resolve to 74.125.45.100—the real Google. (Apparently the creator of this malware didn't want any competition from certain other fake antivirus products, but I find it somewhat amusing that the malware author chose to redirect those sites to the real Google while redirecting real Google sites elsewhere; why not just redirect your competitors' sites to 206.53.61 .77 as well?) HijackThis was unable to remove the HOSTS file infections, and FileASSASSIN was unable to delete the infected HOSTS file, so I used Spybot's file shredder utility to rename it, and then used Spybot to create a new HOSTS file in its place. I then used GiPo@MoveOnBoot to mark the renamed infected file for removal the next time the system boots.
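As an added example (not from the original post), here is a PowerShell script that lists HOSTS entries mapping a name to anything other than a loopback address, which is the pattern behind the Google and rival fake-AV redirects described above. The 206.53.61.77 address comes from the post; the "well-known domain" check for google.com names is an illustrative assumption, and the function name is my own.

```powershell
# Added example, not from the original post: report HOSTS entries that redirect names
# to real (non-loopback) addresses. Loopback entries are skipped because ad-blocking
# HOSTS lists use them legitimately.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$KnownBad  = @('206.53.61.77')               # redirect target reported in the post
$Loopback  = @('127.0.0.1', '::1', '0.0.0.0')

function Get-HostsRedirect {
    param([string]$Path = $HostsPath)
    try {
        $lines = Get-Content -Path $Path -ErrorAction Stop
    } catch {
        # A HOSTS file you cannot even read is itself a sign of tampering (locked or ACL changed).
        throw "Cannot read $Path ($($_.Exception.Message)); the file may be held open or its ACL changed."
    }
    $n = 0
    foreach ($raw in $lines) {
        $n++
        $line = ($raw -split '#', 2)[0].Trim()   # drop comments and blank lines
        if (-not $line) { continue }
        $fields = $line -split '\s+'
        $ip = $fields[0]
        if ($Loopback -contains $ip) { continue }
        foreach ($name in ($fields | Select-Object -Skip 1)) {
            if ($KnownBad -contains $ip)      { $verdict = 'known redirect target' }
            elseif ($name -like '*google.com') { $verdict = 'well-known domain pinned to a non-loopback IP' }
            else                               { $verdict = 'review' }
            [pscustomobject]@{ Line = $n; Address = $ip; HostName = $name; Verdict = $verdict }
        }
    }
}

Get-HostsRedirect | Format-Table -AutoSize
```

Entries like the ones sending rival fake-AV domains to 74.125.45.100 show up under "review": the address is Google's, but there is no reason for a HOSTS file to pin those names at all, so anything non-loopback that you did not add yourself is suspect.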
The malware also changed SearchScopes entries in the registry so that searches would be redirected to search-gala .com. To clean an infected system, you will need to search the registry for "search-gala" and replace anything that looks similar to this:
hxxp://search-gala .com/?&uid=201&q={searchTerms}
...with something safe like this:
http://www.google.com/search?hl=en&q={searchTerms}
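As an added example (not from the original post), this PowerShell script does the SearchScopes part of that search-and-replace: it walks the Internet Explorer SearchScopes keys in HKCU and HKLM, reports every string value containing "search-gala", and can replace each one with the Google URL given above. The marker string and replacement URL are the post's; the function names are mine. The post says to search the whole registry, so treat this as the targeted pass and follow it with a full search for the same string.

```powershell
# Added example, not from the original post: find and repair SearchScopes values that
# point at search-gala. Run Get-HijackedSearchScope first; Repair-HijackedSearchScope
# only touches values the report listed.
$Marker  = 'search-gala'
$SafeUrl = 'http://www.google.com/search?hl=en&q={searchTerms}'
$Roots   = @(
    'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes',
    'HKLM:\Software\Microsoft\Internet Explorer\SearchScopes'
)

function Get-HijackedSearchScope {
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        # Check the SearchScopes key itself plus every {GUID} provider subkey beneath it.
        $keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse)
        foreach ($key in $keys) {
            $props = Get-ItemProperty -Path $key.PSPath
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Value -is [string] -and $p.Value -like "*$Marker*") {
                    [pscustomobject]@{ KeyPath = $key.PSPath; ValueName = $p.Name; Value = $p.Value }
                }
            }
        }
    }
}

function Repair-HijackedSearchScope {
    # Replaces each flagged value with the safe search URL; -WhatIf previews without writing.
    param([switch]$WhatIf)
    Get-HijackedSearchScope | ForEach-Object {
        Set-ItemProperty -Path $_.KeyPath -Name $_.ValueName -Value $SafeUrl -WhatIf:$WhatIf
        '{0} [{1}]: replaced' -f $_.KeyPath, $_.ValueName
    }
}

Get-HijackedSearchScope | Format-List
```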
Details about the malicious executable, parts courtesy of VirusTotal:
File name and location:
C:\Documents and Settings\All Users\Application Data\090943c\WP0909.exe
File size: 2185216 bytes
MD5: db50541ff7a46ddeb64fbccdb3bea9d9
SHA1: 6839e11a015469255f8a1e93a058e5b35c5f74da
SHA256: 6b52a1f71544d3328720cacb7f27034826241cc6bcec33eb6f9c19c48ad3136d
6/41 detection rate upon first scan at 2009.09.22 00:20:13 (UTC)
14/41 detection rate as of 2009.09.22 17:54:05 (UTC), and McAfee and Fortinet plan to add detections for it soon
Variously identified as: Trojan.Win32.FakeVimes!IK, TR/FakeVimes.A.64, Trojan.FakeAV.SG, Trojan.Win32.FraudPack.uci, Artemis!DB50541FF7A4, Trojan.FakeVimes.A.64, Trojan:Win32/FakeVimes, Win32/Kryptik.AKT, Trj/CI.A, Mal/Basine-C, Trojan.Win32.Generic!BT, Suspicious.MH690.A, Misc/FakeAV, FakeAlert-WPS.gen.a
For more details regarding the malicious payload and associated domains, see:
- http://www.threatexpert.com/report.aspx?md5=db50541ff7a46ddeb64fbccdb3bea9d9
- http://anubis.iseclab.org/?action=result&task_id=1e8faf7553374b794d556a4e85a9c6244&format=html
- http://www.bleepingcomputer.com/virus-removal/remove-windows-pc-defender - Removal instructions for another variant of Windows PC Defender
- http://www.mywot.com/en/scorecard/search-gala.com/comment-2410888
- http://www.mywot.com/en/scorecard/206.53.61.77
In other news, last night I discovered a new fake virus scan and malware distribution site at rampir .info, which I reported to numerous malware site blacklists. So far hpHosts, Malware Domain List, and DNS-BH have added it to their lists. See the following reports:
- http://wepawet.iseclab.org/view.php?hash=2cefe8d3cb9cbd1d89edbe6a491dbded&t=1253604494&type=js
- http://anubis.iseclab.org/?action=result&task_id=14a93866152a3b164990c58c537a1e6a1&format=html
- https://www.virustotal.com/analisis/19b6484a551aa8a07eb1179067156ae368d92d860a60a9be6a48b30b14e4d766-1253578460
- http://www.mywot.com/en/scorecard/rampir.info/comment-2410647
- http://hosts-file.net/?s=rampir.info
- http://www.malwaredomainlist.com/mdl.php?search=rampir.info
- http://www.malwaredomains.com/wordpress/?p=637
- http://www.mywot.com/en/scorecard/goneatscan.com/comment-2402650
- http://www.mywot.com/en/scorecard/gomutescan.com/comment-2402645
- http://www.malwaredomains.com/wordpress/?p=624
- http://www.mywot.com/en/scorecard/teacherslounge.cn/comment-2391753
- http://www.mywot.com/en/scorecard/mg0b.info/comment-2393060
- http://www.mywot.com/en/scorecard/cnn-bcc2.com/comment-2393057
For more from the JoshMeister on Security, please subscribe via e-mail or RSS, or follow me on Twitter.