The malware prevented opening the Task Manager or regedit, even after I copied the the exe files to the desktop and renamed them. It also cleverly prevented opening McAfee's main window. I had to boot the machine from a CD (a previously made UBCD4Win disc) in order to examine and repair the computer.
Not only had McAfee been unhelpful at detecting or preventing the infection, but running a fully updated Spybot—Search & Destroy while booted from the CD didn't find any malicious files either. While that scan was running, I searched the hard drive for files modified within the past two days (the machine had reportedly become infected the previous day) and I noticed Windows prefetch (.PF) files for two suspicious executables, which I subsequently discovered residing here:
C:\Documents and Settings\[username]\Local Settings\Temp\glqvcorac\poylsfolajb.exe(Note that the name of the folder and files inside the Temp directory are random, so if you're cleaning this infection you'll have to look for similarly suspicious files inside your Local Settings\Temp folder. In fact, you can usually safely delete the entire contents of that Temp folder. Also note that this is the Windows XP directory structure, so if you're running Windows Vista or Windows 7 the path will be different, possibly C:\Users\[username]\AppData\Local\Temp or C:\Users\[username]\Local Settings\Temp)
C:\Documents and Settings\[username]\Local Settings\Temp\0.9249067424896712.exe
It turns out that both of these files were actually copies of the same file with different names. The file is currently detected by 28 out of 43 antivirus engines according to VirusTotal:
MD5 : 3f26b63042639ba83f12af59ec96b669Here's another variant that I later discovered on another computer:
SHA1 : 08d8df0cdb79519705b7cf57f625fa5b83842129
File size : 321536 bytes
First seen: 2011-01-04 17:26:04
28/43 detection rate as of 2011-01-06 19:46:38 (UTC)
34/43 detection rate as of 2011-01-10 17:33:23 (UTC)
Variously identified as: FakeAlert-SpyPro.gen.bb, Gen:Variant.Kazy.7105, Gen.Variant.Kazy!IK, Generic Malware, Generic4.AZEH, Mal/FakeAV-DO, Mal/FakeAV-IC, Medium Risk Malware, Rogue:Win32/FakeSpypro, Rogue.FakeSpypro (Not a Virus), TR/FakeAV.zrt, Trj/CI.A, TROJ_FAKEAV.SMT1, Trojan.Agent/Gen-Venue, Trojan.FakeAV, Trojan.FakeAV!6BsmWKRLcxY, Trojan.FakeAV!gen39, Trojan.Siggen.64617, Trojan.Win32.FakeAV.zrt, Trojan.Win32.Generic.pak!cobra, Trojan/Win32.FakeAV.gen, UnclassifiedMalware, W32/FakeAV.ACHR, W32/FakeAV.ZRT!tr, Win-Trojan/Fakeav.321536.D, Win32:FakeAV-BCD, Win32:FakeAV-BCI, Win32.GenVariant.Kaz, Win32/Adware.SpywareProtect2009, Win32/AntivirusAction.AM, etc.
MD5 : a931ee4e43fb3e2651811f984bfafc0dI continued my investigation to try to discover the origin of the infection. Searching through the main index.dat History file, I identified a suspicious URL for a PDF file, and I searched the hard drive for that file. Sure enough, a scan on VirusTotal showed that the file was a PDF exploit, and Wepawet also identified it as suspicious. (Incidentally, the infected PC was running an old and vulnerable copy of Adobe Reader, version 9.2.0, and had not been configured for better security.) Here's the current VirusTotal analysis of the PDF, which is currently only detected by about a third of major antivirus vendors:
SHA1 : d5cb58529480fe7d4bd04e997e235591ebbe8c5b
File size : 324096 bytes
First seen: 2011-01-07 02:58:58
36/43 detection rate as of 2011-01-11 20:23:54 (UTC)
In addition to the classifications above, this variant is also identified as: Gen:Variant.Kazy.7430, Generic20.BOWF, High Risk Cloaked Malware, Riskware, Suspicious file, TR/Kazy.7430, TROJ_FAKEAV.GKR, Trojan.Agent/Gen-Frauder, Trojan.FakeAV!F3J+Da8Hqx4, Trojan.FakeAV!gen39, Trojan.FakeAV.zug, Trojan.Win32.FakeAV.zug, Trojan/Kryptik.JMP.gen, W32/FakeAV.ACHN, W32/FakeAV.ZUG!tr, Win32:FakeAV-BCI, Win32.GenVariant.Kaz, Win32/FraudAntivirusScan.F, Win32/Kryptik.JMP.Gen, etc.
MD5 : 2d1eb76fde5a94b14e1436039ffb0d87Since the file was located in the browser cache (the Temporary Internet Files folder), simply emptying the cache should delete this file if it resides on your system.
SHA1 : 441a264f5f0fc30072ab4b4f420d80b70366f645
File size : 12458 bytes
First seen: 2011-01-06 00:04:44
16/43 detection rate as of 2011-01-06 19:57:17 (UTC)
18/43 detection rate as of 2011-01-10 17:35:49 (UTC)
Variously identified as: Exploit.AdobeReader.gen (v), Exploit.JS.Pdfka.dcq, Exploit.PDF-JS!IK, Exploit.PDF-JS.Gen, Exploit.PDF.1654, Exploit.PDF.gen, Heuristic.BehavesLike.PDF.Suspicious.I, JS:Pdfka-APU, PDF/Exploit.Pidief.PDS.Gen, PDF/Pidief!generic, PDF/Piedf.F2EB!exploit, TROJ_PIDIEF.SMZB, Troj/PDFJs-ML, etc.
After rebooting from the hard drive again, the PC could not access the Internet. I ran HijackThis and found the following registry entries which needed to be deleted:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8074(For the O4 entry above, note that the path to the file inside the Temp folder will match the one where the file had previously been located on your system; it won't be named exactly as above.)
O4 - HKCU\..\Run: [qectelup] C:\DOCUME~1\[username]\LOCALS~1\Temp\glqvcorac\poylsfolajb.exe
After cleaning these entries, the system was able to get online again. Note that there may be additional registry settings that should be reverted to their previous settings. This Anubis report and this ThreatExpert report show the following additional modifications to registry values:
HKCU\Software\Microsoft\Internet Explorer\Download CheckExeSignatures = noAccording to Trend Micro, it should be safe to delete the registry values highlighted in bold above (assuming you have a good understanding of how to properly edit the registry).
HKCU\Software\Microsoft\Internet Explorer\Download RunInvalidSignatures = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations LowRiskFileTypes = .exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments SaveZoneInformation = 1
Following are reports for malicious sites and IPs that have recently been hosting content related to this infection and its variants:
- WOT report for yourremue .com (which hosted the PDF exploit)
- WOT report for marezer .com (referenced in a malware object found in the cache [identified as HTML/FakeAlert.AT, JS/FakeAV.ZRT!tr, Trojan.HTML.Fraud!IK, Trojan.HTML.Fraud.di, Win32/Adware.SpywareProtect2009 application, etc.]; hosting a fraudulent payment page)
- WOT report for heneya8 .co.cc (hosting a Java exploit [identified as a variant of Java/TrojanDownloader.OpenStream.NAU, Exploit-ByteVerify, Exploit:Java/CVE-2010-0840.W, JAVA_LOADER.HLL, JAVA_LOADER.HLM, Java:Agent-BJ, Java.Downloader.150, Java.S.OpenConnection.3758, Java.Trojan-Downloader.OpenConnection!IK, Java.Trojan.Downloader.OpenConnection.AI, Java/Agent.CG, Java/Cve-2010-0840, Java/ObfusJava.G, JAVA/OpenConnect.CF, Java/Openconnection.9ADE!tr, Mal/JavaJar-A, Trojan-Downloader:Java/OpenConnection.AV, Trojan-Downloader.Java.OpenConnection.cf, Trojan.ByteVerify, Trojan.Java.Agent.dc (v), Trojan/Java.OpenConnection, , etc.] associated with the second variant I've encountered)
- WOT report for geniuscancer .com (hosted the same Java exploit as above; also associated with the second variant I encountered)
- WOT report for 64.111.211 .154 (see also Symantec's Norton Safe Web report)
- WOT report for 69.50.202 .18 (see also Malware Domain List's report)
- WOT report for mumeonline .com (affiliated with 69.50.202 .18 and utilizing the Phoenix Exploit Kit according to Malware Domain List)
- WOT report for yourbouge .com (affiliated with 69.50.202 .18 and utilizing the Phoenix Exploit Kit according to Malware Domain List)
- WOT report for softwarear .com (affiliated with a variant of this malware according to McAfee)
- WOT report for softwareea .com (affiliated with variants of this malware according to McAfee)
- WOT report for afantispy .com (affiliated with variants of this malware according to URLVoid and McAfee)
- WOT report for afantispy .net (affiliated with a variant of this malware according to McAfee)
The computer probably wouldn't have gotten infected in the first place if it had been running the latest version of Adobe Reader configured for better security, or an alternative PDF reader.
UPDATE, 10 Jan 2011 @ 11:26 PST: Added additional malware names and current detection rates.
UPDATE, 11 Jan 2011 @ 21:38 PST: Added additional malware names and domains related to a new variant.
For more from the JoshMeister on Security, please subscribe via e-mail or RSS, or follow me on Twitter.