
Author Topic: Vista Virus  (Read 2561 times)


Offline couttsj

  • Hero Member
  • *****
  • Posts: 528
Vista Virus
« on: September 14, 2009, 07:58:09 PM »
I have been offline all day struggling with a virus. I can no longer say that I have never been infected with a virus (first one in over 15 years). I haven't figured out exactly what happened, but I thought I should pass on what I learned today.

The virus consists of 2 parts, the backdoor trojan and the actual virus that it downloads a few minutes later (AVR09.exe short for Advanced Virus Removal). The backdoor appears to be targeted to Vista/Win7 (may also work in XP), but uses a technique that I have not seen before. I haven't quite figured out how it got there in the first place, but it installed a file called "winupdate.exe" in the %system% directory and set it to run on startup. It then installed a file called "winhelper.dll", and set it up as an LSP (Layered Socket Provider). It then restarted the machine, so that when I came back from breakfast, the very first Web page that I attempted to access brought up an HTML message that it had also loaded:
---------------------------------------------------
YOUR SYSTEM IS INFECTED!

System has been stopped due to a serious malfunction.
Spyware activity has been detected.

It is recommeded to use spyware removal tool to prevent data loss.
Do not use the computer before all spyware removed.
----------------------------------------------------
I could not access the Task Manager, the Command Prompt, the Registry Editor, and numerous other things. I immediately unplugged from the network and restarted in Safe Mode. Using Ransack to search for all recently modified files, I moved them all to a safe location. I had difficulty with the "winhelper.dll" file, as it would not allow me access. So I simply renamed it for the time being.

That was the easy part. When I attempted to reboot in normal mode, I got a message that an unauthorized change had been made to the system and I was no longer a registered user. Every time I would log in, it would advise me to register with Microsoft. I could not access the Internet, so I had to do it manually by phone. I could then log in, but there were numerous errors in the event file, I could still not access the Task Manager, and both the BITS service and the print spooler service would start and then stop. The Task Manager problem took a visit to the registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System to set the DisableTaskMgr key to zero.

I could access my local network with NetBIOS, I could ping any responding site on the Internet, but I could not establish a socket connection. It seemed like the winsock was not working properly. The event files were no help at all, and a system repair did not work. Fixing this problem took a fair bit of research. In the end I used the "netsh winsock show catalog" command to discover that the "winhelper.dll" file was being called upon as an LSP. Winsock would not function because it could not find the "winhelper.dll" that I had renamed. That same command had a reset function, but using that would delete all the other LSPs. It was with a leap of faith that eventually I reset it and hoped the system would rebuild it. It did! And lo and behold, everything else started to work.

I will provide further information on the virus once I figure it out. It looks like a combination of new and old technology.

J.A. Coutts
« Last Edit: September 14, 2009, 08:09:25 PM by couttsj »
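As an added example (not the poster's code), here is a small Python audit of saved `netsh winsock show catalog` output that flags provider DLLs outside Windows' own set and any entry whose DLL is no longer on disk, which is exactly the state that broke Winsock above after winhelper.dll was renamed. The sample catalog text is constructed in the shape of netsh output, and the allowlist of Microsoft provider DLLs is an assumption to extend for legitimate third-party providers.

```python
import re

# Windows' own Winsock provider DLLs (assumption: extend for legitimate
# third-party providers you actually run, e.g. VPN or AV products).
KNOWN_PROVIDERS = {"mswsock.dll", "winrnr.dll", "napinsp.dll",
                   "pnrpnsp.dll", "nlaapi.dll", "wshbth.dll"}

# Constructed sample in the shape of `netsh winsock show catalog` output:
# one Microsoft base provider plus the LSP described in this thread.
SAMPLE_CATALOG = """\
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\\system32\\mswsock.dll
Catalog Entry ID:                   1001

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        LSP VSockets Library
Provider Path:                      %SystemRoot%\\system32\\winhelper.dll
Catalog Entry ID:                   1021
Protocol Chain:                     1021 : 1001
"""

def parse_catalog(text):
    """Split netsh output into one {field: value} dict per catalog entry."""
    entries = []
    for block in re.split(r"(?m)^Winsock Catalog Provider Entry\s*$", text):
        fields = dict(re.findall(r"(?m)^([A-Za-z ]+?):\s+(\S.*?)\s*$", block))
        if "Catalog Entry ID" in fields:
            entries.append(fields)
    return entries

def audit_catalog(text, present_dlls):
    """Return findings: non-Microsoft providers, DLLs missing from disk, broken chains."""
    entries = parse_catalog(text)
    ids = {e["Catalog Entry ID"] for e in entries}
    findings = []
    for e in entries:
        eid = e["Catalog Entry ID"]
        dll = e["Provider Path"].rsplit("\\", 1)[-1].lower()
        if dll not in KNOWN_PROVIDERS:
            findings.append(f"{eid}: unknown {e['Entry Type']} "
                            f"'{e['Description']}' -> {dll}")
        if dll not in present_dlls:
            findings.append(f"{eid}: {dll} not on disk; Winsock will fail "
                            f"until 'netsh winsock reset' rebuilds the catalog")
        # A layered entry's chain must only reference catalog IDs that exist.
        for link in e.get("Protocol Chain", "").split(":"):
            if link.strip() and link.strip() not in ids:
                findings.append(f"{eid}: chain references missing entry {link.strip()}")
    return findings
```

Save real output with `netsh winsock show catalog > catalog.txt` and pass its text plus the set of DLL base names actually present in %SystemRoot%\system32 to `audit_catalog`.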

Offline Black Viper

  • Administrator
  • ******
  • Posts: 2260
  • "Have you tweaked your OS lately?"
    • Black Viper's Web Site
Re: Vista Virus
« Reply #1 on: September 15, 2009, 02:26:45 AM »
Great writeup. I also have not been infected, however, I take a lot of precautions... but it only is a matter of time I suppose.
Good luck and look forward to further information.

Offline richnrockville

  • Full Member
  • ***
  • Posts: 117
  • Just an Retired Navy OF
Re: Vista Virus
« Reply #2 on: September 15, 2009, 03:00:43 AM »
Sorry to hear of your virus/trojan.
That's even more justification to create images of your drive on a regular basis.
I do this almost every day as the process does its thing while I take a shower in the morning.

I have never had a virus but with my tinkering, I sometimes get in trouble and have to restore the image.
rich
Acronis works as well as others.

Offline VampireMuffinMan

  • Full Member
  • ***
  • Posts: 152
    • My myspace
Re: Vista Virus
« Reply #3 on: September 15, 2009, 05:44:07 AM »
Quote from: richnrockville on September 15, 2009, 03:00:43 AM
Sorry to hear of your virus/trojan.
That's even more justification to create images of your drive on a regular basis.
I do this almost every day as the process does its thing while I take a shower in the morning.

I have never had a virus but with my tinkering, I sometimes get in trouble and have to restore the image.
rich
Acronis works as well as others.

I'm not really on a daily schedule, but I use Macrium Reflect. Saved my butt when I fried my hard drives...and when I tried another registry cleaner in W7 RC x64 which killed my wireless, yet again. One of these days I'm going to find the solution to getting it back, but for now, I'm off of registry cleaners for good. I have a backup image of that particular mess just waiting for a time when I'm bored.

Offline IH8U

  • Hero Member
  • *****
  • Posts: 783
Re: Vista Virus
« Reply #4 on: September 15, 2009, 06:26:09 AM »
Malwarebytes should take care of that. Give the VipreRescue scanner a run with the /deep command <-- add the switch to quickscan.bat.

Offline couttsj

  • Hero Member
  • *****
  • Posts: 528
Re: Vista Virus
« Reply #5 on: September 15, 2009, 07:45:55 PM »
As promised, more on the virus. It appears that the virus was able to invade my computer via a Java Script that originated from a server in the Netherlands. One of the Web sites that I visited was probably hacked, and the script added to the page. I did a lot of searching that particular day, visited many sites, and I do not retain the Firefox history for performance reasons. MalwareDomainList lists that server as home to the LuckySploit trojan. However, the description of the trojan does not match. I suspect that LuckySploit refers to the Java Scripts themselves. However, the trojan dropper (winupdate.exe) and the trojan itself (AVR09.exe) come from the same server.

I found a description that matches the infection method at McAfee called FakeAlert discovered 09/08/2009. However, the file size doesn't match any of the downloaded files. Some of the other AV programs identify it as:
AVG (GriSoft)   FakeAlert.KO (Trojan horse)
Avira           TR/Crypt.ZPACK.Gen
Dr.Web          Trojan.Fakealert.4362
FortiNet        W32/Agent.ATMG!tr
Kaspersky       Trojan-Dropper.Win32.Agent.atmg
Microsoft       VirTool:Win32/Obfuscator.FR
Panda           Trj/CI.A
Rising          Trojan.Win32.FakeAV.nz
Sophos          Mal/FakeAV-AX
Symantec        Packed.Generic.233
VBA32           Malware-Cryptor.Win32.Argin

The script downloads a 24KB file to the temp directory and copies it as "winupdate.exe" to the %SYSTEM% directory. It adds a registry entry to cause it to start from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. It did not appear to register the file.

The script then downloads a 21KB file to the temp directory and copies it as "winhelper.dll" to the %SYSTEM% directory. This file is registered as "Microsoft-Windows-Winsock-WS2HELP" and installed in the LSP catalog as "LSP VSockets Library". It then issues a PopUp "WARNING : Application cannot be executed. The file is infected. Please activate your antivirus software." and initiates a restart to activate the new LSP catalog. For whatever reason, the process "ntvdm.exe" was hung and had to be terminated.

After restart, the trojan is in control of all TCP communications. It makes a number of other registry changes and creates 2 new key files in the %SYSTEM% directory (I have no idea what these are for) and an HTML file called "critical_warning.html". It then uses Internet Explorer to download a file called "SetupAdvancedVirusRemover[1].exe", which copies itself into the %SYSTEM% directory as "AVR09.exe". This file must not have installed properly because it produces a PopUp "AVR09.exe - Entry Point Not Found : The procedure entry point RtlFindRange could not be located in the dynamic link library NTDLL.DLL.".

J.A. Coutts

Offline couttsj

  • Hero Member
  • *****
  • Posts: 528
Re: Vista Virus
« Reply #6 on: September 16, 2009, 09:16:19 AM »
As a side note, the winsock stopped working again when I deregistered the DLL file. It is easy to identify the problem by simply executing the "netstat -an" command. The listening connections will all be listed, but there will be no IP addresses or port numbers. The "netsh winsock reset" command can be used to clear the catalog list, and it will be rebuilt on a restart.

J.A. Coutts

Offline couttsj

  • Hero Member
  • *****
  • Posts: 528
Re: Vista Virus
« Reply #7 on: September 18, 2009, 08:40:33 AM »
The reason I don't like using Internet Explorer is because ActiveX can load programs in the background without the user's knowledge or consent. Mozilla Firebird does not support ActiveX, and I was always under the impression that Java Script could not be used to load programs without the consent of the user. Upon further investigation, it was not a Java Script that was used to load the backdoor trojan, but rather a Java Applet. The Firebird database webappsstore.sqlite logs each Java applet, and that shows only one Applet ever loaded and where it was loaded from (webinwild.co.uk). The "java_install_reg.log" shows the Java engine starting, and the engine created a history log (.hst) in its cache showing where the applet downloaded from. I located the downloaded file in my temp directory (jar_cache60892.tmp), and then uncompressed and disassembled it. I am not a Java programmer, but it looks like it just reads a stream and saves it.

At this point it gets a little hazy. The time stamp on the directory "C:\Program Files\Adobe\Reader 8.0\Resource\Linguistics\Providers" shows a change being made in that directory but no files remained, and a little later an auto update occurred for Adobe. Adobe updates are a scheduled event, and whether this update was involved or whether it was just coincidence could not be determined.

I do not remember ever enabling Java in Firebird, and since it was only ever used once, I obviously didn't need it and turned it off. That leaves me with a nagging question. Are Java Scripts safe to use in Mozilla Firebird? They are fairly commonly used, and disabling them would be a real pain.

As a side note, most AV software was able to detect and stop the AVR09.exe file from loading, but not necessarily the backdoor trojan itself. Even after disinfecting their computer, many users still complained that their Web Browser was going places that they did not select due to the DLL file still being active.

J.A. Coutts

Offline Black Viper

  • Administrator
  • ******
  • Posts: 2260
  • "Have you tweaked your OS lately?"
    • Black Viper's Web Site
Re: Vista Virus
« Reply #8 on: September 18, 2009, 10:31:10 AM »
I have always considered Javascript "mostly" safe. Java, well... no. That is one of the first things that I ensure is unchecked on new Firefox installs. From what I recall, Java is actually enabled by default (but it has been a while since installing Firefox anew) and I know it is enabled by default on Opera (I just looked and unchecked it). The option is located in:
Tools > Options > Content tab > uncheck "Java" in Firefox
or
Tools > Preferences > Advanced tab > Content section > uncheck "Enable Java" in Opera

I have never encountered a time when a Java VM was needed, however, I am not the average browser on the internet, either. It just reminds me of the "good ol' days" of crap like the "comet cursor" (even though that was actually ActiveX) and stuff like that. Java has always been, in my brain, the ActiveX control for all computers and, as such, I just make it go away.

I also use NoScript and accept JS from only those sites that I choose to allow. Can be a pain at first and oftentimes I will wander to a "new" site and not be allowed to do or use particular functions and wonder "why?" Then I allow JS on that domain and all is good.
Kinda also like the times when an option did not exist to disallow third-party cookies. It was amazing how many cookies would try to be written on some web sites, from many different places, and I had to manually disallow (due to a popup each time) cookies that I felt were not needed. After a while, I just turned off the feature of "ask me each time" because it plain became annoying. Thankfully, accepting third-party cookies is an option in Firefox and Opera now.

Offline couttsj

  • Hero Member
  • *****
  • Posts: 528
Re: Vista Virus
« Reply #9 on: September 22, 2009, 06:56:16 PM »
Quote from: Black Viper on September 18, 2009, 10:31:10 AM
I have always considered Javascript "mostly" safe. Java, well... no. That is one of the first things that I ensure is unchecked on new Firefox installs. From what I recall, Java is actually enabled by default (but it has been a while since installing Firefox anew) and I know it is enabled by default on Opera (I just looked and unchecked it).
According to Mozilla, both Java and Javascripts are enabled by default, but the Java VM is not installed. The first time Java is called upon, you are prompted to install.

They also state that both Java and Javascripts are safe to use because they don't allow direct access to the hard disk. I know now that is a bunch of bull, and I have taken your advice and installed the NoScript add-on. Your forum site shows Scripts blocked, but I don't notice anything out of the ordinary.

J.A. Coutts

Offline Black Viper

  • Administrator
  • ******
  • Posts: 2260
  • "Have you tweaked your OS lately?"
    • Black Viper's Web Site
Re: Vista Virus
« Reply #10 on: September 22, 2009, 08:54:10 PM »
Quote from: couttsj on September 22, 2009, 06:56:16 PM
Your forum site shows Scripts blocked, but I don't notice anything out of the ordinary.
Mostly, JavaScript on the forums is to remember user preferences, but all should function if disabled as far as I am aware.

Offline couttsj

  • Hero Member
  • *****
  • Posts: 528
Re: Vista Virus
« Reply #11 on: September 30, 2009, 07:13:12 PM »
Thank you BV for the NoScript suggestion. It is the greatest thing since sliced bread, as it has removed numerous annoyances that come with some Web pages. And it is so easy to allow scripts for the current page should the need arise.

J.A. Coutts

Offline Black Viper

  • Administrator
  • ******
  • Posts: 2260
  • "Have you tweaked your OS lately?"
    • Black Viper's Web Site
Re: Vista Virus
« Reply #12 on: October 01, 2009, 02:20:42 AM »
Quote from: couttsj on September 30, 2009, 07:13:12 PM
Thank you BV for the NoScript suggestion. It is the greatest thing since sliced bread, as it has removed numerous annoyances that come with some Web pages. And it is so easy to allow scripts for the current page should the need arise.
No problem.

BV EDIT: It should be worth noting that I used to do it the old way with host files and many domains that I did not like being resolved to 127.0.0.2 (not a typo... will elaborate if you want), but that became a big hassle after a while (and probably started the downhill slide of me going to read every slashdot article posted... more fun reading the comments and DNR the article, anyway. :P

I think I may do the same thing again, due to Firefox not performing like I think it should. Since tabbed browsing is everywhere now, and "speedier/less bloated" browsers have come on the scene, the only thing keeping Firefox installed right now is NoScript. Not sure if that is a good thing or bad lol :)
« Last Edit: October 01, 2009, 10:43:38 AM by Black Viper »

Offline tonster

  • Hero Member
  • *****
  • Posts: 402
  • Dietary Supplements Optional
    • My SOF2 Clan
Re: Vista Virus
« Reply #13 on: October 01, 2009, 10:36:04 AM »
My wife's laptop got infected as well.  Installed Avast free edition and got it back up and running.  This is her first virus as well.  She got a link from a friend on facebook and that sent her to a hacked site.  At any rate, fixed now :) 

I wish people would spend their time doing other things.  Why create viruses?  Oh well, at least I know how to fix it.  My wife's friend has to wait a MONTH for her computer guy to fix her laptop :) 

I guess in the end it makes me look like a superhero, even though I didn't have to do much.  That's always a good thing.  I receive win!  :)

Offline couttsj

  • Hero Member
  • *****
  • Posts: 528
Re: Vista Virus
« Reply #14 on: October 01, 2009, 01:34:41 PM »
Quote from: tonster on October 01, 2009, 10:36:04 AM
I wish people would spend their time doing other things. Why create viruses?
It is usually driven by the quest for money. In this case, it was an attempt to get you to purchase and install Anti-Virus Remover software (which of course only installs more malware). Whether that works or not doesn't matter, as they have installed a backdoor and can now use your machine for whatever they want to.