Recently, when looking at a customer's log, I noticed the file
"c:\windows\system32\msconfg.exe" as a suspicious running
process. A file with the similar name msconfig.exe is a legitimate
Windows file which is installed with the operating system; it is
the Windows system configuration utility. The valid file normally
resides in the "c:\WINDOWS\PCHEALTH\HELPCTR\Binaries"
folder.

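The lookalike name and unexpected path are the two clues in this first observation. The following script is an added example, not code from the original journal or from Spyware Nuker: it checks a constructed process list for image names that are one edit away from a known Windows binary, and for known names running from a directory other than their expected one. The msconfig.exe location is the one given above; the other entries in KNOWN_BINARIES are assumptions added for illustration.

```python
# Flag running processes whose image name mimics a known Windows binary
# (one character off) or whose known name runs from the wrong directory.

# Expected directory for each known-good binary (lower-cased, Windows XP layout).
# msconfig.exe's path is from the journal; svchost.exe/explorer.exe are assumed.
KNOWN_BINARIES = {
    "msconfig.exe": r"c:\windows\pchealth\helpctr\binaries",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def edit_distance(a, b):
    """Levenshtein distance between two strings; 1 means 'one typo away'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_process(image_path):
    """Return (verdict, reference_name) for one process image path."""
    path = image_path.lower()
    directory, _, name = path.rpartition("\\")   # split on the Windows separator
    if name in KNOWN_BINARIES:
        if directory == KNOWN_BINARIES[name]:
            return ("ok", name)
        # Right name, wrong place: e.g. a copy of a system binary dropped in system32.
        return ("known-name-wrong-path", name)
    # Unknown name: does it closely resemble a legitimate binary name?
    for known in KNOWN_BINARIES:
        if edit_distance(name, known) <= 1:
            return ("lookalike", known)
    return ("unknown", name)


def scan_process_list(paths):
    """Classify every path and return only the entries worth a second look."""
    return {p: classify_process(p) for p in paths if classify_process(p)[0] != "ok"}


# Constructed sample process list (not taken from the customer's machine).
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\system32\msconfg.exe",
    r"C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\Program Files\Vendor\updater.exe",
]

if __name__ == "__main__":
    for path, (verdict, ref) in scan_process_list(SAMPLE_PROCESSES).items():
        print(f"{verdict:24} {path}  (cf. {ref})")
```

On the sample list this reports the system32 msconfg.exe as a lookalike of msconfig.exe and the vendor updater as merely unknown; the two genuine binaries are silent. The check is deliberately narrow (edit distance of one against a short allow-list) so that it stays quiet on ordinary third-party software.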
The customer had recently purchased Spyware Nuker because he had
come across a bundleware executable which had installed several
infections on his PC. Spyware Nuker had removed all of the known
spyware items, but this file had been left behind. The customer's
PC was not stable and his internet connection was running slower
than normal. I requested that the customer upload the file to our
research server so that I could analyze it and see if it was the
cause of his problems.

I put the file in the system32 folder of a clean test machine running
Windows XP. After running the file, nothing seemed to happen: there
were no obvious popup windows and no HTTP network activity. Unsolicited
HTTP network activity is a telltale sign of adware and spyware,
because those types of infections use HTTP connections to download
and display advertisements in a browser. This msconfg executable
appeared at first glance to do nothing. On closer inspection, I
saw that the file was running silently in the background, doing
two malicious things. It was systematically scanning all possible
local IP addresses for an open port 135, and it had also silently
established a connection to 65.96.11.164:5555 using local port 3020.

Port 135 (the epmap port) is used by Windows for distributed COM
(DCOM) services. A Windows machine may open this port and listen for
incoming messages from other 'client' PCs which want to access a DCOM
service. Several known viruses exploit this: there are vulnerabilities
which can be taken advantage of if certain DCOM services are running
on the machine. msconfg.exe scans for computers on the local
network. It started scanning at 192.168.*.* and continued through
all possible IP addresses looking for an open port 135. This generates
a lot of network traffic and would slow down the network connection.
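Both behaviours seen on the test machine leave a distinctive footprint in connection logs: one process touching many hosts on the same port in quick succession, and an established connection to an outside host on a port that ordinary desktop software does not use. The script below is an added example, not part of the original journal or of Spyware Nuker; it runs two such checks over constructed log lines in an assumed "time process dst_ip dst_port state" format. The thresholds and the list of common outbound ports are assumptions chosen for illustration.

```python
from collections import defaultdict
import ipaddress

SWEEP_THRESHOLD = 20        # distinct hosts on one port inside the window = a sweep
WINDOW_SECONDS = 60
# Ports a desktop client normally talks to; anything else to a public host gets flagged.
COMMON_OUTBOUND_PORTS = {80, 443, 53, 25, 110, 143}


def parse_line(line):
    """Parse 'HH:MM:SS process dst_ip dst_port state' into a record dict."""
    ts, proc, ip, port, state = line.split()
    h, m, s = (int(x) for x in ts.split(":"))
    return {"t": h * 3600 + m * 60 + s, "proc": proc, "ip": ip,
            "port": int(port), "state": state}


def detect_port_sweeps(records):
    """Return (process, port, host_count) for processes that contact
    SWEEP_THRESHOLD or more distinct hosts on one port within WINDOW_SECONDS."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["proc"], r["port"])].append((r["t"], r["ip"]))
    alerts = []
    for (proc, port), events in by_key.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            # Slide the window start forward until it spans at most WINDOW_SECONDS.
            while events[hi][0] - events[lo][0] > WINDOW_SECONDS:
                lo += 1
            hosts = {ip for _, ip in events[lo:hi + 1]}
            if len(hosts) >= SWEEP_THRESHOLD:
                alerts.append((proc, port, len(hosts)))
                break           # one alert per (process, port) is enough
    return alerts


def detect_unusual_outbound(records):
    """Return (process, ip, port) for established connections to public hosts
    on ports outside COMMON_OUTBOUND_PORTS."""
    return [(r["proc"], r["ip"], r["port"]) for r in records
            if r["state"] == "ESTABLISHED"
            and not ipaddress.ip_address(r["ip"]).is_private
            and r["port"] not in COMMON_OUTBOUND_PORTS]


def analyze(lines):
    records = [parse_line(l) for l in lines if l.strip()]
    return {"sweeps": detect_port_sweeps(records),
            "unusual_outbound": detect_unusual_outbound(records)}


def build_sample_log():
    """Constructed log: a 30-host sweep on port 135, the 5555 connection
    from the journal, and an ordinary browser connection for contrast."""
    lines = [f"10:00:{i:02d} msconfg.exe 192.168.0.{i} 135 SYN" for i in range(1, 31)]
    lines.append("10:00:05 msconfg.exe 65.96.11.164 5555 ESTABLISHED")
    lines.append("10:00:07 iexplore.exe 203.0.113.10 80 ESTABLISHED")
    return lines


if __name__ == "__main__":
    for kind, alerts in analyze(build_sample_log()).items():
        for a in alerts:
            print(f"{kind}: {a}")
```

The sweep detector fires as soon as the twentieth distinct host is seen, so the reported count is the threshold rather than the full sweep size; the browser connection on port 80 is ignored by the second check, while the established connection to 65.96.11.164:5555 is reported.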

The second thing that the infection was doing was related to the
connection to 65.96.11.164:5555. Running a packet sniffer on my
test machine, and setting a filter to view all packets sent to and
received from that IP address, I was able to figure out what was
going on. I navigated to several web sites, and noticed that the
URLs were being sent to the connection at 65.96.11.164. This is
a normal symptom of a spyware program, but what I noticed a little
bit later, as I began to type this journal, was that every word
I typed was being sent to 65.96.11.164. Msconfg.exe was logging all
my keystrokes and sending them to its server, most likely in hopes
of obtaining usernames and corresponding passwords or other
private information.

It was easy to see that this was a malicious program and that
it needed to be removed. I logged all my findings and created an
entry in the Spyware Nuker database to remove this item.