In general, spyware and malware programs try to hide their executable
files. They try to escape the user’s attention so that
the user will not become suspicious and remove the files. Some programs
use Windows file names to trick the user into thinking that the
malicious file is part of Windows. Other malicious programs may
use a rootkit to hide their files. Rootkits make files invisible
in Windows even if the system is set up to view hidden files.
The Malware.Disabler program I recently discovered uses a completely
different approach. Its file name is not a known Windows
or common program file name, and it makes no attempt to make itself
invisible. Instead, it completely disables the Windows Task Manager.
With the Task Manager disabled, a user would be unable to see what
suspicious processes may be running on the system. Windows also
has some built-in command prompt tools and utilities for diagnostic
purposes. Once I discovered that the Task Manager could not be opened,
I tried to open the command prompt. This malicious program had also
disabled the command prompt.
The program’s executable runs in the background. It watches
for utilities that may be used to disable it or discover its location,
and as soon as they are launched it kills their processes to terminate
the utility. The Registry Editor was also disabled in the same way.
With these three important utilities disabled it is very difficult
to do any kind of diagnosis on the system. I was unable to run the
command prompt netstat utility to see if any unsolicited network
connections had been made. There are many different third-party
network sniffer programs available for this. I installed a packet
sniffer on the infected system. To my dismay, as soon as I launched
the program, it was terminated by the malicious process running
on the system. All other normal applications were able to launch.
The malicious program was just blocking any known software that
might be used to detect or halt its activities. This happened with
several different network monitoring programs I tried. The solution
was to use a more obscure program. The more obscure network monitor
was able to run without being detected.
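The diagnostic step the post describes next (using a network monitor to find which process is making the outbound connections) can also be done with the Windows networking cmdlets, provided they are not among the tools the malware kills. The script below is an added example, not code from the original post or from Spyware Nuker. It assumes Windows PowerShell 5.1 or later with the NetTCPIP module (Get-NetTCPConnection) and an elevated prompt so that process image paths are readable; the C2 address is the one named in the post, while the LAN prefix 192.168.1. is an assumption used only to flag connections to other local PCs.

```powershell
# Added example, not code from the original post: map live TCP connections
# to their owning process and on-disk image, and keep sampling for a while
# so that short-lived, repeated connections (like the beaconing described
# in the post) are caught. Assumes Windows PowerShell 5.1+ with the
# NetTCPIP module; run from an elevated prompt so process paths are readable.

# Indicator taken from the post; the LAN prefix is an assumption for this example.
$SuspectRemote = @('70.145.168.224')
$LocalPrefix   = '192.168.1.'

function Get-ConnectionOwner {
    # One snapshot: every established or half-open connection with its process.
    Get-NetTCPConnection -State Established, SynSent -ErrorAction SilentlyContinue |
        ForEach-Object {
            $conn   = $_
            $proc   = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
            $remote = $conn.RemoteAddress
            $flag = if ($SuspectRemote -contains $remote) { 'known-c2' }
                    elseif ($remote.StartsWith($LocalPrefix)) { 'lateral' }
                    else { 'ok' }
            [pscustomobject]@{
                Flag    = $flag
                PID     = $conn.OwningProcess
                Process = if ($proc) { $proc.ProcessName } else { '<exited>' }
                Path    = if ($proc) { $proc.Path } else { $null }
                Remote  = "$($remote):$($conn.RemotePort)"
                State   = $conn.State
            }
        }
}

function Watch-Connections {
    # Poll repeatedly and de-duplicate on (PID, remote endpoint): a single
    # snapshot misses connections that open and close between two runs.
    param([int]$Seconds = 30, [int]$IntervalMs = 500)
    $seen     = @{}
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        foreach ($c in Get-ConnectionOwner) {
            $key = "$($c.PID)|$($c.Remote)"
            if (-not $seen.ContainsKey($key)) { $seen[$key] = $c }
        }
        Start-Sleep -Milliseconds $IntervalMs
    }
    $seen.Values | Sort-Object Flag, PID
}

# Usage: flagged rows sort first. The Path column is the file to remove from
# disk and from the autostart keys once the process is confirmed malicious.
Watch-Connections -Seconds 30 | Format-Table -AutoSize
```

The 'lateral' flag only says that a process is talking to another machine on the assumed local prefix; ordinary SMB or RDP sessions will show up there too, so it is a prompt to inspect the Path column, not a verdict. If the malware also terminates powershell.exe, as it did with the author's packet sniffers, the same logic works from a renamed copy of the host or from an offline boot environment.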
With a network monitoring program running I was able to see that
the malware program was continuously making connections to its
server at the following IP address: 70.145.168.224.
I also noticed that it was making repeated connections to another
PC on the local network. Using the network monitor I found out which
process was making these connections. Once I found the file and
removed it, I was able to restart Windows without it launching again.
The Windows utilities were now available again. The malware program
had used quite a few different registry keys to ensure that it would
run again at startup:
[HKLM\SOFTWARE\Microsoft\Ole]
"Windows codex Services"="Mspp.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows codex Services"="Mspp.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows codex Services"="Mspp.exe"
[HKLM\SYSTEM\ControlSet001\Control\Lsa]
"Windows codex Services"="Mspp.exe"
[HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
"Windows codex Services"="Mspp.exe"
[HKU\*\Software\Microsoft\OLE]
"Windows codex Services"="Mspp.exe"
[HKU\*\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows codex Services"="Mspp.exe"
[HKU\*\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Windows codex Services"="Mspp.exe"
[HKU\*\SYSTEM\CurrentControlSet\Control\Lsa]
"Windows codex Services"="Mspp.exe"
All of these plus a file signature were added to Spyware Nuker
to ensure the removal of this malicious program.
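The registry locations above are the persistence indicators a defender would want to audit on other machines, including the second PC the malware was contacting. The script below is an added example, not code from the original post or from Spyware Nuker: it expands the HKU\* entries over every loaded user hive, lists every value in the keys the post names, and marks the ones matching the value name and file name the post gives. It assumes an elevated Windows PowerShell 5.1 or later session; hives of users who are not logged on are not loaded and so are not covered.

```powershell
# Added example, not code from the original post: audit the autostart and
# Lsa keys the post lists for the "Windows codex Services" / Mspp.exe
# persistence entries, and optionally remove them. Run elevated.

$ValueName = 'Windows codex Services'   # value name from the post
$ImageName = 'Mspp.exe'                 # file name from the post

# Machine-wide keys exactly as listed in the post.
$MachinePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Ole',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SYSTEM\ControlSet001\Control\Lsa',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
)
# Per-user subkeys; the post writes these as HKU\*\... and we expand the *.
$UserSubPaths = @(
    'Software\Microsoft\OLE',
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunServices',
    'SYSTEM\CurrentControlSet\Control\Lsa'
)

function Get-AuditPaths {
    $MachinePaths
    foreach ($hive in Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue) {
        foreach ($sub in $UserSubPaths) { "Registry::$($hive.Name)\$sub" }
    }
}

function Find-PersistenceEntries {
    # Emit one row per value in each audited key; Match is true when either
    # the value name or its data matches the indicators from the post.
    foreach ($path in Get-AuditPaths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        foreach ($name in $key.GetValueNames()) {
            $data  = [string]$key.GetValue($name)   # REG_MULTI_SZ is joined with spaces
            $match = ($name -eq $ValueName) -or ($data -match [regex]::Escape($ImageName))
            [pscustomobject]@{
                Key   = $path
                Name  = if ($name -eq '') { '(Default)' } else { $name }
                Data  = $data
                Match = $match
            }
        }
    }
}

function Remove-PersistenceEntries {
    # Deletes only the matching values; supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($e in Find-PersistenceEntries | Where-Object Match) {
        if ($PSCmdlet.ShouldProcess("$($e.Key) : $($e.Name)", 'Remove registry value')) {
            Remove-ItemProperty -LiteralPath $e.Key -Name $e.Name
        }
    }
}

# Usage: review first, then remove. Drop "| Where-Object Match" to see every
# autostart value, since a variant may use a different name than the post's.
Find-PersistenceEntries | Where-Object Match | Format-Table -AutoSize
Remove-PersistenceEntries -WhatIf
```

The Lsa keys hold many legitimate values (authentication and notification package lists among them), which is why the script filters on the post's indicators rather than deleting anything unexpected; remove the on-disk Mspp.exe and confirm the process is gone before cleaning the keys, or the running process can simply write them back.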