HUNTER'S LOG
 
Hunter's Word

The Internet is filled with amazing amounts of information. There is so much to be explored and so much to learn. It would seem that this information is freely available to anyone: an informational Garden of Eden.
This is not entirely the case. In this garden there are snakes at almost every click of the mouse, waiting to strike. There is always a new breed, one we did not recognize yesterday, disguised as something friendly or necessary. Spyware and adware have moved out of the shadows of software piracy and pornographic websites. I have infected computers by installing screensavers or games, listening to music, or even just browsing for information. It is not safe out there unless someone is constantly keeping up with the newest infections and the latest variants of known malicious software. We are doing just that, to make sure our software is up to the task of removing the latest infections.
A Hunter's work is never done.


Archive

- 20060421 - Keyloggers
- 20060417 - VXGame
- 20060330 - Winsupdater
- 20060311 - Mailspam
- 20060228 - Hijackers
- 20060212 - Disabler
- 20060114 - INET
- 20060104 - Raze
- 20051219 - SpyAxe
- 20051205 - MsConfg
- 20051116 - NNNL
- 20051109 - KickOff



Hunter's Log: 20060212 090934

 

In general, spyware and malware programs try to hide their executable files. They try to stay out of the user's attention so that the user will not become suspicious and remove the files. Some programs use Windows file names to trick the user into thinking that the malicious file is part of Windows. Others use a rootkit to hide their files; a rootkit can make files invisible in Windows even when the system is set up to show hidden files.

The Malware.Disabler program I recently discovered uses a completely different approach. Its file name is not a known Windows or common program file name, and it makes no attempt to make itself invisible. Instead, it completely disables the Windows Task Manager. With Task Manager disabled, a user is unable to see what suspicious processes may be running on the system. Windows also has some built-in command prompt tools and utilities for diagnostic purposes. Once I discovered that Task Manager could not be opened, I tried to open the command prompt. The malicious program had disabled that as well.

The program's executable runs in the background. It watches for utilities that may be used to disable it or discover its location, and as soon as one is launched it kills the process to terminate the utility. The Registry Editor was disabled in the same way.

With these three important utilities disabled it is very difficult to do any kind of diagnosis on the system. I was unable to run the command prompt netstat utility to see whether any unsolicited network connections had been made. There are many third-party network sniffer programs available for this, so I installed a packet sniffer on the infected system. To my dismay, as soon as I launched it, it was terminated by the malicious process running on the system. All other normal applications were able to launch; the malicious program was only blocking known software that might be used to detect or halt its activities. This happened with several different network monitoring programs I tried. The solution was to use a more obscure program, which was able to run without being detected. A watchdog of this kind typically recognizes its targets by process image name, so a renamed copy of a familiar tool will often run as well.

With a network monitoring program running I was able to see that the malware program was continuously making connections to its server at the following IP address: 70.145.168.224.

(screenshot: netstat)

I also noticed that it was making repeated connections to another PC on the local network. Using the network monitor I found out which process was making these connections. Once I found the file and removed it, I was able to restart Windows without it launching again, and the Windows utilities were available once more. The malware program had written the same value to quite a few different registry keys. Only the Run and RunServices entries are genuine autostart locations (and RunServices is honoured only by Windows 9x/Me); the copies under the Ole and Lsa keys are not read by Windows as startup entries, but they are equally useful as indicators of infection.

[HKLM\SOFTWARE\Microsoft\Ole]
"Windows codex Services"="Mspp.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows codex Services"="Mspp.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Windows codex Services"="Mspp.exe"

[HKLM\SYSTEM\ControlSet001\Control\Lsa]
"Windows codex Services"="Mspp.exe"

[HKLM\SYSTEM\CurrentControlSet\Control\Lsa]
"Windows codex Services"="Mspp.exe"

[HKU\*\Software\Microsoft\OLE]
"Windows codex Services"="Mspp.exe"

[HKU\*\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows codex Services"="Mspp.exe"

[HKU\*\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Windows codex Services"="Mspp.exe"

[HKU\*\SYSTEM\CurrentControlSet\Control\Lsa]
"Windows codex Services"="Mspp.exe"

All of these, plus a file signature, were added to Spyware Nuker to ensure the removal of this malicious program.
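The manual triage described above (find the process behind the outbound connections, then clear every copy of the startup value) can be scripted on a current Windows host. The following is an added example and is not TrekBlue's or Spyware Nuker's code. It assumes the value name and image name from the listing are exact, that the script runs from an elevated PowerShell 5.1 or later prompt, and that Get-NetTCPConnection (Windows 8 / Server 2012 and later) is available; the remote address is the one reported in this entry. Removal is opt-in via -Remove so that the file can be collected first.

```powershell
# Added example, not TrekBlue's or Spyware Nuker's code: manual triage of the
# indicators in this log entry on a modern Windows host (elevated PowerShell).
# Assumptions not stated on the page: exact value/image names, and that
# Get-NetTCPConnection (Windows 8 / Server 2012 and later) is available.
param(
    [string]$ValueName     = 'Windows codex Services',
    [string]$ImageName     = 'Mspp.exe',
    [string]$RemoteAddress = '70.145.168.224',
    [switch]$Remove
)

# 1. Which local process owns connections to the server seen in the log?
function Find-ConnectedProcess {
    param([string]$Address)
    Get-NetTCPConnection -RemoteAddress $Address -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Pid   = $_.OwningProcess
                Name  = $proc.ProcessName
                Path  = $proc.Path
                State = $_.State
            }
        } | Sort-Object Pid -Unique
}

# 2. Which of the keys listed in the entry carry the value?
function Find-PersistenceValue {
    param([string]$Name)
    $machineKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Ole',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
        'HKLM:\SYSTEM\ControlSet001\Control\Lsa',
        'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    )
    # HKU\* in the entry means every user hive; expand over the hives loaded now.
    $userSubKeys = @(
        'Software\Microsoft\OLE',
        'Software\Microsoft\Windows\CurrentVersion\Run',
        'Software\Microsoft\Windows\CurrentVersion\RunServices',
        'SYSTEM\CurrentControlSet\Control\Lsa'
    )
    $userKeys = foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS') {
        foreach ($sub in $userSubKeys) { "Registry::$($hive.Name)\$sub" }
    }
    foreach ($key in $machineKeys + $userKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        $prop  = if ($props) { $props.PSObject.Properties[$Name] }
        if ($prop) {
            [pscustomobject]@{ Key = $key; Value = $Name; Data = $prop.Value }
        }
    }
}

$conns = Find-ConnectedProcess -Address $RemoteAddress
if ($conns) {
    Write-Host "Processes connected to ${RemoteAddress}:"
    $conns | Format-Table -AutoSize | Out-Host
} else {
    Write-Host "No live connection to $RemoteAddress right now."
}

$hits = @(Find-PersistenceValue -Name $ValueName)
if (-not $hits) { Write-Host "No '$ValueName' value in the audited keys."; return }
Write-Host "Registry values referencing the loader:"
$hits | Format-Table -AutoSize | Out-Host

# The data is a bare file name, so it is located through the search path;
# report where it resolves so the file itself can be collected and deleted.
$image = Get-Command -Name $ImageName -CommandType Application -ErrorAction SilentlyContinue
if ($image) { Write-Host "Image resolves to: $($image.Source)" }
else        { Write-Host "Image '$ImageName' not on PATH; check %WINDIR% and %WINDIR%\System32." }

# Removal is opt-in: collect the file first, then clear every copy of the value.
if ($Remove) {
    foreach ($h in $hits) {
        Remove-ItemProperty -LiteralPath $h.Key -Name $h.Value -Verbose
    }
}
```

Run it once without -Remove to record the owning process and the image path, terminate that process, delete the file, and then run it again with -Remove so the value cannot relaunch a stray copy on the next boot. If a watchdog of the kind described here also terminates the shell, run the script from a renamed copy of powershell.exe or from an offline recovery environment, where the registry hives must be loaded manually.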



End of Entry
© 2002-2007 TrekBlue, Inc.