HUNTER'S LOG
Hunter's Word

The Internet is filled with amazing amounts of information. There is so much to be explored and so much to learn. It would seem that this information is freely available to anyone: an informational Garden of Eden.
This is not entirely the case. In this garden there are snakes at almost every click of the mouse, waiting to strike. There is always a new breed, one we did not recognize yesterday, disguised as something friendly or necessary. Spyware and adware have moved out of the shadows of software piracy and pornographic websites. I've infected computers by installing screensavers or games, listening to music, or even just browsing for information. It is not safe out there unless someone is constantly keeping up with the newest infections and the latest variants of known malicious software. We are doing just that, to make sure our software is up to the task of removing the latest infections.
A Hunter's work is never done.


Archive

- 20060421 - Keyloggers
- 20060417 - VXGame
- 20060330 - Winsupdater
- 20060311 - Mailspam
- 20060228 - Hijackers
- 20060212 - Disabler
- 20060114 - INET
- 20060104 - Raze
- 20051219 - SpyAxe
- 20051205 - MsConfg
- 20051116 - NNNL
- 20051109 - KickOff

Hunter's Log: 20060417 131843

 

Finding spyware is not all that difficult. What is sometimes difficult is distinguishing one spyware program from another, since they often display very similar behavior. What makes it hardest is that it is very common for one spyware program to install another; some programs' entire purpose is to do just that. One example is Downloader.Vxgame. This downloader seems to be continuously updating, and its entire purpose is to download and install other spyware programs.
I recently found a new unwanted program on my test PC after a visit to a nefarious website installed Downloader.Vxgame, which caused a series of automated downloads. This new item, "Trojan.Update32", did not show itself right away. After I removed the known spyware items installed by Downloader.Vxgame, the PC appeared to be running normally. After a few minutes, though, it was evident that the PC was running slower than normal. An inspection of the network activity showed that the PC was still infected: there was quite a bit of unsolicited network activity going on even without any web browser windows open:

All of this activity could bring a dialup connection to a crawl. After a bit, the program started downloading advertisements. Some of these were very annoying windows that would launch new browser windows as soon as the first was closed. Quite a few of these windows were loading advertisements with pornographic content, and more than one or two of them were not in English:

After inspecting the network activity that was happening in the background, it appeared that the infection was doing more than just downloading advertisements. It made several connections to the same domain and sent lists of the files found in the computer's root folder. It also seemed to keep two or three connections active at all times, even once all the browser windows were closed. Here's an example from a run of the Windows utility netstat:


An interesting aspect of Trojan.Update32 is that it hides its main file in random folders that already exist on the PC. Most malicious programs hide their files among the Windows or Windows system files. Running this program twice on clean installations of Windows showed that it randomly selects an existing folder in the Program Files directory and drops its file there, avoiding the suspicion that creating a new folder would arouse.

Directory of c:\program files\beyond compare 2\
wintofs32.dll

Directory of C:\Program Files\INAC\Anti Spyware\
wintofs32.dll

It launches itself on reboot by creating a registry entry under the ShellServiceObjectDelayLoad key, using the name of the program whose folder it had inserted itself into. In this way, when a user looks in the registry at the different points where objects can be loaded, he or she will see the name of a program that is already installed on the PC.

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"BC 2"="{24B2B197-D6D3-2290-7E3D-1F81BE3D36E1}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"INAC ASAP"="{52AA77E3-97C4-5707-C3BC-DD3E85B64B4F}"
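The value name under this key is chosen by whoever writes it, so "BC 2" or "INAC ASAP" proves nothing; what Explorer actually loads at logon is the InprocServer32 DLL registered for the CLSID on the right-hand side. The script below is an added example for auditing that key, not code from this log or from Spyware Nuker. It assumes Windows PowerShell 5 or later, that HKEY_CLASSES_ROOT is the CLSID hive Explorer consults, and that legitimate ShellServiceObjectDelayLoad entries resolve to DLLs under System32 (true on a clean install, but treat it as a heuristic, not a rule).

```powershell
# Added example: resolve every ShellServiceObjectDelayLoad (SSODL) value to the
# DLL that will really be loaded, and flag the ones worth a closer look.
# Assumptions: PowerShell 5+, HKCR\CLSID is the hive Explorer reads, and
# legitimate SSODL DLLs live under System32 (a heuristic, not a guarantee).

$SsodlPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$System32  = [Environment]::GetFolderPath('System')     # e.g. C:\Windows\system32

function Resolve-InprocServer {
    param([Parameter(Mandatory)][string]$Clsid)
    # The DLL path is the default value of HKCR\CLSID\{...}\InprocServer32.
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    $raw = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if (-not $raw) { return $null }
    # Paths are often stored as %SystemRoot%\system32\foo.dll and may be quoted.
    return [Environment]::ExpandEnvironmentVariables($raw).Trim('"')
}

function Get-SsodlAudit {
    $key = Get-Item -Path $SsodlPath -ErrorAction Stop
    foreach ($name in $key.GetValueNames()) {
        $clsid = [string]$key.GetValue($name)
        $dll   = Resolve-InprocServer -Clsid $clsid
        $flags = @()

        if (-not $dll) {
            $flags += 'CLSID has no InprocServer32'
        }
        else {
            # A DLL parked in Program Files (as wintofs32.dll was) trips this check.
            if (-not $dll.StartsWith($System32, 'OrdinalIgnoreCase')) {
                $flags += 'DLL outside System32'
            }
            if (-not (Test-Path -LiteralPath $dll)) {
                $flags += 'DLL file missing'
            }
            else {
                # Microsoft's own shell service objects carry a valid signature.
                $sig = Get-AuthenticodeSignature -FilePath $dll
                if ($sig.Status -ne 'Valid') { $flags += "signature: $($sig.Status)" }
            }
        }

        [pscustomobject]@{
            Name  = $name
            CLSID = $clsid
            DLL   = $dll
            Flags = if ($flags) { $flags -join '; ' } else { 'ok' }
        }
    }
}

Get-SsodlAudit | Format-Table -AutoSize
```

Anything flagged "DLL outside System32" deserves the same look the log gives wintofs32.dll: check the file's timestamp against its neighbours in that folder and compare the value name with the vendor of the DLL it actually points to.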

After an update of Spyware Nuker, it was as easy as running a deep scan to remove this item. It's a challenge, but we work day in and day out to make sure all of the new malicious programs can be removed from our customers' PCs.

 

End of Entry
© 2002-2007 TrekBlue, Inc.