Wednesday, May 28, 2008

New Comments System installed

I previously had Haloscan installed as my Comments System, however, I've noticed that there were a lot of problems with Haloscan lately. Posts were lost, debug errors in the comments system, and other errors which caused my blog to crawl.

So, I decided to remove Haloscan.. and replaced it with Intense Debate instead.
It's a free service that provides more functionality and allows greater control of the comments.
It also automatically adjusts itself to the layout of your blog and there are a lot of extra settings and widgets you can use with it.
Thanks to this great tutorial, I could "install" it without any problems.

Too bad that removing Haloscan deleted all my previous comments - but oh well, there weren't that many comments posted anyway.

Tuesday, May 27, 2008

VIRUS ALERT! in clock and how to restore it

Most people recognise the words VIRUS ALERT! beside the System clock after being infected with one of the Zlob-Media Codec infections.



It's also displayed under the ProductID in your System Properties > General:



In the Registry, the following values are affected and replaced with VIRUS ALERT!

[HKEY_CURRENT_USER\Control Panel\International]
"sTimeFormat"="h:mm: VIRUS ALERT!"


Which explains the VIRUS ALERT! words in the clock.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"ProductId"="VIRUS ALERT!"


Which explains the VIRUS ALERT! in the System Properties.

In both cases, on every computer, above default values are different, because for the clock settings, it depends what the Regional Settings are.
To restore the VIRUS ALERT! in the clock settings, Go to start > run and type: intl.cpl
Hit enter
This opens the Regional Settings properties.
Under the tab Regional Options > standards and formats, from the dropdown list, re-select your region again.

In my case it is set to English (United States), but in your case, it may be different ofcourse.
By default the correct region should already be displayed there, but you have to re-select it, or select another Region first and then select your Region again > click apply and OK. This will reset the default data in the Registry for the sTimeFormat, so the VIRUS ALERT! should be gone.
(in some cases, you need to log off in order to make the changes)
(Extra note: In case you're having problems with above instructions, see the latest part of this post how to restore the policies first.)

For the ProductID - this is somewhat more advanced since every ProductID is different.
You need to restore that value in the Registry again with your ProductID. The ProductID will be a 20 long string of numbers and is used when you call Microsoft for support. It may also affect Windows XP Validation, an error in System tray with "Unable to complete genuine Windows validation" and/or you *may receive the error: "0x80080201 Cannot detect product ID (PID)"

The ProductID that was modified here is under the:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"ProductId"="XXXX-XXX-XXXXXXX-XXXXX"


Note, this is not your Product Key used to install Windows!

To retrieve your Product ID and restore it for above key/value, you can find it under next value in the registry as well:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"ProductId"="XXXX-XXX-XXXXXXX-XXXXX"


If you're not familiar with the registry, I suggest you use the Microsoft Genuine Advantage Diagnostic (MGADIAG) tool instead to retrieve your Product ID.

Run MGADiag.exe, click Continue and you'll find your Product ID under the Windows Tab.



There you can find your Product ID.
Now you have to restore that value in the registry again.
To do this, go to start > run and type: regedit
This will open your Registry Editor.
(Extra note: In case you're having problems with above instructions, see the latest part of this post how to restore the policies first.)

Now browse to the following key by expanding the folders (keys)
HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows NT > CurrentVersion
On the right, you should find: ProductId
In your case, you'll see VIRUS ALERT! next to it.
Doubleclick the value to open it and edit the string as you see in the screenshot below:



Where you see VIRUS ALERT! in the "edit string Window", delete the VIRUS ALERT! in there and replace it with your Product ID key you retrieved previously: XXXX-XXX-XXXXXXX-XXXXX
The X stands for random numbers/letters
Click the OK button after you edited the ProductID value in the Edit string Window to apply the changes.

This infection also adds a lot of policies (taskmanager disabled, registry editor disabled etc..) and also made some modifications in the startmenu as you see in the screenshot below:


To fix this, download this zipfile to your desktop.
Unzip it. Then RIGHTCLICK the VArestorepolicies.inf and select to Install from the Context menu.

Then, log off or reboot to apply the changes.

Note: Above will set the display in the Startmenu to Windows default. This in case you have modified this previously and already "disabled" some StartMenu items there.
It will also delete some policies which you *may have set yourself previously.

Note2: Above instructions only remove the VIRUS ALERT! in the clock and System properties and the restrictive policies+registry modifications being set. This doesn't clean the infection itself if still present. As long as the infection is still present and active, it will replace above values (with VIRUS ALERT!)+policies again.
To receive help to remove the infection (if still present), register at one of the forums present on the right, or register at my personal forum here. It's a dutch forum but I also give english support.

Monday, May 26, 2008

Popups - annoying... but funny... sometimes

Once in a while, I install some random malware to analyze what it exactly does. And some popups the malware generates are just amazing.
So here are few of my "funny popups collection" :







Too bad there's no Yes button there... :(

Stay tuned for new ones...

Saturday, May 17, 2008

Vundo goes WGA!

Vundo aka Virtumonde aka Win32.Monder aka somanyotherdescriptions is a common infection nowadays. It creates several different loading points to keep the infection alive.
Some loading points are:

* HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\randomkeyname
"DllName"="badfile"


* HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bad CLSID}

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
"{bad CLSID}"=""


* HKLM\SYSTEM\CurrentControlSet\Control\Lsa
"Authentication Packages"="default value + bad value inserted"


* and some more

We have also seen some other variants where a file infector was recreating above files/keys+values again.
An example of this one is W32/Trats.

I have already cleaned A LOT of computers with above ones present. After a while it's a piece of cake if you know where to look and what to delete.
However - I had a hard time with this one.
I just couldn't figure out why it was respawning everytime again. Everytime we tried to remove the files and related keys, after reboot, a new DLL was dropped again, which then downloaded/installed more files again.

The user had McAfee installed and in some other threads, I've noticed that McAfee was interfering with some removaltools after reboot. After I asked to temporary uninstall McAfee (since disabling doesn't make a difference because it will run again after reboot anyway) worked in most of the cases.. so the tools could finish their job and remove the infection properly.
However, in this case, it didn't make a difference. New files were created again after reboot.
Then I asked the user to disconnect from the internet, leave it disconnected and transfer the logs via another computer. This variant also downloads more files everytime again if connected with the internet so it would be a neverending story.
And if disconnected, it's easier to troubleshoot/figure out where these files come from, if they are downloaded or if a file already present is recreating/installing them.

The user disconnected the infected computer from the internet...
I really thought we could finally nail it now, because I assumed that the active files were responsible for downloading and installing new files again immediately after one was deleted.

I was wrong - because even after the user disconnected, after reboot, a new random DLL was present there again.
The other random files didn't appear there anymore, so this DLL couldn't download more files since the computer was disconnected from the internet. So we made progress in a way...
We tried once again, deleted the DLL and related keys - rebooted - and again, a new random DLL was created. Grrrrrr...

So, there should be a loader still present in the system - something I overlooked...
And yes, I overlooked some entries in the Kaspersky log that was posted previously. The log was posted with html tags which made it harder to read, because the forum doesn't support posts in html.
So I created the html file and had a better look....

And there it was..... the loader/installer!!

C:\WINDOWS\system32\WgaTray.exe/data0000.cab/is201779.exe Infected: Trojan.Win32.Monder.gen

The WgaTray.exe is a legitimate file and runs in the background to validate your Genuine Windows XP software. In this case, the WgaTray.exe was an infected version.
Since WgaTray.exe runs in combination with WgaLogon.dll and LegitCheckControl.dll, I had to check if WgaLogon.dll and LegitCheckControl.dll were also infected or not. The WgaLogon.dll was indeed modified recently, but appeared to be clean. The same was for LegitCheckControl.dll.
Only the WgaTray.exe was infected.

After removing the WgaTray.exe, the issue was resolved and no more files were installed again.

So what happened here was...
This user wanted to patch the WgaTray.exe in order to avoid the Genuine validation check, patched it with malware instead and All hell broke loose!

Another lesson learned I hope...

Tuesday, May 13, 2008

Reminder for Forum owners

This post is actually a reminder to my previous blog post http://miekiemoes.blogspot.com/2008/04/forum-owners-take-your-responsability.html.

This because recently MANY phpbb forums were compromised, where malicious scripts were injected, responsible for redirecting visitors to a fake codec download site.

More detailed info here:

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9084991
http://blog.trendmicro.com/more-than-a-half-a-million-web-sites-compromised/
http://uploadmalware.blogspot.com/2008/05/mass-file-injection-redirecting-to-zlob.html
http://www.dynamoo.com/blog/2008/05/mass-phpbb-attack-freehostpinoyinfo-and.html
http://d0mber.blogspot.com/2008/05/mass-phpbb-download-infection.html

So once again, I can't stress enough how important it is to take responsibility if you're a forum owner.

Saturday, May 10, 2008

PhraseExpress - Useful tool for common used phrases

As most of you know - or don't know... I am active at several different Security related forums to guide people how to remove malware.
For that, I use canned speeches, because most of the instructions always return. For example, a step-by-step guide how to run a certain Online scanner, how to run certain Removal tools etc...
I have been using several different tools in the past to manage my canned speeches and enter them immediately in my replies. Some are great, however, there was always something I was missing - until I installed PhraseExpress.
This was Exactly the program I was looking for!

It has so many features. Some of them are:

* Supports Hotkeys, custom text abbreviations - so you can give each common used phrase/canned speech a hotkey or text abbreviation. Just use the hotkey or text and it inserts the phrases/canned speech automatically.
* Autocompletes phrases with predictive text recognition.
* Uses a context menu, so phrases / canned speeches are easy to select.
* Has the option to open a certain context menu folder or phrases by using an assigned word.
* Includes spelling correction.
* Contains a clipboard cache where recently copied clipboard contents are stored.
* You can even launch applications by entering text shortcuts.
* Very easy to manage and to backup.
* And for me, the most important advantage (since many other similar tools don't support this (yet): It works in any application where you can enter text!!!
* And so many more!

Here's a screenshot how it looks like in my case:



In this case, I opened it via the tray icon, but you can also let it open (context menu) via an assigned word in every application.
Example (in this case a forum post):



In this case, I assigned the word "tu" in order to open the PhraseExpress "Tool & Utilities" folder I created. As you can see, I have seperate phrases stored in this folder. I only have to select the one I want and it enters itself automatically into the textfield.
The same applies for other applications, for example notepad or any other application where you can enter text.

Visit the main site for more features and info: http://www.phraseexpress.com/ - including video demos.
Even better is to try it - It's still the best way to find out the advantages of this tool.

And... before I forget.. You can use PhraseExpress for free!
http://www.phraseexpress.com/freeware.htm
But since I like this tool so much, I supported them by purchasing a license. It's really worth the money!

Friday, May 2, 2008

Email-Worm.Win32.Locksky - new stubborn variant

I was helping a user the other day where his computer was crippled with malware. We could successfully delete all other files, registry keys and restore whatever it damaged, however, I was having a real hard time to delete the Email-Worm.Win32.Locksky.
Reference to the thread here.
Even though some instructions weren't followed to the letter - which caused extra confusion - we could nail it after all. Thanks to lostinendicott for the files and cooperation.

The Email-Worm.Win32.Locksky in most cases spreads as an attachement to infected messages - which then sends itself to the email addresses harvested from the infected computer.
It also collects information from the infected machine, including system passwords and other info entered via the keyboard. Then this information is uploaded to the remote malicious users's site. This site is also used to download updates from there to the infected computer.
This new variant is detected as Email-Worm.Win32.Locksky.cm or Email-Worm.Win32.Locksky.df and uses some advanced tactics to keep the infection alive.

When this one installs itself, it creates several different loading points:

* HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"random value"="rundll32.exe "%Temp%\randomfilename" WLEntryPoint"


* HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
"random value"="rundll32.exe "%System%\randomfilename" WLEntryPoint"


* HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\randomname
"DLLName"="pathtorandomfilename"
"Logon"="WLEventLogon"


* HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"taskman"="rundll32.exe "pathtofile" WLEntryPoint"


* Installs as a random Driver

* HKLM\SOFTWARE\Microsoft\Command Processor
"AutoRun"="rundll32.exe "%Temp%\randomfilename" WLEntryPoint"


* HKLM\SOFTWARE\Classes\exefile\shell\open\command
Points to (Default)="rundll32.exe "%Temp%\randomfilename" WLEntry %1 %*"


In this case, it means that the default association for exefiles is replaced with the malicious file, so everytime an exe is executed, the malicious file is loaded.

Also, one of the files is injected in the address space of the legitimate process svchost.exe.

The random created Driver and file loaded under the Winlogon Notify isn't that hard to remove. Once it's removed, it won't recreate itself again.
However, it's the ones under the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run and HKLM\SOFTWARE\Classes\exefile\shell\open\command which are stubborn.
This because they are watching eachother and when one component is missing, it replaces it with another random one. The exefile association is the main culprit here and as long as this infection is active, you cannot restore the default exefile association since it will recreate itself immediately again.
Also, the fact that filenames are random everytime makes it harder to find the files to delete.
And if you delete one component - as I already explained, the other ones still loaded will recreate another random filename again and load it. It copies itself over and over again.

Since these files are loaded with the use of rundll32.exe - a method is to kill the legitimate process rundll32.exe and delete the malicious files and loading points pointing to it+restore the exefile association again.
However, in this case, you should know exactly what files to delete and what keys to delete+restore.
Keep in mind, if you kill the process rundll32.exe, after a next reboot, in case you forgot to delete a file and loading point, the infection will load again, this again with a new random filename being created, so you have to start all over again.

That's why it may be easier to temporary rename the %system%\rundll32.exe file to rundll32.old, so this file won't load anymore.
If there's no rundll32.exe, it cannot load the malicious files either.
Keep in mind, if you rename the rundll32.exe file, make sure you rename the rundll32.exe file in the %system%\dllcache FIRST.
If you don't do that and you rename the rundll32.exe in the %system% folder only, it will be recreated from the dllcache because of the Windows System File Protection.
If you have done this correctly, renamed the file rundll32.exe from the dllcache first and then the one from the %system% folder, by default, you should get a message from Windows System File Protection to insert your CD in order to replace the file.
Don't let it replace, click cancel here, because we don't want it to be replaced!

Then, after performing above, REBOOT your computer in order to unhook the malicious files.

Then you can scan with your Antivirus and let it delete all files (since most scanners detect this variant), delete the loading points and restore exefile association.
To restore the exefile association, go to start > type command.com (since cmd.exe won't work when exefile association is broken)
Via the command.com prompt, type: ftype exefile="%1" %*
This will restore the default association for exefiles afgain.

Once you're sure that all malicious files are deleted, the exefile association is restored, then you can rename the rundll32.old back to rundll32.exe

Don't forget to change all passwords afterwards as well!!

Main point still is - better to avoid this and read my prevention tips here: http://miekiemoes.blogspot.com/search/label/Prevention