Friday, May 2, 2008

Email-Worm.Win32.Locksky - new stubborn variant

I was helping a user the other day whose computer was crippled by malware. We could successfully delete all the other files and registry keys and restore whatever it had damaged; however, I was having a really hard time deleting the Email-Worm.Win32.Locksky.
Reference to the thread here.
Even though some instructions weren't followed to the letter - which caused extra confusion - we nailed it after all. Thanks to lostinendicott for the files and cooperation.

In most cases the Email-Worm.Win32.Locksky spreads as an attachment to infected messages, which it sends to the email addresses harvested from the infected computer.
It also collects information from the infected machine, including system passwords and other data entered via the keyboard. This information is then uploaded to the remote malicious user's site, which is also used to download updates to the infected computer.
This new variant is detected as Email-Worm.Win32.Locksky.cm or Email-Worm.Win32.Locksky.df and uses some advanced tactics to keep the infection alive.

When this one installs itself, it creates several different loading points:

* HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"random value"="rundll32.exe "%Temp%\randomfilename" WLEntryPoint"

* HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
"random value"="rundll32.exe "%System%\randomfilename" WLEntryPoint"

* HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\randomname
"DLLName"="pathtorandomfilename"
"Logon"="WLEventLogon"

* HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"taskman"="rundll32.exe "pathtofile" WLEntryPoint"

* Installs as a random driver

* HKLM\SOFTWARE\Microsoft\Command Processor
"AutoRun"="rundll32.exe "%Temp%\randomfilename" WLEntryPoint"

* HKLM\SOFTWARE\Classes\exefile\shell\open\command
(Default) points to "rundll32.exe "%Temp%\randomfilename" WLEntry %1 %*"


In this case, it means that the default association for exefiles is replaced with the malicious file, so every time an exe is executed, the malicious file is loaded.

Also, one of the files is injected into the address space of the legitimate process svchost.exe.

The randomly created driver and the file loaded under Winlogon\Notify aren't that hard to remove. Once they are removed, they won't recreate themselves.
However, it's the ones under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run and HKLM\SOFTWARE\Classes\exefile\shell\open\command which are stubborn.
This is because they watch each other: when one component goes missing, the others replace it with another randomly named one. The exefile association is the main culprit here, and as long as this infection is active you cannot restore the default exefile association, since it will immediately recreate itself.
Also, the fact that the filenames are random every time makes it harder to find the files to delete.
And if you delete one component, as I already explained, the other ones that are still loaded will create another random filename and load it. It copies itself over and over again.

Since these files are loaded via rundll32.exe, one method is to kill the legitimate rundll32.exe process, delete the malicious files and the loading points pointing to them, and restore the exefile association.
However, in this case you need to know exactly which files to delete and which keys to delete or restore.
Keep in mind that if you kill the rundll32.exe process and forget to delete a file or loading point, the infection will load again after the next reboot, again with a newly created random filename, so you have to start all over again.
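As an added example (not the author's tool and not part of the original post), here is a small Python script that builds exactly that inventory from a registry export in the text format written by "reg export" of the keys listed above. It parses the keys, finds every value that loads a DLL through rundll32.exe, flags the ones that fit this variant's pattern (a DLL in %Temp%, the WLEntryPoint/WLEntry export names, or the same DLL referenced from more than one loading point), and checks whether the exefile association still holds the Windows default. The export embedded in it is constructed for the example: the file names kbdwa.dll, rptwq.dll, xqwev.dll and the value names qvhxz and mzlqp are made up, since the real ones are random.

```python
"""Triage a registry export for the rundll32 loading points listed in the post.
Added example, not the author's tool: it reads the text written by "reg export",
finds every value that loads a DLL through rundll32.exe, marks the ones matching
this variant's pattern and checks the exefile association."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

DEFAULT_EXEFILE_COMMAND = '"%1" %*'          # what  ftype exefile="%1" %*  restores
KNOWN_EXPORTS = {'wlentrypoint', 'wlentry'}  # export names from the loading points above
EXEFILE_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command'

# Constructed sample export. The worm uses random names; kbdwa.dll, rptwq.dll,
# xqwev.dll and the value names qvhxz/mzlqp are made up for this example.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"qvhxz"="rundll32.exe \"C:\\DOCUME~1\\USER\\LOCALS~1\\Temp\\kbdwa.dll\" WLEntryPoint"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"mzlqp"="rundll32.exe \"C:\\WINDOWS\\system32\\rptwq.dll\" WLEntryPoint"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xqwev]
"DLLName"="C:\\WINDOWS\\system32\\xqwev.dll"
"Logon"="WLEventLogon"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"taskman"="rundll32.exe \"C:\\WINDOWS\\system32\\rptwq.dll\" WLEntryPoint"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor]
"AutoRun"="rundll32.exe \"C:\\DOCUME~1\\USER\\LOCALS~1\\Temp\\kbdwa.dll\" WLEntryPoint"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="rundll32.exe \"C:\\DOCUME~1\\USER\\LOCALS~1\\Temp\\kbdwa.dll\" WLEntry %1 %*"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def reg_unescape(s: str) -> str:
    # .reg files double every backslash and escape quotes; undo both.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}} for string (REG_SZ) values only."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in (ln.strip() for ln in text.splitlines()):
        km, vm = KEY_RE.match(line), VALUE_RE.match(line)
        if km:
            current = km.group(1)
            keys.setdefault(current, {})
        elif vm and current is not None:
            name_tok, data = vm.groups()
            name = '(default)' if name_tok == '@' else reg_unescape(name_tok[1:-1])
            if data.startswith('"') and data.endswith('"'):  # hex:/dword: data skipped
                keys[current][name] = reg_unescape(data[1:-1])
    return keys


def rundll32_target(cmd: str) -> Optional[Tuple[str, str]]:
    """(dll, export) if cmd loads a DLL via rundll32; handles 'dll,Export' and 'dll Export'."""
    tokens = [t.replace('"', '') for t in re.findall(r'(?:"[^"]*"|\S)+', cmd)]
    if len(tokens) < 2 or tokens[0].rsplit('\\', 1)[-1].lower() not in ('rundll32', 'rundll32.exe'):
        return None
    dll, _, export = tokens[1].partition(',')
    return dll, export or (tokens[2] if len(tokens) > 2 else '')


def triage(reg_text: str) -> dict:
    keys = parse_reg_export(reg_text)
    hits: List[Tuple[str, str, str, str]] = []       # (key, value name, dll, export)
    for key, values in keys.items():
        for name, data in values.items():
            target = rundll32_target(data)
            if target:
                hits.append((key, name) + target)
    refs: Dict[str, List[str]] = defaultdict(list)    # dll -> loading points that use it
    for key, name, dll, _ in hits:
        refs[dll.lower()].append(key + '\\' + name)
    reasons: Dict[str, List[str]] = {}
    for _, _, dll, export in hits:
        why = []
        if '\\temp\\' in dll.lower():
            why.append('loaded from Temp')
        if export.lower() in KNOWN_EXPORTS:
            why.append('export ' + export)
        if len(refs[dll.lower()]) > 1:                 # the components that watch each other
            why.append('%d loading points' % len(refs[dll.lower()]))
        if why:
            reasons.setdefault(dll, why)
    exefile_cmd = keys.get(EXEFILE_KEY, {}).get('(default)', '')
    return {
        'files_to_delete': sorted(reasons),
        'reasons': reasons,
        # the exefile value is restored with ftype, not deleted, so it is kept apart
        'values_to_delete': sorted({loc for d in reasons for loc in refs[d.lower()]
                                    if not loc.startswith(EXEFILE_KEY)}),
        'notify_dlls_to_review': [v['DLLName'] for k, v in keys.items()
                                  if '\\Winlogon\\Notify\\' in k and 'DLLName' in v],
        'exefile_hijacked': exefile_cmd.strip().lower() != DEFAULT_EXEFILE_COMMAND.lower(),
    }
```

Call triage() on an export taken from the infected machine rather than on the built-in sample. Because it only reads a text file, it can be run from a clean machine, which matters here since cmd.exe and most .exe files won't start on the infected one while the association is hijacked. The Winlogon\Notify DLLs are only listed for review, because legitimate Notify entries exist, and the exefile value is reported separately since it is restored with ftype rather than deleted.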

That's why it may be easier to temporarily rename %System%\rundll32.exe to rundll32.old, so this file won't load anymore.
If there's no rundll32.exe, it cannot load the malicious files either.
Keep in mind, if you rename rundll32.exe, make sure you rename the rundll32.exe in %System%\dllcache FIRST.
If you don't, and you rename only the rundll32.exe in the %System% folder, it will be recreated from the dllcache by Windows System File Protection.
If you have done this correctly (renamed the rundll32.exe in the dllcache first and then the one in the %System% folder), by default you should get a message from Windows System File Protection asking you to insert your CD in order to replace the file.
Don't let it replace the file; click Cancel here, because we don't want it to be replaced!

Then, after performing the above, REBOOT your computer in order to unhook the malicious files.

Then you can scan with your antivirus and let it delete all the files (most scanners detect this variant), delete the loading points and restore the exefile association.
To restore the exefile association, go to Start > type command.com (since cmd.exe won't work while the exefile association is broken).
At the command.com prompt, type: ftype exefile="%1" %*
This will restore the default association for exefiles again.

Once you're sure that all malicious files are deleted and the exefile association is restored, you can rename rundll32.old back to rundll32.exe.

Don't forget to change all passwords afterwards as well!!

The main point still is: it's better to avoid this altogether, so read my prevention tips here: http://miekiemoes.blogspot.com/search/label/Prevention