Saturday, May 17, 2008

Vundo goes WGA!

Vundo aka Virtumonde aka Win32.Monder aka somanyotherdescriptions is a common infection nowadays. It creates several different loading points to keep the infection alive.
Some loading points are:

* HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\randomkeyname

* HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bad CLSID}

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
"{bad CLSID}"=""

* HKLM\SYSTEM\CurrentControlSet\Control\Lsa
"Authentication Packages"="default value + bad value inserted"

* and some more

We have also seen other variants where a file infector recreated the above files, keys and values on every reboot.
An example of this one is W32/Trats.
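To make the loading points above concrete, here is an added PowerShell enumeration script (it is not part of the original post and not a tool the author used). It walks the four locations listed, resolves each BHO and ShellExecuteHook CLSID to the DLL registered as its in-process server, and flags any LSA authentication package other than the stock `msv1_0`. It assumes it is run with administrative rights on the affected machine; it reads every name from the registry and hard-codes nothing as malicious, so it is a review aid for a cleaner, not an automatic remover.

```powershell
# Added example, not from the original post: list the Vundo loading points
# described above so each referenced DLL can be checked by hand.
# Assumes an elevated session; on 64-bit Windows the same keys also exist
# under Wow6432Node and would need a second pass.

function Resolve-ClsidPath {
    param([string]$Clsid)
    # Resolve a CLSID to the DLL registered as its InprocServer32.
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $key) {
            return (Get-ItemProperty -Path $key).'(default)'
        }
    }
    return $null
}

function Get-VundoLoadingPoints {
    $results = @()

    # 1. Winlogon\Notify: each subkey names a DLL Winlogon loads at logon.
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    Get-ChildItem -Path $notify -ErrorAction SilentlyContinue | ForEach-Object {
        $results += [pscustomobject]@{
            Location = 'Winlogon\Notify'
            Name     = $_.PSChildName
            Target   = (Get-ItemProperty -Path $_.PSPath).DllName
        }
    }

    # 2. Browser Helper Objects: each subkey is a CLSID loaded into IE/Explorer.
    $bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    Get-ChildItem -Path $bho -ErrorAction SilentlyContinue | ForEach-Object {
        $results += [pscustomobject]@{
            Location = 'Browser Helper Objects'
            Name     = $_.PSChildName
            Target   = Resolve-ClsidPath $_.PSChildName
        }
    }

    # 3. ShellExecuteHooks: value names are CLSIDs invoked on every ShellExecute.
    $seh = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
    if (Test-Path $seh) {
        (Get-Item -Path $seh).GetValueNames() | Where-Object { $_ -like '{*}' } | ForEach-Object {
            $results += [pscustomobject]@{
                Location = 'ShellExecuteHooks'
                Name     = $_
                Target   = Resolve-ClsidPath $_
            }
        }
    }

    # 4. LSA Authentication Packages: REG_MULTI_SZ; a clean XP box lists only msv1_0.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    foreach ($pkg in @($lsa.'Authentication Packages')) {
        $verdict = 'expected default'
        if ($pkg -ine 'msv1_0') { $verdict = 'EXTRA PACKAGE - review' }
        $results += [pscustomobject]@{
            Location = 'Lsa\Authentication Packages'
            Name     = $pkg
            Target   = $verdict
        }
    }

    return $results
}

Get-VundoLoadingPoints | Format-Table -AutoSize
```

Every row's Target is the file to look at next: a random-looking name in system32 that no installed product accounts for is the one to submit to a scanner before deleting anything, and the post itself shows that removing such files without finding the loader only buys one reboot.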

I have already cleaned A LOT of computers with the above ones present. After a while it's a piece of cake if you know where to look and what to delete.
However - I had a hard time with this one.
I just couldn't figure out why it kept respawning. Every time we removed the files and related keys, a new DLL was dropped again after reboot, which then downloaded/installed more files again.

The user had McAfee installed, and in some other forum threads I had noticed McAfee interfering with removal tools after reboot. Asking the user to temporarily uninstall McAfee (disabling it makes no difference, since it runs again after reboot anyway) worked in most cases, so the tools could finish their job and remove the infection properly.
However, in this case it didn't make a difference. New files were created again after reboot.
Then I asked the user to disconnect from the internet, leave it disconnected and transfer the logs via another computer. This variant downloads more files every time it is connected to the internet, so it would be a never-ending story.
And when disconnected, it's easier to troubleshoot and figure out where these files come from: whether they are downloaded, or whether a file already present is recreating/installing them.

The user disconnected the infected computer from the internet...
I really thought we could finally nail it now, because I assumed that the active files were responsible for downloading and installing new files again immediately after one was deleted.

I was wrong - because even after the user disconnected, after reboot, a new random DLL was present there again.
The other random files didn't appear there anymore, so this DLL couldn't download more files since the computer was disconnected from the internet. So we made progress in a way...
We tried once again, deleted the DLL and related keys - rebooted - and again, a new random DLL was created. Grrrrrr...

So, there should be a loader still present in the system - something I overlooked...
And yes, I overlooked some entries in the Kaspersky log that was posted previously. The log had been posted with raw HTML tags in it, which made it harder to read, because the forum doesn't render HTML in posts.
So I saved it as an HTML file and had a better look....

And there it was..... the loader/installer!!

C:\WINDOWS\system32\WgaTray.exe/ Infected: Trojan.Win32.Monder.gen

WgaTray.exe is a legitimate file that runs in the background to validate that your copy of Windows XP is genuine. In this case, the WgaTray.exe was an infected version.
Since WgaTray.exe runs in combination with WgaLogon.dll and LegitCheckControl.dll, I had to check whether WgaLogon.dll and LegitCheckControl.dll were also infected. WgaLogon.dll had indeed been modified recently, but appeared to be clean. The same was true for LegitCheckControl.dll.
Only WgaTray.exe was infected.
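The check the author did by hand (is each WGA component the genuine Microsoft binary, and when was it last modified?) can be scripted. The following is an added example, not part of the original post: it asks Windows to verify the Authenticode signature of the three files named above and prints the signer and last-write time, so a patched or replaced WgaTray.exe shows up as unsigned or signed by someone other than Microsoft. It assumes the files live under %SystemRoot%\system32, as they do on Windows XP.

```powershell
# Added example, not from the original post: verify the WGA components the
# post names. A tampered binary fails signature validation; a recently
# modified but still validly signed file is the case the author saw with
# WgaLogon.dll. Assumes XP-era paths under %SystemRoot%\system32.

function Test-WgaComponents {
    $sys32 = Join-Path $env:SystemRoot 'system32'
    $files = 'WgaTray.exe', 'WgaLogon.dll', 'LegitCheckControl.dll'

    foreach ($name in $files) {
        $path = Join-Path $sys32 $name
        if (-not (Test-Path $path)) {
            [pscustomobject]@{
                File = $name; Present = $false; Signature = 'n/a'
                Signer = 'n/a'; Modified = $null; Verdict = 'missing'
            }
            continue
        }

        $sig  = Get-AuthenticodeSignature -FilePath $path
        $item = Get-Item -Path $path

        # Only a valid signature whose signer is Microsoft counts as genuine.
        $signer = 'none'
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        $verdict = 'SUSPECT - not a validly Microsoft-signed binary'
        if ($sig.Status -eq 'Valid' -and $signer -match 'Microsoft') { $verdict = 'OK' }

        [pscustomobject]@{
            File      = $name
            Present   = $true
            Signature = $sig.Status
            Signer    = $signer
            Modified  = $item.LastWriteTime
            Verdict   = $verdict
        }
    }
}

Test-WgaComponents | Format-List
```

Two caveats when reading the output: on older PowerShell versions files signed only through a catalog (rather than with an embedded signature) report `NotSigned`, so `NotSigned` alone is a prompt to check the file's hash against a known-good copy rather than proof of tampering; and a recent LastWriteTime on its own is not evidence of infection, as the clean WgaLogon.dll above shows, whereas a failed signature on WgaTray.exe is.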

After removing the WgaTray.exe, the issue was resolved and no more files were installed again.

So what happened here was...
This user wanted to patch WgaTray.exe in order to avoid the Genuine validation check, "patched" it with malware instead, and all hell broke loose!

Another lesson learned I hope...
