Saturday, June 21, 2008

Dutch users Alert! - Beware of fake Tax forms - episode 2

This is a follow up to my previous blog post here http://miekiemoes.blogspot.com/2008/06/dutch-users-alert-beware-of-fake-tax.html
Thanks to Jan (who was infected with this one) for sharing the samples. Some were detected by most Antivirus scanners. Others weren't detected at all, so I've sent them the samples.
It is confirmed now.. This one spreads via IM (Messenger - Windows Live Messenger). And since this is a worm, a lot of others may be infected with this one as well.
I don't know via which url yet (will find out later)

Some of the files it drops:

%systemdrive%\svchost.exe and %systemdrive%\smss.exe

svchost.exe is already detected by most scanners as Backdoor.Win32.VB.bsf. The author is Dutch, that's for sure.
As a matter of fact, Roel (Kaspersky) already posted about a variant of this one earlier. See here:
http://www.viruslist.com/en/weblog?discuss=208187474&return=1

svchost.exe and smss.exe have several different loading points. The main ones are:

* HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
C:\Windows\System32\userinit.exe,%systemdrive%\svchost.exe
C:\Windows\System32\userinit.exe,%systemdrive%\smss.exe

* HKCR\exefile\shell\open\command
%systemdrive%\svchost.exe "%1" %*

This means, the fileassociation for exefiles is replaced with the malicious file. So if the file is removed, the exeassociation will be broken en you won't be able to run exe files anymore.
To fix this, go to start > run > type "command.com" (without the quotes). In the command prompt, type: ftype exefile="%1" %*
This restores the default association for exefiles.


* HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Generic Host Process for Win32 Services=%systemdrive%\svchost.exe
Session Manager SubSystem=%systemdrive%\smss.exe

+ some extra policies:

HKLM\SOFTWARE\Policies\Microsoft\Windows\Windowsupdate
DoNotAllowSPSP2=dword:00000001
DoNotAllowSPSP3=dword:00000001

In case you were infected with this one, please make sure you change all your passwords afterwards as they may be known.
As a matter of fact, make sure you don't get infected with this one in the first place - so always be careful with clicking links in IM, even when they come from friends. Verify with the sender first if the link was sent intentionally or not.

Related Posts by Categories