Monday, October 13, 2008

Fake sysaudio.sys causes Searchengine Hijack

What is this infection about...
It injects a script into the search result page, so the results are loaded through that script. For example, when you search for something on Google or another search engine and view the page source, you see this:

script src=//78. 157. 142. 58/ followed by the search engine results,
or
script src=//209 .85 .171 .9/ followed by the search engine results.
(other addresses may be present as well)

So, whenever a popular search engine is used, a script is loaded that inserts its own results. For example, a search for "How to remove rootkits with icesword" returns irrelevant results. Screenshot here:


This only affects the first page of results.

It looks like stopzilla.com is also being promoted via this piece of malware.
Example:


As far as I know, this one gets installed via a "Yahoo! Counter starts here" JavaScript (a malicious script, not related to Yahoo in any way) injected into many forums, sites and blogs.
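Both of the page-source clues above (a script tag whose src is a bare IP address on a hijacked result page, and the "Yahoo! Counter starts here" text on a compromised forum or blog) can be checked in a saved copy of the page. The script below is an added example and not code from the original post; the sample HTML is constructed, and the exact shape of the real injected "Yahoo! Counter" script is not shown on this page, so the check looks only for the text string the post quotes.

```python
"""Scan saved page source for the injected loaders described in the post.

Two indicators are checked:
  * a <script src=...> whose host is a bare IPv4 address (the
    'script src=//78.157.142.58/' pattern seen in hijacked search results)
  * the literal marker text "Yahoo! Counter starts here"
Added example; SAMPLE_PAGE is constructed test input, not a real capture.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
MARKER = "yahoo! counter starts here"  # compared case-insensitively


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in the document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def script_hosts(html):
    """Return (src, host) pairs; host is '' for relative srcs like /js/x.js."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    parser.close()
    pairs = []
    for src in parser.srcs:
        # urlsplit handles scheme-relative '//1.2.3.4/x' as well as full URLs.
        host = urlsplit(src.strip()).hostname or ""
        pairs.append((src, host))
    return pairs


def find_injected_loaders(html):
    """Return a list of (indicator, evidence) tuples found in the page."""
    findings = []
    for src, host in script_hosts(html):
        if IPV4_RE.match(host):
            findings.append(("script-src-bare-ip", src))
    if MARKER in html.lower():
        findings.append(("marker", "Yahoo! Counter starts here"))
    return findings


# Constructed sample: one normal relative script plus the two indicators.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<!-- Yahoo! Counter starts here -->
<script src="//78.157.142.58/"></script>
</head><body>forum post</body></html>"""

if __name__ == "__main__":
    for indicator, evidence in find_injected_loaders(SAMPLE_PAGE):
        print(indicator, "->", evidence)
```

Run it against a page saved with "View Source"; a script tag loading from a raw IP is not proof on its own (some legitimate sites do it), but on a Google result page it is exactly what the post describes and worth a closer look.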

The file responsible for the search engine hijack is sysaudio.sys (actually a DLL, despite the .sys extension), dropped in the %sysdir% folder (the system32 folder).

Note: do NOT confuse this one with the legitimate sysaudio.sys, which lives in the %sysdir%\drivers folder. Do not delete the legitimate %sysdir%\drivers\sysaudio.sys file!

The loading point for the fake sysaudio.sys is under the
HKLM\software\microsoft\windows nt\currentversion\drivers32 key
with the following value name and value data:

"aux"="sysaudio.sys" or
"aux2"="sysaudio.sys"

Legitimate value data for "aux" is normally wdmaud.drv, mmdrv.dll or ctwdm32.dll (the most common legitimate ones I've seen so far; there could be more).

Other files the fake sysaudio.sys may use are divx.nls or ntnet.drv, also present in the %sysdir% folder.
(newer variants may use more)

Anyway, this is another method used to "hide" its presence: it causes confusion with legitimate files and keys. So be cautious if you think you're dealing with this one, and do not delete the legitimate sysaudio.sys in the system32\drivers folder, or the "aux" value in the registry when it points at a legitimate driver. Ask for help if you're not sure.


UPDATE!
A new variant is Windows\system32\wdmaud.sys <== bad one
The legitimate ones are Windows\system32\wdmaud.drv and Windows\system32\drivers\wdmaud.sys, so don't delete those!

UPDATE2!!!

And again a new variant is around. Malwarebytes' Anti-Malware detects this one as Trojan.Gumblar or Trojan.JSRedir (previous variants were detected as Trojan.Daonol).
Redirections go for example to 209.85.171.199, or you see 7.7.7.0 in the status bar.
This time it uses a random file name. To find it, browse to the HKLM\software\microsoft\windows nt\currentversion\drivers32 key in the registry and look at what's present under the "aux" values (aux1, aux2, aux3, aux4, ...). One of them is the cause. It's a "weird" looking file path and name; examples are "C:\WINDOWS\system32\..\sjkemx.iqd", "C:\WINDOWS\system32\..\kvlhurx.niq" or "c:\docume~1\%username%\LOCALS~1\Temp\..\herlppj.sna". Note the ".." component, which refers to the parent directory (one level up), so "C:\WINDOWS\system32\..\sjkemx.iqd" actually resolves to C:\WINDOWS\sjkemx.iqd, and the Temp example resolves to the folder above Temp. A legitimate aux mapping is normally just a bare file name such as wdmaud.drv, never a path with ".." in it. To find the file itself, the easiest way is via Windows search. If it comes back immediately after you have removed it, use the HijackThis "Delete on reboot" option, or any other tool that is able to delete files on reboot.
In case you can't launch regedit (it crashes when you launch it), rename regedit.exe and try again.
If you're unsure, don't delete anything, but ask for help instead.
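The checks described for the Drivers32 load point, both the fixed "aux"="sysaudio.sys" form earlier in the post and the random-name variant with ".." in the path, can be run over an export of the key instead of eyeballing regedit. The script below is an added example and not code from the original post. It assumes the key was exported with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" drivers32.reg` (or regedit's File > Export) and that the known-good list is only the three drivers the post names; other legitimate aux drivers exist, so an entry flagged only as "not in the known-good list" needs a manual look, not deletion. SAMPLE_EXPORT is constructed.

```python
"""Triage a .reg export of the Drivers32 key for suspicious aux* mappings.

Added example (not from the original post). Assumes a regedit/reg.exe
export (REG_SZ values, one per line). ntpath is used so the script runs
on any OS while resolving Windows paths the way Windows would.
"""
import ntpath
import re

# The three legitimate aux drivers the post lists; others exist.
KNOWN_GOOD_AUX = {"wdmaud.drv", "mmdrv.dll", "ctwdm32.dll"}
# Fake driver names the post describes being dropped in %sysdir%.
KNOWN_BAD_NAMES = {"sysaudio.sys", "wdmaud.sys"}

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')
AUX_RE = re.compile(r"aux\d*", re.IGNORECASE)


def parse_reg_export(text):
    """Return {value_name: data} for the REG_SZ values in a .reg export."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            # .reg escapes backslash as \\ and double quote as \" .
            values[m.group("name")] = re.sub(r'\\(["\\])', r"\1", m.group("data"))
    return values


def resolve_load_path(data):
    """Collapse '..' so the analyst sees where the file really lives.

    '..' is the parent directory (one level up):
    C:\\WINDOWS\\system32\\..\\x.iqd  ->  C:\\WINDOWS\\x.iqd
    """
    return ntpath.normpath(data)


def audit_aux_values(values):
    """Return findings for aux* values that do not look like a normal mapping."""
    findings = []
    for name, data in values.items():
        if not AUX_RE.fullmatch(name):
            continue
        resolved = resolve_load_path(data)
        base = ntpath.basename(resolved).lower()
        reasons = []
        if base in KNOWN_BAD_NAMES:
            reasons.append("file name matches a fake driver described in the post")
        if ".." in ntpath.normcase(data).split("\\"):
            reasons.append("path contains '..'; a legitimate mapping is a bare file name")
        if not reasons and base not in KNOWN_GOOD_AUX:
            reasons.append("not in the known-good list; verify before touching")
        if reasons:
            findings.append({"value": name, "data": data,
                             "resolved": resolved, "reasons": reasons})
    return findings


# Constructed export: one clean aux value, one fixed-name fake, one random-name fake.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux"="wdmaud.drv"
"aux2"="sysaudio.sys"
"aux5"="C:\\WINDOWS\\system32\\..\\sjkemx.iqd"
"midi"="wdmaud.drv"
"wave"="wdmaud.drv"
'''

if __name__ == "__main__":
    for f in audit_aux_values(parse_reg_export(SAMPLE_EXPORT)):
        print(f'{f["value"]} = {f["data"]}  (resolves to {f["resolved"]})')
        for r in f["reasons"]:
            print("   -", r)
```

The "resolved" path is the one to search for on disk; with the ".." variants the file is not in system32 at all but one folder up, which is why a search limited to system32 misses it.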

Update: A Great, detailed writeup by MAD (French)

To receive help removing this infection or similar ones, register at one of the forums listed on the right, or register at my personal forum here. It's a Dutch forum, but I also give English support.


Comments (96)


Derek Smith · 856 weeks ago

Hi,
How does this file get put on your computer in the first place?
Thank you! Thank you! I spent my entire day scanning my PC trying to fix this problem. I'm a software developer so it is a big deal when I have to wait hours for multiple virus scanners. Then I was about to pull my hair out going through all those silly forums with all the Hijack This scripts. After all that, I was so glad to have a real person just tell me which file to delete!! It even fixed a problem with Google maps that I've had for months as well. Don't know why, but it did. You saved me so much time! I wish I could have found your solution earlier.

I am completely enamored with Belgium after developing quite the taste for Belgian Ales. My husband and I hope to visit someday.
1 reply · active 494 weeks ago
I had this and used several different scanners to find whatever was causing the problem (Super AntiSpyware, MalwareBytes AntiMalware, AVG Free 8, etc.). None found anything. This had gone on for about the last week. Tonight (and for the last couple of days) when going to google and searching it would take forever to load the results. This happened whether using IE 7 or Firefox. Well tonight I did a little searching through the registry to see if there was anything unusual (did clean some things up) but found nothing unusual. Right after that AVG popped up with the sysaudio.dll file as a Trojan Horse Backdoor.Generic10.ZLE so I threw it over in quarantine and ever since then everything's back to normal. I have my wireless router that sits here also and I could see the activity lights for my connection and the internet activity light blinking at a steady pace. Checking the status of the adapter also showed packets steadily going in and out. Now it's all good. I do spyware/virus removal all of the time as part of my job, and have never had one as tough as this to simply find. Found this info after the fact, but it's great info and describes the problem perfectly!!!
We reassembled sysaudio.sys (14.362 KB) from a TCP packet stream capture. Multiple online scanners were run against it (A-Squared, AntiVir, ArcaVir, Avast, AVG Antivirus, BitDefender, ClamAV, CPsecure, Dr.Web, F-Prot Antivirus, F-Secure Anti-Virus, G DATA, Ikarus, Kaspersky Anti-Virus, NOD32, Norman Virus Control, Panda Antivirus, Sophos Antivirus, VirusBuster, VBA32) on 11/24/2008, and no hits. Also see http://www.virustotal.com/analisis/9e975066a5189ce22600c9d425c5e128. File was submitted to Microsoft Malware Protection Center. Microsoft classified it as a new trojan - Trojan:Win32/Daonol.B on 11/25/2008.
1 reply · active 852 weeks ago
Legitimate sysaudio.sys file is located in ../system32/drivers/ and has MS signature with version, etc. Bogus file can be in ../windows/ or ../windows/system32/ and it doesn't have MS sig. Apparently it installs itself as a driver, so even booting in safe mode won't help. And it's true - scanners won't detect it. And, of course, it can use different name. The way I located it was by the date on the file. It was in system32 directory that should not contain many *.sys files if any. So it was immediate suspect.
1 reply · active 852 weeks ago
I just assumed it was a driver. Tell the truth, I didn't check the registry. Just deleted this file in the recovery console and then ran registry cleaner and deleted all orphans. Wasn't my computer. Needed to do it fast. However I did come across a couple of similar problems before. I still don't know how they get there, but it doesn't really matter. In those cases they were actual drivers and scanners didn't flag them either. It's just a tip how to locate these pests if scans fail. Check windows and system32 directories and sort by date. Look for most recent files/subdirectories. Check for MS sig. It may not always work, but it did for me. Perhaps you can rename all the suspects, but some won't let you do it if in use, so you will have to use the Recovery Console. Specifically if it's a real driver.
And this is just a question(s). Is there any reason for putting malware files in windows directory? Can they put them some other place? Can they fake date on files and fake MS sig so it will be more difficult to spot? I just simply find that all antivirus/antispyware programs and all these hijack this and that are completely useless. They are only good for 10 year old hacks. So I am thinking about some solid methods of locating these problems. Any ideas?
Ok so after several scans, this is my exact problem and you've explained how it works and how it happened quite well I would like to add. I would be grateful for a 1, 2, 3, this is how you fix it? Malwarebytes spotted the problem after a full scan but says that it can't fix the problem itself.
1 reply · active 851 weeks ago
Thank you for the posting. Like everyone else here I've tried our antivirus, NOD32, and our previous one, McAfee; none of them was able to find this piece of junk.
I had/have this issue going on right now, and another I have noticed is it was blocking my ability to check for updates via Windows Updates...
Thanks for the blog - very helpful in removing this from my system.

Still unclear how it manages to create the sysaudio.sys file on the host ? Javascript within a browser can't normally create or write to files on the host (can it??) ?
I've been looking into the infection code on this thing.. looks like it has a pretty wide repertoire of exploits to use. Picking apart the javascript is very difficult - if you 'wget' it, it seems to be incomplete. Very odd.
I've been fighting this one for about a week now - my computer is pretty clean. BUT - at least once a day it comes back. I use malwarebytes to run a scan - it finds it, quarantines it and deletes successfully. I reboot and my google is no longer hijacked. And the file is no longer in the system32 folder - but to no avail - it comes back within hours and I have to run the scan to delete it again. It has a hook in the registry that keeps bringing it back.
1 reply · active 850 weeks ago
Very helpful. I did a search for sysaudio and found 7 files with that name. Only one was smaller in size and newer than the others. It was in the System32 folder. I deleted it and no more problems. Thank you.
you should also remove the entry for the bad sysaudio.sys file in your registry
If I go to View --> Page Source in Firefox, and I find the "Yahoo! Counter starts... "etc. language, does this mean I've found an infected site?
WOW! I can't say thanks enough for this. I have been pulling my hair out trying kill this exploit on the company presidents workstation for almost a month. You just helped me justify my continued employment. Thanks.

Sandro de Rosa · 849 weeks ago

WATCH OUT BECAUSE WEBSITESOURCE.COM IS INFESTED AS OF 20 December 2008
There is "one" that removes it! it's NOT spybot, nor is it adaware or AVG or McAfee...and the best thing about it that it's FREE! the program is called Malware bytes
http://i40.tinypic.com/119s4jo.jpg
Malwarebytes doesn't get the latest version, which masquerades as "wdmaud.sys". Same 15k Delphi-created DLL, same backwards-text in the hex dump, and IDA still can't make any sense of it...
3 replies · active 847 weeks ago
I have the same problem, google searches and yahoo searches are redirected through the address 7.7.7.0 and then the first page of results gives back bogus results. When I go to http://7.7.7.0/ it gives me a blank white page with only this:

document.write("<div id=_p_></div>");window.onload=function(){try{var u=document.body.getAttribute("unload");if(u)eval(u);}catch(e){}};//

unfortunately I have some updated form of the virus so I'm not seeing it named as "sysaudio.sys". I searched for "wdmaud.sys" and have two of that file in WINDOWS\system32, one 23kb and one that's 14kb. I'm not sure what to do here so I'm trying malwarebytes, hopefully it will work
1 reply · active 848 weeks ago
thank you! that did the trick, everything's working perfectly now
Wow I can't say thanks enough, to everyone but especially miek for making this blog.

I had the wdmaud.sys variety. Malware bytes, ad-aware, NOD32, Spybot SND were all unable to find this file...
I deleted the file, cleared all temp files, and restarted the browser and my searches are no longer hijacked.

However, many say it returns. Though it seems by what miek is saying that it is because an infected site was visited. Hopefully this won't be the case for me but at least now I know the file to delete, thanks!

Are there any registry values from the wdmaud.sys variant that I need to delete?
Thank you very much for this informative post miekiemoes.. I used malwarebytes to remove sysaudio and manually removed the mdmaud.sys and ntnet files in system32 and now have my search results back!
Thank you! I got hit with the wdmaud.sys going to 7.7.7.0. It's load point was under "aux5".
