Monday, October 13, 2008

Fake sysaudio.sys causes Searchengine Hijack

What is this infection about...
It actually loads a script, so searchengine results are loaded within a script. For example, when you research something in google or another searchenigine, you get this when you view the source:

script scr= //78. 157. 142. 58/ and then the searchengine results.
or
script scr= //209 .85 .171 .9/ and then the searchengine results.
(more may be present as well)

So, whenever a popular searchengine is being used, a script is loaded to insert its results. For example, a search for: "How to remove rootkits with icesword", you get irrelevant results. Screenshot here:


This only applies for the first page of the results.

It looks like stopzilla.com is also promoted via this piece of malware
Example:


As far as I know.. this one is getting installed via a "Yahoo! Counter starts here" javascript (which is a malicious script and not related with Yahoo) injected on many forums/sites/blogs.

The responsible file for the searchengine hijack is sysaudio.sys, (which is actually a DLL) dropped in the %sysdir% folder (system32 folder).

Note - do NOT confuse this one with the legitimate sysaudio.sys file which is present in the %sysdir%\drivers folder!!! So don't delete the legitimate %sysdir%\drivers\sysaudio.sys file!

The loading point for the fake sysaudio.sys is under the
HKLM\software\microsoft\windows nt\currentversion\drivers32 key
with value and valuedata:

"aux"="sysaudio.sys" or
"aux2"="sysaudio.sys"

Legitimate valuedata for "aux" should be wdmaud.drv or mmdrv.dll or ctwdm32.dll (those are the most common legitimate ones I've seen so far, there could be more)

Other files the fake sysaudio.sys may use are divx.nls or ntnet.drv which is also present in the %sysdir% folder.
(could be more already - newer variants)

Anyway, this is another method being used to "hide" its presence because it causes confusion with legitimate files/keys. So be cautious if you think you're dealing with this one and do not delete the legitimate sysaudio.sys file present in the system32\drivers folder or "aux" value in the registry. Ask for help if you're not sure.


UPDATE!!!
A new variant is Windows\system32\wdmaud.sys <== bad one
The legitimate ones are Windows\system32\wdmaud.drv and Windows\system32\drivers\wdmaud.sys, so don't delete those!!

UPDATE2!!!

And again a new variant around. Malwarebytes' Anti-Malware detects this one as Trojan.Gumblar or Trojan.JSRedir. (previous variants were detected as Trojan.Daonol)
Redirections go for example to 209.85.171.199 - or you see 7.7.7.0 in the status bar.
This time, it uses a random file name. To find out, browse to the HKLM\software\microsoft\windows nt\currentversion\drivers32 key in the registry and look what's present under the "aux" values (aux1, aux2, aux3, aux4..) One of them is the cause. It's a "weird" looking filepath and name, examples are: "C:\WINDOWS\system32\..\sjkemx.iqd" or "C:\WINDOWS\system32\..\kvlhurx.niq" or "c:\docume~1\%username%\LOCALS~1\Temp\..\herlppj.sna" - note the reference named ".." which actually refers to "go up two levels". To find the file itself, easiest way is via Windows search. If it comes back immediately after you have removed it, you can use the "Hijackthis - Delete on reboot" option, or any other tool that is able to delete files on reboot.
In case you can't launch regedit (crashes when you launch it), rename regedit and try again.
If you're unsure, don't delete anything, but ask help instead.

Update: A Great, detailed writeup by MAD (French)

To receive help to remove the infection or similar infections, register at one of the forums present on the right, or register at my personal forum here. It's a dutch forum but I also give english support.

Related Posts by Categories