## Wednesday, October 1, 2008

### MySpace/Facebook worm causes confusion in HijackThis logs

This blog post is actually a warning for people who are helping others get rid of this worm via HijackThis logs.
http://www.kaspersky.com/news?id=207575670

This worm is also known as Net-Worm.Win32.Koobface.*

The files responsible for this infection are:

%WinDir%\kenny**.exe (** stands for a number, in this case 16, 17, 18, ...), runs from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with the display name sysftray2
%WinDir%\fmark2.dat
%ProgramFiles%\TinyProxy\TinyProxy.exe or %ProgramFiles%\ProtectService\ProtectService.exe, which runs as a service.

It also sets the proxy to http=127.0.0.1:8181.
To fix this:
In IE: Tools menu -> Internet Options -> Connections tab -> LAN Settings -> uncheck "Use a proxy server", or reconfigure the proxy server in case you had set one yourself previously.
In Firefox: Tools menu -> Options... -> Advanced tab -> Network tab -> "Settings" under Connection.

To remove this infection, delete the %ProgramFiles%\TinyProxy folder or %ProgramFiles%\ProtectService folder it has created, plus the %WinDir%\fmark2.dat and %WinDir%\kenny**.exe files, and restore the proxy settings.
It's recommended that you do this in Windows Safe Mode, since this infection (mainly the service) is active in Windows normal mode.

Now, what's the confusion with HijackThis logs and the people who guide others through malware removal via HijackThis logs...

Let me explain how HijackThis.exe enumerates services.
For example, let's take the legitimate NVIDIA display service:

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

What's between the brackets is the service name, in this case "NVSvc". That's the name under which the service is registered in the registry.
The display name is "NVIDIA Driver Helper Service". This is how you see it in services.msc, for example. It is stored under the service's key in the value "DisplayName".
The "C:\WINDOWS\system32\nvsvc32.exe" part comes from the "ImagePath" value under the "NVSvc" key: the file that actually runs as the service.

If there are no brackets, the service name is the same as the display name, for example:

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

In this case, "Apple Mobile Device" is both the service name and the display name.

If you check and fix an O23 entry in HijackThis, HijackThis doesn't delete the service; it disables it instead. That is, it changes the "Start" value of the service to dword:00000004, which means disabled.
So when a malicious service is present and you fix it in HijackThis, the service isn't removed, only disabled.
That's why many helpers who guide people through HijackThis logs are taught to delete the service from the registry as well. The sc delete "servicename" command is the one commonly used here.

Now let's look at one of these malicious TinyProxy.exe or ProtectService.exe services.
This is how they look in a HijackThis log.

Some examples:

O23 - Service: Network Connections (Netman) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe
O23 - Service: Logical Disk Manager (dmserver) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe
O23 - Service: Apple Mobile Device (Apple Mobile Device) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe
O23 - Service: Network Connections (Netman) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe
O23 - Service: NMIndexingService (NMIndexingService) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe
O23 - Service: DHCP Client (Dhcp) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe

O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\Program Files\ProtectService\ProtectService.exe
O23 - Service: Workstation (lanmanworkstation) - Unknown owner - C:\Program Files\ProtectService\ProtectService.exe
O23 - Service: Fast User Switching Compatibility (FastUserSwitchingCompatibility) - Unknown owner - C:\Program Files\ProtectService\ProtectService.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\Program Files\ProtectService\ProtectService.exe
O23 - Service: Computer Browser (Browser) - Unknown owner - C:\Program Files\ProtectService\ProtectService.exe

Let's take O23 - Service: Network Connections (Netman) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe as an example.

People who are used to working with HijackThis logs would think: "Netman" is the service name and "Network Connections" is the display name.
Yes, that's how it looks.
But the service "Netman" is a LEGITIMATE service, and the display name "Network Connections" is LEGITIMATE as well. Normally HijackThis whitelists these services.
So what now? Does that mean the service in the registry was modified, and the "ImagePath" value under the "Netman" key was changed to "C:\Program Files\TinyProxy\TinyProxy.exe" instead of %SystemRoot%\system32\svchost.exe -k netsvcs (the default value for this service)?
Yes, that's a possibility... we've seen it before.
In such cases, after you have removed the offending folder C:\Program Files\TinyProxy, you need to restore the default "ImagePath" value to the legitimate one again.

HOWEVER, I found out that this infection isn't modifying any legitimate services at all!
After a bit of research (comparing logs and testing with some dummy services) it appears that this infection creates a new service instead, but makes sure its name matches a legitimate service, which causes extra confusion in HijackThis logs.
Example:

Let's create the service:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Connections (Netman)]
"Displayname"="Network Connections (Netman)"
"ImagePath"=hex(2):25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,\
6c,00,65,00,73,00,25,00,5c,00,54,00,69,00,6e,00,79,00,50,00,72,00,6f,00,78,\
00,79,00,5c,00,54,00,69,00,6e,00,79,00,50,00,72,00,6f,00,78,00,79,00,2e,00,\
65,00,78,00,65,00,00,00
<== which translates to %ProgramFiles%\TinyProxy\TinyProxy.exe
"Start"=dword:00000002 <== which means "autostart"
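To make the export above concrete, here is an added Python example (not part of the original post, and not HijackThis or Kaspersky code) that parses a .reg excerpt like the one shown: it re-joins the backslash-continued hex(2) lines, decodes the UTF-16LE REG_EXPAND_SZ bytes back to %ProgramFiles%\TinyProxy\TinyProxy.exe, reads the dword "Start" type, and returns the service key name exactly as written between the brackets, trailing space included. The .reg text inside the block is constructed from the export above; the START_TYPES mapping (2 = auto, 3 = manual, 4 = disabled) uses the standard Windows service start values.

```python
import re

# Constructed .reg excerpt modelled on the export in the post: the *key name* is
# "Network Connections (Netman)", not "Netman". Continuation lines carry the two
# leading spaces a real export uses.
REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Connections (Netman)]
"Displayname"="Network Connections (Netman)"
"ImagePath"=hex(2):25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,\
  6c,00,65,00,73,00,25,00,5c,00,54,00,69,00,6e,00,79,00,50,00,72,00,6f,00,78,\
  00,79,00,5c,00,54,00,69,00,6e,00,79,00,50,00,72,00,6f,00,78,00,79,00,2e,00,\
  65,00,78,00,65,00,00,00
"Start"=dword:00000002
"""

# Service start types as stored in the "Start" value (standard Windows values).
START_TYPES = {2: "auto", 3: "manual", 4: "disabled"}


def join_continuations(text):
    """Re-join lines that a .reg export wrapped with a trailing backslash."""
    lines = []
    for raw in text.splitlines():
        if lines and lines[-1].endswith("\\"):
            lines[-1] = lines[-1][:-1] + raw.strip()
        else:
            lines.append(raw)
    return lines


def decode_value(rhs):
    """Decode the right-hand side of a "name"=value line."""
    if rhs.startswith('"') and rhs.endswith('"'):                   # REG_SZ
        return rhs[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if rhs.startswith("dword:"):                                    # REG_DWORD
        return int(rhs[len("dword:"):], 16)
    m = re.match(r"^hex(?:\((\d+)\))?:(.*)$", rhs)
    if m:
        kind = int(m.group(1) or 3)        # bare "hex:" is REG_BINARY (type 3)
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if kind in (1, 2):                 # REG_SZ / REG_EXPAND_SZ are UTF-16LE
            return raw.decode("utf-16-le").rstrip("\x00")
        return raw                         # other types: return the bytes as-is
    raise ValueError("unsupported value syntax: " + rhs)


def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}} for a .reg export."""
    keys = {}
    current = None
    for line in join_continuations(text):
        if not line.strip():
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]           # keep any trailing space inside the brackets
            keys[current] = {}
        elif current is not None and "=" in line:
            name, rhs = line.split("=", 1)
            keys[current][name.strip('"')] = decode_value(rhs)
    return keys


def service_key_name(key_path):
    """The service name is the last component of the key path (spaces included)."""
    return key_path.rsplit("\\", 1)[-1]


def describe_services(text):
    """Summarise each service key: name, display name, ImagePath and start type."""
    summary = {}
    for key_path, values in parse_reg(text).items():
        name = service_key_name(key_path)
        display = values.get("DisplayName", values.get("Displayname", name))
        summary[name] = {
            "display": display,
            "image": values.get("ImagePath"),
            "start": START_TYPES.get(values.get("Start"), values.get("Start")),
            # when these are equal, HijackThis prints just the display name
            "display_equals_name": display == name,
        }
    return summary


if __name__ == "__main__":
    for name, info in describe_services(REG_EXPORT).items():
        print(repr(name), info)
```

The key name is returned with `repr()` so that a trailing space, which a forum or a blog engine would silently trim, stays visible.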

The service "Network Connections (Netman)" isn't legitimate, since the legitimate service is actually "Netman".
But since the "DisplayName" in the above example matches the service name, it will show up in a HijackThis log as:

O23 - Service: Network Connections (Netman) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe

While the service name is actually "Network Connections (Netman)" and NOT "Netman"!!

The result of this is that many helpers look at the service name in HijackThis (the one between brackets) and, since it has a malicious file attached, some don't think any further and assume that the service itself is malicious as well (not realising it may be a legitimate service). The result: they ask the user to delete the legitimate service from the registry using the sc.exe delete command.
And yes, a ThreatExpert report also reveals how it created its service. Example: http://www.threatexpert.com/report.aspx?uid=b72eb6f9-00dd-442b-8a08-f095ca088e31
In ThreatExpert's example..
"TrkWks" is the LEGITIMATE service, but in this case, as you can see in the above report, the service "Distributed Link Tracking Client (TrkWks) " was created.
This is slightly different from what I tested with dummy services, but it does make sense. In the above example, the service has an extra space after the service name, and since the "DisplayName" is the same, it shows like this in an original HijackThis log (since display name and service name match):

O23 - Service: Distributed Link Tracking Client (TrkWks)  - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe (note the extra space between "(TrkWks)" and the "-")**

But since people post this on forums, the forum software strips that extra space anyway.
The same applies to the ThreatExpert report itself, imho, which also strips the extra space in the service name/service key if no subkeys are attached.
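The ambiguity described above can be shown mechanically. The following is an added Python example, not the post's or HijackThis's own code, built on a constructed snapshot of the Services hive: the legitimate Netman and TrkWks keys next to the rogue keys from the post, with the TrkWks rogue key carrying the trailing space seen in the ThreatExpert report. It renders O23 lines the way the post says HijackThis does (display name, with the key name in brackets only when the two differ), shows that the legitimate and the rogue key produce an identical "Network Connections (Netman)" label, and resolves a posted line back to every key name it could mean before deciding which one is safe to sc delete. The rendering rule, the "Unknown owner" text, the environment expansion, the start types and the default ImagePath for TrkWks are assumptions taken from the post's description, not read from HijackThis or a real system.

```python
import re

# Constructed snapshot of HKLM\SYSTEM\CurrentControlSet\Services, keyed by the exact
# service key name. Legitimate Netman/TrkWks sit next to the rogue keys the post
# describes; the rogue TrkWks key carries the trailing space seen on ThreatExpert.
SVCHOST = r"%SystemRoot%\system32\svchost.exe -k netsvcs"
ROGUE = r"%ProgramFiles%\TinyProxy\TinyProxy.exe"
SERVICES = {
    "Netman": {"DisplayName": "Network Connections", "ImagePath": SVCHOST, "Start": 3},
    "Network Connections (Netman)": {
        "DisplayName": "Network Connections (Netman)", "ImagePath": ROGUE, "Start": 2},
    "TrkWks": {"DisplayName": "Distributed Link Tracking Client", "ImagePath": SVCHOST, "Start": 2},
    "Distributed Link Tracking Client (TrkWks) ": {
        "DisplayName": "Distributed Link Tracking Client (TrkWks) ", "ImagePath": ROGUE, "Start": 2},
}

# Default ImagePath of the legitimate services (Netman as given in the post; TrkWks is
# assumed here, it is another svchost/netsvcs service on Windows XP).
DEFAULT_IMAGEPATH = {"Netman": SVCHOST, "TrkWks": SVCHOST}

ENV = {"%SystemRoot%": r"C:\WINDOWS", "%ProgramFiles%": r"C:\Program Files"}  # constructed


def expand(path):
    """Expand the two environment variables used in the snapshot."""
    for var, value in ENV.items():
        path = path.replace(var, value)
    return path


def hjt_o23_line(services, key_name, owner="Unknown owner"):
    """Render a service as an O23 entry the way the post describes HijackThis doing it:
    the display name, with the key name in brackets only when the two differ."""
    values = services[key_name]
    display = values["DisplayName"]
    shown = display if display == key_name else f"{display} ({key_name})"
    return f"O23 - Service: {shown} - {owner} - {expand(values['ImagePath'])}"


def hjt_fix(services, key_name):
    """What 'fixing' an O23 entry does: Start becomes 4 (disabled); the key stays."""
    services[key_name]["Start"] = 4
    return services[key_name]["Start"]


O23_RE = re.compile(r"^O23 - Service: (?P<shown>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


def candidate_key_names(shown):
    """Every key name an O23 label could stand for. 'Display (Key)' may be the key 'Key',
    or a key literally named 'Display (Key)'; forum software trims trailing spaces, so
    the space-suffixed spelling is tried as well."""
    names = [shown]
    m = re.match(r"^(.*) \((.+)\)\s*$", shown)
    if m:
        names.append(m.group(2))
    stripped = shown.rstrip()
    for variant in (stripped, stripped + " "):
        if variant not in names:
            names.append(variant)
    return names


def resolve(services, line):
    """Map an O23 line to the registry keys that actually exist, with their ImagePath."""
    m = O23_RE.match(line)
    if not m:
        raise ValueError("not an O23 line: " + line)
    return {name: services[name]["ImagePath"]
            for name in candidate_key_names(m.group("shown")) if name in services}


def classify(services, line):
    """Decide, per existing key, what a helper should do before running sc delete."""
    verdicts = {}
    for name, path in resolve(services, line).items():
        if name in DEFAULT_IMAGEPATH:
            if path.lower() == DEFAULT_IMAGEPATH[name].lower():
                verdicts[name] = "legitimate: leave alone"
            else:
                verdicts[name] = "legitimate name, hijacked ImagePath: restore ImagePath, do not delete"
        else:
            verdicts[name] = "rogue key: remove its file, then sc delete this exact key name"
    return verdicts


if __name__ == "__main__":
    legit = hjt_o23_line(SERVICES, "Netman")
    rogue = hjt_o23_line(SERVICES, "Network Connections (Netman)")
    print(legit)
    print(rogue)    # same label as the legitimate entry, different ImagePath
    for name, verdict in classify(SERVICES, rogue).items():
        print(f"{name!r}: {verdict}")
```

The point of `candidate_key_names` is that the label between "O23 - Service:" and the first " - " is not enough to name a key: it has to be checked against the real key names, spaces and all, before anything is deleted.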

** After I posted this, I noticed that this blog post also strips the extra space after the service name..

Anyway.. imho, I'm pretty sure that whoever developed this infection is well aware of HijackThis and how it displays its entries, and did this to cause some extra confusion for helpers.
And that's why I posted this warning in the first place, because I've seen it happen a couple of times already. Legitimate services were deleted, with the result that there was no internet access anymore, or something else was broken because of this confusion in HijackThis.
That's why, before you delete a service from the registry, first make sure it's not a legitimate service!

I have not played with this infection itself yet (no samples available), so my analysis is based only on logs, research and testing.
Samples are welcome. :-)