Wilders Security Forums > Official BrightFort Forum > SpywareBlaster & Other Forum
#1  CloneRanger, May 29th, 2012, 09:24 PM
CLSID's for the sKyWIper infection

It would be nice if someone could provide them for the following OCXs, to manually include in SB:

advnetcfg.ocx - bb5441af1e1741fca600e9c433cb1550
msglu32.ocx - d53b39fb50841ff163f6e9cfd8b52c2e
mssecmgr.ocx - bdc9e04388bda8527b398a8c34667e18
nteps32.ocx - c9e00c9d94d1a790d5923b050b0bd741
soapr32.ocx - 296e04abb00ea5f18ba021c34e486746

And others that appear.
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air
#2  CloneRanger, May 31st, 2012, 06:32 PM
Re: CLSID's for the sKyWIper infection

I managed to find 2 to include:

CLSID (6994AD04-93EF-11D0-A3CC-00A0C9223196)

CLSID (6994AD04-93EF-11D0-A3CC-00A0C9223196)

Courtesy of - http://blog.fireeye.com/research/201...-analysis.html
#3  redwolfe_98, June 1st, 2012, 02:30 AM
Re: CLSID's for the sKyWIper infection

CloneRanger, adding ActiveX kill bits for the ActiveX controls that are used by "skywiper" is a good idea. However, as far as the two CLSIDs that you associated with "skywiper": first, the two CLSIDs that you listed are actually the same CLSID, so you actually only have one CLSID listed. Second, the CLSID that you cited appears to be a legitimate CLSID that shouldn't be blocked.

Here is what Google pulled up for the CLSID:

http://www.google.com/search?num=20&...6}&btnG=Search
__________________
win xpsp3, "windows firewall", avira 12 premium, SSM, RegDefend

Last edited by redwolfe_98 : June 1st, 2012 at 05:33 AM.
#4  CloneRanger, June 1st, 2012, 11:58 AM
Re: CLSID's for the sKyWIper infection

@ redwolfe_98

Quote:
adding activex-killbits for the activex controls that are used by "skywiper" is a good idea..

Thanks

Quote:
however, as far as the two CLSID's that you associated with "skywiper", first, the two CLSID's that you listed actually are the same CLSID, so you actually only have one CLSID listed..

Oops, my bad, so it is! Thanks

Quote:
second, the CLSID that you cited appears to be a legitimate CLSID that shouldn't be blocked..

In the http://blog.fireeye link I posted, it says this:

Quote:
CLSID (6994AD04-93EF-11D0-A3CC-00A0C9223196) appears to be the Audio GUID for the KS Media sound card driver, as published by ReactOS, which is supposed to be binary compatible with Microsoft Windows. The malware performs these registry key additions as part of its ability to record audio from the compromised system's microphone.

So as it's a ReactOS .DRV, I wouldn't have expected many people, if any at all, to have it. In which case my thinking was that blocking it via the CLSID trick wouldn't be a problem! If this isn't the case, I'm sorry for any inconvenience. I just thought these CLSID tricks "might" help. Anyway, if the CLSID (6994AD04-93EF-11D0-A3CC-00A0C9223196) "is" a no go, the CLSIDs for other ActiveX controls, if obtainable, would block the nasties, I'm sure.
#5  CloneRanger, June 1st, 2012, 02:25 PM
Re: CLSID's for the sKyWIper infection

Here's another which you "might" be able to make use of: {0AFACED1-E828-11D1-9187-B532F1E9575D}

Quote:
Flamer uses some special tricks to bypass this behavior. Three CLSID entries are added to the ShellClassInfo section with a specially chosen CLSID.

http://www.symantec.com/connect/blog...s-and-exploits
#6  redwolfe_98, June 5th, 2012, 04:33 AM
Re: CLSID's for the sKyWIper infection

Quote:
Originally Posted by CloneRanger
Here's another which you "might" be able to make use of {0AFACED1-E828-11D1-9187-B532F1E9575D}

Nope, that CLSID, too, is legitimate and shouldn't be blocked.

I did a Google search for "{0AFACED1-E828-11D1-9187-B532F1E9575D}" and pulled up some information about it:

http://www.google.com/search?num=20&...=Google+Search

I also searched my computer's "registry" and found a couple of instances of the CLSID (I am running Windows XP).

Sometimes legitimate regkeys (or, in this case, a "CLSID") are associated with malware but are used for legitimate purposes as well. Just because a regkey (or CLSID) was used by malware, that doesn't necessarily mean that the regkey, or CLSID, is malicious.
Last edited by redwolfe_98 : June 5th, 2012 at 11:29 AM.
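A check in the spirit of the registry search described in the post above, added here as an example and not taken from the thread or from SpywareBlaster: it reports where a given CLSID is registered on the local machine and whether an Internet Explorer ActiveX kill bit (the documented Compatibility Flags value 0x400 under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility) is already set for it, so a CLSID can be judged against the local system before it is added to a block list. The default CLSIDs are the two discussed in this thread; checking the Wow6432Node hive as well is an assumption about 64-bit systems.

```powershell
# Added example (not from the thread): show where each CLSID is registered
# and whether an ActiveX kill bit is already set for it.
param(
    [string[]]$Clsid = @(
        '{6994AD04-93EF-11D0-A3CC-00A0C9223196}',   # CLSIDs discussed in the thread
        '{0AFACED1-E828-11D1-9187-B532F1E9575D}'
    )
)

$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBitFlag = 0x400   # bit in 'Compatibility Flags' that stops IE from loading the control

# Class hives to inspect; Wow6432Node only exists on 64-bit Windows (assumption).
$ClassHives = 'HKLM:\SOFTWARE\Classes',
              'HKLM:\SOFTWARE\Wow6432Node\Classes',
              'HKCU:\SOFTWARE\Classes'

foreach ($id in $Clsid) {
    $result = [ordered]@{ CLSID = $id }

    # Registration: collect the default description and the InprocServer32
    # DLL path from every hive that actually contains the CLSID key.
    $hits = @()
    foreach ($hive in $ClassHives) {
        $key = Join-Path $hive "CLSID\$id"
        if (Test-Path $key) {
            $name   = (Get-ItemProperty $key -ErrorAction SilentlyContinue).'(default)'
            $server = (Get-ItemProperty (Join-Path $key 'InprocServer32') -ErrorAction SilentlyContinue).'(default)'
            $hits += "$hive : $name -> $server"
        }
    }
    $result.Registered = if ($hits) { $hits -join '; ' } else { 'not registered on this system' }

    # Kill bit: present only if the ActiveX Compatibility subkey exists and
    # its 'Compatibility Flags' DWORD has bit 0x400 set.
    $kbKey = Join-Path $KillBitRoot $id
    $flags = if (Test-Path $kbKey) {
        (Get-ItemProperty $kbKey -ErrorAction SilentlyContinue).'Compatibility Flags'
    }
    $result.KillBitSet = [bool]($flags -band $KillBitFlag)

    [pscustomobject]$result
}
```

A CLSID that resolves to a Windows or driver DLL under HKLM:\SOFTWARE\Classes, as the post describes for the two above, is one a kill bit would break for legitimate users.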
#7  CloneRanger, June 9th, 2012, 03:22 AM
Re: CLSID's for the sKyWIper infection

@ redwolfe_98

Hi, OK, thanks for the info. No other CLSIDs appearing for this? Anyway, the danger is probably over now, as most anti's detect it one way or another. Plus it's started to delete itself.

I guess it won't be the last we see of it though, in some form or another!