backdoor win32/cycbot.b

Discussion in 'malware problems & news' started by Saraceno, Jan 7, 2011.

Thread Status:
Not open for further replies.
  1. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Hi,

    Just thought I'd post about a friend's system tonight, who was having problems connecting to the internet.

    First thing I noticed was firefox was running through a proxy. :blink: Changed the settings for no proxy. Obviously this file had only been on the system for an hour or so, so asked whether the user had logged on to facebook, email and internet banking.

    On another connection/system (clean), changed internet banking, facebook and email login details. User said things were 'strange' for a week or so, so I didn't have too much faith in a system restore at this moment, otherwise would have done this right away.

    Ran CCleaner and cleared the temporary internet files.

    Ran a scan with Hitman Pro. Hitman Pro couldn't connect to the internet, but after running an early warning scoring scan (which doesn't require the internet - that's why Hitman Pro kicks ~ Snipped as per TOS ~, with or without the net :) ), resolved the proxy issue and deleted the file (from what I recall) called csrss.exe. :thumb: Thread here on kaspersky forum lists this file.

    Checked Microsoft Security Essentials, and it had quarantined the backdoor file about an hour earlier. See bleepingcomputer's post here on a similar user's experience.

    Next step was downloading Malwarebytes; after an update and scan, it removed several trojan agents and fake AVs, as shown in the kaspersky forum post. After a reboot, Hitman Pro and MBAM removed a number of files. :thumb: :thumb:

    Downloaded emsisoft's hijackfree, just to check the port connections, running processes, autoruns, host file etc. Ran an update in hijackfree, but processes appeared to be ok, from what I could see. Deleted a few unnecessary autoruns, disabled a few programs in services which were set to automatic etc.

    Downloaded portable superantispyware, and ran the internet fix settings, just to be sure. Always placed a lot of values in SAS, and these hijack reset settings. That is, repairing internet zones, IE settings, and so on. Ran all the repairs which took one minute. :thumb:

    Downloaded prevx safeonline, and it identified a few other files to delete, not related to the backdoor file, but some definite suspicious files related to software which was cracked. The lure of cracked software and the unwanted extras they provide! :ninja: The addition of prevx meant, hopefully, keystrokes were protected from now on. Ran a few scans and after deleting a few files manually, and using CCleaner again, it came back clean. Mentioned to the user they should be running prevx full/paid. Best $30 you can spend. :thumb:

    Then downloaded bleepingcomputer's combofix. Killed MSE and disabled prevx, and let combofix run its scans and reboot. All clear after a subsequent reboot.

    Finally, downloaded the emsisoft emergency kit and ran a full scan. No suspicious files found.

    One hour later, nothing more can be found. Hope to run a full scan with malwarebytes, Hitman Pro and prevx tomorrow. Any other suggestions what I should do next, or should have done?

    Thank you in advance.
     
    Last edited by a moderator: Jan 7, 2011
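The proxy hijack described in the post above (Firefox pushed through a proxy, with the system-wide setting changed as well) is the kind of thing worth checking with a script before trusting a cleanup, since a tool that "resolved the proxy issue" in one place can leave it set in another. What follows is an added example, not code from this thread or from any of the tools named in it: it parses a Firefox prefs.js excerpt and a .reg export of the WinINet proxy key and flags any proxy the analyst did not expect. The file contents, the 127.0.0.1:50370 address and all function names are constructed for illustration; the real port used by this backdoor is not given in the thread.

```python
"""Added example (not from the thread): offline triage of proxy settings.

Two artefacts a responder would collect from the affected machine are
parsed and compared against an allow-list of proxies the user really uses:
  * a Firefox prefs.js (network.proxy.* entries)
  * a .reg export of HKCU\\...\\Internet Settings (ProxyEnable / ProxyServer /
    AutoConfigURL), which governs IE and every app that uses the system proxy.
All sample contents, hostnames and ports below are constructed.
"""
import re

# Constructed Firefox prefs.js excerpt: network.proxy.type 1 = manual proxy.
SAMPLE_PREFS_JS = '''\
user_pref("browser.startup.homepage", "https://example.org/");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 50370);
user_pref("network.proxy.share_proxy_settings", true);
'''

# Constructed .reg export of the WinINet proxy values (system-wide setting).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:50370"
"ProxyOverride"="<local>"
'''

PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);')
REG_STR_RE = re.compile(r'^"([^"]+)"="(.*)"$')
REG_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_prefs_js(text):
    """Return {pref_name: value}; strings unquoted, ints converted, bools mapped."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        raw = raw.strip()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def parse_reg_export(text):
    """Return {value_name: value} for REG_SZ and REG_DWORD lines of a .reg dump.
    Key headers are ignored because the constructed sample holds a single key."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        m = REG_STR_RE.match(line)
        if m:
            values[m.group(1)] = m.group(2)
            continue
        m = REG_DWORD_RE.match(line)
        if m:
            values[m.group(1)] = int(m.group(2), 16)
    return values


def find_proxy_findings(prefs, reg, expected_proxies=()):
    """Return a list of (source, detail) tuples for proxies outside the allow-list;
    an empty list means nothing unexpected was found."""
    findings = []
    # Firefox: type 1 is a manual proxy, type 2 is a PAC URL; both are worth a look.
    ptype = prefs.get("network.proxy.type")
    if ptype == 1:
        target = f'{prefs.get("network.proxy.http")}:{prefs.get("network.proxy.http_port")}'
        if target not in expected_proxies:
            findings.append(("firefox prefs.js", f"manual HTTP proxy {target}"))
    elif ptype == 2:
        findings.append(("firefox prefs.js", f'PAC URL {prefs.get("network.proxy.autoconfig_url")}'))
    # WinINet: ProxyEnable=1 plus ProxyServer, which may be "host:port" or
    # a per-protocol list such as "http=host:port;https=host:port".
    if reg.get("ProxyEnable") == 1:
        for entry in reg.get("ProxyServer", "").split(";"):
            target = entry.split("=", 1)[-1]
            if target and target not in expected_proxies:
                findings.append(("WinINet registry", f"system proxy {target}"))
    if reg.get("AutoConfigURL"):
        findings.append(("WinINet registry", f'PAC URL {reg["AutoConfigURL"]}'))
    return findings


def triage(prefs_js=SAMPLE_PREFS_JS, reg_export=SAMPLE_REG_EXPORT, expected_proxies=()):
    """Run both parsers over the supplied text and return the findings."""
    return find_proxy_findings(parse_prefs_js(prefs_js), parse_reg_export(reg_export),
                               expected_proxies)


if __name__ == "__main__":
    for source, detail in triage():
        print(f"[!] {source}: {detail}")
```

On a live machine the registry side can be exported with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" proxy.reg` and the Firefox side read from prefs.js in the user's profile folder; pass the real file contents to `triage()` in place of the constructed samples. A proxy at 127.0.0.1 that the user never configured is the signal the post describes, and both locations should come back clean before the machine is considered fixed.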
  2. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,576
    I would also:

    1. Scan/clean with the AVIRA Rescue System CD. Malware signatures are up-to-date at the time of the download of the AVIRA Rescue CD.

    2. Update/scan/clean with the Kaspersky Rescue Disk 10. "Crank-up" the Heuristics Setting to Maximum, and see what shows up in the scan.

    3. Update/scan/clean with the GData BootCD. It uses both Bitdefender and Avast engines. If possible, "Crank-up" the Heuristics Setting to Maximum, and see what shows up in the scan.

    4. Scan/clean with DrWeb Cureit. Malware signatures are up-to-date at the time of the download. I would just do only the default "Express" Scan since a "Full" Scan may take several hours.
     
    Last edited: Jan 7, 2011
  3. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Thanks for your input. I'll compile a couple of the boot cds today (although, system can run, good to run Avira's and Avast's definitions etc without installing the whole program etc).

    JRViejo - I've kept you on your toes two times in a row now. Won't happen again. ;) :D
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ Saraceno

    Nice rundown of what you did :thumb:

    Did you find out how he got infected ?
     
  5. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    CloneRanger, she mentioned while using one of those file services, think filestube, which can be used for mp3s etc, one of the pop-ups looked like a rogue, such as a 'you're infected'. Except the close button was most likely the install, or maybe it installed after clicking on a link. Basically, filestube and co redirect to file services like 4shared, and other hosting sites that pump out ads.

    I mentioned, what another user said on here the other week, next time a message like that appears, hit ALT + F4 to close your browser.

    The install, and proxy hijack obviously is designed to filter through personal information. Not sure on the speed these guys work, I mean, they might have had 100/1000+ people running through that proxy that evening, and would go through the logs in a few hours or over the next few days.

    But changing the login details asap was the best bet. Even if you do a complete reinstall, login details have hopefully not been compromised yet.

    Example, just searching for a song on those sites, leads to various pop-ups, and many links to confuse a user of the real 'download' link. Such as 'faster download link here', or 'high speed download link here'. Many pop-ups can be fullscreen. Here are a couple of small ones from just a quick search now:

    example 1.jpg example 2.jpg

    This one seems to try to 'hijack' the mouse. User wants a song, gets locked-in to another site/download.
    example 3.jpg
     
    Last edited: Jan 7, 2011
  6. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    I thought it was pretty obvious or am I mistaken?

    And regarding compiling boot-CD's;
    Check out Sardu/Shardana AntiVirus Rescue Disc Utility link.
    No need to compile yourself, it's been done already :)
     
  7. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Thanks for the link Baserk. Some good resources there more users should know about. Didn't know that one existed. :cool:

    The cracked software prevx identified may have been the culprit, but may have been part of the overall system problems. I'm still not sure if MSE, by quarantining cycbot.b, meant this 'infection' didn't roll out how it intended to.

    My guess is MSE stopped a part of the process. At least with prevx safeonline now installed, if something else happens/re-installs, at least I know all the financial details are safe.

    prevx 1.jpg
    prevx 2.jpg

    Here's microsoft's write-up on what the file does when it's fully installed.
    http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor:Win32/Cycbot.B
     
  8. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    @ Saraceno

    Thanks for the extra info and screenies which explain more :thumb:
     
  9. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    So the computer was being protected with MSE alone prior to the infections? If so, was MSE updated and had the correct settings?

    Also, so Prevx detected cracked programs but Prevx in Hitman Pro did not?
     
  10. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Correct.

    From looking at the MS article on the full infection, it seems MSE did a good job in stopping the subsequent programs from uninstalling, as all the other registry settings etc such as a second svchost in the appdata folder aren't there. So it grabbed 2 x backdoor files within 20 mins of each other. You'll notice they've updated their 'detection' for it on the same day as it hit this system.

    Meaning, the user's detection, and others who most likely clicked on the same link, gave the guys at Microsoft the chance to analyse the file and see what it does, and add further protection for others in the community using MSE.

    When I first ran Hitman Pro, it didn't have any internet connection, as the proxy was changed system-wide. I removed the proxy on firefox, but hitman pro couldn't connect. The early warning scoring managed to fix the proxy issue and remove a malicious file, with no internet connection, meaning its behavioural scanning works.

    I should have run a full scan with Hitman Pro again, but after reboot, I had already downloaded MBAM, and chose to run MBAM, and move on to Combofix etc. Hitman Pro most likely would have picked up these other files (you'll notice its early warning scoring, without the internet, did grab one of the main files listed in the MS article), but I guess I was working on the spot, and had someone 'panicking' about possible loss of their email/facebook/banking details, so was doing the best I could. Additional hitman pro scans at the end revealed all was clear.

    We can all do a better job, if handed a system, and given overnight to look at it, but when someone is in your ear, saying 'fix it' with a bewildered look on their face, and it's 11pm at night, I was pressed for time. For example, had to cancel the superantispyware scan, and chose to scan with prevx (and delete the cracked program files manually). I would have liked to run Emsisoft's scan or Dr Web, but these would have taken an hour or more.

    You have a preference to utilise what you normally use. I currently use MSE + prevx, hitman pro and MBAM. Other programs could have done the job, such as Dr Web, Avira bootscan and so on, and programs such as Mamutu might have stopped this in its tracks from the get go.

    Guess it's all a lottery which malicious file will break through and what you're currently using at the time. Best thing you can do is have a few strong programs at your disposal. I feel prevx, MSE, hitman pro and MBAM are some of the best around - but others used by members here are equally as good.
     
    Last edited: Jan 9, 2011
  11. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Just a final follow-up, scanned again with Hitman Pro, Malwarebytes, Prevx and the Kaspersky Virus Removal Tool.

    Seems to be in the clear. :)
     
  12. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,576
    What do you think about the Kaspersky Virus Removal Tool? Did it take very long for the scan?

    Thanks in Advance.
     
  13. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Kaspersky's tool is one of the best around. Options to configure with the scan, what to do with malicious files found, how deep you want it to scan, and best of all, uninstalls itself if you want it to.

    I'll probably try this tool first next time as Kaspersky is low in false positives and very thorough with the scanning. For those interested, can get either from developer's site or softpedia's.

    Great back-up scanner, regardless what AV software you use.

    Noticed you use Nod, I've found their online scan to be great too in the past. Now works in non-IE browsers (separate download).
     
    Last edited: Jan 11, 2011