Guidelines for Helpers and Advanced users

Discussion in 'news, general information and FAQs' started by Pieter_Arntz, Nov 7, 2003.

Thread Status:
Not open for further replies.
  1. Pieter_Arntz
    Offline

    Pieter_Arntz Spyware Veteran

    Hijacker using random named dll's, usually posing as part of another popular program:

    SafeGuard aka Veevo

    Log examples:

    O2 - BHO: Core Library - {F281FFC7-6C63-4bf9-83F2-AB7A6157B109} - C:\WINDOWS\System32\KDP0d92.dll
    O4 - HKLM\..\Run: [Kazaa Download Accelerator Updater (required)] regsvr32 /s C:\WINDOWS\System32\KDP0d92.dll

    O2 - BHO: (no name) - {6E1C5E3D-A8E6-4a92-820F-BFCFE45BA158} - C:\WINDOWS\System32\veev2506.dll
    O4 - HKLM\..\Run: [Popup Blocker Updater] regsvr32 /s C:\WINDOWS\System32\veev2506.dll

    CLSID's in use and the corresponding filenames are:

    {564FFB73-9EEF-4969-92FA-5FC4A92E2C2A} sfg_****.dll
    {6CDF3C49-20E6-48d7-811B-9F5DD17F1D90} sfg****.dll, veev****.dll (* = random char)
    {6E1C5E3D-A8E6-4a92-820F-BFCFE45BA158} veev****.dll (* = random char)
    {6E34D984-4054-45E3-8452-0159A2F0D232} Veevo.dll
    {83B3E0C1-DEF1-4df5-A3F5-92D10B7A396A} sfg****.dll (*=random char)
    {A23AB93D-6CFF-442c-BB8A-41F6145F47E7} PDF****.dll (* = random char)
    {A44B961C-8C36-470f-8555-EDA0EFC1E710} popupblocker.dll, popupDefence.dll
    {B824E7B0-E8E3-4D75-895E-2C309EA4CC5D} Sgpopupblocker.dll
    {D4D505DF-D582-400c-91B6-84921012AFE3} pdfupd.dll / PDF****.dll
    {E9C1FD9A-46B0-4185-84ED-E2F8ACD4A262} kdp****.dll (* = random char)
    {F281FFC7-6C63-4bf9-83F2-AB7A6157B109} kdpupd.dll, kdp****.dll (* = random char)
    Last edited: Nov 27, 2004
  2. Pieter_Arntz
    Offline

    Pieter_Arntz Spyware Veteran

    Using random filenames it downloads and installs

    SaveNow

    Log examples:

    O4 - HKLM\..\Run: [hpsysconf1] C:\WINNT\system32\nftvqvk.exe

    O4 - HKLM\..\Run: [hpsysconf1] C:\WINDOWS\System32\wgsstip.exe

    Fix the Startup entries, delete the files and check under Add/Remove Programs for the presence of Save aka SaveNow aka WhenUSave and uninstall it.
  3. Pieter_Arntz
    Offline

    Pieter_Arntz Spyware Veteran

    Another downloader for adware using random filenames contacting these domains:
    newupdates.lzio.com
    updates.lzio.com

    TROJ_VIVIA.A

    Log examples:

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://newupdates.lzio.com/augnew_1.htm...1086746781
    O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\System32\dhxpgpk.exe

    O4 - HKLM\..\Run: [nssysconf] C:\WINDOWS\System32\nmryaph.exe
  4. Pieter_Arntz
    Offline

    Pieter_Arntz Spyware Veteran

    A BHO in the Windows directory that uses random CLSID's but a fixed filename (lbbho.dll).

    RelatedLinks

    Log examples:

    O2 - BHO: LBBHO - {EFD84954-6B46-42f4-81F3-94CE9A77052D} - C:\WINDOWS\lbbho.dll

    O2 - BHO: C:\WINDOWS\lbbho.dll - {7FEFE602-B07B-42B7-BDB9-E321342F999B} - C:\WINDOWS\lbbho.dll

    Removal instructions and write-up by Kephyr
  5. Pieter_Arntz
    Offline

    Pieter_Arntz Spyware Veteran

    Using a randomly named .dat file as a BHO, this adware logs keystrokes and displays advertising messages periodically.

    VirtuMonde aka Troj/AgentSpy

    Known CLSID's that are used with this BHO:

    {02F96FB7-8AF6-439B-B7BA-2F952F9E4800}
    {18722863-6D1D-4300-BF29-406948EDA7CB}
    {2316230A-C89C-4BCC-95C2-66659AC7A775}
    {2527BEEF-1B3C-4D3B-98F0-7F3C1EB910A0}
    {30279F2D-1A38-4785-97D4-5C3508BDB289}
    {3EC8E271-FAB9-418a-8A8E-65AEB4029E64}
    {446CF8A5-617E-4D91-95AE-AE78CE0D06AF}
    {44E5B409-35A2-4E8D-BF94-344222323A53}
    {55E301E5-BA44-4095-BB0B-14E0123CCF71}
    {60112085-E1CE-4e0e-823A-EBB1AD98804C}
    {68132581-10F2-416E-B188-4E648075325A }
    {6A06CDAD-9D2D-42A0-9C91-C0CF7CB9971B}
    {72AC6865-B1D3-4C32-A27B-4B3BF04DE655}
    {73529697-D46A-4F7D-8A93-01378FCAEDA4}
    {77849D67-5672-4B68-93E2-CCEFF1E3949E}
    {8109AF33-6949-4833-8881-43DCC232B7B2}
    {870B70D4-F6DA-47AE-9158-D146440A0A4D}
    {98BC949B-3D81-4750-836F-4BC57BD032EE}
    {BB54DE33-E539-4749-BFAC-CC49617E8F2A}
    {BF755B85-EA69-4F58-9A59-D85F384A15FF}
    {C69FA570-7FDE-4C49-A7BC-CB1CF24BE66B}
    {D487068E-9B04-4FE5-8A83-08344F800BF5}
    {D6964FD8-3AF1-4A2A-ABB7-3D0C62924FD6}
    {DF57FEB6-9BCE-45E3-AA65-BE327B8CCE7F}
    {ED5ABC42-8E4F-4C39-9972-F0CF619D672F}
    {F32F8ECD-6CF3-459D-82F2-9738392C85A8}
    {FD8609EC-7D7C-4778-AB8F-0053245550EF}
    {FF4D5071-EE0E-4DCA-BC1C-D776B0F2276E}

    Log examples:

    O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\[username]\LOCALS~1\Temp\4dpUswodniW.dat
    O2 - BHO: CATLEvents Object - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\WINDOWS\TEMP\YEKCBDO.DAT

    O4 - HKLM\..\Run: [WindowsUpd] C:\WINDOWS\WindowsUpd4.exe
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\WindowsUpd4.exe
    O4 - HKLM\..\Run: [WindowsUpd4] C:\WINDOWS\WindowsUpd4.exe

    ( Example of O4's with * but without rerun or ren at end of file name.)
    O4 - HKLM\..\Run: [*JAVAAD] C:\WINDOWS\APPPATCH\JAVAAD\JAVAAD.EXE
    O4 - HKLM\..\Run: [*VSSIP] C:\WINDOWS\WEB\VSSIP.EXE

    ( Examples of O4's with * and rerun or ren at end of file name.)
    O4 - HKLM\..\RunOnce: [*IISINFO] C:\WINDOWS\APPPATCH\IISINFO.EXE rerun
    O4 - HKLM\..\RunOnce: [*VSSIP] C:\WINDOWS\WEB\VSSIP.EXE rerun
    O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINDOWS\SYSTEM\MUI\040B\WMSCOM.EXE ren
    O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINDOWS\HELP\NUTHARD.EXE ren
    The files with rerun or ren at the end of the file name should also be found in running processes, you should find one of each.
    ( If they are in the same subfolder you may only find one in running processes.)

    Connections found in firewall log.
    virtumonde.com [209.123.150.14]
    updates.virtumonde.com [208.48.15.13] or [208.48.15.11]
    scripts.affiliatefuture.com [80.253.103.154]

    Additional methods of infection and removal are described here:
    http://securityresponse.symantec.com/avcenter/venc/data/pf/adware.virtumonde.html
    http://www.pestpatrol.com/pestinfo/v/virtumonde.asp
    http://www.giantcompany.com/antispyware/research/spyware/spyware-VirtuMonde.aspx
    http://www.kephyr.com/spywarescanner/library/virtumonde/index.phtml
    http://www.sophos.com/virusinfo/analyses/trojagentspyb.html
    http://vil.nai.com/vil/content/v_127690.htm

    http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.html <= with a link to a removal tool

    Special credits to Trpm
    Last edited: May 1, 2005
  6. Pieter_Arntz
    Offline

    Pieter_Arntz Spyware Veteran

    Using a randomly named dll, it Registers itself as a Browser Helper Object, connects to a preset remote server, downloads and executes other files from there.

    Troj/Dloader-NL

    Log examples:

    O2 - BHO: (no name) - {15ACE85C-0BB1-42d1-9E32-07EB0506675A} - C:\WINDOWS\System32\kuzok.dll

    O2 - BHO: (no name) - {15ACE85C-0BB1-42d1-9E32-07EB0506675A} - C:\WINNT\system32\aouox.dll

    O2 - BHO: (no name) - {15ACE85C-0BB1-42d1-9E32-07EB0506675A} - C:\WINDOWS\SYSTEM\hadicuie.dll

    The CLSID is a constant.

    For more information:
    http://www.sophos.com/virusinfo/analyses/trojdloadernl.html
  7. dvk01
    Offline

    dvk01 Global Moderator

    A new hijacker that has second copies of all the files to reinstall itself if any of them are deleted
    It makes copies in localsettinhgs/temp folder in NT based computers I haven't seen it in 9x computers yet

    you might or might not have start ups to the other files in a hjt log frequently not

    You might not see all entries in a hjt log but I can guarantee that all the files will be there

    Download pocket killbox from http://download.broadbandmedic.com/Killbox.exe put it on the desktop where you can find it easily
    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    O4 - HKCU\..\Run: [atiupdate] C:\WINDOWS\System32\msshed32.exe

    and any other O4 start ups taht correspnd to the named files

    now run killbox and paste each of these lines into the box, select delete on reboot and end explorer shell before deleting must be ticked at all times , then press the red X button, when it says reboot now, say no and continue to paste the lines in in turn and follow the above procedure every time, after the last line has been pasted let it reboot

    C:\command.exe
    C:\WINDOWS\System32\msshed32.exe
    C:\WINDOWS\System32\moneyspj.exe
    C:\WINDOWS\System32\atiupdate.exe
    C:\DOCUME~1\User name \LOCALS~1\Temp\atiupdate.exe
    C:\DOCUME~1\User name \LOCALS~1\Temp\msshed32.exe
    C:\DOCUME~1\User name \LOCALS~1\Temp\moneyspj.exe

    If any ONE file is missed on a delete on reboot the whole cycle starts again

    the original downloader is msshed32 and if you block it's access to the net with a firewall before it downloads the others then it normally deletes easily

    example of logs
    http://forums.techguy.org/showthread.php?t=290449
  8. Pieter_Arntz
    Offline

    Pieter_Arntz Spyware Veteran

    A hijacker that tries to install itself as the default browser, using random filenames.

    Adware.Inetex

    Description and removal instructions:
    http://sarc.com/avcenter/venc/data/pf/adware.inetex.html

    Also using randomly named BHO's

    Log example:

    O2 - BHO: WSearch - {4EB644C7-A12A-409A-8304-DC16E87D48C2} - C:\Program Files\WebSearch\Util\84IQEVLF.dll
    Last edited: Nov 27, 2004
  9. Pieter_Arntz
    Offline

    Pieter_Arntz Spyware Veteran

    Adware using random filenames for BHO's and executables.

    AdBlaster

    HijackThis log examples:

    OLD versions

    O2 - BHO: (no name) - {2D7CB618-CC1C-4126-A7E3-F5B12D3BCF71} - c:\windows\ngpw34.dll

    O2 - BHO: (no name) - {E9147A0A-A866-4214-B47C-DA821891240F} - C:\WINDOWS\NGSW31.DLL

    New version

    O2 - BHO: ngsh33.clsIS - {941CA48C-3984-4E7D-AAF8-8755ED76EB50} - C:\WINDOWS\system32\43152.dll

    and a running process called adprot.exe

    Removal:

    - Stop adprot.exe as a running process
    - Have HijackThis fix the line with the BHO (called ngsh33.clsIS) with al IE windows closed.
    - Find and delete *****.dll and *****.exe after a reboot. * are numbers that are the same for the dll and the exe.
  10. Pieter_Arntz
    Offline

    Pieter_Arntz Spyware Veteran

    A hijacker that modifies the hosts file and adds favorites, a BHO and a Toolbar.

    The Simple Toolbar aka TROJ_FAVADD.C

    It will show up in a log looking like:

    O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10020} - C:\WINDOWS\system32\3kuubuqrhi.dll

    O3 - Toolbar: The Simple Toolbar Search - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA99EB} - C:\WINDOWS\system32\gm2v6xjqnl.dll

    The CLSID's are fixed, the filenames are random.

    For more information:
    http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?Vname=TROJ_FAVADD.C
  11. Pieter_Arntz
    Offline

    Pieter_Arntz Spyware Veteran

    A trojan using a random CLSID and a partly random filename as a BHO.

    Trojan.Eman

    Trojan.Eman is a Browser Helper Object which attempts to download and execute arbitrary code from a predetermined website.
    The filename consist of msxxx.dll where xxx are three random lower case letters.

    It can be recognized because it adds the value:
    "emandislc"
    to the registry subkey:
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer

    logexample:
    O2 - BHO: Name - {9CCA572C-7BBF-4D12-B5BF-F6AA6EE098A9} - C:\WINNT\system32\msfxj.dll
    O2 - BHO: Name - {5161DDA0-7CEA-11D9-9548-A0B659C1414A} - C:\WINDOWS\SYSTEM\MSDXI.DLL

    More information and removal instructions
    Last edited: May 30, 2005
  12. Pieter_Arntz
    Offline

    Pieter_Arntz Spyware Veteran

    A Startpage trojan which registers as a COM object and a Browser Helper Object (BHO) under a random clsid.

    Trojan.Win32.StartPage.xb aka Troj/StartPa-FR

    When the Trojan is installed it creates the file <Windows system folder>\spqap.dll. which is registered as a COM object and a Browser Helper Object (BHO) for Microsoft Internet Explorer is registered under a random clsid.

    However, reference to the random clsid can be found at
    HKLM\SOFTWARE\Microsoft\Internet Explorer\cslnam

    Where corresponding clsid can be found in:
    HKCR\CLSID\{clsid}
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{clsid}

    Write-up by Sophos
  13. Pieter_Arntz
    Offline

    Pieter_Arntz Spyware Veteran

    Using a few CLSID's, foldernames and filenames, displays advertisements on the infected computer.

    MSEvents aka Trojan Vundo.B

    Log examples:

    O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\system32\export\webjava.dll

    O2 - BHO: MSEvents Object - {44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44} - C:\WINDOWS\ServicePackFiles\fontsrv.dll

    Symantec offers a removal tool:
    http://securityresponse.symantec.com/avcenter/venc/data/trojan.vundo.b.removal.tool.html

    Attached to this post find a regfile (I stole from dvk01) to remove some more registry entries.

    Attached Files:

Thread Status:
Not open for further replies.