How to stop XP Killer trojan from deleting services

Discussion in 'other anti-malware software' started by aigle, Feb 28, 2007.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Once allowed to execute, XP Killer trojan removes following services on my PC.

    Windows update service
    Application layer gateway services
    System Restore service
    Windows firewall/ ICS service

    I have tried to stop it from deleting services by protecting reg keys ControlSet001, ControlSet002, ControlSet003 and CurrentControlSet.
    I tried RegDefend, SSM Pro, and Kaspersky,s PDM and they seem to block deletion of RegKeys but in spite of that trojan is able to delete the services.

    It looks strange.
     
  2. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,770
    Location:
    New Mexico, USA
    Sounds like a lovely bug, aigle. What gets it onboard a computer - email, download, etc, or all ways?
     
  3. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Aigle,

    DefenseWall (review Kareldjag june 2006) stops it partially:

    "With XP Killer : This file was able to stop automatic updates service, but DefenseWall did prevent the most harmful actions : no system files (auto updates service, XP firewall and restore service files) were deleted, so that the system state is normal after a reboot."

    Did you check after reboot?
     
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Not sure. It did not tried for outbound connection on my PC. Just deleted these four services, but might do more as I tried it for short time.
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    GesWall stops it altogether.
     

    Attached Files:

    • 1.jpg
      1.jpg
      File size:
      31.3 KB
      Views:
      417
    • 2.jpg
      2.jpg
      File size:
      59.1 KB
      Views:
      418
  6. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,770
    Location:
    New Mexico, USA
    I've never tried geswall. Looks like it's time to add that one to my collection and see how it works. Sandboxie is nice, but I like the idea of being warned about things.

    I guess I could run Powershadow and not have to worry about anything.
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I use both. GW permanantly and PowerShadow off n on.
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Aigle,

    Have you tried to blocking the changes of values a few registry levels deep (option SSM-free)?

    Application Layer Service
    - HKLM/System/CurrentControlSet/Services/Alg (block 2 levels)

    Windows Update Service
    - HKLM/System/CurrentControlSet/Services/wuauserv (block 2 levels)

    System Restore Service
    - HKLM/System/CurrentControlSet/Services/srservice (block 2 levels)

    Windows Firewall Service
    - HKLM/System/CurrentControlSet/Services/SharedAccess (block 2 levels)

    Al those service allow a 'stop' in regular operation, so this might also be the problem.

    Regards K
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I blocked Control sets upto 9 levels down. Most reg changes were blocked but SSM services module then gave popups of 'services removed'( so I did no hck after reboot).

    Same with KIS PDM. I am not framiliar with reg, so probably I am doing some mistake.
     
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Aigle,

    The values problably only influence the startup type (automatic, manual, disable). In normal operation these services accept the stop handle. So protecting the corresponding registry values only helps you the keep the original values.

    Start = 2 (automatic)
    Start = 3 (manual)
    Start = 4 (disabled)
     
  11. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    642
    wow xpkiller strikes again. i remember this thing wrecking havoc vs various HIPS and sandboxing programs. did you try it vs sandboxie aigle?
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I don,t remember exactly but I must have tried and Sandboxie must have defended against it.
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    May be some later testing.
     
  14. LoneWolf

    LoneWolf Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    3,782
    BOClean is suposted to kill this one.Here is a screenshot of it in their list that they cover.

    Good luck with whatever you try with this one , sounds nasty.
     

    Attached Files:

  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Don,t worry for signature based detection. Almost all of AVs will detect it.
     
  16. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    Does anyone know or think Cyberhawk would have detected this? Also would the freeware version of GesWall be enough, and what are the differences between the free version and the Pro version of it? I looked on the website, but didn't find them. Thanks, I may add GesWall, but if I do, would I truly still need my AVG Anti-Spyware?
     
    Last edited: Feb 28, 2007
  17. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Duke,

    Forrester research uses a model to determine the setup and strength of your security defense. In short it looks at the sequence of events of an infection.

    Inbound traffic level
    An inbound firewall (needed), preferably a hardware FW or the bare minimum windows XP firewall.

    Treath gates: think about sandboxes like GeSWall/DefenseWall (I use them on different machines) or Sandbox with file virtualisation (like (BufferZone or SandBoxie) or OS+File virtualisation/Hardware emulation (e.g. VMWare). In general Sandboxes like GW/DW are set and forget. GW free is as strong as GW paid, it only covers one treath gate (Internet and not P2P, chat, e-mail et cetera).

    Trigger level: This are system wide IDS/HIPS programs who defend important OS files (like registry), system changes (services) and process modification. In this category fall the resident protection anti-spyware programs like SpywareTerminator (also a HIPS feature), classical HIPS like SSM and behavior blockers like CyberHAwk.

    Data level: This is the area of traditional Antivirus applications (who check at every read and write on a black listed malware). Also programs like CoreForce, DriveSentry and SensiveGuard have data level protection, because they forbid certain files/folders/file extentions to be changed.

    Outbound Network level: These are outbound firewalls wich prevent the hief to run after the theft.

    In general it is wise to have those area's covered and to put most effort in protecting at an early state. Another rule of thumb is that hardening, black listing and whitelisting is a stronger form of defense, demanding higher levels of knowledge to answer pop-ups from the security ap.

    Hardening = disable what you do not use, it either works or does not
    Black list = catch known bad guys, a pop-up could be a false positive, but in general you can be trust the black list
    Behavior blocking = stop strange/suspicious behavior. In all cases the pop-up (e.g. of CyberHawk) indicates a system anomaly, in few cases this is caused by a legitemat application.
    Whitelist = allow only the good guys. Gives the user the problem to decide on what is good or bad. Therefore some white list aps have build in white lists or share white list experience across the user group via the Web (e.g. PrevX).

    An Antivirus for instance also has behavioral protection (heuristics). In general it is wise not to overlap the sort of protection (e.g. two whitelist HIPS) on the same level.

    What is neccesary depends on you PC usage behavior and at what protection you feel at ease. When you use AVG Antispyware (a blacklist + IDS) only for on-demand, they do not interfere. Some people use Spyware Terminator (not so good blacklist, good IDS) a long side with CyberHawk. So it is up to you really.

    I personally do not use an AntiSpyware ap, because I trust the combination of DefenseWall/SSM-free and GeSWall Pro/CyberHawk on two different PC's. One PC is stable (no software being tried out), the other not (therefore CyberHawk in stead of SSM).
    Regards
     
    Last edited: Feb 28, 2007
  18. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    Thank you for this Kees1958. I appreciate your information and understand it really does boil down to what the user likes and feels comfortable with. I know I try out way too many combinations of software protection, while at the same time also realizing I don't really need all that much for my needs. It's just fun to do so. LOL. I enjoy reading posts like yours and the many others i see here in Wilders, and although I know I may be getting on a few peoples nerves with my questions. (and slight obsession. LOL.) I certainly appreciate the people like yourself who have humored me by answering them. I have recently decided to try and stick with the AVG Internet Security Suite even though I probably won't ever need a Resident AS. I believe that along with Cyberhawk and Geswall should be sufficient from what you're saying if I'm correct? Anyway thanks to you again, and to the others that have humored me. LOL
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep,

    AVG Internet security suit (when it fits you), GeSWall for Internet treathgate and CyberHawk for Zero days treaths.

    Have fun
     
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Free version should be enough for many users.
    Free version has isolation rules for browsers, mail clients and viewers while pro has rules for many more applications. U can add ur own rules in both but it,s a job for experts.
    U should keep AVG AS alongwith that as a scanner ( although u might disable it,s guard if u want).
     
  21. duke1959

    duke1959 Very Frequent Poster

    Joined:
    Jul 21, 2006
    Posts:
    1,238
    So if I leave just my hands off of GesWall Free and use the rules it has, it should be easy to run and with no problems, right?
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Ya, sure. Just u have to reply one pop up for each browser on first launch only. Say 'Yes' and mark 'Don,t ask again'. That,s all.
     

    Attached Files:

    • ff.jpg
      ff.jpg
      File size:
      26.2 KB
      Views:
      244
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.