Need help finding forensic tools.

Discussion in 'adware, spyware & hijack cleaning' started by Close_Hauled, May 27, 2004.

Thread Status:
Not open for further replies.
  1. Close_Hauled

    Close_Hauled Registered Member

    Joined:
    Apr 24, 2004
    Posts:
    1,015
    Location:
    California
    I am in the middle of trying to find out how a new variant of the Look2Me-VX2.BetterInternet-NicTech virus is infecting a Windows 2000 system (I refuse to call these things "adware" or "spyware"). The virus has hooked itself into the system startup somehow and executes a randomly named DLL file. I remember once seeing a utility that logged all disk drive transactions. I am hoping that I could use such a tool to watch the virus copy the source DLL to the random DLL.

    Also, any other forensic software that you might suggest would be helpful. At the moment, I am using Port Explorer and Process Explorer to watch this virus' behavior. I know from Process Explorer that the virus was written by NicTech Networks Inc. And I know from Port Explorer that the software is trying to communicate with 69.20.20.161 (Look2Me). The virus opens TCP ports 500 through 5000 and leaves them in a listening state. It uses WINLOGON.EXE and RUNDLL32.EXE to do this. I just want to be able to watch this so that I can better understand how these viruses work.

    Close Hauled
     
    Last edited: May 27, 2004
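    The symptom described above (a system process such as WINLOGON.EXE or RUNDLL32.EXE holding a large block of TCP ports in a listening state) is easy to spot mechanically once per-socket process ownership is available, which is what Port Explorer provides. The following is an added example, not code from the thread or from the tools it mentions: it takes a constructed snapshot of (process, protocol, port, state) rows, groups listening ports by process, collapses them into contiguous ranges, and flags processes that listen on many ports or that a workstation would not expect to listen at all. The snapshot contents and the "should never listen" list are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample: the kind of per-socket table a process-to-port mapper
# exports, as (process, protocol, local_port, state) rows. The values are
# made up for this example; winlogon.exe and rundll32.exe are given blocks
# of listening ports to mirror the symptom described in the post.
SOCKET_SNAPSHOT = (
    [("System", "TCP", 139, "LISTENING"),
     ("System", "TCP", 445, "LISTENING"),
     ("svchost.exe", "TCP", 135, "LISTENING"),
     ("explorer.exe", "TCP", 1044, "ESTABLISHED"),
     ("rundll32.exe", "TCP", 1051, "SYN_SENT")]
    + [("winlogon.exe", "TCP", p, "LISTENING") for p in range(500, 525)]
    + [("rundll32.exe", "TCP", p, "LISTENING") for p in range(600, 610)]
    + [("rundll32.exe", "TCP", p, "LISTENING") for p in range(700, 705)]
)


def listening_ports_by_process(rows):
    """Group TCP ports in LISTENING state by owning process name (lowercased)."""
    by_proc = defaultdict(set)
    for process, proto, port, state in rows:
        if proto.upper() == "TCP" and state.upper() == "LISTENING":
            by_proc[process.lower()].add(int(port))
    return {proc: sorted(ports) for proc, ports in by_proc.items()}


def contiguous_runs(ports):
    """Collapse a sorted port list into inclusive (start, end) ranges,
    so 500..5000 reports as one range instead of 4501 lines."""
    runs = []
    for port in ports:
        if runs and port == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], port)
        else:
            runs.append((port, port))
    return runs


# Assumed for this example: processes that have no business accepting
# inbound TCP connections on a workstation. Tune for the environment.
NO_LISTEN_EXPECTED = {"winlogon.exe", "rundll32.exe", "explorer.exe"}


def flag_port_sprawl(rows, min_ports=5):
    """Return one finding per process that listens on at least min_ports
    ports, or that is on the NO_LISTEN_EXPECTED list, whichever applies."""
    findings = []
    for proc, ports in listening_ports_by_process(rows).items():
        reasons = []
        if len(ports) >= min_ports:
            reasons.append("listens on %d ports" % len(ports))
        if proc in NO_LISTEN_EXPECTED:
            reasons.append("process not expected to listen")
        if reasons:
            findings.append({"process": proc, "count": len(ports),
                             "ranges": contiguous_runs(ports),
                             "reasons": reasons})
    return sorted(findings, key=lambda f: f["process"])


if __name__ == "__main__":
    for f in flag_port_sprawl(SOCKET_SNAPSHOT):
        rng = ", ".join("%d-%d" % r if r[0] != r[1] else str(r[0])
                        for r in f["ranges"])
        print("%-14s %3d listening ports (%s): %s"
              % (f["process"], f["count"], rng, "; ".join(f["reasons"])))
```

    Run as-is it reports winlogon.exe on 500-524 and rundll32.exe on 600-609 and 700-704; the System and svchost.exe listeners fall below the threshold and are not on the list, so they stay quiet. The useful output of a tool like this is the range summary, which is what you compare against a clean machine's baseline.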
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
  3. Close_Hauled

    Close_Hauled Registered Member

    Joined:
    Apr 24, 2004
    Posts:
    1,015
    Location:
    California

    Pieter;

    Thanks for taking the time to respond. I just found the utility that I was thinking about;

    Filemon by SysInternals
    http://www.sysinternals.com/ntw2k/source/filemon.shtml

    They also have;

    Regmon
    http://www.sysinternals.com/ntw2k/source/regmon.shtml

    I am going to try these out before eradicating the virus. I'll play cat and mouse with it for a while to learn about how it works. Then I will kill it.

    Close Hauled
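    Filemon and Regmon answer the two questions in this thread, where the random DLL comes from and how it gets into the startup path, but they log every operation on the box, so the work is in filtering. The following is an added example, not code from the thread or from SysInternals: it parses tab-separated rows in the seven-column layout (#, Time, Process, Request, Path, Result, Other) that both tools can export, then flags (a) successful CREATE operations that put a DLL into system32 that was not there before, noting when the writer is a process like winlogon.exe or rundll32.exe that loads DLLs but should never write new ones, and (b) SetValue operations under the common startup and Winlogon registry keys. The log lines, the baseline DLL set and the file names are constructed for this example, and the column layout and "name:pid" process column are assumptions.

```python
from collections import namedtuple

Event = namedtuple("Event", "seq time process request path result other")


def parse_monitor_line(line):
    """Parse one tab-separated Filemon/Regmon-style row into an Event.
    Assumed column order: #, Time, Process, Request, Path, Result, Other.
    The Process column is assumed to be 'name:pid'; the pid is dropped."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) < 6:
        return None
    parts += [""] * (7 - len(parts))
    seq, time, process, request, path, result, other = parts[:7]
    return Event(seq, time, process.split(":")[0].lower(), request.upper(),
                 path, result.upper(), other)


def parse_log(text):
    return [e for e in (parse_monitor_line(l) for l in text.splitlines()) if e]


def _row(*cols):
    return "\t".join(cols)


# Constructed Filemon-style log (not real tool output). Two DLL drops by
# system processes, one by an installer, plus unrelated noise.
FILEMON_LOG = "\n".join([
    _row("1", "9:15:23 AM", "winlogon.exe:208", "OPEN", r"C:\WINNT\system32\kernel32.dll", "SUCCESS", "Options: Open  Access: Read"),
    _row("2", "9:15:23 AM", "winlogon.exe:208", "CREATE", r"C:\WINNT\system32\qvhxtr.dll", "SUCCESS", "Options: OverwriteIf  Access: All"),
    _row("3", "9:15:23 AM", "winlogon.exe:208", "WRITE", r"C:\WINNT\system32\qvhxtr.dll", "SUCCESS", "Offset: 0 Length: 65536"),
    _row("4", "9:15:24 AM", "rundll32.exe:1180", "CREATE", r"C:\WINNT\system32\rvtgs.dll", "SUCCESS", "Options: OverwriteIf  Access: All"),
    _row("5", "9:15:25 AM", "explorer.exe:644", "CREATE", r"C:\Documents and Settings\user\notes.txt", "SUCCESS", "Options: OverwriteIf  Access: All"),
    _row("6", "9:15:26 AM", "setup.exe:1320", "CREATE", r"C:\WINNT\system32\newapp.dll", "SUCCESS", "Options: OverwriteIf  Access: All"),
])

# Constructed Regmon-style log (not real tool output).
REGMON_LOG = "\n".join([
    _row("1", "9:15:27 AM", "rundll32.exe:1180", "SetValue", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qvhxtr\DllName", "SUCCESS", '"qvhxtr.dll"'),
    _row("2", "9:15:27 AM", "rundll32.exe:1180", "SetValue", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rvtgs", "SUCCESS", '"rundll32.exe rvtgs.dll,Init"'),
    _row("3", "9:15:28 AM", "explorer.exe:644", "QueryValue", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rvtgs", "SUCCESS", '"rundll32.exe rvtgs.dll,Init"'),
    _row("4", "9:15:29 AM", "notepad.exe:900", "SetValue", r"HKCU\Software\Microsoft\Notepad\lfFaceName", "SUCCESS", '"Lucida Console"'),
])

SYSTEM32 = r"c:\winnt\system32"
# Baseline of DLL names known to be present before infection. Constructed
# and tiny here; in practice take a directory listing from a Ghost image.
BASELINE_DLLS = {"kernel32.dll", "user32.dll", "advapi32.dll"}
# Processes that load DLLs all day but should never write new ones into system32.
UNEXPECTED_DLL_WRITERS = {"winlogon.exe", "rundll32.exe"}

# Startup and Winlogon locations where a SetValue deserves a look.
PERSISTENCE_KEYS = (
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runonce",
    r"hklm\software\microsoft\windows nt\currentversion\winlogon\notify",
    r"hklm\software\microsoft\windows nt\currentversion\windows\appinit_dlls",
    r"hkcu\software\microsoft\windows\currentversion\run",
)


def flag_dll_drops(events, baseline=BASELINE_DLLS):
    """Successful CREATEs of DLLs in system32 whose name is not in the baseline."""
    findings = []
    for e in events:
        if e.request != "CREATE" or e.result != "SUCCESS":
            continue
        folder, _, name = e.path.rpartition("\\")
        if folder.lower() != SYSTEM32 or not name.lower().endswith(".dll"):
            continue
        if name.lower() in baseline:
            continue
        findings.append({"time": e.time, "process": e.process, "name": name,
                         "unexpected_writer": e.process in UNEXPECTED_DLL_WRITERS})
    return findings


def flag_persistence_writes(events):
    """Successful SetValue operations at or under the persistence keys."""
    findings = []
    for e in events:
        if e.request != "SETVALUE" or e.result != "SUCCESS":
            continue
        p = e.path.lower()
        if any(p == k or p.startswith(k + "\\") for k in PERSISTENCE_KEYS):
            findings.append((e.process, e.path, e.other))
    return findings


if __name__ == "__main__":
    for d in flag_dll_drops(parse_log(FILEMON_LOG)):
        tag = "UNEXPECTED WRITER" if d["unexpected_writer"] else "review"
        print("%s  %-13s wrote %-12s [%s]" % (d["time"], d["process"], d["name"], tag))
    for proc, path, data in flag_persistence_writes(parse_log(REGMON_LOG)):
        print("%-13s set %s = %s" % (proc, path, data))
```

    The two findings that matter are the ones where the writer is winlogon.exe or rundll32.exe; setup.exe dropping a DLL is reported too, but only for review, since installers legitimately do that. Pairing the file finding with the registry finding gives the full picture the original post was after: which process wrote the random DLL, and which startup key makes it load again.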
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Have fun, but be careful.
    My computer became completely unworkable the last time I tried that "package" of ..... adware. :D

    Regards,

    Pieter
     
  5. Close_Hauled

    Close_Hauled Registered Member

    Joined:
    Apr 24, 2004
    Posts:
    1,015
    Location:
    California

    Pieter;

    Thanks for the warning. I have standard builds of these machines in Ghost images. If I blew the machine up, I was just going to drop a fresh build on it with Ghost.

    Oddly enough, the virus either went dormant, or went away. All symptoms of the virus are gone!? o_O :'(

    One symptom that I had not mentioned was that it would cause the McAfee Framework Service to hang on starting (Event ID 7022). This is McAfee 4.5.1 SP1 that we use corporate wide.

    I am going to tighten up the user's IE6 so that she can only run ActiveX and download files from trusted sites. Then I will show her how to add trusted sites to the list. This is done by default, but users override the settings without understanding the consequences.

    Close Hauled
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Same here. I use Acronis, but the principle is the same. It became so bad at one point that the Start button and Taskbar became unusable. It took explorer more than ten minutes to respond. :doubt:

    Strange that it would go away by itself. Maybe because you denied contact with the "mothership"?

    Regards,

    Pieter
     