Need help finding forensic tools.

I am in the middle of trying to find out how a new variant of the Look2Me-VX2.BetterInternet-NicTech virus is infecting a Windows 2000 system (I refuse to call these things "adware" or "spyware".). The virus has hooked itself into the system startup somehow and executes a randomly named DLL file. I remember once seeing a utility that logged all disk drive transactions. I am hoping that I could use such a tool to watch the virus copy the source DLL to the random DLL.

Also, any other forensic software that you might suggest would be helpful. At the moment, I am using Port Explorer and Process Explorer to watch this virus' behavior. I know from Process Explorer that the virus was written by NicTech Networks Inc. And I know from Port Explorer that the software is trying to communicate with 69.20.20.161 (Look2Me). The virus opens TCP ports 500 through 5000 and leaves them in a listening state. It uses WINLOGON.EXE and RUNDLL32.EXE to do this. I just want to be able to watch this so that I can better understand how these viruses work.

Close Hauled

 

Hi Close_Hauled,

This utility may be helpfull: http://tools.zerosrealm.com/VX2Finder.exe

It will at least tell you a lot about the files involved.

Another tool you may find usefull is Inctrl5: http://www.extremetech.com/article2/0,1558,9411,00.asp

Regards,

Pieter

 

Pieter;

Thanks for taking the time to respond. I just found the utility that I was thinking about;

Filemon by SysInternals
http://www.sysinternals.com/ntw2k/source/filemon.shtml

They also have;

Regmon
http://www.sysinternals.com/ntw2k/source/regmon.shtml

I am going to try these out before eradicating the virus. I'll play cat and mouse with it for a while to learn about how it works. Then I will kill it.

Close Hauled

 

Have fun, but be carefull.
My computer became completely unworkable the last time I tried that "package" of ..... adware.

Regards,

Pieter

 

Pieter;

Thanks for the warning. I have standard builds of these machines in Ghost images. If I blew the machine up, I was just going to drop a fresh build on it with Ghost.

Oddly enough, the virus either went dormant, or went away. All symptoms of the virus are gone!?

One symptom that I had not mentioned was that it would cause the McAfee Framework Service to hang on starting (Event ID 7022). This is McAfee 4.5.1 SP1 that we use corporate wide.

I am going to tighten up the users IE6 so that she can only run ActiveX and download files from trusted sites. Then I will show here how to add trusted sites to the list. This is done by default, but users override the settings without understanding the consequences.

Close Hauled

 

Same here. I use Acronis, but the principle is the same. It became so bad at one point that the Start button and Taskbar became unusable. It took explorer more then ten minutes to respond.

Strange that it would go away by itself. Maybe because you denied contact with the "mothership" ?

Regards,

Pieter