New malware discovery (perhaps)

Discussion in 'malware problems & news' started by Pikachu762, Apr 24, 2007.

Thread Status:
Not open for further replies.
  1. Pikachu762

    Pikachu762 Registered Member

    Joined:
    Jan 31, 2004
    Posts:
    41
    Hey everyone,

    I was looking at a friend's computer... her 2 children (teenagers) are the ones who mostly use it for downloading music, instant messaging and emails, internet browsing, and games.

    I last looked at it a number of months ago, and it was infested with tons of viruses and spyware. I installed Spybot, Ad-Aware, Spyware Blaster, and Anti-Vir, along with some stuff from grc.com and ran a bunch of scans in safe mode. I blew away all the nasty crap, restarted, and installed Firefox, and told them to use that instead of Internet Exploder. I also updated the JRE, and made sure all the Windows patches were installed (they're running XP Home). Finally I did a scan with Rootkit Revealer, and nothing unusual was found.

    Anyway, today I was there and was taking care of the usual spyware and adware junk. There were tons of entries in Anti-Vir's quarantine... And the resident guard was repeatedly warning about a file called atetobj.exe. The detection was based upon heuristics. I have them set to high for both the resident guard and on-demand scanner. Every time I tried to quarantine, deny access, or simply ignore the file... well, it kept on warning me about it every few seconds. After a time, I had to turn off the resident guard to get any work done.

    I then did a scan with F-Secure's Blacklight, and it also noted the presence of atetobj.exe as a hidden file, along with a hidden driver called fiparvdm.sys. I also scanned with Sophos's rootkit detector, and it also found those two entries, along with a number of hidden registry entries (about 6. None of the hidden registry entries had similar names to the hidden .exe or the .sys files). It also found a hidden executable, C:\i386\AUTOFMT.exe which I am guessing is legit and part of Windows. Google returns no hits at all for atetobj.exe or fiparvdm.sys and I am 99% sure those are rather evil files.

    I closed down the Sophos RK detector without doing anything, and then set Blacklight to rename the 2 hidden files. It asked to restart, and so the machine restarted...

    Whereupon Anti-Vir started going nuts again about atetobj.exe. Seems there is a serious problem with their machine. I didn't try to do more, as I was concerned about breaking something and making their machine unbootable (and I didn't want to mess around with taking their hard drive out and using a 2nd machine to read off files from it to recover anything they wanted to keep). I told them to begin burning any files they wanted to keep to a CD, and that they might need to wipe their disk and reinstall. They're using Limewire, and I imagine that is the vector that most of the crapware uses to attack their machine.

    Thought I'd report the new files... seems I've stumbled upon something new out there, since Google doesn't have any info on the hidden files and Anti-Vir is flagging it based upon heuristics. Perhaps it's an established virus of some sort with a random filename generator though. I'm going to submit the Blacklight logfile to F-Secure shortly and I'll include their response when I get it.

    If anyone has suggestions as far as securing the hidden files so I can submit them to AV vendors, let me know. Also, any good ideas about how best to go about cleaning up would be appreciated. I know that the machine has likely been utterly compromised, but they don't do anything sensitive like online banking, so being able to mostly clean it would be good enough. I am looking to learn a bit from the experience as well.

    -Pika
     
  2. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
  3. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Ok lets go:)

    Right i can help you recover those files for sharing and also aid in the distribution c/o Malware listserve.Secondly up when we know the devil we can nail him to the rafters too and help finish the clean up you have started:thumb:

    If you can download IceSword>>>
    http://www.majorgeeks.com/Icesword_d5199.html

    UnZip and run the main executable,Using the *file* option middle lefthand side of main GUI will open up a folder explorer tree ala *windows explorer*.By using the + sign navigate to the folder(s) containing the suspect files.
    atetobj.exe
    AUTOFMT.exe
    fiparvdm.sys
    On the centre screen you will see alphabetically listed files in that particular folder.Locate and highlight the suspect file(s) and next use *copy* only.It will open up a save window where you should rename each sample such as a.exe b.exe and a.sys then save them to a holding folder/location.

    Goto that location and zip the files up.If you could start a new topic at the following link(you do not have to register to post) but can attach/upload the zipped folder containing thoes 3 files.
    http://www.castlecops.com/f81-Unknown_Files.html

    I will have alook at them as well as escalating them onto malware listserve should they be new or not widely known malwares etc

    After you have retrieved the files for uploading i would recommend you run some ASW softwares that have far more bite then Adaware/SpyBot on the infected machine.
    Here's the 2 best free ASW's IMO at the moment against more recent and menovolent Spywares:thumb:
    http://www.superantispyware.com/
    http://free.grisoft.com/doc/20/lng/us/tpl/v5

    There will almost certainly be malware present that your current 2 are incapble of detecting let alone removing so this is highly advised:)
     
    Last edited: Apr 26, 2007
  4. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Yes plz do as fcukdat suggested.
     
  5. Pikachu762

    Pikachu762 Registered Member

    Joined:
    Jan 31, 2004
    Posts:
    41
    Franklin---

    Thank you for the suggestions, but I wasn't sure how to get the hidden files so I could submit them. I will have them shortly though (I hope)

    Fcukdat---

    Hello and thank you for the reply. I have heard of Ice Sword before, but I didn't know what it did exactly and I didn't think of it until you mentioned it :) I have downloaded IS and Super AntiSpyware to my machine, and I'll put them on a thumb drive so I can bring them to the other computer.

    I got a response from F-Secure, and they indicated that it is a rootkit and they'd like to see the files as well. I plan on going to my friend's house tomorrow and getting the files.

    One curious thing... I scanned the .zip file for Ice Sword at VirusTotal (I generally scan everything I download, even from legit sites, just in case the file server gets compromised with a bad file :) and Fortinet 2.85.0.0 and Panda 9.0.0.4 flagged it as suspicious. I imagine these are false positives, and those vendors should be informed.

    I'll start a new thread at CastleCops and include this post, along with my original posting.


    Aigle---

    I'm doing so :)

    I'll be back later. This is kinda interesting. :)
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    It,s sure.
    We will wait.
     
    Last edited: Apr 25, 2007
  7. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    IceSword is a AntiRootKit tool,ARK for short but it has some useful sub utilites for example its file/registry option does not use Win API to view files on a harddrive.This will expose files/malicious code that is hidden from traditional scanners and windows explorer.

    It is certainly a rootkit malware at play as too which is to be deteremined.It could be well known but because of how rootkit malwares hide thereselves and their activities most traditional AV's,AT's and ASW's are blind to there presents even if they know the files.

    This is a generic detction of runtime packers as supicious.It is in this case a F/P but in the case of malwares using UPX packers it would not be so those scanners are edging their bets and erring on caution;)

    Excellent,fwiw if after we recover the files and if they *new* quantities i will get the owner of SAS to expedite a cleanup routine for them to save us from manually hacking them of the infected PC:thumb:
     
  8. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,121
    Location:
    Pennsylvania.
    Download Comodo BOclean on their computer.
     
  9. Pikachu762

    Pikachu762 Registered Member

    Joined:
    Jan 31, 2004
    Posts:
    41
    Sorry about the delay. Everyone at my friend's house has been rather ill the past couple days. I expect to have the files sometime this weekend. :)

    I will update again once I get them.
     
  10. Pikachu762

    Pikachu762 Registered Member

    Joined:
    Jan 31, 2004
    Posts:
    41
    Ok! I finally got the files. I deleted them from the disk, and kept renamed copies. I'm going to submit them on the Castle Cops forum and to F-Secure.... although according to Jotti's Virus Scan, F-Secure already detects both the rootkit driver and executable. :)

    They call the driver Rootkit.Win32.Agent.ao (probable variant), as does Kaspersky. Detection is pretty poor as of now, with only 7 vendors detecting it as malware out of the 18 listed on Jotti's site.

    The executable is described by F-secure and Kaspersky as Trojan.Win32.Crypt.t (this is what Anti-Vir flagged as a bad file, calling it Heur/Crypted). Only 6 vendors detected the exe as malware.

    I imgine this thing downloaded a bunch of crapware to their machine. I installed Super Anti-Spyware Blaster and before I left it had found a ton of stuff ( I instructed them to let it finish scanning and then delete everything it found). The main thing was finding the driver though, along with the primary exe. I think :)
     
  11. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,954
    Out of curiosity, besides F-Secure and Kaspersky, what were the other vendors that detected the malware?
     
  12. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Last edited: Apr 30, 2007
  13. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    A "crypt" detection usually means a file which is packed with a complex runtime packer (for Kaspersky, anyway). You should probably send the file anyway for analysis so that the vendors can inform you of correct disinfection routines because the "crypt" detections are very generic and hence may not have cleaned your infection properly.

    BTW I also am interested in knowing who else detected the 2 files. :)
     
  14. tazmil

    tazmil Registered Member

    Joined:
    May 2, 2007
    Posts:
    1
    Dear All,

    I really need help but I'm unsure whether my query belongs here or in the viral forum. PLEASE do not click on any links I have attached in my message. They brought me trouble, they might bring you too.

    I made a mistake of clicking on a link from a friend's YM message. The link is gotoforums.com. Now everytime I load the internet explorer, I get a header that displays the website I'm visiting (like Yahoo or msn or this page) PLUS the link hotads.netfirms

    I've tried a few virus cleaners (Norton & AVG) and also used Spybot Search&Destroy on top of installing a firewall but to no avail. I don't think my steps were proper but those were all I could think of.

    Help, please?
     
    Last edited by a moderator: May 2, 2007
  15. Pikachu762

    Pikachu762 Registered Member

    Joined:
    Jan 31, 2004
    Posts:
    41
  16. Pikachu762

    Pikachu762 Registered Member

    Joined:
    Jan 31, 2004
    Posts:
    41
    When I submitted the driver a few days ago, the following AV programs identified it as malware:

    ArcaVir
    Avast
    F-Prot
    F-Secure
    Kaspersky
    VirusBuster
    VBA32

    The executable was identified by the following:

    AntiVir
    Dr. Web
    F-Secure
    Kaspersky
    VBA32
     
  17. Pikachu762

    Pikachu762 Registered Member

    Joined:
    Jan 31, 2004
    Posts:
    41
    I just submitted a .zip containing the exe and sys files to VirusTotal, and detection has improved somewhat. NOD32, Ewido, Prevx, Dr. Web, and ClamAV are some of the products which still don't detect anything.
     
Loading...
Thread Status:
Not open for further replies.