What does this virus actually do?

Discussion in 'malware problems & news' started by malwaretesting, May 17, 2008.

Thread Status:
Not open for further replies.
  1. malwaretesting

    malwaretesting Registered Member

    Joined:
    May 17, 2008
    Posts:
    77
    I'm using Windows XP. The filename is Ad-aware-keygen.exe. It's identified as Trojan-Dropper.Win32.VB.hf, Trojan-Dropper.VB.hf, and/or Trojan.Spy.Agent-54. It creates a file, mspeupx.exe, in the System32 directory. mspeupx.exe is identified as TrojanSpy.Win32.Agent.et and/or Troj/Agent-BJB.

    It makes the following modification to the registry:

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "" = mspeupx.exe:*:Enabled:mspeupx

    As I understand it, this modification allows it to bypass the XP firewall, which I don't use. I haven't been able to detect it making any attempts to access the internet.


    Here is a link to an online, automated analysis done at CWSandbox.org:

    http://cwsandbox.org/?page=details&id=262208&password=qjsns


    So, aside from making a registry modification and placing a file in the System32 directory, what malicious activity does it actually carry out? It seems completely benign to me, but I can't understand why someone would release a virus that actually does nothing.

    I'm mostly concerned about keyloggers and data transmitted online. I have anti-keyloggers, and they haven't alerted me to anything. My firewall hasn't alerted me to anything unusual. According to CWSandbox, there is no network activity.

    So, what does it actually do? I have a copy if anyone wants it.

    Thanks.
     
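The registry value quoted in the post above is an entry in the Windows XP firewall's AuthorizedApplications list. Each value under that key is, by convention, named after the program path and holds a string of the form `<path>:<scope>:<Enabled|Disabled>:<display name>`, where the scope is `*` (any remote address) or a list of addresses. An entry whose path is a bare filename such as `mspeupx.exe` is worth a second look: the exception is not pinned to one specific file on disk. The script below is an added example, not code from the original post or from either sandbox: it parses that value format and triages a constructed list of entries (the sample list, the `value_name` of the `mspeupx.exe` entry, which the post shows as `""`, and the triage rules are the example's own assumptions, not taken from the thread). It reads the live key only when `read_from_registry()` is called on a Windows host.

```python
"""Triage entries in the XP firewall AuthorizedApplications list.

Value format (Microsoft convention):
    <path>:<scope>:<Enabled|Disabled>:<display name>
Added example; the sample data below is constructed, not from a real host.
"""
import ntpath
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Same key the post quotes, via the CurrentControlSet link instead of ControlSet001.
LIST_KEY = (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
            r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")


@dataclass
class FirewallRule:
    value_name: str
    path: str
    scope: str
    enabled: bool
    display_name: str
    reasons: List[Tuple[str, str]] = field(default_factory=list)  # (level, text)


def parse_entry(value_name: str, data: str) -> FirewallRule:
    """Split the stored string; the path may itself contain ':' (drive letter),
    so take the last three fields from the right."""
    parts = data.split(":")
    if len(parts) < 4:
        raise ValueError(f"unexpected AuthorizedApplications value: {data!r}")
    display, state, scope = parts[-1], parts[-2], parts[-3]
    path = ":".join(parts[:-3])
    return FirewallRule(value_name, path, scope, state.lower() == "enabled", display)


def triage(rule: FirewallRule) -> List[Tuple[str, str]]:
    """Heuristics assumed for this example; tune against your own baseline."""
    reasons = []
    if ntpath.dirname(rule.path) == "":
        reasons.append(("suspicious",
                        "bare filename: exception is not pinned to one file on disk"))
    if rule.value_name.lower() != rule.path.lower():
        reasons.append(("suspicious",
                        "value name does not match the path in the data (convention is equal)"))
    lowered = rule.path.lower()
    if "\\system32\\" in lowered or "\\temp\\" in lowered:
        reasons.append(("note",
                        "lives in a system or temp directory; compare with a known-good baseline"))
    return reasons


def audit(values: Dict[str, str]) -> List[FirewallRule]:
    rules = []
    for name, data in values.items():
        rule = parse_entry(name, data)
        rule.reasons = triage(rule)
        rules.append(rule)
    return rules


def suspicious(values: Dict[str, str]) -> List[str]:
    """Paths of enabled exceptions that hit at least one 'suspicious' reason."""
    return [r.path for r in audit(values)
            if r.enabled and any(level == "suspicious" for level, _ in r.reasons)]


def read_from_registry() -> Dict[str, str]:
    """Windows only: enumerate the live key into a {value_name: data} dict."""
    import winreg  # not available off Windows; imported lazily on purpose
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LIST_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = data
            index += 1
    return values


# Constructed sample list: two plausible legitimate entries plus the value from the post.
SAMPLE_LIST = {
    r"%windir%\system32\sessmgr.exe":
        r"%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019",
    r"C:\Program Files\Mozilla Firefox\firefox.exe":
        r"C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox",
    "": "mspeupx.exe:*:Enabled:mspeupx",   # value name "" as shown in the post (assumed)
}

if __name__ == "__main__":
    for rule in audit(SAMPLE_LIST):
        state = "enabled" if rule.enabled else "disabled"
        print(f"{rule.path!r} scope={rule.scope} {state}")
        for level, text in rule.reasons:
            print(f"    [{level}] {text}")
```

Run it as-is to see the constructed list triaged; on a real XP host, replace `SAMPLE_LIST` with `read_from_registry()`. The "note" level exists because legitimate default exceptions do live under System32, so a directory check alone is not a verdict; the bare-filename and name-mismatch checks are the ones that single out the entry from the post.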
  2. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Welcome to wilders.

    You can upload that file here to analyze it and see what it does.

    I don't think you are authorized to distribute malware here on Wilders.

    Looking at the log you posted, it seems to do a lot more...there's a lot of dll injecting and files being created. But I'm no expert, so I really can't tell what it really does...
     
  3. malwaretesting

    malwaretesting Registered Member

    Joined:
    May 17, 2008
    Posts:
    77
    Okay, here's the link:

    http://anubis.iseclab.org/result.php?taskid=631afd995bb2f1d41591c3ae03d09be7&refresh=1

    I realize the things listed are technically considered malicious. But to what end? What's the endpoint of these changes/modifications? Is this capable of keylogging?

    Thanks
     
  4. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    A lesson here: buy your software, don't download keygens :p
     
  5. malwaretesting

    malwaretesting Registered Member

    Joined:
    May 17, 2008
    Posts:
    77
    Let's see. Where do I begin?

    How does that even address the question? If I wanted a pointless, meaningless response, I would have asked my family instead of posting here. But I was expecting that response eventually.

    It's bad enough that no one has an actual answer to my question without having to listen to irrelevancies. I'll continue to download whatever I want and do whatever I want.

    ~~ removed off-topic commentary ~~ Please do feel free to do what you want in your own places and on your own PC, however, we have rules about what can be posted on this forum. So, please allow us to do as we need to, as well. Thanks, LowWaterMark
     
    Last edited by a moderator: May 22, 2008
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Malwaretesting,
    If I wanted to know exactly what a malware does, I would ask for the source code, but no malware writer is going to give it to me.
    Even if I got the source code, I would have another problem: I'm not a programmer.
    Even if I were a programmer, I would still have to know the programming language the malware is written in very well.
    There are too many programming languages. Imagine a malware written in assembler; assembler isn't as easy as Visual Basic.

    The only thing I can do is run the malware and see what it does to my system, but looking at installed bad objects wouldn't make me any wiser if I don't know their contents and what they do.

    So I'm not really interested in what a malware does. Getting rid of malware is something else; then I'm all ears.
    Getting rid of malware and choosing the right security software to do it is already difficult enough :)
     
    Last edited: May 22, 2008
  7. malwaretesting

    malwaretesting Registered Member

    Joined:
    May 17, 2008
    Posts:
    77
    Getting rid of this one was easy. But that's not enough for me in this case.

    The reason why I would like to know what it does is to gauge if I need to change any passwords, login credentials, etc. If it was a keylogger, I might need to. I'm probably going to hold on to it until I can figure out what it actually does.

    Also, this thing gave me absolutely no indication that my system was compromised. If it was able to bypass my firewall, antivirus, and anti-keyloggers, I'd like to know how it did it.

    The strange thing is, there's no indication online about what it does. It's like all the antivirus makers ran into the same problem as me. Either that, or this virus was poorly written and actually doesn't do what the authors intended. So, it may actually pose no risk.
     
  8. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I hope you find a skilled expert at Wilders, who has the time to analyse it.
    This is indeed an easy-to-remove malware, nothing but simple objects, I remove that one during reboot without doing anything.
     
  9. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,750
    Location:
    EU
    It makes me sick

    Gerard
     
  10. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    Well, I didn't mean to offend you or anything, but it's true: don't pirate software and you won't have these problems ;/
     
  11. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Yes, I know, other users like to spend more time on malware and learn about it as much as possible, but not me.
    It's neither my job nor my hobby. I only want to get rid of malware as fast as possible and without doing anything. :)
     
  12. malwaretesting

    malwaretesting Registered Member

    Joined:
    May 17, 2008
    Posts:
    77
    No offense. I was just trying a different tactic to get more responses.

    I think I'm pretty well covered now. This was an old piece of software (from 2005) that I installed a long time ago. My old antivirus just didn't detect it, even with updates. My new antivirus didn't even detect it until I scanned the System32 directory, which makes me think this thing wasn't doing anything to begin with. Currently, I'm using Sandboxie (both with my browser and any new software), ZoneAlarm with antivirus, Process Guard, and anti-keyloggers (+ many other techniques). I can always use an online malware analysis tool before I open anything, and I can run any new software through Sandboxie. I surf online with active content off.

    Things are much more heavily weighted in my favor now. Even if my antivirus didn't detect this virus today, I would have easily detected it using other means. Sandboxie alone would have entirely protected me if I had it when I first opened this software years ago. I tested it against this virus, and it worked.

    I'm just wondering about the damage it did before I detected it. I'm 90% confident it didn't do anything, but there's always that 10% that wonders. The annoying thing is that I don't feel Ad-Aware was even worth it. I don't believe it's ever detected anything serious on my system.

    But I'm confident something like this won't happen again anytime soon. I have a better understanding now.
     
  13. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    Np Glad you found your answer.
     
  14. malwaretesting

    malwaretesting Registered Member

    Joined:
    May 17, 2008
    Posts:
    77
    Well, I have a better understanding of computer security, and I don't think this type of virus could get on my system now.

    But I haven't found an answer to my initial question yet. Since this virus did make it on my system at some point, I would still like to know what it does.
     
  15. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    How did the virus get to your system ? That is the crucial question.
    All the other questions are of no importance, when you have answered and SOLVED the first question.
    A decent, properly used ISR-software would have removed at least this object during reboot, instead of keeping it as a remaining superfluous object (dangerous or not).

    A properly used Image Backup software would have removed this bad object also and restored your computer completely.
     
    Last edited: May 23, 2008
  16. malwaretesting

    malwaretesting Registered Member

    Joined:
    May 17, 2008
    Posts:
    77
    There's a flaw in that theory. If the object in question is part of your baseline image, this type of software won't work. If malware makes it onto your system before you even take the image and none of your system scans detect it, it won't be removed.
     
  17. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    No, there is no flaw in my theory, because I do it right, and I never back up my actual system the way most users do, because it might be infected and restoring an infected image is no solution.
    Any actual system that has been online too long is possibly infected, due to failures of security software, and needs to be replaced with a clean system.
    You can only create a clean image during an installation from scratch; after that it's not possible anymore, unless you keep that clean image for restoration only, and that's what I do. I upgrade my clean images, not my actual system.
    I still have to find the first scanner, that detects something on my system, except false positives of course.
    Forget the classical way of doing things and start from scratch like I did with new procedures. :)
     
    Last edited: May 24, 2008
  18. malwaretesting

    malwaretesting Registered Member

    Joined:
    May 17, 2008
    Posts:
    77
    Well, I did image my system after an installation from scratch (spent one day doing it), with no connection to the internet. But, of course, I wanted to install some additional software besides Windows before I took my image. But then, how do you know that additional software doesn't have something on it? I am having trouble differentiating what you mean by an "actual system" and a "clean image", though. Isn't a clean image still an image of your system?

    I assume you install software besides Windows during your clean install. The point is that at that point in time when I did the "clean install", I had one piece of software that wasn't clean. I thought it was because it had been scanned so many times. And, even after I had been using this image for years and scanned it numerous times, still nothing showed up. I upgraded my antivirus numerous times on this image, and it was never detected. I added a HIPS, anti-keyloggers, etc. Still nothing. Each time I restored the image, I added new anti-malware and did different types of scans.

    To my thinking, if you're installing software other than Windows (or another OS) from a commercially produced CD/DVD, you can't be 100% sure. I'm sure you're going to point out that this software I thought was clean was a keygen. That's true. But it could have been some other piece of software with a virus that's simply not being detected.

    And even if I didn't include this software on my image, I probably would have run it after every image restore, confident that it was virus free. After all, I had been scanning it for years.

    Doing imaging like that is a big help, but it's not a complete solution. It still depends on the better judgment of the user. My judgment is better now than it was then.
     
  19. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Malwaretesting,
    If I have to explain everything about how I do things and the philosophy behind it, this thread is going to be OFF-TOPIC and my post will be deleted by the moderators.
    Everything I did is posted somewhere at Wilders, where other members also share their knowledge and ideas regarding recovery/security.
    I do nothing but read/write posts and collect information to reach my goal, just like every other member. I can't do it alone, because my computer knowledge is very poor. :)
     
  20. malwaretesting

    malwaretesting Registered Member

    Joined:
    May 17, 2008
    Posts:
    77
    I believe I understood what you were saying and the philosophy behind it. And I think you were right. Your suggestions were right on.

    I just hadn't explained to you that I have a similar philosophy, but it just happened to fail in this case. You had no way of knowing that this virus was actually on what I considered to be a clean install. I generally keep a set of programs on another drive that I consider to be useful and malware-free. After I install Windows (for my clean install), I install these programs. This virus just happened to be in that folder. I thought it was clean, and at the time, I didn't have the knowledge to know otherwise. So, clean installs, while very useful, are not a guarantee unless you can guarantee that all of your favorite programs are malware-free. As an example of this, take your favorite media player. You would probably consider this to be a must either before or after you take your image. If this media player just happens to have malware that you can't detect, your clean image will be infected, either before or after the restore. In my case, I would have thought that it would take less than 3 years to detect this virus. I thought wrong.

    And that's the main problem here. It's had 3 years to do its damage. That's why I want to know what it actually does. If it had been just 1 month, I would probably just get rid of it. But, since it's had years to operate, I'm probably not just going to let it go.

    If you couldn't tell, this is my first virus (or any type of malware) in many years. I'm a meticulous person, and I generally follow strict security precautions. I've been reading this forum for years, and I've posted with different credentials in the past.

    I appreciate your responses. Thank you. Feel free to respond as often as you want, even if it's off-topic. I'm sure it won't be deleted.
     
  21. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  22. malwaretesting

    malwaretesting Registered Member

    Joined:
    May 17, 2008
    Posts:
    77
    Here's the link. It's not ready yet as of this time, but I'll post it anyway. The message I'm getting now is "Your malware binary analysis is not complete yet."

    ~~~ removed malware line - tagged as "TR/Drop.VB.HF.2" ~~~


    If it's not ready by tomorrow, I'll do it again.

    Thank you.
     
    Last edited by a moderator: May 28, 2008
  23. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I'm not surprised you have to wait. This website might have a lot of work to do for many other users world-wide.
    Nevertheless, keep us posted, because I also would like to know how helpful the final results are. I like to remember that kind of background information as a possibility in the future. :)
     
    Last edited by a moderator: May 28, 2008
  24. malwaretesting

    malwaretesting Registered Member

    Joined:
    May 17, 2008
    Posts:
    77

    I think it's ready. I haven't had a chance to look at it yet though.
     
  25. malwaretesting

    malwaretesting Registered Member

    Joined:
    May 17, 2008
    Posts:
    77
    Be careful. Don't download the EXE. I think they've actually included the virus in the analysis. I didn't know they would do that.

    @ Moderators

    I believe there is a virus in my links and in ErikAlbert's response. Let me know if the link should be removed.
     