What does this virus actually do?

Discussion in 'malware problems & news' started by malwaretesting, May 17, 2008.

Thread Status:
Not open for further replies.
  1. malwaretesting

    malwaretesting Registered Member

    Joined:
    May 17, 2008
    Posts:
    77
    I'm using Windows XP. The filename is Ad-aware-keygen.exe. It's identified as Trojan-Dropper.Win32.VB.hf, Trojan-Dropper.VB.hf, and/or Trojan.Spy.Agent-54. It creates a file, mspeupx.exe, in the System32 directory. mspeupx.exe is identified as TrojanSpy.Win32.Agent.et and/or Troj/Agent-BJB.

    It makes the following modification to the registry:

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "" = mspeupx.exe:*:Enabled:mspeupx

    As I understand it, this modification allows it to bypass the XP firewall, which I don't use. I haven't been able to detect it making any attempts to access the internet.


    Here is a link to an online, automated analysis done at CWSandbox.org:

    http://cwsandbox.org/?page=details&id=262208&password=qjsns


    So, aside from making a registry modification and placing a file in the System32 directory, what malicious activity does it actually carry out? It seems completely benign to me, but I can't understand why someone would release a virus that actually does nothing.

    I'm mostly concerned about keyloggers and data transmitted online. I have anti-keyloggers, and they haven't alerted me to anything. My firewall hasn't alerted me to anything unusual. According to CWSandbox, there is no network activity.

    So, what does it actually do? I have a copy if anyone wants it.

    Thanks.
     
  2. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Welcome to wilders.

    You can upload that file to here to analize it and see what it does.

    I don't think your are authorized to distribute malware here on wilders.

    Looking at the log you posted, it seems to do a lot more...there's a lot of dll injecting and files being created. But I'm no expert, so I really can't tell what it really does...
     
  3. malwaretesting

    malwaretesting Registered Member

    Joined:
    May 17, 2008
    Posts:
    77
    Okay, here's the link:

    http://anubis.iseclab.org/result.php?taskid=631afd995bb2f1d41591c3ae03d09be7&refresh=1

    I realize the things listed are technically considered malicious. But to what end? What's the endpoint of these changes/modifications? Is this capable of keylogging?

    Thanks
     
  4. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    A lesson here, Buy your Software Dont download keygens :p
     
  5. malwaretesting

    malwaretesting Registered Member

    Joined:
    May 17, 2008
    Posts:
    77
    Let's see. Where do I begin?

    How does that even address the question? If I wanted a pointless, meaningless response, I would have asked my family instead of posting here. But I was expecting that response eventually.

    It's bad enough that no one has an actual answer to my question without having to listen to irrelevancies. I'll continue to download whatever I want and do whatever I want.

    ~~ removed off-topic commentary ~~ Please do feel free to do what you want in your own places and on your own PC, however, we have rules about what can be posted on this forum. So, please allow us to do as we need to, as well. Thanks, LowWaterMark
     
    Last edited by a moderator: May 22, 2008
  6. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Malwaretesting,
    If I would like to know what a malware does exactly, I would ask for the source code, but no malware writer is going to give it to me.
    Even when I get the source code, I have another problem, I'm not a programmer.
    Even when I was a programmer, I still have to know the program language very well, in which the malware is written.
    There are too many program languages. Imagine a malware written in assembler, assembler isn't so easy like visual basic.

    The only thing I can do is running the malware and see what it does to my system, but looking at installed bad objects wouldn't make me any wiser, if I don't know the contents of it and what it does.

    So I'm not really interested in what a malware does. Getting rid of malware is something else, then I'm all ears.
    Getting rid of malware and choosing the right security softwares to do it, is already difficult enough :)
     
    Last edited: May 22, 2008
  7. malwaretesting

    malwaretesting Registered Member

    Joined:
    May 17, 2008
    Posts:
    77
    Getting rid of this one was easy. But that's not enough for me in this case.

    The reason why I would like to know what it does is to gauge if I need to change any passwords, login credentials, etc. If it was a keylogger, I might need to. I'm probably going to hold on to it until I can figure out what it actually does.

    Also, this thing gave me absolutely no indication that my system was compromised. If it was able to bypass my firewall, antivirus, and anti-keyloggers, I'd like to know how it did it.

    The strange thing is, there's no indication online about what it does. It's like all the antivirus makers ran into the same problem as me. Either that, or this virus was poorly written and actually doesn't do what the authors intended. So, it may actually pose no risk.
     
  8. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I hope you find a skilled expert at Wilders, who has the time to analyse it.
    This is indeed an easy-to-remove malware, nothing but simple objects, I remove that one during reboot without doing anything.
     
  9. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
    It makes me sick

    Gerard
     
  10. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    Well, I diddent mean to offend you or anything but its true, don't pirate software and you wont have these problems ;/
     
  11. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Yes I know, other users like to spend more time on malware and learn about them as much as possible, but not me.
    It's neither my job, nor hobby. I only want to get rid of malware as fast as possible and without doing anything. :)
     
  12. malwaretesting

    malwaretesting Registered Member

    Joined:
    May 17, 2008
    Posts:
    77
    No offense. I was just trying a different tactics to get more responses.

    I think I'm pretty well covered now. This was an old piece of software (from 2005) that I installed a long time ago. My old antivirus just didn't detect it, even with updates. My new antivirus didn't even detect it until I scanned System32 directory, which makes me think this thing wasn't doing anything to begin with. Currently, I'm using Sandboxie (both with my browser and any new software), Zonalarm with antivirus, Process Guard, and anti-keyloggers (+many other techniques). I can always use an online malware analysis tool before I open anything, and I can run any new software through Sandboxie. I surf online with active content off.

    Things are much more heavily weighted in my favor now. Even if my antivirus didn't detect this virus today, I would have easily detected it using other means. Sandboxie alone would have entirely protected me if I had it when I first opened this software years ago. I tested it against this virus, and it worked.

    I'm just wondering about the damage it did before I detected it. I'm 90% confident it didn't do anything, but there's always that 10% that wonders. The annoying thing is that I don't feel Ad-Aware was even worth it. I don't believe it's ever detected anything serious on my system.

    But I'm confident something like this won't happen again anytime soon. I have a better understanding now.
     
  13. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    Np Glad you found your answer.
     
  14. malwaretesting

    malwaretesting Registered Member

    Joined:
    May 17, 2008
    Posts:
    77
    Well, I have a better understanding of computer security, and I don't think this type of virus could get on my system now.

    But I haven't found an answer to my initial question yet. Since this virus did make it on my system at some point, I would still like to know what it does.
     
  15. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    How did the virus get to your system ? That is the crucial question.
    All the other questions are of no importance, when you have answered and SOLVED the first question.
    A decent, properly used ISR-software would have removed at least this object during reboot, instead of keeping it as a remaining superfluous object (dangerous or not).

    A properly used Image Backup software would have removed this bad object also and restored your computer completely.
     
    Last edited: May 23, 2008
  16. malwaretesting

    malwaretesting Registered Member

    Joined:
    May 17, 2008
    Posts:
    77
    There's a flaw in that theory. If the object in question is part of your baseline image, this type of software won't work. If malware makes it onto your system before you even take the image and none of your system scans detect it, it won't be removed.
     
  17. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    No there is no flaw in my theory, because I do it right and I never backup my actual system either like most users do, because it might be infected and restoring an infected image is no solution.
    Any actual system that has been online too long is possibly infected due to failures of security softwares and needs to be replaced with a clean system.
    You can only create a clean image during an installation from scratch, after that it's not possible anymore, unless you keep that clean image for restoration only and that's what I do. I upgrade my clean images, not my actual system.
    I still have to find the first scanner, that detects something on my system, except false positives of course.
    Forget the classical way of doing things and start from scratch like I did with new procedures. :)
     
    Last edited: May 24, 2008
  18. malwaretesting

    malwaretesting Registered Member

    Joined:
    May 17, 2008
    Posts:
    77
    Well, I did image my system after an installation from scratch (spent one day doing it), with no connection to the internet. But, of course, I wanted to install some additional software besides Windows before I took my image. But, then, how do you know that additional software doesn't have something on it. I am having trouble differentiating what you mean by an "actual system" and "clean image" though. Isn't a clean image still an image of your system?

    I assume you install software besides Windows during your clean install. The point is that at that point in time when I did the "clean install", I had one piece of software that wasn't clean. I thought it was because it had been scanned so many times. And, even after I had been using this image for years and scanned it numerous times, still nothing showed up. I upgraded my antivirus numerous times on this image, and it was never detected. I added a HIPS, anti-keyloggers, etc. Still nothing. Each time I restored the image, I added new anti-malware and did different types of scans.

    To my thinking, if you're installing software other than Windows (or another OS) from a commercially produced CD/DVD, you can't be 100% sure. I'm sure you're going to point out that this software I thought was clean was a keygen. That's true. But it could have been some other piece of software with a virus that's simply not being detected.

    And even if I didn't include this software on my image, I probably would have run it after every image restore, confident that it was virus free. After all, I had been scanning it for years.

    Doing imaging like that is a big help, but it's not a complete solution. It still depends on the better judgment of the user. My judgment is better now than it was then.
     
  19. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Malwaretesting,
    If I have to explain everything how I do things and the philosophy behind it, this thread is going to be OFF-TOPIC and my post will be deleted by the moderators.
    Everything I did is somewhere posted at Wilders, where also other members share their knowledge and ideas regarding recovery/security.
    I do nothing but reading/writing posts and collecting information to reach my goal, just like every other member. I can't do it alone, because my computer knowledge is very poor. :)
     
  20. malwaretesting

    malwaretesting Registered Member

    Joined:
    May 17, 2008
    Posts:
    77
    I believe I understood what you were saying and the philosophy behind it. And I think you were right. Your suggestions were right on.

    I just hadn't explained to you that I have a similar philosophy, but it just happened to fail in this case. You had no way of knowing that this virus was actually on what I considered to be a clean install. I generally keep a set of programs on another drive that I consider to be useful and malware-free. After I install Windows (for my clean install), I install these programs. This virus just happened to be in that folder. I thought it was clean, and at the time, I didn't have the knowledge to know otherwise. So, clean installs, while very useful, are not a guarantee unless you can guarantee that all of your favorite programs are malware-free. As an example of this, take your favorite media player. You would probably consider this to be a must either before or after you take your image. If this media player just happens to have malware that you can't detect, your clean image will be infected, either before or after the restore. In my case, I would have thought that it would take less than 3 years to detect this virus. I thought wrong.

    And that's the main problem here. It's had 3 years to do its damage. That's why I want to know what it actually does. If it had been just 1 month, I would probably just get rid of it. But, since it's had years to operate, I'm probably not just going to let it go.

    If you couldn't tell, this is my first virus (or any type of malware) in many years. I'm a meticulous person, and I generally follow strict security precautions. I've been reading this forum for years, and I've posted with different credentials in the past.

    I appreciate your responses. Thank you. Feel free to respond as often as you want, even if it's off-topic. I'm sure it won't be deleted.
     
  21. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  22. malwaretesting

    malwaretesting Registered Member

    Joined:
    May 17, 2008
    Posts:
    77
    Here's the link. It's not ready yet as of this time, but I'll post it anyway. The message I'm getting now is "Your malware binary analysis is not complete yet."

    ~~~ removed malware line - tagged as "TR/Drop.VB.HF.2" ~~~


    If it's not ready by tomorrow, I'll do it again.

    Thank you.
     
    Last edited by a moderator: May 28, 2008
  23. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I'm not surprised, you have to wait. This website might have alot of work to do for many other users world-wide.
    Nevertheless, keep us posted, because I also would like to know, how helpfull the final results are. I like to remember that kind of background information as a possibility in the future. :)
     
    Last edited by a moderator: May 28, 2008
  24. malwaretesting

    malwaretesting Registered Member

    Joined:
    May 17, 2008
    Posts:
    77

    I think it's ready. I haven't had a chance to look at it yet though.
     
  25. malwaretesting

    malwaretesting Registered Member

    Joined:
    May 17, 2008
    Posts:
    77
    Be careful. Don't download the EXE. I think they've actually included the virus in the analysis. I didn't know they would do that.

    @ Moderators

    I believe there is a virus in my links and in ErikAlbert's response. Let me know if the link should be removed.
     
Loading...
Thread Status:
Not open for further replies.