Yahoo Messenger Worm Evolving - My Experience

Discussion in 'malware problems & news' started by Cadillakin, May 22, 2007.

Thread Status:
Not open for further replies.
  1. Cadillakin

    Cadillakin Registered Member

    Joined:
    May 22, 2007
    Posts:
    18
    I'm an experienced end-user with a good knowledge of the Windows OS. I just contracted the worm.. and I wanted to add some notes and information that might possibly help others.. This is not meant to be a complete guide to cleaning the worm, only a supplement to what has been written on the net. If you are stuck.. and the worm isn't being eradicated by other means, as you would hope, maybe there is something in this post to help...

    I saw the coolpics link in my Yahoo Messenger friends list, right next to a friend I chat with. I didn't know what it was.. Maybe a new feature to show her pics or whatever.. I am a Firefox user, only using Iexplore when absolutely necessary. I clicked on the link once. A few windows opened up and I ended up at a porn site.. Odd, I thought. Nothing much happened.. I didn't know it but the worm was trying to gain access.. Anyway, it didn't get on my system. The following day, I discussed the coolpics link next to her name with her, and clicked on it again, so that I might tell her what was happening. Unbeknownst to me, and without any input or changes, IExplorer opened the link this time.. How did that happen? (Is the worm evolving to work around Firefox?) Now, I was infected.. I could tell in a few seconds watching my screen that something untoward was going on.. Java? I thought.

    Ok well, I looked around.. Not too serious.. I'll fix it.. I read up on the net... unloaded the infected lsass.exe (not mentioned much on the net) from memory. I'm using Clamwin antivirus.. the lsass.exe was in the windows folder, not system32, like it's supposed to be... I restored the task manager and registry with the help from my fellow netizens. I entered my registry, made some changes, deleted the startup files (from the HKLM run key). I also deleted the svchost32 files (not the svhost files that are usually mentioned), tipped off to their presence by the new entries that were created and noticed in my startup registry entries.. Ok, that should do it.. All done.

    Upon restart, I noticed a slight change entering the desktop, it took a little longer to load. First, instead of firing up Firefox as is my usual custom, I executed IExplorer to see if everything was ok... Uh oh! Went right back to coolpix.. More Java shimmering in my browser and desktop...(I hadn't changed the home page in the registry. Duh.. My mistake!.) I closed IExplorer fast.. Too late..

    Now, things were much worse.

    My firefox browser had been deleted.. Sh*t. The run option in my start menu was gone. Task Manager was locked. Regedit locked. Folder options gone from Explorer. I felt a little panicked. Calm down, I told myself..

    Although the worm can alter the behavior and function of antivirus software, Clamwin, my scanner, which doesn't reside in memory, was not affected by the worm's actions. I again had Clamwin scan windows memory and found lsass.exe resident and running. Clamwin unloaded it for me. I deleted it. I checked my command.com and gpedit.msc.. and both still working. Ok, I can do this. In an effort to restore my run entry.. I opened gpedit and went to Administrative templates/Start Menu and Taskbar. "Remove run menu from start menu" was "not configured". I had expected there would have been a change there. Nevertheless, I enabled it, then pressed apply, checked the run area of my start menu, nothing changed, then disabled it, pressed apply, nothing changed, and then changed it back to "not configured". That series of actions somehow restored the run menu item. I again used the instructions off the net for restoring my task manager and regedit.. using a single command and parameters on the run line... Ok, they are back. I'm making progress. No way I want to reformat or do anything drastic.. When I first started using computers, not knowing any better, I often followed the wrong advice, and ended up making things MUCH worse.. Caution is advised. Don't reboot or delete things that you don't understand.. until you are informed, ready, and have surveyed all the damage.. Sometimes a reboot can execute an instruction that the virus or trojan was unable to execute while the computer is on and active.

    Next, I went to my temp folder which I hadn't done before (documents and settings\username\local settings\temp) and I saw 2 instances of iexplore.exe there, running, with oddball icons, and definitely of the wrong file size. I opened task manager and there they were. 3 instances of Iexplore running. The first was using 40k memory, as is normal, the others, much, much less. I killed the smaller iexplores and then deleted them from the temp folder. After further changes in the registry that prevented installing software, under "currentuser\software\microsoft\windows\currentversion\policies\explorer", I reinstalled Firefox. Basically, I had deleted everything from that section of the registry, along with all the options installed in that same key, and in the policies\system key, right alongside. They were all added by the worm for the express purpose of protecting itself. This time the wiser, I found and changed the home page assignment directing the IExplorer browser to coolpics.com in Internet Explorer. This entry was previously greyed out in "internet options" from the worm's changes. Another change to the registry is necessary to change it back to something other than the coolpics page, which loads the worm.. Ok, looks like everything is alright.. I reboot.. I'm nervous...

    Early on, everything is normal, but as the desktop is about to load, it seems to be hanging.. taking over a minute... Ahhh.. I'm agonizing watching as it seems to be stuck... I just wait.. After about 90 seconds, the desktop loads with an error message.. but on reading the message, it's a seemingly not-too-serious error message.. "Windows cannot find c:\windows\system\lsass.exe." I click ok.. I recognize the path to that lsass file is that of the previously deleted file that the worm installed. Windows does not use the system folder for lsass.. Searching in the registry again, I found the entry.. The worm had appended C:\windows\system\lsass.exe to my shell entry, explorer.exe (HKEY local machine\software\Microsoft\WindowsNT\Current Version\WinLogon). Thus instead of having explorer.exe as my shell, I had "explorer.exe c:\windows\system\lsass.exe" listed as the windows shell..

    I restarted and everything is gone.. All is well. The whole process ended up taking a couple of hours.. including the reading and researching that was necessary.

    A long post for sure.. but I'm hoping at least one part of this might help somebody who is stuck with a computer, not properly functioning..
     
    Last edited: May 22, 2007
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Can you post the coolpics link so others can test?

    Use hxxp://

    regards,

    -rich

    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
  3. Cadillakin

    Cadillakin Registered Member

    Joined:
    May 22, 2007
    Posts:
    18
    hxxp://thecoolpics.net
    hxxp://thecoolpics.net/mypics.jpg
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Cadillakin,

    Can you check for the presence of a file called "New Folder.exe" on your computer?
    I've been trying to hunt that file down since I believe it to be related to the coolpics hijacker.
    If you have it we can discuss a way to get it to me.
    The most likely location is in your root directory ( C:\New Folder.exe )

    Oh, P.S. : http://www.pieter-arntz.info/wordpressblog/?p=31

    Regards,

    Pieter
     
  5. Cadillakin

    Cadillakin Registered Member

    Joined:
    May 22, 2007
    Posts:
    18
    Yes Pieter, I do have it... I had not noticed it before you mentioned it.

    Let me know how to transport it to you.. I don't want to violate any terms of service by uploading a known virus/worm.
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    That'd be great!! :)

    Can you follow the instructions here:
    http://www.thespykiller.co.uk/index.php?topic=5.0

    The owner of that site is a moderator here and only a few known malware fighters he trusts can download the uploaded files.

    I'll keep you posted on my findings of course.

    Thanks in advance,

    Pieter
     
  7. Cadillakin

    Cadillakin Registered Member

    Joined:
    May 22, 2007
    Posts:
    18
    Ok, Pieter.. Done deal.. it's uploaded
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Definitely related.

    Detected as Sohanad.AI

    Thanks,

    Pieter
     
  9. Cadillakin

    Cadillakin Registered Member

    Joined:
    May 22, 2007
    Posts:
    18
    Even though I have almost discarded IE in favor of Firefox, this worm still nailed me, somehow invoking my IE browser when Firefox is the default for all relevant file types. I think perhaps I will register Sandboxie, which when registered, can force the browser into the Sandbox if involuntarily invoked in this manner.. That worm wouldn't have touched me..

    Two things occurred with this worm that, in my reading, don't appear common, or perhaps I am the only one to have written about it on the net.

    #1. The worm deleted Firefox leaving me only with IE.
    #2. The worm accessed and changed my shell command.

    No question about it.. this worm is getting more dangerous. It could easily have finished off the contents of this drive..
     
    Last edited: May 22, 2007
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    This is a pretty straight-forward redirect exploit:

    http://www.urs2.net/rsj/computing/tests/mypics/code-mypics.gif

    It will download a dropper -- YMworm.exe -- and then the fun begins.

    MyPics Redirect Test


    regards,

    -rich

     
    Last edited: May 22, 2007
  11. Cadillakin

    Cadillakin Registered Member

    Joined:
    May 22, 2007
    Posts:
    18
    Thanks for the test and the instruction. I'm not that aware of web and html coding. How is it that this worm/site invoked my dormant IE browser? I use IE only for one website and it is associated to nothing applicable to web browsing. I noticed when I was repairing the damage that IE was NOT changed to my default browser.. it was still Firefox. How does that happen?
     
  12. tayres

    tayres Guest

    Could I ask what version of IE you were using, was it fully patched at the time, and what was IE's security level set to?
     
    Last edited by a moderator: May 22, 2007
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    It is very simple to make a script start a particular program. By having IE connect out rather than FireFox, the chances of the exploit succeeding are greatly enhanced.

    The script is probably buried in the obfuscated javascript. I can't find my link to the on-line converter at the moment, so I don't know exactly how it is done.

    However, you might review your firewall rules, because later, the bogus applications that were created attempted to connect out to dl other junk - and could have been stopped:

    http://www.urs2.net/rsj/computing/tests/mypics/kerio-iexplore.gif

    http://www.urs2.net/rsj/computing/tests/mypics/kerio-svchost.gif

    I added these screen shots and a few others to my test.

    regards,

    -rich

     
  14. herbalist

    herbalist Guest

    I've picked up 2 separate executables from that site.
    YMworm.exe MD5 is 206aaa39f0e9e4a6934d55ead0ed4c9c
    worm2007.exe MD5 is 3614b3a18a10c63a3368425431bb1135

    It'll be a while before I can scan them at VT. They're extremely busy at the moment. 200+ scans ahead of me. Both files are queued.

    What's odd here is that neither file even tried to execute when I visited the page. I bypassed Proxomitron, disabled the hosts file, and lowered the IE6 security settings for the internet zone to their default level. I was going to give SSM a little test but the malware files won't launch. Maybe I'll try it again with lower settings in IE6.
    Rick
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I have to use IE6 at medium settings (unpatched of course!) to get most of these things to run.

    regards,

    -rich
     
  16. Cadillakin

    Cadillakin Registered Member

    Joined:
    May 22, 2007
    Posts:
    18
    Thanks for the info, rich..

    I used to tinker with firewalls all the time. In fact, I spent too much time playing around, configuring, reconfiguring. I got tired of the interruptions and trying to interpret everything while training a firewall. Sometimes I didn't have a clue whether to allow or to deny... and I could spend hours trying to understand the intricacies of the firewall. With that said, I'm a relatively safe web surfer. A couple of years back, I began to feel comfortable with Firefox and discarded IE .. I occasionally invoke "no script". That browser and extension suited me.

    Basically, I settled on my Buffalo router and its accompanying firewall for protection, along with Firefox. I have Sandboxie on my computer to use for testing anything suspicious. I rarely use it to browse with.. And I have a non-resident freeware scanner. That served me well enough, till now.

    But as is mostly always the case, it was my fault that the worm got me.. I invited it by clicking on that link. Funny, the first time I clicked on that coolpix link, firefox handled it. I even suspected when the porn and the anonymizer came up that they might be trying to install something. I wasn't too worried about it. But in one day, they overcame my feeble protection and invoked the more vulnerable browser..

    To answer the previous questioner, I'm using IE v6 with sp1.. and have not updated anything since the beginning of 06. I have my windows OS extremely stable and along the way, in the transition from 98 to XP, and the move away from the IE browser, I gained faith in my web security. Well, I've learned some things, thanks to people like yourself, my reading and this experience... and I'm less likely to get nailed again. I've been on the net from the beginning and it's been 10 years since I've had that kind of breach.. I have True Image installed and backing up.. so I should be ok no matter what.. but it's more the thought that somebody got in.. That's what bothers me...

    Thanks for your help
     
  17. Cadillakin

    Cadillakin Registered Member

    Joined:
    May 22, 2007
    Posts:
    18
    Aha.. that's my version and patch status :D
     
  18. herbalist

    herbalist Guest

    Cadillakin,
    Just using another browser instead of Internet Explorer isn't sufficient to keep it from being used or exploited by malware. In this instance, a firewall rule blocking Internet Explorer from accessing the net would have stopped it from being used. You can always disable the blocking rule when you use windows update, then re-enable it when you're done.
    Both HTML and JavaScript can specify the app to be used as well as the site to connect to. You can see how this works by making a couple of internet shortcuts on your desktop by right clicking "New" then "shortcut". Copy the following into the "create shortcut" dialog box:
    Code:
    http://www.wilderssecurity.com
    Then make another shortcut and copy this to it, including the quotes:
    Code:
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.wilderssecurity.com
    The first one will use your default browser. Assuming the first part of the second link is the correct path to Internet Explorer on your PC and you don't have it blocked with a firewall or HIPS, the 2nd link should bring you to this forum using IE6. JavaScript works in a similar fashion.

    Rmus,
    I went to medium-low and still nothing. How long ago was this patched? I'm running 98, which hasn't seen any new patches in a while now. I suppose I shouldn't complain when I can't make a lot of malicious code run on this box even after I lower most of my defenses.
    Rick

    edited to fix typos
     
    Last edited by a moderator: May 23, 2007
  19. herbalist

    herbalist Guest

    VirusTotal scan results of the 2 files from that link.
    YMworm
    Worm2007
    Rick
     
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Gee, this is a terrible dilemma. I'm really sorry for your predicament. http://www.urs2.net/rsj/computing/imgs/sad.gif

    It came with my Win2K and when I had a friend upgrade my Win2K to SP4, he installed these IE updates:

    Q824145
    Q330994

    I haven't done any updates since then.

    If I think of a way I could "loan" you my IE6 I'll let you know :)

    You know, Rick, I've often done normal surfing Saturday mornings with IE security set on Low just to see what happens. Just my normal work on the 'net. A friend has done the same. We've never encountered a drive-by. It's only when I intentionally go to a known malicious site to test, that I encounter anything. And you have to be quick, because these sites are often taken down rather quickly these days.

    The OP writes,

    I wonder if that isn't the case in most of these situations.

    I think IE is a fine browser, and I know many who have used it safely with no problems. I choose to use another because of its features, not because it is more secure, because much of "browser security" pertains to configuration and user's actions.

    -rich
     
    Last edited: May 22, 2007
  21. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I notice your YMworm is the same as the svchost.exe that I cached.

    EDIT: My YMworm was corrupt. I snagged a new one, scanned at Virus Total with the same results that you had. YMworm.exe copies itself as svchost.exe which is why they have the same MD5 signature.

    -rich
     
    Last edited: May 22, 2007
  22. herbalist

    herbalist Guest

    That's pretty much the same for me. In the last 4 or 5 years, I've run into 2 of them when I wasn't deliberately looking for one. Whenever I find or hear of one, I like to use it to test my defenses, primarily SSM. Makes for a better test than having to launch the malware manually. I couldn't get that site to do anything more than leave the malware files in a temp folder. The only thing I didn't try was putting the site in my trusted zone. Real drive-by sites are hard enough to find when you want them. Ones that will try to attack a 98 box are getting scarce, or so it would seem.
    Rick
     
  23. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Interesting read. Just a quick question. The OP mentioned using Yahoo messenger. Is it based around IE? I understand that IE is integrated in the OS and other programs. I was wondering if Yahoo messenger was how IE got involved in this situation? Thanks, innerpeace
     
  24. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,284
    Location:
    England
    I have been told that SDFix by Andy Manchesta removes this infection.
     
  25. AndyManchesta

    AndyManchesta Registered Member

    Joined:
    Feb 13, 2006
    Posts:
    5
    Location:
    Manchester. UK
    Cheers for the link Stapp,

    Yes, SDFix removes the worm and reverses the changes it makes. If it's removed manually then you should also check that msconfig still works, and system restore if it's on XP, as the worm is capable of deleting the files. If they have been removed, though, the backups in the dllcache should still be there, so they can be copied back into their original location:

    %systemroot%\pchealth\helpctr\binaries\msconfig.exe
    %systemroot%\system32\Restore\rstrui.exe

    Cheers

    Andy
     
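    The manual cleanup in the first post (Winlogon shell, Run key, Explorer/System policies, IE start page, misplaced lsass.exe, the New Folder.exe file) and Andy's note about the deleted msconfig.exe and rstrui.exe can be checked in one pass. The script below is an added example, not code from the thread or from SDFix; it is read-only, assumes a Windows host with PowerShell, and assumes the dllcache copies live under system32\dllcache (the thread names the dllcache but not the exact path).

    ```powershell
    # Added example (not from the thread): audit the persistence and lockdown points
    # the worm is described as touching. Reports only; it changes nothing.
    $findings = New-Object System.Collections.Generic.List[string]

    function Get-RegValue($Path, $Name) {
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
        catch { $null }   # key or value absent
    }

    # 1. Winlogon shell: the worm appended its lsass.exe copy after explorer.exe
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = Get-RegValue $winlogon 'Shell'
    if ($shell -and $shell.Trim() -ne 'explorer.exe') {
        $findings.Add("Winlogon Shell is '$shell' (expected 'explorer.exe')")
    }

    # 2. Explorer/System policies used to lock out Task Manager, regedit, Run, Folder Options
    $policyRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
    $lockdown = @{
        "$policyRoot\System"   = @('DisableTaskMgr', 'DisableRegistryTools')
        "$policyRoot\Explorer" = @('NoRun', 'NoFolderOptions')
    }
    foreach ($key in $lockdown.Keys) {
        foreach ($name in $lockdown[$key]) {
            if ((Get-RegValue $key $name) -eq 1) { $findings.Add("$key\$name = 1 (disabled by policy)") }
        }
    }

    # 3. IE start page redirected to the site that serves the worm
    $startPage = Get-RegValue 'HKCU:\Software\Microsoft\Internet Explorer\Main' 'Start Page'
    if ($startPage -match 'coolpics') { $findings.Add("IE Start Page is '$startPage'") }

    # 4. HKLM Run entries: listed for manual review, since legitimate contents vary
    $run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    $psProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    if ($run) {
        $run.PSObject.Properties | Where-Object { $psProps -notcontains $_.Name } |
            ForEach-Object { $findings.Add("Run entry (review): $($_.Name) = $($_.Value)") }
    }

    # 5. Dropped files: the real lsass.exe lives only in system32
    $suspectFiles = @("$env:SystemRoot\system\lsass.exe", "$env:SystemRoot\lsass.exe",
                      "$env:SystemDrive\New Folder.exe")
    foreach ($f in $suspectFiles) {
        if (Test-Path -LiteralPath $f) { $findings.Add("Unexpected file present: $f") }
    }

    # 6. Repair tools the worm deletes on XP, with the assumed dllcache backup location
    $dllcache = "$env:SystemRoot\system32\dllcache"
    $tools = @("$env:SystemRoot\pchealth\helpctr\binaries\msconfig.exe",
               "$env:SystemRoot\system32\Restore\rstrui.exe")
    foreach ($t in $tools) {
        if (-not (Test-Path -LiteralPath $t)) {
            $backup = Join-Path $dllcache (Split-Path $t -Leaf)
            $state = if (Test-Path -LiteralPath $backup) { "backup at $backup" } else { 'no dllcache backup' }
            $findings.Add("Missing repair tool: $t ($state)")
        }
    }

    if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings }
    ```

    Run it from an elevated prompt; anything it lists is a starting point for the manual checks described in the thread, not an automatic verdict.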