Resolving an issue with page faults in a nonpaged area

One of the computers I was working on as of late (a Dell Inspiron B130) appeared to have eleventy billion malware infections of one kind or another. The staff who had been out there before attempted to remove some of the malware, with varying levels of success. At some point, a chunk of malware was removed, but not all of it, and the hooks it had placed in the system caused a blue screen to appear with PAGE_FAULT_IN_NONPAGED_AREA (with a STOP code of 0x00000050, or just 0x50) when Windows XP loaded either in normal mode or safe mode with networking. I never tried to load with just regular safe mode (no networking), but I figured that it wouldn’t matter and I went straight to using the UBCD.

Let me say now: I <3 the UBCD. If I didn’t have this particular tool, my job would be a pain. Or I could work on fewer computers.

Anyway, I could tell immediately by examining CurrentVersion\Run keys and values that there were a number of issues on the computer. I manually took care of what I could, and used the EZ-PC-FIX on the UBCD to check other registry values/keys running at startup, in the control set, etc., and the files they were using. Eventually I was able to weed out enough malware (let’s say about 50+ registry and file deletions) to feel safe booting up into safe mode and running Spybot. How wrong I was. There was something in the malware that was causing a window to open saying shell.exe was not found and was preventing .exe files from being launched. I checked HKEY_CLASSES_ROOT\.exe and HKEY_CLASSES_ROOT\exefile, and for one of those the malware had added a call to a program whenever a program was launched. Since that program was no longer around, nothing would load. Once I resolved that (again through the UBCD since regedit didn’t want to run), I was able to run Spybot in safe mode. After what seemed like an hour, Spybot found just over 220 malware items. It was able to resolve most of these, but would need to run at startup in normal mode to clean up the few that it couldn’t. OK, so I should now be safe to load Windows normally. Or not.

I continued to get PAGE_FAULT_IN_NONPAGED_AREA when booting Windows. While trying to recall the manner in which to restore restore points in XP via the UBCD (never did find it; it may no longer be there), I was checking some of the information they had for resolving STOP messages. One solution to the issue pointed to a Microsoft Knowledge Base article I hadn’t come across while searching Google for “page fault in nonpaged area”: KB894278. It referenced a particular rootkit that installs a kernel driver (or two). While those aren’t the files on the system in question, the following were present, and had the same creation date as a number of the malware files I had dealt with:

  • Flee46.sys
  • grande48.sys
  • Wek86.sys (This file may or may not be an issue. It says it is part of the SCSI Class group, but nothing comes up with a Google of this file, so it may still be malware.)
  • ctfmon.exe (an .exe in with a bunch of .sys files?)
  • Vgkm39.sys

I had been watching flee46.sys load in safe mode, as it was the last file that was being called, and I had never seen it before. My curiosity was further piqued when I could not get a Google result for “flee46.sys”, which meant to me it was malware. Regardless, I appended “.malware.old” onto the end of all of those and rebooted. The blue screen was nowhere to be found, Windows XP was loading in normal mode, and Spybot was running. There are a couple of minor items I need to take care of now, but the computer is probably 90% resolved of its malware issues. Huzzah!

UPDATE: The .sys files in question were related to what McAfee calls Srizbi.


McAfee insulted me

On Monday, I was resolving a connection issue over in Founders, and once I got the computer on the network, the adware woke up. In the process of cleaning that up, I also found Vundo hanging out on the system. I shifted gears from generic malware removal and checked on some specific things, namely system32. The system32 directory seems to be the favorite place to drop files, so I’m just used to looking there. Sure enough, there were gibberish file names (more so gibberish than actual files needed by Windows) with roughly the same creation date/time and file sizes. I selected a bunch, told the up-to-date McAfee to scan, and waited.

2 files. That’s all it identified.

I never felt more insulted by a program. I could tell those were unneeded files (qxzzsc.exe for example) but I’m guessing that they were files that weren’t considered a threat anymore, but still, why leave them on the system? Maybe I was wrong, and they weren’t really malware related at all.

To answer that question, I connected to the network, and thus the Internet, and went over to VirusTotal. I uploaded a couple files and sure enough, they were Trojans, and deleted they became. Then again, for some of the files, McAfee, Symantec, and Avast! said that those files were ok. Most of the other 30+ engines VirusTotal checks the file through thought otherwise.

I guess that’s the point of me posting this: just because one tool you use says that everything should be ok, it’s seldom actually the case, and that’s why it’s good to know when to look beyond just the tools you have at hand. I could have simply assumed that McAfee took care of it, but it’s just as likely that I would have been back out there in a couple days to resolve a re-infection of the computer.


Malware: My Cv.exe and others

On campus we had a nice piece of malware appear on some computers in the Bowen-Thompson Student Union. My sample required that I open a file that was either on the desktop or on a USB drive, which was made to look like a Microsoft Word document, and unless you had the option to show file extensions, you would assume it was a .doc, but it was actually an .exe. Once this was done, the malware would infect the C:\ drive and the USB drive with at least 3 files I am sure of, apply a handful of policy settings, and make other changes to the registry. One of my student workers, Matt Sigley, assisted me in determining which files and settings were added or changed.

I would have expected Google to give me a better answer, but I was really unable to find anything that met my search criteria. As a result, I’m posting this here so that others can see what needs to be done. This is as complete a list as we were able to determine of what needs to be done, and the machine otherwise appears to be clean. I do not take responsibility if you remove files or change a setting you need as a result of these items, but again, it worked for us.


Remove
------------------------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr: 01 00 00 00
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableRegistryTools: 01 00 00 00
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoFolderOptions: 01 00 00 00
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\LimitSystemRestoreCheckpointing: 01 00 00 00
HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\DisableMSI: 01 00 00 00
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig: 01 00 00 00
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR: 01 00 00 00
HKU\S-1-5-21-1482476501-1606980848-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose: 01 00 00 00
HKU\S-1-5-21-1482476501-1606980848-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Nofolderoptions: 01 00 00 00
HKU\S-1-5-21-1482476501-1606980848-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD: 01 00 00 00
HKU\S-1-5-21-1482476501-1606980848-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr: 01 00 00 00
HKU\S-1-5-21-1482476501-1606980848-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL: 01 00 00 00
HKU\S-1-5-21-1482476501-1606980848-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools: 01 00 00 00
HKU\S-1-5-21-1482476501-1606980848-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\Disable: 01 00 00 00
HKU\S-1-5-21-1482476501-1606980848-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Run\winxp: "C:\WINDOWS\winxp.exe"
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\AlternateShell: "C:\WINDOWS\winxp.exe"
HKLM\SYSTEM\ControlSet002\Control\SafeBoot\AlternateShell: "C:\WINDOWS\winxp.exe"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell: "C:\WINDOWS\winxp.exe"
C:\WINDOWS\winxp.exe
C:\WINDOWS\winword.exe
C:\Win Firewall.txt
C:\The Science of becoming Rich.exe
C:\My Cv.exe
C:\The Biography of Adolf Hitler.exe
Also possible: C:\Database.exe
Also possible: C:\Tasks.exe

Change
------------------------------------------------
HKLM\SOFTWARE\Classes\exefile\shell\open\command\: ""C:\WINDOWS\winword.exe" "%1" %*"
to
HKLM\SOFTWARE\Classes\exefile\shell\open\command\: ""%1" %*"

HKLM\SOFTWARE\Classes\lnkfile\shell\open\command\: ""C:\WINDOWS\winword.exe" "%1" %*"
to
HKLM\SOFTWARE\Classes\lnkfile\shell\open\command\: ""%1" %*"

HKLM\SOFTWARE\Classes\batfile\shell\open\command\: ""C:\WINDOWS\winword.exe" "%1" %*"
to
HKLM\SOFTWARE\Classes\batfile\shell\open\command\: ""%1" %*"

HKLM\SOFTWARE\Classes\comfile\shell\open\command\: ""C:\WINDOWS\winword.exe" "%1" %*"
to
HKLM\SOFTWARE\Classes\comfile\shell\open\command\: ""%1" %*"

HKLM\SOFTWARE\Classes\exefile\: "File Folder"
to
HKLM\SOFTWARE\Classes\exefile\: "Application"

HKLM\SOFTWARE\Classes\piffile\shell\open\command\: ""C:\WINDOWS\winword.exe" "%1" %*"
to
HKLM\SOFTWARE\Classes\piffile\shell\open\command\: ""%1" %*"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe "C:\WINDOWS\winxp.exe""
to
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\winxp.exe"
to
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR: 0x00000001
to
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR: 0x00000000

The keys that begin with HKU\S-1-5-21- may have different numbers than those listed above, but just keep going and ignore whatever you have in place of 1482476501-1606980848-1957994488-1003. Also, if you have any other iterations, such as HKU\S-1-5-22-, HKU\S-1-5-23-, etc, check those directories and keys as well.
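As an added example (not part of the post, and not one of the tools it names), the following Python script reads a listing in the same "path: value" style as the lists above and flags the three kinds of change they document: policy lockouts set to a nonzero DWORD, file-type shell\open\command hijacks, and Winlogon/SafeBoot shell tampering. The path match ignores whatever SID sits under HKU, which is the point made in the note above. The sample listing is constructed for the example (the SID in it is a placeholder), and the expected defaults it checks against ("%1" %*, Explorer.exe, userinit.exe alone, cmd.exe, Application) are the values the post restores.

```python
import re

# Constructed sample listing in the "path: value" style used in the post.
# The HKU SID below is a placeholder, not a value from the post.
SAMPLE_LISTING = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr: 01 00 00 00
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableRegistryTools: 01 00 00 00
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR: 0x00000001
HKU\S-1-5-21-0000000000-0000000000-0000000000-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD: 01 00 00 00
HKLM\SOFTWARE\Classes\exefile\shell\open\command\: ""C:\WINDOWS\winword.exe" "%1" %*"
HKLM\SOFTWARE\Classes\txtfile\shell\open\command\: "%SystemRoot%\system32\NOTEPAD.EXE %1"
HKLM\SOFTWARE\Classes\exefile\: "File Folder"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe "C:\WINDOWS\winxp.exe""
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\winxp.exe"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell: "cmd.exe"
"""

# Policy value names from the post's "Remove" list; "disable" covers WinOldApp\Disable.
POLICY_LOCKOUTS = {
    "disabletaskmgr", "disableregistrytools", "nofolderoptions", "disablecmd",
    "noclose", "nodispcpl", "disablesr", "disableconfig", "disablemsi",
    "limitsystemrestorecheckpointing", "disable",
}
# File types whose shell\open\command the post found redirected to winword.exe.
HIJACKABLE_TYPES = ("exefile", "comfile", "batfile", "piffile", "lnkfile")
_COMMAND_RE = re.compile(
    r"\\classes\\(" + "|".join(HIJACKABLE_TYPES) + r")\\shell\\open\\command\\$")


def _unquote(value):
    """Strip the single pair of outer quotes the listing style puts around values."""
    v = value.strip()
    if len(v) >= 2 and v[0] == '"' and v[-1] == '"':
        v = v[1:-1]
    return v


def _is_nonzero_dword(value):
    """Accept both '01 00 00 00' (byte dump) and '0x00000001' spellings."""
    v = value.strip()
    if v.lower().startswith("0x"):
        return int(v, 16) != 0
    try:
        return any(int(b, 16) != 0 for b in v.split())
    except ValueError:
        return False


def audit_listing(text):
    """Return (category, path, value) for every line matching a known tampering pattern."""
    findings = []
    for raw in text.splitlines():
        if ": " not in raw:
            continue
        path, value = raw.split(": ", 1)
        p = path.lower()
        name = p.rstrip("\\").rsplit("\\", 1)[-1]
        if (name in POLICY_LOCKOUTS and ("\\policies\\" in p or "\\systemrestore\\" in p)
                and _is_nonzero_dword(value)):
            findings.append(("policy_lockout", path, value))
        elif _COMMAND_RE.search(p):
            if _unquote(value) != '"%1" %*':
                findings.append(("shell_open_hijack", path, value))
        elif p.endswith("\\winlogon\\shell"):
            if _unquote(value).lower() != "explorer.exe":
                findings.append(("winlogon_shell", path, value))
        elif p.endswith("\\winlogon\\userinit"):
            entries = [e for e in _unquote(value).split(",") if e]
            if len(entries) != 1 or not entries[0].lower().endswith("\\system32\\userinit.exe"):
                findings.append(("winlogon_userinit", path, value))
        elif p.endswith("\\safeboot\\alternateshell"):
            if _unquote(value).lower() != "cmd.exe":
                findings.append(("safeboot_shell", path, value))
        elif re.search(r"\\classes\\exefile\\$", p):
            if _unquote(value).lower() != "application":
                findings.append(("exefile_friendly_name", path, value))
    return findings


if __name__ == "__main__":
    for category, path, value in audit_listing(SAMPLE_LISTING):
        print(f"[{category}] {path} = {value}")
```

Feed it the "before" half of a Regshot comparison (or a hand-typed listing like the one above) and it prints the lines you would then fix through the offline registry editor; a clean machine produces no output for these checks.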

Some comments about the files it makes

The only .exe files I had were C:\The Science of becoming Rich.exe, C:\My Cv.exe, and C:\The Biography of Adolf Hitler.exe, and the two listed as possible were reported to me by our network security people. The files created by the malware were C:\WINDOWS\winxp.exe, C:\WINDOWS\winword.exe, and C:\Win Firewall.txt. That last one tries to mislead you by listing some information about two pieces of malware, so this one could be a derivative work of either or both of those malware, and based on my Google Web History, I believe they were rontokbro and sircam, as I don’t have a copy of that txt file still around. However, when looking to see what those could do, I found none of their signatures on the computer. There’s also the fact that C:\WINDOWS\winxp.exe is typically related to bagle. This is also one of the few cases where C:\WINDOWS\winword.exe is related to the malware.

The other thing to keep an eye out for is that if you try to run a program while infected, let’s say Firefox, you may end up with some files in C:\Program Files\Mozilla Firefox or elsewhere on the hard drive. Fortunately, it’s easy to find exactly where they go, as they share the same file size and creation date as winword.exe and winxp.exe, so you may just have to do a search to find all of them.
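The observation in this post and in the McAfee post above (dropped files sharing a size and a creation time, often with gibberish names) can be turned into a small triage script. This one is an added example, not code from the post or any tool it names: it groups the files in a directory by size, splits each group where the timestamps are more than a couple of minutes apart, and marks vowel-poor names like qxzzsc.exe. The directory, file names and sizes are constructed for the demo, and modification time stands in for creation time because Python exposes no portable file birth time (an assumption of the example, not something the post states).

```python
import os
import tempfile
import time
from collections import defaultdict

VOWELS = set("aeiouy")


def looks_like_gibberish(filename):
    """Heuristic for names like qxzzsc.exe: six or more letters with few vowels.
    Short stems such as winxp are left alone, so this is a flag, not a verdict."""
    stem = os.path.splitext(os.path.basename(filename))[0].lower()
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 6:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < 0.25


def cluster_dropped_files(directory, window_seconds=120, min_cluster=2):
    """Return groups of files in `directory` that share a size and were written
    within `window_seconds` of each other. st_mtime is used as the timestamp
    because there is no portable birth time (assumption of this example)."""
    by_size = defaultdict(list)
    for entry in os.scandir(directory):
        if entry.is_file(follow_symlinks=False):
            st = entry.stat(follow_symlinks=False)
            by_size[st.st_size].append((st.st_mtime, entry.name))

    clusters = []

    def flush(size, run):
        # A run is a same-size set of files with no timestamp gap wider than the window.
        if len(run) >= min_cluster:
            names = sorted(n for _, n in run)
            clusters.append({
                "size": size,
                "files": names,
                "gibberish": [n for n in names if looks_like_gibberish(n)],
            })

    for size, items in by_size.items():
        items.sort()
        run = [items[0]]
        for item in items[1:]:
            if item[0] - run[-1][0] <= window_seconds:
                run.append(item)
            else:
                flush(size, run)
                run = [item]
        flush(size, run)
    return sorted(clusters, key=lambda c: (c["size"], c["files"]))


def build_demo_directory():
    """Constructed sample: three same-size files written at the same moment,
    one same-size legitimate-looking file from a day earlier, and an unrelated text file."""
    root = tempfile.mkdtemp(prefix="dropped_")
    now = time.time()
    payload = b"\x00" * 4096
    for name, mtime in [("qxzzsc.exe", now), ("winword.exe", now), ("winxp.exe", now),
                        ("notepad.exe", now - 86400)]:
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(payload)
        os.utime(path, (mtime, mtime))
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"nothing to see here\n")
    return root


if __name__ == "__main__":
    for c in cluster_dropped_files(build_demo_directory()):
        print(f"{c['size']} bytes: {', '.join(c['files'])}  gibberish: {c['gibberish']}")
```

Run it against system32 (or wherever the known-bad file lives) with the window widened to cover the infection time, and the cluster containing winword.exe and winxp.exe gives you the rest of the dropped set without a file-by-file search; the gibberish column is only a hint for which names to look up first.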

Overall, we used the following programs to keep track of what was happening and/or resolve things:

  • We did have to use the UBCD in order to get access to these files and the registry, as the malware prevents the use of the registry and .exe files without making it reference the malware. If you would try and boot into Safe Mode, you’d also be using the malware, which would still prevent you from getting to regedit easily. We used RegEdit (Remote) to change the registry.
  • We used Regshot to track what the registry looked like before and after the infection happened, though we did have to use the UBCD to make the change below to run the .exe file first.
  • While it gave much the same information as Regshot, Deckard’s System Scanner was also used instead of just using HijackThis.
  • We also used a program to fix IE and the explorer shell, just to be sure. I’m not sure if we made it or found it, but we call it FixShell.bat.


Spam and your browsing history working together?

At work I’m on a lot of e-mail lists, many of which are public and have been public for quite some time, and as a result, I get a decent amount of spam. Then there’s the fact that we send out a lot of e-mails to students, and if they get infected, our e-mail addresses can (and do) get harvested. Earlier last week, we got an e-mail asking us to do something about the stock e-mails that were getting sent to students at BGSU, but there’s not much we can do, being the wrong department. I responded with an e-mail listing some things they could do to mitigate the amount of spam they get, such as using the spam filter with their school e-mail (BGSU students: go to http://webmail.bgsu.edu/filters) or use an e-mail client, such as Thunderbird, that has either a built-in spam filter that can adapt to spam over time, or a plugin that can reference somewhere else. This, however, got me thinking on the spam that has been coming in the most: stock e-mails.

However, I really don’t care how this affects businesses, stock prices, or anything like that. Well, I should say that it isn’t the main focus of this post. If you want to read more about those particulars, such as more about the scam itself, variations of it, and advice for users, investors, and companies, check out this article over at spamnation dot info.

We’ve all seen these stock spam e-mails. Typically, there’s a randomly generated image that lists some text to try and grab your attention and information about when the stock is going to be traded and how much it’ll cost. Aside from that though, are the stories that follow the stock image. Below the image are sentences regarding numerous topics, typically about a half dozen or so. This is done to allow the spam to bypass the popular Bayesian spam filters companies and organizations use.

Where do these e-mails come from? Now, these could be sent out from spammers who have machines set aside just for this purpose. However, due to the randomness of the e-mails, I would personally say that the e-mails are being sent from computers that have been compromised with malware, and are now being used as zombies to send out the spam. Chances are, the compromised computers connect to an IRC room or are otherwise sent commands from the Internet. Then, the infected computer either uses a list of e-mail addresses it was installed with, gathers an updated list from the web, or simply harvests e-mails from the computer it is on. After getting the list of recipients, it creates the image after getting commands saying what stocks they are to promote or where they are supposed to get this information from, etc. Once the image is created, the malware looks at the browser history of the infected computer, or the current webpage(s) that have been viewed by the users, and then places this text in the e-mail following the image. After all this is done, out the backdoor it goes, and into your mailbox.

I only mention this due to the content that is being used by these e-mails. As of late, the subjects of these e-mails have gone from odd word combinations, such as “corkscrew sympathy” or “meticulous staple”, to more readable phrases like “is pleased to announce RSS2SQL, a new php script that allows users to converts RSS feeds to databases.” and “There are two main obstacles preventing the formation of a coalition government.”. Subjects like this caught my eye. I started Googling parts of the spam messages, and lo and behold, I was getting nearly exact matches for most of the text. Here are some samples:

Subject:
Let’s be serious here, at best, this is a case of “porting” OpenBSD to another platform, UltraSparc III.

Body:
Theo explained, “Sun released CPU docs, but that’s useless.
11 adapters as found in Centrino Duo laptops. What will change are the middlemen who broker these ads. Today, data mining uses well-established statistical and machine learning techniques to build models that predict customer behavior. I’ve pre-ordered as well, and I hope many of the individuals using OpenBSD will buy CDs and swag.
However, I don’t think that’s the gist of the message. For instance, why not invite key customers to HR team meetings?
We canonly win, and then the device works. “It’s going to stay that way as far as I’m concerned,” Jason says, “I don’t need it. They fed those answers into their program as well.
They’re getting a big
As for getting involved as a developer I wanted to add an option to ls, saw how clean and elegant the code in the source tree was and became addicted soon after. They’re getting a big benefit from OpenBSD and have a vested interest in seeing in continue.

Almost every sentence from the above can be found somewhere on KernelTrap.
Here’s another, but it does not cover just one site in particular.

Subject:
I feel almost like a fully-dressed clown at church.

Body:
Please DO NOT do that. I’m not exactly sure howmany, but they would have certainly been enough to house that third pig and histwo retarded brothers.
Hogg and Uncle Jessie. I sometimes usebad language, and totally rip my loser co-workers.
I’ve been watching several episodes the past few days. Take advantage of our Platinum Membership offer in a very reasonable price, click here. Hooray for Ubi Soft and the PoP team! I suppose the rumors were true.
He’s now abouthalfway to collecting them all!
Although I didn’t get to shakehermetically-sealed hands with Steve Jobs, or even grace my eyeballs with hisrugged good looks, it was as close as a guy like me can hope to come to the MacPope. Free Articles Distribution and Search Engine for Free Ezine or Website Content – iSnare. I got lucky and there’s noone sitting in my entire row.
comAbout Us : My Account : Submit Articles : It’s been a bit odd trying to work out of a pristinely cleanenvironment. Michael Tatelman, a vp with Motorola’s Mobile Devices Business in North Asia, said, “We knew people were waiting for MotoRazr, and we knew the Christmas season would be big.
Should Ibe embarrassed to say that many of them brought me to tears?
This proves it will be as big a hit in Japan as it is everywhere else. But don’t just take our word for it. Please DO NOT do that.
This past weekendI decided it was time for a little outdoors work. I rarely make it from one end of the house to theother without stepping on at least one of them.
India has overtaken China as the fastest growing cellular market.
It’s becoming more and more obvious why such a fierce fight has emerged for a controlling an operator which is a mere fourth largest player in its market.
comAbout Us : My Account : Submit Articles : >From lighting to character models to new gameplay features, Splinter Cell 3 was astounding.
Javier Perez Dolset, Zed’s CEO, said his company possessed leading personalised mobile products which it would make available to MonsterMob.
Recently I attended traffic court inresponse to receiving the ticket.
It was an intense couple of days of meetingafter meeting and penning job-related emails in-between.
Website: upmarketcontent.
In the meantime, check out these DailyGame-exclusive videos of the game’s single-player components.
or should I say more OFFthe bicycleThe whole”teaching-your-son-how-to-ride-a-bicycle” thing is a HUGE deal for most people.
” anytime he detects any increase inspeed while riding in the car, or even the shopping cart at the grocery store.
Given its Steam distribution method, Valve is familiar with distributing its own games, albeit in a manner far different from the retail method in which Half-Life 2 will ship for Xbox. He was the first astronauton the moon after-all.
Where they evenrelated?
But of course we are busymotoring, and our price for flight comes due again in only a couple of days whenI fly back out to Anaheim, CA for the NAMM convention. I’m actually writing this on theairplane as I fly back home to Tennessee.
comSEO And Magnet Content By: Chris AngusMaintaining Your Dog’s Training Skills By: Veronica Sanchez M.
According to an Associated Press report, a man arrested by Iraqi authorities in conjunction with the filming was an official who supervised the execution and he’s now under investigation. html I’ve also posted pictures from theNAMM show.

Some websites that came up with that last one were some old pages from CJ Sorg idiotblog, the Inquirer, and Daily Game.

So, from this I would say that the infected machines are either snagging cached files on the machines they are on, or they are running their own spiders for the sake of generating random content (if they are on spam-specific servers). In either case, I’ve been mulling this over for the last couple days, and while I doubt I’m the first to look at what is going on, it is what I came up with on my own, without someone telling me “this is what is happening, see?” and so that makes me feel better about myself.

Now I’m leaving work and going home to celebrate Seanmas!
