Saturday 31 May 2008

Select file to crack - Virus information

Quite a lot has been documented about the Troj/BagleDl-BX, W32/Mitglieder.VD, hldrrr.exe, "Rootkit Haxdoor", "Hacktool.Rootkit", Trojan.Tooso.R, srosa.sys and wintems.exe

Sophos,
Spybot,
prevx.com,
symantec,
symantec again,
siusic.com,
spybot,
techsupportforum.

And related problems - such as that it destroys safe mode boot up.
hijackthis-forum,
devshed,
castlecops

[Incidentally, with regard to the safe mode boot-up registry problem, I used this version of SafeBootKeyRepair.exe on 30 May 2008 on a Windows XP SP2 machine and it appeared to work in restoring the operation of Safe Mode without ill effects.]

The fellow on siusic noted (at the end of his post on the link just above) that this virus tended to get activated by starting Internet Explorer. As the only external bits of software that IE launches at startup are 3rd-party toolbars, he uninstalled all the IE toolbars, and this helped reduce the activity of this virus.

I did the same and sure enough it helped.

About 3 more Symantec Anti-Virus full scans down the road and a couple of reboots, and still at startup I get the "Select file to crack" message.

So I look on the registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
to see if I can stop anything suspicious.

Interestingly I see the following:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\swg
which is running:
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

Also I notice it has once again created this key in the registry: HKEY_CURRENT_USER\Software\FirstRRRun

Now GoogleToolbarNotifier.exe, as you may know from what-is-exe.com, is supposedly an exe that monitors your browser to see if anything tries to change your default search engine. However, I'm wondering why, after I have uninstalled Google Toolbar, this file is still starting up when Windows boots. So I go and check the file, and I discover that it has a curious red cross icon and bizarre copyright information. It refers to "microsoft" without any (c) or years.

Clearly whatever version of this malware virus I have inherited has replaced the real GoogleToolbarNotifier.exe with its virus alternative.

The "Select file to crack" dialog is being created by "CTHELPER.EXE", which is supposed to be a supporting file for Creative Labs SoundBlaster devices (see liutilities ...), but clearly not in my case.

A search of the machine shows that there are 4 copies of CTHELPER.EXE on the machine in question; these are in c:\Drivers\Audio\addon\common\amd64, c:\Drivers\Audio\addon\common\i386, C:\WINDOWS, and C:\WINDOWS\System32. The version of the file in C:\WINDOWS\System32 has the curious red cross on it like the hijacked version of GoogleToolbarNotifier.exe! Also it is exactly the same size as the hijacked GoogleToolbarNotifier.exe.

I then did a file search using FileBoss from theutilityfactory for all files on my machine of this exact same size: 692,224. It revealed that there was another copy of this file called "mdelk.exe" and a load of copies called things like "A0056###.exe", i.e. A followed by 7 digits, e.g. A0056227.exe. There were some legitimate files of this exact size too, but I checked the properties and the weird red cross icon to see that these were indeed the same virus file.

My guess is that the hijacked GoogleToolbarNotifier.exe is being used to copy itself onto the hijacked CTHELPER.EXE and whatever else (if it doesn't exist already) and then start it, which in turn does the infecting of the machine all over again each time Windows starts!

Aren't the guys who design these virus things humourous fellows! 8-)

My Symantec Anti-Virus failed to spot any of these files in repeated scans, and even when I right-click on one of these files and say "Scan for virus" it still comes back with "Scan complete, no virus found".
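The same-size hunt described above, written up as an added PowerShell example (this is not code from the original post): it sweeps for files of exactly 692,224 bytes, clusters byte-identical copies by hash, and shows each copy's Authenticode signer and embedded copyright string, so that one binary hiding under several names (CTHELPER.EXE, GoogleToolbarNotifier.exe, mdelk.exe, A0056227.exe) stands out without relying on the icon. It assumes PowerShell 4.0 or later for Get-FileHash; the size comes from the post, the sweep root is an assumption.

```powershell
# Added example, not part of the original post. Assumes PowerShell 4.0+.
param(
    [long]     $SuspectSize = 692224,                 # size reported in the post
    [string[]] $Roots = @("$env:SystemDrive\")        # assumption: sweep the system drive
)

# Collect every regular file of exactly the suspect size (hidden/system included).
$candidates = foreach ($root in $Roots) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -LiteralPath $root -File -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -eq $SuspectSize }
    }
}

# Annotate each candidate with the facts a responder wants side by side:
# content hash, who signed it (if anyone), and the version-resource copyright text
# (the post notes a bogus "microsoft" copyright with no (c) or year on the fake files).
$report = foreach ($file in $candidates) {
    $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName
    [pscustomobject]@{
        Path      = $file.FullName
        SHA256    = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        SigStatus = $sig.Status
        Copyright = $file.VersionInfo.LegalCopyright
    }
}

# The pattern in the post is one set of bytes living under several different names.
# Group by hash and surface only the hashes that appear under more than one file name;
# legitimate files that merely share the size will normally hash into groups of one.
$report | Group-Object SHA256 | Where-Object {
    @($_.Group.Path | Split-Path -Leaf | Sort-Object -Unique).Count -gt 1
} | ForEach-Object {
    Write-Output ("Hash {0} appears as {1} files:" -f $_.Name, $_.Count)
    $_.Group | Format-Table Path, Signer, SigStatus, Copyright -AutoSize
}
```

Run it from an elevated prompt so that protected folders such as System32 and the System Restore store are readable; an unsigned or "microsoft"-copyrighted binary sitting in a cluster with a system-looking name is the thing to quarantine and submit to the AV vendor, since the post shows a signature-based scanner missing it entirely.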

Addendum - "Show hidden files and folders" option is missing!
Something I didn't initially notice was that the virus - pretty sure it was this virus (I haven't had any other infections recently) - also removed a key from my registry which enables you to "Show hidden files and folders" under advanced settings in Windows Explorer (-> Tools -> View).

Because the whole key had been removed from the registry, I didn't notice initially that the option wasn't displaying on the list of advanced settings at all. So it couldn't be set one way or the other. It just wasn't there to be set.

I noticed this when I came to look at some files on my PocketPC (my T-Mobile MDA Pro PDA, which I use to test development of PocketPC applications that I build for clients). When I looked at the files on the PocketPC via Windows Explorer on the desktop, the /Temp and /Windows folders didn't appear, even though I could see them via the File Explorer on the Pocket PC.

The way to get the "Show hidden files and folders" option back is to re-create the registry key. You can do this by manually editing your registry (ball-ache) or by running a simple script. Gertnoob on CNET very helpfully provides one here: Show hidden files and folders.

Or copy the following into a text file with a .reg extension. Then double-click on it to merge it into your registry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden]
"Text"="@shell32.dll,-30499"
"Type"="group"
"Bitmap"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,53,00,\
48,00,45,00,4c,00,4c,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,2c,00,34,00,00,\
00
"HelpID"="shell.hlp#51131"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30501"
"Type"="radio"
"CheckedValue"=dword:00000002
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51104"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30500"
"Type"="radio"
"CheckedValue"=dword:00000001
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51105"