For the last three days I've been experimenting with a new FreeFixer plugin. The plugin simply lists the most recently modified and created files; they appear at the end of the scan result. Definitely no rocket science, but in the case of a malware infection I think it can be quite efficient at pointing out the unwanted files.
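As an added example (not FreeFixer's own code, and not taken from this post), the following Python script does what the plugin is described as doing: it walks a directory tree, ranks every file by how recently it was modified or created, and prints the newest ones in the same "age, path" form as the FreeFixer logs. The function names `format_age`, `rank`, `walk_records` and `recently_modified` are my own choices, and the sample records used to exercise `rank` are constructed, not taken from a real infection.

```python
"""List the most recently modified/created files under a root, newest first.

Added example, not FreeFixer's code. Output mimics the FreeFixer
"Recently modified files" section: "<age>, <path>".
"""
import os
import sys
import time


def format_age(seconds):
    """Render an age the way the FreeFixer log does: minutes below an
    hour, hours below a day, otherwise whole days."""
    seconds = max(0, int(seconds))
    if seconds < 3600:
        return f"{seconds // 60} minutes"
    if seconds < 86400:
        return f"{seconds // 3600} hours"
    return f"{seconds // 86400} days"


def rank(records, now, limit=20):
    """records: iterable of (path, mtime, ctime) in epoch seconds.

    Age is measured from the *later* of mtime and ctime, so a dropped
    file whose modification time was back-dated by the dropper still
    surfaces if its creation/change time is recent.  Returns a list of
    (age_seconds, path), newest first, capped at `limit` entries.
    """
    aged = [(now - max(mtime, ctime), path) for path, mtime, ctime in records]
    aged.sort(key=lambda entry: (entry[0], entry[1]))
    return aged[:limit]


def walk_records(root, use_ctime=True):
    """Yield (path, mtime, ctime) for every regular file below `root`.

    st_ctime is the creation time on Windows and the inode change time
    on Unix.  Files that vanish or cannot be stat'ed mid-walk (common on
    a live, infected box) are skipped rather than aborting the scan.
    """
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue
            ctime = st.st_ctime if use_ctime else st.st_mtime
            yield path, st.st_mtime, ctime


def recently_modified(root, limit=20, now=None, use_ctime=True):
    """Scan `root` and return the `limit` newest files as (age, path)."""
    now = time.time() if now is None else now
    return rank(walk_records(root, use_ctime), now, limit)


def render(entries):
    """Format ranked entries as FreeFixer-style log lines."""
    return [f"{format_age(age)}, {path}" for age, path in entries]


if __name__ == "__main__":
    # Usage: python recent_files.py <root> [limit]
    root = sys.argv[1] if len(sys.argv) > 1 else os.getcwd()
    limit = int(sys.argv[2]) if len(sys.argv) > 2 else 20
    print("Recently modified files")
    for line in render(recently_modified(root, limit)):
        print(line)
```

Ranking on the later of the two timestamps is deliberate: a dropper can back-date a file's modification time, but on Unix the change time cannot be set through utime, and on Windows a freshly written file gets a fresh creation time unless the attacker also sets that explicitly with SetFileTime. Treat the list as a triage aid, not proof; in a forensic case the timestamps should be cross-checked against the NTFS $MFT's $STANDARD_INFORMATION and $FILE_NAME attributes, since both can be forged by a determined attacker.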
I've tested the new plugin on some real-world infections picked up by my malware honeypot. All the unwanted files listed in the scan results were installed through security holes; I've marked them in red. During the testing I also ran into Antivirus System Pro, another of those rogue anti-spyware programs. Antivirus System Pro uses sysguard.exe as its file name and is located in the C:\Windows folder. You can find more information and screenshots of this rogue over at Bharath's Security Blog.
FreeFixer v0.41 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 1
Log dated 2009-06-09 20:16

Browser Helper Objects
{5B1D95A2-F547-4e5e-8902-622B08354622}, BHO, C:\WINDOWS\system32\iehelper.dll

Registry Startups
HKCU\..\Run, MSMSGS = "C:\Program\Messenger\msmsgs.exe" /background
HKCU\..\Run, system tool = C:\WINDOWS\sysguard.exe

HOSTS file
209.44.111.57 alarm-security.microsoft.com
209.44.111.57 inetantivirus.com
209.44.111.57 www.inetantivirus.com

Processes (11 whitelisted)
C:\Program\Messenger\msmsgs.exe
C:\Program\FreeFixer\freefixer.exe

Recently modified files
2 minutes, c:\Program\FreeFixer\freefixer.exe
2 minutes, c:\Program\FreeFixer\Uninstall.exe
17 minutes, c:\WINDOWS\system32\iehelper.dll
27 minutes, c:\WINDOWS\sysguard.exe
26 minutes, c:\wxh21u.exe
27 minutes, c:\a113c2.exe
FreeFixer v0.41 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 1
Log dated 2009-06-08 22:57

UserInits (1 whitelisted)
C:\WINDOWS\System32\sdra64.exe

Registry Startups
HKCU\..\Run, MSMSGS = "C:\Program\Messenger\msmsgs.exe" /background

Processes (15 whitelisted)
C:\Program\Messenger\msmsgs.exe
C:\DOCUME~1\Roger\LOKALA~1\Temp\winELyqWgX.exe
C:\Program\FreeFixer\freefixer.exe

Recently modified files
5 minutes, c:\Program\FreeFixer\freefixer.exe
5 minutes, c:\Program\FreeFixer\Uninstall.exe
35 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temp\winELyqWgX.exe
21 days, c:\RECYCLER\S-1-5-21-1229272821-413027322-839522115-1003\Dc124.exe
FreeFixer v0.41 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 1
Log dated 2009-06-09 15:25

System policies
HKCU\..\policies\system, DisableRegistryTools = 1

Browser Helper Objects
{82633227-7884-4264-6517-5599ca323026}, , C:\Program\Common Files\System\s sig.dll

Registry Startups
HKCU\..\Run, MSMSGS = "C:\Program\Messenger\msmsgs.exe" /background

Autostart shortcuts
Visio Util Firing.exe, , C:\Documents and Settings\All Users\Start-meny\Program\Autostart\Visio Util Firing.exe
Yahoo Software Firing.exe, , C:\Documents and Settings\Roger\Start-meny\Program\Autostart\Yahoo Software Firing.exe

HOSTS file
67.212.80.125 pagead2.googlesyndication.com

Processes (12 whitelisted)
C:\Program\Messenger\msmsgs.exe
C:\WINDOWS\System32\wininet.exe
C:\Program\FreeFixer\freefixer.exe

Shell services (4 whitelisted)
SysRun, {D7FFD784-5276-42D1-887B-00267870A4C7}, C:\WINDOWS\System32\svshost.dll

Recently modified files
4 minutes, c:\Program\FreeFixer\freefixer.exe
4 minutes, c:\Program\FreeFixer\Uninstall.exe
32 minutes, c:\WINDOWS\system32\svshost.dll
32 minutes, c:\WINDOWS\system32\wininet.exe
32 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temporary Internet Files\Content.IE5\YQ2T1TWE\1[1].exe
32 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temp\1\svchost.exe
32 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temporary Internet Files\Content.IE5\0H6N6RCD\1[1].exe
32 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temp\~tt1.tmp
32 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temporary Internet Files\Content.IE5\0H6N6RCD\load[1].exe
22 days, c:\Program\Common Files\System\Adobe_Office_Firing.exe
22 days, c:\Documents and Settings\All Users\Start-meny\Program\Autostart\Visio Util Firing.exe
22 days, c:\Documents and Settings\Roger\Start-meny\Program\Autostart\Yahoo Software Firing.exe
22 days, c:\Program\Common Files\System\s sig.dll
22 days, c:\Documents and Settings\Roger\Lokala inställningar\Temp\winxfH6q2KD.exe
22 days, c:\Documents and Settings\Roger\Lokala inställningar\Temporary Internet Files\Content.IE5\KHYB4HUB\load[1].exe
22 days, c:\RECYCLER\S-1-5-21-1229272821-413027322-839522115-1003\Dc124.exe
FreeFixer v0.41 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 1
Log dated 2009-05-18 12:57

UserInits (1 whitelisted)
C:\WINDOWS\System32\win32avs.exe

Registry Startups
HKLM\..\Run, internat = C:\WINDOWS\internat.exe (file is missing)
HKCU\..\Run, MSMSGS = "C:\Program\Messenger\msmsgs.exe" /background

Processes (14 whitelisted)
C:\Program\Messenger\msmsgs.exe
C:\Documents and Settings\Roger\Skrivbord\calc.exe
C:\Program\FreeFixer\freefixer.exe

Recently modified files
3 minutes, c:\Program\FreeFixer\freefixer.exe
3 minutes, c:\Program\FreeFixer\Uninstall.exe
24 minutes, c:\Documents and Settings\Roger\Skrivbord\calc.exe
24 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temp\ntsystem.exe
24 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temporary Internet Files\Content.IE5\C12FS9AV\calc[1].exe
46 minutes, c:\RECYCLER\S-1-5-21-1229272821-413027322-839522115-1003\Dc124.exe
Do your honeypots watch outgoing data? I'm wondering if this virus has any privacy implications.
# 4 Nov 2009, 15:57
web development company writes