19 January 2009

Monday Morning Rootkit

Monday morning and here's another security hole exploit. This one installs some new files and configures the machine to start them every time a user logs in. Usually when it comes to these exploits, there's some ad component installed that starts popping up adverts for a rogue anti-spyware program, but not this time. There were no signs of an infection unless you started examining the process list or the registry.

As a matter of fact, the init.exe process listed below is hidden from programs that enumerate the processes running on the machine. It does not appear in the Windows Task Manager nor in FreeFixer's process list. It does not appear in FreeFixer's hidden process list either, which indicates that it may be a kernel level rootkit, which FreeFixer cannot detect at the moment. It does however appear under the "UserInit" listing in the scan result.

FreeFixer v0.30 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 1
Log dated 2009-01-18 14:54


UserInits (1 whitelisted)
C:\DOCUME~1\Roger\LOKALA~1\Temp\init.exe (remove)

Winlogon Notify (9 whitelisted)
crypt - C:\WINDOWS\System32\crypts.dll (remove)

Registry Startups
HKLM\..\Run, lsass driver = C:\WINDOWS\msauc.exe (remove)
Error getting file version information size with 'GetFileVersionInfoSize' 
for the file 'C:\WINDOWS\msauc.exe'. Error code: 13. System error message: 
Felaktig data. Error code: 13.
HKCU\..\Run, MSMSGS = "C:\Program\Messenger\msmsgs.exe" /background

Processes (15 whitelisted)
C:\Program\Messenger\msmsgs.exe
C:\Program\Ethereal\ethereal.exe
C:\Program\Ethereal\ethereal.exe
C:\WINDOWS\system32\wpv661230374735.cpx (remove)
Error getting file version information size with 'GetFileVersionInfoSize' 
for the file 'C:\WINDOWS\system32\wpv661230374735.cpx'. Error code: 13. 
System error message: Felaktig data. Error code: 13.
C:\DOCUME~1\Roger\LOKALA~1\Temp\DC63.tmp (remove)
C:\Program\hjt\HijackThis.exe
C:\Program\FreeFixer\freefixer.exe
C:\DOCUME~1\Roger\LOKALA~1\Temp\DC63.tmp (remove)

If you run into this infection, check the items in red. You will be asked to reboot your machine since some files are in use. After the reboot, scan your computer again and remove any remaining items and your machine should be clean.
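As an added example (not FreeFixer's own code), here is a PowerShell triage script that reads the three autostart locations this log flags: the UserInit value, the Winlogon Notify subkeys, and the machine and user Run keys. It prints every entry and marks those that point into a Temp folder or use an unusual extension; the Test-SuspiciousPath heuristic and the expected userinit.exe path are assumptions of the example.

```powershell
# Added example, not part of the original post: triage of the autostart
# locations used by this infection (UserInit, Winlogon Notify, Run keys).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-SuspiciousPath {
    param([string]$Path)
    # Assumed heuristic: autostart entries should not live in a Temp folder
    # and should not end in extensions like .cpx or .tmp, as seen in the log.
    return ($Path -match '(?i)\\Temp\\' -or $Path -match '(?i)\.(cpx|tmp)(\s|"|$)')
}

# 1. UserInit: by default only "<SystemRoot>\system32\userinit.exe," is listed.
#    Anything appended after the comma is started at every interactive logon.
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
$expected = (Join-Path $env:SystemRoot 'system32\userinit.exe') + ','
if ($userinit -ne $expected) {
    Write-Output "UserInit changed: '$userinit' (expected '$expected')"
}

# 2. Winlogon Notify (XP/2003 only): each subkey names a DLL that winlogon.exe
#    loads at logon, so the key may be absent on newer Windows versions.
$notify = Join-Path $winlogon 'Notify'
if (Test-Path $notify) {
    Get-ChildItem $notify | ForEach-Object {
        $dll  = (Get-ItemProperty $_.PSPath).DllName
        $flag = if (Test-SuspiciousPath $dll) { '[SUSPICIOUS]' } else { '' }
        Write-Output ("Notify {0} -> {1} {2}" -f $_.PSChildName, $dll, $flag)
    }
}

# 3. Run keys for both the machine and the current user.
foreach ($hive in 'HKLM', 'HKCU') {
    $run = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path $run)) { continue }
    $props = Get-ItemProperty $run
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata
        $flag = if (Test-SuspiciousPath $p.Value) { '[SUSPICIOUS]' } else { '' }
        Write-Output ("{0} Run: {1} = {2} {3}" -f $hive, $p.Name, $p.Value, $flag)
    }
}
```

Run it from an elevated PowerShell prompt; a changed UserInit line or a Notify DLL outside the known system set is what this infection looked like in the log above.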
