26 June 2009

Summer of Drive-By Downloads

The summer has finally arrived here in Sweden. Now is the time to go swimming, bouldering and do all the other things that require great weather.

As you may know, I've been documenting lots of drive-by downloads and intend to continue doing so during the summer. To make this as smooth as possible I've set up this blog post, which I'll update whenever I find new malware that uses security holes to install itself.

--

As usual, I'm scanning the infected system with FreeFixer to find out what's been installed on the system. I'm also using FreeFixer to remove the unwanted files.

10 July

Today the rogue System Security application installed. Nothing new under the sun except this driver that came along:

c:\windows\system32\drivers\amd64si.sys

8 July

c:\windows\system32\drivers\netsik.sys
c:\windows\system32\msrr32.dll
c:\win32upd.exe

6 July

c:\windows\system32\appwinproc.dll
HOSTS file redirecting antispy.microsoft.com to 209.44.111.62
HOSTS file redirecting antiaware-pro.com to 209.44.111.62
HOSTS file redirecting www.antiaware-pro.com to 209.44.111.62

4 July

c:\windows\system32\msxz.exe

2 July

Another nasty infection. The files msjv32.dll and msne.exe were hidden from detection by a rootkit:

c:\windows\system32\msjv32.dll
C:\Documents and Settings\Roger\Skrivbord\msdos.pif
c:\windows\system32\msne.exe

1 July

C:\WINDOWS\9129837.exe
c:\windows\system32\drivers\securentm.sys
C:\WINDOWS\System32\rr64_b.exe
HOSTS file redirecting safesystem.microsoft.com to 209.44.111.62
HOSTS file redirecting antiviraprof.com to 209.44.111.62
HOSTS file redirecting www.antiviraprof.com to 209.44.111.62
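The HOSTS hijacks logged on 6 July and 1 July share one pattern: several hostnames, including fake microsoft.com subdomains, all pointing at the same routable address. The following is an added example (not FreeFixer's code or part of the original post) that parses HOSTS-format text and reports exactly that pattern; the sample HOSTS content is constructed from the entries above.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in Windows HOSTS format, modelled on the entries this
# post reports (the rogue mappings all point at the same address as in the post).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
209.44.111.62   antispy.microsoft.com
209.44.111.62   antiaware-pro.com
209.44.111.62   www.antiaware-pro.com
209.44.111.62   safesystem.microsoft.com
209.44.111.62   antiviraprof.com
209.44.111.62   www.antiviraprof.com
0.0.0.0         ads.example.test   # a blocking entry, not a hijack
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS-format text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()

def find_hijacks(text):
    """Return {ip: [hostnames]} for entries that send a name to a routable
    address. Loopback/unspecified targets (ordinary blocking entries) are
    skipped; anything else is a redirect worth reviewing, and many names
    on one address is the pattern seen in this post."""
    hits = defaultdict(list)
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hits[ip].append(name)  # an unparsable target is itself suspicious
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        hits[ip].append(name)
    return dict(hits)

def brand_impersonations(hijacks, brands=("microsoft.com",)):
    """Redirected names that sit under a trusted brand's domain."""
    return sorted(name for names in hijacks.values() for name in names
                  if any(name == b or name.endswith("." + b) for b in brands))
```

On a live system the same functions can be pointed at the contents of %SystemRoot%\System32\drivers\etc\hosts.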

30 June

Nasty little bugger. None of the 40 anti-virus engines over at VirusTotal.com detects HB32.dll:

C:\WINDOWS\system32\wbem\HB32.dll

29 June

C:\WINDOWS\system32\EVA.exe
C:\DOCUME~1\Roger\LOKALA~1\Temp\init.exe
C:\DOCUME~1\Roger\LOKALA~1\Temp\3.EXE
c:\windows\system32\drivers\systemntmi.sys
C:\Documents and Settings\Roger\Application Data\twex.exe
C:\Documents and Settings\Roger\Start-meny\Program\Autostart\rncsys32.exe
C:\WINDOWS\ld09.exe
C:\WINDOWS\System32\net.net

26 June

This drive-by download installed the System Security Rogue, Koobface, and a malware device driver:

C:\windows\ld11.exe
C:\Documents and Settings\All Users\Application Data\15452184\15452184.exe
c:\program\sys\sys.sys

26 June

A device driver + additional malware:

C:\WINDOWS\System32\drivers\ethxhkrw.sys
C:\WINDOWS\System32\sdra64.exe
C:\WINDOWS\system32\logon.exe

Comments

Dental Care Austin TX writes


Is it effective at taking out unwanted programs? Is it compatible with Windows Vista? I am just curious. Thanks.

22 Jul 2009, 1:15
