Pwned


Today I had my system infected with a trojan. I don't even remember when the last time I had one was... The worst part of it: I didn't get it by visiting dubious sites (pr0n, warez), but from a news site (http://news.com). Most likely the malware was masquerading as an ad and exploited some unpatched hole in Adobe Flash (caveat!), as the site is full of Flash advertisements and has had problems in the past, too.
I was browsing the news and suddenly the browser disappeared (crashed). I restarted it, thanking Adobe and thinking nothing more of it. Soon after that, the problems appeared.
The first red flag was an elevated prompt from Windows 7, asking for permission to run "SoftwareUpdate.exe". Since I was not installing anything, I canceled it. Yet the prompt came again, and again, and again. From the dialog's details, the program was "c:\Users\alinc\AppData\Local\temp\SoftwareUpdates.exe", so I renamed the executable to an .exe_ extension and canceled the prompt again. This time I got error messages that updates couldn't be installed, so I set out to investigate who was displaying them. To my surprise, I could not launch Task Manager (taskmgr.exe) nor Sysinternals' Process Explorer (procexp.exe). As soon as the programs were started, they were closed automatically... It was clear now that I was infected.
I logged off and switched users, logging in with a different local Administrator account. Problems occurred here as well; I still could not launch Process Explorer. Soon I started to get tons of error messages, "A Write command during the test failed to complete", culminating with "System error, hard disk failure detected". All the icons on the desktop disappeared, leaving only one "Smart_Hdd" shortcut.
I opened a command prompt and started to see problems here as well: folders and files disappeared from "dir" listings. I renamed procexp.exe to something else (alin.exe) and this way I was able to launch it without it being closed anymore. At a glance, Process Explorer highlighted in gray two suspect programs (C:\ProgramData\rmIhrYfwFjUdy.exe and C:\ProgramData\QFUDzzwTiL1aQy.exe): they had weird names, were launched from ProgramData, and had no Description or Company Name.
Even more worrying, rmIhrYfwFjUdy.exe had launched a recursive "attrib.exe /s +h *.*" (not shown, I killed it immediately)... this was hiding all the files and folders on my computer! I believe all this was a scamming scheme to convince me into buying some "cleanup program" that would fix the "hard drive failures" "detected" and reported in the previous messages.
I tried to stop/kill the malicious programs by pressing Delete, but they were protecting each other: as soon as one was killed, the other one immediately started it up again. The solution is to right-click them and use the "Suspend" command. Suspend both, then you'll be able to kill them without them coming back. Now I could move the binaries out of the way for my collection and investigate further.
I ran another Sysinternals/Microsoft tool, Autoruns. This indicated rmIhrYfwFjUdy.exe was launched at logon time via a registry value written under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. I deleted that as well.
I updated Microsoft Security Essentials to the latest definitions and started a scan. With the latest definitions, it flagged two of the binaries as malware. QFUDzzwTiL1aQy was recognized as Win32/Bumat!rts, and SoftwareUpdate was recognized as Win32/Tibs!IT. The third program was not recognized, so I used Microsoft's Virus Sample Submission page to submit rmIhrYfwFjUdy.exe for further analysis.
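The suspend-then-kill sequence and the Run-key check above can be scripted so that the order is never wrong under pressure. The following is an added example, not code from the original post; it assumes an elevated PowerShell 4+ console, Sysinternals PsSuspend (pssuspend.exe) on the PATH, and a quarantine folder of C:\Quarantine. The selection rule (image under ProgramData with empty Company and Description, the same thing Process Explorer's gray highlight means) and the ProgramData/AppData/Temp heuristic for Run values are assumptions for illustration, not a general malware signature.

```powershell
# Added example: triage two processes that restart each other, the way the post
# does by hand in Process Explorer. Run from an elevated console.
# Assumptions: pssuspend.exe (Sysinternals) on PATH; quarantine folder below.
$Quarantine = 'C:\Quarantine'
New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null

# 1. Select suspects: image lives under ProgramData, no vendor metadata.
#    Protected processes whose path cannot be read return $null and are skipped.
$suspects = @(Get-Process | Where-Object {
    $_.Path -and
    $_.Path -like "$env:ProgramData\*" -and
    [string]::IsNullOrWhiteSpace($_.Company) -and
    [string]::IsNullOrWhiteSpace($_.Description)
})
if ($suspects.Count -eq 0) { Write-Host 'No suspect processes found.'; return }
$suspects | Format-Table Id, ProcessName, Path -AutoSize

# 2. Suspend ALL suspects before killing ANY of them. A frozen watchdog
#    cannot respawn its partner, which is the whole point of the ordering.
foreach ($p in $suspects) { & pssuspend.exe -accepteula $p.Id | Out-Null }

# 3. Now terminate; nothing is left running to restart them.
$suspects | Stop-Process -Force

# 4. Preserve the binaries for AV submission: hash, then move to quarantine.
foreach ($p in $suspects) {
    if (Test-Path -LiteralPath $p.Path) {
        $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $p.Path).Hash
        Move-Item -LiteralPath $p.Path -Destination (Join-Path $Quarantine "$hash.bin") -Force
        "$hash  $($p.Path)" | Add-Content -Path (Join-Path $Quarantine 'samples.txt')
    }
}

# 5. Report Run/RunOnce values that point into user-writable locations. This
#    only prints the removal command; review each hit before deleting it.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $names = ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }).Name
    foreach ($name in $names) {
        $cmd = $props.$name
        if ($cmd -match '(?i)\\(ProgramData|AppData|Temp)\\') {
            Write-Warning "$key\$name -> $cmd"
            Write-Host "  Remove-ItemProperty -Path '$key' -Name '$name'"
        }
    }
}
```

If the malware closes the console the moment it opens, the same trick the post used for procexp.exe applies: run the script from a renamed copy of the interpreter. Step 5 deliberately does not delete anything; a Run value pointing into AppData is common for legitimate per-user software, so each hit needs a human look before the printed Remove-ItemProperty line is run.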
The trojan left more traces on my computer:
- The "Smart HDD" shortcut on the desktop pointing to QFUDzzwTiL1aQy.
- A "Smart HDD" program group with 2 entries, one masquerading as an "Uninstall" program but pointing to the same malware.
- Most folders and files were hidden. I had to run a recursive "attrib -h" of my own to reset the attributes.
- The Start Menu and Taskbar settings were all changed. All the icons in the Start Menu were hidden, and the taskbar was set with Vista-like settings (program buttons with text, no grouping, system tray showing all icons, etc.). I had to go to Properties and explicitly set or reset everything to the defaults.
- All icons under "Administrative Tools" were deleted. In fact, the whole "C:\ProgramData\Microsoft\Windows\Start Menu" folder was cleaned of all files.
- The "C:\Users\All Users" folder is also gone. There may be other effects I haven't found yet...
Basically I've lost all the shortcuts/icons of all installed programs, but I'm still pleased I caught it in time before it caused more damage; the situation could have been much worse...
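Undoing the malware's recursive "attrib +h" is the one cleanup step from the list above that is worth doing carefully, because a blanket "attrib -h /s /d" also strips the Hidden flag from items the user hid on purpose. The function below is an added example, not the author's command; it unhides everything under a root the caller names, but leaves System-flagged items alone (which is also what cmd.exe's attrib does, since "attrib -h" refuses to touch files marked S unless -s is given too) and does not descend into junctions or symlinks. The root path and the -WhatIf dry-run switch are assumptions of this example.

```powershell
# Added example: reverse a recursive "attrib /s +h *.*" without unhiding
# items Windows itself keeps hidden. Run elevated if the root is outside
# the current user's profile.
function Restore-HiddenItems {
    param(
        [Parameter(Mandatory)][string]$Root,   # e.g. $env:USERPROFILE (assumed)
        [switch]$WhatIf                         # list only, change nothing
    )
    $hidden  = [int][IO.FileAttributes]::Hidden
    $system  = [int][IO.FileAttributes]::System
    $reparse = [int][IO.FileAttributes]::ReparsePoint
    $count   = 0

    # -Force is required: without it Get-ChildItem skips hidden items entirely,
    # which is exactly the set we are looking for.
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $a = [int]$_.Attributes
            ($a -band $hidden) -and            # currently hidden
            -not ($a -band $system) -and       # leave OS-hidden items (desktop.ini, NTUSER.DAT...) alone
            -not ($a -band $reparse)           # do not rewrite junction/symlink targets
        } |
        ForEach-Object {
            if ($WhatIf) {
                Write-Host "would unhide: $($_.FullName)"
            } else {
                $_.Attributes = [IO.FileAttributes](([int]$_.Attributes) -band (-bnot $hidden))
            }
            $count++
        }
    return $count
}

# Dry run first, then apply to the same root.
Restore-HiddenItems -Root $env:USERPROFILE -WhatIf
$n = Restore-HiddenItems -Root $env:USERPROFILE
Write-Host "Unhid $n items under $env:USERPROFILE"
```

Run the -WhatIf pass first and skim the list: anything that was hidden before the infection (a .git folder, a deliberately hidden archive directory) will show up here too, and there is no attribute that records who set the flag, so the decision to unhide those is yours to make rather than the script's.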
In any case, this was one more win for Sysinternals tools.