Wednesday 28 October 2009

Windows Police Pro

Another day, another rogue. This one is called Windows Police Pro:



Here's a FreeFixer log from the infected computer. The malware files were highlighted in red in the original post; entries FreeFixer whitelisted are counted but not listed:
FreeFixer v0.48 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2009-10-27 18:28


Registry Startups (3 whitelisted)
HKCU\..\Run, inixs = C:\WINDOWS\system32\minix32.exe

Processes (18 whitelisted)
C:\WINDOWS\system32\minix32.exe
C:\Program Files\FreeFixer\freefixer.exe

Recently created/modified files (18 whitelisted)
2 minutes, c:\WINDOWS\system32\pump.exe
3 minutes, c:\WINDOWS\svchast.exe
3 minutes, c:\WINDOWS\system32\plugie.dll
3 minutes, c:\Program Files\Windows Police Pro\Windows Police Pro.exe
3 minutes, c:\Program Files\Windows Police Pro\msvcr80.dll
3 minutes, c:\Program Files\Windows Police Pro\msvcp80.dll
3 minutes, c:\Program Files\Windows Police Pro\msvcm80.dll

Tuesday 27 October 2009

Active Security rogue

Another rogue, dubbed Active Security:



Here's a FreeFixer log of the infected system. The malware files were highlighted in red in the original post; entries FreeFixer whitelisted are counted but not listed:
FreeFixer v0.48 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2009-10-27 17:57


Registry Startups (3 whitelisted)
HKCU\..\Run, wow64main.exe = C:\DOCUME~1\roger\LOCALS~1\Temp\wow64main.exe
HKCU\..\Run, Active Security = "C:\Program Files\Active Security\asecurity.exe" -noscan

Processes (23 whitelisted)
C:\Program Files\FreeFixer\freefixer.exe
C:\DOCUME~1\roger\LOCALS~1\Temp\wow64main.exe
C:\DOCUME~1\roger\LOCALS~1\Temp\wscsvc32.exe
C:\Program Files\Active Security\asecurity.exe


EnumPageFiles missing in Windows 2000

The EnumPageFiles documentation on MSDN appears to be incorrect. It lists Windows 2000 Professional as the minimum platform, but psapi.dll on Windows 2000 has no export with that name (neither EnumPageFilesA nor EnumPageFilesW). Later revisions of the documentation list Windows XP as the minimum supported client.

This is a dump of the functions exported by psapi.dll on my Windows 2000 Pro machine (no service pack installed):

C:\Program Files\Microsoft Visual Studio 8\VC>dumpbin /exports c:\tmp\dump\psapi.dll
Microsoft (R) COFF/PE Dumper Version 8.00.50727.762
Copyright (C) Microsoft Corporation. All rights reserved.


Dump of file c:\tmp\dump\psapi.dll

File Type: DLL

Section contains the following exports for PSAPI.DLL

00000000 characteristics
37EC8753 time date stamp Sat Sep 25 10:26:59 1999
0.00 version
1 ordinal base
19 number of functions
19 number of names

ordinal hint RVA name

1 0 00001CDE EmptyWorkingSet
2 1 00001226 EnumDeviceDrivers
3 2 00001981 EnumProcessModules
4 3 00003106 EnumProcesses
5 4 00001106 GetDeviceDriverBaseNameA
6 5 00001789 GetDeviceDriverBaseNameW
7 6 00001728 GetDeviceDriverFileNameA
8 7 000016D8 GetDeviceDriverFileNameW
9 8 0000185E GetMappedFileNameA
10 9 000017E1 GetMappedFileNameW
11 A 00001BD4 GetModuleBaseNameA
12 B 00001B7E GetModuleBaseNameW
13 C 00001B1D GetModuleFileNameExA
14 D 00001AC7 GetModuleFileNameExW
15 E 00001C35 GetModuleInformation
16 F 00003233 GetProcessMemoryInfo
17 10 00003351 GetWsChanges
18 11 00003317 InitializeProcessForWsWatch
19 12 00001D42 QueryWorkingSet

Summary

4000 .data
1000 .reloc
1000 .rsrc
4000 .text


No EnumPageFiles export. Does installing Service Pack 4 add it? No: the service pack does not update psapi.dll, so the export is still missing after SP4.

An application that imports EnumPageFiles through its import table will not start at all on Windows 2000; the loader reports:
The procedure entry point EnumPageFilesA could not be located in the dynamic link library PSAPI.DLL.
(EnumPageFilesW in a Unicode build; EnumPageFiles itself is a macro that resolves to one of the two.) The failure happens before any of the program's own code runs, so a check inside the program cannot catch it; the export has to be resolved at run time instead.

The Win2k work-around

You can get the configured paging files from the registry by reading the REG_MULTI_SZ value PagingFiles under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management. Each string has the form "<path> <initial size in MB> <maximum size in MB>", for example "C:\pagefile.sys 192 384". Note that this is the configuration the memory manager reads at boot, not the set of paging files currently in use: a paging file added or removed since the last reboot will not match what EnumPageFiles would report on a newer system.
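
The program below is an added example, not code from the original post or from FreeFixer. It avoids the load-time failure by resolving EnumPageFilesA through LoadLibrary/GetProcAddress, and when psapi.dll lacks the export (as on Windows 2000) it falls back to reading the PagingFiles value. Because that value is REG_MULTI_SZ, the program carries a bounded parser for the format; on non-Windows systems it runs the parser over a constructed sample value. The function names, the 260-character path buffer and the handling of a string that lacks the two size tokens are this example's own assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One configured paging file: "<path> <initial MB> <maximum MB>". */
typedef struct { char path[260]; unsigned long min_mb, max_mb; } pagefile_entry;

/* Parse one string of the PagingFiles value: the two trailing numeric tokens are the
   sizes, everything before them is the path (which may itself contain spaces).
   A string without sizes is kept as a bare path with both sizes 0 (assumption). */
static int parse_entry(const char *s, pagefile_entry *e)
{
    const char *last = strrchr(s, ' '), *prev = NULL;
    size_t plen = strlen(s);
    char *endp;
    e->min_mb = e->max_mb = 0;
    if (last != NULL) {
        unsigned long mx = strtoul(last + 1, &endp, 10);
        if (*endp == '\0' && endp != last + 1) {
            for (const char *q = last - 1; q > s; q--)
                if (*q == ' ') { prev = q; break; }
            if (prev != NULL) {
                unsigned long mn = strtoul(prev + 1, &endp, 10);
                if (endp == last && endp != prev + 1) {
                    e->min_mb = mn; e->max_mb = mx; plen = (size_t)(prev - s);
                }
            }
        }
    }
    if (plen == 0 || plen >= sizeof e->path) return 0;
    memcpy(e->path, s, plen);
    e->path[plen] = '\0';
    return 1;
}

/* Walk a REG_MULTI_SZ buffer (NUL-separated strings ended by an empty string). buf_len
   bounds the walk, so a value lacking the final double NUL cannot run the parser past
   the buffer. Returns the number of entries stored in out. */
size_t parse_paging_files(const char *buf, size_t buf_len, pagefile_entry *out, size_t max_out)
{
    size_t n = 0;
    const char *p = buf, *end = buf + buf_len;
    while (p < end && *p != '\0' && n < max_out) {
        const char *nul = memchr(p, '\0', (size_t)(end - p));
        size_t len = nul ? (size_t)(nul - p) : (size_t)(end - p);
        char tmp[512];
        if (len >= sizeof tmp) break;
        memcpy(tmp, p, len); tmp[len] = '\0';   /* give parse_entry a NUL-terminated copy */
        if (parse_entry(tmp, &out[n])) n++;
        p += len + 1;
    }
    return n;
}

/* Constructed sample of a PagingFiles value; not captured from a real machine. */
const char SAMPLE_PAGING_FILES[] =
    "C:\\pagefile.sys 192 384\0D:\\Swap Space\\pagefile.sys 512 1024\0";

static void print_entries(const pagefile_entry *e, size_t n)
{
    for (size_t i = 0; i < n; i++)
        printf("%s  initial=%lu MB  maximum=%lu MB\n", e[i].path, e[i].min_mb, e[i].max_mb);
}

#ifdef _WIN32
#include <windows.h>
#include <psapi.h>
typedef BOOL (WINAPI *EnumPageFilesA_fn)(PENUM_PAGE_FILE_CALLBACKA, LPVOID);
static BOOL CALLBACK on_pagefile(LPVOID ctx, PENUM_PAGE_FILE_INFORMATION info, LPCSTR name)
{
    (void)ctx;   /* sizes from EnumPageFiles are in pages, not MB */
    printf("%s  total=%lu pages  in use=%lu pages\n", name, (unsigned long)info->TotalSize, (unsigned long)info->TotalInUse);
    return TRUE;
}
int main(void)
{
    /* Bind at run time: an import-table reference to EnumPageFilesA stops the loader on Windows 2000. */
    HMODULE psapi = LoadLibraryA("psapi.dll");
    EnumPageFilesA_fn enum_fn = psapi ? (EnumPageFilesA_fn)GetProcAddress(psapi, "EnumPageFilesA") : NULL;
    if (enum_fn != NULL) return enum_fn(on_pagefile, NULL) ? 0 : 1;
    /* Windows 2000 fallback: the configured paging files from the registry. */
    HKEY key; char buf[4096];
    DWORD type = 0, size = sizeof buf;
    if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management",
                      0, KEY_QUERY_VALUE, &key) != ERROR_SUCCESS) return 1;
    LONG rc = RegQueryValueExA(key, "PagingFiles", NULL, &type, (LPBYTE)buf, &size);
    RegCloseKey(key);
    if (rc != ERROR_SUCCESS || type != REG_MULTI_SZ) return 1;
    pagefile_entry entries[8];
    print_entries(entries, parse_paging_files(buf, size, entries, 8));
    return 0;
}
#else
int main(void)   /* off Windows: run the parser over the constructed sample */
{
    pagefile_entry entries[8];
    print_entries(entries, parse_paging_files(SAMPLE_PAGING_FILES, sizeof SAMPLE_PAGING_FILES, entries, 8));
    return 0;
}
#endif
```

Because EnumPageFilesA is looked up at run time, the program needs no psapi import library and the same binary runs on Windows 2000 and on XP, taking the API path wherever the export exists. The registry branch reports configured files in megabytes while the API reports live usage in pages, so the two outputs are not directly comparable.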

Do you know of some other method of enumerating the paging files?

Friday 23 October 2009

SecurityTool Rogue

Ran into a new rogue today called "Security Tool":

SecurityTool Malware

This program was installed by exploiting a security hole in an unpatched Windows XP installation. Below is a FreeFixer log to show what files appeared on the infected computer:

FreeFixer v0.47 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 1
Log dated 2009-10-23 14:45


Registry Startups
HKLM\..\Run, sysgif32 = C:\WINDOWS\Temp\wpv511255703227.exe
HKLM\..\Run, restorer64_a = C:\WINDOWS\system32\restorer64_a.exe
HKLM\..\Run, 60306520 = C:\DOCUME~1\ALLUSE~1\APPLIC~1\60306520\60306520.exe
HKLM\..\Run, PromoReg = C:\WINDOWS\Temp\_ex-08.exe
HKLM\..\Run, Antivirus Pro 2010 = "C:\Program\AntivirusPro_2010\AntivirusPro_2010.exe" /hide
HKLM\..\Run, Regedit32 = C:\WINDOWS\system32\regedit.exe (file is missing)
HKCU\..\Run, restorer64_a = C:\Documents and Settings\Roger\restorer64_a.exe
HKCU\..\Run, mserv = C:\Documents and Settings\Roger\Application Data\seres.exe
HKCU\..\Run, svchost = C:\Documents and Settings\Roger\Application Data\svcst.exe

Autostart shortcuts
zavupd32.exe, , C:\Documents and Settings\Roger\Start-meny\Program\Autostart\zavupd32.exe

Recently created/modified files
15 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temp\BN6.tmp
15 minutes, c:\WINDOWS\system32\dllcache\agp440.sys
15 minutes, c:\WINDOWS\system32\drivers\AGP440.SYS
15 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temp\BN5.tmp
42 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temp\TMP13.tmp
42 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temporary Internet Files\Content.IE5\2B6JEHAV\win[1].exe
42 minutes, c:\WINDOWS\system32\_scui.cpl
42 minutes, c:\Program\AntivirusPro_2010\Uninstall.exe
42 minutes, c:\Program\AntivirusPro_2010\wscui.cpl
42 minutes, c:\Program\AntivirusPro_2010\htmlayout.dll
42 minutes, c:\Program\AntivirusPro_2010\pthreadVC2.dll
42 minutes, c:\Program\AntivirusPro_2010\Microsoft.VC80.CRT\msvcr80.dll
42 minutes, c:\Program\AntivirusPro_2010\Microsoft.VC80.CRT\msvcp80.dll
42 minutes, c:\Program\AntivirusPro_2010\Microsoft.VC80.CRT\msvcm80.dll
42 minutes, c:\Program\AntivirusPro_2010\AVEngn.dll
42 minutes, c:\Program\AntivirusPro_2010\AntivirusPro_2010.exe
44 minutes, c:\Documents and Settings\Roger\Application Data\lizkavd.exe
44 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temporary Internet Files\Content.IE5\G5ER0HM3\Install[1].exe
44 minutes, c:\Documents and Settings\All Users\Application Data\60306520\60306520.exe
44 minutes, c:\Documents and Settings\Roger\Application Data\svcst.exe
44 minutes, c:\WINDOWS\Temp\_ex-08.exe
44 minutes, c:\Documents and Settings\Roger\Application Data\seres.exe
44 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temp\BN12.tmp
44 minutes, c:\Documents and Settings\Roger\restorer64_a.exe
45 minutes, c:\WINDOWS\system32\restorer64_a.exe
45 minutes, c:\Documents and Settings\Roger\Lokala inställningar\Temp\10.tmp
45 minutes, c:\WINDOWS\Temp\wpv791256209457.exe
45 minutes, c:\WINDOWS\Temp\wpv651256085323.exe
45 minutes, c:\WINDOWS\Temp\wpv511255703227.exe

Wednesday 21 October 2009

Antivirus Pro 2010 Rogue

Ran into another rogue today, Antivirus Pro 2010:




These malware files appeared on the computer: AntivirusPro_2010.exe, seres.exe, lizjavd.exe and svcst.exe.