A malicious Firefox extension called FirestarterFox is being installed by some of the latest malware variants. This extension hijacks all search requests through Google, Yahoo and Microsoft Live search and redirects them through the Russian site thebestwebsearch.net. This is done with the intention of showing ads on the search results page which presumably make money for the creator of this piece of malware.
Luckily the extension can’t be silently installed since Firefox alerts users to all new extensions. So if you ever start Firefox and get the message that a new extension called FirestarterFox has been installed you will immediately know that you have malware on your system and should take steps to remove it or reformat your system.
A new sample came in today – an ad injector for Internet Explorer. I was analyzing it and noticed that the malware hid several of its key files. “Aha – a rootkit!” I thought and proceeded to find out how the trojan had hooked into the system to hide its traces. An SSDT hook perhaps, or maybe an injected user-mode DLL?
I looked and looked and couldn’t find a thing. No rootkit, no driver, no IAT modifications; nothing. Even stranger, the trojan seemed to have rootkitted the entire C:\Windows\system32 folder – it was invisible in Windows Explorer and couldn’t be seen when executing dir in a CMD prompt. That’s strange – why would a rootkit want to hide the system32 folder? If anything would tip you off that something is horribly wrong with your system, a missing system32 folder would be it (see figure 1 below).
Fig 1. Bad things are going on if you open up Explorer and see this.
After about an hour of looking for the rootkit and not finding it I started to get frustrated. So I decided to take another look at RegMon to see what the trojan was doing with the registry. That’s when I stumbled upon this:
Fig 2. The trojan modifies the ShowSuperHidden setting for Windows Explorer
The HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden determines whether or not Explorer shows files that have the hidden and system attribute set. It wasn’t a rootkit after all! The trojan simply disabled this setting and this caused all files with the system and hidden attribute to be invisible in Windows Explorer. And since the lab machine had the ShowSuperHidden setting enabled the trojan was hidden after performing the above registry tweak.
However, this didn’t explain why the files and folders were invisible in a Command Prompt as well. The explanation is obvious and simple: I had entered a simple “dir”. And since the system32 folder and the trojan files had attributes +h +s (hidden and system) set, they were hidden in the listing. Doing a “dir /ah” showed the missing files.
Moral of the story: Somtimes malware will use “old reliable” instead of messing about with a rootkit and drivers. So check the obvious stuff first before assuming it’s something more advanced.
ThreatExpert looking good today !
In comes a new virus undetected by everything on VirusTotal. Just had a quick look and immediately thought it looks like a VIRUT .. this is the only detection
Note the automated analysis thinks certain system files are deleted, this is another sign that they were infected by the virus or hidden by the rootkit, or both.
Please note: While TrojanHunter doesn’t deal with viruses in most cases, detection for the sample will be added very shortly since it was scanning 100% clean and analysis will take some time. The computer systems analysing the malware took over 3 minutes, an eternity when talking trillions of operations a second.
An interesting new spam, slight twist on the usual social engineering:
Mrs. Clause Is Out Tonight!
I know you hate these kind of emails but this one is different. Hey what
can 1 min from your day hurt. You wont regret it for sure. 😉
<malicious URL removed>
Obviously, users should avoid such emails and immediately delete them. If you can’t spot this sort of email as being a spammed virus, give us an email with any questions!
We’ve started working on our new Trojan Information Library, and there are already a few sample entries online. Read about how to remove some of the most common trojans manually, and get additional technical insight into how the trojans work. We’re also adding aliases so you can cross-reference the trojan names with those from other virus and malware scanners.
Doing some housecleaning, and going through a whole bunch of malware files with the new scanner (as you do..)
This one brings a smile.. TrojanHunter now includes SFX detection among other things in the 5.0 beta, here’s an “installer”…
Found trojan file: C:\TESTING\2005107\2005107.exe/3721.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/ad1.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/ad2.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/ad3.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/ad4.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/ad5.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/ad6.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/ad7.exe (TrojanClicker.VB.166)
Found adware file: C:\TESTING\2005107\2005107.exe/bind_8432.exe (Adware.AdHelper.107)
Found adware file: C:\TESTING\2005107\2005107.exe/dmshell.dll/Upxlpbqnauj (Adware.Dm.100)
Found trojan file: C:\TESTING\2005107\2005107.exe/s45337.exe (Agent.629)
Found adware file: C:\TESTING\2005107\2005107.exe/setup_110013.exe (Adware.WSearch.121)
Found trojan file: C:\TESTING\2005107\2005107.exe/system.exe (TrojanClicker.VB.167)
Found trojan file: C:\TESTING\2005107\2005107.exe/system2.exe (TrojanClicker.VB.167)
Found trojan file: C:\TESTING\2005107\2005107.exe/system3.exe (TrojanClicker.VB.167)
Found adware file: C:\TESTING\2005107\2005107.exe/WIS174.exe (Adware.AllSum.105)
Found trojan file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/3721.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/ad1.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/ad2.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/ad3.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/ad4.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/ad5.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/ad6.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/ad7.exe (TrojanClicker.VB.166)
Found adware file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/bind_8432.exe (Adware.AdHelper.107)
Found adware file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/dmshell.dll/Upxtgyxoryw (Adware.Dm.100)
Found trojan file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/s45337.exe (Agent.629)
Found adware file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/setup_110013.exe (Adware.WSearch.121)
Found trojan file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/system.exe (TrojanClicker.VB.167)
Found trojan file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/system2.exe (TrojanClicker.VB.167)
Found trojan file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/system3.exe (TrojanClicker.VB.167)
Found adware file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/WIS174.exe (Adware.AllSum.105)
We detect supsicious droppers too, simply because a normal SFX should be well, normal. Lets just say I wouldn’t want to execute the above on MY system…
A new wave of Zhelatin emails is currently going out. A typical example is this email:
Are you ready to have fun at Web Joker.
Account Number: 775152935455
Temp Login ID: user1160
Your Password ID: px259
Please keep your account secure by logging in and changing your login info.
Use this link to change your Login info: http://74.64.28.xx/
The page linked to in the email advises the user to install a “Secure Login Applet” to view the page, which of course is an executable trojan file — a typical name is applet.exe. Below is a brief analysis.
The applet.exe file, when run, performs the standard Zhelatin actions: Copying itself to C:\Windows\spooldr.exe, and extracting a driver file to C:\Windows\system32\spooldr.sys. It also adds a rename entry for a .tmp file:
HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations = C:\Windows\system32\drivers\OLD3.tmp"
This entry will simply delete the file on reboot. Interestingly enough, the variants we’ve examined so far haven’t patched the tcpip.sys file to make themselves autostart. This makes removal easier since tcpip.sys does not need to be restored from backup. (Check that the digital signature on tcpip.sys is valid though, in case you are infected with this and it is a different variant!)
The OLD3.tmp file is actually a patched version of the legitimate Microsoft kbdclass.sys driver file. The trojan version has an extra 15 KB of data appended to it. The entry point of the patched driver file has been modified to point to the start of this extra block of data. Once loaded, the OLD3.tmp file loads the spooldr.sys trojan driver using the native Windows API function ZWSetSystemInformation.
The spooldr.sys driver will as usual disable most common firewalls, including the built-in Windows firewall.
Manual removal steps
- Reboot computer in Safe Mode without networking
- Delete the following files: C:\Windows\spooldr.exe, C:\Windows\system32\spooldr.sys
- Restart computer normally