Metallica’s blog

Trojan-Spy.Win32.GreenScreen

Is a real threat, but it is being used to scare users. By what looks to be a new member of the FakeAlert family. The usual Zlob infection method is done by offering fake codecs or from cracks/keygens.
Trying to trick users into buying a so-called antivirus or antispyware application, it claims your computer has been infected with a Trojan that has the ability to store encrypted screenshots of the users activity, so the malware-writer can have a look at them when he so wishes.
And of course offers you the perfect “solution”.

One way to recognize the infection in a HijackThis log is the presence of a ShellServiceObjectDelayLoad (O21) entry with these characteristics.
O21 - SSODL: InfoUtilSh - {06F61173-2D9A-8BFA-E6CF-0427119F25AD} - C:\Program Files\fsrpikb\InfoUtilSh.dll
where InfoUtilSh can be anything. The name is random, but repeated in the filename.
There are a number of known CLSIDs. I will list the ones I have found sofar further down.
The CLSID and the foldername ({06F61173-2D9A-8BFA-E6CF-0427119F25AD} and fsrpikb) are a pair, so you will find the same combination over and over, just with different filenames.
The foldernames sofar always have a name consisting of 6 or 7 letters.

PC Threat.com has a description with a screenshot of the fake message.

A list of known CLSID s and the accompanying foldernames:

{06F61173-2D9A-8BFA-E6CF-0427119F25AD} fsrpikb
{089B34BF-7B9F-72C8-B009-02836522926D} kaijrnf
{191AC1A7-66E5-1C75-D7C9-014D8DAD4EF2} xsbbbfg
{199C5732-24EF-9AE4-8BCB-0BE29CFE6580} ebtpojb
{2A364A72-CB04-DCC0-E1D9-060EF07A8A8C} sjhyddb
{2B645EC5-9487-94EE-BAD8-062C3CCFFC35} hubjemd
{2E971D22-98EA-D1B7-7544-055387C87792} fotwqyd
{2EF26493-ECFD-4DD1-ABDF-03A50288E9C3} ednppsf
{36136E14-7DEF-FB91-FA1E-08E42B7C04D5} vepwqt
{3D121C4F-952E-8161-293A-03E34EF94D7E} smupvr
{42A8F895-67E9-FA8E-EC1E-02EF6855EF9F} gvepnwd
{437CC218-806E-D9D1-177A-03D87A9D27E7} ossngzf
{48D9D434-E323-1211-205D-0761CE46F854} uzsehcd
{49F446EC-8CAD-63A0-BE77-08FC62F01A88} mhhmdsf
{49F446EC-8CAD-63A0-BE77-08FC62F01A88} mhhmdsf
{4AB2E0EB-83EF-B245-B76F-0354B8EB5923} qpujdcc
{4C07C461-D1E0-F56D-2AB9-0B8713BF6090} vswrlye
{4D24CB0E-5D02-ACFE-635E-0B7A265F273F} stngxvf
{4F4E81A0-D55E-4A9B-E009-0287F52E5AA4} xiayqpc
{5485E2FC-D135-B0E3-2D2F-0514C3DF9220} wfazvif
{56095251-6E37-8DBE-D932-079443198C43} fscxfub
{57600231-BB6E-EF9B-AF8F-01096E073D05} uapclud
{5F64AD74-63D3-E0F5-A0AE-03D622DEBD6A} nyvlcrd
{6B2EB9C8-AD05-B99C-B950-077B618EA53E} gtrwqkb
{6FA74F28-6F15-8EC1-5A71-04DC25F14DFF} zycpyxe
{71939439-361B-7503-055F-06EF062B9DC5} hesthwd
{73027D5C-74F2-DA89-F67A-0948F759EA03} ieuprxb
{7371173B-E2BA-EA98-DEEE-04AD3E7AF03E} eblnryc
{74230B65-F03E-381D-303E-0B9E0E267CD2} fjdgbff
{7520B774-AE02-FB5D-B4D3-01FE7E3421EF} qaoxqtd
{75654A9E-A79F-4E06-71E8-007F9C629290} rdwnpvb
{75CFD77D-4CC3-7526-C0CA-07A7129CC81B} dknxvag

DeepDive

A strange one this. Discovered in June 2006 according to McAfee, but still active. That makes it a dinosaur in malware country. I happened across it looking for something different, but that person only had an aftereffect caused by the (incomplete) removal by McAfee and couldn’t provide me with a sample. But another victim found that thread and contacted me.
His girlfriends computer was infected and he was a big help figuring out this infection.
You can read our dialogue here.

After registering the helper.dll provided by fylraen I found the description by McAfee to be pretty accurate.

The infection can be recognized by this line in a HijackThis log
O2 - BHO: Browser Helper Object - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - C:Program FilesCommonhelper.dll
or by user complaining about explorer opening the folder %programfiles%Common after boot which could contain files called helper.dll and helper.sig

Total Uninstall log:

My Computer
===============

Registry
===============
(+)(REG KEY) HKEY_CLASSES_ROOTmain.BHO
(+)(REG VAL) (Default) = ‘Browser Helper Object’
(+)(REG KEY) HKEY_CLASSES_ROOTmain.BHOCurVer
(+)(REG VAL) (Default) = ‘main.BHO.1′
(+)(REG KEY) HKEY_CLASSES_ROOTmain.BHOCLSID
(+)(REG VAL) (Default) = ‘{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}’
(+)(REG KEY) HKEY_CLASSES_ROOTmain.BHO.1
(+)(REG VAL) (Default) = ‘Browser Helper Object’
(+)(REG KEY) HKEY_CLASSES_ROOTmain.BHO.1CLSID
(+)(REG VAL) (Default) = ‘{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}’
(+)(REG KEY) HKEY_CLASSES_ROOTAppID{A0E1054B-01EE-4D57-A059-4D99F339709F}
(+)(REG VAL) (Default) = ‘Browser Helper Object’
(+)(REG KEY) HKEY_CLASSES_ROOTAppIDmain.DLL
(+)(REG VAL) AppID = ‘{A0E1054B-01EE-4D57-A059-4D99F339709F}’
(+)(REG KEY) HKEY_CLASSES_ROOTCLSID{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
(+)(REG VAL) AppID = ‘{A0E1054B-01EE-4D57-A059-4D99F339709F}’
(+)(REG VAL) (Default) = ‘Browser Helper Object’
(+)(REG KEY) HKEY_CLASSES_ROOTCLSID{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}VersionIndependentProgID
(+)(REG VAL) (Default) = ‘main.BHO’
(+)(REG KEY) HKEY_CLASSES_ROOTCLSID{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}TypeLib
(+)(REG VAL) (Default) = ‘{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}’
(+)(REG KEY) HKEY_CLASSES_ROOTCLSID{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}Programmable
(+)(REG KEY) HKEY_CLASSES_ROOTCLSID{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}ProgID
(+)(REG VAL) (Default) = ‘main.BHO.1′
(+)(REG KEY) HKEY_CLASSES_ROOTCLSID{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}InprocServer32
(+)(REG VAL) ThreadingModel = ‘Apartment’
(+)(REG VAL) (Default) = ‘C:Program FilesCommonhelper.dll’
(+)(REG KEY) HKEY_CLASSES_ROOTInterface{986A8AC1-AB4D-4F41-9068-4B01C0197867}
(+)(REG VAL) (Default) = ‘IBHO’
(+)(REG KEY) HKEY_CLASSES_ROOTInterface{986A8AC1-AB4D-4F41-9068-4B01C0197867}TypeLib
(+)(REG VAL) Version = ‘1.0′
(+)(REG VAL) (Default) = ‘{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}’
(+)(REG KEY) HKEY_CLASSES_ROOTInterface{986A8AC1-AB4D-4F41-9068-4B01C0197867}ProxyStubClsid32
(+)(REG VAL) (Default) = ‘{00020424-0000-0000-C000-000000000046}’
(+)(REG KEY) HKEY_CLASSES_ROOTInterface{986A8AC1-AB4D-4F41-9068-4B01C0197867}ProxyStubClsid
(+)(REG VAL) (Default) = ‘{00020424-0000-0000-C000-000000000046}’
(+)(REG KEY) HKEY_CLASSES_ROOTTypeLib{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}
(+)(REG KEY) HKEY_CLASSES_ROOTTypeLib{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}1.0
(+)(REG VAL) (Default) = ‘main 1.0 Type Library’
(+)(REG KEY) HKEY_CLASSES_ROOTTypeLib{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}1.0HELPDIR
(+)(REG VAL) (Default) = ‘C:Program FilesCommon’
(+)(REG KEY) HKEY_CLASSES_ROOTTypeLib{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}1.0FLAGS
(+)(REG VAL) (Default) = ‘0′
(+)(REG KEY) HKEY_CLASSES_ROOTTypeLib{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}1.0
(+)(REG KEY) HKEY_CLASSES_ROOTTypeLib{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}1.0win32
(+)(REG VAL) (Default) = ‘C:Program FilesCommonhelper.dll’
(+)(REG KEY) HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
(+)(REG VAL) NoExplorer = 1
(+)(REG VAL) (Default) = ”

My proposed fix:

Please download Brute Force Uninstaller .

• Right click the downloaded BFU folder, and choose Extract All
• Click “Next”
• In the box to choose where to extract the files to,
• Click “Browse”
• Click on the + sign next to “My Computer”
• Click on “Local Disk (C:) or whatever your primary drive is
• Click “Make New Folder”
• Type in BFU
• Click “Next”, and Uncheck the “Show Extracted Files” box and then click “Finish”.

RIGHT-CLICK HERE and choose “Save As” (in IE it’s “Save Target As”) in order to download DeepDive Remover.
Save it in the same folder you made earlier (c:BFU).

Then, please go to Start > My Computer and navigate to the C:BFU folder.

• Start the Brute Force Uninstaller by doubleclicking BFU.exe
• Behind the scriptline to execute field click the folder icon and select DeepDive.bfu
• Press Execute and let the program do it’s job. (Do not be startled as your taskbar will disappear for a little while.)
• Wait for the complete script execution box to pop up and press OK.
• Press exit to terminate the BFU program.
• A notepad file called BFUlogdeepdive.txt will be created on the systemdrive (usually the location will be C:BFUlogdeepdive.txt). Post the content of that file please.

Problem in HijackThis

Today (april 26 2008) at 12.36 GMT I downloaded HJTinstall.exe from trendsecure.com

I then installed HijackThis on my Virtual machine running Windows 2000
The header of the log looked like this:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:39:09, on 26-4-2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)
Boot mode: Normal

Then I made a reg file with this content

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ffaabb]
“messinabout”=”F:\\WINDOWS\\System32\\ffaabb.dll”

and merged it with the registry.

Consequently HijackThis showed this line:
O20 - Winlogon Notify: ffaabb - C:\WINNT\
which is not justified because no startup was added.
For a file to get started from under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\subkey
the subkey needs to contain a value called DLLname which points to the dll that gets loaded.
To clarify, a DLL referenced here will be executed in a SYSTEM-level process, regardless of whether a user logs in.
This is not the case here, because this value was not created and did not exist.

Changed the regfile to:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ffaabb]
“DLLname”=”F:\\WINDOWS\\System32\\ffaabb.dll”

and merged it with the registry.

Then HijackThis does the correct thing.
O20 - Winlogon Notify: ffaabb - F:\WINDOWS\System32\ffaabb.dll (file missing)
(file missing) because I didn’t bother to plant one.

Last try I did on the VM to find out where HJT gets the path to the dll

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ffaabb]
“messinabout”=”%WINDIR%\\ffaabb.dll”

After merge HJT reports:
O20 - Winlogon Notify: ffaabb - C:\WINNT\
So it does seem to look at the value that is present rather then let us know that the value that is required for the autostart is not present.

Screenshot of regedit looking at this part of the registry:

Finally I downloaded the standalone executable HijackThis.exe from the same source and merged the last regfile on my XP computer.
The result is the same in essence:
O20 - Winlogon Notify: ffaabb - F:\WINDOWS\

HijackThis did remove the subkey in question from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify under all the above circumstances.

I would like to add that I reported this problem over a month ago to Trend at which point I was promised they would look into it and fix it if they could reproduce it.
Since I haven’t heard from them since, even after two reminders, I have to assume that they don’t plan to do anything about it.
This is not a very serious problem, but it can be confusing and with the many users of this program it may lead to wrong decisions being made.

Camouflaging malware URLs

Recently we have seen a trend of spam mails that are using camouflaged links to get you to a malware ditributing site.

Two examples that worked when tested on february 8 2008:
Google?
Follow the leader

If you look closely you will notice that they will both redirect you to my subdomain at GeeksToGo but at first sight most users might expect to see search results, rather then being sent somewhere.

Of course the malware distributors are not as nice as I am.
I just sent you to the site, but with the same effort there will be a (php or other) script waiting for you that dumps a trojan on your computer.

I stole those two tricks out of mails sent by the same distributor and I would have ended up installing the rogue VirusHeat if I wouldn’t have gone in expecting the worst and protected accordingly.
Both mails promised me a video with Britney and not one recorded while she was making music.

Yahoo seems to have fixed the problem with their redirect service in the meantime.

MBS account manager

After having several users complain about popups by Micro Bill Sys. a fellow spyware fighter using the nick John McKenna approached me with a proposed fix for this pest.

The company that the commercials are for denies all responsibilty here:
Micro Bill Systems
so I’m sure they won’t mind us helping remove the source of the problems. The method John started and I extended can be found here:
How-to-remove-MBS-account-manager
Don’t be shy to let me know if it helped you. I’d really like to find out if this software was installed willingly and you regretted it later or if it was installed without notifying you in any way.

coolpics hijacker

A few victims came looking for help at WildersSecurity forums.

One of them provided me with the installer.
A trick I hadn’t seen before was to remove the Run option from the Startmenu.

I noticed this by finding this entry in a Combofix log:
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
“NoRun”=dword:00000001

Together with the victims at WildersSecurity forums a fix was thought out and tested:
http://www.geekstogo.com/forum/How_to_remove_the_coolpicscom_hijacker-t137346.html

Running the installer produced the following
Total Uninstall log

MyComputer
===============

File System
===============
(FOLDER) C:\WINDOWS\Prefetch
(+)(FILE) SVCHOST32.EXE-20192F81.pf = 19:39 06/11/06 21320 bytes
(+)(FILE) SVCHOST32.EXE-2633C3EE.pf = 20:05 06/11/06 13294 bytes
(FOLDER) C:\WINDOWS\system
(+)(FILE) svchost32.exe = 19:39 06/11/06 185386 bytes
(+)(FILE) svhost.exe = 20:05 06/11/06 10752 bytes

Registry
===============

(+)(REG KEY) HKEY_USERS\S-1-5-21-839522115-1708537768-1202660629-1003\Software\Yahoo
(+)(REG KEY) HKEY_USERS\S-1-5-21-839522115-1708537768-1202660629-1003\Software\Yahoo\pager
(+)(REG KEY) HKEY_USERS\S-1-5-21-839522115-1708537768-1202660629-1003\Software\Yahoo\pager\View
(+)(REG KEY) HKEY_USERS\S-1-5-21-839522115-1708537768-1202660629-1003\Software\Yahoo\pager\View\YMSGR_buzz
(+)(REG VAL) content url = ‘http://thecoolpics.com’
(+)(REG KEY) HKEY_USERS\S-1-5-21-839522115-1708537768-1202660629-1003\Software\Yahoo\pager\View\YMSGR_Launchcast
(+)(REG VAL) content url = ‘http://thecoolpics.com’
(REG KEY) HKEY_USERS\S-1-5-21-839522115-1708537768-1202660629-1003\Software\Microsoft\Internet Explorer\Main
(*)(REG VAL) Start Page
‘http://www.oldhomepage.com’ ==> ‘http://thecoolpics.com’
(+)(REG KEY) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
(+)(REG VAL) DisableRegistryTools = 1
(+)(REG VAL) DisableTaskMgr = 1
(REG KEY) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
(+)(REG VAL) NoRun = 1
(+)(REG KEY) HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel
(+)(REG VAL) Homepage = 1

Warning Internet Gamebox

Originally posted  Aug 11 2006, 01:10 PM

InternetGamebox is available from the .com site with the same name.

This so-called Totally Free software installs adware on your computer that behaves like a rootkit.
In other words it hides itself from Windows to avoid being detected.
This malware is also spread by Mailskinner and is usually called EGDAccess or NaviPromo

If you are lucky all it does is display ads in pop-unders, but if you are connected to the net by dial-up it could also “spice up” your phone-bill.

If you are infected with this adware, please follow this procedure:
Download Brute Force Uninstaller: http://www.merijn.org/files/bfu.zip
Unzip it to it’s own folder (c:\BFU)

RIGHT-CLICK HERE: http://metallica.geekstogo.com/EGDACCESS.bfu and choose “Save As” (in IE it’s “Save Target As”) in order to download EGDACCESS Remover. Save it in the folder you made earlier (c:\BFU)

Start the Brute Force Uninstaller by doubleclicking BFU.exe

In the scriptline to execute copy and paste c:\bfu\EGDACCESS.bfu
Press execute and let it do it’s job.

Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

Then reboot your computer and look for the file C:\egd.txt that was created by the script.
Post the content of that file on the Malware Removal forum explaining what you did. Also look at the content of the folder bfubackups in your System(32) folder. This folder was also created by the script. Let the helper know if any files were in that folder and if so, what they are called.

If I have some time I’ll infect a Virtual Machine shortly and post my findings here.
Done that. Results below.

Well I installed InternetGamebox and it is definitely bad news.
Besides trying to harvest email-addresses (it asks you to send a message to your friends from an online form) it also installs the NaviPromo/EGDAccess rootkit.

Here is what I found with Blacklight:

After renaming those files and rebooting HijackThis showed the startup entry:

Submitting the file wmjglyxr.exe to one of the online scanners confirmed what we already suspected:
File: wmjglyxr.exe
SHA-1 Digest: a124914f2ae67742e3326b2230edc10ee7447cc3
Packers: PECompact v2.00
Status: Infected or Malware

Although none of the scanners identifies it correctly. (I’ll make sure that changes shortly.)

Cleaning Alcan and some of its friends

Originally posted Mar 19 2006, 03:02 PM