alibaba.com

November 11, 2006 on 9:17 pm | In Malware analysis | 1 Comment

Originally posted Jan 21 2006, 07:55 PM

After I figured out this hijacker, I found several people complaining about an svchost.exe in the wrong directory that kept returning, and about a Trojan.Downloader detection that their antivirus couldn’t remove.

This malware is started through the ShellExecuteHooks key, which does not show up in a HijackThis log.

The keys involved look like this:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{00212521-4FEF-4AD3-B3AA-E0531B8DC123}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00212521-4FEF-4AD3-B3AA-E0531B8DC123}\InprocServer32]
@="C:\\WINDOWS\\system32\\usbadpt32.dll"

What happens is that usbadpt32.dll downloads and runs C:\WINDOWS\System32\DirectX\svchost.exe.

That file in turn downloads WITBLOG.OCX and/or MSDATGRPS.OCX and places them in the system directory.
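Because HijackThis did not list this key, the hook has to be resolved by hand: the value name under ShellExecuteHooks is a CLSID, and the DLL Explorer loads for it is the default value of that CLSID's InprocServer32 key. The script below is an added example (not part of the original post, of BFU or of HijackThis) that does that join over a regedit export, the kind `reg export` or Regedit's File > Export produces, using a constructed sample modelled on the keys above. The known-good allowlist (shell32's URL Exec Hook, the one entry a clean Windows XP registers) is my assumption and should be checked against a clean reference machine.

```python
"""Resolve ShellExecuteHooks entries from a regedit (.reg) export.

Each value name under ShellExecuteHooks is a CLSID; the DLL Explorer loads
for it is the default value of that CLSID's InprocServer32 key. Joining the
two lets an entry like the hijacker's be spotted offline, from an export.
"""
import re

# Constructed sample export, modelled on the keys quoted in the post.
# The shell32.dll entry stands in for the stock "URL Exec Hook" a clean
# Windows XP registers; the usbadpt32.dll entry is the hijacker's; the
# all-zero CLSID is a constructed leftover with no CLSID key behind it.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{00212521-4FEF-4AD3-B3AA-E0531B8DC123}"=""
"{00000000-0000-0000-0000-000000000001}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}]
@="URL Exec Hook"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InprocServer32]
@="shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00212521-4FEF-4AD3-B3AA-E0531B8DC123}\InprocServer32]
@="C:\\WINDOWS\\system32\\usbadpt32.dll"
'''

HOOK_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
# COM resolves a CLSID through HKCU\Software\Classes before HKLM, so check both.
CLSID_ROOTS = (r'HKEY_CURRENT_USER\Software\Classes\CLSID',
               r'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID')

# Assumption: the only hook a clean Windows XP registers is shell32's
# "URL Exec Hook". Verify this allowlist against a clean reference machine.
KNOWN_GOOD = {'{AEB6717E-7E19-11D0-97EE-00C04FD91972}': 'shell32.dll'}

# A .reg value line: either @=data (default value) or "name"=data.
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def unescape(s):
    # In .reg strings a backslash escapes the following character.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return {KEY_PATH_UPPER: {value_name: data}} for a Regedit 5.00 export.
    REG_SZ values are decoded; hex:/dword: data is kept as raw text. The
    default value is stored under the empty name ''."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[-'):            # key-deletion marker, not a key
            current = None
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].upper()     # key paths are case-insensitive
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = '' if m.group(1) == '@' else unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = unescape(data[1:-1])
        keys[current][name] = data
    return keys


def resolve_hooks(keys):
    """Pair each ShellExecuteHooks CLSID with its InprocServer32 DLL and a verdict."""
    results = []
    for clsid in keys.get(HOOK_KEY.upper(), {}):
        if not clsid.startswith('{'):
            continue                         # skip the key's own default value
        dll = None
        for root in CLSID_ROOTS:
            server = keys.get(f'{root}\\{clsid}\\InprocServer32'.upper())
            if server and server.get(''):
                dll = server['']
                break
        expected = KNOWN_GOOD.get(clsid.upper())
        if dll is None:
            verdict = 'orphaned'             # hook names a CLSID with no server
        elif expected and dll.lower().rsplit('\\', 1)[-1] == expected:
            verdict = 'known-good'
        else:
            verdict = 'suspect'              # unknown hook: inspect this DLL
        results.append((clsid, dll, verdict))
    return results


if __name__ == '__main__':
    import sys
    if len(sys.argv) > 1:                    # regedit writes UTF-16LE with a BOM
        with open(sys.argv[1], encoding='utf-16') as f:
            text = f.read()
    else:
        text = SAMPLE_REG
    for clsid, dll, verdict in resolve_hooks(parse_reg(text)):
        print(f'{verdict:<10} {clsid} -> {dll}')
```

Run it with no arguments to see the sample, or pass one .reg file that contains both the ShellExecuteHooks key and the CLSID subtree (export HKLM\SOFTWARE\Classes\CLSID as well; a hook whose CLSID resolves to nothing is reported as orphaned rather than silently dropped, since leftover hook values are exactly what an incomplete clean-up leaves behind).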

The cure:

Download and unzip BFU (bfu.zip) from http://www.merijn.org/files/bfu.zip

Download the BFU script located at this url:
http://metallica.geekstogo.com/alibaba.bfu
and place it in the same folder as BFU.exe

Close as many programs as possible since this script will reboot your computer.
Your taskbar will also disappear during the procedure. This is normal.

Double-click BFU.exe to run the program.
Use the folder symbol to find and select the alibaba.bfu file you downloaded.

Execute the script by clicking the Execute button.

If you have any questions about the use of BFU please read here:
http://metallica.geekstogo.com/BFUinstructions.html

For those unable to download the script, copy the code in the block below into Notepad and save it as alibaba.bfu in the same folder as BFU.exe.
Set the file type to “all files” so Notepad does not add a .txt extension.

RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{00212521-4FEF-4AD3-B3AA-E0531B8DC123}
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks|{00212521-4FEF-4AD3-B3AA-E0531B8DC123}

OptionUnloadShell
FileDelete %SYSDIR%\usbadpt32.dll
FileDelete %SYSDIR%\DirectX\svchost.exe
FileDelete %SYSDIR%\WITBLOG.OCX
FileDelete %SYSDIR%\MSDATGRPS.OCX

RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{09F59435-7814-48ED-A73A-96FF861A91EB}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{0C588F7D-A2B3-4001-B59B-D856C1BF3AD7}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{850B69E4-90DB-4F45-8621-891BF35A5B53}
RegDeleteKey HKLM\SOFTWARE\Classes\Interface\{42CB709C-A1D6-4C3A-9F9C-B077FF86A760}
RegDeleteKey HKLM\SOFTWARE\Classes\Interface\{63C8AF31-AD6E-417C-BF8B-48B96E95DC25}
RegDeleteKey HKLM\SOFTWARE\Classes\Interface\{AB44756F-FCE0-454D-AF29-930B89BB44D2}
RegDeleteKey HKLM\SOFTWARE\Classes\TypeLib\{448F1BD5-C41A-4551-83CF-8CD2309ABC66}
RegDeleteKey HKLM\SOFTWARE\Classes\AlibabaIEToolBar.AlibabaButton
RegDeleteKey HKLM\SOFTWARE\Classes\AlibabaIEToolBar.AlibabaButton.1
RegDeleteKey HKLM\SOFTWARE\Classes\AlibabaIEToolBar.AlibabaSearchBar
RegDeleteKey HKLM\SOFTWARE\Classes\AlibabaIEToolBar.AlibabaSearchBar.1
RegDeleteKey HKLM\SOFTWARE\Classes\AlibabaIEToolBar.ShowBarObject
RegDeleteKey HKLM\SOFTWARE\Classes\AlibabaIEToolBar.ShowBarObject.1
RegDeleteKey HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{09F59435-7814-48ED-A73A-96FF861A91EB}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{09F59435-7814-48ED-A73A-96FF861A91EB}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{13b0c05c-ef05-4bf6-b0ea-f6111af25544}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{850B69E4-90DB-4F45-8621-891BF35A5B53}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Alibaba Toolbar
RegDeleteKey HKLM\SOFTWARE\Ablibaba

FolderDelete %SYSDIR%\alitb
FolderDelete %SYSDIR%\alitb1
FolderDelete %SYSDIR%\alitb2
FolderDelete %SYSDIR%\alitb3

SystemRestart Let the computer reboot now|1


  1. Originally posted May 31 2006, 06:52 PM

    The script was updated after a new variant was found by Erik of http://www.hijackthis.nl

    Norman Sandbox said:

    Norman Scanner Engine 5.90. 7
    Sandbox 05.90, dated 23/04-2006

    orthnapp.exe : Not detected by sandbox (Signature: W32/DLoader.RQT)
    [ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO – REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
    * File might be compressed.
    * Decompressing Petite.
    * File length: 3565 bytes.
    * MD5 hash: ef5db03a6e174ca15f4eb39ecd267188.

    [ Changes to filesystem ]
    * Creates file outhera.exe.
    * Creates file northwist.dta.

    [ Network services ]
    * Downloads file from {Obfuscated} as outhera.exe.
    * Downloads file from {Obfuscated} as northwist.dta.

    [ Signature Scanning ]
    * C:\WINDOWS\outhera.exe (4096 bytes) : no signature detection.
    * C:\WINDOWS\northwist.dta (4096 bytes) : no signature detection.

    File downloaded from {Obfuscated} – recognized as type PE_I386

    orthnapp.exe_Download.tmp : Not detected by sandbox (Signature: NO_VIRUS)
    [ General information ]
    * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO – REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
    * File length: 192512 bytes.
    * MD5 hash: a8e008f116e56bcdc14eaa6f2a176586.

    [ Changes to system settings ]
    * Creates WindowsHook monitoring cbt activity.

    © 2004-2006 Norman ASA. All Rights Reserved.
    The material presented is distributed by Norman ASA as an information source only.

    Comment by metallica — November 11, 2006 #
