Vundo MFCOptimize

November 11, 2006 on 9:30 pm | In Malware analysis | 1 Comment

Originally posted Feb 5 2006, 10:32 PM

Just passing on some kudos here. 😎

My friend and teacher Tony Klein pointed me to this thread:
http://castlecops.com/postlite146184-.html

He does that sometimes when he finds something new and exciting and wants a copy of the files involved.
There is a lot going on in that log, but this is what got his attention:

O2 - BHO: MFCOptimizeClass Object - {A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9} - C:\WINDOWS\System32\ssqrs.dll

O20 - Winlogon Notify: ssqrs - C:\WINDOWS\System32\ssqrs.dll

The entries are typical for Vundo but the CLSID and the name of the BHO were new.
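
The pairing those two lines show, one DLL registered both as a Browser Helper Object (O2) and as a Winlogon Notify handler (O20), is the part worth automating when you triage many logs. The following is an added example, not code from the original post or from VundoFix: it parses HijackThis-style O2/O20 lines and reports any DLL that appears in both roles. The sample log is constructed; it contains the two lines quoted above, a made-up BHO with a placeholder CLSID, and two stock Windows XP Notify handlers so the correlation has benign entries to ignore.

```python
import re

# Constructed sample HijackThis log: the two Vundo lines quoted in the post plus
# three ordinary entries (a made-up BHO with a placeholder CLSID and two stock
# Windows XP Winlogon Notify handlers) so the correlation has something to skip.
SAMPLE_LOG = r"""
O2 - BHO: Example Toolbar Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O2 - BHO: MFCOptimizeClass Object - {A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9} - C:\WINDOWS\System32\ssqrs.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O20 - Winlogon Notify: ScCertProp - wlnotify.dll
O20 - Winlogon Notify: ssqrs - C:\WINDOWS\System32\ssqrs.dll
"""

# HijackThis prints "O2 - BHO: <name> - {CLSID} - <path>" and
# "O20 - Winlogon Notify: <subkey name> - <DllName value>".
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
NOTIFY_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")


def parse_hjt(log_text):
    """Split a HijackThis log into its O2 (BHO) and O20 (Winlogon Notify) entries."""
    bhos, notify = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            bhos.append(m.groupdict())
            continue
        m = NOTIFY_RE.match(line)
        if m:
            notify.append(m.groupdict())
    return bhos, notify


def dll_name(path):
    """Bare lower-case file name; Winlogon Notify DllName values are often unqualified."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_dual_persistence(log_text):
    """Report every DLL that is registered both as a BHO and as a Winlogon Notify
    handler. A legitimate component rarely needs both, and the pair is the pattern
    the post calls typical for Vundo."""
    bhos, notify = parse_hjt(log_text)
    notify_by_dll = {dll_name(n["path"]): n for n in notify}
    hits = []
    for bho in bhos:
        dll = dll_name(bho["path"])
        if dll in notify_by_dll:
            hits.append({
                "dll": dll,
                "path": bho["path"],
                "clsid": bho["clsid"],
                "bho_name": bho["name"],
                "notify_name": notify_by_dll[dll]["name"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_dual_persistence(SAMPLE_LOG):
        print(f"{hit['path']}: BHO {hit['clsid']} ({hit['bho_name']}) "
              f"and Winlogon Notify '{hit['notify_name']}'")
```

Matching on the bare file name rather than the full path is deliberate: the Notify key's DllName is frequently written without a directory, as the two stock entries in the sample show, while the BHO InprocServer32 path is fully qualified.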

The victim found the file and made it available to us, so we could investigate.
Atribune, who wrote the VundoFix that helpers all over the net are using to fight these infections, immediately adapted his program so that it would tackle this variant as well.

And with success, needless to add.

Spotted, harvested and added for detection and removal in under 7 hours.
By a couple of volunteers. I thought that deserved a round of applause.  😆

Changes made by registering ssqrs.dll

==========
Filesystem
==========
    (FOLDER) C:\WINDOWS\system32
      (+)(FILE) srqss.ini = 16:09 05-02-06 418 bytes
      (+)(FILE) ssqrs.dll = 16:14 04-02-06 565300 bytes
   
=========
Registry
=========
    (+)(REG KEY) HKEY_CLASSES_ROOT\MFCOptimizeClass.MFCOptimizeClass
      (+)(REG VALUE) (Standaard) = 'MFCOptimizeClass Object'
    (+)(REG KEY) HKEY_CLASSES_ROOT\MFCOptimizeClass.MFCOptimizeClass\CLSID
      (+)(REG VALUE) (Standaard) = '{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9}'
    (+)(REG KEY) HKEY_CLASSES_ROOT\MFCOptimizeClass.MFCOptimizeClass\CurVer
      (+)(REG VALUE) (Standaard) = 'MFCOptimizeClass.MFCOptimizeClass.1'
    (+)(REG KEY) HKEY_CLASSES_ROOT\MFCOptimizeClass.MFCOptimizeClass.1
      (+)(REG VALUE) (Standaard) = 'MFCOptimizeClass Object'
    (+)(REG KEY) HKEY_CLASSES_ROOT\MFCOptimizeClass.MFCOptimizeClass.1\CLSID
      (+)(REG VALUE) (Standaard) = '{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9}'
    (+)(REG KEY) HKEY_CLASSES_ROOT\CLSID\{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9}
      (+)(REG VALUE) (Standaard) = 'MFCOptimizeClass Object'
      (+)(REG VALUE) AppID = ''
    (+)(REG KEY) HKEY_CLASSES_ROOT\CLSID\{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9}\InprocServer32
      (+)(REG VALUE) (Standaard) = 'C:\WINDOWS\system32\ssqrs.dll'
      (+)(REG VALUE) ThreadingModel = 'apartment'
    (+)(REG KEY) HKEY_CLASSES_ROOT\CLSID\{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9}\ProgID
      (+)(REG VALUE) (Standaard) = 'MFCOptimizeClass.MFCOptimizeClass.1'
    (+)(REG KEY) HKEY_CLASSES_ROOT\CLSID\{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9}\Programmable
    (+)(REG KEY) HKEY_CLASSES_ROOT\CLSID\{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9}\TypeLib
      (+)(REG VALUE) (Standaard) = '{BAD59A24-6891-417D-A041-C8FD495B77F1}'
    (+)(REG KEY) HKEY_CLASSES_ROOT\CLSID\{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9}\VersionIndependentProgID
      (+)(REG VALUE) (Standaard) = 'MFCOptimizeClass.MFCOptimizeClass'
    (+)(REG KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9}
    (+)(REG KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqrs
      (+)(REG VALUE) Asynchronous = 1
      (+)(REG VALUE) DllName = 'C:\WINDOWS\system32\ssqrs.dll'
      (+)(REG VALUE) Impersonate = 0
      (+)(REG VALUE) Logoff = 'SysLogoff'
      (+)(REG VALUE) Startup = 'SysLogon'

The easy way, of course, is to download and run VundoFix as advised below:

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
Put a check next to Run VundoFix as a task.
You will receive a message saying VundoFix will close and re-open in a minute or less. Click OK.
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click Yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shut down your computer; click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

This works now that the fix has been updated.

The method below describes how I got rid of it the first time.
#####################################################################
Download and install Process Explorer from:
http://www.sysinternals.com/Utilities/ProcessExplorer.html

Download Advanced Process Manipulation from:
http://www.diamondcs.com.au/index.php?page=apm

Download Killbox from:
http://www.bleepingcomputer.com/files/killbox.php

Copy the REGEDIT4 section below into Notepad and save it directly to the root directory as vundoh.reg.
Set the file type to "All files" (the file should now be at C:\vundoh.reg).

 

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqrs]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9}]

[-HKEY_CLASSES_ROOT\CLSID\{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9}]

[-HKEY_CLASSES_ROOT\MFCOptimizeClass.MFCOptimizeClass]

[-HKEY_CLASSES_ROOT\MFCOptimizeClass.MFCOptimizeClass.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9}]
"Compatibility Flags"=dword:00000400
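
The file above does two different things: the `[-KEY]` lines delete the registrations that the diff earlier in the post showed being added, and the final plain `[KEY]` section sets the CLSID's Compatibility Flags to 0x400, the ActiveX kill bit, so Internet Explorer will refuse to instantiate the object even if something re-registers it. The following is an added example, not part of the original post: a small REGEDIT4 parser that distinguishes the two forms and audits the file against the CLSID and Notify subkey name, which is a useful sanity check before feeding any hand-written cleanup file to `regedit /s`. The file text is embedded as constructed input; the root key paths and the kill-bit value are real Windows locations.

```python
import re

# The cleanup file from the post, embedded here as constructed input for the parser.
VUNDOH_REG = r"""
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqrs]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9}]

[-HKEY_CLASSES_ROOT\CLSID\{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9}]

[-HKEY_CLASSES_ROOT\MFCOptimizeClass.MFCOptimizeClass]

[-HKEY_CLASSES_ROOT\MFCOptimizeClass.MFCOptimizeClass.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9}]
"Compatibility Flags"=dword:00000400
"""

KILL_BIT = 0x00000400  # Compatibility Flags bit that stops IE instantiating the control

NOTIFY_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
BHO_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_ROOT = r"HKEY_CLASSES_ROOT\CLSID"
COMPAT_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# "name"=dword:XXXXXXXX, "name"="string", or @=... for the default value.
VALUE_RE = re.compile(
    r'^(?:"(?P<name>[^"]*)"|(?P<default>@))='
    r'(?:dword:(?P<dword>[0-9A-Fa-f]{8})|"(?P<string>[^"]*)")$')


def parse_reg(text):
    """Parse a REGEDIT4 file into (deleted_keys, values_set).
    '[-KEY]' deletes a key; '[KEY]' selects it for the value lines that follow."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not lines or lines[0] != "REGEDIT4":
        raise ValueError("missing REGEDIT4 header")
    deleted, values, current = [], {}, None
    for line in lines[1:]:
        if line.startswith("[-") and line.endswith("]"):
            deleted.append(line[2:-1])
            current = None
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            values.setdefault(current, {})
        else:
            m = VALUE_RE.match(line)
            if m is None or current is None:
                raise ValueError(f"unparsed line: {line!r}")
            name = "@" if m.group("default") else m.group("name")
            if m.group("dword") is not None:
                values[current][name] = int(m.group("dword"), 16)
            else:
                values[current][name] = m.group("string")
    return deleted, values


def audit_cleanup(text, clsid, notify_name):
    """Check that the file removes the three persistence registrations for the
    given CLSID / Notify subkey and sets the kill bit. Returns {check: bool}."""
    deleted, values = parse_reg(text)
    deleted_lower = {k.lower() for k in deleted}
    values_lower = {k.lower(): v for k, v in values.items()}
    compat_key = (COMPAT_ROOT + "\\" + clsid).lower()
    flags = values_lower.get(compat_key, {}).get("Compatibility Flags", 0)
    return {
        "winlogon_notify_removed": (NOTIFY_ROOT + "\\" + notify_name).lower() in deleted_lower,
        "bho_registration_removed": (BHO_ROOT + "\\" + clsid).lower() in deleted_lower,
        "clsid_removed": (CLSID_ROOT + "\\" + clsid).lower() in deleted_lower,
        "kill_bit_set": isinstance(flags, int) and bool(flags & KILL_BIT),
    }


if __name__ == "__main__":
    for check, ok in audit_cleanup(
            VUNDOH_REG, "{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9}", "ssqrs").items():
        print(f"{check}: {'ok' if ok else 'MISSING'}")
```

Key comparisons are case-insensitive because the registry itself is; a file that spells a hive name differently still deletes the same key. The audit deliberately leaves the two ProgID deletions unchecked, since those names come from the malware's COM class name rather than from the CLSID.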

Reboot into safe mode

Open Process Explorer.
Scroll down in the main window and find winlogon.exe
Right click on winlogon.exe and select Suspend
Leave Process Explorer open.
Now run HijackThis and put checkmarks in front of these two lines
O2 - BHO: MFCOptimizeClass Object - {A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9} - C:\WINDOWS\System32\ssqrs.dll

O20 - Winlogon Notify: ssqrs - C:\WINDOWS\System32\ssqrs.dll

Do NOT fix them yet

Now open Advanced Process Manipulation by double-clicking APM.exe.
Scroll down in the main window and find c:\windows\explorer.exe
Click on the entry and that will display a list of files in the second window.
Scroll down the list in the second window and find C:\WINDOWS\System32\ssqrs.dll
Right click on that entry and select Unload DLL
You will now lose your Start Bar and Desktop Icons. This is normal.
Leave Advanced Process Manipulation open
Go back to Process Explorer window.
Click File > Run
In the run box type regedit.exe /s C:\vundoh.reg
Back in Advanced Process Manipulation.
Scroll down in the main window and find c:\windows\system32\winlogon.exe
Click on the entry and that will display a list of files in the second window.
Scroll down the list in the second window and find C:\WINDOWS\System32\ssqrs.dll
Right click on that entry and select Unload DLL
You will have to click OK about six times
In HijackThis click Fix checked. You will be prompted you are about to remove a BHO. That’s what you want.

Go back to Process Explorer window.
Click File > Run
Enter the path to Killbox
In the killbox program, select the Delete on Reboot option.
Select this file to be deleted: C:\WINDOWS\System32\ssqrs.dll
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt.

Now back in Process Explorer.
Find winlogon.exe again.
Right click on winlogon.exe and select Resume
This should reboot your computer automatically.
####################################

1 Comment »


  1. Hi. I found here really interesting facts! Thanks.

    Comment by Mover — April 24, 2007 #
