Wednesday, September 17, 2008

regsvr.exe (Microsoft Corparation) Virus




regsvr.exe / Winhelp.exe / rundll.exe / (Microsoft Corparation)

regsvr.exe / Winhelp.exe / rundll.exe
===========================

File names

———–

Name : regsvr.exe
Name : winhelp.exe
Type of File : Application
Icon : Folder icon
Size : 1.06 MB (1,114,588 bytes)
Size on disk : 1.07 MB (1,122,304 bytes)
File version : 1.1.2.2
Description : Microsoft Corparation (note the misspelling: "Corparation", not "Corporation")
Copyright :
Compiled Script : Microsoft Corporation
File version : 1,1,2,2
Language : English (United Kingdom)

Name : rundll.exe
Type of File : Application
Description : Generic Host Process for Win32 Services
Size : 161 KB (164,864 bytes)
size on disk : 168 KB (172,032 bytes)
File version : 3.8.0.7400
Company : Microsoft Corporation
Internal name : svchost-full-org
Language : English (United States)
Original name : svchost-full-org.exe

Other supporting files, created during installation of the virus

Name : MSINET.OCX
Type : ActiveX Control
Size : 60.5 KB (61,952 bytes)
Size on disk : 64.0 KB (65,536 bytes)
File version : 5.1.45.11
Description : Microsoft Internet Transfer Control DLL
Copyright : Copyright © 1987-1997 Microsoft Corp.
Comments : September 11, 1997
Company : Microsoft Corporation
File version : 5.01.4511
Internal name : MSINET.OCX

Name : ijl11pro.dll
Type : Application Extension
Size : 70.0 KB (71,680 bytes)
Size on disk : 72.0 KB (73,728 bytes)
File version : 1.1.2.16
Description : Intel® JPEG Library - Retail Version
Copyright : Copyright © 1999
Comments : Intel® JPEG Library
Company : Intel Corporation
File version : 1.1.2
Internal name : Intel® JPEG Library
Original name : ijl11.dll

x—x—x

Recognized by KAV
—————–

not-a-virus:Monitor.Win32.007SpySoft.q rundll.exe
Worm.Win32.AutoIt.s regsvr.exe
x—x—x

Running Process
—————

regsvr.exe : 1-30% CPU, 2 threads
rundll.exe : 0% CPU, 4 threads
Winhelp.exe : runs as SYSTEM, 1-40% CPU, 1 thread

x—x—x

Behind the Screen
—————–

Files Created:
…………..

I:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\aut3.tmp
I:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\aut4.tmp
I:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\aut5.tmp
I:\DOCUME~1\PIYUSH~1\LOCALS~1\Temp\aut6.tmp
I:\WINDOWS\winhelp.ini
I:\WINDOWS\system32\rundll.exe
I:\WINDOWS\system32\ijl11pro.dll
I:\WINDOWS\system32\MSINET.OCX
I:\WINDOWS\system32\regsvr.exe
I:\WINDOWS\regsvr.exe
I:\WINDOWS\system32\winhelp.exe
I:\Documents and Settings\Piyush Chandra\Local Settings\Temp\~DFD5E6.tmp
I:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
I:\WINDOWS\system32\COMCTL32.OCX
I:\WINDOWS\system32\stdole2.tlb
ModifyFile I:\WINDOWS\winhelp.ini

Registry changes:
……………….

ModifyRegValue \REGISTRY\USER\S-1-5-21-1935655697-308236825-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{79ebb8fd-f8e1-11dc-a1b1-806d6172696f}\BaseClass
etc
ModifyRegValue \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
CreateRegValue \REGISTRY\USER\S-1-5-21-1935655697-308236825-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger
CreateRegValue \REGISTRY\USER\S-1-5-21-1935655697-308236825-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NofolderOptions
CreateRegValue \REGISTRY\USER\S-1-5-21-1935655697-308236825-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
CreateRegValue \REGISTRY\USER\S-1-5-21-1935655697-308236825-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
CreateRegValue \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\AtTaskMaxHours
ModifyRegValue \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\system
CreateDir C:\WINNT\system32\ssdata\
CreateDir C:\Recycled\WinLiveUpdate32\scrdata\
CreateDir C:\Recycled\WinLiveUpdate32\
CreateRegValue \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\User Themes
CreateRegKey \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}
etc
CreateRegKey \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
etc
CreateRegValue HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\User “I:\WINDOWS\system32\rundll.exe”

Registry access:
…………….

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
HKLM\SOFTWARE\Microsoft\Tracing\RASAPI32
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters
HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
HKLM\SYSTEM\ControlSet001\Hardware Profiles001
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness

x—x—x

More behind the screen
———————-

The infection is only complete after the machine has been rebooted twice.

It runs cacls.exe to change permissions on something; which ACLs it touches has not yet been determined.

It saves screenshots under c:\recycled\WinLiveUpdate32\ every 30 seconds (the scr.data log shows them going into the scrdata subfolder), so on a machine that stays infected for a long time it slowly fills the C: drive.

It also logs activity on the system to c:\recycled\WinLiveUpdate32\scrdata\ in the files Apps.data, Files.dat, Keys.data, scr.data and lgstat.ini.

In short: it keeps a complete record of what is done on the computer: which applications are opened and closed, which files and folders are created or renamed, what is typed, and periodic screenshots.

Apps.data
………

Piyush Chandra|||2008-03-26 19:05:18|||Run|||Kaspersky Anti-Virus 6.0
Piyush Chandra|||2008-03-26 19:05:21|||Run|||Protection
Piyush Chandra|||2008-03-26 19:05:32|||Close|||Protection
Piyush Chandra|||2008-03-26 19:05:34|||Close|||Kaspersky Anti-Virus 6.0
Piyush Chandra|||2008-03-26 19:05:37|||Run|||Windows Task Manager
Piyush Chandra|||2008-03-26 19:06:04|||Run|||My Documents
etc

Files.dat
………

Piyush Chandra|||2008-03-26 19:31:55|||Create Dir|||H:\MyDocs\virus collection\Known\regsvr.exe Worm.Win32.AutoIt.s\Virus\New Folder
Piyush Chandra|||2008-03-26 19:32:00|||Rename Dir|||H:\MyDocs\virus collection\Known\regsvr.exe Worm.Win32.AutoIt.s\Virus\New Folder—>H:\MyDocs\virus collection\Known\regsvr.exe Worm.Win32.AutoIt.s\Virus\recycler files

etc

Keys.data
………

Piyush Chandra|||2008-03-26 19:10:03|||StartupMonitor Warning
{Enter}

scr.data
……..

Piyush Chandra|||2008-03-26 19:06:15|||Proactive Defense Alert|||C:\Recycled\WinLiveUpdate32\scrdata\2008032668776.jpg
Piyush Chandra|||2008-03-26 19:06:45|||Process Explorer - Sysinternals: www.sysinternals.com [PIYUSH\Piyush Chandra]|||C:\Recycled\WinLiveUpdate32\scrdata\2008032668806.jpg
Piyush Chandra|||2008-03-26 19:07:16|||Process Explorer - Sysinternals: www.sysinternals.com [PIYUSH\Piyush Chandra]|||C:\Recycled\WinLiveUpdate32\scrdata\2008032668836.jpg
Piyush Chandra|||2008-03-26 19:07:46|||~DFBFCB.tmp - Notepad|||C:\Recycled\WinLiveUpdate32\scrdata\2008032668866.jpg
Piyush Chandra|||2008-03-26 19:08:16|||Player

etc
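All of these log files share one record layout: user, timestamp, action and detail separated by `|||`, with Keys.data adding the captured keystrokes (key names in braces such as {Enter}) on the lines after each window-title record. The Python below is an added example for this write-up, not code from the sample or the original post; it parses the files into a single timeline so the spyware's own records can be used to reconstruct what was done on the machine while it was running. The embedded sample input is copied from the excerpts above (Files.dat paths shortened); the arrow between old and new name in Rename Dir records is assumed to be the one shown in the excerpt, with a plain --> also accepted.

```python
r"""Rebuild a timeline from the activity logs this spyware keeps under
C:\Recycled\WinLiveUpdate32\scrdata (Apps.data, Files.dat, Keys.data, scr.data).
Added example for this write-up; not code from the sample or the original post."""
from dataclasses import dataclass
from datetime import datetime

SEP = "|||"                      # field separator used in every log file
STAMP = "%Y-%m-%d %H:%M:%S"      # timestamp format seen in the excerpts
ARROWS = ("\u2014>", "-->")      # old/new separator in Rename records (assumed from the excerpt)


@dataclass
class Event:
    source: str     # log file the record came from
    user: str
    when: datetime
    action: str     # Run / Close / Create Dir / Rename Dir, or the foreground window title
    detail: str     # application, path(s), screenshot file, or captured keystrokes


def parse_record(source, line):
    """Parse one 'user|||timestamp|||action[|||detail]' line; None if it is not a record."""
    parts = line.split(SEP)
    if len(parts) < 3:
        return None
    try:
        when = datetime.strptime(parts[1], STAMP)
    except ValueError:
        return None
    return Event(source, parts[0], when, parts[2], SEP.join(parts[3:]))


def parse_log(source, text):
    """Parse one file. Lines that are not records (the keystroke lines such as
    {Enter} that follow each Keys.data header) are attached to the preceding record."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        event = parse_record(source, line)
        if event is not None:
            events.append(event)
        elif events:
            prev = events[-1]
            prev.detail = f"{prev.detail}\n{line}" if prev.detail else line
    return events


def build_timeline(logs):
    """logs: {filename: contents}. Returns every record from every file, oldest first."""
    events = []
    for name, text in logs.items():
        events.extend(parse_log(name, text))
    events.sort(key=lambda e: e.when)
    return events


def screenshots(timeline):
    """Screenshot paths referenced from scr.data, in capture order."""
    return [e.detail for e in timeline
            if e.source == "scr.data" and e.detail.lower().endswith(".jpg")]


def renames(timeline):
    """(old, new) pairs from 'Rename Dir' records in Files.dat."""
    pairs = []
    for e in timeline:
        if e.action != "Rename Dir":
            continue
        for arrow in ARROWS:
            if arrow in e.detail:
                old, new = e.detail.split(arrow, 1)
                pairs.append((old, new))
                break
    return pairs


# Sample input copied from the excerpts quoted above (Files.dat paths shortened).
APPS_SAMPLE = """\
Piyush Chandra|||2008-03-26 19:05:18|||Run|||Kaspersky Anti-Virus 6.0
Piyush Chandra|||2008-03-26 19:05:21|||Run|||Protection
Piyush Chandra|||2008-03-26 19:05:32|||Close|||Protection
Piyush Chandra|||2008-03-26 19:05:34|||Close|||Kaspersky Anti-Virus 6.0
Piyush Chandra|||2008-03-26 19:05:37|||Run|||Windows Task Manager
"""
KEYS_SAMPLE = """\
Piyush Chandra|||2008-03-26 19:10:03|||StartupMonitor Warning
{Enter}
"""
SCR_SAMPLE = r"""Piyush Chandra|||2008-03-26 19:06:15|||Proactive Defense Alert|||C:\Recycled\WinLiveUpdate32\scrdata\2008032668776.jpg
Piyush Chandra|||2008-03-26 19:06:45|||Process Explorer - Sysinternals: www.sysinternals.com [PIYUSH\Piyush Chandra]|||C:\Recycled\WinLiveUpdate32\scrdata\2008032668806.jpg
"""
FILES_SAMPLE = (
    "Piyush Chandra|||2008-03-26 19:31:55|||Create Dir|||H:\\MyDocs\\New Folder\n"
    "Piyush Chandra|||2008-03-26 19:32:00|||Rename Dir|||"
    "H:\\MyDocs\\New Folder\u2014>H:\\MyDocs\\recycler files\n"
)

if __name__ == "__main__":
    timeline = build_timeline({"Apps.data": APPS_SAMPLE, "Keys.data": KEYS_SAMPLE,
                               "scr.data": SCR_SAMPLE, "Files.dat": FILES_SAMPLE})
    for e in timeline:
        print(e.when, e.source, e.action, e.detail.replace("\n", " "), sep=" | ")
    print(len(screenshots(timeline)), "screenshots;", renames(timeline))
```

Point it at the real files by reading each one from scrdata\ into the dictionary passed to build_timeline. The merged timeline is what makes the logs useful on an infected machine: the screenshot taken every 30 seconds, the window that was in the foreground, and the keys typed into it line up on one clock.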

Warning Messages
—————–

rundll.exe
Another program is currently using this file.

Kaspersky
Riskware: not-a-virus:Monitor.Win32.007SpySoft.q
File: I:\WINDOWS\system32\rundll.exe

x—x—x

Solution:
———

Start > Run > type each of the following lines, one at a time

(taskkill.exe is not included in Windows XP Home Edition, which many laptops shipped with; if it is missing, copy taskkill.exe from an XP Professional machine into your c:\windows\system32\ folder)

End task
……..

taskkill /f /im regsvr.exe /t
taskkill /f /im rundll.exe /t
taskkill /f /im winhelp.exe /t

Registries
……….

at /delete /yes
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /f
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /f
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v "Yahoo Messengger" /f
reg delete HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run /v "Yahoo Messengger" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v System /t REG_SZ /d "" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v shell /t REG_SZ /d "Explorer.exe" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Themes" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User" /f
(the /f on reg delete suppresses the yes/no prompt; removing the whole Policies\System key also clears DisableTaskMgr; the last line removes the Run\User value pointing at rundll.exe that the registry trace above shows being created)

Files
…..

cmd /k del "%USERPROFILE%\Local Settings\Temp\aut*" /f
cmd /k del "%USERPROFILE%\Local Settings\Temp\~*" /f
cmd /k del "%WINDIR%\System32\rundll.exe" /f
cmd /k del "%WINDIR%\winhelp.ini" /f
cmd /k del "%WINDIR%\system32\ijl11pro.dll" /f
cmd /k del "%WINDIR%\system32\MSINET.OCX" /f
cmd /k del "%WINDIR%\system32\regsvr.exe" /f
cmd /k del "%WINDIR%\regsvr.exe" /f
cmd /k del "%WINDIR%\system32\winhelp.exe" /f
cmd /k rmdir /s /q "C:\WINNT\system32\ssdata"
cmd /k rmdir /s /q "C:\Recycled\WinLiveUpdate32\scrdata"
cmd /k rmdir /s /q "C:\Recycled\WinLiveUpdate32"
(del only removes the files inside a folder, and asks for confirmation first; rmdir /s /q removes the folder and everything under it without prompting)
(and delete regsvr.exe, New Folder.exe and autorun.inf from pen drives)
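Once the commands above have been run (or when triaging another machine for the same worm), the registry side can be checked from the saved output of `reg query "<key>" /s` for each key listed under the registry changes. The script below is an added Python example for this write-up, not part of the original post: it parses that output and reports any value matching the worm's footprint, so an empty result means the persistence entries and lockdown policies are gone. The two samples embedded in it are constructed; which value names exist is taken from the post, but every data string other than Run\User (recorded there as the path to rundll.exe) is made up for the test. The parser accepts columns separated by tabs or by runs of four or more spaces, since reg.exe lays its output out differently across Windows versions.

```python
r"""Check saved 'reg query <key> /s' output for the autostart and lockdown values
this worm creates, so a cleanup can be verified or another machine triaged.
Added example for this write-up; not code from the original post."""
import re

# Keys and value names taken from the registry trace in the post. Registry names
# are case-insensitive, so everything is compared lowercased.
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
WORM_RUN_VALUES = {"yahoo messengger", "user", "user themes"}   # sic: double g
LOCKDOWN_VALUES = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System":
        {"disabletaskmgr", "disableregistrytools"},
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer":
        {"nofolderoptions"},
}
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WINLOGON_CLEAN = {"shell": "explorer.exe", "system": ""}   # stock values on XP

_COLUMN_SEP = re.compile(r"\t+| {4,}")   # tabs or four-plus spaces between columns


def parse_reg_query(text):
    """Return {key_lower: {value_lower: (type, data)}} from reg query output."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("HKEY_"):          # key lines are not indented
            current = line.lower()
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        parts = _COLUMN_SEP.split(line.strip(), maxsplit=2)
        if len(parts) < 2:
            continue                          # not a "name  type  data" line
        name, vtype = parts[0], parts[1]
        data = parts[2] if len(parts) == 3 else ""   # REG_SZ with empty data
        keys[current][name.lower()] = (vtype, data)
    return keys


def worm_findings(keys):
    """List every value matching the worm's footprint; an empty list means clean."""
    findings = []
    for key in RUN_KEYS:
        for name, (_, data) in keys.get(key.lower(), {}).items():
            if name in WORM_RUN_VALUES:
                findings.append(f"{key}\\{name} = {data!r} (worm autostart)")
    for key, names in LOCKDOWN_VALUES.items():
        for name, (_, data) in keys.get(key.lower(), {}).items():
            if name in names and data.lower() not in ("0x0", "0"):
                findings.append(f"{key}\\{name} = {data} (user lockdown policy)")
    for name, (_, data) in keys.get(WINLOGON.lower(), {}).items():
        if name in WINLOGON_CLEAN and data.lower() != WINLOGON_CLEAN[name]:
            findings.append(f"{WINLOGON}\\{name} = {data!r} (expected {WINLOGON_CLEAN[name]!r})")
    return findings


# Constructed samples. The value names come from the post; every data string
# except Run\User (the path to rundll.exe) is made up for the test.
INFECTED_SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Yahoo Messengger    REG_SZ    C:\WINDOWS\system32\regsvr.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableTaskMgr    REG_DWORD    0x1
    DisableRegistryTools    REG_DWORD    0x1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NofolderOptions    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    User    REG_SZ    C:\WINDOWS\system32\rundll.exe
    User Themes    REG_SZ    C:\WINDOWS\system32\winhelp.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe C:\WINDOWS\system32\regsvr.exe
    System    REG_SZ    C:\WINDOWS\system32\winhelp.exe
"""
CLEAN_SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe
    System    REG_SZ
"""

if __name__ == "__main__":
    for label, sample in (("infected", INFECTED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label + ":", worm_findings(parse_reg_query(sample)) or "no worm entries")
```

Collect the real input with `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /s > regdump.txt` (and `>>` for the other keys), then feed the file's contents to parse_reg_query. Any finding for the Policies keys means Task Manager, regedit or Folder Options are still locked; a Shell value other than Explorer.exe means the worm is still launched at every logon.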
