Since the last week of May 2006, a lot of malware with rootkit characteristics has been reported. It is therefore very likely that this malware has been circulating since April 2006. Its main characteristic is the ability to become invisible inside the user's PC, which makes it very difficult to intercept and remove.
These rootkits have already been seen on computers infected by other malware such as BHO.LinkOptimizer, Trojan.Win32.Agent.AAZ and other variants.
In the last few weeks we have seen a peculiar evolution of this malware: it no longer uses ADS (Alternate Data Streams); instead it now uses forbidden file names (such as com, lpt, aux, nul), and it comes with new Trojans.
The infection comes from the website "Gromozon", which downloads an image named pic.tiff containing the WMF exploit that infects the PC with the Trojans quoted above.
We strongly recommend installing this Microsoft patch: http://www.microsoft.com/technet/security/bulletin/MS06-001.mspx
The main infection symptoms are a general PC slowdown and, in some cases, crashes of specific applications (e.g. AutoCAD).
In one case this message appeared after a reboot:
System is going to be shut down. Save all the work and close programs. All unsaved edits will be lost. Shutdown has been started from NT AUTHORITY \SYSTEM
System's process "C:\Windows\SYSTEM32\SERVICES.EXE" ended inappropriately with error code -1073741819. System will be close and shut down.
If the PC has been infected by the Trojan that creates the file c:\windows\temp\[random]1.exe (a random name ending in 1.exe) and/or by BHO.LinkOptimizer.D, then it is very likely also infected by a rootkit.
The malware is made up of several Trojans:
1) c:\windows\temp\[random]1.exe
2) \\?\c:\windows\[forbidden file name such as: com, lpt] or c:\:[adsstream] (Rootkit)
3) A service with a random file name (created by a new user account) that executes an encrypted file from c:\programmi or c:\Program Files\Common Files\System or c:\Program Files\Common Files\Microsoft Shared or c:\Program Files\Common Files\service
Most infected users have managed to remove the common malware and Trojans listed above but are still unaware of the rootkit inside their PC.
Here you can see a short list of Trojans/BHOs which infect the PC with a rootkit:
Other malware that VirIT recognizes inside infected PCs includes: Trojan.Win32.Agent.AAZ, Trojan.Win32.Agent.ABK (which creates a randomly named service), Trojan.Win32.Agent.ABV
Some malware will be removed by VirIT only after the removal of the rootkit that hides it; among these are: BHO.IEPlugin.E, BHO.Agent.AS, BHO.LinkOptimizer.E.
Other than gromozon.com, the malware uses the following sites:
Sites:
gromozon.com
xearl.com
td8eau9td.com
lah3bum9.com
mioctad.com
js.gbeb.cc
js.pceb.cc
IDKQZSHCJXR.COM
UV97VQM3.COM
MUFXGGFI.COM
AAGXGBDLZTW.COM
CFVFRFJWARC.COM
ou2dkuz71t.com
YQRUGKKJQGH.COM
RRSMCOOOZ.COM
rac5kymzk6u.com
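The site list above is most useful to an administrator as a set of indicators to look for in proxy or DNS logs. The following matcher is an added example (not TG Soft's code): it checks host names from a constructed Squid-style proxy log against the domains listed on this page, treating a sub-domain of a listed domain as a hit as well. The log lines, client and server addresses are made up; the domain list is the one above.

```python
"""Match host names from a constructed proxy log against the Gromozon-related
domains listed in this advisory. Added example; not TG Soft code."""
import re

# The site list from the advisory.
GROMOZON_DOMAINS = [
    "gromozon.com", "xearl.com", "td8eau9td.com", "lah3bum9.com",
    "mioctad.com", "js.gbeb.cc", "js.pceb.cc", "IDKQZSHCJXR.COM",
    "UV97VQM3.COM", "MUFXGGFI.COM", "AAGXGBDLZTW.COM", "CFVFRFJWARC.COM",
    "ou2dkuz71t.com", "YQRUGKKJQGH.COM", "RRSMCOOOZ.COM", "rac5kymzk6u.com",
]


def normalize(host: str) -> str:
    """Lower-case and strip a trailing dot so DNS-style names compare equal."""
    return host.strip().rstrip(".").lower()


_NORMALIZED = [normalize(d) for d in GROMOZON_DOMAINS]


def matching_domain(host: str):
    """Return the listed domain that `host` equals or is a sub-domain of, else None."""
    h = normalize(host)
    for d in _NORMALIZED:
        if h == d or h.endswith("." + d):
            return d
    return None


# Constructed Squid-style access.log lines (timestamps, clients and server
# addresses are made up; 192.0.2.0/24 is a documentation range).
SAMPLE_PROXY_LOG = """\
1149000000.123    234 10.0.0.12 TCP_MISS/200 4512 GET http://www.example.org/index.html - DIRECT/192.0.2.10 text/html
1149000001.456    120 10.0.0.12 TCP_MISS/200 8831 GET http://gromozon.com/pic.tiff - DIRECT/192.0.2.20 image/tiff
1149000002.789     98 10.0.0.33 TCP_MISS/200 1200 GET http://JS.GBEB.CC/ad.js - DIRECT/192.0.2.21 application/x-javascript
1149000003.001     77 10.0.0.33 TCP_MISS/200  640 GET http://cdn.xearl.com/x.gif - DIRECT/192.0.2.22 image/gif
1149000004.555     60 10.0.0.40 TCP_HIT/200  900 GET http://notxearl.com/ - NONE/- text/html
"""

# Host part of the first URL on a log line.
_URL_HOST = re.compile(r"\bhttps?://([^/:\s]+)", re.IGNORECASE)


def scan_proxy_log(text: str):
    """Return (line number, host as logged, matched domain) for every hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = _URL_HOST.search(line)
        if not m:
            continue
        d = matching_domain(m.group(1))
        if d is not None:
            hits.append((lineno, m.group(1), d))
    return hits


if __name__ == "__main__":
    for lineno, host, domain in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {lineno}: {host} -> listed domain {domain}")
```

Matching is done on the normalized host with a leading-dot check, so "notxearl.com" on the last sample line is not reported while "cdn.xearl.com" is.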
Since VirIT 6.1.13 it has been possible to automatically remove the rootkit variants coming from Gromozon on Windows 2000/XP/2003. VirIT has to be run with Administrator rights from normal boot mode. After restarting the computer, scan it with VirIT to proceed with the removal of the Trojan and all malware related to it.
Windows 9x/ME and NT users can manually remove the rootkit with the procedure described below.
Verifying if the PC is infected
To verify whether the computer has been infected by the rootkit you have to install the VirIT eXplorer anti-virus & anti-spyware by TG Soft.
Users who have bought VirIT should refer to the Professional version of the software.
For all other users a trial version (30-day trial) called VirIT eXplorer Lite is available, and can be downloaded from: https://www.tgsoft.it
On Windows 2000/XP/2003 VirIT automatically identifies known Trojan.Win32.RootKit variants during the memory scan.
If the virus is not identified (because it is a new version) you can detect it by using VirIT's Intrusion Detection system.
VirIT is able to recognize the malware's presence thanks to the Intrusion Detection system integrated in VirIT Security Monitor, available in the Professional version of the software. In the Lite version the rootkit is detected by VirIT Lite Monitor. Both programs show the list of programs that run at startup.
[Professional]
By clicking on the VirIT Security Monitor shield icon (the yellow and blue shield icon near the Windows clock), and then on TOOLS->Automatic Startup, a list of programs that run at startup will be shown.
[Lite]
By clicking on the VirIT Lite Monitor icon (the spy icon near the Windows clock), and then on TOOLS->Automatic Startup, a list of programs that run at startup will be shown.
The keys to check in the list are number 4 for Win 95/98/ME and number 17 for Win NT/2000/XP/2003 Server.
Operating System | Key | Value | Data
Win 95/98/ME | 4 | *random | "c:\program files\[random file name].exe"
Win NT/2000/XP/2003 | 17 | AppInit_DLLs | \\?\C:\WINDOWS\system32\lpt?.??? or com?.??? or C:\WINDOWS\system32:[ads_stream]
Next to each entry an icon is shown. The (information) icon means that the file exists on the PC, i.e. it has been found.
The (error) icon means that the file no longer exists on the PC, i.e. the registry entry exists but the file does not.
VirIT's Intrusion Detection system (spy icon) will report the rootkit's presence at every system startup.
We're going to analyze the two different cases based on the operating system:
[Windows NT/2000/XP/2003]
The record to watch for is the one relating to Key 17:
Value: AppInit_DLLs
Data: \\?\C:\WINDOWS\system32\lpt?.???
or: Data: \\?\C:\WINDOWS\system32\com?.???
where: ? = a digit
??? = three random letters
e.g.: com1.ufc
Other possible forbidden file names to suspect are: com, lpt, aux, nul, prn
Some examples of the Data field are:
If the Data field starts with \\?\ then this is a clear signal that the computer is infected by a rootkit.
There are other rootkit variants which use ADS (Alternate Data Streams); they are recognizable in Automatic Startup by this key:
Key: 17
Value: AppInit_DLLs
Data: C:\:Random_File_Name or C:\windows\system32:[ads_stream]
e.g.: C:\WINNT\system32:atriprxe.csy
Watch out for the ":" after "c:\winnt\system32": it indicates that there is an ADS stream and, in this case, an infection.
[Windows 95/98/ME]
The record to watch for is the one relating to Key 4:
Key 4 corresponds to HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
Value: *???
Data: "C:\PROGRAM FILES\COMMON FILES\SYSTEM\[random file name].exe" ??????
The Value field will always start with *, followed by 3 random letters, e.g.: *WYO
The Data field stores the file's path; it will be a randomly named file located in one of these folders (depending on the variant):
"C:\PROGRAM FILES\COMMON FILES\SYSTEM\TLTXW.EXE" QSUEZMVY
"C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\EMT.EXE" B
The folder could also be C:\PROGRAM FILES.
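The Key 17 and Key 4 indicators described above can be turned into a repeatable check. The following is an added example (not VirIT's code) that classifies registry data strings in the form VirIT's Automatic Startup list shows them: the "\\?\" prefix with a reserved device name, an ADS colon after the drive letter, and the "*XYZ" RunServicesOnce loader on Windows 9x. The sample entries are constructed, nothing reads a live registry, and the reserved-name list adds "con" to the names given on this page.

```python
"""Classify Automatic Startup entries (Key 17 = AppInit_DLLs on NT/2000/XP/2003,
Key 4 = RunServicesOnce on 95/98/ME) for the rootkit indicators described
in this advisory. Added example, not VirIT code; the sample entries are
constructed and no live registry is read."""
import re

# Win32 reserved device names. A file can carry one of these names only when
# created through the "\\?\" path prefix, which bypasses normal name parsing;
# ordinary tools then cannot open or delete it, hence the rootkit's use of it.
_DEVICE_FILE = re.compile(r"^(com|lpt|aux|nul|prn|con)\d?(\.[a-z0-9]+)?$", re.IGNORECASE)

# Key 4 value names from the advisory: '*' followed by three random letters.
_RUNSERVICES_VALUE = re.compile(r"^\*[A-Za-z]{3}$")
# Key 4 data: a quoted .exe path, optionally followed by one random argument.
_RUNSERVICES_DATA = re.compile(r'^"([^"]+\.exe)"(?:\s+\S+)?$', re.IGNORECASE)

# Folders the advisory names for the Win9x loader (C:\Programmi is the
# Italian-language name of Program Files).
_LOADER_DIRS = ("c:\\program files\\", "c:\\programmi\\")


def classify_appinit(data: str) -> str:
    """Verdict for one AppInit_DLLs data string.

    'clean'        empty, the normal state on a workstation
    'device-name'  \\?\ prefix plus a reserved device file name (rootkit)
    'ads'          an Alternate Data Stream (':' after the drive letter)
    'suspicious'   non-empty but matching neither known pattern; inspect it
    """
    value = data.strip()
    if not value:
        return "clean"
    if value.startswith("\\\\?\\"):
        leaf = value.rsplit("\\", 1)[-1]
        return "device-name" if _DEVICE_FILE.match(leaf) else "suspicious"
    # Drop a leading "C:" so the only remaining ':' can be a stream separator.
    body = value[2:] if re.match(r"^[A-Za-z]:", value) else value
    return "ads" if ":" in body else "suspicious"


def looks_like_win9x_loader(value_name: str, data: str) -> bool:
    """Key 4 indicator: '*XYZ' value whose data runs an .exe under Program Files."""
    if not _RUNSERVICES_VALUE.match(value_name):
        return False
    m = _RUNSERVICES_DATA.match(data.strip())
    return bool(m) and m.group(1).lower().startswith(_LOADER_DIRS)


# Constructed entries in the shape (key number, value name, data).
SAMPLE_ENTRIES = [
    ("17", "AppInit_DLLs", r"\\?\C:\WINDOWS\system32\com1.ufc"),
    ("17", "AppInit_DLLs", r"C:\WINNT\system32:atriprxe.csy"),
    ("17", "AppInit_DLLs", ""),
    ("4", "*WYO", r'"C:\PROGRAM FILES\COMMON FILES\SYSTEM\TLTXW.EXE" QSUEZMVY'),
    ("4", "LoadPowerProfile", "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"),
]


def scan(entries):
    """Return (key, value name, verdict) for every entry worth a look."""
    findings = []
    for key, value_name, data in entries:
        if key == "17" and value_name.lower() == "appinit_dlls":
            verdict = classify_appinit(data)
            if verdict != "clean":
                findings.append((key, value_name, verdict))
        elif key == "4" and looks_like_win9x_loader(value_name, data):
            findings.append((key, value_name, "win9x-loader"))
    return findings


if __name__ == "__main__":
    for key, name, verdict in scan(SAMPLE_ENTRIES):
        print(f"key {key} value {name}: {verdict}")
```

A non-empty AppInit_DLLs value that matches neither pattern is reported as "suspicious" rather than ignored: on a workstation the value is normally empty, so anything in it deserves a look even when it is not one of the variants on this page.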
How to manually remove Trojan.Win32.Rootkit (Gromozon - LinkOptimizer variants)
Again, we're going to analyze 2 cases based on the operating system.
[Windows NT/2000/XP/2003]
The procedure consists of several steps and is complex to execute manually.
To proceed, install VirIT eXplorer and update it to the latest version, with Administrator rights. This is very important, because in this phase a VirIT service is installed that is crucial for the removal of the virus.
After the update, reboot the computer; at startup VirIT Security Monitor (Professional) or VirIT Lite Monitor (Lite) will be active, and an icon near the Windows clock will appear.
Wait at least 2 minutes before proceeding with Phase 1. In this period of time, VirIT's Intrusion Detection system gives the user all the authorizations required to access the infected service of Phase 1.
PHASE 1:
In this phase we have to disable the service created by the malware. The service name is random; it changes from one infection to another.
From the Control Panel, click on ADMINISTRATIVE TOOLS and then on SERVICES.
The list of services should now appear. In the "Connection" column you will find the entries "Local System", "Net Service" and an unusual one:
".\random name".
The "random name" is the name of a user created by the malware.
Select the service whose connection is named ".\random name", right-click it and select PROPERTIES from the menu.
In the service properties, note the folder and file name of the file executed by the service, which you will find under "Path to executable" (you will need this path to delete the file later).
Set Startup Type: Disabled (very important!)
At this point reboot the PC and go on with Phase 2.
If Windows does not let you disable the service, you will have to reboot the PC in Safe Mode and disable the service from there; here is the procedure:
1) Run REGEDIT and select the following path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Infected_Service_Name
2) Edit the START value (the one of the infected service) from 2 to 4
3) Restart the computer.
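Phase 1 asks the operator to pick out a service by eye from the Services list. The following is an added example (not TG Soft's tool) that applies the same two indicators, a ".\name" account in the "Connection" column and an executable under one of the Common Files folders named earlier on this page, to a constructed list of service records shaped like what services.msc shows, and reports the path to keep for Phase 3 together with the current Start type (the value the Safe Mode step changes from 2 to 4). No live system is queried.

```python
"""Triage Windows service records for the Phase 1 indicators in this advisory:
a service running under a local account the malware created (".\name" in the
"Connection" column) and/or executing from one of the Common Files folders.
Added example, not TG Soft's tool. Input is a constructed list modelled on what
services.msc displays; no live system is queried."""
from dataclasses import dataclass

# Start values as stored under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Start;
# the Safe Mode step of Phase 1 changes 2 (automatic) to 4 (disabled).
START_TYPES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}

# Folders the advisory names for the encrypted payload run by the service
# (C:\Programmi is the Italian-language name of Program Files).
PAYLOAD_DIRS = (
    "c:\\program files\\common files\\system\\",
    "c:\\program files\\common files\\microsoft shared\\",
    "c:\\program files\\common files\\service\\",
    "c:\\programmi\\",
)


@dataclass
class ServiceRecord:
    name: str        # service name as shown in services.msc
    log_on_as: str   # the "Connection" column: Local System, Net Service, .\user ...
    image_path: str  # "Path to executable" from the service properties
    start: int       # Start value (see START_TYPES)


def runs_as_local_user(svc: ServiceRecord) -> bool:
    """Built-in accounts are never written as ".\name"; that form means a local
    user account, which on a workstation with no such service is the indicator."""
    return svc.log_on_as.strip().startswith(".\\")


def executes_from_payload_dir(svc: ServiceRecord) -> bool:
    """Compare the image path, unquoted and lower-cased, against the listed folders."""
    path = svc.image_path.strip().strip('"').lower()
    return path.startswith(PAYLOAD_DIRS)


def triage(services):
    """Return one entry per matching service: name, reasons, path to keep for
    Phase 3, and the current start type, so the operator knows what to disable."""
    report = []
    for svc in services:
        reasons = []
        if runs_as_local_user(svc):
            reasons.append("local-user-account")
        if executes_from_payload_dir(svc):
            reasons.append("payload-directory")
        if reasons:
            report.append({
                "service": svc.name,
                "reasons": reasons,
                "image_path": svc.image_path,
                "start": START_TYPES.get(svc.start, f"unknown({svc.start})"),
            })
    return report


# Constructed records: two ordinary services and one shaped like the advisory's.
SAMPLE_SERVICES = [
    ServiceRecord("Dhcp", "Local System", r"C:\WINDOWS\system32\svchost.exe -k netsvcs", 2),
    ServiceRecord("W32Time", "Local Service", r"C:\WINDOWS\system32\svchost.exe -k netsvcs", 2),
    ServiceRecord("qkxzvs", r".\qkxzvs", r'"C:\Program Files\Common Files\System\ytrpw.exe"', 2),
]


if __name__ == "__main__":
    for entry in triage(SAMPLE_SERVICES):
        print(entry)
```

Either indicator alone is enough to list a service, because a legitimately created local service account and a vendor installer under Common Files both exist on real machines; the report gives the reasons so the operator can decide, which is the same judgement Phase 1 asks for.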
PHASE 2:
Close all programs and update VirIT to the latest version.
If you're working on a notebook you have to remove the battery and plug in the charger only.
Phase 2 has to be done in normal mode; follow all the steps.
1) Run REGEDIT and select the path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
2) Minimize REGEDIT.
3) Run C:\VIRITEXP\GOVIRITEXPSVC.BAT (very, very important!) (for Lite users: c:\vexplite\GOVIRITEXPSVC.BAT)
4) From VirIT eXplorer go to TOOLS->Process Manager
5) In "Kill the thread by starting address" enter the value 2a93671a or 3ee85b73 (or 2bb34c8c) depending on the rootkit's variant, and then click on "Kill Thread" more than once.
Rootkit | Value
Trojan.Win32.Rootkit.D | 2a93671a
Trojan.Win32.Rootkit.E | 3ee85b73
Trojan.Win32.Rootkit.F | 2bb34c8c
Trojan.Win32.Rootkit.G | 2a2a3889
Trojan.Win32.Rootkit.H | 3e1e6857
Trojan.Win32.Rootkit.I | 3e524cd7
Trojan.Win32.Rootkit.J | 2a1969d5
Trojan.Win32.Rootkit.K | 2aa24da7
Trojan.Win32.Rootkit.L | 3ebb5852
Trojan.Win32.Rootkit.M | 3e56420a
Trojan.Win32.Rootkit.N | 3e4f7328
Trojan.Win32.Rootkit.O | 3e3439b4
Trojan.Win32.Rootkit.P | 2b8d6697
Trojan.Win32.Rootkit.Q | 3e975c61
Trojan.Win32.Rootkit.R | 3e3a48c6
Warning: we recommend repeating the operation for all the values above.
6) Quit VirIT eXplorer Pro
7) Now reopen Regedit (it was minimized), right-click on AppInit_DLLs, click on EDIT and then on Edit String, write the following value in the Data field: prova.dll, and then click OK.
8) Press F5 several times to verify whether the Data value remains Prova.dll or not; if not, repeat Phase 2.
9) Now, without closing any program, press the RESET button of the PC (the one on the case) to restart it abruptly (very important). If the computer doesn't have a reset button, then unplug it from the power source. For notebooks you have to perform Phase 2 without the battery, because this shutdown has to be abrupt or the rootkit will be executed again at the next startup.
At the next reboot, verify whether the AppInit_DLLs value is still "Prova.dll".
PHASE 3:
If AppInit_DLLs is different from "Prova.dll" you'll have to repeat PHASE 2.
Now start VirIT eXplorer Pro/Lite and proceed with a deep scan of the PC to remove the rootkit.
VirIT will very likely find some infected files and remove them.
In PHASE 1 we told you to note the path of the executable. To remove this file, you have to check whether it is encrypted or not.
Windows XP shows ENCRYPTED file names in GREEN! If the infected file is green, you'll have to change the permissions of the file.
Right-click on it and select PROPERTIES, then click on PROTECTION.
Now click on ADVANCED and then on OWNER, here select the ADMINISTRATORS account
and click on OK (or Apply) and then OK again until you exit PROPERTIES.
Now go back to PROPERTIES, PROTECTION and then ADVANCED, click on ADD under PERMISSIONS
and add the ADMINISTRATOR account, then select ALLOW "FULL CONTROL"
and click OK to exit.
Now click on PROPERTIES and remove the "READ ONLY" and HIDDEN flags.
Now you can delete the file.
N.B.: In Windows XP Home Edition the PROTECTION tab is visible only in Safe Mode.
In Windows XP Professional the PROTECTION tab is visible if the "Use simple file sharing" option is unchecked in FOLDER OPTIONS.
[Windows 95/98/ME]
During the "Verifying if the PC is infected" step we identified the invisible rootkit file that is loaded from Key 4.
The record to watch for is the one relating to Key 4; read the Data field, where you will find the name of the invisible rootkit file.
At this point you can delete the file by rebooting the PC in MS-DOS mode (Windows 95/98) or from a BOOT disk (Windows ME). From the DOS prompt you'll have to rename the file to the .VIR extension.
After restarting the computer in normal mode, start a deep scan with VirIT eXplorer Pro/Lite to remove the rootkit.
If VirIT doesn't detect the .VIR file, it is better to send the file to TG Soft, because it means it is a new variant.
VirIT will very likely find other infected files and remove them.
The rootkit infection and the Trojans linked to it come from the website Gromozon, from which an image named pic.tiff containing the WMF exploit and a file named www.google.com (a file with the .COM extension, not a website) are downloaded. These two files infect the PC.
We strongly recommend installing this patch: http://www.microsoft.com/technet/security/bulletin/MS06-001.mspx
gromozon.com is located in Ukraine and is linked to a lot of advertising websites.
% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Note: the default output of the RIPE Whois server
% is changed. Your tools may need to be adjusted. See
% http://www.ripe.net/db/news/abuse-proposal-20050331.html
% for more details.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag

% Information related to '195.225.176.0 - 195.225.179.255'

inetnum:      195.225.176.0 - 195.225.179.255
netname:      NETCATHOST
descr:        NetcatHosting
country:      UA
admin-c:      VS1142-RIPE
tech-c:       VS1142-RIPE
status:       ASSIGNED PI
mnt-by:       RIPE-NCC-HM-PI-MNT
mnt-lower:    RIPE-NCC-HM-PI-MNT
mnt-by:       NETCATHOST-MNT
mnt-routes:   NETCATHOST-MNT
source:       RIPE # Filtered
remarks:      ****************************************
remarks:      * Abuse contacts: abuse@netcathost.com *
remarks:      ****************************************

person:       Vsevolod Stetsinsky
address:      01110, Ukraine, Kiev, 20Á, Solomenskaya street. room 206.
phone:        +38 050 6226676
e-mail:       vs@netcathost.com
nic-hdl:      VS1142-RIPE
source:       RIPE # Filtered

% Information related to '195.225.176.0/22AS31159'

route:        195.225.176.0/22
descr:        NETCATHOST (full block)
origin:       AS31159
mnt-by:       NETCATHOST-MNT
remarks:      ****************************************
remarks:      * Abuse contacts: abuse@netcathost.com *
remarks:      ****************************************
source:       RIPE # Filtered