Mark Minasi's Reader Forum
 Virus hacks Forefront

crackerjack (Here To Stay, USA, 179 Posts)
Posted - 04/14/2010 : 12:05:35 PM
This thing renames MSASCui.exe by putting a space character before the .exe. It drops a file with the identical name into the same folder, \Antimalware. So now the virus file is launched instead of the real MSASCui.exe.

Been fighting this one for 2 days. It started as the "XP Internet Security" virus, which displays itself as about 50 different names depending on what OS it's on. It had some symptoms of different viruses also, so I was going nuts.

Bottom line, after every scanner I know of, including Malwarebytes, ComboFix, Spybot, and about 5 others including Forefront all performed completely clean scans I made a System State backup of the machine. Next morning the virus was back with a vengeance. Among many other things, it had created about 50 Scheduled Tasks that ran during the night.

Restored the System State backup and disconnected it from the network. Again spent entire day running scans, deleting dormant files left from the virus(es), deleting "left over" registry entries most of which were virus created service entries shown by the GMER rootkit logger (which detected nothing also). Left the machine disconnected from the network overnight and Forefront's "quick scan" logged a heuristics find of "trojandownloader:win32/unruy.h" giving no other details but the process ID and saying it had been quarantined. Little information searching on that virus name.

Finally went to the Forefront log and on the quick scan entry it had a line that says "Binary name:" listing MSASCui.exe (no space in the name)! Went to the \Antimalware folder and at first thought there were 2 files with identical names until I noticed the real file had a space in the name.

Since the Forefront user interface is working, it appears the virus does launch it. In fact, the running process has the filename with the space in it.

Is this known malware with a fix, or do I have something completely new? Anyone heard of this before?

timberk (Major Contributor, USA, 786 Posts)
Posted - 04/14/2010 : 12:28:23 PM
I ran across something similar last week on a laptop. It had MS Security Essentials installed on it. MSE hadn't updated or scanned in quite some time. I scanned with Super Anti Spyware, Spybot Search and Destroy and the AVG anti virus boot disk. Each of these caught some malware but nothing seemed to get it all. I tried re-installing MSE and ForeFront client security and each time the installer failed, because it couldn't start the MSASCui.exe service. Both MSE and FCS run this service. I finally got AVG 9.0 installed and running. It claims the machine is clean, though I don't believe it. Never was sure if there was an installer problem with MSE/FCS or some malware specifically blocking that executable (MSASCui.exe) from running. I never noticed the .exe with a space in the name. I'll check for that. This machine also had the "XP Internet Security" virus when I got to it.

~tb

JSCLMEDAVE (Administrator, USA, 6378 Posts)
Posted - 04/14/2010 : 2:31:54 PM
Tim, did you keep at it or reload the image? Curious if you ever fixed it.

A White List would have prevented this...

Tim-

"This too shall pass"

crackerjack (Here To Stay, USA, 179 Posts)
Posted - 04/14/2010 : 3:05:52 PM
Couldn't figure out how to search for file names with a space in them before the extension, through the Search panel or command line. I probably just don't remember all the ways to use wildcard characters.

Used my own program that I created several years ago. Among other things it creates a list of all files in the drive root and entire directory tree of %SystemRoot% and %ProgramFiles%. Includes file sizes and dates. I can also run it against an earlier list and it shows anything new or changed.

Found 5 files with the name changed by adding a space before the extension, and a virus dropped with the original file name. All 5 are registry loaded executables. Here are the files (cut and pasted from output of my program):

c:\program files\adobe\reader 8.0\reader\reader_sl .exe    1/11/2008 11:16:38 PM
c:\program files\adobe\reader 8.0\reader\reader_sl.exe    4/12/2010 4:25:19 PM

c:\program files\common files\microsoft shared\dw\dwtrig20 .exe    3/22/2007 8:29:28 PM
c:\program files\common files\microsoft shared\dw\dwtrig20.exe    4/12/2010 4:25:19 PM

c:\program files\cyberlink\powerdvd\pdvdserv .exe    12/8/2003 5:35:14 PM
c:\program files\cyberlink\powerdvd\pdvdserv.exe    4/12/2010 4:25:19 PM

c:\program files\microsoft forefront\client security\client\antimalware\msascui .exe    9/3/2009 5:48:26 PM
c:\program files\microsoft forefront\client security\client\antimalware\msascui.exe    4/12/2010 4:25:19 PM

c:\program files\sweetim\messenger\sweetim .exe    2/24/2010 3:53:10 PM
c:\program files\sweetim\messenger\sweetim.exe    4/12/2010 4:25:19 PM

For Forefront, I'll uninstall and make sure everything from it is off the machine then reinstall. I'll see if I can boot a WinPE CD and delete/rename the others. Then several more scans to decide if I keep it or blow it away and reformat.

Again, if this looks familiar to anyone I would appreciate some words of wisdom.
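An added example (not the poster's program, whose source is not in the thread) that does the check the two-column list above makes by hand: walk a tree, pair every "name .ext" with a "name.ext" in the same folder (the same files `dir "* .*"` lists), and diff a fresh listing against a saved one to show what was added, removed or replaced. The folder layout in `demo()` copies the poster's paths; the file contents, the temp directory and the sha256 column are assumptions for the example (the poster's tool records sizes and dates only).

```python
"""Find 'name .exe' / 'name.exe' pairs and diff a file listing against a baseline.

Added example, not the poster's program. Walks a directory tree the way the
poster's tool walks %SystemRoot% and %ProgramFiles%, reports every folder where
a file with one or more spaces before its extension sits beside a file with the
clean name, and compares two listings (size, mtime and a sha256 the poster's
tool did not record) to show what was added, removed or replaced.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Matches 'msascui .exe' or 'msascui   .exe': a stem, one or more spaces, then
# an extension with no further dots or spaces. Same files that `dir "* .*"` lists.
DISPLACED_RE = re.compile(r"^(?P<stem>.+?) +(?P<ext>\.[^. ]+)$")


def find_displaced_pairs(root):
    """Return sorted [(displaced_original, impostor)] for every folder under root.

    The displaced file carries the spaces ('MSASCui .exe'); the impostor has the
    clean name, so every Run key, service entry or shortcut that still names the
    original now starts the dropped file instead.
    """
    pairs = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}      # NTFS names are case-insensitive
        for name in files:
            m = DISPLACED_RE.match(name)
            if not m:
                continue
            clean = (m.group("stem") + m.group("ext")).lower()
            if clean in by_lower:
                pairs.append((os.path.join(dirpath, name),
                              os.path.join(dirpath, by_lower[clean])))
    return sorted(pairs)


def snapshot(root):
    """Map every file under root to its size, mtime and sha256 (a baseline listing)."""
    listing = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = p.stat()
            listing[str(p)] = {
                "size": st.st_size,
                "mtime": int(st.st_mtime),
                "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
            }
    return listing


def diff_snapshots(old, new):
    """Paths added, removed, or whose content changed between two listings."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new)
                          if old[p]["sha256"] != new[p]["sha256"]),
    }


def demo():
    """Build a constructed tree in a temp folder, 'infect' it, and run both checks.

    The folder names mirror the poster's list; file contents are placeholders.
    """
    base = tempfile.mkdtemp(prefix="displaced_demo_")
    amw = Path(base, "Program Files", "Microsoft Forefront", "Client Security",
               "Client", "Antimalware")
    adobe = Path(base, "Program Files", "Adobe", "Reader 8.0", "Reader")
    for d in (amw, adobe):
        d.mkdir(parents=True)
    (amw / "MSASCui.exe").write_bytes(b"MZ real scanner ui")
    (adobe / "reader_sl.exe").write_bytes(b"MZ real speed launcher")
    (adobe / "AcroRd32.exe").write_bytes(b"MZ untouched")
    before = snapshot(base)

    # Simulate the infection: push the real file aside, drop an impostor under its name.
    for real in (amw / "MSASCui.exe", adobe / "reader_sl.exe"):
        real.rename(real.with_name(real.stem + " " + real.suffix))
        real.write_bytes(b"MZ impostor")

    after = snapshot(base)
    return {"pairs": find_displaced_pairs(base), "diff": diff_snapshots(before, after)}


if __name__ == "__main__":
    result = demo()
    for displaced, impostor in result["pairs"]:
        print("displaced:", displaced)
        print("impostor: ", impostor)
    for kind, paths in result["diff"].items():
        print(kind, paths)
```

Take the baseline from a known-clean state and run the comparison from a boot CD or WinPE so the impostor is not running while you read it; on a live machine the "changed" list also gives you every clean-named file rewritten on the infection date, which is how the 4/12/2010 timestamps in the list above stand out.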

crackerjack (Here To Stay, USA, 179 Posts)
Posted - 04/14/2010 : 5:26:22 PM
Deleted all 5 fake files and corrected the names of the real files. Malwarebytes ran a clean full scan. Forefront is 20 minutes into a full scan right now. These 5 files might have been all that was left of the original infection, and couldn't download because I had the network cable disconnected. Maybe it's actually fixed. I'll know more tomorrow morning.

timberk (Major Contributor, USA, 786 Posts)
Posted - 04/14/2010 : 6:12:12 PM
quote: Originally posted by JSCLMEDAVE
    Tim, did you keep at it or reload the image? Curious if you ever fixed it.
    A White List would have prevented this...

Agreed, on the White list. However, this is a very special laptop. This is a 4 years plus old Toshiba Tecra laptop. It has the original Toshiba XP image on the disk. And it belongs to my wife. So a lot of the ordinary techniques for System Management don't apply. After carefully weighing the options and reviewing the latest published guidance from MS, SANS and others, my solution was to order her a new laptop. It should be here in a day or two. When I get her moved onto Windows 7 on the new laptop, I'll revisit the old Toshiba like the four horsemen of the Apocalypse.............

~tb

don2007 (Honorable But Hopeless Addict, 2142 Posts)
Posted - 04/14/2010 : 6:59:41 PM
Use quotes to search for a file with a white space.

When all the anti malware programs say the machine is clean but a problem still exists, try hijack this.

Many trojans & viruses hide in HKLM\software\microsoft\windows\run & the same path in HKCU.

If at first you don't succeed, skydiving is not for you.

crackerjack (Here To Stay, USA, 179 Posts)
Posted - 04/15/2010 : 11:50:03 AM
don, yes quotes do the trick. The simple dir command is >dir "* .*" to list files with "white space" before the extension, even multiple space characters.

Forefront started detecting these "fake" files after I removed the fake copy of MSASCui.exe. I had copied the virus files to a folder to take home and rip apart but Forefront detected them "on access" when I opened the folder and it deleted them. It detected them as Trojan:Win32/Meredrop. The Forefront full scan found one more Trojan:Win32/Meredrop, a .com file in the \Fonts folder, and deleted it.

Everything looked good this morning. I started one more full scan before giving the machine back to the user. While the scan was running I noticed in Task Manager an instance of iexplorer.exe running without Internet Explorer visible! That was one of the many symptoms I had early on, and then if I killed the process it would be back in about 5 minutes. I killed this one and it didn't return. Before the Forefront scan ended I noticed dllhost.exe running. Appears that was from COM+ System Application Service starting. Don't know why that started during a Forefront scan, maybe it's normal. User's back on the machine and I am holding my breath.

Well aware of HKLM and HKCU Run key. I think this was a bundle of different viruses, but one auto start entry was actually in HKEY_USERS\.DEFAULT Run key. This is actually the profile of the Local System. Didn't know it had a Run key before going through this.
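An added example, not code from the thread, that turns the two Run-key observations (the HKLM and HKCU Run keys don2007 lists, and the HKEY_USERS\.DEFAULT Run key found above) into a repeatable check. It parses the text `reg query <key> /s` prints for the three hives (a constructed sample stands in for real output; the value names, paths and the "-hide" argument are assumptions), pulls the image path out of each value, and flags values whose image has a displaced "name .exe" twin on disk, values under HKU\.DEFAULT, and images that are not .exe files. The displaced-file set is copied from the poster's listing; on a real machine feed in whatever your file-system sweep found.

```python
"""Audit Run-key autostart entries in `reg query` output.

Added example, not from the thread. Reads the text `reg query <key> /s` prints
(a constructed sample is embedded), pulls the image path out of each value and
flags entries whose real binary has been displaced by the space-before-the
extension trick, entries that live under HKEY_USERS\\.DEFAULT (the profile the
LocalSystem account uses, which the thread found hosting a Run value), and
images that are not .exe files.
"""
import ntpath
import re

# Constructed sample in the layout `reg query HKLM\...\CurrentVersion\Run` and the
# matching HKCU and HKU\.DEFAULT queries print. Value names, paths and the
# '-hide' argument are illustrative, not copied from a real machine.
REG_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Adobe Reader Speed Launcher    REG_SZ    "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    MSASCui    REG_SZ    "C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" -hide

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    SweetIM    REG_SZ    C:\Program Files\SweetIM\Messenger\SweetIM.exe
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
    updater    REG_SZ    C:\WINDOWS\Fonts\placeholder.com
"""

# Displaced originals found on disk (lower-cased full paths), taken here from the
# poster's list; in practice feed in the output of a file-system sweep.
DISPLACED_ON_DISK = {
    r"c:\program files\adobe\reader 8.0\reader\reader_sl .exe",
    r"c:\program files\microsoft forefront\client security\client\antimalware\msascui .exe",
    r"c:\program files\sweetim\messenger\sweetim .exe",
}

# A value line: indent, name, 2+ spaces, REG_xxx type, 2+ spaces, data.
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")
# Shortest prefix of an unquoted command line that ends in an executable extension.
IMAGE_RE = re.compile(r"^(?P<path>.*?\.(?:exe|com|scr|pif|bat|cmd))(?:\s|$)", re.IGNORECASE)


def image_path(data):
    """Return the executable a Run value launches, or None if it cannot be told.

    Quoted data: the text inside the first pair of quotes. Unquoted data with
    spaces is ambiguous, so this uses the shortest prefix that ends in an
    executable extension as a heuristic.
    """
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 1 else None
    m = IMAGE_RE.match(data)
    return m.group("path") if m else None


def parse_run_keys(reg_text):
    """Parse `reg query` output into [{'key', 'hive', 'name', 'type', 'data', 'image'}]."""
    entries, key = [], None
    for line in reg_text.splitlines():
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):
            key = line.strip()           # key header, e.g. HKEY_USERS\.DEFAULT\...\Run
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        entries.append({
            "key": key,
            "hive": key.split("\\", 1)[0],
            "name": m.group("name"),
            "type": m.group("type"),
            "data": m.group("data"),
            "image": image_path(m.group("data")),
        })
    return entries


def displaced_twin(image):
    """'...\\MSASCui.exe' -> '...\\msascui .exe', the name the real file was pushed to."""
    stem, ext = ntpath.splitext(image)
    return (stem + " " + ext).lower()


def audit_run_entries(reg_text, displaced_on_disk=DISPLACED_ON_DISK):
    """Return [(value name, image, [reasons])] for entries that deserve a look."""
    findings = []
    for e in parse_run_keys(reg_text):
        reasons, img = [], e["image"]
        if img is None:
            reasons.append("image path could not be determined")
        else:
            if displaced_twin(img) in displaced_on_disk:
                reasons.append("real binary displaced; this path now launches the dropped file")
            if not img.lower().endswith(".exe"):
                reasons.append("autostart image is not a .exe")
        if e["key"].lower().startswith("hkey_users\\.default\\"):
            reasons.append("autostart under HKU\\.DEFAULT (LocalSystem profile)")
        if reasons:
            findings.append((e["name"], img, reasons))
    return findings


if __name__ == "__main__":
    for name, img, reasons in audit_run_entries(REG_SAMPLE):
        print(name, "->", img)
        for r in reasons:
            print("   ", r)
```

Note that a hijacked value looks perfectly normal on its own, the path and name are unchanged, which is why the cross-check against the file-system sweep is the part that catches it; the `.DEFAULT` and non-.exe rules are only hints that something deserves a look.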

don2007 (Honorable But Hopeless Addict, 2142 Posts)
Posted - 04/15/2010 : 4:30:03 PM
I didn't know HKEY_USERS\.DEFAULT had a Run folder either. I'll add that to my list of hiding places.

dllhost shouldn't be a cause for concern.

Post an update if the machine has any more problems.

If at first you don't succeed, skydiving is not for you.

NSFEddie (Old Timer, USA, 558 Posts)
Posted - 04/16/2010 : 3:34:30 PM
"And it belongs to my wife. So a lot of the ordinary techiques for System Management don't apply."

Truer words have yet to be uttered.

NSFEddie
CO front range

Mark Minasi's Reader Forum © 2002-2011 Mark Minasi