coder . cl

i catch you n00b h4x0r…

published: 26-07-2008 / updated: 26-07-2008
posted in: rants, tips
by Daniel Molina Wegener

Recently I’ve discovered spyware infecting computers through the weak autoplay implementation.

I was looking at the connections on one of the notebooks that I use frequently (many of them I don’t own) and I saw a strange connection to some IRC ports. Since I don’t connect to IRC servers while I’m under Wintendo, it was completely strange. Using the third-party Sysinternals tools from Micro$oft, I pinpointed the processes that were making these strange connections. I examined the processes with procinfo, killed them with the same tool, moved the files outside of the system, compressed them and carried them over to my FreeBSD workstation.

C:\WINTENDO> procinfo -p "\system32\explorer.exe" -dk
[16] C:\WINTENDO\system32\explorer.exe
	Base Addr   : 0x7E340000
	Entry Point : 0x00000000
	Image Size  : 53248.00 bytes
[16] Killing process... done!
All actions over 10 done!
C:\WINTENDO> procinfo -p "\system32\ctfmonv.exe" -dk
[12] C:\WINTENDO\system32\ctfmonv.exe
	Base Addr   : 0x75546000
	Entry Point : 0x00345634
	Image Size  : 53248.00 bytes
[12] Killing process... done!
All actions over 9 done!

On FreeBSD, I installed a disassembler, and looking at the assembler code and the linked libraries, I saw that the spyware/trojan was linked against the Visual Basic runtime libraries, an ugly implementation for a virus. I also saw some messages sent to the IRC channel it connects to, with a typical signature such as:

Welcom to Sun@w0rm.a You are the rOot ;) sL#>
www.xxxxxx.cl | www.xxxxxx.cl/foro

I’ve tested at least three antivirus solutions. None of them detected anything, and the installed antivirus solution had not detected it either. Only the McAfee virus research center detected it, as w32/autorun.worm.bo. This means that only the latest antivirus engines of some vendors can detect it. Imagine how weak Wintendo is and how big the antivirus business is. Then I tried creating security policies under Wintendo, but it didn’t work. Only by deactivating the autoplay feature was I able to stop the spyware. Wintendo does not come with a tool to do that; you must download the TweakUI PowerToy.

Now, based on the disassembled code, I know the server, channel and nick that this guy is using. Also, the backdoor creates a file called "c:\file.txt" that is read by cmd.exe. The commands are given from the IRC chat as messages, and the command output is sent back to the attacker as messages. If you have Wintendo XP, the Wintendo Firewall may ask you to allow or deny Internet access for both the "Windows Library" and "Messenger" programs. Since both programs have plausible-sounding names, you will allow them. Check your registry under the Run, RunOnce, RunServices, RunServicesOnce and Startup keys for the string values "Messenger" (pointing to "C:\WINTENDO\system32\ctfmonv.exe") and "WinXP", "Windows XP" or "winxp" (pointing to "C:\WINTENDO\system32\explorer.exe"), use the procinfo tool to kill the processes running from these executable files, then remove the registry entries.
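As an added example (not part of the original post), a small Python script that applies the registry check above to the text that `reg query` prints for those keys on Windows XP; the sample output embedded below is constructed, and the value-name and binary indicators are the ones quoted in this post.

```python
"""Flag the worm's autostart entries in `reg query` output.

Added example, not from the original post. It parses the text that
`reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run` (and the
RunOnce/RunServices/RunServicesOnce keys) prints, so it can be run offline
on saved output; the sample below is constructed.
"""
import re

# Indicators quoted in the post: value names used by the worm and the
# binaries they point at (the real explorer.exe does not live in system32).
BAD_VALUE_NAMES = {"messenger", "winxp", "windows xp"}
BAD_BINARIES = {r"system32\ctfmonv.exe", r"system32\explorer.exe"}

# A value line in `reg query` output: "    <name>    REG_xx    <data>"
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")

# Constructed sample: one clean entry, two worm entries, one clean HKCU entry.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Messenger    REG_SZ    C:\WINDOWS\system32\ctfmonv.exe
    WinXP    REG_SZ    C:\WINDOWS\system32\explorer.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    MSMSGS    REG_SZ    "C:\Program Files\Messenger\msmsgs.exe" /background
"""

def scan_reg_query(output: str) -> list:
    """Return one dict per suspicious value: key, name, data and the reason."""
    hits, current_key = [], None
    for line in output.splitlines():
        if line.startswith("HK"):            # key header line (HKEY_... / HKLM\...)
            current_key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group("name").strip(), m.group("data").strip()
        reasons = []
        if name.lower() in BAD_VALUE_NAMES:
            reasons.append("value name used by the worm")
        if any(b in data.lower() for b in BAD_BINARIES):
            reasons.append("points at the worm binary in system32")
        if reasons:
            hits.append({"key": current_key, "name": name,
                         "data": data, "reason": "; ".join(reasons)})
    return hits

if __name__ == "__main__":
    for hit in scan_reg_query(SAMPLE_REG_QUERY):
        print(f"{hit['key']} -> {hit['name']} = {hit['data']}  [{hit['reason']}]")
```

On a live machine, pipe the real `reg query` output of each key into `scan_reg_query` and, as the post says, kill the referenced processes before deleting the values.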

Not just because I wrote it, but procinfo is a nice tool: you can kill a process that holds a lock on an infected DLL, and then remove that DLL, just by running:

C:\WINTENDO> procinfo -m "\s345dfg.dll" -dk
[16] C:\WINTENDO\explorer.exe
	Base Addr   : 0x7E340000
	Entry Point : 0x00000000
	Image Size  : 53248.00 bytes
[16] Killing process... done!
All actions over 10 done!

Well, Wintendo being as weak as it is, I hate to use it… And I ask myself, "how many unknown viruses are infecting computers running Wintendo right now?". Too weak for my taste…

2 comments to “i catch you n00b h4x0r…”

  1. That corresponds to a primitive and functional botnet; morphologically, it almost resembles a botnet.

    So, the AV Patterns must create a new category for this called “cuneta.botnet” or something like that.

  2. “Autoruns” from Sysinternals (not Sysinternalls) is probably the best way to clean those nasty spywares.

    Anyways, the best antiviral solution is a well trained user.
