Gromozon Rootkit

* R3 - Default URLSearchHook is missing * O2 - BHO: Class - {CLSID casuale} - C:\WINDOWS\[random 5 lettere]1.dll (file missing) * O2 - BHO: Class - {CLSID casuale} - C:\WINDOWS\[random 2 lettere]aa.dll (file missing) * O4 - HKLM..Run: [[random 4 lettere]1.exe] C:\WINDOWS\Temp\[random 4 lettere]1.exe * O4 - Startup: w32.exe * O16 - DPF: {CLSID casuale} - http://td8eau9td.com/a33ed837/50310/1/xp/FreeAccess.ocx * O23 - Service: [Random] - Unknown owner - \?C:\Programmi\File comuni\System\[random].exe (file missing) * Java exploit Byte.Verify, easily detected by almost every antivirus software (on Internet Explorer 5): * An ActiveX called FreeAccess.ocx that needs user permission to be installed; * www.google.com on which we'll dedicate a full paragraph; * img.tif, a WMF exploit that downloads some malware from the server (in case you still need some more malware The dropper connects to a remote server, 195.225.177.22 Windows Service Immediately after the dropper is launched, a new - fake - user account is created in Windows with a random name and a random password. After the new user account is created, a directory under C:\Dokumente und Einstellungen with the same name as the new account is created. After this, a new file is created under C:\Programme\Common Files\system\ C:\Programme\Common Files\Microsoft Shared\ This file has a random name and random size. It is encrypted using the Windows Encrypting File System (EFS) feature so that only the fake account has rights to it, preventing any other user from moving, reading, or deleting it. The file can be recognized because it is marked with a green colour. C\Programme\Gemeinsame Dateien\System\aXH.exe C\Programme\Gemeinsame Dateien\System\cMF.exe »»» Den folgenden Text in den Editor (Start - Zubehör - Editor) kopieren und als listen.bat mit 'Speichern unter' auf dem Desktop. Gebe bei Dateityp 'Alle Dateien' an. Du solltest jetzt auf dem Desktop diese Datei finden. --> die listen.bat doppelt klicken--> kopiere den Text, der erscheint ------------------------------- cd\ dir "C:\Programme\Gemeinsame Dateien" >>files.txt dir "C:\WINDOWS\Downloaded Program Files" >>files.txt dir "C:\Programme\Common Files\system" >>files.txt dir "C:\Programme\Common Files\Microsoft Shared" >>files.txt dir "C:\Programme" >>files.txt notepad files.txt ----------------------------- a rootkit, and a fake Windows service. ServiceFilter.zip http://virus-protect.org/artikel/tools/ServiceFilter.zip Rootkit http://virus-protect.org/artikel/tools/ADSSpy.exe - Quick scan - Ignore system info data streams - Calculate MD5 checksums of streams' contents wenn der Scan beendet ist, klicke mit der rechten Maustaste auf das Fenster Save scan results to disk If you want to see the ADS features of the NTFS file system, you can click on Start - Run and write this command: notepad C:\autoexec.bat:mytest.txt After this, the rootkit removes the SeDebugPrivilege privilege to all Windows user accounts. This will prevent some anti-rootkit programs from running - for example, the F-Secure BlackLight To remove the infection caused by W32/Agent.VP - the Windows service - it is possible to use a cleaner developed by Paolo Monti which is downloadable from http://www.nod32.it/cgi-bin/mapdl.pl?tool=Agent.VP If you have a file called: com4.gip and try to do del C:\com4.gip you will receive an error because you can't access this file as it uses a reserved name, but if you try to do: del \\.\C:\com4.gip del \\.\C:\com7.fdn del \\.\C:\WINDOWS\System32\com7.fdn Executing rootkit removal engine.... Fehlermeldung: Start -> Ausführen -> cmd.exe In der Konsole wechsele nach C:\ Start -> Ausführen -> cmd.exe cd c:\ http://virus-protect.org/artikel/tools/cmd.html ------------------------------------ Disabling rootkit file: \\?\C:\WINDOWS\System32\com7.fdn \\?\C:\WINDOWS\System32\com7.fdn Resetting file permissions... Host C:\WINDOWS\System32\drivers\etc\ http://virus-protect.org/host.html 127.0.0.1 aagxgbdlztw.com 127.0.0.1 mioctad.com 127.0.0.1 cvoesdjd.com 127.0.0.1 mufxggfi.com 127.0.0.1 e-46.com 127.0.0.1 ou2dkuz71t.com more websites are blocked. Moreover, the rootkit tries to block removal tools developed to remove the infection. An incomplete list of blocked tool is below: Prevx Gromozon removal tool; Symantec Fix LinkOptimizer; GMER antirootkit; AVG Antirootkit; Sophos Antirootkit; F-Secure BlackLight; The Avenger; IceSword Antirootkit;

O2 - BHO: Class - {A9DB0BC1-9BA5-8840-A638-86FBA9755B3D} - C:\WINDOWS\naelq1.dll (file missing)