odsca.dll malware update – day 5

January 30th, 2008 by tungsai

Yesterday I finalized my “Forensic Analysis” of the unknown malware that my work PC had contracted. I sent the results to McAfee, and was given instructions on how to provide them with the actual files. I did this, and I got an immediate response from an automated system that indicated complete ignorance of any known maliciousness.

I now believe I know how it was able to launch itself even in safe mode, and keep itself alive no matter what. However I don’t know how it got there, unfortunately. I suppose I could just begin brazenly surfing teh innernets full throttle until I saw it again, but at this point I’ve got other things to work on.

The way that I finally discovered the malicious files was using Filemon from SysInternals, which I had done a few days ago without realizing that what I was witnessing was malicious.

In the Windows Registry, the following new key was inserted:

HKLM\Local machine\software\microsoft\windows NT\CurrentVersion\Winlogon\

Attempting to delete / rename / remove permissions from this key results in it getting instantly re-created back to its original state! This DLL is also listed in two other areas of the registry; the DLL register areas or something. (In an area that I don’t go into very often, under the CurrentControlSet region).

This apparently is causing winlogon.exe to execute the DLL located in C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\ICONS\ODSCA.DLL.

In the same directory, multiple similar but differently named files were getting created. The filenames were acsdoXX.dat, where XX is some combination of ascending or descending letters, such as acsdoaa.dat, acsdoab.dat, acsdoac.dat, etc. I did not try to delete these files, or if I did, I also got “Access Denied”.

Attempting to delete the file results in “Access Denied”.
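Added example, not code from the blog post: a PowerShell audit of the logon-time persistence points described above (the Winlogon values and Winlogon\Notify subkeys that winlogon.exe loads, plus the classic Run keys), flagging every image that lives outside %SystemRoot%, which is how a DLL under Program Files\Windows Media Player\Icons would stand out. The registry paths and value names are the standard Windows ones; the “outside %SystemRoot% is suspicious” heuristic and the function names are this example’s own assumptions.

```powershell
# Added example (not code from the blog post): enumerate the logon-time
# persistence points described above and flag images outside %SystemRoot%.
# Registry paths/value names are the standard Windows ones; the "outside
# %SystemRoot% is suspicious" heuristic is this example's own assumption.
# Run from an elevated PowerShell prompt.

$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$RunKeys  = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Test-SuspiciousImage {
    param([string]$Value)
    # Reduce a registry value to a file path: drop the trailing comma Userinit
    # carries, surrounding quotes and arguments, expand %VAR% references, and
    # resolve bare names such as "explorer.exe" against the Windows directory,
    # which is where winlogon.exe would find them. Unquoted paths containing
    # spaces get truncated at the first space; those deserve a manual look anyway.
    $p = $Value.Trim().TrimEnd(',')
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] } else { $p = ($p -split '\s+')[0] }
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return -not $p.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)
}

function New-Entry {
    param([string]$Location, [string]$Image)
    [pscustomobject]@{
        Location   = $Location
        Image      = $Image
        Suspicious = Test-SuspiciousImage $Image
    }
}

function Get-LogonPersistence {
    $results = New-Object 'System.Collections.Generic.List[object]'

    # Winlogon values naming programs/DLLs started at logon (Userinit is comma-separated)
    $wl = Get-ItemProperty -Path $Winlogon
    foreach ($name in 'Userinit', 'Shell', 'UIHost', 'GinaDLL') {
        $prop = $wl.PSObject.Properties[$name]
        if ($null -eq $prop) { continue }
        foreach ($entry in ($prop.Value -split ',' | Where-Object { $_.Trim() })) {
            $results.Add((New-Entry "Winlogon\$name" $entry.Trim()))
        }
    }

    # Winlogon\Notify (XP/2003): each subkey's DLLName is loaded into winlogon.exe
    # itself, so a DLL registered here also runs in Safe Mode and survives logoff.
    $notify = Join-Path $Winlogon 'Notify'
    if (Test-Path $notify) {
        foreach ($sub in Get-ChildItem -Path $notify) {
            $dll = (Get-ItemProperty -Path $sub.PSPath).DLLName
            if ($dll) { $results.Add((New-Entry "Winlogon\Notify\$($sub.PSChildName)" $dll)) }
        }
    }

    # Classic Run keys; Get-ItemProperty adds its own PS* properties, skip those
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }
            $results.Add((New-Entry ($key -replace '^(HK[A-Z]+):\\', '$1\') ([string]$prop.Value)))
        }
    }
    return $results
}

# Usage: suspicious entries first; anything under Program Files or a user profile
# is worth checking against the file on disk and its publisher signature.
Get-LogonPersistence | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Because the post notes that the key is re-created the instant it is removed, a one-off listing is only the first step: save the output, remove the entry, and run the function again a few seconds later; an entry that reappears points at a watchdog process (or a DLL already inside winlogon.exe) that has to be stopped before the key can be cleaned.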

After determining this, I finally decided that I need to get to some other projects and tasks at work so I’m reformatting C:\ and reinstalling windows. If McAfee or SANS get back to me, and anything more comes of this, I’ll let you know.

WAB

Saliar.com: Malware group, or something else?

January 29th, 2008 by tungsai

OK, so, here’s an update on the strange pop-ups.

When googling these problems, the immediate response was no hits. Then, suddenly, this blog appeared; as well as multiple hits from a company called “Saliar.com”. They claim to be a big important professional organization with some anti-malware software, complete with testimonials from such individuals as “Alferd”, and “Fritz”.

They claim to have been in business for years, yet the domain saliar.com was recently registered in September:

http://www.networksolutions.com/whois/results.jsp?domain=saliar.com

…But check this out: in the Google Groups forums, which are actually Usenet posts, some individual named “dodo” posts that they are having the same messages as I have experienced. Then, within 15 minutes, somebody else, FROM THE SAME IP, posts a response: “Yeah, you have malware, you need this program from saliar.com”.

Right. It seems as though the conspiracy theory might be correct after all. In fact, right in the posts, it is revealed by other posters that it’s obviously a “Spammer” (as they called him).

The thing is, this guy / group of individuals are probably in Russia, and not in the cubicle next to me so that I can strangle them. I don’t know how much trouble it’s worth to go after them. Probably not worth it.

It’s only a matter of time before it is revealed by those more skilled than I, how these pop-ups are generated. It’s a very embedded, well hidden method; I’ll give it that. But ultimately, it is made of 100% FAIL.

Reboot caused new, lamer message to appear

January 29th, 2008 by tungsai

The saga of my unknown malware continues. I tried that RunAnalyzer, and it was just so much information that I had no idea what was legitimate and what wasn’t. Sorry, but I don’t have hours to parse through all that information. I will say that it is very interesting though.

So, I rebooted, to see if a new, randomly generated message would appear. Sure enough, a NEW dialogue appeared! Even dumber than all the previous:

[Screenshot: dumbest]

Important – Errors found in the system

During the scan of files which are start automatically at computer startup, a critical errors in system registry were found.

0x01ff0010 irql: 1f SYSVER 0xbf04014

NT_Kernel error 1276 (EXCEPTION NOT HANDLED)

[ OK ]


So dumb, it’s not even worth commenting how many red lights go off. They just threw a bunch of random windows terminology together! I logged out, then back in, and, the same message popped up again. And again, after a 2nd logout. And again, after a 2nd reboot. I guess maybe they rotate at some random, unknown cycle.

I ran REGEDIT and looked in the Start > Run areas where malware likes to hide; and nothing of note whatsoever there. Some NVidia stuff and Pivot Pro, my 3rd party software (Well past its expired trial period), and my AV stuff but nothing weird.


The thing is, these messages show up as actual APPS running in the Windows Task manager, yet I can find NO registry, DLL, startup, whatever, of what is spawning them! I really think that possibly some key system DLL or exe has been compromised but I CANNOT tell which.

[Screenshot: taskmon3]

The SysInternals program ProcExp.exe verified every single EXE I could see. Besides, I don’t think it does a very good job of showing me every execution thread; because when I opened five explorer windows, it did not indicate any new sub-threads of explorer.exe: (Click to Enlarge)

[Screenshot: procexp]

So this program does not help me.

SIGH!

Possible Malicious Infection – Day 3

January 29th, 2008 by tungsai

So, I log on, boot up, and two pop-ups appear on my desktop. The first one is UltraMon.exe crashing. Probably / Maybe legitimate; Ultramon is the program I use to control my Awesome Triple Monitor setup. But the Other, Oh, the OTHER message…. Well, have a look:

[Screenshot: sysfader_error]

SysFader: IE7XPLORER.EXE – Application Fatal Error

The instruction at 0x0f634739 referenced memory at 0x03ac4e50. The memory could not be read. Click on OK to terminate

[  OK  ]


Now, although SysFader is a legitimate thing that I’ve heard of (It’s what windows uses to make your background fade to dark greyscale when logging out, etc.), The executable “IE7XPLORER.EXE” does *not* exist. And even if it were a legitimate IE7, I DID NOT LAUNCH it. Nor was it in my startup. So, why would sysfader / IE7 get an “Application Fatal Error”? Answer: IT WON’T.

Note: This message ALSO appeared as a little warning bubble in the SysTray, you know, those

For laughs, I googled “IE7XPLORER.EXE”…

[Screenshot: ie7xplorer]

DUH! Big surprise there. Still… it’s amazing that NO HITS occurred. (By the time you read this, Google will have already picked up my Blog.)

Also interesting of note is that no other antivirus companies other than the one mentioned yesterday (SaliarAR) have identified it. It reminds me of the ages old theory about how Antivirus companies would create the viruses, release them into the wild, and then, Voila! Here’s a cure… for $60! Not that I’m accusing this SaliarAR of doing such things… but it just reminds me of that old joke / conspiracy theory.

Since this occurred at boot-up, Noel suggested I try this program called RunAnalyzer, available from the folks who do Spybot Search & Destroy. I downloaded it, installed it, and it appears to be taking a while. I’ll take this opportunity to post this page, for the benefit of White Hatted Admins.

Correction: There IS a legitimate process called "System".

January 28th, 2008 by tungsai

Oh well! *Blush*

However, I have used the following tools to try and discover what is launching these pop-ups, and, near as I can tell, explorer.exe itself is launching them.

–Spybot Search & Destroy

–McAfee VirusScan

–AdAware 2007

–Filemon (SysInternals)

–Procmon (Sysinternals)

–ProcXP (VERY cool util, thanks Ryan) (Sysinternals)

The Plot Thickens… WINSYSLDR.EXE and "Critical Error Occured"

January 28th, 2008 by tungsai

I am convinced that some viral / spyware is knocking on my door. This morning, Monday, January 28th, 2008, I came in to my office and my machine had been logged in all weekend (Locked, of course). Well, well, well, what did we have here: TWO instances of “WINSYSLDR.EXE” on my desktop.

Sigh. Well, at least I’m able to gather additional information about this very possible threat. First, I noticed that the icon for it in the taskbar is the icon for Folders, as shown in this image:

[Screenshot: winsysldr_error_2x]

Second, in the Windows Task Manager, under the “Applications” tab, are two ACTUAL EXECUTABLE APPS, blatantly shown on the task manager. Note, people: A legitimate error message popped up by a legitimate application will NOT show up as a unique APPLICATION.

[Screenshot]

Thirdly: Under “Processes”, I now see a Process called “System”,

[Screenshot: system_task_mgr_winsysldr]

PEOPLE, THERE IS NO LEGITIMATE PROCESS CALLED “SYSTEM”.

No doubt my system is infected, after googling “winsysldr.exe”. As of last week, this very blog is the #1 hit; but many more hits have been added under some lesser-known virus pages; something called “SaliarAR”. I’ve never heard of it.

http://www.downloads-portal.com/security-and-privacy/anti-virus-tools/saliarar_application-59071.html


I don’t even trust THOSE sites, though. I must get to the BOTTOM of which EXECUTABLE this shit is running under!! How can I possibly do this? While searching for the answer, Noel suggested that I head over to Spybot Search & Destroy, install it, run it, love it. Well… I didn’t wanna admit defeat, but as I scanned the impossibly long list of services running on my machine, trying to locate WHAT EXE was actually SPAWNING these dialogues,


A NEW MESSAGE APPEARED RIGHT BEFORE MY EYES.

[Screenshot: critical_error_occurred]

And sure enough, showed up as “Critical error occured”. SPELLING ERROR! BLATANT SIGN OF ADWARE/SPYWARE! Some foreigner obviously cooked up this malicious bullshit. (Can you tell I’m getting impatient?) Yeah, yeah… I could reinstall everything and be done with it, but that wouldn’t be very fun, now, would it?

I wonder if they have a keylogger installed and are, at this very moment, watching me type in this Blog update.

[Screenshot: critical_error_taskmgr]

“Critical error occured.exe”? RIIIIiiight. Downloaded & installed SBS&D immediately. It’s running a scan now… it’s gonna take a while, so I’ll post this up on teh innernets for immediate consumption.

Strange Windows Pop-up

January 25th, 2008 by tungsai

Today my XP machine popped up with the following dialogue box:

[Screenshot: weird_error_jan_25_2008]

WINSYSLDR.EXE

Unhandled exception in WINSYSLDR.EXE (0xCD003592) Division by zero.


Not knowing if it was a malicious thing, i.e., a fake pop-up box where if you click “OK” you’re actually launching some evil virus, I Googled WINSYSLDR.EXE. and got…

[Screenshot: no_files_found]

NOTHING.

Yes, that’s right: the Internet has NO knowledge of WINSYSLDR.EXE. Now, everybody knows that a Division by Zero error can happen from time to time if an application is written poorly. This pop-up dialogue box has all the marks of a legitimate error message… EXCEPT for the fact that nobody in the world ever seems to have heard of WINSYSLDR.EXE. That is impossible.

My next step to investigate this strange error is, obviously, to search my system for WINSYSLDR.EXE. It took a while, since I run a very bloated XP machine, loaded with crap, including drivers & extra programs for my Triple Monitor Setup. But, sadly, the little puppy found nothing. NOTHING!! The file does not EXIST on my machine!


Luckily, the dialogue was still on my desktop, so I used a little trick to find out exactly what process was feeding the dialogue box. By pressing CTRL+ALT+DEL, I brought up the Task Manager and sorted by CPU. Then I dragged the dialogue around the screen quickly by the title bar, and watched for some process to start taking more CPU power. The only process I could see that was accelerating when I did that was my “UltraMonTaskbar.exe”. I killed it, and the pop-up remained. Perhaps it was just too small to register on the top of the task list, but at this point I had to move on to other things and so I just “X”‘ed the dialogue, rebooted, and posted this blog.
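Added example, not code from the blog post: a PowerShell alternative to the drag-it-and-watch-CPU trick above. Instead of inferring the owner from CPU load, it asks Windows directly which process owns each visible top-level window (through the documented user32 calls EnumWindows, IsWindowVisible, GetWindowText and GetWindowThreadProcessId) and, for the case where the owner turns out to be a legitimate host such as explorer.exe, lists the modules that process has loaded from outside %SystemRoot%. The function names are this example’s own; the title pattern in the usage lines is built from the dialog titles quoted in these posts.

```powershell
# Added example (not code from the blog post): trace a dialog to its owning
# process by enumerating visible top-level windows through the documented
# user32 API rather than watching CPU usage. Function names are this example's
# own; the title pattern in the usage lines comes from the dialogs in the posts.

Add-Type -TypeDefinition @"
using System;
using System.Text;
using System.Runtime.InteropServices;
public static class WinApi {
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")]
    public static extern bool EnumWindows(EnumWindowsProc lpEnumFunc, IntPtr lParam);
    [DllImport("user32.dll")]
    public static extern bool IsWindowVisible(IntPtr hWnd);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    public static extern int GetWindowText(IntPtr hWnd, StringBuilder lpString, int nMaxCount);
    [DllImport("user32.dll")]
    public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
}
"@

function Get-VisibleWindowOwners {
    # One object per visible, titled top-level window: title, owning PID, image path.
    $found = New-Object 'System.Collections.Generic.List[object]'
    $enumerate = {
        param([IntPtr]$hWnd, [IntPtr]$lParam)
        if ([WinApi]::IsWindowVisible($hWnd)) {
            $sb = New-Object System.Text.StringBuilder 512
            [void][WinApi]::GetWindowText($hWnd, $sb, $sb.Capacity)
            $title = $sb.ToString()
            if ($title) {
                $ownerPid = [uint32]0
                [void][WinApi]::GetWindowThreadProcessId($hWnd, [ref]$ownerPid)
                $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
                $found.Add([pscustomobject]@{
                    Title = $title
                    PID   = $ownerPid
                    Image = $(if ($proc -and $proc.Path) { $proc.Path } else { '<unknown>' })
                })
            }
        }
        return $true   # keep enumerating
    }.GetNewClosure()  # capture $found so the callback can fill it
    [void][WinApi]::EnumWindows(([WinApi+EnumWindowsProc]$enumerate), [IntPtr]::Zero)
    return $found
}

function Find-WindowOwner {
    param([Parameter(Mandatory)][string]$TitlePattern)
    Get-VisibleWindowOwners | Where-Object { $_.Title -match $TitlePattern }
}

function Get-ForeignModules {
    # DLLs a process has loaded from outside %SystemRoot%: the place to look when
    # the window's owner is a legitimate host such as explorer.exe or winlogon.exe.
    param([Parameter(Mandatory)][int]$ProcessId)
    (Get-Process -Id $ProcessId).Modules |
        Where-Object { $_.FileName -notlike "$env:SystemRoot\*" } |
        Select-Object ModuleName, FileName
}

# Usage: run while the dialog is still on screen, match its title, inspect the owner.
$hits = Find-WindowOwner -TitlePattern 'WINSYSLDR|Critical error|SysFader'
$hits | Format-Table -AutoSize
foreach ($hit in $hits) { Get-ForeignModules -ProcessId $hit.PID | Format-Table -AutoSize }
```

A dialog whose owner resolves to a bona fide Windows binary is the case the posts keep running into: the named executable does not exist on disk because the window belongs to a host process, and the foreign-module listing for that PID is where the injected DLL shows up. Leaving the dialog open until this has been run, rather than clicking OK or closing it, keeps the window handle (and therefore the owner) available.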

shrug….