odsca.dll malware update – day 5

Yesterday I finalized my “Forensic Analysis” of the unknown malware that my work PC had contracted. I sent the results to McAfee, and was given instructions on how to provide them with the actual files. I did this, and I got an immediate response from an automated system that indicated complete ignorance of any known maliciousness.

I now believe I know how it was able to launch itself even in safe mode, and keep itself alive no matter what. However I don’t know how it got there, unfortunately. I suppose I could just begin brazenly surfing teh innernets full throttle until I saw it again, but at this point I’ve got other things to work on.

I finally discovered the malicious files using Filemon from Sysinternals. I had run it a few days earlier, but at the time I did not realize that what I was seeing was malicious.

In the Windows Registry, the following new key was inserted:

HKLM\Local machine\software\microsoft\windows NT\CurrentVersion\Winlogon\

Attempting to delete / rename / remove permissions from this key results in it getting instantly re-created back to its original state! This DLL is also listed in two other areas of the registry; the DLL register areas or something (an area that I don’t go into very often, under the CurrentControlSet region).

This apparently is causing winlogon.exe to execute the DLL located in C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\ICONS\ODSCA.DLL.

In the same directory, multiple similar but distinct files were being created. The filenames were of the form acsdoXX.dat, where XX is some combination of ascending or descending letters, such as acsdoaa.dat, acsdoab.dat, acsdoac.dat, etc. I did not try to delete these files, or if I did, I also got “Access Denied”.

Attempting to delete the DLL itself results in “Access Denied”.
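A defender-side triage check for the persistence described above, added here as an example and not part of the original post: it parses a `.reg` export of the Winlogon key and flags any DLL referenced from outside the system directory. The export is constructed, and the `Notify` subkey is my assumption about how winlogon.exe came to load the DLL; the post itself only names the Winlogon key.

```python
import re
from pathlib import PureWindowsPath

# Constructed .reg export (not from the post). The Notify subkey is an
# assumed load path for the DLL; adjust TRUSTED_DIRS for your build.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\odsca]
"DllName"="C:\\PROGRAM FILES\\WINDOWS MEDIA PLAYER\\ICONS\\ODSCA.DLL"
"Startup"="Startup"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
TRUSTED_DIRS = (r"c:\windows\system32",)

def parse_reg(text):
    """Yield (key, value_name, value) for every REG_SZ entry in a .reg export."""
    key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            # .reg files escape each backslash as "\\"
            yield key, m.group(1), m.group(2).replace("\\\\", "\\")

def suspicious_winlogon_dlls(text):
    """Return (key, dll_path) for DLLs under Winlogon outside a trusted directory.
    Bare file names (no directory) resolve from the system path and are skipped."""
    hits = []
    for key, _name, value in parse_reg(text):
        if "\\winlogon" not in key.lower():
            continue
        for part in (p.strip() for p in value.split(",")):
            if not part.lower().endswith(".dll"):
                continue
            path = PureWindowsPath(part)
            if path.parent == PureWindowsPath("."):
                continue
            if not str(path.parent).lower().startswith(TRUSTED_DIRS):
                hits.append((key, str(path)))
    return hits

if __name__ == "__main__":
    for key, dll in suspicious_winlogon_dlls(SAMPLE_REG):
        print(f"suspicious: {dll}  (referenced from {key})")
```

On a live system the same export is produced with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg`, ideally from a boot environment where the key cannot re-create itself.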

After determining this, I finally decided that I need to get to some other projects and tasks at work, so I’m reformatting C:\ and reinstalling Windows. If McAfee or SANS get back to me, and anything more comes of this, I’ll let you know.

WAB

By tungsai

Super Magic Dragon Ninja

8 comments

  1. Just wanted to let you know that you are not the only one with this problem. I have it too. Please let me know what you find out. I am also trying to find an answer. Right now I am looking for the program that creates the ywrronqm.exe file in the C:\windows\prefetch directory.

  2. Also, I don’t have the same files that you have listed on my computer, nor do I have the same registry entry on my computer. I hope this helps you.

  3. Question. Have you installed Windows Service Pack 3 on your computer that has this infection?

  4. Used “Security Task Manager” to find mine, thanks to what you posted. Looked nasty alright! Mine was hiding in C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705 and named ibnhlp.dll, with a lot of .dats. Managed to delete it with Ubuntu, then fixed the registry, and, touch wood, it’s fixed!

    Thanks and good luck!

  5. Hello!

    I had sort of the same problem that you described recently. Probably I’m late to tell you, but to fix it, you don’t need to reinstall Windows. What you need is some boot disc that will enable you to delete files without loading the infected Windows system, and to run regedit in order to delete the registry keys you’ve mentioned.

    I used my Windows PE (Preinstalled Environment) boot CD. I was able to run c:\totalcmd\totalcmd.exe and c:\windows\regedit.exe and delete what needed to be deleted. Unwanted popups and balloons are gone now.

    s.

  6. In working with Symantec, they have found this to be another version of trojan.horse and have updated their DAT files to find and remove it. I am virus-free now. Wooohooo!!!!

  7. I experienced almost the same issues you’re mentioning and also found the culprit.

    On my system a file called fmcurl.dll located in \program files\msagent\intl\ caused the problems. Using regedit, multiple definitions for this file can be found.

    All I did was remove all access permissions granted to that file, set a new owner, delete the corresponding registry entries and reboot the system.

    Later, you can delete that file or do whatever you want with it by reapplying specific or all access permissions.

    fu Saliar!

    Greetings,
    redilS

    P.S.
    In case someone wants to dissect that little bastard… grab it here:
    http://rapidshare.com/files/91790114/fmcurl.dll.html

  8. Just did some more research. You have the Virtumod.249 trojan, as do I. I found a website with postings regarding this. They recommended using Dr Web CureIt! It’s located at http://www.freedrweb.com. Yes, it’s free. The program actually doesn’t install itself; the .exe activates the scanner. I was reluctant to do this but decided to go ahead. I shut down my internet connection, turned off my Trend Micro and ran Dr Web CureIt! It found a cacavi.dll file infected with the Virtumod.249 trojan and deleted it. I then rebooted my PC and the messages stopped. I hope this reaches you before formatting your C drive.
