{"id":97,"date":"2008-01-30T10:56:11","date_gmt":"2008-01-30T17:56:11","guid":{"rendered":"https:\/\/www.tungsai.com\/blog\/?p=97"},"modified":"2008-01-30T11:25:27","modified_gmt":"2008-01-30T18:25:27","slug":"odscadll-malware-update-day-3","status":"publish","type":"post","link":"https:\/\/www.tungsai.com\/blog\/?p=97","title":{"rendered":"odsca.dll malware update &#8211; day 5"},"content":{"rendered":"<p>Yesterday I finalized my &#8220;Forensic Analysis&#8221; of the unknown malware that my work PC had contracted. I sent the results to McAfee, and was given instructions on how to provide them with the actual files. I did this, and I got an immediate response from an automated system that indicated complete ignorance of any known maliciousness.<\/p>\n<p>I now believe I know how it was able to launch itself even in safe mode, and keep itself alive no matter what. However, I don&#8217;t know how it got there, unfortunately. I suppose I could just begin brazenly surfing teh innernets full throttle until I saw it again, but at this point I&#8217;ve got other things to work on.<\/p>\n<p>The way that I finally discovered the malicious files was using Filemon from SysInternals, which I had done a few days ago but did not realize that what I was witnessing was malicious.<\/p>\n<p>In the Windows Registry, the following new key was inserted:<\/p>\n<p>HKLM\\Local machine\\software\\microsoft\\windows NT\\CurrentVersion\\Winlogon\\<\/p>\n<p>Attempting to delete \/ rename \/ remove permissions from this key results in it getting instantly re-created back to the original state! This DLL is also listed in two other areas of the registry as well; the DLL register areas or something (in an area that I don&#8217;t go into very often, under the CurrentControlSet region).<\/p>\n<p>This apparently is causing winlogon.exe to execute the DLL located in C:\\PROGRAM FILES\\WINDOWS MEDIA PLAYER\\ICONS\\ODSCA.DLL.<\/p>\n<p>In the same directory, multiple similar but different files were getting created. The filenames were called acsdoXX.dat, where XX is some combination of ascending or descending letters, such as acsdoaa.dat, acsdoab.dat, acsdoac.dat, etc. I did not try to delete these files, or if I did, I also got &#8220;Access Denied&#8221;.<\/p>\n<p>Attempting to delete the file results in &#8220;Access Denied&#8221;.<\/p>\n<p>After determining this, I finally decided that I need to get to some other projects and tasks at work, so I&#8217;m reformatting C:\\ and reinstalling Windows. If McAfee or SANS get back to me, and anything more comes of this, I&#8217;ll let you know.<\/p>\n<p>WAB<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Yesterday I finalized my &#8220;Forensic Analysis&#8221; of the unknown malware that my work PC had contracted. I sent the results to McAfee, and was given instructions on how to provide them with the actual files. I did this, and I got an immediate response from an automated system that indicated complete ignorance of any known&hellip; <a class=\"more-link\" href=\"https:\/\/www.tungsai.com\/blog\/?p=97\">Continue reading <span class=\"screen-reader-text\">odsca.dll malware update &#8211; day 5<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12],"tags":[13,14,23],"class_list":["post-97","post","type-post","status-publish","format-standard","hentry","category-windows","tag-malware","tag-odscadll","tag-windows","entry"],"_links":{"self":[{"href":"https:\/\/www.tungsai.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/97","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.tungsai.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tungsai.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tungsai.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tungsai.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=97"}],"version-history":[{"count":0,"href":"https:\/\/www.tungsai.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/97\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.tungsai.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=97"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tungsai.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=97"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tungsai.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=97"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}