
*2012* Malware Variants

By younghv
Some of the most commonly posted questions in the "Virus & Malware" Zones are related to the family of rogue malware with the date "2012" somewhere in the title.

Examples:
XP Antispyware 2012
XP Antivirus 2012
XP Security 2012  
XP Home Security 2012
XP Internet Security 2012  

Vista Antispyware 2012
Vista Antivirus 2012
Vista Security 2012
Vista Home Security 2012
Vista Internet Security 2012

Win 7 Antispyware 2012
Win 7 Antivirus 2012
Win 7 Security 2012
Win 7 Home Security 2012
Win 7 Internet Security 2012  

Proper repair of this malware is a 3-step process, using automated tools that are readily downloadable from the Internet.
1. Fix the registry.
2. Kill the rogue processes spawned by the malware.
3. Run the scanner to find/repair/delete the infection.

Links to the tools are:
1. FixNCR.reg (http://download.bleepingcomputer.com/reg/FixNCR.reg)
2. RogueKiller (http://www.geekstogo.com/forum/files/file/413-roguekiller/)
3. Malwarebytes (http://www.malwarebytes.org/) and TDSSKILLER (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)

Your first step is to fix the Windows registry to make sure that the applications (.exe files) you select to run will work properly. If you don't fix this first, the infection will launch itself instead of the tool/scanner you are trying to run.

Next you have to stop the rogue processes that have taken control of your system. A related EE Article is here: http://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)

The third step is to run a reliable scanner application. My scanner tool of choice is “Malwarebytes” (MBAM). The free version linked above is available to anyone wanting to scan/repair their personal computer(s) – although I recommend the PRO version as a terrific layer of protection on top of your normal AV program. A PRO version is available for enterprise/network deployment, with significant discounts for multiple licenses.

After downloading and installing MBAM, click on the “Update” tab and make sure you have the latest definition files. These are updated several times a day, so you should always run the ‘update’ immediately prior to starting the scan. It is normally sufficient to just run the "Quick Scan" to clear away the malware, but I always run the “Full Scan” (as a precaution) before returning the computer to a customer.

Many malware variants are also carrying the "TDSS" payload which we need to check for as a matter of course. TDSSKILLER does a good job of this and is fairly simple to use.

* Download the file TDSSKiller.zip and extract it into a folder on the infected (or potentially infected) PC.
* Execute the file TDSSKiller.exe.
* Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over.

If the tool finds a hidden service it will prompt you to type "delete"; you can also just hit "Enter" without typing anything and the scan will continue.

RogueKiller, Malwarebytes, and TDSSKILLER will all generate log files upon completion. If you are working with the EE Experts in a question, be sure to attach these log files to your question for them to review.
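As an added example (not from the article, and not the contents of FixNCR.reg), this PowerShell audit reads the file-association keys that step 1 repairs and reports any value that differs from the stock Windows defaults, so you can see before and after the fix whether .exe launches are still being redirected. It assumes Windows XP/Vista/7 with PowerShell 2.0 or later, run from an elevated prompt; the expected default values are the standard Windows ones, and the "no HKCU\Software\Classes\.exe on a clean profile" check is an assumption.

```powershell
# Added example, not the article's own nor the contents of FixNCR.reg.
# Audits the file-association keys a "2012" rogue hijacks so that every
# .exe launch runs the rogue instead of the tool you double-clicked.
# Expected values are the stock Windows defaults (known fact).
$Expected = @{
    'Registry::HKEY_CLASSES_ROOT\.exe'                       = 'exefile'
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' = '"%1" %*'
    'Registry::HKEY_CLASSES_ROOT\.com'                       = 'comfile'
    'Registry::HKEY_CLASSES_ROOT\comfile\shell\open\command' = '"%1" %*'
    'Registry::HKEY_CLASSES_ROOT\.bat'                       = 'batfile'
    'Registry::HKEY_CLASSES_ROOT\batfile\shell\open\command' = '"%1" %*'
}

function Get-DefaultValue([string]$Key) {
    # The (Default) value of a key is exposed by Get-ItemProperty as '(default)';
    # a missing key or unset default comes back as $null.
    if (-not (Test-Path -Path $Key)) { return $null }
    return (Get-ItemProperty -Path $Key).'(default)'
}

function Test-ExeAssociation {
    $findings = @()
    foreach ($key in $Expected.Keys) {
        $actual = Get-DefaultValue $key
        if ($null -eq $actual) {
            $findings += "MISSING   $key"
        } elseif ($actual -ne $Expected[$key]) {
            $findings += "TAMPERED  $key = '$actual' (expected '$($Expected[$key])')"
        }
    }
    # HKEY_CLASSES_ROOT is a merged view: a per-user override under
    # HKCU\Software\Classes wins and needs no admin rights, so a rogue can
    # redirect .exe without touching HKLM. Assumption: a clean profile has
    # no HKCU\Software\Classes\.exe key at all.
    $userKey   = 'HKCU:\Software\Classes\.exe'
    $userValue = Get-DefaultValue $userKey
    if ($null -ne $userValue) {
        $findings += "PER-USER  $userKey = '$userValue'"
        $cmd = Get-DefaultValue "HKCU:\Software\Classes\$userValue\shell\open\command"
        if ($null -ne $cmd) { $findings += "PER-USER  '$userValue' launches: $cmd" }
    }
    if ($findings.Count -eq 0) {
        return @('OK: .exe/.com/.bat associations match the Windows defaults')
    }
    return $findings
}

Test-ExeAssociation | ForEach-Object { Write-Output $_ }
```

Run it once before applying FixNCR.reg to record what was changed, and again afterwards to confirm every line reads OK before launching RogueKiller or MBAM.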

I am tempted to say that repairing this malware variant is as easy as “1, 2, 3”, but have been in the business way too long to make that kind of claim.

Although it is true that about 80% of the infected computers I repair ARE fixed with these 3 steps, there are times when I have to run additional scanners – and even post an Experts-Exchange question of my own and get some additional help.

For additional reading on malware repair, please see these other articles:

MALWARE - "An Ounce of Prevention..."
Basic Malware Troubleshooting
Rogue-Killer-What-a-great-name
Stop-the-Bleeding-First-Aid-for-Malware
Latest-Malware-Threat-Windows-Stability-Center


***Edit on 12/30/2011***

Please review the detailed comments below (http:#c34001)

Depending on the variant of this malware you are trying to repair, the work may be much more extensive than what is detailed in this article.
33 Comments
Expert Comment by rpggamergirl (LVL 47):
Voted Yes! :)
Expert Comment by Glen Knight (LVL 74):
Looks like an excellent well thought out article to me.

Should be well received by all.

Well done younghv
Author Comment by younghv (LVL 38):
rpg & demazter -
Thank you for the comments and votes.
I appreciate them (and you).
Expert Comment by mbizup (LVL 61):
Voted 'Yes!'

I love checklists... they're just so easy to follow.

That 1,2,3 process really sticks with you.
Author Comment by younghv (LVL 38):
mbizup -
Thank you.

In my world, we call that Infantry Simple - and it works.
Semper Fi!
Administrative Comment by modus_operandi:
Author Comment by younghv (LVL 38):
I love this line:
"no matter how expert you may be, well-designed check lists can improve outcomes"

How appropriate!
Expert Comment by modus_operandi (LVL 1):
The Checklist Manifesto is a terrific book.  For that matter, so are Gawande's other ones, such as Complications and Better.  Heck, I'd probably read "The Collected Shopping Lists of Atul Gawande" if he ever got around to publishing it :)
Expert Comment by willcomp (LVL 32):
Vic, first time I've seen this one. Good job!
Author Comment by younghv (LVL 38):
Hey Dalton -
Thanks for the comment and the vote.

Stand by for my annual "Best Components for a New Custom Computer" question. I'm running out of time to beat the tax man this year.

Vic
Expert Comment by 9660kel (LVL 5):
Nice overview, any standout ee questions to read regarding this little slice of heaven?
Expert Comment by Russell_Venable (LVL 15):
First time I have seen this article. It's pretty good. +1 Youngv, keep it up.
Author Comment by younghv (LVL 38):
RV - thanks. I'm still monitoring your help on the zeroaccess problems.
Semper Fi!
Expert Comment by pony10us (LVL 26):
@younghv:  Great job.  While I have been able to keep this out of my work environment so far (I am a state bank network manager) using proper tools, I still encounter this on many friends and family computers. Having this checklist is a great way to "remember" to do all the steps.

Thank you for the article.
Expert Comment by aikimark (LVL 45):
I encountered this SOB for the first time Christmas Day (2011) on my mother's neighbor's system.  I was able to run programs with right mouse click and the start or run as admin menu items.  I had to start the Task Manager from the Ctrl+Alt+Del dialog.

After killing the virus processes in Task Mgr, I was able to get to the Lavasoft and MalwareBytes sites.  The neighbor had an old version of AVG and I suspect its virus definitions hadn't been updated in a while.

Due to the 2012 virus, the neighbor was still having trouble double-clicking on desktop program icons.  The shell thought it needed to associate a program with EXE files.  I found a .REG file posted by a Microsoft MVP that corrected this problem.

I took my time leaving after the second fix and he hasn't reported any more problems.

I wish I'd read this article before this weekend.  I would have been better prepared.
Author Comment by younghv (LVL 38):
pony10us - Thank you. I appreciate the comments.

aikimark - Step #1 (FixNCR.reg) was written by an MS MVP also.
;)

Next year buy all your friends and family the Premium version of Malwarebytes - about 20 bucks a pop for a 10 pack of lifetime licenses - and you can spend the holiday drinking eggnog instead of fixing confusers.

This is an old Article, but the concepts still apply. Please share the link:
MALWARE - "An Ounce of Prevention..."
Expert Comment by aikimark (LVL 45):
Nice idea.

The AVG caught this once it had been upgraded.  I use them as complementary AV protection.
Author Comment by younghv (LVL 38):
AVG has had more than a few "False Positives" - and worse - problems over the past year or so, plus they are a "Suite" type of program. I long ago swore off the 'everything plus the kitchen sink' type of programs due to the interference with the basic Windows OS.

Other than MSE, I don't recommend any of the free AV programs.
Expert Comment by pony10us (LVL 26):
younghv:

I had similar experiences with Avast having a lot of false positives. What do you think about PrevX? I tried using it for a while and it did a lot to protect my system; however, it also has some issues that I didn't care for.

As long as Malwarebytes is kept up to date it does a great job. I run it at least once or twice a week just as a preventive measure. I also have Spybot running all the time and keep it updated as well. This keeps my home system pretty clean.

What AV program do you recommend? (I know that is a personal preference question.) I have had issues with both Norton and McAfee in the past.
Author Comment by younghv (LVL 38):
pony10us -

For home and small network enterprises, I still stand by the recommendations in MALWARE - "An Ounce of Prevention..."

Back when I was managing some fairly large enterprises, McAfee ePO was my weapon of choice - but that was many eons ago. I changed away from Norton/Symantec when it let the "Melissa" virus pass through and never considered using it again.
Expert Comment by pony10us (LVL 26):
Thank you,  I am looking at that article now.  
Expert Comment by rpggamergirl (LVL 47):
These rogues can be easily removed with the tools mentioned here, but sometimes the damage done also needs to be fixed.
Some of the variants also delete services in the registry: the Base Filtering Engine (BFE), the Windows Firewall (mpssvc), and they may also delete Security Center (mscsvc), so you need to check these services and make sure they are running, especially the Base Filtering Engine (BFE), since some services are dependent on that service.
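An added PowerShell check (not part of the comment above) for the services rpggamergirl describes: it reports whether the Base Filtering Engine, Windows Firewall and Security Center services still exist and are running, and lists what depends on BFE so the knock-on damage is visible. It assumes Vista/7-era Windows with PowerShell 2.0 or later; the service names are the registered Windows names (Security Center is registered as wscsvc, not the mscsvc written above).

```powershell
# Added example, not from the comment above. Service names are the standard
# registered Windows names (known fact); Security Center is wscsvc.
$RequiredServices = @(
    @{ Name = 'BFE';    Label = 'Base Filtering Engine' },
    @{ Name = 'MpsSvc'; Label = 'Windows Firewall' },
    @{ Name = 'wscsvc'; Label = 'Security Center' }
)

function Test-SecurityServices {
    $report = @()
    foreach ($entry in $RequiredServices) {
        # A service whose registry entry was deleted is simply not found,
        # which is different from one that is merely stopped or disabled.
        $svc = Get-Service -Name $entry.Name -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            $report += "DELETED  $($entry.Name) ($($entry.Label)) - service entry is gone"
        } elseif ($svc.Status -ne 'Running') {
            $report += "STOPPED  $($entry.Name) ($($entry.Label)) - status $($svc.Status)"
        } else {
            $report += "OK       $($entry.Name) ($($entry.Label))"
        }
    }
    # BFE is the one the other services depend on; show what breaks without it.
    $bfe = Get-Service -Name 'BFE' -ErrorAction SilentlyContinue
    if ($null -ne $bfe) {
        $names = $bfe.DependentServices | ForEach-Object { $_.Name }
        $report += 'BFE dependents: ' + ($names -join ', ')
    } else {
        $report += 'BFE dependents: cannot be listed because BFE itself is missing'
    }
    return $report
}

Test-SecurityServices | ForEach-Object { Write-Output $_ }
```

A DELETED line means the service has to be recreated from a known-good registry export or a repair install; a STOPPED line can usually be cleared with Start-Service once BFE is running.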
Author Comment by younghv (LVL 38):
rpggamergirl:
Thank you for the information.

I just saw your comments in http://www.experts-exchange.com/Q_27513892.html and will continue to monitor that question.

I haven't seen that problem yet in any of the computers I've worked on. Is there anything else (other than the instructions you posted) that needs to be added here?

Expert Comment by Russell_Venable (LVL 15):
Just a warning. I've had a few test samples that actually deleted Windows Firewall and/or Security Center. BFE changes are also noted. Other items to add here are:
User profile areas
* %appdata%\<random chars>.<3 letter> rot13 encrypted file
* %appdata%\<random chars> folder and/or files
* %userprofile%\Startmenu\<variant antivirus name>
Windows directory
* %windir%\<random chars>.dat / <random chars>.dll
* %systemroot%\<random chars>.dat / <random chars>.dll
Files dropped in temp
* %temp%\<random chars>.<3 letter>
* %temp%\<around 26 random chars>.exe

Also noticed removal of Start Menu items and moving them into %temp%, or flat-out removal. Earlier versions just changed file attributes. Seen a few experts here giving advice on using system cleaners.... Big no-no.... Might want to include that in this article too.

Rootkit agents are definitely attaching to TDI group drivers like Afd.sys and patching the LSP chain, redirecting network traffic through the rootkit's TDI driver for filtering. To restore network connectivity on some of these boxes affected after removal of this malware, you will need to find your main network adapter, check for tampering with Device Manager, uninstall damaged devices (make sure you have the driver backup installation or a new updated driver from the manufacturer; reinstall can go wrong!), redownload the driver (unless already done), remove the NIC, install the new network adapter driver, and replace drivers in the driver group listed as "group: TDI" using sc.exe ("sc qc <driver>"). You can use the dll cache located in the Windows system32 folder to copy the backup driver and write over the existing TDI drivers in the drivers folder, or expand drivers from the install CD using the Recovery Console. You also need to check the dependencies on the TDI drivers (DHCP, TCPIP, etc.) to make sure they're running properly. The service query will tell you this information. Once the TDI driver is replaced and the network driver is reinstalled with a new one, either do a network diagnostic check or a netsh Winsock reset catalog. Before doing this make sure you note what LSPs are already in the chain: "netsh winsock show catalog > c:\lsp.txt". Previous LSP providers will be damaged by the Winsock catalog reset, so please double-check LSP settings before continuing so you know what software needs to be reinstalled.

Software you can use to check LSP:
* Ad-Aware SE has an LSP plugin called LSPExplorer.
* Powertool ARK
* Xuetr ARK, known as "XT".
* Wsyscheck ARK
There are a few more slipping my mind for the moment.

Causes for infection are exploits specifically targeted at this software: Java, Adobe, media player (including 3rd-party codec plugins), and Flash. User education or removal of these software platforms helps remove target vectors. Combining both is good if possible. Finding URL history is privacy-intrusive to the user (possibly embarrassing), but! It also allows you to find out what sites are being used as a drive-by and allows you to collect information for blacklisting these domains.

There is always more to add. They never stop "Inventing".
Author Comment by younghv (LVL 38):
Russell - Thank you for the detailed comments. I am going to put a pointer to them up at the end of the article.

With the level of "Inventing" going on, we (EE) are in serious need of some higher level articles discussing the techniques needed for a full repair. The various automated tools just aren't up to getting the job done.

Thanks,
Vic
Expert Comment by Russell_Venable (LVL 15):
Aye, We will continue the other discussion as soon as Tygzy is back.
Expert Comment by pony10us (LVL 26):
I think I might have to take early retirement and go ride my Harley. I'm getting too old to keep up with all of this "inventing". After almost 34 years working with computers, and still something new every day. :)

Thanks guys for all the hard work with the articles. They really do help.
Author Comment by younghv (LVL 38):
"...and go ride my Harley."

'Bout time for a re-make of "Easy Rider" - I'll be Billy.
Expert Comment by Rob Miners (LVL 14):
Kudos to younghv, for dedicating time and effort into investigating and analyzing malicious code. Congratulations on being the Author of the Year!
Author Comment by younghv (LVL 38):
rrjmin0 -
Thank you for saying that.

In all honesty, it was more than a little embarrassing. My articles reflect the efforts of a whole bunch of good guys who create the tools that help us fight malware - not my own work. I'm a pretty good mechanic, but they are the engineers.

The articles are popular because malware is ubiquitous and we have so many EE Members looking for help on the topic.

For really technical advice, follow the posts of rpggamergirl and Russell_Venable

Thank you again. I do appreciate the compliment.
Expert Comment by Russell_Venable (LVL 15):
You have done pretty well yourself, Youngv! Good motivation along with good intentions go a long way. The contributions you make are invaluable. Never forget this.
Expert Comment by Rob Miners (LVL 14):
Oops, sorry mate, I didn't mean to embarrass you, and I'm well aware of the efforts of Russell Venable and rpggamergirl's excellent contributions.
I've been out of the industry for a couple of years and it's refreshing to come back to well documented information that is relevant to these current issues. I was impressed, as it has helped me to get back up to speed in a relatively short time.
Author Comment by younghv (LVL 38):
rrjmin0 - Your comments were very flattering - as were Russell's. I guess I just need to enjoy it. As an aside, I just found out that I (or my grandsons) will be getting a new EE T-Shirt...which is always a cool thing.

The whole EE Articles concept has been a great idea. I will sometimes wander through some of the non-malware Zones and it is amazing to see the variety of 'right here, right now' usable advice that is posted.

Thank you for the comments.