Today my 8-year-old kid made me “happy” again. He was browsing the Internet looking for online games and suddenly called me to see something on the computer. An avalanche of warnings and alerts was appearing on the desktop, claiming the computer was infected and involved in illegal actions such as spamming, that the BIOS would be destroyed or a new motherboard would be necessary, that I would be disconnected from the Internet and maybe thrown in prison, and so on. The malware offered anyway a solution to solve ALL my problems: to buy Desktop Security 2010, the only antivirus that could help me get rid of the problems. Childish, I could say, but a really scary experience for anyone less experienced. My first thought was whether the malware was eating all the CPU power, or whether I would have enough left to take screenshots.
Immediately I disconnected the computer from the Internet, because a malware infection is in 99% of cases a gate for other malware, and I started to take screenshots:
And the main software in “action”:
and finally the “browser” leading me to buy the software at the official site, because yes, the creators of this malware have an official site, as you can see at http://www.desktopsecuritycorp.com :
A lot of new processes created by the malware appeared in the Task Manager:
securitycenter.exe
vdsfvrwx.exe
OperatingMicrosoft6.00.2900.5512.exe
m.2A7.tmp.exe
InstallShieldSetup.exe
BannerBannerWizard.exe
NS37.tmp
DreamweaverAdobe.exe
DWIntlsecurity.exe
SDISampleSDISample.exe
www.desktopsecuritycorp.com
timedate3.exe
systemframework.exe
datavisualizationsystem.exe
and using Security Task Manager I was able to locate some of the executables:
C:\WINDOWS\system32\timedate3.exe
C:\Documents and Settings\jmp\Local Settings\Temp\vdsfvrwx.exe, 138 KB (141,312 bytes)
CRC32: 37A694A5
MD5: 0658C2A124630C4E4D572E08269081D5
SHA-1: 1D4DD92BD2DDA06739CF053C11F28D83C9FEF9EE
C:\program files\installshield installation information\{58582977-44d2-44a0-a09b-031cc2ae5938}\installshieldsetup.exe, 138 KB (141,312 bytes)
CRC32: 37A694A5
MD5: 0658C2A124630C4E4D572E08269081D5
SHA-1: 1D4DD92BD2DDA06739CF053C11F28D83C9FEF9EE
C:\program files\common files\microsoft shared\dw\1028\dwintl20reporting.exe, 138 KB (141,312 bytes)
CRC32: 37A694A5
MD5: 0658C2A124630C4E4D572E08269081D5
SHA-1: 1D4DD92BD2DDA06739CF053C11F28D83C9FEF9EE
The hosts file, used by Windows to map hostnames to IP addresses, was also modified, making it practically impossible to access the sites in question; these lines were added to the file:
64.91.255.87 www.dcsresearch.com
127.0.0.1 thepiratebay.org
127.0.0.1 www.thepiratebay.org
127.0.0.1 mininova.org
127.0.0.1 www.mininova.org
127.0.0.1 forum.mininova.org
127.0.0.1 blog.mininova.org
127.0.0.1 suprbay.org
127.0.0.1 www.suprbay.org
and whoever tries to reach the addresses mapped to 127.0.0.1 will be automatically redirected to localhost, the loopback address, their own computer (the first line instead points www.dcsresearch.com at 64.91.255.87).
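As an added example, not from the original post, here is a small Python check that parses a hosts file and flags the two patterns seen above: real hostnames sinkholed to the loopback address, and hostnames redirected to an arbitrary IP. The sample hosts text is constructed from the lines quoted above.

```python
import ipaddress

# Constructed sample modelled on the lines this post found appended to the hosts file.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
64.91.255.87 www.dcsresearch.com
127.0.0.1 thepiratebay.org
127.0.0.1 www.thepiratebay.org
127.0.0.1 mininova.org   # trailing comment is ignored
"""

# Names that legitimately resolve to the loopback address on a default install.
BENIGN_LOOPBACK = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield one (ip, hostname) pair per hostname, skipping comments and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: not a mapping
        for name in fields[1:]:
            yield ip, name.lower()


def suspicious_hosts_entries(text):
    """Return (ip, hostname, reason) for every mapping a clean client hosts file should not have."""
    findings = []
    for ip, name in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            if name not in BENIGN_LOOPBACK:
                findings.append((str(ip), name, "sinkholed to loopback"))
        else:
            # Any other mapping overrides DNS for that name; on a home PC that is a red flag.
            findings.append((str(ip), name, "redirected to %s" % ip))
    return findings
```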
Trying to kill the malware processes using the Windows Task Manager gave no results; the processes were very persistent. If I ended a process, immediately a new one with a different name took its place, but looking at the size of the executables shown above, 141,312 bytes for all of them, it seems they are clones of the same executable. It must be said that my antivirus, a popular one, asked me to reboot the computer in order to disinfect it, but the infection survived.
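To confirm that kind of observation by hash rather than by eye, here is an added Python example (not the author's tooling) that walks a directory tree, groups files by size and then by SHA-256, and reports groups of identical files living under different names. The directory layout and file contents are constructed stand-ins, not the real samples.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_of(path, chunk=1 << 16):
    """Hash a file in 64 KiB chunks so large samples need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_clones(root):
    """Group files under root by (size, sha256); keep only groups with more than one member."""
    by_size = defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            by_size[os.path.getsize(p)].append(p)
    clones = {}
    for size, paths in by_size.items():
        if len(paths) < 2:
            continue  # a unique size cannot be a clone: no need to hash it
        by_hash = defaultdict(list)
        for p in paths:
            by_hash[sha256_of(p)].append(p)
        for digest, group in by_hash.items():
            if len(group) > 1:
                clones[(size, digest)] = sorted(group)
    return clones


def build_sample_tree():
    """Constructed stand-in for the Temp and Program Files drop locations (random bytes, not real samples)."""
    root = tempfile.mkdtemp(prefix="fakeav-")
    dropper = os.urandom(4096)  # one payload written under three names
    layout = {
        "Temp/vdsfvrwx.exe": dropper,
        "Temp/m.2A7.tmp.exe": os.urandom(4096),  # same size, different content: not a clone
        "InstallShield/installshieldsetup.exe": dropper,
        "dw/1028/dwintl20reporting.exe": dropper,
        "Temp/NS37.tmp": b"x" * 100,
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root
```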
The main tool I used was Autoruns from Sysinternals; any virus needs to run at boot time, and this is very often its vulnerability. So, what dubious entries did Autoruns reveal? Here you go:
and what attracted my attention was an entry associated with a service, sshnas.dll, also viewable with Security Task Manager as a process associated with a service:
sshnas.dll is a component of the Desktop Security 2010 malware.
The virus files are dropped in:
the folder C:\Documents and Settings\Current User\Application Data\Desktop Security
- Desktop Security 2010.exe, size 1,600,512 bytes
CRC32: 49D87720
MD5: F915AFEF70D69733411DA9BE722249EE
SHA-1: F9ADE96D06128AC21EF938C0B7D0E836E36D916D
- securitycenter.exe, size 270,336 bytes
CRC32: FD0F5A57
MD5: FE657A1494BED8614674899BC6B0E217
SHA-1: 9425A4D2C0E4683CE52802894A4859236079A4FA
- securityhelper.exe, size 2,732,032 bytes
CRC32: F2115B13
MD5: 31A3A496E72360A511FE9CA564AF872A
SHA-1: 2ED7D9422DEF948C5283E89609360CA201DCC122
- taskmgr.dll, size 76,288 bytes
CRC32: 7A9A53D3
MD5: 4DF1B6785ADD442FFE51EAF436BB8E0F
SHA-1: 097A13B576D1CD62D29D8AAE7DBD3BB4B8517351
C:\Documents and Settings\Current User\Application Data\Microsoft\Internet Explorer\Quick Launch
A shortcut with “C:\Documents and Settings\Administrator\Application Data\Desktop Security\Desktop Security 2010.exe” as its target
C:\Documents and Settings\Current User\Local Settings\Application Data\Microsoft\Internet Explorer
A file called MSIGMSIZ.dat, size 16,384 bytes
CRC32: A0E29DA1
MD5: 2DF6E3207711EA63C57C735F0CBC678B
SHA-1: 534CD87A75CA4EEB51D3B91B66F278EB04A68888
C:\Documents and Settings\Current User\Local Settings\Temp
87 executables, 2 .tmp files and 1 file with an unknown extension, .exex, as you can see in the image below:
C:\Documents and Settings\Current User\Local Settings\History\History.IE5
A file called index.dat, size 49,152 bytes
C:\Documents and Settings\Current User\Local Settings\History\History.IE5\MSHist012010080120100802
A file index.dat, size 49,152 bytes, the same as above
C:\Documents and Settings\Current User\Local Settings\Temporary Internet Files\Content.IE5
4 folders with random names containing malware resources: images, icons, HTML files, logos, JavaScript for image transformations and so on.
C:\Documents and Settings\Current User\Cookies
A cookie called administrator@1[2].txt
and another index.dat file, size 32,768 bytes
For those who do not know, index.dat is a file containing the browsing history.
C:\Documents and Settings\Current User\My Documents\My Pictures
Empty folder
C:\Documents and Settings\Current User\Start Menu\Programs\Desktop Security
Contains 4 shortcuts named:
- Activate Desktop Security
- Desktop Security
- Help Desktop Security
- How to Activate Desktop Security
The interesting registry keys added by this malicious software are:
[HKEY_USERS\user\current\software\Desktop Security]
"BuyUrl"="8DEEB72ECA56C4933E84F50FB1FE33E3F83F710EB0186375694366792998675F3007647C3E043FE03EB7F9CF5D03AD7C8A6E302281A808A83AA0D3AB18B13CCA062A9B1E2FEBE8A8141"
@="C:\\Documents and Settings\\Administrator\\Application Data\\Desktop Security"
"ADVid"="1"
"InstallDir"="C:\\Documents and Settings\\Administrator\\Application Data\\Desktop Security"
"SoftID"="Desktop Security"
"ScanSystemOnStartup"=dword:00000001
"AutomaticallyUpdates"=dword:00000001
"MinimizeOnStart"=dword:00000000
"BackgroundScan"=dword:00000001
"BackgroundScanTimeout"=dword:00000001
"LastTimeStamp"=dword:00000078
"LastUpdateDate"="2010/7/11"
and for running at start-up (every time Windows starts):
[HKEY_USERS\user\current\software\Microsoft\Windows\CurrentVersion\Run]
"2dqfqnurddw3"="G:\\acute\\analysis\\m.2A7.tmp_sample.exe"
"Desktop Security"="\"C:\\Documents and Settings\\Administrator\\Application Data\\Desktop Security\\Desktop Security 2010.exe\" /STARTUP"
"SecurityCenter"="C:\\Documents and Settings\\Administrator\\Application Data\\Desktop Security\\securitycenter.exe"
[HKEY_USERS\sandboxed\user\current\software\Microsoft\Windows\ShellNoRoam\MUICache]
"G:\\acute\\analysis\\m.2A7.tmp.exe"="m.2A7.tmp_sample"
"@xpsp3res.dll,-20001"="Diagnose Connection Problems…"
"C:\\WINDOWS\\System32\\msiexec.exe"="Windows® installer"
"C:\\WINDOWS\\system32\\mspaint.exe"="Paint"
"C:\\WINDOWS\\system32\\shimgvw.dll"="Windows Picture and Fax Viewer"
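As an added example, not part of the original post, here is a Python audit of exported .reg text that extracts the values under any CurrentVersion\Run key and flags autostarts pointing outside the system drive or into the user profile, the two patterns the Run entries above show. The .reg text is constructed from those entries; treating C: as the system drive is an assumption.

```python
import re

# Constructed .reg text modelled on the Run entries this post found, plus a clean entry and a non-Run key.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"2dqfqnurddw3"="G:\\acute\\analysis\\m.2A7.tmp_sample.exe"
"Desktop Security"="\"C:\\Documents and Settings\\Administrator\\Application Data\\Desktop Security\\Desktop Security 2010.exe\" /STARTUP"
"SecurityCenter"="C:\\Documents and Settings\\Administrator\\Application Data\\Desktop Security\\securitycenter.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\WINDOWS\\system32\\mspaint.exe"="Paint"
'''

RUN_KEY_RE = re.compile(r"^\[.*\\CurrentVersion\\Run[A-Za-z]*\]$", re.I)  # Run, RunOnce, ...
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')      # "name"="string data"
# Directories an XP-era autostart entry should not normally point into.
USER_WRITABLE = ("\\application data\\", "\\local settings\\temp\\")


def unescape(s):
    # .reg escapes a backslash as \\ and a quote as \" ; drop the escaping backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_entries(reg_text):
    """Return (value name, command) pairs found under any CurrentVersion\\Run* key."""
    entries, in_run = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run = bool(RUN_KEY_RE.match(line))
            continue
        m = VALUE_RE.match(line)
        if in_run and m:
            entries.append((unescape(m.group(1)), unescape(m.group(2))))
    return entries


def target_path(command):
    if command.startswith('"'):  # quoted path, possibly followed by arguments such as /STARTUP
        return command[1:command.find('"', 1)]
    return command  # unquoted: treat the whole value as the path


def audit_run_entries(reg_text, system_drive="C:"):
    """Flag autostarts outside the system drive (assumed C:) or inside the user profile."""
    findings = []
    for name, command in parse_run_entries(reg_text):
        path = target_path(command).lower()
        if not path.startswith(system_drive.lower()):
            findings.append((name, "runs from non-system drive"))
        elif any(marker in path for marker in USER_WRITABLE):
            findings.append((name, "runs from user profile"))
    return findings
```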
The malware itself is an executable called m.2A7.tmp.exe, size 2,732,032 bytes (the same size and hashes as securityhelper.exe above):
CRC32: F2115B13
MD5: 31A3A496E72360A511FE9CA564AF872A
SHA-1: 2ED7D9422DEF948C5283E89609360CA201DCC122
Knowing all this information and using simple tools, disinfection is easy.
The tools used were:
- Autoruns for deleting malicious start-up entries;
- Security Task Manager for killing the persistent processes and quarantining the associated executables mentioned above;
- SysAnalyzer and Process Hacker for grabbing details of the malicious processes and executables.
The steps, in this order:
- kill the malicious processes;
- delete the start-up registry entries;
- delete the content of the Temporary folder;
- reboot.
If the disinfection does not succeed on the first try, repeat the steps. A good trick is not to close the malware window but just to minimize it: while the malware shows its warnings it is in a wait state consuming minimal CPU cycles, which lets you close its processes, delete the registry entries or take screenshots if you want.
There are many variants of a malware; some of them monitor their registry entries and files, and as a consequence it is quite difficult to delete them or to kill the processes. Sometimes the malicious code is injected into legitimate processes such as svchost.exe, services.exe or the default browser process, and the disinfection can give some headaches. A process like svchost.exe can't be killed, but its CPU priority can be set to Below Normal, for example, if the process consumes too much CPU. In these cases it is recommended to do all the disinfection procedures in Safe Mode, where there are fewer chances for the malware to be loaded.
Don't forget: always delete the Temporary folder content during a disinfection procedure.
Also bear in mind that it is rare for a malware to be dropped on your computer alone. In this case, Desktop Security 2010, a FakeAlert type of malware, the symptoms are more annoying than dangerous, and the application is not very elaborate; for example, it can be sandboxed. More elaborate malware has anti-sandbox code inside preventing it from running in a virtual environment. However, along with the main malicious activity of a FakeAlert malware, forcing people to buy it, there can be more dangerous activities like stealing private data, collecting browsing history or opening the gate for other malware.
If the manual disinfection procedure described above looks difficult and hard to accomplish, it is advisable to keep a clone of your main partition saved on another one. This clone can be made with software like Acronis True Image, for example, and it will prevent data loss. The partition can be restored in a few minutes and you will have a fresh Windows installation.
When I checked my son's browsing history for the infection source, I was not able to find it, but I found a lot of warez sites. It is not my son's fault that when he searches Google for his kids' games, Google delivers results such as infected warez sites on the first pages. An 8-year-old kid cannot tell the difference between a warez site and a “good and clean” one.
However, to prevent computer infections and data loss it is better to keep an eye on your kids' computer; infections come in no time, even from just visiting a website, and the disinfection can be tough for an inexperienced user, even if he runs the best antivirus on the market.