Spyware more and more dangerous

Hi ye all,

Spyware is getting more and more dangerous. Spyware authors are coming to use rootkit techniques more frequently to prevent the malware from being found on systems that were infected.
Recent versions of CWS, one of the nastiest of spyware malware, now have rootkit-like features to hide the files on Windows systems. The new spyware variants show a trend: malware is becoming more and more complex and the makers more ingenious. The new forms found over the last few weeks hide the rootkit files in various datastreams. This is a new way for spyware that wants to spread unseen. The spyware rootkit does not have the advanced features of a kernel rootkit yet. Nevertheless, one should be alerted to these facts.

kindest regards,

polonus

Is this different than what was discussed in the following thread? Just curious…
http://forum.avast.com/index.php?topic=14287.msg120796#msg120796

Yes bob3160,

It is different, because the thread you replied to (thanx) is about certain new spyware found, and of a specific type, the Cool Web Search crap. It was not known before that CWS used rootkit-like features, but not the things from the other thread, that deals with a more threatening variety of the future to come: spyware with an inbuilt kernel rootkit (just a bit more nasty) and spyware distributed through a difficult to stop way such as RSS (something that works like a webpage but has the automatic functionality of e-mail; it opens up in your reader or browser). The new IE 7.0 is gonna have the RSS feed reader aboard. Just think what havoc malware makers can evoke, and to what gigantic outbreaks this instantly can come, when all these readers are getting these infected messages instantaneously. That was the message of the other thread. Quite something different, isn’t it Bob?
Keep up the good work,

yours faithfully,

polonus

and spyware distributed through a difficult to stop way as RSS
I have a few newsletters that I receive which come in RSS format. I will have to be careful and find out if that's going to be changed... Thanks

Yep Bob3160,

An ounce of prevention pays more than a pound of cleansing afterwards. If the security people tackle this subject, this means it is on their minds, and as the wise say “Where there is smoke, there is gonna be fire”. Don’t worry yet, but keep an eye out on developments in the future.

polonus

Hey, speaking of spyware, I received news that Aurora.exe is spyware disguised in a file called drpmon. Do any of you guys know about this? :-\

Hello Fixer,

Yep, it is like a continuing story, but alas no happy ending in sight. It all has to do with the workings of the so-called BHO Transponder gang. Musings and news on this notorious crap or rather scumware makers (although they themselves think otherwise, because there is a site where you can uninstall their Frankenstein malware) can be found here:
http://www.webhelper4u.com/tnewswritigs/bolger_aurora.html
Go there and get the latest information. Here is another link: http://www.vitalsecurity.org/2005/05/exploring-aurora.html
Spyware is getting that nasty because the clock is ticking out on the “normal” malware, because lawmakers want users to have a choice with spyware. And now they are re-organizing into a new theater.

Greetings,

your friend polonus

Hello polonus,

So all that means that standard antispyware programs such as AdAware and Spybot S&D soon won’t be able to detect the latest threats? :o Somewhere in my CDs I had a small program called RootkitRevealer. Do I need to find it or not? ??? ;D

Hello Ylap,

Yes, the Aurora spyware or nail.exe is a huge problem at the moment. The nasty beast is called Trojan.Win32.Stervis.b
The best you can do against it can be found in this thread:
http://forums.maddoktor2.com/index.php?showtopic=4730
As for RootkitRevealer, this is a good program; also get the program Flister from the Warsaw expert Pani Joanna Rutkowska here: http://invisiblethings.org/tools.html
Enjoy,

Yours sincerely,

Polonus

thanks polonus. just downloaded this program. but on the other hand rootkits are the weakest side of my knowledge about security, so it’s difficult for me to understand some things. :frowning:

Hi Fixer,

Relating to this post:

I have found this disinfection method. As I suppose you certainly know what you are doing, I give it here as I have found it; it may come in handy:

The Aurora Virus (yes, it is a virus) is quite a pest. Many people have tried ridding themselves of it by using antimalware/virus/spyware programs to no avail. The reason for this is because Aurora has a self duplicating, randomly named executable. This file is located in C:\windows\system32 and the name of it is six characters long (example: qwxogr.exe). The solution is as follows.

I’m assuming you are computer literate and know how to use Microsoft’s regedit.exe. If not, search this forum on how to use it. Some files (exes, dlls) can be hidden from regedit.exe. I suggest you use Reglite http://www.resplendence.com/download/reglite.exe instead.

Instructions for Aurora removal:

To make this process easier, follow these two steps:

  1. Boot to safe mode
    1a) Restart your computer
    1b) Press the F8 key continuously until the Safe Mode screen appears
    1c) Choose: Safe mode, with networking (If you need the references of
    the internet)

  2. Show hidden and system files
    Start > MyComputer > Tools Menu > Folder Options > View Tab
    Under the Hidden files and folders heading select Show hidden files and
    folders
    Uncheck the Hide protected operating system files (recommended) option

It is not necessary, but if you wish to disable the annoying popup “Windows File Protection” (which will appear many times during this process), navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and modify the key “SFCDisable” from 0 to ffffff9d. If you would like to turn it back on later, just change the value back to 0.

C:\Documents and Settings(User Name)\Local Settings\Temp\toc_0032.exe could possibly be the Aurora installer; delete this ASAP (it could also be in your Temporary Internet Files folder).

Deleting Harmful Files

  1. Clear temp dirs (temp AND temp internet files) and cookies

  2. Navigate to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run using regedit.exe or reglite. (Some of the entries in this directory are required for certain programs to start when Windows starts (example: antivirus). I prefer to have only required Windows files load at startup, so I deleted these registry entries. If you wish to have the programs start when Windows does (which will take up CPU cycles and RAM), leave them there.)

It may take you a while to figure out which entries are harmful, and which are not. (If you see any random numbers or letters (example: alsh2lhjasl), they are harmful.) Some of the malicious processes will be masked with names that look legitimate such as “rundll32.exe”. Under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run there will be some registry keys that are dlls, not exes. If you modify the key, you will see: 1) a mask (example: rundll32.exe) 2) the actual dll name to delete (located in c:\windows\system32).

  1. Once you figure out which entries are harmful, right click them and select “modify” to find out where they are located.

  2. After locating the files, delete them, then go back and delete the registry entries they were linked to. You must be in safe mode to delete some of the files; however, there is an alternative. Killbox http://www.bleepingcomputer.com/files/spyware/KillBox.zip will allow you to delete them in normal mode, but I will not provide instructions.

  3. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. Modify key: “Shell”. Remove “C:\WINDOWS\Nail.exe” from “Explorer.exe C:\WINDOWS\Nail.exe”. (There is a major vulnerability in Windows’ registry. Many executables listed in the registry do not contain the full pathname. The registry entry could therefore point to a “fake” explorer.exe. To fix this, change the “Shell” key from “Explorer.exe” to “C:\WINDOWS\explorer.exe”. Now you know for a surety that it points to the right executable.)

The following files are on a reciprocal duplicating system (meaning, when you delete one, the other one recreates it):

C:\WINDOWS\Nail.exe
C:\Documents and Settings(User Name)\Local Settings\Temp\toc_0032.exe
(main installer)
C:\Documents and Settings(User Name)\Local Settings\Temp\tp7543.exe
(main installer)
C:\WINDOWS\system32\adlinstallwin32.exe
C:\adlinstallwin32.exe

To permanently delete these files, follow these steps:

  1. Create a new text document and rename it to XXXX.exe or whatever you choose.
  2. Copy the name of the file (example: Nail.exe).
  3. Shift+Delete the file.
  4. Rename xxxx.exe by pasting the text Nail.exe before Nail.exe remakes itself.
  5. Right click the new Nail.exe and click read only.
    Leave this file in place; it is not harmful, it contains no code. Confirm this by checking the size of the file. It should be 0 bytes. Repeat these steps for all five of the reciprocating files.

Delete these directories (if they exist):
C:\temporary
c:\windows\browserxtras

Delete the main Aurora registry directory:
HKCU\Software\aurora

Once you are finished, none of these files or directories should exist:

Files:
C:\Documents and Settings(User Name)\Local Settings\Temp\toc_0032.exe
(main installer)
C:\Documents and Settings(User Name)\Local Settings\Temp\tp7543.exe
(main installer)
C:\WINDOWS\vwzailkubk.exe
C:\WINDOWS\Nail.exe
C:\WINDOWS\tdtb.exe
C:\WINDOWS\svcproc.exe
C:\windows\system32\elitealp32.exe
C:\WINDOWS\system32\adlinstallwin32.exe
C:\adlinstallwin32.exe
C:\WINDOWS\TASKMAN.exe
C:\WINDOWS\ilaijn.exe
C:\WINDOWS\ieuninst.exe
C:\WINDOWS\Q330994.exe

Directories:
C:\temporary
c:\windows\browserxtras
C:\WINDOWS\EliteToolBar

Main registry directory:
HKCU\Software\aurora

The file that Windows File Protection keeps saying was replaced was Windows Media Player. If, after you have removed all of the harmful files, WMP doesn’t work, run the following program:
C:\Program Files\Windows Media Player\setup_wm.exe
If that doesn’t update and fix WMP, then go to the Add/Remove Programs list and uninstall WMP. Once you restart your computer WMP should be reinstalled. If not, insert your Windows CD and install it.


Further prevention
This is the best guide on prevention:
http://www.silentrunners.org/sr_disinfection.html
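As a defender's companion to the quoted removal guide, here is an added audit script; it is not part of this thread and not from any tool the posters mention. It assumes a Windows host with PowerShell (the HKLM:/HKCU: drives), maps the guide's hard-coded XP paths onto $env:WINDIR and $env:TEMP (an assumption), and only reads: it reports on the Winlogon Shell value, SFCDisable, Run-key entries, and the files, directories and key the guide lists, so a cleanup can be confirmed rather than redone. The random-name rule is a heuristic built from the guide's own examples (qwxogr.exe, alsh2lhjasl) and needs a person to review what it flags.

```powershell
# Added example, not from the thread: a read-only audit of the persistence points
# the removal guide walks through (Winlogon Shell, SFCDisable, Run keys, the listed
# Aurora files/directories/key). It reports findings and deletes nothing.
# Assumptions: Windows host, PowerShell with HKLM:/HKCU: drives; the guide's
# hard-coded XP paths are mapped onto $env:WINDIR and $env:TEMP.

function Invoke-AuroraPersistenceAudit {
    $findings = New-Object System.Collections.Generic.List[string]
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # 1. Winlogon Shell must be exactly the full path to explorer.exe. A bare
    #    "Explorer.exe" or anything appended ("Explorer.exe C:\WINDOWS\Nail.exe"
    #    in the guide) is reported.
    $shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
    if (-not $shell) {
        $findings.Add('Winlogon Shell value is missing')
    } elseif ($shell.Trim().Trim('"') -ne "$env:WINDIR\explorer.exe") {
        $findings.Add("Winlogon Shell is '$shell'; expected '$env:WINDIR\explorer.exe'")
    }

    # 2. SFCDisable: the guide sets it to ffffff9d to silence Windows File Protection.
    #    A non-zero value left behind means WFP is still switched off.
    $sfc = (Get-ItemProperty -Path $winlogon -Name SFCDisable -ErrorAction SilentlyContinue).SFCDisable
    if ($null -ne $sfc -and $sfc -ne 0) {
        $findings.Add(('SFCDisable is 0x{0:x8}; Windows File Protection is disabled' -f $sfc))
    }

    # 3. Run keys: flag entries with no full path (look-alike binary risk), a
    #    random-looking name (heuristic from the guide's examples; review by hand)
    #    or a rundll32 mask loading a DLL, which the guide says hides the real payload.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                     'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }
            $cmd = [string]$p.Value
            if (-not $cmd) { continue }
            # first token of the command line, quotes stripped
            $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $base = [IO.Path]::GetFileNameWithoutExtension($exe)
            $reason = $null
            if ($exe -notmatch '^[A-Za-z]:\\') {
                $reason = 'no full path; could resolve to a look-alike binary'
            } elseif ($base -match '^[a-z]{6}$|^[a-z0-9]{10,}$') {
                $reason = 'random-looking executable name (heuristic)'
            } elseif ($cmd -match '(?i)rundll32\.exe\s+"?([^\s"]+\.dll)') {
                $reason = "rundll32 mask loading $($Matches[1]); review that DLL"
            }
            if ($reason) { $findings.Add("$key\$($p.Name) = '$cmd' : $reason") }
        }
    }

    # 4. Files, directories and the registry key named in the guide. A 0-byte
    #    read-only file is the placeholder the guide tells you to leave in place.
    $files = @("$env:WINDIR\Nail.exe", "$env:WINDIR\svcproc.exe", "$env:WINDIR\tdtb.exe",
               "$env:WINDIR\TASKMAN.exe", "$env:WINDIR\system32\adlinstallwin32.exe",
               'C:\adlinstallwin32.exe', "$env:TEMP\toc_0032.exe", "$env:TEMP\tp7543.exe")
    foreach ($f in $files) {
        $item = Get-Item -LiteralPath $f -Force -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        if ($item.Length -eq 0 -and $item.IsReadOnly) {
            $findings.Add("$f : 0-byte read-only placeholder (harmless, per the guide)")
        } else {
            $findings.Add("$f : present, $($item.Length) bytes; expected to be gone")
        }
    }
    foreach ($d in 'C:\temporary', "$env:WINDIR\browserxtras", "$env:WINDIR\EliteToolBar") {
        if (Test-Path -LiteralPath $d) { $findings.Add("$d : directory still exists") }
    }
    if (Test-Path 'HKCU:\Software\aurora') { $findings.Add('HKCU\Software\aurora : key still exists') }

    return $findings
}

$result = Invoke-AuroraPersistenceAudit
if ($result.Count -eq 0) { 'No Aurora persistence indicators found.' } else { $result }
```

Run it from an elevated prompt so the HKLM values are readable. The Shell check deliberately fires on anything other than one full path, which is the hardening the guide recommends; the Run-key rules only produce a review list, since the guide itself notes that some malicious entries hide behind legitimate-looking names that no pattern will catch.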

Thanks, but I’m not infected with the spyware, but thanks again for the advanced removal. ;D

Hi FIXER,

I knew you were not infected, but maybe you have to disinfect someone of it. That is why I placed it there.

greets,

polonus

So as it sits now, Avast can remove all of the problematic files with Aurora/nail.exe (during boot-time scan) if the signatures are updated to the newest, otherwise nail.exe runs via explorer.exe so you’d have to kill the processes.

Spyware Removers