Hi malware fighters,
In C:/Windows/system32/drivers Sysinternals Process Explorer is named:
剐䍏塅ㅐ〰匮卙 How come? The file is clean, uploaded to Jotti.
What is this?
polonus
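An added example, not code from the original post: the name 剐䍏塅ㅐ〰匮卙 is what you get when the plain ASCII bytes of a filename are read two at a time as UTF-16LE code units (each pair of letters becomes one CJK or Hangul symbol). Re-encoding the displayed text as UTF-16LE and reading the bytes back as ASCII yields PROCEXP100.SYS, which matches the procexp100.sys PDB path that appears later in the strings dump. The only input taken from the post is the displayed name; the function names and the reverse "mangle" helper are constructed for this thread.

```python
"""Undo (and reproduce) the ASCII-read-as-UTF-16LE mojibake of a filename.

Added example for this thread, not code from the original post. The only
value taken from the post is DISPLAYED_NAME; everything else is constructed.
"""
from typing import Optional

# The driver name exactly as it showed up in the poster's drivers folder.
DISPLAYED_NAME = "剐䍏塅ㅐ〰匮卙"


def recover_ascii_name(shown: str) -> Optional[str]:
    """Re-encode the displayed text as UTF-16LE and read the bytes as ASCII.

    Returns None when the bytes are not printable ASCII, which means the text
    was probably a genuine wide-character name rather than a misread ASCII one.
    A single trailing NUL (from an odd-length name) is tolerated and stripped.
    """
    raw = shown.encode("utf-16-le")
    try:
        candidate = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    candidate = candidate.rstrip("\x00")
    # Any remaining NUL or control byte means these were real wide characters.
    return candidate if candidate.isprintable() else None


def mangle_ascii_name(name: str) -> str:
    """The reverse: read an ASCII name's bytes as UTF-16LE.

    This is what happens when a narrow (ANSI) string is handed to an API that
    expects a wide string. An odd-length name gets one trailing NUL byte so
    the last byte still forms a complete code unit.
    """
    raw = name.encode("ascii")
    if len(raw) % 2:
        raw += b"\x00"
    return raw.decode("utf-16-le")


def explain(shown: str) -> list:
    """Pair each displayed character with the two ASCII bytes it hides."""
    return [(ch, ch.encode("utf-16-le").decode("ascii", "replace")) for ch in shown]


if __name__ == "__main__":
    name = recover_ascii_name(DISPLAYED_NAME)
    print(f"{DISPLAYED_NAME!r} -> {name!r}")
    for ch, pair in explain(DISPLAYED_NAME):
        print(f"  U+{ord(ch):04X} {ch}  =  {pair!r}")
    print(f"{name!r} -> {mangle_ascii_name(name)!r}")
```

Run it and the first line printed is the recovered name; the per-character breakdown shows, for instance, that 剐 is U+5250, i.e. the bytes 0x50 0x52, which are "P" and "R". A name that does not round-trip to printable ASCII comes back as None, so the same check can be dropped into a script that walks a drivers folder looking for names that only look Chinese.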
How did you get a process explorer file in the system32\drivers\ folder, I thought it was a stand alone non installed application. Mine is in my D:\Utilities-Non-Registry folder. I just downloaded the procexpnt.zip and extracted the files into the above folder. Since it doesn’t appear in add remove programs, I assume the above about stand alone application is correct.
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx
"I just downloaded the procexpnt.zip and extracted the files into the above folder. Since it doesn't appear in add remove programs, I assume the above about stand alone application is correct."
Same here DavidR, did the same and it's a stand-alone and not in add/remove programs ::)
Hi you two,
I have no clue how it landed there. Had some problems downloading from a browser, so that could be why it landed there. Changing the name in the above way seems to be cool to masquerade it. Going to start to analyse this file thoroughly, and keep you informed of the results. Just spotted it by chance, exploring the aec.sys file in the system32/drivers folder. The latter was an FP by COMODO BOClean (after an update the prompt vanished, and jotti.de and VirusTotal could not find anything on either file). You hear from me later,
polonus
"You hear from me later,"
I'm sure we will, polonus, the almighty malware fighter.... Hope the above-mentioned problem didn't damage anything on your system :)
What's an egel???
Hi fellows,
BintScan could not open the file because of "???.rpj - invalid argument". FileAlyzer could not open it because of an error in the syntax of the filename, foldername or volumename.
Opened it up after renaming it, and these are the contents:
/////////////////
00004D !This program cannot be run in DOS mode.
0012A2 RtlFreeAnsiString
0012C0 RtlUnicodeStringToAnsiString
0012E0 ObQueryNameString
0012FE ZwDuplicateObject
001312 ZwOpenProcess
001322 KeDetachProcess
001334 ObfDereferenceObject
00134C ObReferenceObjectByHandle
001368 KeAttachProcess
00137A PsLookupProcessByProcessId
001398 MmIsAddressValid
0013AC ObOpenObjectByPointer
0013C4 ZwQueryInformationProcess
0013E0 NtBuildNumber
0013F0 ZwOpenProcessToken
001406 IofCompleteRequest
00141C SeReleaseSubjectContext
001436 SePrivilegeCheck
00144A ExGetPreviousMode
00145E SeCaptureSubjectContext
001478 IoDeleteDevice
00148A IoDeleteSymbolicLink
0014A2 RtlInitUnicodeString
0014BA IoCreateSymbolicLink
0014D2 IoCreateDevice
0014E4 ExAllocatePoolWithTag
0014FA ntoskrnl.exe
001516 KfLowerIrql
001524 KfRaiseIrql
0018C8 L3P3`3h3l3t3x3
001949 :!:?:H:k:t:
001973 ?!?3?A?U?{?
002162 _DriverEntry@8
002171 _ProcExpGetComponentFileName@8
002190 _ProcExpGetObjectName@12
0021A9 _ProcExpOpen@8
0021B8 _ProcExpReadKstack@12
0021CE _ProcExpGetMutantOwner@12
0021E8 _ProcExpQueryDep@12
0021FC _ProcExpGetKcontext@12
002213 _ProcExpClose@4
002223 _ProcExpDeviceControl@36
00223C _ProcExpDispatch@8
00224F _ProcExpUnload@4
002260 __imp__RtlFreeAnsiString@4
00227B __imp__strncpy
00228A __imp__RtlUnicodeStringToAnsiString@12
0022B1 __imp__ObQueryNameString@16
0022CD __except_list
0022DB __except_handler3
0022ED __imp__ZwClose@4
0022FE __imp__ZwDuplicateObject@28
00231A __imp__ZwOpenProcess@16
002332 __imp__KeDetachProcess@0
00234B _imp@ObfDereferenceObject@4
002369 __imp__ObReferenceObjectByHandle@24
00238D __imp__KeAttachProcess@4
0023A6 __imp__PsLookupProcessByProcessId@8
0023CA _imp@KfLowerIrql@4
0023DF __imp__MmIsAddressValid@4
0023F9 _imp@KfRaiseIrql@4
00240E __imp__ObOpenObjectByPointer@28
00242E __imp__ZwQueryInformationProcess@20
002452 _NtBuildNumber
002461 __imp__ZwOpenProcessToken@12
00247E _imp@IofCompleteRequest@8
00249A __imp__SeReleaseSubjectContext@4
0024BB __imp__SePrivilegeCheck@12
0024D6 __imp__ExGetPreviousMode@0
0024F1 __imp__SeCaptureSubjectContext@4
002512 __imp__IoDeleteDevice@4
00252A __imp__IoDeleteSymbolicLink@4
002548 __imp__RtlInitUnicodeString@8
002566 __imp__IoCreateSymbolicLink@8
002584 __imp__IoCreateDevice@28
00259D __imp__ExAllocatePoolWithTag@12
0025BD _RtlFreeAnsiString@4
0025D2 __IMPORT_DESCRIPTOR_ntoskrnl
0025EF _RtlUnicodeStringToAnsiString@12
002610 _ObQueryNameString@16
002626 _RtlUnwind@16
002634 __global_unwind2
002645 __local_unwind2
002655 __abnormal_termination
00266C __seh_longjmp_unwind@4
002683 _ZwClose@4
00268E _ZwDuplicateObject@28
0026A4 _ZwOpenProcess@16
0026B6 _KeDetachProcess@0
0026C9 @ObfDereferenceObject@4
0026E1 _ObReferenceObjectByHandle@24
0026FF _KeAttachProcess@4
002712 _PsLookupProcessByProcessId@8
002730 _MmIsAddressValid@4
002744 _ObOpenObjectByPointer@28
00275E _ZwQueryInformationProcess@20
00277C __imp__NtBuildNumber
002791 _ZwOpenProcessToken@12
0027A8 @IofCompleteRequest@8
0027BE _SeReleaseSubjectContext@4
0027D9 _SePrivilegeCheck@12
0027EE _ExGetPreviousMode@0
002803 _SeCaptureSubjectContext@4
00281E _IoDeleteDevice@4
002830 _IoDeleteSymbolicLink@4
002848 _RtlInitUnicodeString@8
002860 _IoCreateSymbolicLink@8
002878 _IoCreateDevice@28
00288B _ExAllocatePoolWithTag@12
0028A5 __NULL_IMPORT_DESCRIPTOR
0028BF ntoskrnl_NULL_THUNK_DATA
0028D8 __imp__RtlUnwind@16
0028EC @KfLowerIrql@4
0028FB __IMPORT_DESCRIPTOR_HAL
002913 @KfRaiseIrql@4
002923 HAL_NULL_THUNK_DATA
002937 _lh_continue
002944 _lh_dismiss
002950 _lh_return
002965 _lh_unwinding
002973 _gu_return
00297E __unwind_handler
00298F _uh_return
00299A _lu_continue
0029B1 terd:\winddk\1381\lib\i386\free\procexp100.sys
002C5D VeriSign, Inc.1705
002C75 .Class 3 Public Primary Certification Authority0
002CA8 040716000000Z
002CB7 140715235959Z0
002CDF VeriSign, Inc.1
002CF8 VeriSign Trust Network1;09
002D18 2Terms of use at https://www.verisign.com/rpa (c)041.0,
002D55 %VeriSign Class 3 Code Signing 2004 CA0
002EE7 https://www.verisign.com/rpa01
002F15 http://crl.verisign.com/pca3.crl0
002F92 Class3CA2048-1-430
002FEC VeriSign, Inc.1705
003004 .Class 3 Public Primary Certification Authority
00311A Washington1
003141 Microsoft Corporation1)0’
003160 Microsoft Code Verification Root0
003185 060523170129Z
003194 160523171129Z0_1
0031BB VeriSign, Inc.1705
0031D3 .Class 3 Public Primary Certification Authority0
003386 Dhttp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
003628 VeriSign, Inc.1
003641 VeriSign Trust Network1;09
003661 2Terms of use at https://www.verisign.com/rpa (c)041.0,
00369E %VeriSign Class 3 Code Signing 2004 CA0
0036C8 060202000000Z
0036D7 070404235959Z0
003720 Sysinternals1>0<
003736 5Digital ID Class 3 - Microsoft Software Validation v21
003777 Headquarters1
00378E Sysinternals0
003871 /http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0D
0038CB https://www.verisign.com/rpa0
00391A http://ocsp.verisign.com0?
00393F 3http://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0
0039B8 47009c3de442d876ef3ae87cca155f6d0
003B2E VeriSign, Inc.1
003B47 VeriSign Trust Network1;09
003B67 2Terms of use at https://www.verisign.com/rpa (c)041.0,
003BA4 %VeriSign Class 3 Code Signing 2004 CA
//////////////////////////////
Anyone to comment?
polonus
PS. egel = porcupine (Dutch)
"Anyone to comment?"
So I guess a zaba is a frog??? ::)
Hi malware fighters,
We are getting nearer to the identification of this file.
“PROCEXP.SYS” file created/located under the "D:\WINDOWS\system32\drivers" directory ?? I’ve seen it for the first time yesterday …
You see, the thing is that AFAIK Process Explorer uses those special so-called “on-the-fly” created drivers, that are created (as files), loaded to RAM and deleted right away. They are named like for instance PROCEXP86 (older version), PROCEXP100 etc. Also, there is one new somehow strange entry visible in Autoruns, while it points to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PROCEXP
See the screenshot of that Autoruns entry attached:
Import table: ntoskrnl.exe, HAL.dll
Security: User, System NT AUTHORITY, Administrators (built-in)
ntoskrnl.exe is a critical process in the boot-up cycle of your computer, although it should never appear in WinTasks under normal circumstances. Note: ntoskrnl.exe can be altered by W32.Bolzano and variants. If this process appears in WinTasks, please update your virus definitions immediately.
When HAL.dll (Hardware Abstraction DLL) is in a different partition, make sure it is placed under "$SystemDir"/hal.dll.
polonus
Hi malware fighters,
Here is some more information on this mysterious driver file: procexp.sys from the horse’s mouth:
http://blogs.technet.com/markrussinovich/archive/2006/03/27/the-case-of-the-mysterious-driver.aspx
If I grasp what I read there right, it has to do with DRM. There is really nowhere to hide anymore.
polonus
Very interesting, but the driver he is on about is asctrm.sys, not a Process Explorer device driver, and it doesn't account for the renaming of the procexp.sys file.
I also don’t have the procexp entry in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services registry key.
Important: Some malware camouflage themselves as ASCTRM.sys, particularly if they are located in the c:\windows or c:\windows\system32 folder. Thus check the ASCTRM.sys process on your PC to see whether it is a pest. We recommend Security Task Manager for verifying your computer's security. It is one of the Top Download Picks of 2005 of The Washington Post and PC World.
Just saw this, DavidR, and maybe:
http://www.file.net/process/asctrm.sys.html
http://www.neuber.com/taskmanager/download.html
Hi DavidR.
We aren't out of the woods yet, because there could also be a malicious stroke to it: http://www.cnxhacker.com/Article/Print.asp?ArticleID=4200
But because it is on a normal user account, probably not effective in getting this Exploit.VBS.Phel.1 to work…
ASCTRM.sys is not there.
polonus
I don't have ASCTRM.sys on my system either, legit or otherwise.
Having a look at the cnxhacker.com link you gave, glad I have the FF translator (Web Site translation extension); my simplified Chinese is non-existent.
Hi DavidR,
Well, nice translation tool that FF translator add-on, uh, makes you read all that scary Chinese rootkit stuff or comments on the mysterious procexp.sys driver. Well, I went to start - programs - accessories - system tools - system information, double-clicked software environment, and double-clicked drivers to see all that was started up and running for signs of Ali or Poot trojan related drivers, scanned all with GMER - not a trace of something fishy there - so no driver ierk8248 either.
For the moment the only reason for it being there is me installing the oriental browser Sleipnir, or a malformed-URL buffer overflow to get access to run something with full rights (which was warded off by my configuration, I hope); also BOClean reacted, but apparently that was an F.P. So my dear Watson, that is where we are at the mo.
Just a question on trust here: what is the status of something that runs as AUTHORITY Administrators (built-in)? It is part of the SYSTEM NT AUTHORITY. I think I told here once that something run as SYSTEM could surpass all, and that this can be used to elevate the authority of another process to run.
I remember I had it mentioned in a thread here somewhere: scanning as SYSTEM…
yours truly,
polonus
Polonus, I don't know if this has anything to do with this file you found or not. But when I have tried to download that oriental browser "sleipnir" to my PC using WinXP SP2, I get a prompt that states something to the effect that it cannot install sleipnir because another program is using the file. I am not at home now and can't tell you what file it referred to, but I just thought I would pass this on to you.
Hi neal63,
Thanks for your reaction. Yes and this crossed my mind also. I forwarded the files the original Oriental one and the renamed one to a Chinese security expert for comment, analysis and additional info.
Hope to hear from him what we have here.
polonus
The Chinese translation comes here:
Thank you for your reaction. Yes, and this crossed my mind also. I forwarded the files, the original Oriental one and the renamed one, to a Chinese security expert for comment, analysis and additional info.
Hope to hear from him what we have here.
Translation Google English to Chinese Beta…
polonus