Winlogon.pif

I detected Winlogon.pif as a virus on August 10, 13.00 GMT, during a Microsoft update from their Dutch server, because of alerts from WinPatrol and the Sygate firewall and subsequent examination of the file. This does not necessarily mean that the Microsoft server was itself infected. In spite of denial, the virus installed itself by means of the Windows Update installation.
In the meantime, Russian antivirus products have detected the virus, e.g. DrWeb: Win32.HLLW.MyBot. There is more information on the F-Secure site (Google the file name).
In addition I found that more registry keys are placed than reported (search the entire registry for the file name), but first kill the process in Task Manager and delete or rename the file (which is in the system folder, i.e. system32). This seems to be sufficient. No rootkit detected.

If the virus succeeds in accessing the internet, complete malicious control of your computer will follow and all kinds of sensitive data will be stolen. The winlogon.pif process will in any case listen on all ports up to 5000 (which can be seen with an active-ports program).

I hope this message may be useful…

Hi Nicolas,

As more and more viruses require this lately, this malware backdoor too must be disinfected manually, by renaming the infected file in the Windows System folder and then restarting the system. Windows must be set to show read-only, system and hidden files in order to take out the start-up keys this backdoor file has created. For exact instructions on how to do this see: http://www.f-secure.com/v-descs/sdbot_ada.shtml

greets,

polonus

PS “Thanks for your contribution, Nicolas”
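The start-up-key hunt that both posts above describe (search the whole registry for the file name; take out the keys the backdoor created), as an added example that is not code from the thread, from F-Secure or from any of the tools mentioned. It works on a regedit text export (`regedit /e out.reg HKEY_LOCAL_MACHINE` or `reg export HKLM hklm.reg` on the machine) rather than on the live hive, so it runs anywhere and can be pointed at an export pulled from a suspect box. The sample export, the “Windows Logon” value name and the Winlogon\System value in it are constructed for illustration and are not taken from the thread or from any published description of this malware; the list of core Windows binary names is likewise an assumption.

```python
"""Scan a regedit text export for references to a suspect file name.

Added example. SAMPLE_REG is constructed for illustration; its value
names are assumptions, not facts about winlogon.pif.
"""
import re
from typing import Iterator, List, Tuple

Entry = Tuple[str, str, str]  # (key path, value name, decoded data)

# Constructed sample. Real exports are UTF-16LE with a BOM: read them with
# open(path, encoding="utf-16").
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Logon"="C:\\WINNT\\system32\\winlogon.pif"
"avast!"="C:\\Program Files\\Alwil Software\\Avast4\\ashDisp.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINNT\\system32\\userinit.exe,"
"System"=hex(2):77,00,69,00,6e,00,6c,00,6f,00,67,00,6f,00,6e,00,2e,00,70,00,\
  69,00,66,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
'''

# "name"=data  or  @=data (default value); the name may contain \" escapes
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
# Assumption: core Windows binaries that malware likes to imitate by name
WINDOWS_CORE = {'winlogon', 'svchost', 'lsass', 'services', 'csrss', 'explorer', 'userinit'}
_EXE_RE = re.compile(r'([\w$.-]+)\.(pif|com|scr|bat|cmd|exe)\b', re.I)


def _unescape(s: str) -> str:
    """regedit doubles backslashes and escapes quotes inside string data."""
    return re.sub(r'\\(.)', r'\1', s)


def _decode_hex(kind: str, payload: str) -> str:
    raw = bytes(int(b, 16) for b in payload.split(',') if b.strip())
    if kind in ('hex(2)', 'hex(7)'):  # REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE
        return raw.decode('utf-16-le', errors='replace').rstrip('\x00').replace('\x00', ' | ')
    return raw.hex()  # REG_BINARY and friends: keep as hex so a grep still works


def _logical_lines(text: str) -> Iterator[str]:
    """Join continuation lines (trailing backslash) back into one value line."""
    buf: List[str] = []
    for line in text.splitlines():
        if line.endswith('\\'):
            buf.append(line[:-1].strip())
            continue
        buf.append(line.strip())
        yield ''.join(buf)
        buf = []
    if buf:
        yield ''.join(buf)


def parse_reg_export(text: str) -> List[Entry]:
    entries: List[Entry] = []
    key = None
    for line in _logical_lines(text):
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            continue  # header line or a value type this example does not model
        name = '(Default)' if m.group(2) else _unescape(m.group(1))
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        elif data.startswith('hex'):
            kind, _, payload = data.partition(':')
            data = _decode_hex(kind, payload)
        entries.append((key, name, data))  # dword:xxxxxxxx is kept verbatim
    return entries


def find_references(entries: List[Entry], filename: str) -> List[Entry]:
    """Every value whose name or data mentions the file name, case-insensitively."""
    needle = filename.lower()
    return [e for e in entries if needle in e[1].lower() or needle in e[2].lower()]


def lookalikes(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Core Windows binary names carrying a non-.exe executable extension:
    the winlogon.pif pattern, same stem as winlogon.exe, different extension."""
    hits = []
    for key, name, data in entries:
        for stem, ext in _EXE_RE.findall(data):
            if stem.lower() in WINDOWS_CORE and ext.lower() != 'exe':
                hits.append((key, name, f'{stem}.{ext}'))
    return hits


if __name__ == '__main__':
    found = parse_reg_export(SAMPLE_REG)
    for key, name, data in find_references(found, 'winlogon.pif'):
        print(f'[{key}] "{name}" -> {data}')
    for key, name, what in lookalikes(found):
        print(f'lookalike {what} in [{key}] "{name}"')
```

Decoding the hex(2)/hex(7) values matters because a plain text search of the export misses a path stored as REG_EXPAND_SZ or REG_MULTI_SZ; the lookalike check catches the case where the file has been renamed but the pattern (a Windows binary's name with a .pif or .com extension) is still there.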

Hi Polonus !

Because the winlogon.pif virus places more registry keys than F-Secure reports, I have now found the associated LSA rootkit keys (GencTurK rootkit / wkssv32.exe). However, the known rootkit files in C:\ and system32 are not present. Probably WinPatrol or SpywareBlaster did a good job. Hence my rootkit detection was negative.

There is also another suspicious file associated with it that has “Microsoft Corporation” in the header, is PE-compressed and encrypted, and behaves like winlogon.pif: aspfnet.exe in system32. I killed this process first (before winlogon.exe) and removed the file. The registry keys are clearly related and the timestamps are equal. The latter file was not recognized as a virus by any of the online scanners and is not found in a Microsoft database, and is therefore probably not genuine. Although not completely sure (this occurred during a Microsoft update!), I decided to take action. Both processes tried again and again to access the internet, but in vain because of the firewall.

Yes, we have a big problem with this kind of virus. How to design a signature?
Fortunately, they are not destructive, for the aim is to steal data and to get control of the computer. They say some 90% of all computers are already infected.

Nicolas, I don’t have an aspfnet.exe file in system32, but my Windows is fully updated… are you sure this has already infected 90% of the computers?

Hi Nicolas,

If the LSA rootkit has been dropped, you can consider running this removal tool, just to be sure:
http://securityresponse.symantec.com/avcenter/venc/data/w32.mytob.ar@mm.removal.tool.html

Then MyTob has been there as the dropper, and it is known to do this. In my opinion both SDBot and MyTob infected this machine. Did you do an online scan? SpywareBlaster is a blessing on clean systems; installed on an infected OS it is a double-edged sword, because it can protect infected files, which is not actually what it should do. And the malcreants know all these things. They know a lot. They know how system protection and restore work, they know what ActiveX does to ruin Norton. It is not actually a cat-and-mouse game, my boy, it is full-blown cyberwar, like a game of chess, ever evolving. Good luck with cleaning your system(s).

greets,

polonus

Hi Tech, Hi Polonus.

In general 90% of all machines are infected anyway, but in this case I’m afraid it may also be true because the security updates of Microsoft were compromised. Users of WinXP without additional protection must all be lost… I got a warning from WinPatrol and Sygate both during the download, and from that moment on the downloads of the security updates failed (checksum error).
I had already removed all the run keys for winlogon.pif (also LSA and OLE) when Spybot S&D detected the LSA group.
A thorough scan (incl. archives) with Avast also revealed Win32:SQLSlammer in the Sygate Rawlog.log files: removed after rebooting. This virus could do no harm because my Win2k Pro has SP4 and therefore has the required patch. It appeared that same day; the day before all was absolutely clean.
My experience with WinPatrol is quite good. It has saved my machine several times. The activities of SpywareBlaster are hard to evaluate.

Thanks for the Symantec link for the MyTob removal.

In my opinion the guy who designed this virus garbage (are you reading this too?) made a number of stupid mistakes. He will be mated soon.

Regards, Nicolas

Hi Nicolas,

Just curious because of the line your comment is taking, together with the things you mentioned: what kind of firewall solution are you using, and is it up to date? 90% of all machines can get infected that way, you are absolutely right. Every end-user nowadays needs a multilayered defense against the threats from the Net (approx. 1600 attacks per hour). This multilayer defense consists of one (but only one) resident AV product, and here we advise Avast; optional non-resident second-opinion scanners like ClamWin or BitDefender; some System Safety Monitor; one and only one resident firewall system, together with ScripTrap for instance; and the known combination of anti-ad- and spyware programmes: think of Ad-Aware, Spybot S&D, SpywareBlaster, Bazooka. To secure the browser, I use Firefox for security reasons, with NoScript and a plugged-in link-checker to Dr. Web’s update server to pre-scan all browser links. In this way we are beginning to talk shop security-wise. Otherwise going online is like playing Russian roulette with a blindfolded partner.

greets,

polonus

For those readers who do not know this! I forgot to mention that Windows by default does not show these virus files in Explorer: you have to enable “show hidden files” and also extensions and data. Your help files will tell you how to do this. You will be surprised :o

Hi Polonus,

Did not see your message last night.

I use the latest version of the Sygate firewall, of course Avast, and have ClamWin ready; I use Spybot S&D, Ad-Aware and SpywareBlaster; in addition I have a lot of system, registry and file tools. As soon as something suspicious happens, I also examine the known vulnerable folders manually to see whether something has changed there, for you can’t rely on automation completely.
Thus you need a lot of special stuff and a lot of time. Nevertheless, those cyberbastards manage to compromise your system.
Ordinary computer users - running Microsoft’s products - are not quite aware of the risks, and don’t even bother about it. I don’t blame Microsoft: they simply can’t design a product that meets the highest security standards and is still as user-friendly and full of capabilities as the general public demands. At Microsoft the largest concentration of computer specialists in the world is constantly busy with security problems…
Linux users are a 5% minority and the kind of people the cyberterrorists are avoiding. Something like radio engineers and amateurs (as I am myself).

The kind of viruses we are talking about will not last long. Nowadays, all users of high compression and cryptography are trapped on the internet and immediately traced. All the software concerned is compromised by the various authorities and is therefore worthless for illegal purposes. All bad things also have some good aspects, including paranoia.

Greetings.

Hi Nicolas,

Thanks for the reply; good solid “cod-liver oil” protection, worthy of our generation, though I am slightly younger (born after the war, before the flood disaster). To show you that all is not as rock solid as some people are made to believe, see this: http://www.malwareblog.com/?p=141. So it is true that we are out on our own and have to educate ourselves.

Greets,

polonus

Dear Polonus, very true indeed.

Spent several hours last night checking my system thoroughly. No traces of SDBot or MyBot. The specific Symantec virus remover did not detect anything either.

This morning I manually updated Avast and immediately the Sygate firewall alerts started. The bastards do indeed use port 80 and merge with update processes. Not very serious this time. From the traffic log:

system32\thebody.exe
tries to open port 1040, to contact fbvnx.dynalias.net (10.0.1.128)

system32\lilbabe.exe
tries to open port 6548, to contact vmware-02.uselessdomain.info (65.110.60.94)

I had to rename them and reboot in order to delete them. No run keys found.

Tracing all those attacks (indeed hundreds per hour are found in the logs) makes little sense. Almost all come from other infected computers, as I soon found out.

(private; originally in Dutch)

I often wonder what the point of all this is. In the old days I built my own receivers and transmitters and had worldwide contacts by Morse key and microphone. That had something I now completely miss with Windows and the internet.
The “ordinary” people had their trusty radio with the green backlit dial and could listen while doing something useful. That disappeared with the staring at a small TV screen in a half-darkened room. As a student I earned some extra money repairing all those valve sets. When transistors and ICs appeared, the dilemma arose whether costly repairs still made sense. Nowadays the circuit boards end up with the bulky waste (only the power cord and the loudspeakers have often gone missing).
I hated those computers right from the start, but I can no longer do without them. My scientific work requires it.
From a Russian colleague I received a “super” DOS program, complete with programming facilities in a kind of Forth. Very fast, stable and secure (military specs). No more viruses, but not exactly a product for the average consumer.

Regards,
Nicolas
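The two Sygate traffic-log entries Nicolas quotes in the post above (an unknown system32 binary contacting a dynamic-DNS host, one of them resolving to a 10.x address), turned into a small triage script as an added example; this is not code from the thread, from Sygate or from any of the tools named in it. The two-line entry shape below is constructed to mirror how the post quotes the log and is not Sygate's actual log format; the system32 allowlist, the dynamic-DNS suffix list and the third, benign entry (update.example.com, 203.0.113.10) are assumptions for illustration.

```python
"""Triage outbound-connection alerts like the two quoted from the Sygate log.

Added example. The entry format is a constructed two-line shape, not
Sygate's on-disk format; allowlist, suffix list and the third entry are
assumptions for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: the first two entries are the ones quoted in the post,
# the third is a made-up benign one so the script has something to pass.
SAMPLE_LOG = """\
system32\\thebody.exe
tries to open port 1040, to contact fbvnx.dynalias.net (10.0.1.128)

system32\\lilbabe.exe
tries to open port 6548, to contact vmware-02.uselessdomain.info (65.110.60.94)

system32\\svchost.exe
tries to open port 1039, to contact update.example.com (203.0.113.10)
"""

_ENTRY_RE = re.compile(
    r'^(?P<proc>\S+)[ \t]*\n'
    r'tries to open port (?P<port>\d+), to contact (?P<host>[\w.-]+) \((?P<ip>[\d.]+)\)',
    re.M,
)

# Assumption: binaries a Win2k/XP box is expected to run out of system32 and
# let through the firewall. Anything else in that folder deserves a look.
KNOWN_SYSTEM32 = {'svchost.exe', 'lsass.exe', 'services.exe', 'winlogon.exe', 'wuauclt.exe'}
# Assumption: a small illustrative list of dynamic-DNS providers' domains.
DYN_DNS_SUFFIXES = ('.dynalias.net', '.dyndns.org', '.no-ip.com')
# Checked explicitly rather than via ip_address().is_private, which also
# covers documentation ranges such as 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n) for n in ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')]


@dataclass
class Connection:
    process: str
    port: int
    host: str
    ip: str


def parse_log(text: str) -> List[Connection]:
    """One Connection per two-line entry; malformed text simply yields nothing."""
    return [Connection(m['proc'], int(m['port']), m['host'], m['ip'])
            for m in _ENTRY_RE.finditer(text)]


def flags(c: Connection) -> List[str]:
    """Reasons an entry deserves manual inspection; empty for an unremarkable one."""
    reasons = []
    image = c.process.rsplit('\\', 1)[-1].lower()
    if c.process.lower().startswith('system32\\') and image not in KNOWN_SYSTEM32:
        reasons.append('unknown binary in system32')
    if c.host.lower().endswith(DYN_DNS_SUFFIXES):
        reasons.append('dynamic-DNS destination')
    # A public host name that resolves to a LAN address is worth a look on its own.
    if any(ipaddress.ip_address(c.ip) in net for net in RFC1918):
        reasons.append('resolves to an RFC 1918 address')
    return reasons


def triage(text: str) -> List[Tuple[str, str, List[str]]]:
    return [(c.process, c.host, flags(c)) for c in parse_log(text)]


if __name__ == '__main__':
    for proc, host, why in triage(SAMPLE_LOG):
        print(f'{proc:28} -> {host:32} {", ".join(why) or "ok"}')
```

The process name is deliberately judged by an allowlist rather than a blocklist: the thread's whole point is that the binaries carry plausible names, so the only useful question for a system32 image is whether it is one you expect, not whether it is one you already know to be bad.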