Government Security
Network Security Resources

I got infected with this

windows scanner malware virus c++ md5 patch
12 replies to this topic

#1 Lie8

Lie8

    Private First Class

  • Members
  • 41 posts

Posted 16 June 2009 - 09:16 AM

Well ... until now I used to clean these USB-spreading shitties with a HijackThis + lbprocman combo ... but this shit keeps coming back as %System32%\ctfmon.exe and I still couldn't find a good way to remove it ... amazingly enough it has a quite decent record in the online scanners for a gen malware.

VirusTotal :
Result: 4/41 (9.76%)

Engine	Version	Signatures	Result
AVG	8.5.0.339	2009.06.16	Patched_c.BWX
eSafe	7.0.17.0	2009.06.16	Win32.Agent.kxqu
McAfee+Artemis	5647	2009.06.15	Artemis!C182878D8545
Prevx	3.0	2009.06.16	Medium Risk Malware

PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (53.1%)
Windows Screen Saver (18.4%)
Win32 Executable Generic (12.0%)
Win32 Dynamic Link Library (generic) (10.6%)
Generic Win/DOS Executable (2.8%)

http://www.virustotal.com/analisis/bd7f620e336d7e945ccec9d05d7a8f34136269170e78e4828097f32146b89b00-1245171512

http://virusscan.jotti.org
AVG 2009-06-16 Patched_c.BWX

File size: 	 97791 bytes
Filetype: 	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5: 	c182878d8545a827becf299c1832b1b7
SHA1: 	21e72728bc046b8ec16155c1aa5a715079c4faef


Here is the sample, guys ... if only someone can find a removal method.

Attached Files



#2 bonarez

bonarez

    Retired GSO Second Lieutenant

  • Sergeant Major
  • 1,252 posts

Posted 16 June 2009 - 10:00 AM

There are a lot of ways to disable USB autorun; most simply don't work.

The easiest way I found was using MS PowerToys, more specifically TweakUI (on XP, that is):
hxxp://download.microsoft.com/download/f/c/a/fca6767b-9ed9-45a6-b352-839afb2a2679/TweakUiPowertoySetup.exe

I've been meaning to do a regcompare to find out what keys are actually affected, because I see a lot of 'reg recommendations' that do not deliver.

This just keeps you safe from autoruns, not from metadata exploits; just 'browsing' your USB device can still get you infected.
"Ask the right question and you will receive the right answer. I'm just very sensitive about the right syntax"

Read the rules before you post

#3 Jeremy

Jeremy

    Commander in Chief

  • Retired Admin
  • 2,459 posts

Posted 16 June 2009 - 01:53 PM

You can disable autorun by mapping all your drive letters to a share leaving 0 available drive letters to assign to the USB drive. :D

#4 Lie8

Lie8

    Private First Class

  • Members
  • 41 posts

Posted 16 June 2009 - 08:45 PM

Thanks for the replies, guys ... but I'm not talking about autorun ... I disabled that already ... I just want to know how to kill it manually ... the file ctfmon.exe keeps coming back however many times I kill it ... and I am not able to find the main file ... could it be that it's injected into explorer.exe? If yes, then is there any solution for that?

#5 bonarez

bonarez

    Retired GSO Second Lieutenant

  • Sergeant Major
  • 1,252 posts

Posted 17 June 2009 - 11:20 AM

The file ctfmon.exe, in the %windir%\system32 directory, has a startup entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Run. But it also starts when you start up Office, as it is a part of Office.

If the file is infected you could try to remove Office, then remove the file, and reinstall Office. Or replace it with another ctfmon.exe from a 'safe' system.

But it's probably better to play safe and reinstall Windows completely.
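Before killing anything it is worth confirming that the file on disk really is the patched one and finding what is starting it. The script below is an added example from the editor, not code posted in the thread. It assumes Windows PowerShell 2.0 or later on XP/Vista/7, an elevated prompt, and uses the two hashes Lie8 posted for his sample; the WFP cache path (system32\dllcache) is the XP location and is simply skipped when absent.

```powershell
# Editor's added triage script, not code from the thread. Assumes Windows
# PowerShell 2.0 or later on XP/Vista/7 and an elevated prompt. The two
# hashes are the ones Lie8 posted for his sample; everything else is generic.
$knownBad = @{
    MD5  = 'c182878d8545a827becf299c1832b1b7'
    SHA1 = '21e72728bc046b8ec16155c1aa5a715079c4faef'
}
$target  = Join-Path $env:windir 'system32\ctfmon.exe'
# On XP, Windows File Protection keeps a pristine copy here (absent on Vista and later)
$wfpCopy = Join-Path $env:windir 'system32\dllcache\ctfmon.exe'

function Get-HashHex {
    param([string]$Path, [string]$Algorithm)
    $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $hasher.ComputeHash($stream) }
    finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
}

if (-not (Test-Path $target)) {
    Write-Warning "$target not found"
    return
}

$item = Get-Item $target
$md5  = Get-HashHex -Path $target -Algorithm 'MD5'
$sha1 = Get-HashHex -Path $target -Algorithm 'SHA1'
"{0}: {1} bytes, MD5 {2}, SHA1 {3}" -f $target, $item.Length, $md5, $sha1

if ($md5 -eq $knownBad.MD5 -or $sha1 -eq $knownBad.SHA1) {
    Write-Warning 'ctfmon.exe matches the hashes of the sample posted in this thread'
}

# A genuine ctfmon.exe carries Microsoft version info; a patched or replaced one usually does not
$ver = $item.VersionInfo
"Company: {0}; Description: {1}; Version: {2}" -f $ver.CompanyName, $ver.FileDescription, $ver.FileVersion

# Compare against the WFP cache copy; a mismatch means system32 was patched (or both were)
if (Test-Path $wfpCopy) {
    $cacheMd5 = Get-HashHex -Path $wfpCopy -Algorithm 'MD5'
    if ($cacheMd5 -ne $md5) { Write-Warning "dllcache copy differs (MD5 $cacheMd5)" }
    else { 'system32 and dllcache copies are identical' }
}

# Startup entries that reference ctfmon in the per-user and machine Run keys
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }    # provider metadata, not registry values
        if ("$($p.Value)" -match 'ctfmon') { "{0}\{1} = {2}" -f $key, $p.Name, $p.Value }
    }
}
```

If the dllcache copy is clean and the hashes differ, the system32 file was patched in place rather than added, which fits the AVG "Patched_c" name in the VirusTotal results. If both copies match the posted hashes, the WFP cache was overwritten too and replacing the file from a known-good system (as bonarez suggests) is the only way to get a clean binary back. The Run key check only covers the two classic locations; an injected explorer.exe, which Lie8 suspects, would not show up here.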

#6 GhostShell

GhostShell

    Staff Sergeant

  • Members
  • 345 posts

Posted 18 June 2009 - 04:49 PM

It doesn't look like typical behaviour of an autorun trojan, but maybe someone else has seen this behaviour.

Hope this helps. Click here to view the analysis of the executable.
http://pcsubject.com/ <- My new Blog

"As a young boy, I was taught in high school that hacking was cool." -Kevin Mitnick

"It's easy to point and click programs, but thats not real hacking." -illwill

#7 Lie8

Lie8

    Private First Class

  • Members
  • 41 posts

Posted 21 June 2009 - 08:20 PM

@bonarez, I know m8, that's the way ... but I'd like to discover a way to kill it ... I always killed other viruses like Brontok etc. ... and that's why I don't even use AV ... I may re-install XP but I wanna try killing it first.

@GhostShell, thanks for the help m8 ... I totally forgot about this ... now I can research a little with it ... anyone else's help is needed too ... thanks in advance.

#8 Edu

Edu

    First Sergeant

  • Members
  • 2,269 posts

Posted 22 June 2009 - 05:07 PM

You may try changing file permissions on ctfmon so that it will not be executed (deny Administrators / SYSTEM / Users / Power Users any kind of access, including read access). You may use the command-line tool cacls.exe. But this can be circumvented if there is something more running there that you don't know about. Alternatively you can hijack the execution of ctfmon by creating an entry in the registry:

HKLM\SOFTWARE\Microsoft\windows\currentversion\image file execution options

a new key named ctfmon.exe

at the ctfmon.exe key, create a new string value called Debugger

set the data to another program you wish; it can even be calc.exe.

This will cause the program you selected to be executed instead of ctfmon every time some other program tries to run it. Beware what program you choose, because the command line actually executed is:

someprogram.exe ctfmon.exe, not simply someprogram.exe
http://www.secumania.net - Secumania security blog.


Embed any executable in a JPEG image and get it to run upon opening the image with this cool tool that abuses a feature of GDI in Windows systems. for governmentsecurity.org members only! click here to get it!
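The Image File Execution Options hijack above, scripted so it can be set, verified and undone. This is an added example from the editor, not Edu's code. It assumes an elevated Windows PowerShell 2.0 or later prompt, and writes the Debugger value under "Windows NT\CurrentVersion\Image File Execution Options", which is the key the Windows loader actually reads. The image name is matched on file name alone, so every ctfmon.exe on the machine, the genuine one included, gets redirected.

```powershell
# Editor's added example of the IFEO Debugger hijack described in the post;
# not code from the thread. Assumes an elevated Windows PowerShell 2.0+ prompt.
param(
    [string]$Image    = 'ctfmon.exe',
    [string]$Debugger = 'calc.exe',   # calc.exe as in the post; it ignores the appended arguments
    [switch]$Remove
)

$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$key  = Join-Path $ifeo $Image

if ($Remove) {
    if (Test-Path $key) {
        Remove-ItemProperty -Path $key -Name 'Debugger' -ErrorAction SilentlyContinue
        $k = Get-Item $key
        # Only delete the subkey if nothing else (e.g. a vendor's own values) is left in it
        if ($k.ValueCount -eq 0 -and $k.SubKeyCount -eq 0) { Remove-Item $key }
    }
    "IFEO Debugger entry for $Image removed"
    return
}

# Defender's check first: list every image that already has a Debugger set,
# since the same trick is a common malware persistence method
Get-ChildItem $ifeo | ForEach-Object {
    $d = (Get-ItemProperty -Path $_.PSPath).Debugger
    if ($d) { "existing hijack: {0} -> {1}" -f $_.PSChildName, $d }
}

if (-not (Test-Path $key)) { New-Item -Path $key | Out-Null }
# REG_SZ "Debugger": CreateProcess runs  <Debugger> <original command line>  instead of the image
New-ItemProperty -Path $key -Name 'Debugger' -Value $Debugger -PropertyType String -Force | Out-Null

# Read it back; a typo in the key path silently does nothing, so verify
$set = (Get-ItemProperty -Path $key).Debugger
"{0} is now launched as: {1} <full path to {0}> <its arguments>" -f $Image, $set
```

Run it with no arguments to set the hijack, and with -Remove to take it out again. What Windows appends to the Debugger string is the complete original command line (full path plus any arguments), so the chosen program must tolerate that. The entry is only a speed bump for anything running as Administrator, since the malware can delete the key just as easily as it was created, and while it is in place the legitimate ctfmon (the text services / language bar process) will not start either.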

#9 bonarez

bonarez

    Retired GSO Second Lieutenant

  • Sergeant Major
  • 1,252 posts

Posted 22 June 2009 - 07:30 PM

A little off-topic, but cacls.exe or xcacls.vbs used to be nice, not anymore:

consider this:
# %windir% is cmd.exe syntax; PowerShell expands $env:windir instead
$badfile = Join-Path $env:windir 'system32\ctfmon.exe'
$objACL = Get-Acl $badfile
# Detach from the parent's inherited ACEs, then drop every explicit rule
$objACL.SetAccessRuleProtection($true, $false)
foreach ($rule in $objACL.Access) { $objACL.RemoveAccessRuleAll($rule) | Out-Null }
Set-Acl -Path $badfile -AclObject $objACL
wrote it up without testing, but it's about right

setinacl was pretty good, but limited too as it does not work on DFS

I'm really taking a liking to PowerShell, at least MS doesn't have to be ashamed anymore compared to sh/bash :lol:

#10 Edu

Edu

    First Sergeant

  • Members
  • 2,269 posts

Posted 23 June 2009 - 02:08 AM

(quoting bonarez's post #9 above)


If the intention is only blocking execution of a file then cacls is fine. Of course an administrator is able to reset the permissions, but if the malware doesn't perform a check on permissions then the trick will work. Maybe it is easier and more effective to hijack the execution of the program using the method I described above, or a less used one which consists of appending a data stream named zone.identifier and giving it an ID of 3 or 4.
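For the "only block execution" case Edu describes, an explicit Deny ExecuteFile ACE is more precise than stripping every ACE as bonarez's snippet does: the file stays readable, so it can still be hashed and scanned, and the change is reversible with one call. cacls.exe can only deny all access, which is why the finer-grained right needs xcacls or the .NET ACL classes. This is an added example from the editor, not code from the thread. It assumes an elevated Windows PowerShell 2.0 or later prompt and that the caller may write the file's DACL (on Vista and later system32 files are owned by TrustedInstaller, so ownership may have to be taken first).

```powershell
# Editor's added example, not code from the thread: an explicit Deny-Execute
# ACE for Everyone instead of removing every ACE. Assumes an elevated Windows
# PowerShell 2.0+ prompt and write access to the file's DACL.
param(
    [string]$Path = (Join-Path $env:windir 'system32\ctfmon.exe'),
    [switch]$Undo
)

# Well-known SID for Everyone (S-1-1-0) avoids locale-specific group names
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$denyExec = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $everyone,
                  [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
                  [System.Security.AccessControl.AccessControlType]::Deny

$acl = Get-Acl -Path $Path
if ($Undo) {
    $acl.RemoveAccessRule($denyExec) | Out-Null
} else {
    $acl.AddAccessRule($denyExec)      # Deny ACEs are ordered ahead of Allow ACEs automatically
}
Set-Acl -Path $Path -AclObject $acl

# Verify: show the rules now on the file; the Deny line should be first
(Get-Acl -Path $Path).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

Everyone includes SYSTEM and Administrators, so after this nothing can start the file until the ACE is removed with -Undo; that is the point, but it also applies to the genuine ctfmon. As Edu says, this does nothing against code that already runs as Administrator and resets the DACL, and it does not stop a dropper that simply writes a fresh copy somewhere else.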

#11 bonarez

bonarez

    Retired GSO Second Lieutenant

  • Sergeant Major
  • 1,252 posts

Posted 23 June 2009 - 06:45 PM

(quoting Edu's post #10 above)

Of course you are right; one should not rely on ACLs to prevent execution of files. I was commenting only on cacls.exe.
The debugger method described by you (new to me) does indeed do a better trick at execution prevention.

About the data stream, would that be an 'alternate data stream' as in NTFS ADS?

#12 Edu

Edu

    First Sergeant

  • Members
  • 2,269 posts

Posted 24 June 2009 - 01:58 AM

Ah yes mate, I am talking of NTFS ADS. This particular ADS thing I commented on only works on XP SP2 and above. It is a feature that forces a downloaded file into the security zone of the website it was downloaded from. Two possible values to prevent it from running are 3 and 4 (Internet and Restricted Sites zones respectively). The setting which affects this is "launching programs and unsafe files". This only affects Windows Explorer and programs that utilize the Internet Explorer WebBrowser control.
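The Zone.Identifier stream Edu describes, written, read back and removed from PowerShell. This is an added example from the editor, not code from the thread. It assumes Windows PowerShell 3.0 or later (the -Stream parameter on the file cmdlets) and an NTFS volume; the stream content is the same two-line INI that browsers write on download, with ZoneId 3 for Internet or 4 for Restricted Sites.

```powershell
# Editor's added example of the Zone.Identifier ADS trick described in the
# thread; not code from the post. Assumes Windows PowerShell 3.0+ and NTFS.
param(
    [string]$Path = (Join-Path $env:windir 'system32\ctfmon.exe'),
    [ValidateSet(3, 4)][int]$ZoneId = 3,   # 3 = Internet zone, 4 = Restricted Sites zone
    [switch]$Remove
)

$streamName = 'Zone.Identifier'

if ($Remove) {
    # Unblock-File does the same thing; shown explicitly here for clarity
    Remove-Item -Path $Path -Stream $streamName -ErrorAction SilentlyContinue
    "$streamName removed from $Path"
    return
}

# Same INI-style content a browser writes when it downloads a file
$content = "[ZoneTransfer]`r`nZoneId=$ZoneId"
Set-Content -Path $Path -Stream $streamName -Value $content

# Verify: list every stream on the file (the unnamed data stream shows as ':$DATA'),
# then read back the one just written
Get-Item -Path $Path -Stream * | Select-Object Stream, Length
Get-Content -Path $Path -Stream $streamName
```

Only launches that go through the shell (Explorer, or anything hosting the IE WebBrowser control) consult this stream, which is exactly the limitation Edu states; a dropper that calls CreateProcess on the file itself never sees it. The stream also disappears if the file is copied to a FAT volume or rewritten by the malware, so it is a way to test whether Explorer is the thing relaunching ctfmon rather than a durable block.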

#13 SL4Y3R

SL4Y3R

    Private

  • Members
  • 10 posts

Posted 22 July 2009 - 03:51 PM

Hopefully this can help:


http://www.howtogeek...-is-it-running/




