I never thought it would happen to me...
As I have just contracted a nasty piece of uber-malware that whipped through NAV as if it weren't there, I thought I would post a compilation of what I have learnt through personal experience and on this and other forums. I have noticed that about 4 people have complained about this beast in the last couple of days in different places, so I thought I would post what I have learnt.
It's a bit rough, but it's a start.
My system, which runs Microsoft Windows XP Pro with SP2, has become infected with a particularly nasty little Trojan.
For the record, my security tools are:
1) Ad-Aware Professional, with Ad-Watch running constantly. I do a full scan each start-up
2) Norton Anti-Virus, with definitions updated as of Thursday, Dec 30, 2004, system is scanned weekly
3) Fully updated XP patches through Microsoft Automatic Update
4) SP2 firewall, plus hardware firewall on my Cisco router
I have no idea how I got infected – I became aware of it when I noticed the Adwatch icon flashing in the start-up menu and found that 4 attempts or so per minute were being made to modify the registry files. I then noticed that NAV was inactive (no icon present) and that the Microsoft security icon was flashing for my attention. However, each time I attempted to open it, the window shut immediately.
Safe mode changed nothing – NAV was still unable to open. Here’s what I have learnt from research:
Properties of the Trojan:
1) Disables antivirus software
2) Disables all firewall software (including MS security Center and SP2 Firewall)
3) Disables access to Windows updates
4) Closes Mozilla and IE browser windows if you search on certain topics like 'antivirus'
5) Prevents web access to all major AV sites, similar to MyDoom
a. Changes the hosts file in C:\WINDOWS\system32\drivers\etc to block major AV sites and online virus scans. I was able to access and run the Trend Micro scan by accessing it through their European page, but the scan found nothing. I was also able to run McAfee's Stinger, which found nothing.
6) Regedit and msconfig are both disabled – attempting to run will display a window for a fraction of a second before reclosing
a. The DisableRegistryTools value is set under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System, and restrictions are also set under ...\Policies\Explorer
b. One program – Registrar Lite – allowed registry access. However, editing the registry without killing the main process meant that registry edits were immediately restored.
7) Certain programs will not run, or will not install if not already loaded. These include registry editors, process managers, AV scanners and HijackThis.
8) All of the above 'features' still apply in safe mode.
9) Spybot was one of the few relevant apps I was able to install without a hitch. It revealed an instance of Kazaa.Irc.Spybot13.World running, which is strange because I have never installed Kazaa before. Although the Kazaa process was fixed by spybot, it reoccurred on follow-up searches and so I suspect it is part of, or responsible for the Trojan.
I put a call in to my ISP to let them know I had this Trojan and to ask if they could monitor my account for any untoward activity. They called me this evening to let me know that they had been watching and hadn't seen any unusual mail server or port activity. However, one TechSpot forum poster, Ranalin, pointed out on Dec 25, 2004, that there was some evidence his system was being used for a DDoS attack.
Microsoft AV support was pretty unhelpful as they didn’t seem to have come across this behavior before. They were friendly enough, but I spent several hours on the phone with different techs to no avail. However, as I have found five almost identical reports of this behavior in the last five days, I thought it might be useful to pool the information learned. It is possible that these are different variants of the same Trojan or even different Trojans/viruses, but the behavior in each case is sufficiently similar to make it interesting.
I was also able to run CWShredder which found copies of SmartSearch and TheRealSearch but was unable to remove them. However, research suggests that these two programs could not be responsible for all of the symptoms.
The only way it seems possible to regain control of your machine is to find a registry editing program that the Trojan does not block, install it and end the malware process.
I used the Uniblue WinTasks Pro 5 application to finally access the processes.
I was also able to open the registry using a program called Registrar Lite. However, until I killed the main process, any registry edits made to the Windows\CurrentVersion\Policies entries were immediately changed back to the Trojan's disallowance settings.
The descriptions I have read of the problem each differ on which process to kill. You might look for:
1) chkinit.exe & rmctrl.exe
2) dllserv.exe or regserv.exe
I didn’t have any of these processes. I did, however, find a process I didn’t recognize:
3) svcxnw32.exe, which another person infected with Kazaa.Irc.Spybot13 reported in a HijackThis log.
I used Uniblue's WinTasks Pro 5 to kill the svcxnw32 process. Finally, I had some control of my machine again.
I am currently running NAV and will run a number of online scans to see if I can rid myself of this Trojan. I was also able to access the registry and remove the DisallowRun keys that locked me out of the registry without their reappearance. However, although running msconfig was now possible, and I was able to uncheck the two svcxnw32 entries in the startup tab of the System Configuration Utility, on rerunning msconfig without a reboot, they had become rechecked, so the thing is probably still active.
I am not confident I will be free of this virus easily, although I have much improved my position. I hope NAV, Panda, or RAV will be able to locate and finally kill the thing before I reboot. I have never had a Trojan or virus on my home system before, but I have troubleshot plenty of other systems that have had viruses, and I have never encountered anything quite so persistent and with so little good information available on it from Sophos/Symantec/etc. This is why I am not hazarding a guess at which one it is – I just don't know. This is why I compiled this document – hopefully anyone who reads it won't have to spend an entire day on the phone with Microsoft or reading forum entries to try and find out how to start getting back control of their own system.
Update – NAV has not found anything untoward, despite the fact that the Trojan was able to cripple it. So much for Norton – I will be looking for some new AV protection before I reboot this machine.
I really hope that this BS piece of malware payload doesn't get fitted with a slick Sasser-like delivery system, or things are going to be very ugly on the internet for a while. And if I ever met the guy who wrote this, I would be inclined to shove a glass bottle up his *** then kick it until it breaks. Good luck to anyone else who finds themselves dealing with this.
Additional info:
Bradshawd on the TechSpot forums also had a problem with the mysterious Kazaa.Irc.Spybot13.World, reporting similar symptoms to me:
Three registry keys keep getting remade each restart.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"0"="blackd.exe"
"1"="blackice.exe"
"2"="lockdown.exe"
"3"="lockdown2000.exe"
"4"="netmon.exe"
"5"="processmonitor.exe"
"6"="taskkill.exe"
"7"="tskill.exe"
"8"="smc.exe"
"9"="sniffem.exe"
"10"="zapro.exe"
"11"="zlclient.exe"
"12"="zonealarm.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
I have posted this to the forums where I got the information to compile. Other versions include URLs which violate Techspot's terms. Please feel free to add to, modify, and circulate elsewhere if you found it useful.
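As an added illustration (my own example, not the poster's tooling), here is an offline triage script that parses a .reg export like the listing above for the DisallowRun and DisableRegistryTools lockout policies and checks a hosts file for the AV-site loopback entries described under item 5. The trimmed DisallowRun list and the hosts entries are constructed samples, not taken from a real infection.

```python
import re
# Constructed sample .reg export, a shortened copy of the listing in the post.
SAMPLE_REG = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"DisallowRun"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"0"="blackd.exe"
"1"="zonealarm.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"""
# Constructed sample hosts file; the AV-site lines are hypothetical loopback entries.
SAMPLE_HOSTS = """127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       housecall.trendmicro.com   # added by malware (hypothetical)
"""
POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
_VAL = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg(text):
    """Parse .reg-style text into {key_path: {name: value}}; dwords become ints."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = _VAL.match(line)
        if m and current is not None:
            name, dword, string = m.groups()
            current[name] = int(dword, 16) if dword is not None else string
    return keys

def policy_findings(keys):
    """Report the two lockout policies and which programs DisallowRun blocks."""
    findings = []
    if keys.get(POLICIES + r"\System", {}).get("DisableRegistryTools") == 1:
        findings.append("DisableRegistryTools=1 (regedit blocked)")
    if keys.get(POLICIES + r"\Explorer", {}).get("DisallowRun") == 1:
        blocked = sorted(keys.get(POLICIES + r"\Explorer\DisallowRun", {}).values())
        findings.append("DisallowRun=1 blocks: " + ", ".join(blocked))
    return findings

def hosts_redirections(text):
    """Return hostnames other than localhost that are pinned to the loopback address."""
    hits = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] in ("127.0.0.1", "0.0.0.0"):
            hits += [h for h in fields[1:] if h.lower() != "localhost"]
    return hits
```

Run it against `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Policies` output and a copy of the hosts file taken from a clean boot medium; an empty result from both functions is what a clean machine should give.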