Password stealer virus/program? Which one is it?

[sagor]

My Zonealarm flashed a warning about a program (blank name) trying to access the internet when I ran a "keygen" program. Yes, I know these are known to be nasty, but I scanned it with virus scanner before running it and it came up clean.

Now, I've run the 8 steps (I think I got them all), but nothing obvious came up. There were a few "trojan" pointers, but nothing that indicated a specific virus that is still resident.

What the virus does is this: When the program (keygen.exe - 160k) runs, it creates a smaller copy of keygen.exe (92k) in my local "temp" folder (%temp%). It then creates a specific named .html file in the "%temp% folder, which gets deleted right away if the network is off. However, if I keep the program locked up with zonealarm, I can copy the .html file and see all my browser (both IE and Firefox) login accounts and passwords, including ebay, paypal, etc...
Running the smaller version of "keygen.exe" in the %temp% folder does NOT create any .html file or FTP traffic, yet it comes up with the same screens as the 160k version. Looks like the virus attached itself to the original 92k file
Now, I captured the packets using etherreal, and got the FTP login information from the virus. It logs into www-dot-0catch-dot-com with a specific user id and password. I logged into that account and was saddened to see dozens of captured files, all from different people (not my file though). All .html files have a machine name and timestamp as part of the filename. Some machines even had 2 or 3 copies of the same file, indicating the "virus" program runs a one-shot deal, and was run a few times. (I did email 0catch support about this user)
So, I'm trying to figure out what variant of a virus this is, since virus scans seem to miss it. I've seen viruses before, that were so new that McAfee, Trend, Symantec did not even detect it till 3 days later. Maybe this is another one of those?
What generic virus is out there that scans browser files for accounts and passwords, then FTPs it to a server? It looks like it may not stay resident, hence the log files may not show much.
the 3 log files look relatively clean now. The virus still activates when I run the keygen.exe file, so it does not seem to be driven by registry entries or startup areas. It does seem to be "only when program is run" type of virus. To be safe, I've blocked the entire 0catch-dot-com IP range in my firewall, but that's only safe for this variant that uses this specific FTP server. Any new version that uses another FTP server may still pass, unless I create some content filtering rule in my firewall (I'm seriously looking into it)
Now, as a final test, I created a clean version of XPSP2 under VMware, and loaded etherreal and the "keygen.exe" file. Nothing else. What happens is nothing, no network queries for 0catch, no .html files created (but did create the smaller 92k copy of "%temp%\keygen.exe"). It may be because the IE browser files are empty (I suspect), hence it has nothing to report.
Anyway, a heads up that there is this thing out there - make sure your firewall traps new outgoing programs, else you can be a victim to this type of virus/hack. If anyone has an idea of what variant this is, let me know.
Thanks

 

[mflynn]

Run HJT Scan only select and Fix the below
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Then..

Another run indicated!
OK there were found/removed items in both MBAM and SAS so we need to run again as the first run likely exposed things that were not even seen the first time.

So another run Quick Scan with both will likely find more. So UPDATE run both again.

Mike

 

[sagor]

Ok, I re-followed the 8 steps and heres a log of what was done...

Step 1) Symantec AV - clean scan
Step 2) CCleaner - cleaned up cache, cookies, a couple registry pointers
Step 3) Disable TeaTimer (exit/terminated process) (I don't really like disabling this - it has saved me a couple of times from website-based auto-injected viruses)
Step 4) MAM full scan C:\ - clean
Step 5) SaS - Full Scan - 2 items removed from restore points. Second time in a row, SaS crashes when done, with a R6025 error - pure virtual function call. Items seem to be cleaned ok however.
Step 6) Java was V6, upd 7, upgraded to V6.12. Gave warning about unsupported OS, I'm XP pro SP1, they want SP2. Too bad...
Step 7) Ran Hijackthis and cleared the 2 "O6" variables. re-ran scan.
Step 8) here we go...

My gut feeling is that this "virus" is a "run only" type. It only runs when the keygen program is run, and does not seem to install anything to registry or elsewhere. It seems to be basically a "stealing program" disguised (added onto) another. However, I could be wrong.

Log files appended...

 

[mflynn]

You can turn TeaTimer back on when finished cleaning. It just interferes with the scans we do!

You may be correct on the KeyGen but these things that seem harmless have a tendency to invite some really nasty friends over who like to RUMBLE!

Just to be sure do the 2 below..

Download SDFix to Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

On Desktop run SDdFix It will run (install) then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click thu all the prompts to get to desktop.

At Desktop
My Computer C: drive. Double-click to open.

Look for a folder called SD Fix. Double-click to enter SD Fix.

Double-click to RunThis.bat. Type Y to begin.

SD Fix does its job.

When prompted hit the enter key to restart the computer

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process then say Finished,
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.
=========================================
Download ComboFix

NOTE: If you have had ComboFix more than a few days old delete and re-download.

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double click combofix.exe follow the prompts.

Install Recovery Console if connected to the Internet!

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click combofix's window while its running. That may cause it to stall.

Mike

 

[sagor]

Ok, I ran the 2 programs. I didn't like combofix, as it ( I believe it was that program run last) tried to reset all my browser search pages, default pages, etc., whereas I set them all to blank or to google.com. I hate someone (like MS) telling me where or how I should search/start my browsers. I denied many of the changes with teatimer....
Anyway, here are the 2 logs from the 2 programs, and the hijackthis log. Note that some of the "trusted" zones have changed, as I add some on an as-needed basis.

 

[mflynn]

SDFix was clean Combofix had several real bad boys.

Boot to Safe Mode only and run combofix again as it may find more but in any case we need to see a clean log.

Mike

 

[sagor]

I'll run again in safe mode. But, which are the "bad boys" you are refering to? It would be nice to know ahead...
I'll re-post when done safe mode scan.

Steve

 

[mflynn]

From ComboFix!

These

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\regedit.com
c:\windows\system32\Cache
c:\windows\system32\drivers\npf.sys
c:\windows\system32\hvgfobmj.ini
c:\windows\system32\packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FILEMON
-------\Legacy_NPF
-------\Service_FILEMON
-------\Service_NPF

Mike

 

[sagor]

Ok, I ran the combofix in safe mode.
However, some comments first. The regedit.com was my creation, a simple copy and rename of regedit.exe. This was one way (a while ago) to get around a rootkit/virus that killed the .exe version, but a .com version could run (I used it to remove a run key in registry)
As for Filemon, I loaded that in the last couple of day, to track the files opened by this virus. I was able to determine the .html file name the virus created on my machine via Filemon's log files.
Wpcap i believe is part of the etherreal capture program. It allows the capture of certain packets. That in fact, was what I was able to determine what the virus FTP login information was (etherreal capture, with manual DNS re-directed via my firewall to my web server/proftp and then I allowed the virus through zonealarm manually).
To summarize my capture of this virus, Zonealarm flagged a blank program name originating from a "keygen.exe", trying to FTP to a specific IP address. I ran a whois on the IP, and found out it was the "0catch" ftp site. I made a manual entry of the DNS for 0catch in my firewall to re-direct to my webserver's FTP. I then ran the virus, zonealarm trapped it again, but this time I allowed it through once. It failed on login on my webserver, but with etherreal, I was able to capture all the userid and password info used by the virus. After that, I cleared the DNS entry, and logged into the virus writer's ocatch FTP site to see what the files contained.. rest is history and I'm here lol...
I'm still not sure if this code actually infected my machine (not to say I don't have some old infections), or it is a one-shot every time it runs..

Combofix log file attached...

PS I re-added the \temp\crack directory with the infected file. I had deleted it a while back, but figured I'd add it back in just for the scans, just in case.
PPS, Yes, deleting the wpcap makes my etherreal fail in capturing packets now... I think Combofix deletes things it does not understand....

 

[mflynn]

Yes some of these are legit but they are often used by Malware. If clean can easily be reinstalled.

You are now clean these are gone.

If your issue pops up again and you have not reinstalled any of these but they come back it will be Malware.

So test for resolution.

Mike

 

[sagor]

Yes, after being all clean, the virus still tries to FTP to 0catch. My zonealarm still traps it.
So as I suspect, it is probably a one-shot VB6 application tacked onto another program, and simply reads the password files from the browsers and sends it when run. It probably does not leave any remnants. It's just like running any other program, but it just does bad things and exits.

So, not much else we can do from here, it is probably not an "infecting" program, but rather just a "mean" application. I did send a copy off to a virus software firm to see what they say. I'll post if I hear anything.

Thanks for the help
Steve

 

[mflynn]

Run Combofix again and see if it reinstalled what we just removed!

Mike

 

[sagor]

Still looks clean to me, combofix did not have to remove anything...