Report New Spyware Here

Another variant :

O4 - HKCU\..\Run: [winrar] C:\WINDOWS\winrar.exe

Attempts to change the homepage to hxxp://my.search/sp.php and tries to launch editpad.exe, which is a known cws file.

As seen HERE

Cheers,

Thanks Pieter and Unzy, I've added that last one to CWShredder as well.

I'm a little fuzzy on the variants that kill HT/CWShredder/AA/SSD, and/or use the ShellServiceObjectDelayLoad startup. I'm seeing bits and pieces all over the boards, but I can't form a clear picture out of these. Do you know anything about them?

Hi Merijn,

Here is a nice example:
http://www.wilderssecurity.com/index.php?board=17;action=display;threadid=19475

The thread at SWI Expert forum is here

Regards,

Pieter

OK, got it. I got a sample and added the whole thing to CWShredder as CWS.Smartfinder.

Good job, as always Merijn!

Cheers,

[**]

A little update, once again :

This new CWS domain seems to be spreading fast :

hxxp://www.magicsearch.ws/?q=

Triggered by a variety of .exe's , (there are probably a lot more)

O4 - HKCU\..\Run: [MicrosoftWindows] C:\Program Files\Common Files\Services\winmgnt.exe
O4 - HKLM\..\Run: [MicrosoftWindows] C:\Windows\system\systeem.exe
O4 - HKCU\..\Run: [MicrosoftWindows] C:\Windows\system\exploreer.exe

-> the name ID tag always is [MicrosoftWindows] , so watch out for that entry

**Taken from TonyKlein's weekly startups update at SWI :

As for MicrosoftWindows = winmgnt.exe, this CWS variant uses various other file names as well.
Merijn just provided the following list of alternatives spotted:

autorun.exe
clrssn.exe
critical.exe
directx32.exe
directx.exe
explore.exe
explorer32.exe
iexplorer.exe
inetinf.exe
milannet.exe
sistem.exe
systeem.exe
time.exe
uninstall.exe
volume.exe
win32e.exe

Log examples :

HERE


Also look out for this new CWS variant, random name tag and random executable, but pretty easy to recognise (10 digit exe file):

O4 - HKCU\..\Run: [ww64wzwhyi] C:\WINDOWS\FUPBCYV0Z5.EXE
O4 - HKCU\..\Run: [yd036jz1oh] C:\WINDOWS\5h5budvghj.exe

Usually combined with a hijack to a cws domain

Additional info :

Seemingly a dropper for DNSErr.dll and control.exe

thnx to FAL and Merijn for analyzing

Log examples :

HERE

HERE

Have files in my possession

Cheers,

O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\Documents and Settings\4nvile\Application Data\winny\mssearch.dll

O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\image.dll,Install

Variant of Winshow. The winny folder name changes.
First spotted here: http://boards.cexx.org/viewtopic.php?t=4092

Found by Mosaic1:

As seen here:
http://computercops.biz/postp83223.html#83223

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.enjoysearch.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.enjoysearch.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.enjoysearch.info/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.enjoysearch.info/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.enjoysearch.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.enjoysearch.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.enjoysearch.info/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.enjoysearch.info/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.enjoysearch.info/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.enjoysearch.info/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.enjoysearch.info/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.enjoysearch.info/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.enjoysearch.info/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.enjoysearch.info/search.html

O4 - HKLM\..\Run: [xxxvid] C:\WINDOWS\system32\xxxvideo.hta
O4 - HKCU\..\Run: [xxxvid] C:\My Documents\xxxvideo.hta

[Merijn, if you read this, I have the files as well, so if you can't reach Mosaic1...]

Thanks Pieter, I got the files from Mosaic at ComputerCops.
Added to CWShredder 1.49 as CWS.Xxxvideo, compiled and uploaded, but I'm not sure if anyone can even reach the download

We're working on a solution.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html

O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - D:\WINDOWS\winres.dll

http://discuss.futuremark.com/forum/showflat.pl?Cat=&Board=techoperatingsystems&Number=3450803

I have saved winres.dll if you want me to submit it.

Hi Shooter,

Hmm, I had a look at that dll he uploaded and the version tab says it's a Microsoft dll

I hope it's not one of those cws infections where they try to trick the shredder into removing a valid windows file.

Waiting for an opinion from Merijn or Pieter

Cheers,

KAV does not like it:

Current object: winres.dll
winres.dll Packed: UPX
winres.dll Infected: Trojan.Win32.Ideach.f

Certainly no MS file.

I will have a closer look later on, but it sure looks like a hijacker at first glance.

Pieter

Yep it sure does

The version tab of the file displays microsoft corp.

tsss

Cheers,

I'd love to take a look at winres.dll. I remember working on that one just before the DDoS started and haven't finished it yet. [edit] I got the file from futuremarks.com. Not sure if it's a new variant of a new version of Googlems.

Added it as CWS.Winres to CWShredder 1.50.

I'm emailing it to phoenix22 of Computercops.biz for his mirror. If anyone else wants to mirror it, send me your email addy and I'll notify you when a new ver is out.