One of our home computers was recently infected with Win32.Locksky and finding a remedy for it (without installing a humongous anti-virus) was a challenging but fun activity.
The Challenge
This particular computer was rented out, and when it came back I was surprised to find that the Task Manager button was disabled in the Windows Security dialog box when I pressed CTRL-ALT-DEL. Do note that the computer doesn’t have an anti-virus installed (yeah! yeah! I know, it’s supposed to have an anti-virus. But I didn’t install it. I’m lazy. So?). I examined the system further and found some Internet Explorer bars installed and some items that had appeared in Programs | StartUp. I opened RegEdit, and wasn’t surprised that it was not disabled, so I continued on and checked for irregularities in the HKCU\Software\Microsoft\Windows\CurrentVersion\Run, HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce and HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx keys. True enough, I found some suspicious startup entries and removed them. I of course took note of the file locations and proceeded to HKLM\Software\Microsoft\Windows\CurrentVersion\Run, then HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce and HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx, and also removed the same suspicious entries.
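The manual walk through the six Run/RunOnce/RunOnceEx keys above can be scripted. This is an added example, not part of the original post, and it assumes a machine with Windows PowerShell 3.0 or later; it lists every value in those keys with the resolved image path, whether that file exists, when it was last written and its Authenticode status, which is usually enough to spot a stray autostart entry at a glance.

```powershell
# Added example: triage the HKCU/HKLM Run, RunOnce and RunOnceEx autostart keys.
$hives   = 'HKCU', 'HKLM'
$subkeys = 'Run', 'RunOnce', 'RunOnceEx'

function Resolve-CommandPath {
    param([string]$Command)
    # A Run value is a command line; take the image path (quoted or first token)
    # and expand any environment variables such as %SystemRoot%.
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) {
            return [Environment]::ExpandEnvironmentVariables($cmd.Substring(1, $end - 1))
        }
    }
    return [Environment]::ExpandEnvironmentVariables(($cmd -split '\s+')[0])
}

foreach ($hive in $hives) {
    foreach ($sub in $subkeys) {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\$sub"
        if (-not (Test-Path $key)) { continue }          # e.g. HKCU RunOnceEx is often absent
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }        # skip the registry provider's metadata
            $image  = Resolve-CommandPath -Command ([string]$p.Value)
            $exists = Test-Path -LiteralPath $image -PathType Leaf
            [pscustomobject][ordered]@{
                Key      = $key
                Name     = $p.Name
                Command  = $p.Value
                Image    = $image
                Exists   = $exists
                Modified = if ($exists) { (Get-Item -LiteralPath $image -Force).LastWriteTime } else { $null }
                Signed   = if ($exists) { (Get-AuthenticodeSignature -FilePath $image).Status } else { 'n/a' }
            }
        }
    }
}
```

Entries whose image is missing, lives in a TEMP directory, or carries an invalid or absent signature are the ones to look at first; the output can be piped to Format-Table or Export-Csv for a record of the pre-cleanup state.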
After removing the suspects from the registry, I closed RegEdit and proceeded to delete the malicious files. I then restarted the machine. Just to be sure, I first downloaded HiJackThis (http://www.merijn.org) and did a system scan. Not surprisingly, HiJackThis was able to list some more registry startups that I hadn’t been able to remove previously. Regardless, I still couldn’t click on the Task Manager button. I checked my system for any connection attempts going in and out of the computer and lo! SMTP connections galore! So I downloaded AVG Free, updated it and scanned. It was able to detect still more trojans and deleted their corresponding files. However, it was also able to detect the Win32.Locksky worm! This was going to be a challenge. Although I could have installed any quote “rock-solid” (commercial) anti-virus, I chose not to. I aimed to find out what this virus was all about. It was the first time I had encountered this worm in the wild.
AVG reported C:\WINNT\SYSTEM32\WMEDIA16.EXE and C:\WINNT\TEMP\POL8E5D.TMP to be Win32.Locksky. I then tried to let AVG remove the virus, however, no dice! AVG can’t quarantine it, nor can it be deleted. Another challenge!
The Doctor is In!
I needed to assemble my tools now. I was determined to discover what makes this virus tick. I first looked at Symantec’s Security Response Database and searched for Win32.Locksky in its Virus & Risks section (http://securityresponse.symantec.com/avcenter/venc/data/w32.looksky.f@mm.html). However, after reading the security advisory and virus info, I found out that the one Symantec has on record is different from what infected the computer I was working on! Certainly a variant. I searched further, through Google this time, and entered “wmedia16.exe” then clicked “Search”. I found out that this file is widely used as a delivery agent for trojans and worms. Aside from Locksky, it was also used for MyDoom, the Goldun trojan dropper and the Gurong.A rootkit. Useful little bugger… I grew tired of wading through old Google search results so I decided to go all out. Bring out the tools!
The Tools
To try and combat Locksky, I downloaded the following:
1. HiJackThis (http://www.merijn.org) - done earlier.
2. StartDreck (http://www.niksoft.at/download/startdreck.htm) - works like HiJackThis but with a little more nifty features.
3. CWShredder (http://www.intermute.com/spysubtract/cwshredder_download.html) - popular remover of the CoolWebSearch adware/malware, which is a favorite delivery system for most trojans, droppers, downloaders and spyware. Now already a part of TrendMicro.
4. SpywareBlaster (http://www.javacoolsoftware.com) - blocks website-borne adware and spyware, rogue ActiveX controls and applets, as well as website-borne viruses.
5. Spybot Search and Destroy (http://security.kolla.de) - scans and removes existing adware, spyware, trojans, some viruses, ActiveX controls and other components related to rogue applications.
6. Autoruns (http://www.sysinternals.com/Utilities/Autoruns.html) - See what programs are configured to startup automatically when your system boots and you login. Autoruns also shows you the full list of Registry and file locations where applications can configure auto-start settings.
7. Process Explorer (http://www.sysinternals.com/Utilities/ProcessExplorer.html) - Find out what files, registry keys and other objects processes have open, which DLLs they have loaded, and more. This uniquely powerful utility will even show you who owns each process.
With these tools extracted and installed, I proceeded to scan the system again using HiJackThis. I found WMEDIA16.EXE, a 2040204.EXE, and POLYMORPH.DLL running in the background. I tried stopping them using HiJackThis, however, the processes kept coming back up. I closed HiJackThis and opened StartDreck. StartDreck gave me a whole list of registry keys and entries to play with. I was even able to terminate some Windows services that were unessential, and also change their start settings from automatic to disabled. Pretty neat. Regardless, StartDreck was still unable to terminate POLYMORPH.DLL. I tried using the REGSVR32 -U command to unregister the DLL. However, no dice. Windows yelled that the DLL was being used by a process or application. Moron. So I first ran CWShredder to check whether CoolWebSearch was on the system. So far so good, CWShredder reported nothing to be alarmed about (except the existing virus).
By now I wasn’t really pissed off, but rather eager to find out how this virus works and how to terminate it without putting too much pressure on the system by running more strenuous scans. To cover my bases, I opened up SpywareBlaster and downloaded some updates on protection for Internet Explorer, Firefox/Mozilla and Flash holes. Then I activated the protections to make the system a little more “closed” than before. After that, I fired up Spybot Search and Destroy, downloaded some updates for it, and scanned the system. After scanning, it managed to detect some more registry entries that it considers malicious. In all it reported 150 more registry entries and files that were related in one way or another to rogue applications. Fixed them all with one click. 5 entries remained requiring a restart to be resolved. Restarted, continued the repair, then activated “immunization”, which blocks further ActiveX and rogue components from penetrating the system. This now left only the virus remaining. Two files, and two tools to go.
The Showdown
This is it. The last hurrah. I pulled out Autoruns and scanned the system. It actually comes in two versions - the Windows (GUI) version, and the command line version (Autorunsc). What Autoruns offers is an organized “mess” of settings, registry entries and values that you can sift through and adjust for the system. You can see everything from Logon events, Scheduled Tasks, Boot Execute, Drivers, DLLs, settings for Explorer, Internet Explorer, Winsock, LSA, WinLogon, AppInit, and more. A little Swiss army knife. I “shopped” around Autoruns and found polymorph.dll sitting there in the WinLogon list. Right-clicking on it gave me a context menu with some settings, and I was surprised to find “delete” as one of them. I chuckled and clicked the option. Saw the entry disappear, and come back again within 2 seconds! Whoa! One persistent little bugger. Okay, one more reconnaissance. I opened Process Explorer and poked around looking for anything related to POLYMORPH.DLL. So far, still WinLogon. Ok, so this must be activating upon logon. So I decided to move the battle to a different zone. On to safe mode!
I closed everything, restarted the system, pressed F8 and chose safe mode. I entered my administrator password and found myself in the dreary 16-bit color land of safe mode. Before proceeding, I scanned the system again using Autoruns, and what do you know? POLYMORPH.DLL is there! However, WMEDIA16.EXE is not. Hmmm, we’re making progress here. I then opened an Explorer window, looked for WMEDIA16.EXE in C:\WINNT\SYSTEM32 and found nothing! Ok, so it must have been hidden. I then clicked on Tools | Folder Options in the Explorer menu bar, then clicked on the View tab and chose Show Hidden Files and Folders, then removed the check on Hide Extensions for Known File Types, and also removed the check on Hide Protected Operating System Files. I then clicked Apply then Ok. I proceeded to look for WMEDIA16.EXE and after I located it sitting cozily in C:\WINNT\SYSTEM32, I gave the bugger the “Beat it!” sign and deleted the living daylights out of it. One down, one to go. I opened Autoruns again and disabled POLYMORPH.DLL from autoloading. Deleted the file in C:\Documents and Settings\All Users\Documents\Settings\POLYMORPH.DLL, then restarted expecting victory. Then it hit me. It’s not starting from the registry! WMEDIA16.EXE is back again and so is POLYMORPH.DLL! Hmmmm… it must start from somewhere. Sherlock made a very big impression on me, so I looked at one possible location - C:\WINNT\SYSTEM32. I opened up Windows Explorer and navigated to the folder, clicked the View button in the Explorer toolbar, chose Detailed View and then arranged the entries in alphabetical order. Just doesn’t make sense! What am I looking for? Then I remembered to check for dates and times. I clicked on the “Modified” header and looked at the dates and times. I noticed a definite pattern to most of the system’s files. They were mostly modified sometime in the year 1999.
Although some insignificant files had been modified quite recently, these files didn’t cause alarm so I neglected them. However, I noticed one file that had been modified recently. The file is SHELL32.EXE. Most other files that come along with it, like USER32.EXE and others, were modified in 1999; this one was quite recent. This must be it! I was now going to risk it. I first made a copy of a fresh SHELL32.EXE from a separate machine (Windows 2000) and pasted it on top of the suspected SHELL32.EXE. Then rebooted.
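The “look at the Modified column” trick above can be turned into a check that works on any system directory: most OS files cluster around the install or service-pack date, so a file whose last-write time sits far from the median of its neighbours stands out. This is an added example, not code from the original post; it assumes Windows PowerShell 3.0 or later, and the 90-day threshold is an assumed starting value, not something the post states.

```powershell
# Added example: flag files in a system directory whose LastWriteTime is far newer
# than the bulk of the directory (the heuristic that exposed the trojaned SHELL32).
param(
    [string]$Dir = "$env:SystemRoot\System32",
    [int]$OutlierDays = 90      # assumed threshold: days past the median that count as "recent"
)

function Get-ModifiedOutliers {
    param([string]$Path, [int]$Days)
    # -Force includes hidden and system files, which is how WMEDIA16.EXE was concealed.
    $files = Get-ChildItem -LiteralPath $Path -File -Force -ErrorAction SilentlyContinue
    if (-not $files) { return }

    # Median LastWriteTime is a robust baseline: a handful of tampered files cannot move it.
    $sorted = @($files | Sort-Object LastWriteTime)
    $median = $sorted[[int][math]::Floor($sorted.Count / 2)].LastWriteTime

    foreach ($f in $sorted) {
        $delta = ($f.LastWriteTime - $median).TotalDays
        if ($delta -gt $Days) {
            [pscustomobject]@{
                Name            = $f.Name
                LastWriteTime   = $f.LastWriteTime
                DaysAfterMedian = [math]::Round($delta, 1)
                Hidden          = $f.Attributes.HasFlag([IO.FileAttributes]::Hidden)
                Signature       = (Get-AuthenticodeSignature -FilePath $f.FullName).Status
            }
        }
    }
}

Get-ModifiedOutliers -Path $Dir -Days $OutlierDays |
    Sort-Object LastWriteTime -Descending |
    Format-Table -AutoSize
```

On a regularly patched machine many legitimate files will follow the update cadence, so read the Signature and Hidden columns together with the date rather than treating a recent timestamp alone as proof of tampering.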
After rebooting, I was presented with the logon screen and proceeded. Glad that everything seemed to be going well, I was suddenly greeted by an error. “Explorer.Exe has generated errors…” Hmmm, I forgot that the SHELL32.EXE that I “grafted” into the sick computer had not been patched. The sick computer was already on Service Pack 4 while the other one wasn’t. So I pressed CTRL-ALT-DEL, clicked Task Manager, then clicked File | New Task, clicked Browse, looked for the Service Pack 4 installer and proceeded with the update. The system prompted a restart and proceeded. After logging in, Explorer came up nice and easy as if nothing had happened! Whoa! Alright!
Mopping up Operations
By now the computer was functioning well, and didn’t even slow down. I checked for rogue connections using Netstat -an. So far, nothing. No more SMTP. I then proceeded to delete POLYMORPH.DLL and WMEDIA16.EXE and performed another set of scans with AVG, SpywareBlaster and Spybot. So far, they turned up nothing.
It turned out that the computer had been compromised and “rooted”, with SHELL32.EXE replaced by a trojaned copy. Good thing I remembered to check the date and time the file was modified. Chances are we commonly ignore this information, and it turns out to be the saving grace.
The system has been clean ever since.