New Skype Worm ANNOYING

[rhat0]

So, I get back from school today to awake my computer system. Upon waking my system from sleep(Win 7 64bit updated, had Avast running).. a Skype notification appears at the bottom right of my screen.

Next thing I know explorer.exe all of the sudden crashes within seconds of waking my system from sleep. Now whenever I'm using Skype it appears that somehow Skype is forcefully hooked into and Skype's RAM usage jumps from the normal 70-80,000 up to 300,000. Along with that the CPU idles around 25-50 for me, which the normal is about 2.

It is very evident to me that this worm is attempting to spread. It looks like this:
X

Those image files are mine from the default selected receiving folder path for my Skype. I'm still not entirely sure how I was infected nor what is infected. I'm guessing explore.exe is being hooked by something.

I'm not very good with reverse engineering malware/worms, but I understand a lot of the terminology and will figure out what to do if someone can provide me with a set/short list of tools. I just want this damn worm off my system.

I've switched from Avast to BitDefender in hopes of BD picking it up. No luck at all, I'll be switching back to Avast. I'm guessing this thing is crypted to bypass AV detections.

Anyone's help would be greatly appreciated. I want this Skype worm halted quick by Avast and I'm willing to help however I can.

[Pondus]

we need some logs from you..... attach not copy and paste
Malwarebytes / OTL / aswMBR.     http://forum.avast.com/index.php?topic=53253.0

removal experts are notified,  be patient as it may take some hours before thay are online

[rhat0]

http://www.hastebin.com/cikuvatemu.tex

Will this do or must I get something more advanced?

Also, I'm much more into Web App Security. I'm actually studying Information Security in college. I believe that I've had enough fun with Windows. This pretty much pissed on my cake. I was happy running Windows as my platform, but as of recently I have realized that it is simply just too simply exploited and "rooted". Only on Windows can you go from guest to full admin in seconds. It's really sad, so I think that if I don't get this fixed in the next 48 hours... I'm just going to call it quits. I'll backup all my important docs and wipe this baby clean. Windows is overused, too big of a target and too closed source for my taste. I also hate restarting every other damn day for updates. Seriously, who has time for that nonsense? It's all garbage, not me.

I won't be one of the 80% much longer, I don't think lol.

Everything on Windows has a damn buffer overflow. It's like Microsoft's goal to set everything up perfectly right just to have some sort of overflow, to provide for remote execution or DoS. If I do for any reason slap Win back on my current box, I'm hardening it stronger than Carbyne and running everything that touches the net inside of a VM that is NOT Win based. GRRRRRRRRRR.. I hate that feel of compromised.

<--- This guy is having a serious case of butthurt, so mad at Microaloft/Windblows. How can someone get infected from a DAMN notification popup that doesn't even get clicked? How CAN ONE FAIL SO HARDD at security.. I guess the lesson has just been reinforced. Treat every bit of software like it is poop. Put on loads of gloves, wrap it up all nice and don't get any on your hands. The only one we can really blame for malware is ourselves(I've just fallen victim). We're using horribly flawed security systems that just open the backdoor(laugh). Our systems of operation are so far gone when it comes to security that you're pretty much wandering the forest with hungry bears unless you have some sort of condom installed(Antivirus/Firewall/AV+FW), why has it come to this? Why are all of our systems set up in such a similar way that it is actually worth smashing keys to develop this sort of crap? I DO NOT GET ITTTTTT GRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR

Okay, rant is done.. I'm going to eat some food and go to sleep. Oh yeah, one more thing.. GRRRRRRRRRR!!

*opens up ZoneAlarm and stops all internet activity* >.> Doesn't matter, if there is any skillful dev behind this hell torched creation all my passwords and personal sh*t has been stolen. *rips hair out* I'm going to have to change each and every damn account password now and just restart my whole life. Wow, this is so suck. I feel so invaded right now, I live too much on the computer. Maybe I should just quit using this damn thing and do more irl stuff I don't know. Don't worry, I'm okay... I just need to sleep on this lol.

[Pondus]

Will this do or must I get something more advanced?

you attach the logs requested to your next reply.... see the guide i gave link to above

see Attachments and other options  below the box you write in here

[TwinHeadedEagle]

Monitoring...

[rhat0]

Does someone need me to recreate the incident or something? I'm comfortable with attempting to delete all my friends and add just a couple people and get Skype up in a VM and capture exactly what happens. I don't care what must be done to stop/fix this, I just want this sh*t fixed. I've reinstalled Skype twice, renamed the Skype EXE. I've tried to replace explorer, every SINGLE damn time I load up Skype the ram goes up to f*kin 300,000 usage and CPU chills at 25-50... also, when I try sending messages to people it does NOT send them as it is busy trying to spread/infect others I believe.

I'll post an example picture in a second.

This is my Skype.exe renamed:
X

EVERY DAMN TIME, this is like ten seconds into logging in.

It doesn't stop there, the RAM just climbs... just seconds later it ended up chilling around at 277,000.

Now this s**t keeps making file transfer noises:
X

I'm sure you can understand the frustration. My Skype is rendered unusable as whatever the hell I do, It's like trying to swim through piles of sh*t. My entire Skype randomly locks up. It's clear as day that my Skype is being abused for some purpose. I don't know if it is using my Skype as a bot or if I'm backdoored. I am clueless as to how the hell this is working. If anyone would like to tackle this with me, I'll give you an e back rub.

Typing in the friend search textbox results in it being cleared. Example: typing "friendname", you end up with f... cleared r... cleared i... cleared. Once in a while I'll get two or three characters in before it clears, but what the SERIOUS F*CK? Who makes this stupid sh*t???!?!?!

Eventually it anal screws my Skype so hard to the point of it just doing absolutely nothing but spreading.



Does someone want me to create a damn .dmp(dump) file of the exe... I don't know how useful that would/could be. When it comes to malware analysis consider me a scrub/noob. I'm just good with website security, though I do have interest in malware destruction/removal. I want a damn patch for this bullsh*t because anyone that feels the pain I'm in right now shouldn't have to. It's more than annoying to have a stupid little notification appear and all the sudden you're infected, no clicking or anything. I'm so clueless right now, because I'm not retarded. I don't click links, I don't install random software that is untrusted. I check md5s of exe files before I run them. I'm borderline paranoid. I'm going complete psycho if I don't get this fixed as I said earlier within two days of this occurring. I believe this has something to do with Microsoft ending API support by December ending(2014), so that pushed some pissy Skype bnet creators to quickly hop on abusing a forceful API hook or something similar. I've probably got some damn hidden Skype IMs right now to "chinese.leet.haxor" -.- ffs, this is so laaaaaaaaaaaame

Side-note: When you close/exit Skype it appears to be entirely exited/closed, but you still have your EXE open under process list. That's the only way I usually close programs anyways is by ending the task, so I'm not bothered much.. but for someone a little less experienced, they would likely just exit the software and continue spreading or being a slave.

I would suggest only running Skype as a guest user or an account with VERY limited system privs, but then again... as I've already said, I have wiped Skype off my system, wrecked the app data files, tried crawling registry in search of anything Skype. I'm stuck... I looked for newly added services or irregular ones that I've not noticed or seem suspicious. I'm stumped to hell right now and as I've said, I will do ANYTHING at all someone wants me to do. I don't even care if someone gets access to my Skype account. Hell, I will give people my Skype user/pass if they want to figure this out. I advise not running this on a system you love. I don't know if it infects the account itself or the system.. perhaps both. I'm thinking it infects individuals from friends on a list. Whatever needs to be DONE, ANYTHING... I beg you Avast guys to help me out. This could be a really nasty widespread Skype botnet or something of that sort. Whatever it is, it is doing some really weird stuff with my Skype. Maybe it is mining such as bitcoin mining or something of that nature. I'm not sure how malicious this is in nature, but whatever it is.. It's pretty much a certain DoS for Skype and makes me really sketched out to do anything on my computer for the fear of having my accounts jacked.

An additional potentially helpful note is that I'll notice that when the RAM usage shoots up high and CPU is demanded highly by the Skype EXE, especially when it is starting... when I click different windows in Skype everything just loads black. I'll try to get a picture to demonstrate in a second.

Okay, so I just executed the Skype EXE and my windows explorer showed that "Please select how you want to open this file." for a fraction of a second. I happened to catch that it had the radio box selected "Choose how you want to open this with your own selected application.", so there appears to be some sort of way that my Skype exe is being ran within another SOMESHIT.. I DONT FREAKINGGGG KNOOOOOWWWW.. this makes me want to punch holes in my wall so hard -.- ugghhhhh.

Cancelling a file will look like this sometimes:

While doing something like opening up a conversation window with a friend can sometimes be entirely transparent or sometimes opaque/solid black as if my graphics card is doing some work.

http://www.coindesk.com/litecoin-radeon-shortage/

I suppose I should give launching Skype a go and checking into my GPU usage. That would be a pretty smart idea, so then I can know if these lame kids are just mining coins or whut. -.-

X

And now.. I've just found out that when those file send noises randomly come up, my GPU goes up a bit. What the hell is going on x_0 the GPU load normally idles at about 1%/0% in GPU-Z. The second one of those send notifications appeared, my GPU load went up to 15%. I'm not making sense of this at all.

[TwinHeadedEagle]

@rhat0

You need to stop doing anything, before you damage something

Let me fix this issue for you

Important: Do not use use USB until we fix PC, if you have one, unplug it and do not use.


Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

• Double-click to run it. When the tool opens click Yes to disclaimer.
  
• Under Optional Scan ensure "List BCD" and "Driver MD5" are ticked.
  
• Press Scan button.
  
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  
• The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

[rhat0]

Thanks mate, getting the 64 version as I'm running W7 64 

Will post results shortly.

[rhat0]

Here are my two txt files that were dumped. 

*facepalm* BitDefender just erased 700+ files. As a security researcher, some of those were possibly training labs. Best day ever, lol.

Removing BD and setting up Avast again.

I'm not plugging anything into my system, I'm treating my computer like a toxic waste dump at the moment with my cute little passwords floating encrypted within it, but still... I don't even like the idea of my passwords in encrypted form floating inside a poop pool. ;[[[[

This sure has awoken me though, after this gets fixed up... I'm running everything inside a VM except for only very trusted software that is modified to have limited abilities/system access. All of my confidential documents shall be stowed away in an encrypted and hidden partition. Security is no joke, it's just an illusion and you must do your best to make it believable.

If you figure a way to fix this issue for me from those dumped log files, I will bow down and praise you =]] I appreciate you helping me. Thanks in advance!!

[TwinHeadedEagle]

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Code: [Select]

C:\Users\Plutonium\jagex_cl_loginapplet_LIVE.dat
C:\Users\Plutonium\jagex_cl_runescape_LIVE.dat
C:\Users\Plutonium\lulz.exe
C:\Users\Plutonium\lulz2.exe
C:\Users\Plutonium\random.dat
C:\Users\Plutonium\AppData\Local\Temp
AlternateDataStreams: C:\ProgramData\TEMP:58DD92AC
AlternateDataStreams: C:\ProgramData\TEMP:C76EDAC3
AlternateDataStreams: C:\ProgramData\TEMP:DED17083
AlternateDataStreams: C:\Users\Plutonium\Downloads\FRST64.exe:BDU
AlternateDataStreams: C:\Users\Plutonium\Downloads\GPU-Z.0.7.4.exe:BDU
AlternateDataStreams: C:\Users\Plutonium\Downloads\HijackThis (1).exe:BDU
AlternateDataStreams: C:\Users\Plutonium\Downloads\HijackThis.exe:BDU
AlternateDataStreams: C:\Users\Plutonium\Downloads\SkypeSetup.exe:BDU
AlternateDataStreams: C:\Users\Plutonium\Downloads\Walt Disney Tarzan(1999) XviD avi DVDrip English.avi:TOC.WMV
AlternateDataStreams: C:\Users\Plutonium\Downloads\Windows-KB890830-x64-V5.7.exe:BDU
AlternateDataStreams: C:\Users\Plutonium\Downloads\winsdk_web.exe:BDU
cmd: ipconfig /flushdns
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.



Then...



Please download aswMBR and save it to your desktop.

Double click aswMBR.exe to start the tool.

• Select Yes if prompted to download the Avast database.
   
• Click Scan
   
• Upon completion of the scan ( Scan finished successfully ) click Save log and save it to your desktop, and post that log in your next reply for review.
  Note: do NOT attempt any Fix yet.

Then...



1. Please download ComboFix by sUBs from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

--------------------------------------------------------------------
2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
If you are unsure how to do this please read this or this Instruction.

Instructions how to disable avast:

• Right click on the avast! system tray icon () in the lower right corner of the screen and scroll up to avast! shield controls;
  
• In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn back on this option after the cleaning by choosing avast! shield controls > Enable all shield options.

--------------------------------------------------------------------
3. Run ComboFix. Click on I Agree!

ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note:Do not mouse-click Combofix's window while it is running.
If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion" just restart computer once more.

--------------------------------------------------------------------
4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
Attach log reports ( ComboFix.txt) back to topic.

[Michael (alan1998)]

Sorry to barge here.

First off, Skype is just a traget.
2) Windows is the only major target because of the stock Share.
3) Don't rage. seriously, saying you have to restart every single day is too far. I don't even do that for windows. I restart maybe 1 time in a month for secruity patches.
4) Windows 8.1 I hear is more secure and faster. Try using it? keep a Dual boot just in case (I also know from my EXP, that I hated every second of the UI)
5) Swearing, not cool

[rhat0]

1. Skype is not just a traget, Skype was bought out by sh*tty Microaloft(soft) and ever since it has gone down the drain. It has become more centralized in an attempt to prevent all of the IP resolvers for Skype and the DDoS/booting of Skype users offline.
2. Windows is the target because it is used by the majority of home/personal users(bank info/credit card #s/passwords/emails/keylogs/etc). It's also of all of the systems by far the most easy to code malware for, it helps a lot that each Windows distro is practically the same in operation besides a few changed directory names here and there, plus some additional easy-to-break security enhancements. Windows 8 is bundled with all sorts of nonsense and it has been rumored that there is a built-in backdoor which I don't doubt at all. Of course Microsoft would dance with the NSA and snort baby powder.
3. I'm not quite raging, I'm more ranting. If I was raged, I wouldn't be on my computer.
4. Windows 8.1 more secure and faster? Faster, yes... it does appear the benchmarks appear that way. Compatible and used by businesses? That's a totally different story. If for any reason Windows 8.1 is more secure, it is because it is new and not enough people use it for it to be a worthwhile target. As time passes and Win8 has more time to be tested and exploited, you will probably see even worse crapware appear for it. While security gets stronger, so do attacks. Windows has just always had these proprietary systems that have such simple weaknesses in them. Not long ago there was a stupid RDP buffer overflow which allowed you to BSoD any Windows server with RDP enabled(seriously?).
5. Swearing is just part of expression. If you'd prefer my posts be emotionless, I can be dull. That's just not me though.

[rhat0]

1. Open notepad...
Attach log reports ( ComboFix.txt) back to topic.

Well that kind of sucked at the aswMBR.exe part when it randomly threw me into a BSoD. FixList renamed itself to "㩃䙜卒屔畑牡湡楴敮Ȁ" and I'm still running ComboFix currently. The problem is that what I'm infected with seems like a Skype spreader much more complex than your average malware. I'm pretty good at getting crap off my system quickly. I'll finish up this scan and provide logs, but this is definitely no fun at all. I think the best thing is just prevention. In other words don't use Windows lol. Once this is finished(hopefully getting fixed) I'm backing up and formatting regardless.

"Please note that running this program without supervision can cause your computer to not operate correctly."

Funny that how running software to fix your computer can sometimes break it more than it already is. Oh boy...

I will provide logs, because I'm trusting that you know what you're doing Twin, you seem like a helpful individual and I appreciate that much. This definitely won't be any known *ware though, so the likeliness of this being corrected/fixed by running anything as of yet I'm thinking is going to be 0.001%.

That ComboFix crap has C:\ComboFix which just routes me back to C:\ what the heck?? *yawns*
Something tells me it would be easier to just attempt to back up my vital documents and format... and my fixlog text document is too large to be an attachment. x_0 dang.

[TwinHeadedEagle]

Ok, attach Fixlog.txt along with ComboFix report...

[rhat0]

Ok, attach Fixlog.txt along with ComboFix report...

This is the only thing I'm finding of ComboFix on my system other than its own EXE. The Fixlog is too large to attach on this forum x_0