Author Topic: Raising the Bar: Rustock.A and Advances in Rootkits

FreewheelinFrank
Raising the Bar: Rustock.A and Advances in Rootkits
« on: December 18, 2006, 06:14:40 PM »
Quote
The never-ending game of hide-and-seek between the antivirus industry and rootkits has begun a new chapter. Recently our lab discovered a new rootkit sample in the wild that is very unique given the techniques it uses. It was named Backdoor.Rustock.A, and because of its special characteristics it can be considered the first born of the next generation of rootkits. Rustock.A consists of a mix of old techniques and new ideas that when combined make a malware that is stealthy enough to remain undetected by many rootkit detectors commonly used (such as RootkitRevealer, BlackLight and IceSword). We consider it to be an advanced example of "stealth by design" malicious code. [1]

http://www.symantec.com/enterprise/security_response/weblog/2006/06/raising_the_bar_rustocka_advan.html

Via:

http://sunbeltblog.blogspot.com/2006/12/gromozon-has-evolved.html

polonus
Re: Raising the Bar: Rustock.A and Advances in Rootkits
« Reply #1 on: December 18, 2006, 06:39:56 PM »
Hi FwF,

Removal info here:
http://www.2-spyware.com/remove-rustock.html


polonus

Nath²
Re: Raising the Bar: Rustock.A and Advances in Rootkits
« Reply #2 on: January 05, 2007, 11:14:22 PM »
Good evening. Sorry, I'm French and I'll try to explain in the best English I have.
Trojan-backdoor-rustock has been on my computer since this weekend (29 December). Spy Sweeper finds it and says it deletes it, but it comes back. I've just finished a very long scan with avast (in Safe Mode, up to date); avast found it and says it has deleted it. I've run a scan with Spy Sweeper and this trojan is still on the computer. What can I do? I've used avast for one year without any problem, but today I'm having difficulties. I would like not to be obliged to reformat my hard drive. Thanks in advance for any help.
PS: I'm a competent computer user; if I have to make modifications in regedit or elsewhere, I think I'm able to if you explain it to me well.

galooma
Re: Raising the Bar: Rustock.A and Advances in Rootkits
« Reply #3 on: January 05, 2007, 11:18:37 PM »
Hi and welcome

Have you tried the procedure outlined in the previous post by Polonus?

Nath²
Re: Raising the Bar: Rustock.A and Advances in Rootkits
« Reply #4 on: January 05, 2007, 11:24:23 PM »
The software method, yes, with Spy Sweeper, and it comes back. The manual one, not yet. Do I need to do it in Safe Mode?

Nath²
Re: Raising the Bar: Rustock.A and Advances in Rootkits
« Reply #5 on: January 05, 2007, 11:28:23 PM »
Sorry, I didn't see that Spyware Doctor was different from Spy Sweeper because of the Spy Sweeper advert just after it. I'll try it and report whether it works.
Thanks

galooma
Re: Raising the Bar: Rustock.A and Advances in Rootkits
« Reply #6 on: January 05, 2007, 11:29:54 PM »
There is an automatic removal tool at the link in the previous post (this one: http://www.2-spyware.com/sd2-Spyware-4.0.0.2602.exe ).

Have you downloaded it and tried it?

If you have and still have the problem, I suggest an HJT scan; post the log it generates so we can look it over.
http://www.majorgeeks.com/download3155.html

Good luck

Nath²
Re: Raising the Bar: Rustock.A and Advances in Rootkits
« Reply #7 on: January 05, 2007, 11:45:01 PM »
I've downloaded it; it says I'm infected but can't remove it with the free version. I'm sorry, I didn't understand what you mean by "an HJT scan and post the log it generates so we can look it over". What is it?

galooma
Re: Raising the Bar: Rustock.A and Advances in Rootkits
« Reply #8 on: January 05, 2007, 11:55:26 PM »
It's a small tool that copies all your system files to a log and allows others to see what problems you have.
This is the best way forward now  ;)

Here is a tutorial if you need more info
http://forums.majorgeeks.com/showthread.php?t=38752
« Last Edit: January 05, 2007, 11:57:31 PM by Cloussau »

Nath²
Re: Raising the Bar: Rustock.A and Advances in Rootkits
« Reply #9 on: January 05, 2007, 11:56:24 PM »
And I paste it here with copy/paste? Sorry, it seems very long to me....

galooma
Re: Raising the Bar: Rustock.A and Advances in Rootkits
« Reply #10 on: January 05, 2007, 11:58:30 PM »
If it won't paste into a post, copy it into Notepad and attach the file to the post.

Nath²
Re: Raising the Bar: Rustock.A and Advances in Rootkits
« Reply #11 on: January 06, 2007, 12:01:15 AM »
Logfile of HijackThis v1.99.1
Scan saved at 23:49:17, on 05/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9IE.EXE
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\SPAMfighter\SFAgent.exe
C:\Program Files\Fichiers communs\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\SuperCopier2\SuperCopier2.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashLogV.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Nath\LOCALS~1\Temp\Rar$EX01.422\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.free.fr/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O1 - Hosts: 205.238.40.1 winmx.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Smapp] "C:\Program Files\Analog Devices\SoundMAX\SMTray.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX700 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9IE.EXE" /P31 "EPSON Stylus Photo RX700 Series" /O6 "USB001" /M "Stylus Photo RX700"
O4 - HKLM\..\Run: [EEventManager] "C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe"
O4 - HKLM\..\Run: [RaidTool] "C:\Program Files\VIA\RAID\raid_tool.exe"
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [Digital Video Duplicator OLR] "C:\PROGRA~1\DIGITA~1\BVRPOlr.exe" /Digital Video Duplicator
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [SuperCopier2.exe] "C:\Program Files\SuperCopier2\SuperCopier2.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O18 - Protocol: compta - {365B8213-2402-48CF-9907-A4E4A757DE38} - C:\Isa\isacowp\coNetIE.ocx
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Fichiers communs\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\FICHIE~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winpdc32 - winpdc32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Moteur Webroot Spy Sweeper (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


Nath²
Re: Raising the Bar: Rustock.A and Advances in Rootkits
« Reply #12 on: January 06, 2007, 12:07:12 AM »
Sorry, I don't know how to attach a file to a post  :(
These last days I installed a demo version of BitDefender and uninstalled it (it didn't find the trojan); I feel that some of the missing entries in the system are from that installation. I'll let you look; I don't see anything strange in this information, but I'm not a pro with this (I use Code Stuff Starter Pro to check the running processes regularly; I didn't see anything strange these last days, but I think I clicked on a file I shouldn't have, and since then the trojan is in). I'm in France, it's past midnight, and I've already spent many hours tonight trying again to understand where the trojan still is; I won't be able to understand your information well, it's too late for my little brain. I'll see tomorrow if you have an idea. Even if not, thanks a lot for having spent so much time helping me.

galooma
Re: Raising the Bar: Rustock.A and Advances in Rootkits
« Reply #13 on: January 06, 2007, 12:15:59 AM »
I suggest you read the tutorial and familiarise yourself with the functions it can perform.

It's best if the HJT program sits in a folder on the C drive, as it saves copies of scans in case you need to backtrack.

I'm not an expert at reading these scans, so if you have time you might prefer to wait for others to comment.

An online scan shows that the following lines can be FIXED:

   O1 - Hosts: 205.238.40.1 winmx.com

   O20 - Winlogon Notify: winpdc32 - winpdc32.dll (file missing)

and unless you are familiar with this program and can verify it, it may be bad as well:

   O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)


It's important that you check back, as others might have opinions contrary to mine.
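The triage in the reply above comes down to a few mechanical checks on HijackThis sections: an O1 entry that points a hostname anywhere other than a local sink address is a redirection rather than a block, and an O20 Winlogon Notify package whose DLL HijackThis cannot find is either a stale entry left behind by an uninstaller or a file that is being hidden from user-mode directory listing, which is the kind of stealth the Symantec post at the top of the thread describes. The script below is an added example, not code from this thread or from HijackThis; it applies those checks to a constructed subset of the log posted above (with the WgaLogon and WRNotifier entries kept as benign controls). The severity scale and the choice to list every other "(file missing)" entry as low priority are this example's own assumptions, not something the thread establishes.

```python
import re
from dataclasses import dataclass

# Constructed input: a subset of the HijackThis lines posted earlier in this
# thread. The WgaLogon and WRNotifier entries are kept as benign controls.
SAMPLE_LOG = r"""
O1 - Hosts: 205.238.40.1 winmx.com
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winpdc32 - winpdc32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Addresses a hosts-file entry may legitimately point at: these block a name
# rather than redirect it to a third party.
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}
MISSING = "(file missing)"

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify:\s+(\S+)\s+-\s+(.*)$")


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O20"
    severity: str  # "high", "medium" or "low" (this example's own scale)
    line: str      # the offending log line, verbatim
    reason: str


def triage(log_text: str) -> list:
    """Return the HijackThis lines worth a second look, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]

        # O1: a hosts entry that sends a real hostname to a non-local address
        # is a redirection, not a block (here winmx.com -> 205.238.40.1).
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            if ip not in LOCAL_SINKS:
                findings.append(Finding("O1", "high", line,
                                        f"hosts file redirects {host} to {ip}"))
            continue

        # O20: Winlogon Notify packages are DLLs loaded into winlogon.exe at
        # boot, a persistence point that runs as SYSTEM. HijackThis reporting
        # the DLL as missing means either a stale entry from an uninstall or
        # a file hidden from user-mode directory enumeration.
        m = NOTIFY_RE.match(line)
        if m:
            name, target = m.groups()
            if target.endswith(MISSING):
                findings.append(Finding("O20", "high", line,
                                        f"Winlogon Notify package {name} points at a DLL HijackThis cannot see"))
            elif "\\" not in target:
                findings.append(Finding("O20", "medium", line,
                                        f"Winlogon Notify package {name} loads {target} by bare name (search-order dependent)"))
            continue

        # Anything else HijackThis flags as missing is usually an uninstall
        # leftover, but it is cheap to list for manual review.
        if line.endswith(MISSING):
            findings.append(Finding(section, "low", line,
                                    "referenced file not found; verify the program or remove the entry"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:>6}] {f.section}: {f.reason}")
        print(f"         {f.line}")
```

Run against the constructed sample, the script reports the same three lines galooma singled out (the O1 hosts redirection and the winpdc32 Winlogon Notify entry as high, the bdoscandel.exe button as low) and stays silent on the Microsoft and Webroot notify packages whose DLLs are present under System32.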
