Author Topic: Why is the file procexp.sys now called 剐䍏塅ㅐ〰匮卙 ?  (Read 12123 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Hi malware fighters,

In C:/Windows/system32/drivers, Sysinternals Process Explorer is named:
剐䍏塅ㅐ〰匮卙 How come? The file is clean, uploaded to jotti.
What is this?

polonus
« Last Edit: May 22, 2007, 08:33:39 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
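Added example, not part of the thread: the seven characters in that file name are exactly what the ASCII bytes of PROCEXP100.SYS look like when a decoder reads them two at a time as UTF-16LE code units, so a quick triage check for such a name is to re-encode it as UTF-16LE and see whether printable ASCII comes out. Standard-library Python; the function names are my own.

```python
# Added example (not from the thread): test whether a file name made of odd
# CJK/Hangul characters is really an ASCII name whose bytes were read two at
# a time as UTF-16LE (a common mojibake, and how "剐䍏塅ㅐ〰匮卙" arises).
import string

# Bytes we accept in a recovered name: printable ASCII without control chars.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def utf16le_mojibake_to_ascii(name: str):
    """Return the ASCII text hidden in `name`, or None if `name` is not a
    sequence of UTF-16LE code units built from two printable ASCII bytes."""
    try:
        raw = name.encode("utf-16-le")
    except UnicodeEncodeError:          # lone surrogates cannot be encoded
        return None
    if len(raw) != 2 * len(name):       # non-BMP characters take 4 bytes
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:          # some byte >= 0x80: not ASCII
        return None
    if not all(c in PRINTABLE for c in text):
        return None
    return text


def ascii_to_utf16le_mojibake(text: str) -> str:
    """Inverse view: how an even-length ASCII name appears when its bytes are
    misread as UTF-16LE code units."""
    raw = text.encode("ascii")
    if len(raw) % 2:
        raise ValueError("an odd number of bytes cannot pair up into code units")
    return raw.decode("utf-16-le")


if __name__ == "__main__":
    suspicious = "剐䍏塅ㅐ〰匮卙"        # the name quoted in the thread
    print(utf16le_mojibake_to_ascii(suspicious))        # PROCEXP100.SYS
    print(ascii_to_utf16le_mojibake("PROCEXP100.SYS"))  # 剐䍏塅ㅐ〰匮卙
    print(utf16le_mojibake_to_ascii("ntoskrnl.exe"))    # None: genuine ASCII name
```

A name that decodes this way is evidence of a character-encoding mix-up in whatever wrote or displayed it, not of tampering by itself; the file's signature and hash still need to be checked separately.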

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: Why is my process explorer now called 剐䍏塅ㅐ〰匮卙 ?
« Reply #1 on: May 22, 2007, 01:53:12 AM »
How did you get a Process Explorer file in the system32\drivers\ folder? I thought it was a stand-alone, non-installed application. Mine is in my D:\Utilities-Non-Registry folder. I just downloaded the procexpnt.zip and extracted the files into the above folder. Since it doesn't appear in Add/Remove Programs, I assume the above about a stand-alone application is correct.

http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

drhayden1

  • Guest
Re: Why is my process explorer now called 剐䍏塅ㅐ〰匮卙 ?
« Reply #2 on: May 22, 2007, 02:16:13 AM »
Quote
I just downloaded the procexpnt.zip and extracted the files into the above folder. Since it doesn't appear in add remove programs, I assume the above about stand alone application is correct.

Same here, DavidR. Did the same and it's a stand-alone and not in Add/Remove Programs ::)
« Last Edit: May 22, 2007, 02:18:33 AM by drhayden1 »

Offline polonus

Re: Why is my process explorer now called 剐䍏塅ㅐ〰匮卙 ?
« Reply #3 on: May 22, 2007, 01:23:19 PM »
Hi you two,

I have no clue how it landed there. I had some problems downloading from a browser, so that could be why it landed there. Changing the name in the above way seems to be a cool way to masquerade it. Going to start to analyse this file thoroughly, and keep you informed of the results. Just spotted it by chance, exploring the aec.sys file in the system32/driver folder. The latter was an FP by COMODO BOClean (after an update the prompt vanished, and jotti.de and virustotal could not find anything on either file). You hear from me later,

polonus

drhayden1

Re: Why is my process explorer now called 剐䍏塅ㅐ〰匮卙 ?
« Reply #4 on: May 22, 2007, 01:49:53 PM »
Quote
You hear from me later,
I'm sure we will, polonus, the almighty malware fighter....
Hope the above-mentioned problem didn't damage anything on your system :)

What's an egel ???
« Last Edit: May 22, 2007, 01:55:59 PM by drhayden1 »

Offline polonus

Re: Why is my procexp.sys now called 剐䍏塅ㅐ〰匮卙 ?
« Reply #5 on: May 22, 2007, 07:54:12 PM »
Hi fellows,

BintScan could not open the file because of "??????.rpj - invalid argument". FileAlyzer could not open it because of an error in the syntax of the filename, foldername or volumename.
Opened it up after renaming it, and these are the contents:
Anyone to comment?

polonus
PS. egel = porcupine (Dutch)
« Last Edit: May 22, 2007, 08:42:21 PM by polonus »

drhayden1

Re: Why is my process explorer now called 剐䍏塅ㅐ〰匮卙 ?
« Reply #6 on: May 22, 2007, 07:56:22 PM »
Quote
Anyone to comment?
So I guess a zaba is a frog ??? ::)
« Last Edit: May 22, 2007, 08:51:55 PM by drhayden1 »

Offline polonus

Re: Why is procexp.sys now called 剐䍏塅ㅐ〰匮卙 ?
« Reply #7 on: May 22, 2007, 08:32:49 PM »
Hi malware fighters,

We are getting nearer to the identification of this file.
"PROCEXP.SYS" file created/located under the "D:\WINDOWS\system32\drivers\" directory ?? I've seen it for the first time yesterday ...

You see, the thing is that AFAIK Process Explorer uses those special so-called "on-the-fly" created drivers, which are created (as files), loaded into RAM and deleted right away. They are named, for instance, PROCEXP86 (older version), PROCEXP100 etc. Also, there is one new, somehow strange entry visible in Autoruns, which points to the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PROCEXP


See the screenshot of that Autoruns entry attached:

Import table: ntoskrnl.exe, HAL.dll
Security: User; System NT AUTHORITY; Administrators (built-in)

ntoskrnl.exe is a critical process in the boot-up cycle of your computer, although it should never appear in WinTasks under normal circumstances. Note: ntoskrnl.exe can be altered by w32.bolzano and variants. If this process appears in WinTasks, please update your virus definitions immediately.
When Hall.dll (Hardware Abstraction DLL) is in a different partition, make sure it is placed under "$SystemDir"/hall.dll.



polonus
« Last Edit: May 22, 2007, 08:41:46 PM by polonus »

Offline polonus

Re: Why is the file procexp.sys now called 剐䍏塅ㅐ〰匮卙 ?
« Reply #8 on: May 22, 2007, 11:18:34 PM »
Hi malware fighters,

Here is some more information on this mysterious driver file procexp.sys, from the horse's mouth:
http://blogs.technet.com/markrussinovich/archive/2006/03/27/the-case-of-the-mysterious-driver.aspx

If I grasp what I read there right, it has to do with DRM. There is really nowhere to hide anymore.

polonus

Offline DavidR

Re: Why is the file procexp.sys now called 剐䍏塅ㅐ〰匮卙 ?
« Reply #9 on: May 23, 2007, 12:01:01 AM »
Very interesting, but the driver he is on about is asctrm.sys and not a Process Explorer device driver, and it doesn't account for the renaming of the procexp.sys file.

I also don't have the procexp entry in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services registry key.

drhayden1

Re: Why is the file procexp.sys now called 剐䍏塅ㅐ〰匮卙 ?
« Reply #10 on: May 23, 2007, 12:12:48 AM »
Important: Some malware camouflages itself as ASCTRM.sys, particularly if it is located in the c:\windows or c:\windows\system32 folder. Thus check the ASCTRM.sys process on your PC to see whether it is a pest. We recommend Security Task Manager for verifying your computer's security. It is one of the Top Download Picks of 2005 of The Washington Post and PC World.
Just saw this, DavidR, and maybe ::)
http://www.file.net/process/asctrm.sys.html
http://www.neuber.com/taskmanager/download.html
« Last Edit: May 23, 2007, 12:14:37 AM by drhayden1 »

Offline polonus

Re: Why is the file procexp.sys now called 剐䍍塅ㅐ〰匮卙 ?
« Reply #11 on: May 23, 2007, 12:19:07 AM »
Hi DavidR,

We aren't out of the woods yet, because there could also be a malicious stroke to it: http://www.cnxhacker.com/Article/Print.asp?ArticleID=4200
But because it is on a normal user account, it is probably not effective in getting this Exploit.VBS.Phel.1 to work....
ASCTRM.sys is not there.

polonus

Offline DavidR

Re: Why is the file procexp.sys now called 剐䍏塅ㅐ〰匮卙 ?
« Reply #12 on: May 23, 2007, 01:21:15 AM »
I don't have ASCTRM.sys on my system, either legit or otherwise.

Having a look at the cnxhacker.com link you gave, glad I have the FF translator (Web Site translation extension), as my simplified Chinese is non-existent.

Offline polonus

Re: Why is the file procexp.sys now called 剐䍏塅ㅐ〰匮卙 ?
« Reply #13 on: May 23, 2007, 09:38:18 PM »
Hi DavidR,

Well, nice translation tool, that FF translator add-on, uh, makes you read all that scary Chinese rootkit stuff or comments on the mysterious procexp.sys driver. Well, I went to Start - Programs - Accessories - System Tools - System Information, double-clicked Software Environment, and double-clicked Drivers to see all that was started up and running, for signs of Ali or Poot trojan related drivers; scanned all with GMER - not a trace of something fishy there - so no ierk8248 driver either.
For the moment the only reason for it being there is me installing the oriental browser Sleipnir, or a malformed URL buffer overflow to get access to run something with full rights (which was warded off by my configuration, I hope); also BOClean reacted, but apparently that was an F.P. So, my dear Watson, that is where we are at the mo.
Just a question on trust here: what is the status of something that runs as AUTHORITY Administrators (built-in)? It is part of the SYSTEM NT AUTHORITY. I think I told here once that something run as SYSTEM could surpass all, that this can be used to elevate the authority of another process to run.
I remember I had it mentioned in a thread here somewhere: scanning as SYSTEM....

yours truly,

polonus
« Last Edit: May 23, 2007, 09:41:42 PM by polonus »

neal62

Re: Why is the file procexp.sys now called 剐䍏塅ㅐ〰匮卙 ?
« Reply #14 on: May 23, 2007, 10:06:11 PM »
Polonus, I don't know if this has anything to do with this file you found or not. But when I have tried to download that oriental browser "Sleipnir" to my PC using WinXP SP2, I get a prompt that states something to the effect that it cannot install Sleipnir because another program is using the file. I am not at home now and can't tell you what file it referred to, but I just thought I would pass this on to you.  ;)