Security Community Blog

Man vs Worm

Created: 06 Jul 2011 • Updated: 07 Jul 2011
mon_raralio

First of all, I'll admit that this is not my best blog so far. It looks like I'm rambling. But I hope that, if you read this in its entirety, you'll learn something related to malware removal.

This was checked in for fixing. It's a laptop with Wi-Fi capability, used in one of the branch offices. Just looking at the shortcut icons shows that it is being used for unrestricted broadband Internet connections. The laptop was obviously infected. The SAV client was disabled and none of the software ran. The threat also disables the Task Manager, the folder options, and the command prompt. Other default MS software is also disabled, and the main concern here is to be able to run the AV first.

To be able to check this further, I needed to 1) gain access to the programs, and 2) identify the malware.

The first one would be a challenge. I started with identifying the malware, which is pretty much straightforward. USB was still enabled on the computer (malware rarely disables features when that would prevent it from transferring itself to other media by any means), so I just plugged in one of my USB drives to get it infected and scanned it on a PC that has SEP installed with updated virus definitions. The Autoplay/Autorun feature should have been disabled by now, so it would be relatively safe. Take note that all AVs will clean up to 99% of all risks. You need to be careful about that remaining 1%. This is where the command prompt comes in handy instead of using MS Explorer to view the files. Using Explorer could preload some of the files for faster access or load custom folder features. The worm was W32.Daprosy.

A quick search on Symantec's website for the threat found would give lots of information. The problem is with the almost standard procedure: 1. Go to Safe Mode, 2. Update virus definitions, 3. Run full scan. This is especially so if the executables on the said PC are corrupted, including the AV. Searching the web using the filename of the virus also helps half of the time.

This is an old worm. It copies itself to all the directories that were accessed. At this point I still could not use the Task Manager or the tasklist and taskkill commands. The Run option was also not present and all applications opened were immediately closed. I was able to launch pskill, but it quit immediately after starting. It had something to do with the EULA pop-up that appears before I get to use the software.

I was able to create a text document, and the folder options allowed me to show extensions for a while. So I made a batch file that contains these lines:
cmd
dir/p/s
pause

'cmd' re-launches the command prompt, 'dir' is there so that I can do something else, and 'pause' pauses the batch file so that I can cancel it, leaving me at the command prompt without having it close. At this point I can use programs that reset Windows to re-enable the other features that were initially disabled, or make and use batch files to revert registry changes and prevent the malware from launching. I can use the 'dir' command and look for suspicious files. Further research and actual searching of the PC's directories turned up the following suspicious files:

C:\Classified.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Classified.exe

...and it also indicates that there are other files created by the malware:
C:\Documents and Settings\All Users\Application Data\Microsoft\KBDriver\Classified.exe
C:\SysinternalsSuite\Classified.exe
C:\WINDOWS\Classified.exe
C:\Documents and Settings\All Users\Application Data\Lambda\DirLock.exe
C:\WINDOWS\system32\winnthlp1.exe
C:\WINDOWS\system32\winnthlp2.exe
C:\Documents and Settings\All Users\Application Data\Microsoft\Keyboard\kbdsys.exe
C:\Windows\Shutdown.dll

Classified.exe is also found throughout the directories that Explorer touched, changing the folder properties and creating executables. At this point all I can do is go to safe mode and use the command prompt to manually delete all the infections. Loading in Normal mode would only reinfect the system and replace the deleted malware files.

To completely remove the malware, I searched the web and found a batch file that manually does that. It contains numerous taskkill commands that you can write yourself: taskkill followed by delete commands.

To successfully use this, I started in safe mode with DOS prompt.
I listed all the suspected files and piped them to a text file:
dir classified.exe /s > classified.txt
etc...
Then I made a batch file to delete all these files.
The batch file was:
del "C:\Classified.exe"
del "C:\Documents and Settings\All Users\Application Data\Microsoft\KBDriver\Classified.exe"
del "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Classified.exe"
del "C:\Program Files\NetMeeting\Classified.exe"
del "C:\SysinternalsSuite\Classified.exe"
del "C:\WINDOWS\Classified.exe"
del "C:\Documents and Settings\All Users\Application Data\Lambda\DirLock.exe"
del "C:\WINDOWS\system32\winnthlp1.exe"
del "C:\WINDOWS\system32\winnthlp2.exe"
del "C:\Documents and Settings\All Users\Application Data\Microsoft\Keyboard\kbdsys.exe"
del "C:\Windows\Shutdown.dll"

Just enough, I thought, to make sure it doesn't start up.

It kept coming back. All the deleted files returned, and the folders were hidden and replaced with exe files of the same name. This went on until I finally re-ran the batch files and deleted the prefetch data.

del c:\windows\prefetch\*.pf
(all the apps that failed to run, including the ones I used)

After a nervous restart, all went well. I installed SEP, updated it and ran a full scan.

It did manage to remove most, but when browsing to some folders, SEP still shows alerts. But at least it's up and running, and it's a matter of time until it gets them all. I just made sure that SEP loads first, before the malware files.
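
The symptom described above, folders hidden and replaced with exe files of the same name, can be checked for across a drive once it is mounted on a clean machine. This is an added example, not part of the original post; the function names are made up for the illustration, and the hidden flag is only available when the script runs on Windows.

```python
import os
import stat

def is_hidden(path):
    """True/False from the Windows hidden attribute; None where the OS has none."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is None:
        return None
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)

def find_folder_lookalikes(root, exts=(".exe",)):
    """Find executables that sit next to a folder of the same name.

    Returns a sorted list of (executable_path, folder_path, folder_hidden).
    A pair whose folder is hidden matches the behaviour described in the post.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Windows names are case-insensitive, so compare in lower case.
        folders = {d.lower(): d for d in dirnames}
        for name in filenames:
            stem, ext = os.path.splitext(name)
            if ext.lower() in exts and stem.lower() in folders:
                folder = os.path.join(dirpath, folders[stem.lower()])
                hits.append((os.path.join(dirpath, name), folder,
                             is_hidden(folder)))
    return sorted(hits)

if __name__ == "__main__":
    import sys
    # Usage (hypothetical drive letter): python lookalikes.py E:\
    for exe, folder, hidden in find_folder_lookalikes(sys.argv[1]):
        print(f"{exe}  <->  {folder}  (folder hidden: {hidden})")
```

Every hit is a candidate for deletion of the executable and for clearing the hidden attribute on the folder; an installer that legitimately shares a name with a folder will also show up, so review the list before acting on it.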

Here's what the autorun says:
[autorun]
open=Read1st.exe
shellexecute=Read1st.exe
shell=auto
shell\auto=View multimedia
shell\auto\command=Read1st.exe
shell\open\command=Read1st.exe
shell\explore\command=Read1st.exe
action=Auto-protect folders and files
icon=shell32.dll,8
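
To triage a file like this without opening the drive in Explorer, the [autorun] section can be parsed and reduced to what it would launch. The following is an added example, not part of the original post; the function names are made up for the illustration and the sample input is the section quoted above.

```python
import re

# The [autorun] section quoted in the post (copied from the page).
SAMPLE = r"""[autorun]
open=Read1st.exe
shellexecute=Read1st.exe
shell=auto
shell\auto=View multimedia
shell\auto\command=Read1st.exe
shell\open\command=Read1st.exe
shell\explore\command=Read1st.exe
action=Auto-protect folders and files
icon=shell32.dll,8
"""

# Keys whose value is a command that can be run from the drive.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")

def parse_autorun(text):
    """Return {key: value} for the [autorun] section, skipping junk lines."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def analyze(text):
    """Summarise what an autorun.inf would launch and which verbs it takes over."""
    entries = parse_autorun(text)
    launch = {k: v for k, v in entries.items() if LAUNCH_KEY.match(k)}
    default = entries.get("shell", "").lower()
    return {
        "launch_keys": sorted(launch),
        "targets": sorted(set(launch.values())),
        # On systems that honour autorun.inf, redefining open/explore makes a
        # double-click or "Explore" on the drive run the program.
        "hijacked_verbs": [v for v in ("open", "explore")
                           if f"shell\\{v}\\command" in entries],
        # The command behind the default context-menu verb, if one is set.
        "default_verb_command": entries.get(f"shell\\{default}\\command"),
    }

if __name__ == "__main__":
    for name, value in analyze(SAMPLE).items():
        print(f"{name}: {value}")
```

For the file above, every launch path leads to the same Read1st.exe, and both the open and explore verbs are redefined, so that file is the one to locate and submit for scanning.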