Endpoint Protection


New Trojan / Worm not detected by SEP or ANY AV - RYAN.EXE


  • 1.  New Trojan / Worm not detected by SEP or ANY AV - RYAN.EXE

    Posted Jun 22, 2009 01:49 AM
    G'day mates,

    I've been trying to resolve this issue for a few days on a few of my test systems, and I finally got the culprit responsible. It's a file called Ryan.exe, and the following are some very basic observations of mine regarding its behaviour.
    • Undetected new virus / trojan; the actual file name is Ryan.exe.
    • Hooks and integrates into Windows Explorer and calls itself explorer.EXE in Task Manager / ProcMon.
    • Also corrupts all system restore points on Windows XP computers and stores a hidden copy of itself at the following location: C:\Recycle\X-5-4-27-2345678318-4567890223-4234567884-2341
    • Every time a user logs onto the system it kills the native explorer and executes itself.
    • Also, it may be trying to spawn itself over the network. On Friday, I faced the issue of it killing explorer and DEP kicking in on only one system. Yesterday, it'd spread over my VLAN to 3 other test systems running XP. Systems running Vista, Windows 7 and Server OS's seem largely untouched.
    • I've submitted the file to Security Response and the tracking number is 11507701, for anyone interested from SecRes to give this file a personal dekko before it actually starts spreading like wildfire.
    • I've also got some Wireshark logs, where it seems to be trying to go out on the internet and download something even more nasty.

    BTW, I've got SEP, Sophos, Avira, TM, McAfee running on different affected test systems, and no one got a whiff of this when it landed on the systems.



  • 2.  RE: New Trojan / Worm not detected by SEP or ANY AV - RYAN.EXE

    Posted Jun 22, 2009 01:57 AM
    Does it disconnect the computer from the network?


  • 3.  RE: New Trojan / Worm not detected by SEP or ANY AV - RYAN.EXE

    Broadcom Employee
    Posted Jun 22, 2009 02:08 AM
    Hi,
    Try uploading it to virustotal.com for submission to find out whether this is a threat. It gives immediate results.

    I believe you would have followed scanning the system in safe mode with the latest definitions running on the machine after disabling System Restore.

    Let us know if this is a new virus once you receive closing of the ticket.

    cheers
    Pete



  • 4.  RE: New Trojan / Worm not detected by SEP or ANY AV - RYAN.EXE

    Broadcom Employee
    Posted Jun 22, 2009 02:17 AM
    Hey, I just found a similar symptom on threatexpert.com:

    http://threatexpert.com/report.aspx?md5=ada5795b7658cd3480d90de688e69dd5

    It's a trojan. You might be interested to look into this.

    You may want to delete these files.

    The following Registry Key was created:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-21CX1C987891}
    The newly created Registry Value is:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28ABC5C0-4FCB-11CF-AAX5-21CX1C987891}]
    StubPath = "c:\Recycle\X-5-4-27-2345678318-4567890223-4234567884-2341\Ryan.exe"

    Let me know how it goes.

    cheers
    Pete


  • 5.  RE: New Trojan / Worm not detected by SEP or ANY AV - RYAN.EXE
    Best Answer

    Posted Jun 22, 2009 05:15 AM
    Thanks for all your inputs mates. Just got back and found an email from Symantec in my inbox.

    The following are the contents of the Security Response Email -

    Developer notes:
    ryan.exe is a non-repairable threat. Please delete this file and replace it if necessary. Please follow the instruction at the end of this email message to install the latest available definitions.



    Symantec Security Response has determined that the sample(s) that you provided are infected with a virus, worm, or Trojan. We have created RapidRelease definitions that will detect this threat. Please follow the instruction at the end of this email message to download and install the latest RapidRelease definitions.

    Downloading and Installing RapidRelease Definition Instructions:
    1. Open your Web browser. If you are using a dial-up connection, connect to any Web site, such as: http://securityresponse.symantec.com/
    2. Click this link to the ftp site: ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/rapidrelease/symrapidreleasedefsx86.exe. If it does not go to the site (this could take a minute or so if you have a slow connection), copy and paste the address into the address bar of your Web browser and then press Enter.
    3. When a download dialog box appears, save the file to the Windows desktop.
    4. Double-click the downloaded file and follow the prompts.


    Virus definition detail:

    Sequence Number Greater Than: 97068
    Defs Version: 110621bm
    Extended Version: 06/21/2009 rev.65


    Well, seems we have RR's for the trojan.

    @ Paul - No, it doesn't cut the computer from the network.


    @ Pete - I uploaded the file to virustotal.com, and the result was zilch :P. That was a few hours ago, let me upload again and see what it says. I actually used the attrib command to get this file visible, and deleted it using Unlocker earlier in the day once I'd submitted it. Thanks for the tip about threatexpert though, will add it to my list of fav's for future reference.



  • 6.  RE: New Trojan / Worm not detected by SEP or ANY AV - RYAN.EXE

    Posted Jun 22, 2009 05:53 AM
    What about Kaspersky, did it also miss this threat?

    VirusTotal may have shown you whether Kaspersky detected it or not.


  • 7.  RE: New Trojan / Worm not detected by SEP or ANY AV - RYAN.EXE

    Posted Jun 22, 2009 06:57 AM
    None. Not a single engine picked it up when I put it up earlier in the day. Now it's being detected by most of them.




  • 8.  RE: New Trojan / Worm not detected by SEP or ANY AV - RYAN.EXE

    Posted Jun 22, 2009 01:39 PM
    Thanks mate. By uploading this new threat you have saved the Symantec customers from one threat.
    That too a nasty one like this, which hooks into the explorer.




  • 9.  RE: New Trojan / Worm not detected by SEP or ANY AV - RYAN.EXE

    Posted Jun 22, 2009 02:14 PM
    But the real question is - where did it originate from?
    Email? (attachment, phishing link, whatever)
    Web? (infected web site or an adult site, etc.)
    push over net via infected computer? (and got through a firewall?)

    Knowing a source means you are already half-way armed to protect against it.


  • 10.  RE: New Trojan / Worm not detected by SEP or ANY AV - RYAN.EXE

    Posted Jun 22, 2009 02:16 PM
    Yes
    keep up this good work.


  • 11.  RE: New Trojan / Worm not detected by SEP or ANY AV - RYAN.EXE

    Posted Jun 22, 2009 02:29 PM
    Probably if you can go through your history and find the site where it came from.
    Report that as well to symantec. 

    But if it was from USB then I think it will become almost impossible to trace it back.


  • 12.  RE: New Trojan / Worm not detected by SEP or ANY AV - RYAN.EXE

    Posted Jun 22, 2009 02:30 PM
    Good work  Abhishek Pradhan.
    but how did you detect it in the first place if no Av was able to do that?
    Hope you could share more about this.
    Do you follow a step by step process to manually check this?
    thanks..


  • 13.  RE: New Trojan / Worm not detected by SEP or ANY AV - RYAN.EXE

    Posted Jun 22, 2009 02:34 PM
    To add, found this on the web:

    http://www.threatexpert.com/files/rYan.exe.html

    Please check it out..
    Thanks...


  • 14.  RE: New Trojan / Worm not detected by SEP or ANY AV - RYAN.EXE

    Posted Jun 23, 2009 12:13 AM
    @ Nel

    I was freaking out when the native explorer was being killed, and that too with DEP (Data Execution Prevention) kicking in.

    So I did a sigverif for all DLL files and other files and found nothing.

    Then on closer observation, I saw that once the native explorer is killed, a new session of the hooked Explorer is invoked with a small Windows Script window appearing at the top left corner giving the path as C:\Recycle\X*****, so I took a chance and browsed the folder through Command Prompt, ran attrib -h -s -r to force remove the Hidden attributes, ran the command dir, found the file and uploaded it to the Symantec system, and deleted it.

    The only giveaway was the Windows Script pop-up that gave the path, else I'd not have been able to find the trojan.

    @ Vikram - The affected test systems are used only by me, so no USB drives are allowed on them :D, and I did try to check the logs and all but came up with nothing. I think it might be coming as a Flash Addon ActiveX component, I'll check this and post if I find anything new.
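    The two artefacts described in this thread, the Active Setup StubPath persistence from post 4 and the hidden copy under C:\Recycle found with attrib/dir in post 14, can be checked on a Windows host with the following PowerShell. This is an added example, not code from the thread or from Symantec; the C:\Recycle folder name comes from the thread, while the list of trusted roots and the treatment of bare executable names are assumptions.

```powershell
# Added example: audit Active Setup persistence and hidden Recycle-style folders.
# Run in an elevated PowerShell session on the suspect host.

# Assumption: legitimate StubPath targets live under these roots.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() }

function Get-SuspiciousActiveSetup {
    $keys = @('HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
              'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components')
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem $key) {
            $stub = (Get-ItemProperty $sub.PSPath -ErrorAction SilentlyContinue).StubPath
            if (-not $stub) { continue }
            # Expand %SystemRoot% etc. and isolate the executable from its arguments.
            $exe = [Environment]::ExpandEnvironmentVariables($stub)
            if ($exe -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($exe -split ' ')[0] }
            # Bare names such as regsvr32.exe resolve via PATH; keep the name if unresolved.
            if ($exe -notmatch '[\\/]') {
                $cmd = Get-Command $exe -ErrorAction SilentlyContinue
                if ($cmd -and $cmd.Source) { $exe = $cmd.Source }
            }
            $exe = $exe.ToLowerInvariant()
            $trusted = $false
            foreach ($root in $trustedRoots) { if ($exe.StartsWith($root)) { $trusted = $true } }
            if (-not $trusted) {
                [pscustomobject]@{ Component = $sub.PSChildName; StubPath = $stub; OnDisk = (Test-Path $exe) }
            }
        }
    }
}

function Get-HiddenRecycleEntries {
    param([string]$Root = 'C:\Recycle')   # folder named in the thread
    if (-not (Test-Path $Root)) { return }
    # -Force shows entries carrying the Hidden/System attributes that attrib -h -s would strip.
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
        Select-Object FullName, Attributes, Length, LastWriteTime
}

Get-SuspiciousActiveSetup | Format-Table -AutoSize
Get-HiddenRecycleEntries  | Format-Table -AutoSize
```

    A StubPath that points outside the trusted roots and whose target no longer exists on disk is worth a second look too, since it shows a component that was installed and later removed.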



  • 15.  RE: New Trojan / Worm not detected by SEP or ANY AV - RYAN.EXE

    Posted Jun 23, 2009 01:15 AM
    Do you have any leads for the source?


  • 16.  RE: New Trojan / Worm not detected by SEP or ANY AV - RYAN.EXE

    Posted Jun 25, 2009 09:29 AM
    @ Paul

    Checked lots of logs and stuff, but no go. :(

    Wasn't able to find out where the darn thing came from. Will keep my eyes peeled though and keep out a looksie to check if it affects a new test env. that I'm setting up. Have enabled granular level logging using SCOM to check what all activities happen on the new environment setup.

    Will update this thread if I find something new.






  • 17.  RE: New Trojan / Worm not detected by SEP or ANY AV - RYAN.EXE

    Posted Jun 25, 2009 09:48 AM
    Check the IE add-ons and see if you find any unknown add-on loaded. Check when it was loaded, and check the DLL for it.


  • 18.  RE: New Trojan / Worm not detected by SEP or ANY AV - RYAN.EXE

    Posted Jun 26, 2009 03:05 AM
    Checked again. No add-ons. I'm starting to think that this came off another system on my intranet when a colleague had hooked his test setup with mine for testing some things. Will check the other chap's systems and let you know.



  • 19.  RE: New Trojan / Worm not detected by SEP or ANY AV - RYAN.EXE

    Posted Jun 27, 2009 10:57 AM
    Success! Success! Eureka Eureka !!!!! ;)

    Just for the record, I'm not going to run into the street like Archimedes did :D , but I finally did find the infection vector late noon today. Found that a colleague had plugged his USB drive into the test hardware to copy some software over and the threat came from his USB.

    Made a trip to his house today and checked and found that even his home systems (5 systems in all) were affected by the same. Manually removed the threats and admonished him for not using a good AV solution, instead depending on a free and so-so AV solution to protect his systems.

    Hopefully, this will be the last of this threat that I see. Thank you all for chipping in and helping out!

    Cheers.


  • 20.  RE: New Trojan / Worm not detected by SEP or ANY AV - RYAN.EXE

    Posted Jun 27, 2009 03:10 PM
    @Abhishek Pradhan: Good work!
    Hope you could make an article about the step by step (detailed ) way in resolving RYAN.exe...
    We shall be waiting for it.. and vote positively...

    This would be a very great document...