Sunday, December 7, 2008

Trojan wars

by John D Ramsey

Lisa somehow managed to get a Trojan and a slug of malware on her computer this week. The suspected source is a malevolent company masquerading as an inexpensive telecom solution. No, I am not referring to Skype. If you want an inexpensive telecom solution, my advice is to stick with Skype. It isn’t AT&T, but it’s a good choice to back up mobile phones. Lisa has our Skype calls forwarded to her cell. That way people can call a local exchange in Kansas City while we retain our old numbers from Minnesota on our cell phones.

Back to the Trojan: Lisa’s Avast antivirus program updated daily, and every time I ran a full scan on boot, Avast would delete files from the System32 directory as well as from the recovery cabs. Regardless, the behavior remained. I could not navigate to helpful websites such as www.mozilla.com. Avast blocked the popups from the domains I identified, but the viral behavior remained. The symptoms also included unfamiliar registry values in the HKLM\Software\Microsoft\Current Version\Run key. The data included a string such as “Run32dll.exe ‘C:\Windows\System32\filename.dll’,s” where the DLL called had absolutely nothing to do with Windows or any legitimate software vendor.

When I deleted an entry, it immediately regenerated. Navigating to another key and back again revealed that the Trojan was not so easily defeated.

When I looked for the file names referred to in the registry, they did not appear in Windows Explorer even though I had it configured to show hidden and system files. Nevertheless, with the computer disconnected from the Internet, I opened a command prompt and entered:
C:\Windows\System32> dir *.dll /A:H > dll.hell
This created a text file listing all the DLLs with the hidden attribute set. I opened the dll.hell file in Notepad and found the likely suspects by the last date written. From the command prompt, I entered:
C:\Windows\System32> attrib -h -s filename.dll
C:\Windows\System32> del filename.dll
This deleted some files, but on a few files I received "Access is denied" errors, indicating that the files were loaded and in use. For these files, I typed:
C:\Windows\System32> cacls filename.dll /D Everyone
When the system prompted, "Are you sure?" I answered with a quick "Y" keystroke. (Sure, I'm sure.) After denying permission to the DLL, I rebooted the system. Error messages appeared on boot saying that the file was missing. I was then able to delete the registry values that were causing the Trojan to load.

I repeated this process until no more values appeared in the registry and I could successfully navigate to www.mozilla.com and download Firefox. Microsoft just lost another loyalist in the browser wars.
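The manual inspection above (Run-key entries that load a DLL through rundll32, hidden or system-attributed files in System32) can be automated for triage. The script below is an added example written for this post, not code from the original; it assumes Windows PowerShell with Get-AuthenticodeSignature available and an elevated prompt, and it only reports, never deletes.

```powershell
# Triage script (added example, not from the original post): enumerate Run-key
# autostarts, pull out the DLL each rundll32 entry loads, and flag DLLs that are
# hidden/system-attributed, missing, or not carrying a valid Authenticode signature.
# Assumes: run as Administrator in Windows PowerShell.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-RunDllTarget {
    param([string]$Command)
    # Match rundll32(.exe) followed by an optionally quoted path ending in .dll;
    # the trailing ",entrypoint" seen in the post is excluded by [^",].
    if ($Command -match '(?i)rundll32(\.exe)?\s+"?([^",]+\.dll)') { return $Matches[2] }
    return $null
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip provider metadata properties
        $dll = Get-RunDllTarget $prop.Value
        if (-not $dll) { continue }
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
        $findings = @()
        if (-not (Test-Path -LiteralPath $dll)) {
            $findings += 'file not found'
        } else {
            # -Force is needed so Get-Item returns hidden/system files at all
            $attr = (Get-Item -LiteralPath $dll -Force).Attributes
            if (($attr -band [IO.FileAttributes]::Hidden) -ne 0) { $findings += 'hidden' }
            if (($attr -band [IO.FileAttributes]::System) -ne 0) { $findings += 'system' }
            $sig = Get-AuthenticodeSignature -FilePath $dll
            if ($sig.Status -ne 'Valid') { $findings += "signature: $($sig.Status)" }
        }
        if ($findings.Count -gt 0) {
            Write-Output ("{0}\{1} -> {2} [{3}]" -f $key, $prop.Name, $dll, ($findings -join ', '))
        }
    }
}
```

Each flagged line names the registry value and the DLL it loads, so the attrib/cacls steps above can be applied to a known list instead of guessing from file dates.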

It appeared that the Trojan had a keystroke logging component. Lisa took countermeasures to mitigate the damage. Now we wait to see.

Unfortunately, my router does not allow me to block traffic to a particular subnet, otherwise I would block all traffic to and from the Class B 85.12.0.0. I need no information from the Netherlands, anyway. Maybe I'll get a better router for Christmas.

Disclaimer: If this information is helpful, I’m glad. If you don’t know what you are doing, I’m sorry, but don’t do it. If I’ve missed something important, please leave a comment.

Now that Lisa has her computer back, I know she'll be posting about the fun Christmas party we had at our house Saturday night.
