
Tracking down a Trojan

Posted 2006-04-07 05:31 PM in Musings.

I'm not even a tenth as clever as Mark Russinovich in tracking these things down, but I got to play IT department a bit today. You're probably the IT department for your family as well. When Uncle Frank gets a virus, he calls you. In this case, I was called upon to track down a virus.

With all due respect to Russia, there are very few things regular folks need to be visiting in a .ru domain. In this case it wasn't even web browsing, it was SMTP traffic (TCP port 25) going from his machine straight to hosts in .ru, and there is ZERO reason a home PC should be sending mail that way: a mail client only ever talks to its own provider's mail server, so a desktop opening SMTP connections to arbitrary remote hosts is almost always relaying spam for somebody else.

He had run all sorts of anti-virus, anti-spyware, and anti-malware applications and none of them found anything. A cursory glance for funky .exe's in Task Manager showed nothing obvious either, which makes sense in hindsight: the malicious code wasn't a process of its own.

I showed up and suggested we download the three horsemen from Sysinternals: TCPView, Autoruns, and Process Explorer.

First step was to find out which process was opening the connections to the Russian sites. TCPView to the rescue: it lists every TCP and UDP endpoint on the box together with the process that owns it. From the first screenshot we can see that the port is being opened by winlogon.exe, the Windows logon process, certainly a legitimate executable. That is the important point: the malware isn't a process of its own, it's riding inside a trusted system process, which is why Task Manager and the scanners saw nothing.

[Screenshot 1: TCPView, the outbound connection owned by winlogon.exe]

So there must be an evil DLL loaded inside of winlogon.exe. On Windows XP the usual way a third-party DLL gets into winlogon.exe is as a Winlogon notification package, a DLL registered under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify that winlogon loads itself at boot. Next stop, Process Explorer.

[Screenshot 2: Process Explorer, lower pane showing the DLLs loaded in winlogon.exe]

I selected winlogon.exe within Process Explorer and changed the Lower Pane View to show DLLs, then sorted by Company Name. Evil software writers never seem clever enough to fill in a Company Name, so the blanks float straight to the top.

That hywklcsj.dll looks a smidge suspicious, no? It smells auto-generated to me, and the fact that there were no Google results for it confirmed it. A zero-hit search on its own is weak evidence (plenty of legitimate DLLs are obscure), but a random-looking name with no company name, loaded into a process that has no business loading third-party code, adds up.

[Screenshot 3: Autoruns]

Now, Autoruns. Note the now-missing ddcyv DLL: the entry is still registered, but the file it points at is gone. Perhaps that was the bootstrapper that started this whole thing, but now it's run away. An autorun entry pointing at a file that no longer exists is worth noting in its own right; either something deleted the file deliberately once it had done its job, or an earlier cleanup removed the file but not the registry entry.

[Screenshot 4: Autoruns, Browser Helper Objects section]

The Browser Helper Object (BHO) section of Autoruns shows that this trojan also hooks Internet Explorer and probably pops up porno ads while surfing. A BHO is a DLL that IE loads into its own process at startup, so it sees every page you visit.

After cleaning all this crap up and restarting, we're clean: no funky DLLs get loaded by explorer or winlogon, and no suspicious traffic tries to get out of the computer. The registry entries have to go first, since a DLL mapped into a running process can't be deleted until that process lets go of it, and for winlogon.exe that means a reboot. The check afterwards is the same three tools run again: TCPView with nothing unexpected, Process Explorer with only known-company DLLs inside winlogon.exe, and Autoruns with no orphaned entries.

I'm sure this Trojan has a name, but I couldn't figure out which Google terms would tell me which one it is. I suspect a Trojan.Vundo variant, but this one doesn't quite fit the profile.
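The same three-step triage as a script, added here as an example and not code from the original post. It uses the built-in cmdlets of Windows 8 / Server 2012 and later (Get-NetTCPConnection, Get-Process, Get-AuthenticodeSignature, the registry provider) in place of the Sysinternals GUI tools, so it runs on a modern box without downloading anything. The function names, the private-address regex, the "looks auto-generated" pattern and the set of SMTP ports are choices made for this example, not anything from the post. Run it from an elevated prompt; reading winlogon.exe's module list and HKLM persistence keys needs administrator rights.

```powershell
# Added example, not from the original post: the post's TCPView / Process Explorer /
# Autoruns triage with built-in cmdlets (Windows 8 / Server 2012 or later, run elevated).
# Every threshold below is a heuristic picked for this example, not a rule from the post.

# Step 1 (TCPView): map each outbound connection to its owning process and flag SMTP.
function Get-OutboundConnections {
    $private = '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|127\.|::1$|fe80:)'
    Get-NetTCPConnection -State Established, SynSent -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notmatch $private } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Process = $proc.ProcessName
                PID     = $_.OwningProcess
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                State   = $_.State
                # A desktop talks SMTP only to its own mail provider, never to random hosts.
                Smtp    = ($_.RemotePort -in @(25, 465, 587))
            }
        }
}

# Step 2 (Process Explorer, lower pane on DLLs, sorted by Company Name): list the DLLs in a
# process with the ones carrying no company name first, plus an Authenticode check and a
# "looks auto-generated" flag (six or more consonants and nothing else before .dll, which
# hywklcsj.dll matches; so does msvcrt.dll, which is why Company and Signed sit beside it).
function Get-ModulesByCompany {
    param([Parameter(Mandatory)][string]$ProcessName)
    Get-Process -Name $ProcessName -ErrorAction Stop | ForEach-Object {
        $p = $_
        try { $modules = $p.Modules } catch { Write-Warning "cannot read modules of PID $($p.Id): $_"; return }
        foreach ($m in $modules) {
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Module         = $m.ModuleName
                Path           = $m.FileName
                Company        = $m.FileVersionInfo.CompanyName
                Signed         = ($sig.Status -eq 'Valid')
                LooksGenerated = ($m.ModuleName -match '^[b-df-hj-np-tv-z]{6,}\.dll$')
            }
        }
    } | Sort-Object @{ Expression = { [string]::IsNullOrWhiteSpace($_.Company) }; Descending = $true }, Company
}

# Step 3 (Autoruns): the two persistence points the post found. Winlogon Notify packages are
# DLLs that winlogon.exe loads itself (the key exists on XP/2003 and is gone on Windows 7
# and later, so that part may return nothing on a modern box). BHOs are DLLs that Internet
# Explorer loads. Present is $false when an entry points at a file that no longer exists,
# the situation of the missing ddcyv DLL in the post.
function Get-PersistenceEntries {
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notify) {
        foreach ($key in Get-ChildItem $notify) {
            $dll  = (Get-ItemProperty $key.PSPath).DLLName
            $path = if ($dll -and -not [IO.Path]::IsPathRooted($dll)) { Join-Path $env:SystemRoot "System32\$dll" } else { $dll }
            [pscustomobject]@{ Kind = 'WinlogonNotify'; Name = $key.PSChildName; Image = $path
                               Present = [bool]$path -and (Test-Path -LiteralPath $path) }
        }
    }
    $bhoRoots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
                'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $clsid  = $key.PSChildName
            # 32-bit BHOs on 64-bit Windows register their server under Classes\WOW6432Node.
            $server = @("HKLM:\SOFTWARE\Classes\CLSID\$clsid\InProcServer32",
                        "HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID\$clsid\InProcServer32") |
                      Where-Object { Test-Path $_ } | Select-Object -First 1
            $dll  = if ($server) { (Get-ItemProperty $server).'(default)' }
            $path = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
            [pscustomobject]@{ Kind = 'BHO'; Name = $clsid; Image = $path
                               Present = [bool]$path -and (Test-Path -LiteralPath $path) }
        }
    }
}

Get-OutboundConnections | Format-Table -AutoSize
Get-ModulesByCompany -ProcessName winlogon | Format-Table Module, Company, Signed, LooksGenerated -AutoSize
Get-PersistenceEntries | Format-Table -AutoSize
```

Read the three tables the way the post reads the screenshots: a system process with an Smtp row, a module in it with a blank Company and Signed equal to False, and a persistence entry whose Present is False. None of the flags is a verdict on its own; the unsigned, company-less DLL inside a process that should never load third-party code is the finding, the name pattern and the search results are just what made it stand out.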


Friday, April 07, 2006 9:07:45 PM (Pacific Standard Time, UTC-08:00)
I just spent quite a bit of time trying to remove the trojan.vundo infection from a neighbor's machine. That was a nasty one to get rid of. Safe mode and a couple of malware programs later, I think I finally got it cleaned up. Luckily the vundo infection was well documented on the web. I noticed that their computer was much less responsive while it was infected. It would have been interesting to see what was going through the network card. Glad it wasn't mine.
Saturday, April 08, 2006 7:47:30 AM (Pacific Standard Time, UTC-08:00)
Nice job Scott. Maybe you're no Mark Russinovich (a super nice guy...I highly recommend meeting him if you get the chance), but you certainly slam dunked this one...nothing but net! :)
Saturday, April 08, 2006 11:39:36 AM (Pacific Standard Time, UTC-08:00)
Good work and nice explanation. Thanks for sharing the details of your detective session - I'm going to try to remember to utilize the same approach when contacted by family members in similar situations. The tools at Sysinternals are awesome!
Saturday, April 08, 2006 12:35:12 PM (Pacific Standard Time, UTC-08:00)
Very impressive job Scott!!

Darn, do I hate reading "news" like this about Russian "software", yet unfortunately it seems that's the only kind there is :(( The reasons why they do it are of course obvious (a few smart guys living on $50/month per capita income and no outsourcing jobs around), yet it's not making me feel any better :(
Monday, April 10, 2006 7:08:49 AM (Pacific Standard Time, UTC-08:00)
Nice read Scott ... I also like the use of the lightbox 2.0 script.
GMoney
Monday, April 10, 2006 8:22:45 AM (Pacific Standard Time, UTC-08:00)
Note that there are some malware programs that run in an invisible mode where they do not show up in task manager. They work closer to kernel mode.

Try using some good antimalware with shield capabilities like Spyware Doctor. Any time a program tries to install a BHO, mess with the hosts file, install an autorun program or just acts suspicious, you get prompted. This way you handle it before they plant their bomb.

abdu
Abdu Bukres