Variant of or possibly: CoreFloo-C, TrojanDropper.Win32.Emaner, CoreFlood.dr, Backdoor.Coreflood

References: Sophos page; article about the same trojan?; article about a similar trojan
Created 11/7/2003 Contact Author: b.lucas @ tcu.edu Thanks to David for working with me on ADS and to Derek for being patient while I investigate your machine.
Help Me: I have this virus and I want to get rid of it!

About this virus: If you scan your system (assuming it is NTFS on NT4/2000/XP/2003) with Norton Anti-Virus, Ad-Aware, SpyBot or TDS-3, manually search for the infected .dll file, or just try to delete it from the registry Run/RunOnce keys, you're not going to get anywhere. This is not the CoreFlood trojan you'll see listed on some of the AV sites like Symantec and McAfee. This is a clever variant. The trojan hides in an alternate data stream (ADS) attached to the actual folder %System%\system32. Therefore, you cannot see it with the native tools provided by Microsoft. You will not see it with most AV programs because they don't scan ADS. Ad-Aware and Spybot won't see it. You won't see it listed in Task Manager because it injects itself into Explorer.exe. If you delete it from either the Run or RunOnce key, it will add itself right back.

What can it do? According to Sophos and some of the write-ups on older variants, it is a remote control program which allows an intruder to gain access to the victim computer via IRC. In my opinion, that isn't all it does. I believe that this new variant has been developed by a professional spammer. They use it to gain control of lots of computers and send bulk spam at will.

Why do you think this virus is used for spam / spamming? Before I explain why, let me say that I have only been able to investigate one machine so far. Until I review additional machines with the same spamming patterns I won't be able to say so with 100% certainty, but I feel very confident at this point. One of my duties is maintaining the mail system, and in doing so I discovered the following. A user's computer began spewing messages at a rate of 16 msgs/sec to what appear to be randomized @aol.com addresses. Sniffing the traffic revealed it to be spam for prescription drugs and Viagra, surprise. Upon reviewing the computer I found one infested computer.

So I ran Ad-Aware and Spybot (two great ones by the way) and cleaned everything off. Yet, one registry line refused to delete. Here's what the original Run line looked like:

"vqmnxl"="rundll32 C:\\WINDOWS\\System32:vqmnxl.dll,Init 1"

So I manually deleted it, but it came right back. I cleared the RunOnce line, which also had the entry, but that didn't help either. So, I hoped I could identify the process responsible for recreating the key, kill it, then delete the key and all would be good. Using RegMon, I found it. I loaded Task Manager, killed rundll32.exe PID 1932 and deleted the lines from the registry again. When I opened Regedit again, the lines had still come back! This is because it injects itself into the Explorer.exe process. (Note: I didn't try killing Explorer, bringing up Taskmgr with Ctrl-Alt-Esc, launching Regedit from the New Task menu and deleting it, but the author of one of those articles did and reported it did NOT work.)

I tried scanning the drive for vqmnxl.dll but didn't find anything because the .dll was hidden in an ADS. So, using LADS I was able to confirm the file's existence. The problem was that it was attached to the System32 folder, and I wasn't aware of any easy way to delete an ADS from that particular folder. I re-ran Spybot, Ad-Aware, NAV 8.0 (which detected KLEZ and audio.exe*) and TDS-3, all with current definitions, and none of them could see it. TDS-3 specifically has settings for detecting hidden ADS files, which I made certain were enabled. I ran it twice just to be sure, but it failed to see it. Perhaps TDS can only see ADS attached to files, not attached to folders. (*Note: audio.exe is referenced in another article which indicated this trojan was for spam.)

Searching on the various phrases of the registry line turned up some interesting articles, but none which referenced the massive spam to @aol.com. Fortunately the COREFCGUI tool from Sophos was able to spot the ADS and remove it! I find it odd that NAV doesn't scan for ADS (I couldn't find any documentation to the contrary, and I tested 8.0) while Sophos does. Microsoft obviously needs to add the ability to view and delete streams to their code, but better be ready for the chaos that will unleash. Finally, I can't help but notice this machine had Kazaa on it, which would be my guess as to where it came from.

Note: I recommend TripWire for server security due to the fact that it can track and report changes to ADS. For further discussion of any of these topics, see the references on the left side at the top of this document.

Note: If you are running Win9x, just delete the .dll; ADS doesn't exist on FAT/FAT32 partitions.
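The two blind spots described above, a named stream hanging off a directory rather than a file and an autorun value whose "path" contains a second colon, can now be checked with built-in tooling. The script below is an added example, not part of the original article or of any Sophos tool; it assumes PowerShell 3.0 or later, and the list of directories and autorun keys it inspects is an assumption you should extend for your own environment.

```powershell
# Added example, not from the original article: two defender-side checks for
# what the write-up describes: a named alternate data stream attached to a
# directory (e.g. %SystemRoot%\System32) and Run/RunOnce values whose command
# line targets a "path:stream" instead of a file. Needs PowerShell 3.0+
# (Get-Item -Stream). Directory list and autorun keys are assumptions.
$dirsToCheck = @(
    (Join-Path $env:SystemRoot 'System32'),
    $env:SystemRoot,
    "$env:SystemDrive\"
)
# 1. Named streams on directories. Scanners that only walk files (the
#    article's experience with TDS-3) never look here, so list them explicitly.
foreach ($dir in $dirsToCheck) {
    Get-Item -LiteralPath $dir -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            [pscustomobject]@{
                Check  = 'DirectoryADS'
                Where  = $_.FileName
                Stream = $_.Stream
                Bytes  = $_.Length
            }
        }
}
# 2. Autorun values that reference a stream: a second colon after the drive
#    letter or %VAR% (C:\WINDOWS\System32:vqmnxl.dll) is never a plain file.
$streamRef = '(?i)(?:[a-z]:|%[^%\s]+%)\\[^:\s",]*:[^\s\\",]+'
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
        if ("$($p.Value)" -match $streamRef) {
            [pscustomobject]@{
                Check  = 'AutorunStreamRef'
                Where  = "$key\$($p.Name)"
                Stream = $Matches[0]
                Bytes  = $null
            }
        }
    }
}
```

Once the process that keeps rewriting the Run key has been stopped, a named stream found this way can be removed with Remove-Item -LiteralPath <directory> -Stream <name>; as the article notes, deleting the registry value first only gets it recreated.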