Trojan.FlashBlast

Recently, one system that I worked on was infiltrated by something that manipulated FlashUtil32_11_5_502_135_ActiveX.exe.  Being that it usurped a legitimate Flash component so that no one would be the wiser, I am leaning towards calling this a Trojan, hence the title.  If a Symantec Employee desires to amend the name, feel free to do so. 

 

Background Info:- On said computer, it looked as though an ad for something or another had been clicked on a list of Google search results. 

 

Symptoms:- Internet connectivity- pretty much zero.  CPU usage at a stubborn 25%.  Performing a full system scan with N360 in Safe Mode with Networking hung.  Interestingly, the programme reported three [3] threats but only resolved two [2] tracking cookies.  Next up, Malwarebytes’ Anti-Malware full scan turned up nothing.  Windows Defender- nothing.  Norton Power Eraser (NPE)- nothing malicious found.  Kaspersky’s TDSS Killer- not much better.  It revealed Akamai (part of Net Session), which I know to be benign.  This dastardly bugger even went under the radar (so to speak) of enhanced security measures in Win7 such as I.E.7’s Internet Protected Mode and system “change” warnings.

 

I attempted to “pin down” whatever it was by examining background processes/services in MSCONFIG.  I went under HKEY_LOCAL_MACHINE- Software- Microsoft- Windows- Current Version- Run to see if anything was lodged there.  No luck.  I then had the idea of leaving up Windows Task Manager (processes tab) whilst I.E.7 tried to connect.  That is where I discovered that FlashUtil32_11_5_502_135_ActiveX.exe would briefly load and then make a hasty exit.  So much so that I had to employ the Print Screen function to catch the sneaky devil.  Now I knew what I was dealing with.  Next came the question of where in the registry to properly purge this corruption.  For that, I had to utilise ComboFix.  ComboFix provided me with the framework required to correctly handle this situation.  I should have “zipped” the compromised Flash files in order for Symantec Employees to study the manner in which they were exploited; however, in my fervor, I was just “bent on” destruction of the maliciousness and nothing else.  If it is any consolation, I have attached before/after ComboFix logs. 

 

Please note- Once items pertaining to Flash were exterminated under the “Locked Registry Entries” section, that is when symptoms abated.  For example, Internet operating through Verizon FiOS would load pages quickly just like before infection, and CPU usage was no longer stuck at a stale 25% that would not budge.  These logs may only be crumbs from the Master’s Table; however, it is my sincere hope that Symantec Employees will be able to study them and potentially see to it that Flash entries are provided with more security in future updates for N360/ Internet Security. 

 

Please note also- Obviously, in this scenario, Flash had to be freshly re-installed.  Uncompromised FlashUtil32_11_5_502_135_ActiveX.exe will NOT appear then quickly disappear.  Rather, it will “stay up” in the background processes as was the case when I played a video on YouTube.

 

I must admit, after confronting this situation, I have about one-hundred [100] times more respect for the threat remediation Quads provides users of this forum on a consistent basis. 

 

Regards,

 

H.B.      
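One way to catch the appear-and-vanish process described in the first post without resorting to Print Screen, as an added PowerShell example that is not code from this thread or from Norton: it subscribes to WMI process start/stop events for the named helper, lists the Run keys the post searched by hand, and checks the Authenticode signature of every copy of that file under the Windows directory. It assumes an elevated prompt; the process name is the one given above and can be substituted.

```powershell
# Added example, not code from the thread: catch a process that starts and exits too
# quickly for the Task Manager view, list the usual autostart keys, and check whether
# copies of the helper on disk still carry a valid signature. Run from an elevated
# prompt; the process name is the one from the thread and can be substituted.
$target = 'FlashUtil32_11_5_502_135_ActiveX.exe'
$log    = Join-Path $env:TEMP 'proc-watch.log'

# WMI trace events fire on every start and stop, so even a very short-lived process is
# logged together with its parent PID, which shows what launched it.
$startQuery = "SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = '$target'"
$stopQuery  = "SELECT * FROM Win32_ProcessStopTrace  WHERE ProcessName = '$target'"
Register-WmiEvent -Query $startQuery -SourceIdentifier 'TargetStart' -MessageData $log -Action {
    $e = $Event.SourceEventArgs.NewEvent
    $parent = Get-Process -Id $e.ParentProcessID -ErrorAction SilentlyContinue
    $line = "{0:u} START pid={1} parent={2} ({3})" -f (Get-Date), $e.ProcessID, $e.ParentProcessID, $parent.ProcessName
    Add-Content -Path $Event.MessageData -Value $line
} | Out-Null
Register-WmiEvent -Query $stopQuery -SourceIdentifier 'TargetStop' -MessageData $log -Action {
    $e = $Event.SourceEventArgs.NewEvent
    $line = "{0:u} STOP  pid={1} exit={2}" -f (Get-Date), $e.ProcessID, $e.ExitStatus
    Add-Content -Path $Event.MessageData -Value $line
} | Out-Null

# The autostart locations the thread searched by hand, plus the 32-bit view on x64.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { "{0}  {1} = {2}" -f $key, $_.Name, $_.Value }
}

# The genuine Flash helper is Adobe-signed; a replaced or patched copy will not validate.
function Test-TargetSignature {
    param([string]$Name)
    Get-ChildItem -Path $env:SystemRoot -Recurse -Filter $Name -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            New-Object PSObject -Property @{
                Path = $_.FullName; Status = $sig.Status; Signer = $sig.SignerCertificate.Subject
            }
        }
}
Test-TargetSignature -Name $target | Format-Table -AutoSize
```

Start and stop lines accumulate in %TEMP%\proc-watch.log while the session stays open; run `Unregister-Event -SourceIdentifier TargetStart, TargetStop` when finished.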

Well, as you have already run ComboFix, you will have assessed the likelihood of getting support now from the one you named.

 

The purpose of my post is not to muddy the waters but to introduce you to Autoruns, which you can download from the Microsoft tech site. With Autoruns you can quickly see what is running and disable and re-enable far more easily than with msconfig.

Hello Mr. Goldman,

 

How are you?  No, no, you have not “muddied the waters” (so to speak) at all.  Always feel welcome to post on any of my threads and I will do my best to get back to you.  With the holidays, it has been a little hectic, however.  It is an honor to hear from another forum Guru.  Usually, I hear from SendOfJive, Mr. Hugh, and Mr. Richard Evans. 

 

Believe it or not, I did run autoruns brought to us by Sysinternals, the same people behind Rootkitrevealer.  I wasn’t overly impressed with the interface, however.  Maybe I’m in the minority, but, it seems a little cluttered?  Ideally, back in the day, I used to love running Norton’s VRQ Tool.  However, now it prompts for an authorisation of some sort?  I’m not sure if that was always the case.  I could swear I remember running it (outside of Symantec’s jurisdiction) without being annoyingly prompted for a code.    


Hammer_Bro wrote:

Hello Mr. Goldman,

 

How are you?  


I'm ok as long as I keep taking the pills (ha ha)

Glad you found Autoruns; sorry the interface is perhaps not for everyone, and if unfamiliar then perhaps best left alone, because like registry editors you can do a lot of damage very easily. On the other hand it often helps to find what is being loaded under logins, and it's all in one place rather than having to trawl the registry.

 

Anyway, good luck in resolving any outstanding issues.



Hi,

I have some sites that can help you remove this:

http://forums.whatthetech.com/index.php

http://support.emsisoft.com/forum/6-help-my-pc-is-infected/

http://www.bleepingcomputer.com/

http://www.cybertechhelp.com/forums/

http://www.geekstogo.com/forum/

Hello Mr. Thomas,

 

I would like to thank you for providing the links to the other respected technological forums.  Rest assured, I surveyed other forums’ intel where applicable.  Some speculated that it was Google re-direct malware, while others held that it was Trojan.Agent.  I say “FlashBlast” insofar as it compromised Flash.  I have seen it before where different security companies recognise threats (most likely the same) by alternate names.  For example, Stuxnet is recognised by Symantec as W32 Flamer.  I also have an appreciation for TechRepublic, seven, and msdn forums.  Fortunately, this issue has been resolved; this post is to raise awareness, hopefully so that Norton’s security line will be amended.     

Quote:

 

"For example, Stuxnet is recognised by Symantec as W32 Flamer"

 

FALSE, better luck next time

 

Symantec products "recognise" Stuxnet as W32.Stuxnet in the definitions (before July 19th 2010 as W32.Temphid; the definitions were updated and it was renamed after that).

 

Duqu as W32.Duqu

Flamer as W32.Flamer

Narilam as W32.Narilam

Gauss as W32.Gauss

 

Quads

 

 

Hello Quads,

 

For whatever reason, in my mind, I thought that Stuxnet was addressed on this thread: http://community.norton.com/t5/Tech-Outpost/quot-Flame-quot-Virus/td-p/727218 thus the connexion with W32 Flamer.  Clearly, upon re-review of the aforementioned link, Stuxnet was NOT the focus.  I apologise for any confusion; it was not my intention to cast misinformation. 

 

Despite the example, my main point still remains that the same threat can be referenced by different titles depending upon which Internet Security programme you employ.  Interestingly enough, I came across an article documenting Flame code found in Stuxnet, please see: http://www.reuters.com/article/2012/06/12/us-media-tech-summit-flame-idUSBRE85A0TN20120612

 

Thank you for correcting the record.

 

Have a prosperous 2013,

 

H.B. 



Whoops, sorry about that, I guess I misread your form.

 

 

And you're most welcome.

Hello again Mr. Thomas,

 

No need to worry!

 

Wishing you the best in 2013,

 

H.B.