Unable to remove this spreading threat - infected

Hi all

 

I was testing out some newly reported malware and came upon this almost brand new but apparently rapidly spreading threat earlier today. I ran the .exe file on a test machine, which as usual is running NIS09, and was immediately infected. It seems to bypass SONAR almost effortlessly, yet drops rootkits into Windows system32.

 

I have posted some logs below. Note, Malwarebytes picks up the infected registry keys, but they return on reboot. Virus Total today reports that 8/36 of their listed vendors have just added definitions for the .exe file; Norton and Kaspersky have not yet picked up the threat, however I have uploaded the file to both for analysis and am awaiting a response.

 

These are the tracking numbers from Symantec Security Response:

 

Symantec Security Response Automation: Tracking #10006864‏

Symantec Security Response Automation: Tracking #10006869‏

 

Note that a full Norton scan comes up clean, with aggressive heuristics, and HijackThis logs are also clean. The symptoms of the infection are rogue advertisements coming up in IE, as a result of redirection after waiting for a typed URL to load.

 

Here are the logs from Malwarebytes and the result from Virus Total, I was hoping someone may be able to shed some light or help find some removal tips for this nasty infection.

 

Look forward to any suggestions.

 

Thanks

 

Virus Total: Link.

 

Malwarebytes Log:

 

31/10/2008 9:41:04 PM
mbam-log-2008-10-31 (21-40-59).txt

Scan type: Full Scan (H:\|)
Objects scanned: 64918
Time elapsed: 19 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.210 85.255.112.67 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce50f76f-2cf6-47a1-a110-86b21ec499af}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.210 85.255.112.67 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.210 85.255.112.67 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{ce50f76f-2cf6-47a1-a110-86b21ec499af}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.210 85.255.112.67 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.210 85.255.112.67 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{ce50f76f-2cf6-47a1-a110-86b21ec499af}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.210 85.255.112.67 -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Message Edited by johna on 10-31-2008 10:59 PM
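The Malwarebytes log above is worth reading closely rather than just counting the six hits: every flagged item is the same value name, DhcpNameServer, under three control sets (CurrentControlSet, ControlSet001, ControlSet003), and every one carries the same two resolver addresses. DhcpNameServer is the value the Windows DHCP client writes from the lease it receives, which is one reason a value can reappear after a reboot even when a scanner has cleared it. The script below is an added example, not code from this thread or from Malwarebytes: it parses the "Registry Data Items Infected" lines exactly as they appear in the log, flags any resolver that is not on an administrator's expected list, and reports which control sets each resolver appears in. The expected-resolver list (192.168.1.1) is a constructed placeholder for the site's real DNS servers; the embedded log text is the six lines from the post, copied in as a constructed sample so the script runs offline.

```python
"""Parse a Malwarebytes (MBAM) log and flag DNS-resolver registry entries that
point at resolvers the administrator did not configure.

Added example, not from the thread or from any vendor.  SAMPLE_LOG is the six
"Registry Data Items Infected" lines from the post, embedded as a constructed
sample; EXPECTED_RESOLVERS is a constructed placeholder for the site's real
resolvers.
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE_LOG = r"""Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.210 85.255.112.67 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ce50f76f-2cf6-47a1-a110-86b21ec499af}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.210 85.255.112.67 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.210 85.255.112.67 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{ce50f76f-2cf6-47a1-a110-86b21ec499af}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.210 85.255.112.67 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.210 85.255.112.67 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{ce50f76f-2cf6-47a1-a110-86b21ec499af}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.210 85.255.112.67 -> No action taken.
"""

# Placeholder: replace with the resolvers your DHCP server is supposed to hand out.
EXPECTED_RESOLVERS = {"192.168.1.1"}

# One MBAM "Registry Data Items" line: <key path> (<detection>) -> Data: <data> -> <action>
ENTRY_RE = re.compile(
    r"^(?P<path>HKEY_\S+) \((?P<detection>[^)]+)\) -> Data: (?P<data>.*?) -> (?P<action>.*)$"
)


def parse_registry_data_items(log_text):
    """Return one dict per matching log line; non-matching lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        key, _, value_name = m.group("path").rpartition("\\")
        parts = key.split("\\")
        # SYSTEM\<control set>\Services\... : record which control set the hit lives in
        control_set = next(
            (p for p in parts if p == "CurrentControlSet" or p.startswith("ControlSet")),
            None,
        )
        resolvers = []
        for token in m.group("data").split():
            try:
                resolvers.append(ipaddress.ip_address(token))
            except ValueError:
                pass  # MBAM data fields are not always IP lists; ignore other tokens
        entries.append({
            "key": key,
            "value_name": value_name,
            "control_set": control_set,
            "detection": m.group("detection"),
            "resolvers": resolvers,
            "action": m.group("action"),
        })
    return entries


def find_rogue_resolvers(entries, expected_resolvers):
    """Flag NameServer / DhcpNameServer entries carrying a resolver not in the expected set."""
    expected = {ipaddress.ip_address(r) for r in expected_resolvers}
    flagged = []
    for entry in entries:
        if not entry["value_name"].endswith("NameServer"):
            continue
        rogue = [ip for ip in entry["resolvers"] if ip not in expected]
        if rogue:
            flagged.append({**entry, "rogue": rogue})
    return flagged


def resolvers_by_control_set(entries):
    """Map each resolver address to the set of control sets it was found under."""
    seen = defaultdict(set)
    for entry in entries:
        for ip in entry["resolvers"]:
            seen[str(ip)].add(entry["control_set"])
    return dict(seen)


if __name__ == "__main__":
    parsed = parse_registry_data_items(SAMPLE_LOG)
    for hit in find_rogue_resolvers(parsed, EXPECTED_RESOLVERS):
        source = "DHCP-assigned" if hit["value_name"] == "DhcpNameServer" else "static"
        print(f"{hit['control_set']}: {source} resolvers {hit['rogue']} ({hit['detection']})")
    for ip, control_sets in resolvers_by_control_set(parsed).items():
        print(f"{ip} present in {sorted(control_sets)}")
```

The value name is the check a practitioner cares about: a rogue address in NameServer is a static setting the malware wrote, while a rogue address in DhcpNameServer was delivered by whatever answered the machine's DHCP request, so clearing the registry value alone is not enough and the lease source needs checking as well.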

Removal instructions for Trojan.Flush.K: http://www.symantec.com/security_response/writeup.jsp?docid=2007-011811-1222-99&tabid=3; look in the "Also Known As" and the Note in the Summary Page. Looks like Symantec already have this covered.

 

If I am incorrect about the Threat Name - because different A.-V. Companies have different names for different Threats - let me know.

Message Edited by Floating_Red on 10-31-2008 01:03 PM

Thanks Floating_Red

 

I had previously found that particular document, however, it does not help to remove this particular variant. Interestingly, the threat would normally have been shot down by auto-protect if it was going to be picked up in the first place, but wasn't.

 

One of the reasons for my concern was how easily the infection got around SONAR, whilst still managing to corrupt running software, and drop malicious files into Windows system 32.

 

Thanks for the reference.

Message Edited by johna on 10-31-2008 11:16 PM

Auto-Protect does not always Detect Threats on the computer as it only Scans the Files with which you are using, as I am sure you know; in that case, I would suggest you do a Full System Scan with Norton if not already done so?

 

Also, you do not say if you have Scanned in Safe Mode with Updated Virus Definitions.

 

You're welcome.

Message Edited by Floating_Red on 10-31-2008 01:10 PM

Hi FR

 

I did scan in Safe Mode with updated defs. The infection actually knocked NIS09 out completely, I had to reinstall it.

 

Thanks

Message Edited by johna on 10-31-2008 11:20 PM

Hello, johna,

With what Products did you do the Safe-Mode Scan?

Message Edited by Floating_Red on 10-31-2008 01:22 PM

Hi FR

 

Windows One Care, Kaspersky Virus Removal Tool, NIS09, Malwarebytes' Anti-Malware and a couple more tools which did not help.

 

Windows One Care got rid of the system 32 corruptions, (interestingly it is one of the few vendors in the Virus Total list which even recognizes this new threat), which allowed me to get back into normal mode. Malwarebytes was the only other scanner which picked up the registry infections causing the DNS corruptions, but they reappeared on reboot.


johna wrote:

Windows One Care, Kaspersky Virus Removal Tool, NIS09, Malwarebytes' Anti-Malware and a couple more tools which did not help.


Were all these Full Scans, yes, and done in Safe Mode, yes? Sorry for asking again; just want to be totally sure.

Hi FR

 

Indeed the scans were all performed in Safe Mode with updated definitions and enhanced heuristics where available. Along with this I used some other removal tools but there seems little known about this threat for the time being. 

 

As I said earlier, my main concern was how easily it got around SONAR when executing itself, (even to the point of disabling NIS09), which is usually trusted as a backup when auto-protect fails to pick up potentially malicious malware.

 

Thanks again.

Message Edited by johna on 10-31-2008 11:52 PM

Hi, johna,

Why not give Norton AntiBot a go? Might be worth a try although N.I.S. 2009 has Anti-Bot Protection...

 

Have you looked in the History to see if there is any indication what this might be and where it may be Attacking your computer?

Hi FR

 

There is nothing in the history as NIS09 has not detected anything malicious. All firewall logs are normal.

 

Would you know, I have had to go back into Safe Mode with network drivers even to get onto the internet.

 

Here is the latest screenshot of Malwarebytes scan, (just performed in Safe Mode):

 

[Screenshot MWB4: Malwarebytes scan results, Safe Mode]

 

Thanks

 

 

Message Edited by johna on 11-01-2008 12:34 AM

What time and what Date did you Submit the Files to S.S.R., e.g. Friday, October 31, 2008; 0700?

 

What other Removal Tools did you try?

 

This is a nasty Trojan and it is spreading like wildfire as it has only been on your system for at least a few hours!

Message Edited by Floating_Red on 10-31-2008 02:35 PM

About eight hours ago.

AntiBot may work for this particular threat. Interestingly, I had 2 instances of Trojan.DNSchange and 2 Rootkit.DNSchange detected by MalwareBytes Anti-Malware. It was removed. N360 also detected it and said it was "fixed", however MalwareBytes still detected them.

 

However, I recommend that you use a-squared antimalware to resolve this threat and to stop installing other security software, which could have been behind "knocking Norton out completely". 

 

 

Have you tried SuperAntiSpyware? It's actually more powerful than MBAM.

Hi Johna,

 

Can you provide some detail on how exactly you "tested this newly reported malware"? SONAR is a behavioral system and is tuned to detect malware that gets onto the machine through the "natural process" of using the internet. That is, it gets on the machine via clicking a link in an email, on a web page, drive-by download etc. Sometimes, behavioral characteristics of the "test" don't match those of the real world and hence the engine doesn't pick it up.

 

Hence some specific questions:

- How did you download the exe? Through email? Web? etc.

- Where did you save it to and where did you run it from?

- How did you run it? Just double-clicked it?

Yes, you will want to execute the file to exercise SONAR's capabilities.


Tech0utsider wrote:
Yes, you will want to execute the file to exercise SONAR's capabilities.

 

Hi Tech0utsider,

 

I would not advise this. You should never execute or purposely run a file you know is malicious. While you are protected with Norton Security, a lot of staying free from infection is to practice safe surfing habits and to avoid known threats. 

Whether it is malicious or not is questionable. If you know it is malicious, how come Norton can not figure it out?

Hello Tech0utsider,

 

I'm not questioning that you would be protected. I'm fully confident in the layered protection in NIS to keep you secure. You could always submit the sample to Symantec to have it analyzed if the file was questionable.