
1. My Internet Explorer is flagging Auctiva as malware, is this a known issue?

The presence of malware on the Auctiva servers became a known issue on Thursday morning. This caused Google to flag Auctiva as a dangerous site. Our Systems Engineers identified the location of the malware and immediately began working to isolate the infected servers and resolve the issue.
On Monday the 23rd Auctiva.com was taken offline temporarily as we rebuilt a portion of our server network. In the early morning hours of Tuesday the 24th, we brought Auctiva.com back online with a reduced number of servers, and are in the process of adding more to our network to improve site speed.
During the period the site was offline, Auctiva Checkout, and our users’ scheduled listings, images, templates and scrolling galleries remained available in eBay listings.

2. What is the malware that caused the problem?

The trojan that had infected some of Auctiva's servers, called Adclicker, is classed by security specialist Symantec as a "very low risk". It is programmed to drive artificial traffic to certain websites. It is used by malicious hackers to boost clicks to online advertisements or inflate web statistics for monetary gain.

3. Is it ok to log into Auctiva?

Yes, it is safe to navigate the Auctiva.com site. As of Tuesday, the 24th, Auctiva.com was brought back online. Google has rescanned our site and given it a clean bill of health. Google works with an organization named StopBadware.org to warn users about potentially malicious websites that are infected with viruses and Trojans.
“We were committed to bring Auctiva.com live only when we were confident that we could provide the same level of safety and security that we have provided to our customers over the last 10 years,” says Kevin Kinell, VP of Engineering. “We took the appropriate and responsible corrective action. Normal operation has since been restored and there is no risk to users visiting any portion of the auctiva.com site.”

4. Should I list with Auctiva?

You should absolutely list with Auctiva. Auctiva has over 10 years of experience in the online marketplace. With hundreds of thousands of registered users, Auctiva remains a trusted eBay partner posting millions of eBay listings every month.

5. What listings are infected?

Specific listings were not “infected”; rather, listings that were available from Thursday afternoon through Saturday morning and that included a supersized image from Auctiva could have spread the malware. It was necessary for the user to click on the supersized image, which directs the user to the Auctiva server, to be exposed to the malware.

6. Do we need to regenerate tokens?

Users do not need to regenerate tokens. However, it is best practice to change your passwords to any internet site you use on a regular basis. This would include updating your Auctiva and eBay password. If you update your eBay password, you should then also regenerate your token.

7. Is my checkout affected?

No. The servers housing the checkout were not affected with the malware.

8. Can buyers be affected?

Buyers are no longer affected in any way. However, if a user clicked on an Auctiva supersized image during the period between Thursday afternoon and Saturday morning, it is possible they would have been infected. If they were using the latest version of reputable antivirus software, they would have avoided contamination.

9. Are Daily Deals affected?

Daily Deals could have been affected in the same manner as any listing between Thursday afternoon and Saturday morning. If a user clicked on an Auctiva supersized image during the period between Thursday afternoon and Saturday morning, it is possible they would have been infected. However, if they were using the latest version of reputable antivirus software, they would have avoided contamination.

Hi Community,

We have received reports from several customers who believe they may have been infected with a virus when the Auctiva.com site was infected within the last week, and we have asked one of our engineers with experience in this area to compile a list of things that may help and have posted that information below. We cannot guarantee this information will help everyone who may have been affected in this manner and we assume no risk or liability for providing this information, so it is up to you to decide whether you would like to try what is being mentioned here. If this information helps even one customer, the effort required to compile it will be worthwhile.

One of the problems most of you may have noticed is that even after your anti-virus software says your computer is clean, you keep getting messages that you have been re-infected. This is not what is happening (technically it is, but not in the way you might think). The problem is that most of the anti-virus programs out there do not know the originating file for the virus yet; there are only 3 known versions that are currently detecting and removing the host-virus files. When your current software detects the files, it is detecting “distraction” files to make you think the machine is clean, and these files are generated by the host-virus. In order to completely clean the machine, you will need to locate and remove the host-virus files and all of their associated components. It is more important to remove the host file so that it does not re-generate itself, which will give you time to back up your files, gather your software licenses and get your computer the latest updates or re-install your operating system (not a re-format, a re-install to replace files that may have been deleted or lost to the virus). The tools below are listed in the order in which you will need to use them, depending on how complex things get for removing the infection.

Before doing anything here, you should try to restore to a previous point in time (if you are using Windows XP) using the System Restore functionality, and that point in time should be prior to the day you first recognized the infection. Most of the time, this will fix the problem or at least get things good enough for you to run the other programs and remove any remnant files. If you still have the infection, you’ll need to start with the tools below to get started. The links provided here are from highly trusted sources that you can independently verify.

Tools that you will need or want to have

1. There are only 3 programs right now that are detecting and removing the host files (choose one):

a. Avast Anti-Virus
b. Sophos
c. VBA32

Again, the files that the other anti-virus programs are currently detecting are the “oil slick” for the anti-virus programs to make you believe the files have been removed. Usually, this is not the case and the above 3 programs are the only ones currently identified as having the definitions to remove the file where the other files are originating from. Some of the variants of this infection are called (this will help with Googling):

a. Mal/Dropper-AE
b. Troj/Agent-IWW
c. Mal/Generic-A
d. Trojan.Rincux.AW
e. Win32:Refpron
f. Trojan_Gamethi.eal
g. Trojan_WoW.cs
h. Trojan_GameThief.AW

2. HijackThis – This software is completely free and is the industry standard for identifying files, processes and registry keys that should not be there. A majority of the time, you will not see these items in the standard views within Windows or Task Manager, so you’ll have no idea that they are even there. This software identifies, with incredible precision, those items that you will not recognize and assists in the process of removal.

3. Blacklight by F-Secure – this software is a free Root Kit detection program. A Root Kit is a set of files and programs designed to hijack your entire computer and the majority of virus and malware sites use this to further inject things into your computer or capture your data. Blacklight is free and is used to detect and remove a root kit if you have one. There are others out there, but this one has never let me down and I highly recommend it.

4. Combofix.exe – This is a very reputable program for removing malware/spyware/virus software and may be a little advanced for most, but it has the highest effective kill rate of malicious software, including most root kit detection. If you are serious about getting rid of your problem, you will need this utility to do it.

5. ProcessExplorer (SysInternals) – This software is very popular in the business computing world… it helps find rogue processes running on your computer that shouldn’t be and is a good tool for identifying things that don’t show up in the Task Manager or other common places. It is currently hosted and maintained by Microsoft.

6. Microsoft Recovery Console – this is not required for Combofix to work, but definitely recommended for recovering a fatal crash on your computer and it can save you when your system restore point is corrupted. Combofix will automatically download this for you if you require it.

7. SmitFraudFix – This is also a well-known hacker-unfriendly application that identifies a huge variety of malware/spyware/virus and removes them. This is more effective for some of the older malicious software that has been resurrected and some of the more recent variants, but has worked in cases when other software didn’t.

For all of these programs, you can do your own independent research and make a decision to use them or not, but they are all free and have worked in every instance thus far for removing infections.

Steps to Detect/Prevent/Remove Malicious Files

These steps MUST be followed in the order that is explained here or there will be much less certainty of cleaning your computer. Please make sure you print this out and that you understand the steps. If you do not understand them, there is a list of resources below that will further explain things for the individual pieces listed here.

1. NUMBER ONE – GET ALL MICROSOFT UPDATES BEFORE ANYTHING ELSE! The key to getting infected or hacked is not having the updates that Microsoft specifically puts out to safeguard against these kinds of attacks. In most cases, when an exploit has been identified, Microsoft will patch it fairly quickly. This is 95% of how people get infected; the other 5% is people who are insane enough to have no anti-virus or anti-spyware software on their computers while they surf the internet. If you can’t get the updates online, you will need to download them to a thumb drive or burn them to a CD and install them.

2. Now that you have the operating system updates, make sure you’ve downloaded the tools and printed the directions here. You should now run a complete scan of your machine using one of the anti-virus programs mentioned above. This has a higher degree of success in removing the infected files than manually going through the steps to do it yourself. Even after a full scan, you will probably want validation of the removal by following the manual steps. If your anti-virus software does not detect the programs that are running, you will need to go on to the next step. If it does, remove the infected files and restart the computer. Do another full scan to verify that the computer is clean after reboot. To be safe, you should do one more scan within a 24-hour period since some infections will “sleep” for a period of time to increase their chances of not being detected.

3. Go to www.opendns.com and follow the steps for signing up there. It is 100% free and keeps a current list of malware/spyware/virus websites which will automatically plug in to your computer’s DNS lookup or home router (or DNS servers if you are a business) and BLOCK all of these sites so that you cannot access them, intentionally or otherwise. It puts a layer of prevention and protection on your computer that is almost impossible to beat. It has incredible benefit and is used by millions of people and businesses. If your computer tries to go to a known infected site/address for any reason, your browser will display a re-directed page to opendns.com and not allow you to become infected. Before doing anything else, I recommend this because if requests are going out to the internet from your computer without you knowing it, and they are downloading more malicious software, then this service will prevent it the minute you complete the set up process. It will ensure that you aren’t allowing anything else through the internet to get to your machine (providing it has been identified as a known malicious site). Again, it is added protection that is free. After setting this up, go to the next step. At this point, you have taken the biggest steps in preventing further infection, but now you have to contend with the one you have.

4. Open up the ProcessExplorer software and keep it open so that you can monitor any processes that are running (usually within svchost.exe). You will want to look for processes that are not part of any programs you recognize or do not have the same properties as the other processes (such as Microsoft specific properties). This can sometimes be hard to detect, but if you leave it open while going through the next steps, there is a chance you can find the process or file that the virus is running from. From there, you can make much more progress at removing dependent files that it creates or uses. If you don’t see anything in this program or don’t understand how it works, just move on to the next step.

5. Do a search in Windows for all files that have been modified in the past few days since you were infected. The list should include only files that you know have been changed. Anything else, you will want to put into a list of some sort and keep it handy because you will likely need to come back and clean up these files once you’ve found the host that is creating them. More detailed information on what kinds of files to look for, names, locations, etc. can be found below. Once you have the list of all files modified since your infection started (or slightly before), you can start looking for patterns between the files that help identify whether they are associated with a known infection, and you can google the names of them to see if anyone else knows. This helps narrow down looking for the needle in the haystack.

a. The following files are known to be host-infection files for the more common type of infection that people are infected with:

i. Msrstart.exe
ii. Nxtepad.exe
iii. Afisicx.exe
iv. W.exe

b. If any of the above files show up on your computer, you are likely infected. These will reside in the System32 folder and you can check the properties of them to see if they are related.

6. Open HijackThis and run a full scan of your system. Usually, the report from this can be shared with forums and communities to identify the culprit for infections (there are experts that are very familiar with this). These reports can sometimes be very long, so posting them into this Auctiva community for review is not recommended. The log file from HijackThis will reveal a lot of information about what is running on your computer that you might not even be aware of. Using this log, experts in this area can further assist you. Identify anything in the list that is not familiar to you.

DO NOT take action on this list yet; we will return to that in another step. The things to be particularly suspicious of are anything located in the registry in the “****/Software/Microsoft/CurrentVersion/Run” sections. This is the most common place for a virus to execute from because it will run every time you start Windows, so even if you get the contaminating files, the one referenced in this area is usually the originating infection so that it can re-infect the computer after a reboot, even after a virus scan comes up clean. You should compare this with the next step to determine if this is the case and especially be looking for any of the files mentioned in the previous step.

7. In Windows, go to Start -> Run and in the box that comes up, type in “msconfig” and enter. The screen that comes up will have tabs at the top of it and you will want to look in the “Services” and “Startup” tabs for items that do not match installed software or bear a Microsoft or verifiable signature. The suspicious items will usually not have a directory location for the files listed, or they will be running out of the “Windows\System32” folder. This is the common place where these types of infections linger and wreak havoc on the operating system. There are some files in this folder that should run at startup from the system folder as part of the operating system, but they will usually have a reference to a program that you’ll recognize. In some very rare cases (depending on the variant of the virus), they can mask themselves as legitimate programs, but in those circumstances the anti-virus software is pretty good about catching them. What you are looking for in this list is anything suspicious but more importantly, anything that is suspicious AND matches an entry from HijackThis or is listed as one of the known malicious files of this virus. Those will be the areas of focus. The file listed in msconfig under the “Startup” section will likely reside in system32, so you’ll want to open up that folder for the next step.

8. If at this point, you have identified something that you think may be the root infection, you will need to validate it prior to doing any kind of removal. The first and best thing to do is to Google the file and see if it is known to be part of Windows or other known software. If not, go to the location where the file(s) exist. Make sure you are able to view hidden files and system files by going to “Tools -> Folder Options -> View tab” and checking those off in the list. This will allow you to see files that are hidden by default, which is where infections like to stay hidden but still might not be visible to you. Once you can see the file, you should right-click on the file and go to “Properties”. In most cases, you should see detailed information about what that file belongs to. Usually, for the majority of products, there is author, copyright, version, etc. information. If it is a malicious file, it will rarely contain any of these features. If you have successfully identified one of the files to match this type of profile, you will need to remove them. This is not as simple as just deleting the file; there are several steps that will need to happen. What is important is that you document the names of the files that you suspect, the locations of those files, any registry keys associated to those files and any information you may have gained from the above steps that can assist you or someone else trying to help you.
NOTE: Make sure you back up any important files before attempting to delete system files!

9. Boot into Windows Safe Mode by pressing the F8 key repeatedly while Windows is loading. This will bring you to a loader that will give you a selection to choose from. You’ll want to choose “Safe Mode” or “Safe Mode w/Networking” if you will need to access the internet for any reason. If asked to continue to stay in Safe Mode, click “Yes”.

10. At this point, you will want to run the Combofix.exe utility. Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix! Please visit HERE if you don't know how to disable them. You should not be running any programs or doing anything on the computer while this runs. Follow the instructions when running this program. It will reboot your computer to finalize the cleaning, so you must log back in to safe mode when rebooting by pressing F8 again on reboot. After the reboot, it will finish and write out a log file. You will need to save this log file, similar to saving the HijackThis log. You should keep all log files and records of what you are doing in one place. If someone asks you for this file, you’ll want to send it to them for analysis to see what was removed in case anything was a Windows component that needs to be replaced. In some cases, it also resets the clock in Windows, which can be a little annoying, but it doesn’t happen to everyone.

11. After Combofix.exe has completed, you’ll want to run Blacklight again to make sure there is no Root Kit on the computer. It should come back clean, but if not, it will remove it providing it finds it. After getting rid of any root kits that could be there, do a full anti-virus scan again. All of this should be done in Safe Mode because nothing external will be running. This is important because if you scan clean, but show re-infection after a restart, it means that the original host file made copies of itself or is still lingering when booting up. If you found a malicious file previously, you’ll want to check to see if the file is still there after the Combofix utility ran. If it was not removed, chances are that the utilities will not catch it (this happens if it is a very very new variant of infection that hasn’t had time to be identified by the people who maintain these programs). This is where things get much more advanced and difficult, but not impossible. With a few simple utilities and basic knowledge, you can resolve the problem yourself but you will need to have some patience and it would help to have an uninfected computer to browse the internet with. If the files that you were originally suspicious of were removed by Combofix, there is a good chance you are infection free.

12. Run another HijackThis scan and compare it to the original scan paying specific attention to the suspicious files or registry keys. Again, you want to see that they were removed from the list. If not, you will need to try these steps again before attempting a more advanced fix.

13. Reboot your computer normally, providing that the HijackThis log looks clean, that your anti-virus software produced a clean scan and that the Root Kit detection was clean. At this point, you are ready to verify that the infection is gone by booting into Windows normally and seeing if any of the removed files re-appear. Now that you are in Windows normally, you’ll want to do one last final scan using all of the above mentioned products. If those scans do not show infection, then there is a fairly high degree of confidence that you are infection free.

If these basic steps above haven’t helped you, here is a lot of additional information that can be used to step through an advanced manual removal process as well as some other helpful resources:

http://novirusthanks.org/blog/?p=994 - specific to variants of virus discussed here

http://novirusthanks.org/blog/?cat=35 - list of detections and workarounds for other infections

http://support.microsoft.com/kb/307654 - installing the ms recovery console

http://mvps.org/winhelp2002/hosts.htm - hosts file that blocks all known ad sites and malicious sites

http://www.threatexpert.com/re...1a47ff208ef47a348f27 – info on infection

http://www.prevx.com/filenames...1/MSRSTART2EEXE.html - info on infection

http://download.bleepingcomput...om/sUBs/ComboFix.exe - download Combofix (trusted)

http://www.download.com/Trend-...8022_4-10227353.html - download HijackThis (trusted)

http://www.bleepingcomputer.co...sources/link243.html - download SmitFraudFix (trusted)

http://download.sysinternals.c.../ProcessExplorer.zip - download ProcessExplorer (trusted)

ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe - download BlackLight from f-secure

http://www.bleepingcomputer.com/forums/forum22.html - spyware removal forums

-Mike
Last edited by auctivamiked
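Added example, not part of Mike's post or of any tool it links: the manual checks from steps 5 through 8 (known host-file names, Run-key entries launching an unattributed file from System32, missing author/copyright/version information, modification since the infection was noticed) written as a scoring function over a startup inventory. The record shape, the scores and the sample inventory are our own; the first two sample entries mirror registry lines quoted later in the thread, and the "noticed" date is a placeholder.

```python
"""Score autostart entries against the triage criteria given in steps 5-8 of the post."""
from dataclasses import dataclass, field
from datetime import datetime

# Host-infection file names listed in step 5a of the post.
KNOWN_HOST_FILES = {"msrstart.exe", "nxtepad.exe", "afisicx.exe", "w.exe"}
# Autostart location the post singles out in step 6 (HKLM or HKCU).
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
# Score at or above which the post says: validate and document before removing.
SUSPICIOUS = 3


@dataclass
class StartupEntry:
    """One autostart item as transcribed from msconfig/HijackThis (our own record shape)."""
    name: str               # value name under the Run key
    path: str               # file the value launches
    registry_key: str       # key holding the value ("" if not from the registry)
    has_version_info: bool  # author/copyright/version shown in file Properties (step 8)
    modified: datetime      # last-modified time from the step 5 file search


@dataclass
class Finding:
    entry: StartupEntry
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS


def file_name(path: str) -> str:
    """Bare lower-case file name, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(entries, infection_noticed: datetime):
    """Score every entry and return findings highest-first.

    infection_noticed is the day symptoms were first seen; step 5 says to look at
    files modified since then (or slightly before)."""
    findings = []
    for e in entries:
        f = Finding(e)
        name = file_name(e.path)
        in_system32 = "\\system32\\" in e.path.lower()
        from_run_key = e.registry_key.lower().endswith(RUN_KEY_SUFFIX)
        if name in KNOWN_HOST_FILES:
            f.score += 3
            f.reasons.append(f"{name} is a known host file for this infection (step 5a)")
        if from_run_key and in_system32 and not e.has_version_info:
            # The combination the post calls out: runs at every boot, lives in
            # System32, and carries none of the vendor information legitimate files have.
            f.score += 2
            f.reasons.append("Run-key entry launching an unattributed file from System32 (steps 6-8)")
        elif not e.has_version_info:
            f.score += 1
            f.reasons.append("file has no author/copyright/version information (step 8)")
        if e.modified >= infection_noticed:
            f.score += 1
            f.reasons.append("modified on or after the day the infection was noticed (step 5)")
        findings.append(f)
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed inventory: the first two entries mirror registry lines quoted later in
# this thread; the third is a benign placeholder application.
SAMPLE_INVENTORY = [
    StartupEntry("Explorer", r"C:\WINDOWS\system32\msrstart.exe",
                 r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                 has_version_info=False, modified=datetime(2009, 2, 22)),
    StartupEntry("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe",
                 r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
                 has_version_info=True, modified=datetime(2004, 8, 4)),
    StartupEntry("ExampleUpdater", r"C:\Program Files\Example\updater.exe",
                 r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                 has_version_info=True, modified=datetime(2008, 11, 3)),
]
NOTICED = datetime(2009, 2, 19)  # placeholder: the day symptoms were first seen

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY, NOTICED):
        flag = "SUSPICIOUS" if finding.suspicious else "ok"
        print(f"{flag:10} {finding.score}  {finding.entry.path}")
        for reason in finding.reasons:
            print(f"             - {reason}")
```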
Additional Information:

File Behavior

MSRSTART.EXE has been seen to perform the following behavior:

• Executes a Process
• This Process Deletes Other Processes From Disk
• Registers a Dynamic Link Library File
• This process creates other processes on disk
• Copies files
• Looks at the contents of the autoexec.bat file
• Reads email address and phone book details
• Uses DNS to retrieve the IP address for web sites
• This Process is a file infector which modifies program files to include a copy of the infection
• Changes to the file command map within the registry
• Adds a Registry Key (RUN) to auto start Programs on system start up
• Violates Windows/Vista Physical Memory Protection allowing it to look inside the data areas of other programs
• Terminates Processes

MSRSTART.EXE has been the subject of the following behavior:

• Added as a Registry auto start to load Program on Boot up
• Copied to multiple locations on the system
• Executed as a Process
• Registered as a Dynamic Link Library File
• Created as a process on disk
• Changes to the file command map within the registry

File Name Aliases

MSRSTART.EXE can also use the following file names:

• TPSZXYD.SYS
• NXTEPAD.EXE
• 07409245.SYS
• 81244974.DAT
• 64063935.DAT
• TMP0_401322499073.BK

Filesizes

The following file size has been seen:

• 376,320 bytes
• 241,152 bytes
• 375,808 bytes
• 259,584 bytes

Vendor, Product and Version Information

Files with the name MSRSTART.EXE have been seen to have the following Vendor, Product and Version Information in the file header:

• Vendor: (none); Product: (none); Version: 2.0.1.154
• Vendor: (none); Product: (none); Version: 2.0.1.162
• Vendor: (none); Product: (none); Version: 2.0.1.151
• Vendor: (none); Product: (none); Version: 2.0.1.152
• Vendor: (none); Product: (none); Version: 2.0.1.166

File Type

The filename MSRSTART.EXE refers to many versions of an executable program.

File Activity

One or more files with the name MSRSTART.EXE creates, deletes, copies or moves the following files and folders:

• Copies file c:\windows\system32\urlmon.dll to c:\docume~1\user\locals~1\temp\mtaw72598.dll
• Opens/modifies c:\autoexec.bat
• Moves c:\windows\system32\udxfytw.sys to c:\windows\system32\tmp0_312103509098.bk.
• Moves c:\windows\system32\tmp0_312103509098.bk to c:\windows\system32\udxfytw.sys
• Deletes c:\windows\system32\tmp0_312103509098.bk.
• Creates c:\windows\system32\Install.tx
• Creates c:\windows\Install.tx
• Moves c:\windows\system32\tmpxr_621171838093.bk to c:\windows\system32\tmp0_57032696252.bk.
• Moves c:\windows\system32\tmp0_57032696252.bk to c:\windows\system32\tmpxr_621171838093.bk
• Deletes c:\windows\system32\tmp0_57032696252.bk.
• Deletes c:\windows\system32\noytcyr.exe
• Moves c:\windows\system32\tmpxr_621171838093.bk to c:\windows\system32\noytcyr.exe
• Moves c:\windows\system32\tmpxr_434138765527.bk to c:\windows\system32\tmp0_793471556187.bk.
• Moves c:\windows\system32\tmp0_793471556187.bk to c:\windows\system32\tmpxr_434138765527.bk
• Deletes c:\windows\system32\tmp0_793471556187.bk.
• Deletes c:\windows\system32\wsldoekd.exe
• Moves c:\windows\system32\tmpxr_434138765527.bk to c:\windows\system32\wsldoekd.exe
• Moves c:\windows\system32\tmpxr_549716366933.bk to c:\windows\system32\tmp0_175036521364.bk.
• Moves c:\windows\system32\tmp0_175036521364.bk to c:\windows\system32\tmpxr_549716366933.bk
• Deletes c:\windows\system32\tmp0_175036521364.bk.
• Deletes c:\windows\system32\afisicx.exe
• Moves c:\windows\system32\tmpxr_549716366933.bk to c:\windows\system32\afisicx.exe
• Moves c:\windows\system32\tmpxr_55360933570.bk to c:\windows\system32\tmp0_618276258932.bk.
• Moves c:\windows\system32\tmp0_618276258932.bk to c:\windows\system32\tmpxr_55360933570.bk
• Deletes c:\windows\system32\tmp0_618276258932.bk.
• Deletes c:\windows\system32\Install.txt
• Creates c:\windows\system32\comsa32.sys
• Copies file c:\windows\system32\urlmon.dll to c:\docume~1\user\locals~1\temp\mta96020.dll
• Deletes c:\docume~1\user\locals~1\temp\mta96020.dll
• Copies file c:\windows\system32\urlmon.dll to c:\windows\temp\mta20954.dll

Registry Activity

One or more files with the name MSRSTART.EXE creates or modifies the following registry keys and values:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt Application C:\WINDOWS\system32\nxtepad.exe
• HKEY_CURRENT_USER\AppEvents\Schemes\Apps\.Default\SystemExclamation\.Current
• HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International W2KLpk value:
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
• HKEY_CURRENT_USER\Software\Microsoft\CTF\Sapilayr ProfileInitialized value:
• HKEY_CURRENT_USER\Software\Microsoft\CTF\Sapilayr ProfileInitialized value:
• HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\LanguageProfile\0x00000409\{09EA4E4B-46CE-4469-B450-0DE76A435BBB} Enable value:
• HKEY_CURRENT_USER\Software\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\LanguageProfile\0x00000809\{09EA4E4B-46CE-4469-B450-0DE76A435BBB} Enable value:

Network Activity

One or more files with the name MSRSTART.EXE performs the following network events:


Website Activity

One or more files with the name MSRSTART.EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.


Malware Activity

• The malware created a lot of files in C:\WINDOWS\system32\:
  C:\WINDOWS\system32\tpszxyd.sys
  C:\WINDOWS\system32\msrstart.exe
  C:\WINDOWS\system32\comsa32.sys
  C:\WINDOWS\system32\afisicx.exe

Virus scanner report:

Report Generated 24.2.2009 at 0.18.09 (GMT 1)
Time for scan: 187 seconds
Filename: afisicx.exe
File size: 181 KB
MD5 Hash: DA3E12A66735C24D5ECB631D3DA1BE7E
SHA1 Hash: 64485D2C2DA92377002014D11CC2916372C23E08
CRC32: 743296509
Application Type: Executable (EXE) 32bit
Packer detected: Borland Delphi 6.0 - 7.0
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection Rate: 3 on 23 (13,04 %)

Antivirus Sig Version Result

a-squared 23/02/2009 Nothing found!
Avira AntiVir 7.1.2.64 Nothing found!
Avast 090221-0 Win32:Refpron-I [Trj]
AVG 270.11.3/1967 Nothing found!
BitDefender 24/02/2009 Nothing found!
ClamAV 23/02/2009 Nothing found!
Comodo 986 Nothing found!
Dr.Web 24/02/2009 Nothing found!
Ewido 24/02/2009 Nothing found!
F-PROT 6 20090223 Nothing found!
IkarusT3 23/02/2009 Nothing found!
Kaspersky 24/02/2009 Nothing found!
McAfee 23/02/2009 Nothing found!
MHR (Malware Hash Registry) 24/02/2009 Nothing found!
NOD32 v3 3882 Nothing found!
Norman 2009/02/20 Nothing found!
Panda 07/02/2009 Nothing found!
QuickHeal 23 February, 2009 Nothing found!
Solo Antivirus 24/02/2009 Nothing found!
Sophos 24/02/2009 Troj/Agent-IWW
TrendMicro 861(586100) Nothing found!
VBA32 24/02/2009 Win32 Shadow Driver Install
VirusBuster 10.101.22 Nothing found!

Other created files:

• C:\WINDOWS\system32\pe.dll
• C:\DOCUME~1\userxx\LOCALS~1\Temp\Cookiesh
• C:\DOCUME~1\userxx\LOCALS~1\Temp\Historyl
• C:\WINDOWS\Temp\mtaw31787.dll
• C:\WINDOWS\Temp\mta33058.dll
• C:\WINDOWS\Temp\mta107493.dll
• C:\WINDOWS\system32\post.asp.cikehorse=aaa
• The malware first dropped the file named pe.dll in C:\WINDOWS\system32\ and then started to download and execute all the other files.
• The malware utilizes rootkit technology to hide processes from Task Manager and all user-mode process viewers (not ProcessExplorer).
• The malware adds itself to the registry startup to be able to run after every reboot of the Windows OS.

Registry keys created:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer => msrstart.exe

Traffic:

The malware established connections in the remote port number 8392 with mainly 4 IP Addresses:

-208.43.250.162 (208.43.250.162-static.reverse.softlayer.com)
-74.52.142.226 (host30.4hosthelp.com)
-74.55.37.210 (d2.25.374a.static.theplanet.com)
-174.133.126.2 (2.7e.85ae.static.theplanet.com)

The traffic was always the same (with an “echo” inside):

================================================
Index : 12
Protocol : TCP
Remote Address : 208.43.250.162
Local Port : 1035
Remote Port : 8392
Packets : 14
Data Size : 48 Bytes
Total Size : 676 Bytes
Capture Time : 23/02/2009 23.28.52:437
================================================
00000000 00 00 78 E3 00 00 4F 95 00 00 00 04 65 63 68 6F ..xã..O• ….echo
00000000 00 00 00 0C 38 37 2E 31 31 2E 33 39 2E 32 35 31 ….xx.xxx.xxx.xxx

Afterwards, the traffic changed to:
================================================
Protocol : TCP
Remote Address : 74.52.142.226
Local Port : 1041
Remote Port : 8392
================================================
00000000 00 00 78 E3 00 00 27 B3 00 00 00 11 32 2E 30 5F ..xã..’³ ….2.0_
00000010 6E 65 77 32 30 30 39 5F 77 2E 65 78 65 new2009_ m.exe
00000000 00 00 00 41 37 34 2E 35 32 2E 31 36 34 2E 32 31 …A90.5 2.164.21
00000010 30 2F 70 31 32 31 32 0D 0A 31 37 34 2E 31 33 33 0/p1213. .174.133
00000020 2E 31 34 37 2E 31 38 2F 70 31 32 31 32 0D 0A 31 .142.18/ p1212..1
00000030 37 34 2E 31 33 33 2E 31 34 37 2E 32 36 2F 70 31 74.133.1 47.21/p1
00000040 32 31 32 0D 0A 212..

Now we can see from the traffic below that the malware is getting some kind of list of “words” that the malware will then use for spam / search engine hijacks / browser hijacks / click hijacks:

================================================
Protocol : TCP
Remote Address : 208.43.250.162
Remote Port : 8392
================================================
00000000 00 00 78 E3 00 00 76 B8 00 00 00 07 6E 65 77 32 ..xã..v¸ ….new2
00000010 30 30 39 009
00000000 00 00 18 A2 72 76 0D 0A 73 74 65 72 6C 69 6E 67 …¢rv.. sterling
00000010 20 73 69 6C 76 65 72 20 6A 65 77 65 6C 72 79 0D silver jewelry.
00000020 0A 50 61 79 2B 50 65 72 2B 43 6C 69 63 6B 2B 41 .Pay+Per +Click+A
00000030 64 76 65 72 74 69 73 69 6E 67 0D 0A 6E 66 6C 20 dvertisi ng..nfl
00000040 74 69 63 6B 65 74 0D 0A 41 6D 61 74 65 75 72 0D ticket.. Amateur.
00000050 0A 62 61 6E 67 6B 6F 6B 2B 68 6F 74 65 6C 0D 0A .bangkok +hotel..
00000060 57 65 69 67 68 74 2B 6C 6F 73 73 2B 70 69 6C 6C Weight+l oss+pill

I hope this information comes in handy to some!

-Mike
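Added example, not part of Mike's posts or of any tool they link: a decoder for the request/response framing visible in the port-8392 captures above, so the update list and the keyword list can be pulled out of a dump and a truncated reply is reported as such. The framing is inferred from those three dumps only: each request starts with 0x000078E3, then a 4-byte field whose meaning the captures do not establish (treated as an opaque tag here), then a big-endian payload length; each reply is a 4-byte big-endian length followed by the payload. Sample frames are reconstructed from the post's hex columns, with the echo reply's address (redacted by the author) replaced by a documentation IP; the names MAGIC, HEADER and summarize are ours.

```python
"""Decode the length-prefixed port-8392 frames shown in the captures above."""
import struct

MAGIC = 0x000078E3              # leading 4 bytes of every request in the captures
C2_PORT = 8392                  # remote port used in all three captures
HEADER = struct.Struct(">III")  # magic, opaque tag, payload length (all big-endian)


def parse_request(buf: bytes):
    """Split a client->server frame into (tag, payload).

    Raises ValueError when the magic does not match or the buffer is shorter
    than the declared payload, so a foreign or cut-off frame is never misread."""
    if len(buf) < HEADER.size:
        raise ValueError("short header")
    magic, tag, length = HEADER.unpack_from(buf)
    if magic != MAGIC:
        raise ValueError(f"unexpected magic 0x{magic:08X}")
    if len(buf) < HEADER.size + length:
        raise ValueError("truncated request")
    return tag, buf[HEADER.size:HEADER.size + length]


def parse_response(buf: bytes):
    """Return (payload, complete) for a server->client frame.

    The third capture declares 0x18A2 bytes but shows far fewer, so the caller
    needs to know whether the whole list arrived before trusting it."""
    if len(buf) < 4:
        raise ValueError("short header")
    (length,) = struct.unpack_from(">I", buf)
    payload = buf[4:4 + length]
    return payload, len(payload) == length


def crlf_list(payload: bytes):
    """Replies to '2.0_new2009_w.exe' and 'new2009' are CRLF-separated lists."""
    return [line.decode("ascii", "replace") for line in payload.split(b"\r\n") if line]


def summarize(request: bytes, response: bytes) -> dict:
    """Pair one request with its reply and return the decoded exchange."""
    tag, command = parse_request(request)
    payload, complete = parse_response(response)
    items = crlf_list(payload) if b"\r\n" in payload else [payload.decode("ascii", "replace")]
    return {"command": command.decode("ascii", "replace"), "tag": tag,
            "complete": complete, "items": items}


# Constructed sample frames, reconstructed from the hex dumps in the post.
ECHO_REQUEST = bytes.fromhex("000078E3 00004F95 00000004") + b"echo"
ECHO_RESPONSE = bytes([0, 0, 0, 12]) + b"198.51.100.7"   # documentation IP, not the real reply
UPDATE_REQUEST = bytes.fromhex("000078E3 000027B3 00000011") + b"2.0_new2009_w.exe"
UPDATE_RESPONSE = bytes.fromhex("00000041") + (
    b"74.52.164.210/p1212\r\n174.133.147.18/p1212\r\n174.133.147.26/p1212\r\n")
KEYWORD_REQUEST = bytes.fromhex("000078E3 000076B8 00000007") + b"new2009"
# Declared length 0x18A2 (6306) bytes; the capture shows only the beginning.
KEYWORD_RESPONSE = bytes.fromhex("000018A2") + (
    b"rv\r\nsterling silver jewelry\r\nPay+Per+Click+Advertising\r\nnfl ticket\r\n"
    b"Amateur\r\nbangkok+hotel\r\nWeight+loss+pill")

if __name__ == "__main__":
    for req, resp in ((ECHO_REQUEST, ECHO_RESPONSE),
                      (UPDATE_REQUEST, UPDATE_RESPONSE),
                      (KEYWORD_REQUEST, KEYWORD_RESPONSE)):
        s = summarize(req, resp)
        state = "complete" if s["complete"] else "TRUNCATED"
        print(f"{s['command']!r} (tag 0x{s['tag']:04X}, {state}): {s['items']}")
```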
Copyright © 1999-2018 Auctiva.com. All rights reserved.