PDA

View Full Version : Worm.Lover.A/Brontok.cu: Botnet Victim?



GeorgeC
2008-08-12, 01:08
Yesterday morning I got a Warning from AVG 75 Antispy that I was infected by Worm.Lover.A. Spybot 1.6, Spysweeper, and Symantec didn't catch it. The virus hit Internet Explorer, got into every instance of iexplore.exe and changed them, including the restore volumes. Brontok.cu also made some changes in msconfig (system32\dllcache\msconfig.exe) and in (helpcenter\ binaries\msconfig.exe). AVG fixed the intrusions, by quarantining the files and loading backups, but the backups didn't work. I downloaded Firefox so I could get back on the web. Later, some other strange things happened, including a system hangup on boot, which Microsoft program said was caused by Spybot, so I uninstalled it. after two unsuccessful tries. I was also unable to go to restore points, or to enter safe mode. I was planning then to do a System Restoration (non-destructive) in the next few days if I couldn't get things to work again. Also, I now do not have all my icons in the system information tray, although MS Process Explorer shows that they are loaded. Today I was browsing my Norton Firewall logs, and discovered what seemed to be worse news. I think my computer has been put in a bot net. I found numerous changes to my firewall settings that I had not done, but also a "new" network called Teredo Tunneling Pseudo-Interface, on a strange IP address: fe80::211.11ff:fe80:b18b, and fe80::ffff:ffff:fffd). I also noted numerous network connections to sites that I had never visited, with on-time of maybe 1/4 to 1/2 second. A Google search brought up this was used on some networks requiring the ipv6 protocol. My broadband network does not use that. So I went to a command prompt, typed uninstall ipv6, enter, and went back to my log. The connection log showed my normal Intel PRO100 information again. I then went to my firewall settings, and changed the "Port Block NetBios allow" to block, and specifically blocked out the weird IP's. So far, so good, but I wonder what other surprises await? I don't want to, but I think I had better just bite the bullet and use my E-machine restoration disks, reload my data, and start fresh. My boot time has been increasing steadily to about 10 minutes, XP/SP3, with 2GB RAM. Any suggestions?

GeorgeC
2008-08-12, 16:09
After my post yesterday, I again looked at the Symantec log, and my own personal computer use log, and found that the new IP address and firewall changes came at about the same time. I had removed the corrupt IE7, and went to the Microsoft IE7 Homepage to get a fresh copy, a 14.7 MB file. I clicked the download, and instead of the normal download progress window in the center of the screen, I got a similar box in the upper left hand corner of the screen, saying you are preparing to download a binary file, is this correct? Thinking that this was just a new way that MS was doing downloads, I checked yes. The file downloaded, and prior to installation beginning the installer said to turn off all running programs, and all antispyware, antivirus, and firewalls, so I did. Looking back, it seemed a little strange that MS would recommend turning off all the protection, just for IE7, but since they recommended turning off AV and security during install of SP3, it didn't seem too odd. And now, looking back, that is when the strange IP address and network appeared, and the firewall changes were made. I don't know now how many other changes were made, or what is being done secretly on my computer. This morning I am going to reinstall SD 1.6. Apparently the seemingly frozen screen, and the MS error message saying the program was not responding on boot, was caused by the SD Systems Protector, trying to stop the bad changes from being made. And I had just turned it off, how foolish. I don't know how an apparently good MS site was spoofed. BTW, I saved the downloaded binary file in my recycle bin, if its study or name would be of use to the analysts. It is IE7-WindowsXP-x86-enu.exe. Windows Explorer shows it at 15,092 KB, created at 1537, 10 Aug (when I installed it). Properties show its creator as Microsoft, file 6.6.29.0, and size 14.7 MB. My gut feeling is that I need to reformat the disk and start fresh, although I don't look forward to it.

GeorgeC
2008-08-12, 19:59
I reinstalled SD 1.6, ran a scan, and found 8 items to fix, affecting IE7, and firewall/AV. I had tried initially to use the copy of 1.6 I downloaded on the 10th, but got an error message, so went to the Spybot news page, and tried to download a new copy of 1.6. However, as I clicked download, I again got a small window on my screen saying I was about to download a binary file, so I quit. Not sure what is happening here, but the SD 1.6 is working fine. I again went to my Symantec activity logs, and found quite a bit of activity on the web, when I was not even on. The IP's were numeric, with no site names, etc. Some were downloading 3 MB or more, but getting only 300-400 bits from my computer. Using my Symantec log info for selected IP's, and my wife's McAfee tools IP Tracer function, I found that my computer was talking to Prague, Czech republic, Kaarlsruhe Germany, Sunnyvale, CA, Boston, and two to Chicago, IL. The Prague site was something to do with Anti-Malware Design, Karlsruhe was something from Schlund-MNT, Boston was RIPEone.net, Sunnyvale was Teleglobe/Akamai Technologies; Chicago, one was with Networking Solutions, and the other was TDS Telecom out of Madison, WI.

In spite of uninstalling the IPV6 protocol and tightening up my firewall settings yesterday, I am still being used as a "bot", although the weird Teredo Tunnelling Pseudo Interface IP has not come back - yet. I have run system scans today by Spybot, Spysweeper, AVG Antispy, and Symantec. Other than the items found and fixed by Spybot, nothing else bad was found. Is this a rootkit issue?

Hijack This File follows. Any suggestions?

-----
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39:00 AM, on 8/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\MS PROCESS EXPLORER\procexp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.att.net/ie4/search/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gocyberlink.com/registration/new/product/app_reg.jsp?Product=PowerDVD&Version=5.0&VersionType=OEM&CDKey=MV88357364561518&Language=Enu&SR=DVD040514-08&BuildNumber=5.00.1107&Hardware=Desktop%20PC&CustomerNO=1842&Channel=OEM
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: Toolbar BHO - {2AE0A4BD-F9CD-473B-8DA1-C0581B963EB2} - C:\Program Files\AT&T Worldnet Service\Toolbar\Programs\Toolbar.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: ShowTB_BHO Class - {80273A16-C326-45FC-B961-5BD86F6E924D} - C:\Program Files\AT&T Worldnet Service\Toolbar\Programs\ShowTB.dll
O2 - BHO: (no name) - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: AT&&T Toolbar - {4A32DB77-BE7B-461B-8A3E-7FE4DCE9A594} - C:\Program Files\AT&T Worldnet Service\Toolbar\Programs\Toolbar.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [sunkistem] "C:\Program Files\Digital Media Reader\shwiconem.exe"
O4 - HKLM\..\Run: [remotecontrol] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nerofiltercheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [isusscheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [isuspm startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [hotkeyscmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [zBrowser Launcher] "C:\Program Files\Logitech\iTouch\iTouch.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O15 - Trusted Zone: http://*.moaa.org
O15 - Trusted Zone: f1.nolo.com
O15 - Trusted Zone: http://*.symantec.com
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler//PCPitStop.CAB
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvistatestdrive.com/ActiveX/VMRCActiveXClient1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129121802406
O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in 1.4.2) -
O16 - DPF: {CAFEEFAC-0014-0002-0011-ABCDEFFEDCBA} (Java Plug-in 1.4.2_11) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} -
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 12770 bytes

GeorgeC
2008-08-21, 18:29
Might as well call this thread closed. On 18 Aug I did a destructive restoration, built up Windows to SP3 plus other critical updates, installed and updated Norton Internet Security 2008, and scanned the system; no issues found. I then downloaded and updated Spybot SD 1.6.0, scanned the system, and found nothing. I also custom scanned my two data backup flash drives, and found nothing wrong. Unless the presumed bug/bot was in the BIOS or CPU I conclude that I am OK now; I certainly hope so. The Teredo tunneling issue was strange, and I am still not sure why it popped up. That is a name given by Microsoft to its proposed ipV6 protocol, which allows ipV6 net traffic to access ipV4 nets. But in my case, this was out of the blue, no reason, weird address on Port 80, plus the fact that some of my password protected firewall settings were changed made me worried. I still wonder about the security of my system, but will just observe for a few days. One advantage of reformatting the disk is that the computer now boots and shuts down in a flash. After 3 1/2 years I guess it was time.