Dec 18 2009

Recent Viral Investigations

Category: Malware, Programs, Theory, Trojan. Parker @ 11:00 am

Below are the details I have gathered recently whilst investigating numerous malware incidents.

If you are that way inclined, there are samples of most of these on my domain, but clearly only head to these if you know what you are doing (you will be intentionally infecting your PC with a virus). Furthermore, be aware that the command & control or script-issuing sites will be offline, largely removing the virus's capacity to do evil, so that others infected in the traditional sense do not suffer harm.

Zeus

Known capacities

  • HTML injection
  • Communication with C&C
  • Man In The Middle / Man In The Browser
  • Capacity to engineer scenarios that defeat two-factor authentication
  • Receipt of customised JavaScript pages from the C&C, allowing page-specific attacks and exploits to be engineered per target site.

Known file locations / tell tale signs

  • Modified registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit. Zeus appends its loader to this value, so it reads C:\Windows\system32\userinit.exe,C:\Windows\system32\sdra64.exe, whereas a clean system has only C:\Windows\system32\userinit.exe, (trailing comma included). Malicious executable: C:\Windows\system32\sdra64.exe
  • Config files located within C:\Windows\system32\lowsec. There will typically be a user.ds and a local.ds file, although sometimes there are others. All of these can be assumed malicious, because the lowsec folder never exists under normal circumstances.
  • The virus also carries the capacity to shut down, or at least disable, some antivirus and firewall programs, so the unexplained 'switch off' of your AV may be indicative of an infection.

Removal

I have recorded a screen capture video of the removal, available below. I learnt by following someone's video guide, so I would suggest doing the same. I have, however, also recorded additional steps for further ease.

  • Open regedit (normally via Start > Run) and drill down to the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon key, then note the value data of the Userinit string value.
  • Assuming sdra64.exe was present in the above value, you are infected and will need to kill a thread that Zeus has injected into winlogon.exe; that thread rewrites the malicious entry if the Userinit value is simply edited, which is why the registry cannot be cleaned first.
  • Download and run Process Explorer (Sysinternals) from the TechNet website.
  • Open the View menu and ensure that Show Lower Pane is enabled.
  • On the top menu bar, select Find > Find Handle or DLL, and search for sdra64.exe.
  • This should find and select sdra64.exe within the lower pane. In the top pane, locate and double-click winlogon.exe.
  • From the new window select the Threads tab (this sometimes produces an error, which can just be clicked past).
  • Once the threads are displayed, sort by CSwitch Delta. There will be one thread which shows as constantly active (it retains a numeric value in that column).
  • Highlight this thread and select Kill from the bottom right.
  • Exit Process Explorer, reopen regedit, drill down to the Winlogon\Userinit value and delete the sdra64 entry (typically c:\windows\system32\sdra64.exe, together with its separating comma), leaving only c:\windows\system32\userinit.exe,
  • Restart the PC.
  • This should have stopped the virus loading at boot, allowing you to locate C:\windows\system32\sdra64.exe and the ..\lowsec files (user.ds and local.ds). All of these should be purged from the system.

Zeus Jabber

As the name suggests, this virus is an extension of the Zeus family trojan, so much of its technical ability and its file locations mirror those above. Removal is achieved in the same manner as removing the Zeus virus above.

Known capacities

  • HTML injection
  • Communication with C&C / admin via the Jabber (XMPP) instant-messaging protocol, which is what gives the variant its name
  • There is some talk of MitB capacity, but I have yet to see this implemented successfully in the wild (far from proof that it does not retain this ability, however).

Known file locations / tell tale signs

  • Modified registry value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit. As with Zeus, the loader is appended, so the value reads C:\Windows\system32\userinit.exe,C:\Windows\system32\sdra64.exe, whereas a clean system has only C:\Windows\system32\userinit.exe, Malicious executable: C:\Windows\system32\sdra64.exe
  • Config files located within C:\Windows\system32\lowsec. There will typically be a user.ds and a local.ds file, although sometimes there are others. All of these can be assumed malicious, because the lowsec folder never exists under normal circumstances.
  • Drops php files into %system%/temp, typically containing the credentials obtained, in clear text (so a good way to see what data of yours has been stolen). These files should also record the malicious server's IP address, so tracking down and shutting down the related malicious or hosting servers is made somewhat easier.
  • Packet capture will show a lot of chatter; watch and record this to fathom how it communicates and with whom.
  • Config files cannot currently be decrypted by the ZeusDecoder @ ThreatExpert. Expect updates.
  • The virus also carries the capacity to shut down, or at least disable, some antivirus and firewall programs, so the unexplained 'switch off' of your AV may be indicative of an infection.

Removal

See above Zeus removal steps and video.

Silon v2

Known capacities

  • Key logging
  • HTML injection
  • Man In The Middle / Man In The Browser
  • C&C communication
  • Capacity to engineer malicious two-factor scenarios, allowing bank or other secure-site protections to be exploited

Known file locations / tell tale signs

  • HKCR\CLSID\{50D5107A-D278-4871-8989-F4CEAAF59CFC}\InProcServer32\(Default)
  • The value data should read c:\windows\system32\msimtf.dll. If a Silon infection has occurred, the value will instead point at a malicious msls50.dll, so the malicious DLL is loaded in place of the legitimate one wherever that COM class is instantiated.
  • The virus stores its config details and C&C information within a newly created registry key. This key is named using system-specific values arranged in a set format: it obtains your C: drive's volume serial number and applies its format to the 8 hex digits (excluding the hyphen). To find your drive's serial, open a command prompt and type "vol"; this prints the number in the format xxxx-xxxx.
  • Open regedit and search for a key containing those 8 digits (without the hyphen). You should find a key named with these 8 digits, plus others named with permutations of them. It contains a ProcServer32 element, which itself contains subkeys named 0, 1, 3 and 4. These all hold encrypted data that looks like nonsense but actually contains the targeted website list and the Command & Control server locations.
  • The virus also creates two files in which it stores stolen credentials. To find these, navigate to c:\windows\temp, where you will find two files named using the drive serial in differing formats.
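Both the Zeus Userinit tell-tale above and the Silon CLSID hijack and serial-named config key in this section can be checked from a registry export rather than by eye in regedit, which also makes the check repeatable across a fleet of suspect machines. The script below is an added example written for this page, not the author's tooling: it parses the text produced by `reg export` (for instance `reg export HKLM hklm.reg` and `reg export HKCR hkcr.reg` on the suspect host), flags any Userinit entry other than userinit.exe, reports the InProcServer32 default of the msimtf.dll CLSID if it no longer names msimtf.dll, and lists keys whose name contains the volume serial with the hyphen removed. The sample export embedded in it is constructed (the sdra64.exe entry, the msls50.dll path and the 1A2B3C4D key are made up to exercise the checks), and the "permutations" of the serial mentioned above are not searched because the page does not give the scheme.

```python
"""Scan a Windows registry export (.reg text) for the Zeus and Silon v2 registry
indicators described on this page.  Added example for this page, not the author's
tooling.  Usage on a suspect host:  python scan_reg.py hklm.reg 1A2B-3C4D"""
import re
import sys

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SILON_CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID\{50D5107A-D278-4871-8989-F4CEAAF59CFC}\InProcServer32"
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"  # adjust if Windows is not on C:

def _unescape(s):
    # .reg strings double every backslash and escape quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def _parse_value(entry):
    """Split one '"Name"=data' or '@=data' line into (name, data); quoted strings
    are unescaped, dword:/hex: data is returned as raw text."""
    if entry.startswith("@="):
        name, data = "@", entry[2:]
    else:
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', entry)
        if not m:
            return None, None
        name, data = _unescape(m.group(1)).lower(), m.group(2)
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return name, _unescape(data[1:-1])
    return name, data

def parse_reg(text):
    """Parse 'reg export' text into {key path (lowercased): {value name: data}}."""
    reg, current, buf = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if buf:                                # continuation of a wrapped hex: value
            buf += line
        elif not line or line[0] == ";" or line.startswith("Windows Registry Editor"):
            continue
        elif line[0] == "[" and line[-1] == "]":
            current = line[1:-1].lower()
            reg.setdefault(current, {})
            continue
        else:
            buf = line
        if buf.endswith("\\"):                 # long hex: data wraps with a trailing '\'
            buf = buf[:-1]
            continue
        name, data = _parse_value(buf)
        buf = ""
        if name is not None and current is not None:
            reg[current][name] = data
    return reg

def check_userinit(reg):
    """Entries in the Winlogon Userinit value other than the legitimate userinit.exe.
    Zeus appends its loader (classically sdra64.exe), so a non-empty list is the
    first tell-tale sign given on this page for Zeus."""
    userinit = reg.get(WINLOGON_KEY.lower(), {}).get("userinit", "")
    entries = [e.strip() for e in userinit.split(",") if e.strip()]
    return [e for e in entries if e.lower() != EXPECTED_USERINIT]

def check_silon_clsid(reg):
    """The hijacked DLL if the msimtf.dll CLSID's InProcServer32 default no longer
    names msimtf.dll (Silon's msls50.dll, for instance); None when clean."""
    default = reg.get(SILON_CLSID_KEY.lower(), {}).get("@")
    if default is None or default.lower().rsplit("\\", 1)[-1] == "msimtf.dll":
        return None
    return default

def find_serial_keys(reg, volume_serial):
    """Keys whose own name contains the C: volume serial (as printed by 'vol',
    e.g. 1A2B-3C4D) with the hyphen removed.  The page also mentions keys named with
    permutations of the digits; the scheme is not given, so they are not searched."""
    needle = volume_serial.replace("-", "").lower()
    if not re.fullmatch(r"[0-9a-f]{8}", needle):
        raise ValueError("volume serial must be 8 hex digits, e.g. 1A2B-3C4D")
    return sorted(k for k in reg if needle in k.rsplit("\\", 1)[-1])

# Constructed sample export: the sdra64.exe entry, the msls50.dll path and the
# 1A2B3C4D-named key are made up to exercise the checks.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\sdra64.exe,"

[HKEY_CLASSES_ROOT\CLSID\{50D5107A-D278-4871-8989-F4CEAAF59CFC}\InProcServer32]
@="C:\\WINDOWS\\system32\\msls50.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\1A2B3C4D]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\1A2B3C4D\ProcServer32\0]
@=hex:9f,3a,c4,\
  11,e0
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:   # reg export writes UTF-16 with a BOM on Vista and later
        text, serial = open(sys.argv[1], encoding="utf-16").read(), sys.argv[2]
    else:
        text, serial = SAMPLE_EXPORT, "1A2B-3C4D"
    reg = parse_reg(text)
    print("Zeus: extra Userinit entries:", check_userinit(reg) or "none")
    print("Silon: hijacked msimtf CLSID ->", check_silon_clsid(reg) or "clean")
    print("Silon: serial-named keys:", find_serial_keys(reg, serial) or "none")
```

Run with no arguments to see the checks fire on the constructed sample; run against a real export to triage a machine. Comparing the CLSID default by file name rather than full path keeps the check valid when the legitimate value is written with %SystemRoot% or a different drive letter, and the Userinit check deliberately reports every extra entry rather than looking only for sdra64.exe, since the loader's file name is the easiest thing for a new build to change.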

Removal

Despite the virus's obvious technical ability, removal is incredibly simple. I am working on a quick video to show this graphically, but the below should certainly suffice in the meantime.

  • Open regedit and drill down into the HKCR\CLSID\{50D5107A-D278-4871-8989-F4CEAAF59CFC}\InProcServer32 key.
  • Open the (Default) value and overtype the value data with the correct DLL location, namely c:\windows\system32\msimtf.dll.
  • Restart the PC.
  • Locate and delete the malicious DLL from the c:\windows\system32 folder. (Sometimes the DLL is hidden, so ensure hidden files are visible: Tools > Folder Options > View > Show hidden files and folders.)
  • Delete the registry key named with your C: drive serial.
  • Delete the credential dump files retained within C:\Windows\temp.

The dropper / installer is not yet understood, so re-infection is highly possible if it is executed again.
