Trojan Dropper

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Geek1ndy@n, Dec 22, 2008.

  1. Geek1ndy@n

    Geek1ndy@n Private E-2

    I recently received a computer which initially was infected with a Trojan.
    Autoit.CI.14 [Avira], WORM_DELF.AF [Trend]. This usually comes in with removable drives, which is how this particular system got damaged.

    It had a host of other malware that came packaged with it; a content filter, a key logger, a trojan dropper etc. I had cleaned other machines with this infection, but this one came with another twist. As usual it blocked access to safe mode, but then it also put the system in \SAFEBOOT mode which kept the system in a loop. It simply didn't get to the desktop and kept restarting. I had to use the recovery console to rebuild the boot.ini to get it to boot. Usually this infection tries to establish SMTP type connections to send out spam, so I was wondering why it put the system in an unending restart loop. Why go for a Denial Of Service mode like this when the original intentions lie elsewhere, anyways.

    Once inside I ran through the READ and RUN from your website which sorted out quite a few things. However there might be some niggles remaining, which is evidenced by the fact that SAS keeps showing 6 items which even after a removal/reboot continue to persist (log attached). I tried to remove the offending file with Avenger but it doesn't even show up. Probably it's being spawned by some other process, not sure which one. Another anomaly I came across was with ComboFix which after running through its gamut of steps gets stuck on the "Rebooting" message (is this normal?). All the other tools came up clean, including the AV on the system (Panda AV) which after it was freshly installed did remove quite a few bad guys who tried to reclaim lost turf. But now even Panda comes up clean. I ran HijackThis just to be sure and it came up with R'level' objects and '0X' type objects which were not malicious. So, the only thing that comes up shows up in the SAS scan. File info from the internet shows that it might be a Trojan Dropper. The only visible issue I see in the system is with downloads, which get bogged down and stopped midway. The browser being used is Chrome. Is the Trojan trying to hijack bandwidth to download stuff of its own? What would be the best way to get rid of this niggle?

    regards
    Geek1ndy@n
     

  2. Geek1ndy@n

    Geek1ndy@n Private E-2

    Ok, it's been a busy couple of days with a few more systems which I was working on. I finally got some time and got back to this one. I decided to deep dive and check out some %SystemRoot% files which were only visible in Safe mode. The system wasn't misbehaving much apart from some botched downloads and not booting to safe mode (yep again, goes to show that the infection still persists). So, I merged a ".reg" file having the required entries with the registry to boot to safe mode. Once inside I found the following files which I promptly removed, using Avenger.

    %SystemRoot%\system32\vbsdfe0.dll
    %SystemRoot%\system32\vbsdfe1.dll
    %SystemRoot%\system32\CF3268.exe
    %SystemRoot%\system32\CF6204.exe
    %SystemRoot%\expiorer.exe
    %SystemRoot%\sensor.INI

    %SystemRoot%\SET3.tmp (probably from an old install which may be misused)
    %SystemRoot%\SET8.tmp (probably from an old install which may be misused)
    %SystemRoot%\SET4.tmp (probably from an old install which may be misused)

    It looks like old wine in a new bottle, some algorithm has been added to existing Malware code to create random filenames. Have any of the Mods or senior members come across this variant? Last time I cleaned up this dropper Trojan, it had consistent filenames with minor variations. It has downloaded a whole slew of other trojans.

    However, the good part is that modification dates for these files show 21st Dec 2k8 which means the trojan hasn't been able to download anything for a while now. I'll keep this machine under observation for a couple of days now. In the meanwhile I'll write protect the win.ini (temporarily) and indulge in some more deep diving. More for later, any pointers or tips would be truly appreciated.

    regards
    Geek1ndy@n
     
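As an added illustration (not part of the thread or the poster's own tooling), a small Python triage helper built from the filenames listed in the post above: it flags look-alike names such as expiorer.exe against a known-good list, matches the CF####.exe / vbsdfe#.dll / SET#.tmp name shapes, and reports the newest modification time, the same check the poster used to judge whether the dropper was still active. The KNOWN_GOOD list and the SAMPLE directory listing are constructed for the example.

```python
import re
from datetime import datetime

# Constructed list of legitimate Windows binaries that droppers imitate
# (an assumption for illustration; build it from a known-good baseline).
KNOWN_GOOD = {"explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}

# Name shapes taken from the files removed in the post above.
RANDOM_NAME_PATTERNS = [
    re.compile(r"^cf[0-9a-f]{4}\.exe$", re.I),  # CF3268.exe, CF6204.exe
    re.compile(r"^vbsdfe\d\.dll$", re.I),       # vbsdfe0.dll, vbsdfe1.dll
    re.compile(r"^set\d+\.tmp$", re.I),         # SET3.tmp, SET4.tmp, SET8.tmp
]

def one_char_off(a, b):
    """True when a and b have the same length and differ in exactly one char."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1

def lookalike(name):
    """Return the legitimate name this file imitates (e.g. expiorer -> explorer)."""
    for good in KNOWN_GOOD:
        if one_char_off(name.lower(), good):
            return good
    return None

def triage(entries):
    """entries: (path, mtime ISO string) pairs; returns (path, reason, mtime) hits."""
    hits = []
    for path, mtime in entries:
        base = path.rsplit("\\", 1)[-1]
        mimic = lookalike(base)
        if mimic:
            hits.append((path, "lookalike of " + mimic, mtime))
        elif any(p.match(base) for p in RANDOM_NAME_PATTERNS):
            hits.append((path, "random-style name", mtime))
    return hits

def last_activity(hits):
    """Newest modification time among hits; shows whether the dropper is still busy."""
    return max((datetime.fromisoformat(m) for _, _, m in hits), default=None)

# Constructed sample directory listing (not taken from the infected machine).
SAMPLE = [
    (r"C:\WINDOWS\expiorer.exe", "2008-12-21T10:14:00"),
    (r"C:\WINDOWS\explorer.exe", "2004-08-04T12:00:00"),
    (r"C:\WINDOWS\system32\CF3268.exe", "2008-12-21T10:15:30"),
    (r"C:\WINDOWS\system32\vbsdfe0.dll", "2008-12-21T10:15:31"),
    (r"C:\WINDOWS\SET3.tmp", "2007-03-02T08:00:00"),
]
```

Feed it a real listing (name plus modification time) of %SystemRoot% and system32 and the genuine explorer.exe is left alone while the imitation and the random-style names are reported with their last write times.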
  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome to Major Geeks!

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.


    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    READ & RUN ME FIRST. Malware Removal Guide

    Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode, but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools on another PC and burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
     
