oh please help with this hijack this log! [CLOSED]


  • This topic is locked

#1
Barbwatkins

    New Member

  • Member
  • 2 posts
Logfile of HijackThis v1.97.7
Scan saved at 7:38:22 PM, on 6/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\JoiExpress\propelac.exe
C:\WINDOWS\System32\f0r0r\dirote.exe
C:\Program Files\Sierra\Planner\PLNRnote.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\downloads\pte downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Joi Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: (no name) - {04079851-5845-4dea-848C-3ECD647AA554} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Program Files\E-Book Systems\FlipViewer\fplaunch.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\JoiExpress\prpl_IePopupBlocker.dll
O2 - BHO: (no name) - {8A8EA7B8-9B0C-454A-9019-A820B1B061E7} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Propel Accelerator] C:\Program Files\JoiExpress\propelac.exe
O4 - HKLM\..\Run: [rn4d] C:\WINDOWS\System32\f0r0r\kolder.exe C:\WINDOWS\System32\f0r0r\dirote.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Event Planner Reminders.lnk = C:\Program Files\Sierra\Planner\PLNRnote.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\JoiExpress\pac-addwl.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\JoiExpress\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\JoiExpress\pac-image.html
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ontent/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.webs...44/QDow_AS2.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7954.2399537037
O16 - DPF: {BA83FD38-CE14-4DA3-BEF5-96050D55F78A} (FViewerLoading Class) - http://www.flipviewe.../exe/fvgen1.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flash.blackj...oom/FlashAX.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2449729-8F6C-4590-B26E-D519906AE12B}: NameServer = 209.244.0.3 209.244.0.4
  • 0



#2
admin

    Founder Geek

  • Community Leader
  • 24,639 posts
Hi Barb,

Bad news: you have a new trojan that's pretty difficult to remove. If you're comfortable working from a command line, it's not too hard. If you're not comfortable, perhaps you can get someone to help you follow the instructions below.

REMOVING F0R0R:

For now, the only safe way to remove this worm from an infected system is to perform the following actions:

1) Boot using the Windows CD-ROM.
2) Enter the Recovery Console.
3) Delete the f0r0r folder located in the C:\WINDOWS\SYSTEM32 directory, using the RD command (e.g.: rd f0r0r).
4) Boot back into Windows.
5) Locate and delete the C:\WINDOWS\TEMP folder.
6) Check whether the f0r0r directory still exists in the C:\WINDOWS\SYSTEM32 directory, and if it does, delete it once again.
7) Restore win.ini from a backup copy, or manually undo the changes made by W32.MotivFTP: delete any text that refers to PPI.EXE.
8) Download HijackThis ( http://www.geekstogo...n=download&id=3 ), run it, check any entries pointing at PPI.EXE and DIROTE.EXE, and select "Fix". Or post the log back here for analysis.
9) Reboot your computer.
10) Scan your computer with your anti-virus software of choice. If you don't have an anti-virus program, you could obtain a free copy of "AVG Free Edition" at www.grisot.com.
11) Update your Windows installation (http://windowsupdate.microsoft.com). I can't stress enough how important it is to update your copy of Windows.
12) Install a personal firewall program, or enable Windows Personal Firewall.
  • 0
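An added example, not part of the thread and not code from HijackThis: a small Python triage script for step 8 above. It scans a HijackThis log for entries pointing into the f0r0r directory or at PPI.EXE / DIROTE.EXE, so the lines to check before pressing "Fix" can be picked out mechanically instead of by eye. The excerpt it runs on is a constructed copy of a few lines from the log in the first post; the indicator lists and the "orphaned BHO" rule are this example's own assumptions, not instructions from the reply.

```python
import re
from dataclasses import dataclass

# Indicators named in the removal instructions above (step 8) and seen in the
# process list / O4 entries of the posted log. Assumed lists; extend as needed.
INDICATOR_FILES = {"ppi.exe", "dirote.exe"}   # components to check in HijackThis
INDICATOR_DIRS = {"f0r0r"}                    # the dropped folder under SYSTEM32

# "O4 - ...", "R1 - ...", "O2 - ..." style lines; the running-process list is bare paths.
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+)\s+-\s+(?P<body>.*)$")
# Drive-letter paths; stops at whitespace, so paths containing spaces are truncated
# (good enough for the f0r0r indicators, none of which contain spaces).
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]+')

# Constructed excerpt: a handful of lines copied from the log in the first post.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\f0r0r\dirote.exe
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {04079851-5845-4dea-848C-3ECD647AA554} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [rn4d] C:\WINDOWS\System32\f0r0r\kolder.exe C:\WINDOWS\System32\f0r0r\dirote.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2449729-8F6C-4590-B26E-D519906AE12B}: NameServer = 209.244.0.3 209.244.0.4
"""

@dataclass
class Finding:
    section: str   # HijackThis section (O4, O2, ...) or "Process" for the process list
    line: str
    reason: str

def path_reasons(text):
    """Explain every drive-letter path in `text` that matches an indicator."""
    reasons = []
    for path in PATH_RE.findall(text):
        parts = path.lower().split("\\")
        if any(p in INDICATOR_DIRS for p in parts[:-1]):
            reasons.append("file inside the f0r0r directory: " + path)
        elif parts[-1] in INDICATOR_FILES:
            reasons.append("known f0r0r component: " + path)
    return reasons

def classify_line(line):
    """Return a Finding for a suspicious log line, or None for a harmless one."""
    line = line.strip()
    m = LINE_RE.match(line)
    if m is None:
        # Process-list entries are bare paths; anything else (header, blank) is skipped.
        if PATH_RE.fullmatch(line):
            reasons = path_reasons(line)
            return Finding("Process", line, "; ".join(reasons)) if reasons else None
        return None
    section, body = m.group("section"), m.group("body")
    reasons = path_reasons(body)
    if section == "O2" and body.endswith("(no file)"):
        reasons.append("orphaned BHO entry (DLL no longer present)")
    return Finding(section, line, "; ".join(reasons)) if reasons else None

def triage(log_text):
    """All findings for a whole HijackThis log, in log order."""
    return [f for f in map(classify_line, log_text.splitlines()) if f is not None]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it against a saved log with `triage(open("hijackthis.log").read())`; only the lines it reports need to be reviewed, and legitimate entries such as the Norton and Adobe ones come back untouched.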

#3
Barbwatkins

    New Member

  • Topic Starter
  • Member
  • 2 posts
Thank you so much for the help. I think I will have to get someone to help. Can you tell me the name of the worm? Is it a virus? Should Norton have caught it? Or Ad-Aware? I truly appreciate your help!
  • 0

#4
admin

    Founder Geek

  • Community Leader
  • 24,639 posts
Norton or Ad-aware won't catch or remove it yet; they're still working on a fix. A properly patched Windows installation will prevent you from getting infected.

The instructions above will remove it. I've usually seen it referred to as the F0R0R trojan, but that could vary.

Here's more info:

This trojan horse has kept the security community busy for some while; now that I have completed its analysis, I can post some information regarding its payload.

Apparently, f0r0r spreads mainly through the LSASS vulnerability (MS04-011), using one of its components; more on that later.

Upon infection, the trojan drops an installation executable in the %SYSTEMDRIVE%\TEMP directory; the file is always named d0r1t1s.exe. Then the file is launched.

Here starts the second phase of the infection process, which is in fact a collection of worms. The virus files are placed in the %SYSTEMROOT%\SYSTEM32\f0r0r directory. First the worm installs HXDEF (HackerDefender); this is done to harden the process of analysis and removal of this virus. Here's how HXDEF works:

The f0r0r variant of HXDEF is installed by a file named dorod.exe in the f0r0r directory. It is installed following a virus rule set which is defined in the file dorod.ini, which will later become invisible too. This INI file has all the information HXDEF needs in order to complete its installation and serve the parent virus.

HXDEF then, provided with the information in the INI file, renders predefined folders, files, registry keys, registry values, and services invisible. This goal is achieved through a complex root-kit system, involving a system level driver. Here's how that's achieved:

1) Allocating a memory pool inside a host process, and injecting viral handler functions into this pool.
2) Collecting a list of API functions to infect.
3) Placing a jump instruction in the beginning of each API function, in order to hook it. The purpose of this jump is to hand control of a hooked function over to hxdef, so when the API hands back to the handler function, hxdef executes its filtering routine in order to conceal the predefined folders, files, registry keys, registry values, and services.

After I was able to isolate the .ini file for the f0r0r variant, I examined it. Here are the highlights of this examination:

Hidden directories, files, processes: f0r0r, temp, dorod* ; This reflects that any file/folder/process possessing one of these names will be hidden. In order to prove that, you can attempt to create a directory with one of these names on an infected machine; it will disappear instantly. The "*" character at the end of "dorod" is a wildcard, meaning that each file, folder, or process starting with "dorod", no matter what follows it, will be hidden.

Hidden service: HackerDefender* ; This reflects that any service starting with "HackerDefender" will be hidden (again, using "*" as a wildcard).

Hidden registry keys: HackerDefender100, LEGACY_HACKERDEFENDER100, HackerDefenderDrv100, LEGACY_HACKERDEFENDERDRV100 ; This reflects that any registry key possessing the above names will be invisible. In this particular case these names represent driver registry settings, and this is done in order to sabotage any attempt of locating these registry keys and disabling them, and thus disabling the driver.

There are four other options in this ini file, but they are not activated in f0r0r. They stand for hiding registry values (note the difference between a registry value and a registry key), placing hidden objects in the system startup, manipulating disk free space, and hiding TCP/IP ports.

There are some other settings in this ini file, such as: Password (probably a password for root kit management), Driver name (dordodrv) and driver file name: dordo.sys

An interesting point is that whenever the driver file is accessed by the user, it is reported to be 0 bytes in size, even when the root kit is inactive (clean DOS boot disk). This is probably a deceiving technique implemented within hxdef to harden the analysis of its driver. So, to speculate, the root kit automatically voids the driver after it's loaded in memory, so the SYS file is no longer required for that session. On each reboot the driver is loaded into memory, and then its SYS file is voided.

Returning to the API functions, here's the list of the hooked APIs:

1) Kernel32.ReadFile
2) Ntdll.NtQuerySystemInformation
3) Ntdll.NtQueryDirectoryFile
4) Ntdll.NtVdmControl
5) Ntdll.NtResumeThread
6) Ntdll.NtEnumerateKey
7) Ntdll.NtEnumerateValueKey
8) Ntdll.NtReadVirtualMemory
9) Ntdll.NtQueryVolumeInformationFile
10) Ntdll.NtDeviceIoControlFile
11) Ntdll.NtLdrLoadDll
12) Ntdll.NtOpenProcess
13) Ntdll.NtCreateFile
14) Ntdll.NtLdrInitializeThunk
15) WS2_32.recv
16) WS2_32.WSARecv
17) Advapi32.EnumServiceGroupW
18) Advapi32.EnumServicesStatusExW
19) Advapi32.EnumServicesStatusExA
20) Advapi32.EnumServicesStatusA

Other yet unknown API functions may also be hooked.
This list reflects that hxdef is operative only under Windows NT-based platforms, although the only infections I have seen to date were under Windows XP. Again, this trojan may infect other NT-based platforms as well.

HXDEF has weaknesses, many of them. We'll not discuss all of them here, but just one, because the information is too advanced to provide in this article. One can only guess that these weaknesses will be exploited in attempts to create a permanent solution for the hxdef virus.

The weakness to point out here is the inability of hxdef to stop the classic DOS "CD" command (Change Directory). This may be explained by the fact that the CD command doesn't use any hooked API in order to change directory, so the virus fails to lay its impact on it. If you run CMD (command prompt) on an infected machine and use the "CD" command to get inside the f0r0r directory, you'll succeed.


So much for the HXDEF part of this article. Here we move to the other elements of f0r0r:

(*) PPI.EXE: an executable of the W32.MotivFTP backdoor trojan horse. This executable allows anonymous FTP access to the infected computer's data through an FTP server on port 21. That means that every infected computer acts as an unrestricted FTP server, allowing any procedures to be done on the infected computer's hard disk. It also modifies some lines in the WIN.INI file to compromise the security of the infected computer; the WIN.INI file will have to be restored to its original state in order to remove the security threat. This executable file is compressed with UPX.

WEXP.EXE: A remote exploit backdoor (W32.RPCLsa) for the MS04-011 vulnerability. It might act as a scanner in order to infect other computers, in the same fashion as the infamous W32.Blaster and W32.Sasser viruses. This executable file is compressed with Cexe.

VAN32.EXE: A HackTool.HideWindow executable, used in order to hide windows of malicious programs (in this case the components of f0r0r). This executable is compressed with FSG.

CALCU.EXE: A non-malicious file; in fact it's a legitimate process viewer (PRCVIEW) written by Igor Nys (http://www.teamcti.c...iew/prcview.htm). This executable is probably placed in order to allow the exploiter to see some information about the infected system; however, this file is not malicious. This executable is compressed with UPX.

(*) DIROTE.EXE: A non-malicious file; in fact it's an executable of the mIRC version 6.03 chat program (www.mirc.co.uk). It is used to connect to predefined servers in order to receive commands from the exploiters.

KOLDER.EXE: Additional window hiding utility, similar to VAN32.EXE. This executable file is compressed with UPX.

KLTYE.EXE: A legitimate program, Sysinternals PsExec (http://www.sysintern...re/psexec.shtml). A "light-weight telnet-replacement", as the authors say. Probably placed in order to gain privileges on the infected system. This file is compressed with UPX.

DIR32.EXE: An additional instance of a window hiding tool. This executable file is compressed with Cexe.

ROMTO: Probably a system infection log, indicating the time and date at which the system infection took place [e.g.: %infecttime DAY xx/xx/xxxx xx:xx:xx].

ICHAT.BAT: Not a real batch file, but a list of IRC channels, probably for connecting to the worm's control point by its authors.

DORDO.SYS: HXDEF system driver.

DEMO.XT: A word list container, probably (but not limited to) placed in order to assist in performing dictionary attacks on password protected network shares.

REDROSES: A regular mIRC .ini file, manipulated to serve the virus. Set to connect to a predefined IRC server.

NIMAX: A malicious mIRC script file.

SOUNDS and LOGS directories: Regular mIRC directories, created by mIRC, they are empty and non-malicious.


(*) = Processes that are active in memory upon system initialization.



As we can see, f0r0r is just a bunch of worms put together in order to grant its creators complete control over a victim's computer. This trojan strain, probably by the same authors, is also known as W32.Aladinz/W32.Randon, this time escorted by hxdef in order to make analysis and removal harder.


REMOVING F0R0R:

For now, the only safe way to remove this worm from an infected system is to perform the following actions:

1) Boot using the Windows CD-ROM.
2) Enter the Recovery Console.
3) Delete the f0r0r folder located in the %SYSTEMROOT%\SYSTEM32 directory, using the RD command (e.g.: rd f0r0r).
4) Boot back into Windows.
5) Locate and delete the %SYSTEMDRIVE%\TEMP folder (in most cases C:\TEMP, unless your system drive is not drive C:\).
6) Check whether the f0r0r directory still exists in the %SYSTEMROOT%\SYSTEM32 directory, and if it does, delete it once again.
7) Restore win.ini from a backup copy, or manually undo the changes made by W32.MotivFTP: delete any text that refers to PPI.EXE.
8) Download HijackThis (www.spywareinfo.com/~merijn), run it, check any strings pointing at PPI.EXE and DIROTE.EXE, and select "Fix".
9) Reboot your computer.
10) Scan your computer with your anti-virus software of choice. If you don't have an anti-virus program, you could obtain a free copy of "AVG Free Edition" at www.grisot.com.
11) Update your Windows installation (http://windowsupdate.microsoft.com). I can't stress enough how important it is to update your copy of Windows.
12) Install a personal firewall program, or enable Windows Personal Firewall.


CONCLUDING COMMENT:

Finally, solutions for quick hxdef removal are currently being worked on by many individuals; as mentioned before, hxdef has many weaknesses and it's only a question of time before such a solution is published. For now, the only safe way to remove f0r0r is the one above. Stay tuned for developments.


Sincerely Yours,
A Spyware Expert



J Lo's song, "All I wanted", inspired me during the writing of this article.
Article created: 6/10/2004
Article updated: 6/11/2004


  • 0
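An added example, not code from the thread and not from HackerDefender: a Python model of the hiding rules quoted in the post above ("f0r0r, temp, dorod*" for names, "HackerDefender*" for services), where a trailing "*" is a prefix wildcard and any other pattern must match the whole name, together with the cross-view check a defender can run against such a filter: enumerate the same directory (or service list) once through the hooked API and once through a path the rootkit does not filter, then diff the two. The post's remark that CD still enters the f0r0r directory is one such unfiltered path. The listings are constructed, and case-insensitive matching is this example's assumption.

```python
# Rules as quoted in the post above; a trailing "*" is a prefix wildcard,
# anything else must match the whole name.
HIDDEN_NAMES_RULE = "f0r0r, temp, dorod*"
HIDDEN_SERVICES_RULE = "HackerDefender*"

def parse_rule(rule):
    """Split a comma-separated rule line into its patterns."""
    return [p.strip() for p in rule.split(",") if p.strip()]

def is_hidden(name, patterns):
    """Would the filter drop this name? (Assumed case-insensitive, as Windows names are.)"""
    n = name.lower()
    for pattern in patterns:
        p = pattern.lower()
        if p.endswith("*"):
            if n.startswith(p[:-1]):
                return True
        elif n == p:
            return True
    return False

def hooked_view(real_entries, patterns):
    """What an enumeration returns after the hooked API's filtering routine has run."""
    return [e for e in real_entries if not is_hidden(e, patterns)]

def cross_view_diff(unfiltered_view, api_view):
    """Entries present in an unfiltered view but missing from the API view: hidden objects."""
    return sorted(set(unfiltered_view) - set(api_view))

# Constructed listings (not taken from a real machine).
SYSTEM32_UNFILTERED = ["drivers", "f0r0r", "dorod.exe", "dorod.ini", "TEMP",
                       "temperature.txt", "kernel32.dll"]
SERVICES_UNFILTERED = ["Eventlog", "HackerDefender100", "HackerDefenderDrv100", "Spooler"]

def demo():
    """Hidden files and hidden services recovered by diffing the two views."""
    name_rules = parse_rule(HIDDEN_NAMES_RULE)
    svc_rules = parse_rule(HIDDEN_SERVICES_RULE)
    hidden_files = cross_view_diff(SYSTEM32_UNFILTERED,
                                   hooked_view(SYSTEM32_UNFILTERED, name_rules))
    hidden_svcs = cross_view_diff(SERVICES_UNFILTERED,
                                  hooked_view(SERVICES_UNFILTERED, svc_rules))
    return hidden_files, hidden_svcs

if __name__ == "__main__":
    files, svcs = demo()
    print("hidden in SYSTEM32:", files)   # temperature.txt survives: "temp" is exact, not a prefix
    print("hidden services:  ", svcs)
```

The point of the diff is that the rootkit only filters what passes through the APIs it hooked; any listing gathered another way (a raw disk read, an offline boot, or the CD trick from the post) exposes exactly the names the rule set removes.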
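A second added example, again not from the thread or from any tool it names: the hooking method described above (a jump written over the first bytes of each API function, handing control to handler code in a memory pool inside the host process) leaves a signature a defender can check for. The in-memory entry of an export no longer matches its on-disk copy and starts with a 5-byte relative JMP (opcode E9) whose target lies outside the owning module. The Python below decodes such a jump and classifies entry-point bytes. The addresses, module range and the `mov edi,edi; push ebp; mov ebp,esp` prologue are constructed sample data, not values from the post.

```python
import struct

JMP_REL32 = 0xE9   # x86 "jmp rel32": 1 opcode byte + 4-byte signed displacement

def jmp_target(entry_addr, prologue):
    """Decode a jmp rel32 at the function entry; None if the entry is not such a jump."""
    if len(prologue) < 5 or prologue[0] != JMP_REL32:
        return None
    rel = struct.unpack("<i", prologue[1:5])[0]
    return (entry_addr + 5 + rel) & 0xFFFFFFFF

def make_jmp(entry_addr, target):
    """Encode a jmp rel32 from entry_addr to target (used only to build the sample data)."""
    return bytes([JMP_REL32]) + struct.pack("<i", target - (entry_addr + 5))

def check_entry(entry_addr, in_memory, on_disk, module_range):
    """Classify one export's entry bytes by comparing memory with the on-disk image."""
    if in_memory == on_disk:
        return "clean"
    target = jmp_target(entry_addr, in_memory)
    if target is None:
        return "modified, not a plain jmp"
    lo, hi = module_range
    if lo <= target < hi:
        return f"jmp inside module to {target:#010x}"   # e.g. a vendor patch stub
    return f"inline hook: jmp to {target:#010x} outside module"

def scan(exports, module_range):
    """exports: {name: (entry_addr, in_memory_bytes, on_disk_bytes)} -> {name: verdict}."""
    return {name: check_entry(addr, mem, disk, module_range)
            for name, (addr, mem, disk) in exports.items()}

# Constructed sample: a kernel32-like module "loaded" at 0x7C800000, 0xF6000 bytes long.
# ReadFile is on the hooked-API list above; WriteFile is included as an untouched export.
MODULE_RANGE = (0x7C800000, 0x7C800000 + 0xF6000)
CLEAN_PROLOGUE = b"\x8b\xff\x55\x8b\xec"      # mov edi,edi; push ebp; mov ebp,esp
POOL_HANDLER = 0x00A30000                      # handler in an injected pool, outside the module
SAMPLE_EXPORTS = {
    "ReadFile":  (0x7C80180E, make_jmp(0x7C80180E, POOL_HANDLER), CLEAN_PROLOGUE),
    "WriteFile": (0x7C810E27, CLEAN_PROLOGUE, CLEAN_PROLOGUE),
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_EXPORTS, MODULE_RANGE).items():
        print(f"{name:10s} {verdict}")
```

On a live system the `in_memory` bytes would be read from the loaded module and the `on_disk` bytes from the same export in the file on disk (relocations applied); the comparison itself, and the "target outside the module" test, are what this example shows.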

#5
Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
