A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #16736  by thisisu
 Wed Nov 21, 2012 1:18 am
https://www.virustotal.com/file/b300ed8 ... 353459593/

This .DLL (etypemngr.dll) has proven difficult to delete. I'm no expert at "unloading" a .DLL but what I have noticed is that it is loaded into other executables.
So far, I've seen it being attached to the following processes. And the .DLL cannot be deleted until the processes are stopped.
procexp.exe / procexp64.exe
firefox.exe
etypemngr.exe
WmiPrvSE (C:\Windows\sysWOW64\wbem\wmiprvse.exe)
MGtools (C:\MGtools.exe)
I'm guessing list goes on and on..
What is its trick? Is there a list of processes that it will attach itself to? If so, can someone reveal for others to review?
I'm targetting this type of adware / PUP in my program and would like to be able to fully delete it. The folder with this .DLL is always failing to delete.

I've also noticed that among other registry keys and values that it creates, that a random key is created at HKLM\Software, HKCU\Software, and HKLM\SOFTWARE\Wow6432Node

I think the same number of digits are used each time. In my case, it was 5d0dddbb068b840

Here is the installer for those wanting to experiment. Thanks to EP_X0FF for finding it for me.
What I've noticed is that it doesn't always install its service (eType Manager) nor does it always create the .DLL in %allusersprofile%\eType Manager\...\
I have to install it on a machine that has never had it installed before to get its full effects (this is making analysis take longer for me).

Thanks
Attachments
installer
(480.63 KiB) Downloaded 94 times
pass: infected
(910.14 KiB) Downloaded 67 times
 #16738  by EP_X0FF
 Wed Nov 21, 2012 2:16 am
It uses HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls. Multiple IAT hooks in every process where this dll loaded. Including hooks to protect own registry entry, files so it sort of primitive user mode rootkit.
Code: Select all
[1192]explorer.exe-->kernel32.dll-->LoadLibraryA, Type: IAT Modification 0x010011D4-->022B9540 [etypemngr.dl]
[1192]explorer.exe-->kernel32.dll-->LoadLibraryW, Type: IAT Modification 0x01001254-->022B9590 [etypemngr.dl]
[1192]explorer.exe-->kernel32.dll-->ntdll.dll-->NtCreateFile, Type: IAT Modification 0x7C801008-->022B9770 [etypemngr.dl]
[1192]explorer.exe-->kernel32.dll-->ntdll.dll-->NtOpenFile, Type: IAT Modification 0x7C801014-->022B9700 [etypemngr.dl]
[1192]explorer.exe-->kernel32.dll-->ntdll.dll-->NtQueryInformationFile, Type: IAT Modification 0x7C801018-->022B90A0 [etypemngr.dl]
[1192]explorer.exe-->kernel32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT Modification 0x7C801030-->022B98B0 [etypemngr.dl]
[1192]explorer.exe-->kernel32.dll-->ntdll.dll-->NtClose, Type: IAT Modification 0x7C80103C-->022BC1D0 [etypemngr.dl]
[1192]explorer.exe-->kernel32.dll-->ntdll.dll-->NtQueryValueKey, Type: IAT Modification 0x7C801058-->022BBFC0 [etypemngr.dl]
[1192]explorer.exe-->kernel32.dll-->ntdll.dll-->NtOpenKey, Type: IAT Modification 0x7C80105C-->022BC110 [etypemngr.dl]
[1192]explorer.exe-->kernel32.dll-->ntdll.dll-->NtSetValueKey, Type: IAT Modification 0x7C801064-->022BC030 [etypemngr.dl]
[1192]explorer.exe-->kernel32.dll-->ntdll.dll-->NtCreateKey, Type: IAT Modification 0x7C801068-->022BC0A0 [etypemngr.dl]
[1192]explorer.exe-->kernel32.dll-->ntdll.dll-->NtEnumerateKey, Type: IAT Modification 0x7C8010E8-->022BBEE0 [etypemngr.dl]
[1192]explorer.exe-->kernel32.dll-->ntdll.dll-->NtEnumerateValueKey, Type: IAT Modification 0x7C801194-->022BBF50 [etypemngr.dl]
[1192]explorer.exe-->kernel32.dll-->ntdll.dll-->NtReadFile, Type: IAT Modification 0x7C80119C-->022B9080 [etypemngr.dl]
[1192]explorer.exe-->kernel32.dll-->ntdll.dll-->NtWriteFile, Type: IAT Modification 0x7C8011BC-->022B97F0 [etypemngr.dl]
[1192]explorer.exe-->kernel32.dll-->ntdll.dll-->NtQueryKey, Type: IAT Modification 0x7C8011D0-->022B9060 [etypemngr.dl]
[1192]explorer.exe-->kernel32.dll-->ntdll.dll-->NtDeleteValueKey, Type: IAT Modification 0x7C8011D4-->022BC2A0 [etypemngr.dl]
[1192]explorer.exe-->kernel32.dll-->ntdll.dll-->NtFlushBuffersFile, Type: IAT Modification 0x7C801240-->022B9420 [etypemngr.dl]
[1192]explorer.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT Modification 0x77DC11E0-->022B9590 [etypemngr.dl]
[1192]explorer.exe-->advapi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT Modification 0x77DC1214-->022B9540 [etypemngr.dl]
[1192]explorer.exe-->advapi32.dll-->ntdll.dll-->NtQueryKey, Type: IAT Modification 0x77DC125C-->022B9060 [etypemngr.dl]
[1192]explorer.exe-->advapi32.dll-->ntdll.dll-->NtEnumerateKey, Type: IAT Modification 0x77DC1274-->022BBEE0 [etypemngr.dl]
[1192]explorer.exe-->advapi32.dll-->ntdll.dll-->NtQueryInformationFile, Type: IAT Modification 0x77DC12B0-->022B90A0 [etypemngr.dl]
[1192]explorer.exe-->advapi32.dll-->ntdll.dll-->NtCreateFile, Type: IAT Modification 0x77DC12F0-->022B9770 [etypemngr.dl]
[1192]explorer.exe-->advapi32.dll-->ntdll.dll-->NtWriteFile, Type: IAT Modification 0x77DC12F8-->022B97F0 [etypemngr.dl]
[1192]explorer.exe-->advapi32.dll-->ntdll.dll-->NtReadFile, Type: IAT Modification 0x77DC130C-->022B9080 [etypemngr.dl]
[1192]explorer.exe-->advapi32.dll-->ntdll.dll-->NtFlushBuffersFile, Type: IAT Modification 0x77DC1310-->022B9420 [etypemngr.dl]
[1192]explorer.exe-->advapi32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT Modification 0x77DC1314-->022B98B0 [etypemngr.dl]
[1192]explorer.exe-->advapi32.dll-->ntdll.dll-->NtDeleteValueKey, Type: IAT Modification 0x77DC1344-->022BC2A0 [etypemngr.dl]
[1192]explorer.exe-->advapi32.dll-->ntdll.dll-->NtEnumerateValueKey, Type: IAT Modification 0x77DC1348-->022BBF50 [etypemngr.dl]
[1192]explorer.exe-->advapi32.dll-->ntdll.dll-->NtDeleteKey, Type: IAT Modification 0x77DC1424-->022BC250 [etypemngr.dl]
[1192]explorer.exe-->advapi32.dll-->ntdll.dll-->NtQueryValueKey, Type: IAT Modification 0x77DC1428-->022BBFC0 [etypemngr.dl]
[1192]explorer.exe-->advapi32.dll-->ntdll.dll-->NtSetValueKey, Type: IAT Modification 0x77DC142C-->022BC030 [etypemngr.dl]
[1192]explorer.exe-->advapi32.dll-->ntdll.dll-->NtOpenKey, Type: IAT Modification 0x77DC1448-->022BC110 [etypemngr.dl]
[1192]explorer.exe-->advapi32.dll-->ntdll.dll-->NtCreateKey, Type: IAT Modification 0x77DC144C-->022BC0A0 [etypemngr.dl]
[1192]explorer.exe-->advapi32.dll-->ntdll.dll-->NtOpenFile, Type: IAT Modification 0x77DC148C-->022B9700 [etypemngr.dl]
[1192]explorer.exe-->advapi32.dll-->ntdll.dll-->NtClose, Type: IAT Modification 0x77DC1494-->022BC1D0 [etypemngr.dl]
[1192]explorer.exe-->user32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT Modification 0x7E3612F4-->022B9540 [etypemngr.dl]
[1192]explorer.exe-->user32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT Modification 0x7E361340-->022B9590 [etypemngr.dl]
[1192]explorer.exe-->user32.dll-->ntdll.dll-->NtQueryKey, Type: IAT Modification 0x7E3613F4-->022B9060 [etypemngr.dl]
[1192]explorer.exe-->user32.dll-->ntdll.dll-->NtEnumerateValueKey, Type: IAT Modification 0x7E3613F8-->022BBF50 [etypemngr.dl]
[1192]explorer.exe-->user32.dll-->ntdll.dll-->NtCreateKey, Type: IAT Modification 0x7E361454-->022BC0A0 [etypemngr.dl]
[1192]explorer.exe-->user32.dll-->ntdll.dll-->NtSetValueKey, Type: IAT Modification 0x7E361458-->022BC030 [etypemngr.dl]
[1192]explorer.exe-->user32.dll-->ntdll.dll-->NtDeleteValueKey, Type: IAT Modification 0x7E36145C-->022BC2A0 [etypemngr.dl]
[1192]explorer.exe-->user32.dll-->ntdll.dll-->NtEnumerateKey, Type: IAT Modification 0x7E3614C8-->022BBEE0 [etypemngr.dl]
[1192]explorer.exe-->user32.dll-->ntdll.dll-->NtOpenKey, Type: IAT Modification 0x7E3614CC-->022BC110 [etypemngr.dl]
[1192]explorer.exe-->user32.dll-->ntdll.dll-->NtClose, Type: IAT Modification 0x7E3614D0-->022BC1D0 [etypemngr.dl]
[1192]explorer.exe-->user32.dll-->ntdll.dll-->NtQueryValueKey, Type: IAT Modification 0x7E3614D4-->022BBFC0 [etypemngr.dl]
[1192]explorer.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT Modification 0x77F11084-->022B9540 [etypemngr.dl]
[1192]explorer.exe-->gdi32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT Modification 0x77F110B8-->022B9590 [etypemngr.dl]
[1192]explorer.exe-->gdi32.dll-->ntdll.dll-->NtOpenFile, Type: IAT Modification 0x77F11154-->022B9700 [etypemngr.dl]
[1192]explorer.exe-->gdi32.dll-->ntdll.dll-->NtQueryInformationFile, Type: IAT Modification 0x77F11158-->022B90A0 [etypemngr.dl]
[1192]explorer.exe-->gdi32.dll-->ntdll.dll-->NtOpenKey, Type: IAT Modification 0x77F11194-->022BC110 [etypemngr.dl]
[1192]explorer.exe-->gdi32.dll-->ntdll.dll-->NtQueryValueKey, Type: IAT Modification 0x77F11198-->022BBFC0 [etypemngr.dl]
[1192]explorer.exe-->gdi32.dll-->ntdll.dll-->NtClose, Type: IAT Modification 0x77F1119C-->022BC1D0 [etypemngr.dl]
[1192]explorer.exe-->shell32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT Modification 0x7C9C13E8-->022B9540 [etypemngr.dl]
[1192]explorer.exe-->shell32.dll-->kernel32.dll-->LoadLibraryW, Type: IAT Modification 0x7C9C15A0-->022B9590 [etypemngr.dl]
[1192]explorer.exe-->shell32.dll-->ntdll.dll-->NtCreateFile, Type: IAT Modification 0x7C9C16DC-->022B9770 [etypemngr.dl]
[1192]explorer.exe-->shell32.dll-->ntdll.dll-->NtEnumerateValueKey, Type: IAT Modification 0x7C9C16F4-->022BBF50 [etypemngr.dl]
[1192]explorer.exe-->shell32.dll-->ntdll.dll-->NtOpenKey, Type: IAT Modification 0x7C9C16F8-->022BC110 [etypemngr.dl]
[1192]explorer.exe-->shell32.dll-->ntdll.dll-->NtOpenFile, Type: IAT Modification 0x7C9C1724-->022B9700 [etypemngr.dl]
[1192]explorer.exe-->shell32.dll-->ntdll.dll-->NtQueryInformationFile, Type: IAT Modification 0x7C9C172C-->022B90A0 [etypemngr.dl]
[1192]explorer.exe-->shell32.dll-->ntdll.dll-->NtClose, Type: IAT Modification 0x7C9C1730-->022BC1D0 [etypemngr.dl]
[1192]explorer.exe-->shell32.dll-->ntdll.dll-->NtSetInformationFile, Type: IAT Modification 0x7C9C1734-->022B98B0 [etypemngr.dl]
[1192]explorer.exe-->shell32.dll-->user32.dll-->SetWindowsHookExW, Type: IAT Modification 0x7C9C20F0-->022B94E0 [etypemngr.dl]
[1192]explorer.exe-->wininet.dll-->kernel32.dll-->LoadLibraryW, Type: IAT Modification 0x771A122C-->022B9590 [etypemngr.dl]
[1192]explorer.exe-->wininet.dll-->kernel32.dll-->LoadLibraryA, Type: IAT Modification 0x771A1250-->022B9540 [etypemngr.dl]
[1192]explorer.exe-->ws2_32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT Modification 0x71A910A8-->022B9540 [etypemngr.dl]
[1192]explorer.exe-->crypt32.dll-->kernel32.dll-->LoadLibraryA, Type: IAT Modification 0x77A71190-->022B9540 [etypemngr.dl]
[1192]explorer.exe-->user32.dll-->DialogBoxParamW, Type: Inline - RelativeJump 0x7E3747AB-->022B4430 [etypemngr.dl]
It doesn't check their integrity however, once they are removed it is possible to remove reg entry. The direct syscalls also will work.

This dll can't be unloaded until these hooks are in place, otherwise application will crash. So I think reboot is required.
 #16739  by thisisu
 Wed Nov 21, 2012 3:15 am
Hi,

Thank you for your continued help :)
EP_X0FF wrote:The direct syscalls also will work.
Can you go into more detail on this please?

Any other information that may help? Is it most important to remove the AppInit_DLLs value data first (nulling it) or would you prioritize something else?
 #16741  by rinn
 Wed Nov 21, 2012 4:42 am
Hi.
thisisu wrote:Is it most important to remove the AppInit_DLLs value data first (nulling it) or would you prioritize something else?
As I understand from the log above, this dll intercepts Read/Write to registry keys and you won't be able modify this key in regedit or autoruns. NtSetSecurityObject however is not intercepted. Remove file permissions with cacls/icacls

cacls "path to dll" /e /c /r "Group\UserName" (probably will enough remove current user)

reboot, remove Appinit_Dlls value, revert file permissions

cacls "path to dll" /e /c /g "Group\UserName:F"

delete dll.


Best Regards,
-rin
 #16743  by thisisu
 Wed Nov 21, 2012 5:21 am
Thanks for the additional help (+Rep)

Before I read your responses I noticed the my tool will remove the stubborn .DLL after 3 runs (reboot after each run too).
Not what I want but I guess it's better than nothing.

Also noticed these keys are being stubborn:
Code: Select all
Failed to delete: [Registry Key]"hkey_current_user\software\datamngr"
Failed to delete: [Registry Key]"hkey_current_user\software\datamngr_toolbar"
Failed to delete: [Registry Key]"hkey_local_machine\software\datamngr"
and also that a couple of bad policies are set: DisableTaskMgr and DisableRegistryTools 0x1

reg.exe is not considered a Registry Tool? because it was deleting the other bad keys except for the ones mentioned above even with that policy set.

Why can I delete these keys without any problems using regedit.exe, but not with reg.exe? I get "Error: Access is denied" in reg.exe

Will try to improve :)
 #16898  by Tigzy
 Thu Nov 29, 2012 5:28 pm
Hello

RK log:
¤¤¤ Processus malicieux : 2 ¤¤¤
[SUSP PATH] etypemngr.exe -- C:\Documents and Settings\All Users\Application Data\eType Manager\2.4.897.176\{52de144c-c70b-4e0a-9b16-29a2e18c255e}\etypemngr.exe -> TUÉ [TermProc]
[SUSP PATH] etypemngr.exe -- C:\Documents and Settings\All Users\Application Data\eType Manager\2.4.897.176\{52de144c-c70b-4e0a-9b16-29a2e18c255e}\etypemngr.exe -> TUÉ [TermProc]

¤¤¤ Entrees de registre : 8 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : eType (C:\Documents and Settings\tigzy\Application Data\etype\eType.exe) -> TROUVÉ
[RUN][SUSP PATH] HKUS\S-1-5-21-823518204-842925246-839522115-1003[...]\Run : eType (C:\Documents and Settings\tigzy\Application Data\etype\eType.exe) -> TROUVÉ
[APPINIT][SUSP PATH] HKLM\[...]\Windows : AppInit_DLLs (c:\Documents and Settings\All Users\Application Data\eType Manager\2.4.897.176\{52de144c-c70b-4e0a-9b16-29a2e18c255e}\etypem~1.dll ) -> TROUVÉ
¤¤¤ Entrees de registre : 6 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : eType (C:\Documents and Settings\tigzy\Application Data\etype\eType.exe) -> SUPPRIMÉ
[APPINIT][SUSP PATH] HKLM\[...]\Windows : AppInit_DLLs (c:\Documents and Settings\All Users\Application Data\eType Manager\2.4.897.176\{52de144c-c70b-4e0a-9b16-29a2e18c255e}\etypem~1.dll ) -> REMPLACÉ ()
TaskSTRun snap (notice the IAT hooks and the injected DLL):
Capture.PNG
Capture.PNG (107.12 KiB) Viewed 798 times
LoadAppInitDll is hidden, but AppInit_DLLs is nullify fine.
Sow how does it restart?

EDIT.
Ok, there's a service too
eType Manager
And IB...something

Once the 2 services removed, not more IAT hooks nor processes
No rootkit here, it does only protect the LoadAppInitDll
 #16899  by Tigzy
 Thu Nov 29, 2012 7:32 pm
RK updated.
Nothing left after reboot. definitely not hard to remove
¤¤¤ Processus malicieux : 5 ¤¤¤
[SUSP PATH] etypemngr.exe -- C:\Documents and Settings\All Users\Application Data\eType Manager\2.4.897.176\{52de144c-c70b-4e0a-9b16-29a2e18c255e}\etypemngr.exe -> TUÉ [TermProc]
[SUSP PATH] etypemngr.exe -- C:\Documents and Settings\All Users\Application Data\eType Manager\2.4.897.176\{52de144c-c70b-4e0a-9b16-29a2e18c255e}\etypemngr.exe -> TUÉ [TermProc]
[SUSP PATH] eType.exe -- C:\Documents and Settings\tigzy\Application Data\etype\eType.exe -> TUÉ [TermProc]
[SERVICE] IBUpdaterService -- "C:\Documents and Settings\All Users\Application Data\IBUpdaterService\ibsvc.exe" /SERVICE -> STOPPÉ
[SERVICE] eType Manager -- C:\Documents and Settings\All Users\Application Data\eType Manager\2.4.897.176\{52de144c-c70b-4e0a-9b16-29a2e18c255e}\etypemngr.exe -> STOPPÉ

¤¤¤ Entrees de registre : 5 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : eType (C:\Documents and Settings\tigzy\Application Data\etype\eType.exe) -> SUPPRIMÉ
[Services][BLSVC] HKLM\[...]\ControlSet001\Services\eType Manager (C:\Documents and Settings\All Users\Application Data\eType Manager\2.4.897.176\{52de144c-c70b-4e0a-9b16-29a2e18c255e}\etypemngr.exe) -> SUPPRIMÉ
[Services][BLSVC] HKLM\[...]\ControlSet001\Services\IBUpdaterService ("C:\Documents and Settings\All Users\Application Data\IBUpdaterService\ibsvc.exe" /SERVICE) -> SUPPRIMÉ
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REMPLACÉ (0)
[APPINIT][SUSP PATH] HKLM\[...]\Windows : AppInit_DLLs (c:\Documents and Settings\All Users\Application Data\eType Manager\2.4.897.176\{52de144c-c70b-4e0a-9b16-29a2e18c255e}\etypem~1.dll ) -> REMPLACÉ ()