A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #2016  by Quads
 Mon Aug 16, 2010 9:05 pm
I came up against a problem of the Ramnit sample not being able to install properly, but I get a "services.exe" Windows error shortly after the PC startup or restart.
It's gone as far as "Service: Net Logon Z12 (netlogonz12) - Unknown owner - C:\WINDOWS\system32\lpqs.exe"
No further.

I saw the use of Dr Web here http://forums.spybot.info/showthread.php?t=58812
Seems to have worked: Combofix (latest), MBAM (updated), then Dr Web CureIt to cure DLLs etc.

I see the words "Cured" and "Disinfected" as being able to remove the infection from files, as for Virut.CF, while leaving the file behind without the injection of Virut or Ramnit.
Whereas "Deleted" / "Removed" is where the file is deleted, gone, which means that programs including Windows may not work properly or start up (boot).
Afterwards, though, SFC may start to check system files; I remember this happened after the removal of Virut from .exe's.

Quads
 #2017  by SecConnex
 Mon Aug 16, 2010 9:13 pm
Was Windows File Protection on?
 #2019  by Quads
 Mon Aug 16, 2010 9:42 pm
DragonMaster Jay wrote: Was Windows File Protection on?
Yes WFP is active, SFCDisable is set to 0 instead of 4

Quads
 #2027  by Quads
 Tue Aug 17, 2010 10:41 am
Infected .dll's and .exe's attached as asked for. Small sample.

http://www.virustotal.com/file-scan/rep ... 1282039697

Of note: stop "DesktopLayer.exe" from running. It shows in the Hijackthis process manager as "IEXPLORE.EXE" (I used Hijackthis as a .com file instead of an .exe). Then go to the file location of "DesktopLayer.exe" as quickly as possible, as after some time the process restarts. Delete or rename the file, even just to "Desktop.exe"; that stops the reloading.
Now with Hijackthis you can remove the F2 Winlogon entry.

Do this before running scanners like MBAM, SAS etc., as if the process is running when the scanner is scanning .exe, .dll and htm(l) files, Ramnit will infect these files during the scanning process.

Quads
Attachments
pass: malware
Last edited by EP_X0FF on Tue Jan 03, 2012 3:02 pm, edited 1 time in total. Reason: edit, password added
 #2058  by Quads
 Thu Aug 19, 2010 12:27 am
OK

Dr Web Cure-It does cure / disinfect Ramnit .exe and .dll files successfully; if the user happens to ask for "DesktopLayer.exe" to be cured, Cure-It realises that file actually needs to be deleted (was one of my backup copies).

Cure-It, though, cannot cure the .htm(l) files of the Vscript, and only wants to delete the .htm(l) files instead. Those files are detected as "Trojan.Inor".

Another thing I noticed is in my case no .exe, .dll, or .htm(l) files were infected inside the WINDOWS folder.

Quads
 #2059  by Jaxryley
 Thu Aug 19, 2010 1:03 am
Some extras running the sample from Quads:
DesktopLayer.exe - 29 /42 (69.0%) - MD5 : ec36b344d81b6beb10df020b9d1ad4ff
http://www.virustotal.com/file-scan/rep ... 1282179244

LSLauncherSrv.exe - 38 /41 (92.7%) - MD5 : 8fcd79a7c6017079711add6c4e190e7a
http://www.virustotal.com/file-scan/rep ... 1282179250

5.tmp - 7 /41 (17.1%) - MD5 : 83f53fd6f0784ce257e9d10a7b907211
http://www.virustotal.com/file-scan/rep ... 1282179255
Attachments
pass: malware
Last edited by EP_X0FF on Tue Jan 03, 2012 3:25 pm, edited 1 time in total. Reason: edit, password added
 #2060  by Quads
 Thu Aug 19, 2010 3:13 am
I infected my machine in the real world (not VM or sandboxed), let it do what it wanted for a while, then set about removing the locked service (no one has permission or can give permission), then stopped and removed "DesktopLayer.exe" and the Winlogon entry. Don't use a web browser or open a new tab, as DesktopLayer and the reg entry start up again.

I did this, simply:

1. Downloaded all the programs, installed if needed, and updated them. Now do not use browsers, and take flash drives and CD/DVDs out.
2. Looked at the Hijackthis output. Saw this entry: "Service: Net Logon Z12 (netlogonz12) - Unknown owner - C:\WINDOWS\system32\lpqs.exe" (used Hijackthis as the "Hijackthis.com" executable).
3. Ran Combofix with a script, as Combofix without the script doesn't remove it.

killall::

driver::
netlogonz12

Combofix restarted PC to remove it.

4. Turned off System Restore.

5. Used Hijackthis to stop the browser process that is actually "DesktopLayer.exe". In playing with this step I had either IEXPLORE.EXE or Chrome.exe; you will see by the MBAM entries below that I tested this step 3 times.
Then quickly, before it reloads, renamed "DesktopLayer.exe", after I used Hijackthis to remove the Winlogon entry.

6. Ran a full scan with the updated Malwarebytes.

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Microsoft\Desktop.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft\Desktop1.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft\DesktopLay.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\ExplorerSrv.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
G:\RECYCLER\S-3-1-03-2277013152-6508142413-324572255-2073\oAeaoUSB.exe (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lpqs.exe (Trojan.Agent) -> Quarantined and deleted successfully.

7. Ran a complete scan with Dr Web Cure-It and then had it cure the "W32.Rmnet" entries. It won't cure the .htm(l) entries, but will delete the .htm(l) files.

It hasn't come back in 24+ hours now.

I love using programs people can use for free.

Quads
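Added example, not code from the thread: a small Python triage check for the two Hijackthis indicators described in posts #2027 and #2060, the fake "Net Logon Z12 (netlogonz12)" service pointing at lpqs.exe and the Winlogon (F2) entry that relaunches DesktopLayer.exe. The Hijackthis line layout (O23 service lines, F2 REG:system.ini UserInit lines) is assumed from the quoted output; the sample lines are constructed.

```python
import re

# Hijackthis-style service line as quoted in the thread (layout assumed):
# "Service: Net Logon Z12 (netlogonz12) - Unknown owner - C:\WINDOWS\system32\lpqs.exe"
SERVICE_RE = re.compile(
    r"Service:\s*(?P<display>.+?)\s*\((?P<name>[^)]+)\)\s*-\s*(?P<owner>.+?)\s*-\s*(?P<path>\S.*)$")
# Hijackthis F2 Winlogon line (layout assumed): "F2 - REG:system.ini: UserInit=<value>"
WINLOGON_RE = re.compile(r"^F2\s*-\s*REG:system\.ini:\s*(?P<key>\w+)=(?P<value>.+)$", re.I)

SUSPECT_BINARIES = {"desktoplayer.exe", "lpqs.exe"}   # file names taken from the thread
LEGIT_USERINIT = "userinit.exe"                       # the only normal UserInit component

def basename(path):
    return path.strip().replace("/", "\\").split("\\")[-1].lower()

def check_service(line):
    """Return (service name, path, reasons) for a suspicious service line, else None."""
    m = SERVICE_RE.search(line)
    if not m:
        return None
    display, name, owner, path = (m.group(k).strip() for k in ("display", "name", "owner", "path"))
    reasons = []
    if basename(path) in SUSPECT_BINARIES:
        reasons.append("binary named in the thread")
    # The real service is "Net Logon (Netlogon)"; Ramnit's copy carries a suffix.
    if display.lower().startswith("net logon") and name.lower() != "netlogon":
        reasons.append("imitates the Net Logon service name")
    if owner.lower() == "unknown owner" and reasons:
        reasons.append("no registered owner")
    return (name, path, reasons) if reasons else None

def check_winlogon(line):
    """Return (key, extra components) when UserInit launches more than userinit.exe."""
    m = WINLOGON_RE.match(line.strip())
    if not m:
        return None
    key, value = m.group("key"), m.group("value")
    extras = [p.strip() for p in value.split(",") if p.strip() and basename(p) != LEGIT_USERINIT]
    return (key, extras) if extras else None

def scan(lines):
    """Run both checks over every report line and collect the findings in order."""
    return [f for line in lines for f in (check_service(line), check_winlogon(line)) if f]

SAMPLE = [  # constructed lines modelled on the output quoted in the thread
    r"O23 - Service: Net Logon Z12 (netlogonz12) - Unknown owner - C:\WINDOWS\system32\lpqs.exe",
    r"O23 - Service: Net Logon (Netlogon) - Microsoft Corporation - C:\WINDOWS\system32\lsass.exe",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Program Files\Microsoft\DesktopLayer.exe",
]
```

Running `scan(SAMPLE)` flags only the netlogonz12 service and the DesktopLayer.exe UserInit component; the genuine Net Logon line passes.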
 #2079  by Sneakyone
 Thu Aug 19, 2010 4:38 pm
Hi Quads,

Thanks, I will try those steps when I get another user with it. :)
 #2171  by Quads
 Sat Aug 21, 2010 11:54 pm
The Vscript that is added to htm(l) files is attached.

Quads
Attachments
pass: malware
Last edited by EP_X0FF on Tue Jan 03, 2012 3:27 pm, edited 1 time in total. Reason: edit, password added