Since I ran out of options in hammering the virus, I've decided to take your approach and view videos for tips. I've scanned the HKCU\Software\Microsoft registry entries for any sign of weird rundll32.exe calls, but nothing came up besides calls to DLLs inside C:\Windows\System32. I've decided to look through the %appdata% folders to find something and I think I've found a trail to follow; found in AppData\Roaming\rt1.png with ATTRIB -H -S *.*:
(image is slightly cut off, view image shows the entire thing)
I'll search through the rest of it and see what I can find.
edit: scanning through ATTRIB -H -S *.* once more, I found that APPDATA\Roaming was the only folder that didn't display the "*.* file not found" error even after multiple tries; however, Explorer wasn't showing anything new. Quick Google search: "DIR /AHS" is just like dir but only shows files with both the H and S attributes on. Only one thing showed up, a folder called "System". I enter it, empty... "DIR /AHS" reveals a file by the name of "winlogon.exe", file size 146.432 bytes, created 10/01/2012. SUSPICIOUS A BIT? What to do next? Gonna be sweeping the registry for links to this file in the meantime. Samples of this piece of shit available to anyone who PMs me, I'm not hosting this crap on my website.
edit 2 :
searching through the registry for "System\winlogon.exe" I found 1 key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the name "Update" of type "REG_SZ" with a direct path to the virus. I feel like a fucking idiot considering that is one of the first places that I looked. Herp Derp. I just disabled the key and ran the system normally; it seems to be functioning perfectly normally again, but I'll still look around for any other parts of it. For such a nasty rootkit, it seems too simple to have only 1 file and a run key.
edit 3 :
for anyone who cares, while testing this malicious exe on my home computer, I found that Microsoft Security Essentials cleans this file immediately as soon as it is created. MSE also registered it as Trojan:Win32/Malagent (however this appears to be a category of malicious Trojans, not just this virus).
-- Wed Oct 03, 2012 12:15 am --
Well, system is now clean enough for use. Hard to consider that such a tough piece of malware is so small. I was expecting at least 2 exes and dozens of run keys, but no. Just one of each. Case Closed, I'd like to thank you limdis. If it wasn't for you, I would've given up 4 hours ago and handed it back as is. Lessons learned from this:
1. If the virus never obtained anything higher than user permissions, then it's just a matter of searching for any program that isn't in or doesn't start from Program Files or System32. If I had realized this earlier, I could've finished this ages ago.
2. I actually found 2 registry entries with references to the virus; the second was under [[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]], which seems to be some kind of log for recent run keys, because I found not only a key pointing to the virus but also keys pointing to the backdoor and the scripts to fight the virus which I loaded onto the computer and set run keys for, but have since deleted all of them. Might be of interest to anyone studying the artifacts left by viruses and rootkits.
3. In my search for an unkillable program, I stumbled upon this: RtlSetProcessIsCritical(UInt32 v1, UInt32 v2, UInt32 v3) (look at http://stackoverflow.com/questions/1109 ... le-process ). It is apparently a method for declaring a process more important than the rest of the entire system. It is for some reason a part of the Windows API, but apparently undocumented and highly unsupported. I've seen it accessible from C and C# and I'm sure it's possible to tap into it from other languages. It works in some very weird ways, and I'm not entirely sure how it is supposed to be implemented. It has been warned that attempting to kill a process guarded by this will result in an instant BSoD, something that I have confirmed on my own system by starting such a process and right-click > close. It instantly BSoD'd, but thankfully didn't corrupt my system. C# source code for all who want to play around with it (can cause BSoD, you have been warned):
Code:
    using System;
    using System.Runtime.InteropServices;
    public static class Unkillable
    {
        // Undocumented ntdll export; needs an elevated process, otherwise the flag is silently not set.
        [DllImport("ntdll.dll", SetLastError = true)]
        private static extern void RtlSetProcessIsCritical(UInt32 v1, UInt32 v2, UInt32 v3);
        public static void MakeProcessUnkillable() { RtlSetProcessIsCritical(1, 0, 0); }
        public static void MakeProcessKillable() { RtlSetProcessIsCritical(0, 0, 0); }
        // The Main body is missing from the post; assumed: set the flag, wait, clear it before exiting.
        static void Main(string[] args)
        {
            MakeProcessUnkillable();
            Console.ReadLine();   // killing the process here bugchecks (BSoD), as described above
            MakeProcessKillable();
        }
    }
Please don't judge my terrible C# skills, I've never actually studied C# and getting this to run was painful enough. Compiled using csc.exe version 3.5.
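Lesson 1 above (anything autostarting from outside Program Files or System32 is suspect, and a System32 binary name such as winlogon.exe showing up elsewhere even more so) can be scripted over the output of `reg query` on the Run keys. This is an added example, not code from the post or its author; the sample registry output, the trusted-directory prefixes and the short list of System32-only names are constructed and assumed for the example, and it flags entries for triage rather than declaring them malicious (a user-installed program in AppData will show up too, as the sample shows).

```python
import re

# Where autorun executables normally live (lesson 1 in the post); lowercased prefix match.
TRUSTED_PREFIXES = (r"c:\windows\system32", r"c:\program files")
# System32-only names; a copy elsewhere is a masquerade like the post's winlogon.exe (illustrative).
SYSTEM_BINARY_NAMES = {"winlogon.exe", "svchost.exe", "csrss.exe", "lsass.exe"}
ENV = {"%windir%": r"c:\windows", "%systemroot%": r"c:\windows"}  # REG_EXPAND_SZ; assumes default install

# Constructed sample of `reg query ...\Run` output, not from the infected machine.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Update    REG_SZ    C:\Users\victim\AppData\Roaming\System\winlogon.exe
    OneDrive    REG_SZ    "C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
"""

def extract_exe(data: str) -> str:
    # Run values are either "quoted path" [args] or an unquoted path [args].
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(.+?\.exe)(?=\s|$)", data, re.IGNORECASE)
    return m.group(1) if m else data.split(" ")[0]

def triage(reg_output: str) -> list[dict]:
    # Returns the Run entries worth a closer look, each with the reason it was flagged.
    findings, key = [], None
    for line in reg_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        parts = re.split(r"\s{4,}", line.strip(), maxsplit=2)  # reg query separates columns with 4 spaces
        if len(parts) != 3:
            continue  # blank line, not a value
        name, _vtype, data = parts
        exe = extract_exe(data).lower()
        for var, real in ENV.items():
            exe = exe.replace(var, real)
        reasons = []
        if not exe.startswith(TRUSTED_PREFIXES):
            reasons.append("runs from outside Program Files/System32")
        if exe.rsplit("\\", 1)[-1] in SYSTEM_BINARY_NAMES and not exe.startswith(TRUSTED_PREFIXES[0]):
            reasons.append("system binary name outside System32")
        if reasons:
            findings.append({"key": key, "name": name, "exe": exe, "reasons": reasons})
    return findings
```

On the sample, `triage(SAMPLE)` flags the "Update" entry twice (outside trusted directories and a winlogon.exe outside System32) and OneDrive once, while the two entries under %windir% and Program Files pass.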