Winthb 'Virus' Tied to Backdoor Trojans

From , former About.com Guide

A family of backdoor and autorun trojans is working together to plague users. The malware is configured by the attacker, so the symptoms (and consequences) of an infection vary from victim to victim. In every case, however, an infection by this family should be treated as severe.

One tell-tale sign is a changed name and icon on the C: drive; for example, the volume label may become %$thb$%(C). The component responsible for that change is fairly easy to spot and remove, but too often someone attempting manual removal stops there and leaves the worst component, the actual backdoor, intact.

Typically the infection starts with the original malware dropping itself into the Temp folder. The file name varies; one example is:

C:\Documents and Settings\<username>\Local Settings\Temp\winthb.exe

The malware attempts to load via the Active Setup registry key, an often overlooked AutoStart entry point. Entries under Active Setup are keyed by individual CLSIDs, and each may carry a "StubPath" value naming a file that Windows runs when a user logs on (once for each user account that has not yet recorded that CLSID under its own HKCU Active Setup key). Example Active Setup entries made by the trojans include:

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
{04F4BA85-A3C7-4235-0200-060204060705}
"StubPath" = "%System%\com.exe"

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
{1487F83F-1361-ADB5-0700-050302070504}
"StubPath" = "%SYSDIR%\svchost.exe"

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
{1EC04D97-5F10-DD1B-0306-020403060503}
"StubPath" = "C:\WINDOWS\system32\SecSystem.exe"

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
{2E811653-4F55-1574-0104-010302040505}
"StubPath" = "%SYSDIR%\systio.exe"

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
{49871F1F-14B0-1AB7-CBDE-39CA532B3E2B}
"StubPath" = "%System%\mssn.exe"

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
{F85CE349-A422-9CBD-0000-00C04F79FA66}
"StubPath" = "C:\Program Files\Internet Explorer\shlwapi.exe"

In these entries, %System% and %SYSDIR% stand for the Windows system32 folder. Two of the stubs borrow the names of legitimate Windows components: the real svchost.exe does live in system32, and shlwapi is a real DLL (shlwapi.dll), so no legitimate shlwapi.exe exists. Judge an entry by where its file sits and whether the file is Microsoft-signed, not by its name.

The malware may also load via the traditional Run keys in the registry, or use Run keys to download and execute additional malware. The combined threats may also drop the following trojan components:

C:\WINDOWS\system32\win.dll
C:\WINDOWS\system32\win_socks.exe

These components may also be installed as hidden NTFS alternate data streams (ADS) attached to the root of the system volume or to system folders. An autorun component is generally involved; it drops a malicious autorun.inf (which loads a copy of the trojan) to the root of every mapped and removable drive.

The trojans typically set the hidden attribute on their files and folders, and may block access to the Folder Options menu so that you cannot enable viewing of hidden files and folders. The steps below can help you ferret out the combined trojans used in these attacks:

  1. Create a BartPE recovery CD and use it to boot the infected system.
  2. Search the autostart entry points for signs of the malware loading, paying particularly close attention to the Active Setup registry keys.
  3. Delete the malicious load points and their associated files.
  4. Run a program such as ADS Spy to ferret out any malicious alternate data streams that may be attached.
  5. Search the root of all removable/USB/fixed/mapped drives for an autorun.inf file and delete any autorun.inf files found.
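The following script is an added example, not code from the original article, that automates steps 2 through 5 for the load points described above: it lists Active Setup StubPath entries whose target is missing, unsigned, running from Temp or using a decoy name, named NTFS streams on the volume root and system folders, and autorun.inf at the root of every drive. It assumes PowerShell 3 or later in an elevated session on the infected host; the placeholder substitutions for %System% and %SYSDIR% and the indicator list are this example's own choices, drawn from the entries quoted above.

```powershell
# Added example (not from the original article). Triage of the load points
# the article describes. Assumes PowerShell 3+, elevated, on the infected
# host. From a recovery environment, load the offline hive first
# (reg.exe load HKLM\Offline X:\Windows\System32\config\SOFTWARE) and point
# $ActiveSetupKeys at HKLM:\Offline\Microsoft\Active Setup\... instead.

$ActiveSetupKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components'
)

# Turn a StubPath value into the executable it launches. The trojan's entries
# use the analyst placeholders %System% / %SYSDIR% for system32; legitimate
# entries are usually quoted and carry arguments (e.g. regsvr32.exe /s ...).
function Resolve-StubPath {
    param([Parameter(Mandatory)][string]$StubPath)
    $sys = Join-Path $env:SystemRoot 'system32'
    $p = $StubPath -replace '%System%', $sys -replace '%SYSDIR%', $sys
    $p = [Environment]::ExpandEnvironmentVariables($p).Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
        return $p.Trim('"')
    }
    if (Test-Path -LiteralPath $p -PathType Leaf) { return $p }  # unquoted path with spaces
    return ($p -split '\s+')[0]
}

# Indicators taken from the article: a target in a Temp folder, a decoy name
# (shlwapi is a DLL, never an .exe), a dangling target, or an unsigned file.
# Catalog-signed Windows binaries report 'Valid' on Windows 8 and later; on
# older systems compare the file hash against a clean install instead.
function Test-SuspiciousStub {
    param([Parameter(Mandatory)][string]$Exe)
    $why = @()
    $leaf = [IO.Path]::GetFileName($Exe)
    if ($Exe -match '\\Temp\\') { $why += 'launches from a Temp folder' }
    if ($leaf -ieq 'shlwapi.exe') { $why += 'shlwapi is a DLL; shlwapi.exe is a decoy name' }
    if (-not (Test-Path -LiteralPath $Exe -PathType Leaf)) {
        $why += 'target file missing (dangling load point)'
    } else {
        $sig = Get-AuthenticodeSignature -LiteralPath $Exe
        if ($sig.Status -ne 'Valid') { $why += "not validly signed ($($sig.Status))" }
    }
    return $why
}

function Get-ActiveSetupFindings {
    foreach ($key in $ActiveSetupKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $key) {
            $stub = $sub.GetValue('StubPath')
            if (-not $stub) { continue }
            $exe = Resolve-StubPath $stub
            $why = Test-SuspiciousStub $exe
            if ($why) {
                [pscustomobject]@{
                    CLSID    = $sub.PSChildName
                    StubPath = $stub
                    Target   = $exe
                    Reason   = ($why -join '; ')
                }
            }
        }
    }
}

# Named streams (anything but the default :$DATA) on the volume root, the
# Windows folder and system32, plus their direct children. Zone.Identifier is
# the normal "downloaded from the Internet" mark and is filtered out.
function Get-NamedStreams {
    param([string[]]$Paths = @("$env:SystemDrive\", $env:SystemRoot, (Join-Path $env:SystemRoot 'system32')))
    foreach ($path in $Paths) {
        @(Get-Item -LiteralPath $path -Force) + @(Get-ChildItem -LiteralPath $path -Force -ErrorAction SilentlyContinue) |
            Get-Item -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
            Select-Object FileName, Stream, Length
    }
}

# autorun.inf at the root of every drive visible to this session (fixed,
# removable and mapped). -Force is needed because the trojan hides the file.
function Get-AutorunInf {
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $inf = Join-Path $drive.Root 'autorun.inf'
        if (Test-Path -LiteralPath $inf -PathType Leaf) {
            Get-Item -LiteralPath $inf -Force | Select-Object FullName, Length, Attributes
        }
    }
}

'== Active Setup load points to examine (remove the key and its file together) =='
Get-ActiveSetupFindings | Format-Table -AutoSize -Wrap
'== Named NTFS streams on the volume root and system folders =='
Get-NamedStreams | Format-Table -AutoSize
'== autorun.inf at drive roots =='
Get-AutorunInf | Format-Table -AutoSize
```

The script only reports; removal is deliberate and manual, because a StubPath can also belong to a legitimate installer. Once a finding is confirmed, delete the Active Setup subkey (Remove-Item -LiteralPath on the {CLSID} key, -Recurse) and the file it points at in the same pass, so that neither half is left to re-create the other, and clear any named stream with Remove-Item -Stream on the host file.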

Tip: You can disable autorun.inf processing entirely with the following registry change (save it as a .reg file and import it with regedit):

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

For a full explanation of why this registry hack is necessary to fully prevent autorun worms, see Nick Brown's blog entry on "Memory stick worms".
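The same change applied from PowerShell, with a check that it actually took, as an added example that is not part of the original article. It assumes an elevated PowerShell 3 or later session; the function names are this example's own. The value works because Windows maps INI-file lookups for any file named autorun.inf to the registry key named after the SYS: prefix (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DoesNotExist), and the leading "@" forbids falling back to the file, so the file's contents are never parsed regardless of drive type.

```powershell
# Added example (not from the original article): write the IniFileMapping
# entry for autorun.inf and verify it. Assumes an elevated PowerShell 3+ session.

$Mapping = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$Target  = '@SYS:DoesNotExist'

function Set-AutorunInfMapping {
    if (-not (Test-Path -LiteralPath $Mapping)) {
        New-Item -Path $Mapping -Force | Out-Null
    }
    # Set-Item on a registry key writes its (Default) value, which is what
    # the REGEDIT4 line @="@SYS:DoesNotExist" sets.
    Set-Item -LiteralPath $Mapping -Value $Target
}

function Test-AutorunInfMapping {
    if (-not (Test-Path -LiteralPath $Mapping)) { return $false }
    return ((Get-Item -LiteralPath $Mapping).GetValue('') -eq $Target)
}

Set-AutorunInfMapping
if (Test-AutorunInfMapping) { "autorun.inf mapping in place: $Target" }
else { throw 'mapping was not written; is the session elevated?' }
```

The mapping is keyed by file name, so it covers autorun.inf on every drive at once and needs no per-drive or per-user setting; a missing or altered (Default) value is the thing to check if a reimaged or migrated machine suddenly starts honouring autorun.inf again.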

©2012 About.com. All rights reserved.

A part of The New York Times Company.