The Case of the Missing Task Manager and Registry Editor part II (Windows Advanced ToolKit Malware)
Posted by William Diaz on June 28, 2012
I was originally introduced to this by a co-worker who wanted me to look at someone’s netbook, and I wrote about it here. The malware-scareware program had already been removed from the system, but the damage it had done had been left behind. Cleaning it up manually, though, would not be too difficult. As pointed out, it counters the user’s attempts to stop it by taking advantage of a built-in process that Windows uses for debugging applications, pointing the Task Manager and Regedit to its own fake anti-virus process. Further, it also counters anti-malware utilities and virus security suites by creating reg keys and using the same Debugger string to point to svchost.exe, which is not able to run other executables. The key to getting access to the registry and the task manager directly was to use AutoRuns.
As it happened, a couple of days ago the wife starts complaining that she keeps getting persistent firewall popups. I told her to click allow and let me sleep. Then she mentioned another popup that she says is scanning the system and finding viruses. This sounds like classic scareware, and when I take a look I see this:
I admit, I’m excited. For all the malware out there, I rarely deal with it. I start the analysis by trying to open, you guessed it, the Task Manager, only to be greeted by the same error message I saw 3 weeks ago: “Windows cannot find ‘C:\Windows\system32\taskmgr.exe’…”
I tried to open regedit next, only to see it fail in the same manner. This didn’t bother me, though, since I already knew how it worked. But I didn’t want to immediately start Autoruns. Instead, I wanted to identify the process. I knew from the previous encounter that this malware does not create a reg key in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options for Process Explorer, so I assumed I should be able to start it. Interestingly, nothing happened when I tried to launch it. I could see that the process image did at least try to load, because when Procexp.exe starts on a 64 bit OS it creates procexp64.exe in the same location:
To see if I could work around this, I renamed procexp.exe on the desktop to proc.exe and successfully fired it up.
You can see the fake AV exe goes by the name of Protector-.exe. A random four letter string follows the hyphen, and this variant writes itself to the user’s roaming profile, C:\Users\Username\AppData\Roaming in Vista\Win7 or C:\Documents and Settings\Username\Application Data in XP. It also creates an autorun in HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Additionally, it launches mshta.exe, the Microsoft HTML application host:
I suppose this could be used to launch or download additional programs or run commands by going to a URL that hosts a script. Or it could be a reporting database. Currently the URL only opens a page that says “OK”.
Besides the executable itself, the registry is modified to include hundreds of anti-malware\anti-virus program keys (approx 764 here). In my case, I run Microsoft Security Essentials, which was disabled by creating a key named msseces.exe in Image File Execution Options and pointing it to svchost.exe. Also, if you are running a 64 bit OS, the keys created in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options will also be created in the WOW6432Node key.
Some local files will also be created, but these on their own are harmless. They include:
A result.db file in the same path as the malware executable. These are the fake infection results.
C:\Users\username\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#local\setting.sol. This is a “flash cookie”.
C:\Users\William\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\<RandomFolder>\cmyip_com.htm. This contains the public IP of the affected system.
Knowing this, manual removal is fairly easy:
Start Process Explorer or some other non-Windows process utility. You might need to rename it, as in my case. Kill the Protector-.exe process or any other suspicious process. The description is enough to give it away.
Delete the malware program from the system.
Manually clean up the registry by removing all the .exe keys created in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options. Considering the large number of reg keys created, you might be tempted to just delete the parent key outright. Avoid this, as there are some legit programs in here. A better approach would be to use RegScanner from NirSoft and do a search for the Debugger string along with some other filters. For example:
Then focus on the reg path, select all, and Delete. You will need to run RegScanner as Administrator. Another option is to run a script that cleans up all the reg keys in Image File Execution Options that carry a REG_SZ value named Debugger.
Turn UAC back on if it was set to off.
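The script option from the cleanup step, as an added example that is not part of the original post: it walks both Image File Execution Options keys, lists every Debugger value, and flags only the ones that point at svchost.exe or at a Protector-xxxx.exe image; the `Protector-\w{4}\.exe` pattern and the report-only default are my assumptions, and anything flagged as not suspicious is left for a human to judge.

```powershell
# Added example, not the post's own tooling. Run from an elevated PowerShell prompt.
# Default is report-only; pass -Remove to strip the hijacking Debugger values.
param([switch]$Remove)

# On 64 bit Windows the malware writes both the native and the WOW6432Node key.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

$findings = foreach ($root in $ifeoRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem -Path $root) {
        $debugger = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if (-not $debugger) { continue }
        [pscustomobject]@{
            Key      = $key.PSPath
            Exe      = $key.PSChildName
            Debugger = $debugger
            # svchost.exe cannot launch another executable, so a Debugger pointing at it
            # only serves to block the program; the Protector-xxxx.exe pattern is assumed.
            Suspicious = ($debugger -like '*svchost.exe*') -or ($debugger -match '(?i)Protector-\w{4}\.exe')
        }
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table Exe, Debugger, Suspicious -AutoSize
Write-Host ("Debugger entries: {0}, flagged: {1}" -f @($findings).Count, @($findings | Where-Object Suspicious).Count)

if ($Remove) {
    foreach ($f in $findings | Where-Object Suspicious) {
        # Remove only the Debugger value, then drop the subkey if nothing else is left in it,
        # so a pre-existing legitimate IFEO entry with other settings survives.
        Remove-ItemProperty -Path $f.Key -Name Debugger -Force
        $item = Get-Item -Path $f.Key
        if ($item.ValueCount -eq 0 -and $item.SubKeyCount -eq 0) {
            Remove-Item -Path $f.Key -Force
        }
        Write-Host "Cleaned $($f.Exe)"
    }
}
```

Re-run without -Remove afterwards: the table should show no flagged rows, and taskmgr.exe and regedit.exe should launch normally again.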