Manual Discovery and Removal of Malware – Internet Security 2011-2012
Posted by William Diaz on May 19, 2011
Sometimes you have no choice but to approach malware infestations manually, even when running an AV program. Generally speaking, AV relies on malware definitions to detect threats and, if your definitions are not up-to-date, you can get hit by a Trojan, virus, or worm. Even with up-to-date definitions, you are still open to attack by the latest threats for which signatures do not yet exist. When this happens, you need to manually discover the threat and remove it. Such was the case in an earlier blog post.
In the example here, one of our users was infected during a “drive by” while browsing the Internet. Our enterprise anti-virus failed to detect the threat and manual AV scans of the system failed to remove it since there was no definition for it yet. This is one of several variants of fake anti-virus (Scareware) from the Braviax suite, XP Internet Security 2011, which presents various security window pop-ups and a fake scan:
It also goes by the name of XP Anti-Virus 2011-2012, XP Security 2011-2012, XP Home Security, Windows 7 Internet Security, etc… There is also a flavor of this for Vista and Win7. The article here deals with the XP variant but the removal process should be similar, if not the same.
To start, I avoided logging into the affected workstation. Instead, I navigated via the UNC path and started to browse the common %username% folders where suspicious .exe files place themselves. On an XP operating system you will often find these executables residing in My Documents, …\Application Data\…, or …\Local Settings\Application Data\…:
Examining the properties of rxh.exe (the name can be random) reveals it is trying to pass itself off as Remote Desktop Connection; the real RDC client is mstsc.exe.
After looking in other locations and not finding anything else suspicious, I’m guessing this is the only exe I need to worry about. However, it’s not a simple matter of just deleting the file and making the problem go away. Some malware, especially fake AV, will modify the Windows registry so that launching other applications (e.g. regedit.exe, msconfig.exe) fails and re-launches the malware instead. So even though the exe would no longer reside on the system and would fail to start, so would every other application that relies on the registry to tell Windows how to execute it. This fake AV does just that.
To gauge the impact, I copied rxh.exe to a virtual XP system, opened Process Explorer and Process Monitor, and ran it. There was nothing really remarkable in Process Explorer; it didn’t seem to have any watchdogs (actually, the registry does the job of restarting it) and it didn’t interfere with opening and closing Process Explorer or the Task Manager. I was able to kill the process, but it would start again after starting other legitimate processes.
Next, I looked at the Process Monitor trace. I was primarily interested in registry activity, so I set a filter on rxh.exe and excluded all registry operations except for RegCreateKey and RegSetValue, leaving me with only 255 operations out of 300,000+. For the most part, XP Internet Security 2011 creates two new registry keys, .exe and exefile, in HKCU\Software\Classes\ that associate executables with rxh.exe, so anytime a program is run rxh.exe is started [1]:
There is also a browser intercept involved:
This was the extent of the registry activity and there was nothing remarkable about file activity, minus the fact that a file named t03nh2m4o4am is created when rxh.exe is initially run, which seems to grow in size. Looking inside this file revealed no printable strings and whatever purpose it serves is unknown.
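The same filter the trace was narrowed with (one process, only RegCreateKey and RegSetValue) can be applied to a Process Monitor CSV export after the fact, which is handy when you want to review a trace taken on a user's machine from your own desk. The script below is an added example and is not from the original post; the CSV rows are constructed to mirror what the trace showed (Procmon's default export columns are assumed, and a real export would be read with Import-Csv -Path instead of the here-string). It keeps only the writes that touch the per-user .exe/exefile association or the StartMenuInternet browser commands and prints the data each write stored.

```powershell
# Added example, not from the original post. Constructed sample of a
# Process Monitor CSV export (same column names Procmon writes); replace
# with:  $events = Import-Csv -Path .\trace.csv
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","rxh.exe","1234","RegOpenKey","HKCU\Software\Classes","SUCCESS","Desired Access: Read"
"10:01:02.2","rxh.exe","1234","RegCreateKey","HKCU\Software\Classes\.exe","SUCCESS","Desired Access: All Access"
"10:01:02.3","rxh.exe","1234","RegSetValue","HKCU\Software\Classes\.exe\(Default)","SUCCESS","Type: REG_SZ, Length: 16, Data: exefile"
"10:01:02.4","rxh.exe","1234","RegCreateKey","HKCU\Software\Classes\exefile\shell\open\command","SUCCESS","Desired Access: All Access"
"10:01:02.5","rxh.exe","1234","RegSetValue","HKCU\Software\Classes\exefile\shell\open\command\(Default)","SUCCESS","Type: REG_SZ, Length: 120, Data: ""C:\Documents and Settings\user\Local Settings\Application Data\rxh.exe"" /START ""%1"" %*"
"10:01:02.6","rxh.exe","1234","RegSetValue","HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(Default)","SUCCESS","Type: REG_SZ, Length: 120, Data: ""C:\Documents and Settings\user\Local Settings\Application Data\rxh.exe"" /START ""%1"" %*"
"10:01:03.0","explorer.exe","800","RegQueryValue","HKCR\.exe\(Default)","SUCCESS","Type: REG_SZ, Length: 16, Data: exefile"
'@
$events = $sampleCsv | ConvertFrom-Csv

# The post's filter: one process name, registry writes only.
# (-contains instead of -in so this also runs on the PowerShell 2.0 that XP has.)
$writes = $events | Where-Object {
    $_.'Process Name' -eq 'rxh.exe' -and
    (@('RegCreateKey', 'RegSetValue') -contains $_.Operation)
}

# Keys this family abuses: the per-user .exe / exefile association and the
# StartMenuInternet browser launch commands. Adjust for other families.
$watch = @(
    '^HKCU\\Software\\Classes\\(\.exe|exefile)\b',
    '^HKLM\\SOFTWARE\\Clients\\StartMenuInternet\\'
)
$hits = $writes | Where-Object {
    $p = $_.Path
    ($watch | Where-Object { $p -match $_ })
}

# Show what was written; the Data: field of a RegSetValue is the new value,
# which here is the path of the dropped binary.
$hits | ForEach-Object {
    $data = if ($_.Detail -match 'Data: (.*)$') { $Matches[1] } else { '' }
    '{0,-14} {1}  {2}' -f $_.Operation, $_.Path, $data
}
"$(@($writes).Count) registry writes by rxh.exe, $(@($hits).Count) touching association/browser keys"
```

The extracted Data: field is what you then carry into the cleanup: it tells you the exe's real path (so you know what to delete in the profile) and confirms which browser entries were overwritten.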
With the information captured from the Process Monitor trace, getting rid of XP Internet Security 2011 involves (you must follow this order to avoid the situation described below in footnote 2):
1. Opening the Windows registry and deleting the .exe and exefile subkeys in HKCU\Software\Classes\.
2. Going to HKLM\Software\Clients\StartMenuInternet\IEXPLORE.EXE\Shell\open\command and setting the (Default) REG_SZ value back to “C:\Program Files\Internet Explorer\iexplore.exe”. The same goes for any other browsers in this key.
3. Ending the rxh.exe process (or whatever random process name it is assuming).
4. Going to the location where the program file resided and deleting it (along with t03nh2m4o4am) [2].
Afterwards, reboot, monitor, and look forward to the next encounter with malware. Actually, XP Internet Security 2011 is pretty tame. In fact, if you would rather defeat it with some malware cleaner or anti-virus later, you can live with it temporarily by going into the main window it opens and registering the product with the following code: 1147-175591-6550.
You now have FREE fake anti-virus.
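Because the order of the four steps matters (delete the association keys first, then the browser command, and only then stop the process and delete the file), it is worth scripting them so they cannot be done out of sequence. The script below is an added example and not from the original post: run with no switches it only audits and reports, and with -Remove it carries out the steps in the post's order (-WhatIf shows what it would do). It assumes an elevated PowerShell session on the affected machine, the built-in HKCU:/HKLM: registry drives, that the dropped binary is named in exefile\shell\open\command, and the Internet Explorer path given in the post; other browsers under StartMenuInternet are reported but not rewritten, since their correct paths vary.

```powershell
# Added example, not from the original post. Audit the persistence points
# described above and, with -Remove, undo them in the post's order.
# Usage:  .\Undo-ExeHijack.ps1            audit only
#         .\Undo-ExeHijack.ps1 -Remove    clean up (-WhatIf to preview)
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

$hijackKeys  = 'HKCU:\Software\Classes\.exe', 'HKCU:\Software\Classes\exefile'
$browserRoot = 'HKLM:\Software\Clients\StartMenuInternet'
$ieCommand   = '"C:\Program Files\Internet Explorer\iexplore.exe"'   # path from the post
$suspectExe  = $null

# Step 1: per-user .exe / exefile keys. A clean profile has neither; the
# scareware adds them so every .exe launch runs its own binary first.
$cmdKey = 'HKCU:\Software\Classes\exefile\shell\open\command'
if (Test-Path -LiteralPath $cmdKey) {
    $cmd = (Get-Item -LiteralPath $cmdKey).GetValue('')
    Write-Warning "exefile open command is hijacked: $cmd"
    # First quoted .exe in the command line, e.g. "C:\...\rxh.exe" /START "%1" %*
    if ($cmd -match '"([^"]+\.exe)"') { $suspectExe = $Matches[1] }
}
foreach ($key in $hijackKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    Write-Warning "Per-user association key present: $key"
    if ($Remove -and $PSCmdlet.ShouldProcess($key, 'Delete hijack key')) {
        Remove-Item -LiteralPath $key -Recurse -Force
    }
}

# Step 2: browser intercept. Each subkey is named after the browser binary,
# and its shell\open\command should point at that binary, nothing else.
foreach ($browser in Get-ChildItem -LiteralPath $browserRoot -ErrorAction SilentlyContinue) {
    $name    = $browser.PSChildName
    $openKey = "$browserRoot\$name\shell\open\command"
    if (-not (Test-Path -LiteralPath $openKey)) { continue }
    $cmd = (Get-Item -LiteralPath $openKey).GetValue('')
    if ($cmd -notmatch [regex]::Escape($name)) {
        Write-Warning "$name launch command is hijacked: $cmd"
        if ($name -eq 'IEXPLORE.EXE' -and $Remove -and
            $PSCmdlet.ShouldProcess($openKey, "Restore to $ieCommand")) {
            Set-ItemProperty -LiteralPath $openKey -Name '(default)' -Value $ieCommand
        }
    }
}

# Step 3: only now stop the process, after nothing is left to restart it.
if ($suspectExe) {
    Get-Process | Where-Object { $_.Path -and ($_.Path -ieq $suspectExe) } |
        ForEach-Object {
            Write-Warning "Running: $($_.Path) (PID $($_.Id))"
            if ($Remove -and $PSCmdlet.ShouldProcess($_.Path, 'Stop process')) {
                Stop-Process -Id $_.Id -Force
            }
        }

    # Step 4: delete the dropped binary. Extensionless neighbours (the post's
    # t03nh2m4o4am) are only listed for manual review, never deleted blindly.
    if (Test-Path -LiteralPath $suspectExe) {
        if ($Remove -and $PSCmdlet.ShouldProcess($suspectExe, 'Delete file')) {
            Remove-Item -LiteralPath $suspectExe -Force
        }
        Get-ChildItem -LiteralPath (Split-Path $suspectExe) |
            Where-Object { -not $_.PSIsContainer -and $_.Extension -eq '' } |
            ForEach-Object { Write-Warning "Review extensionless file: $($_.FullName)" }
    }
}
```

Step 2 only rewrites the Internet Explorer entry because that is the one path the post gives; for Firefox or Chrome entries the script prints the hijacked command and leaves the fix to you, since the correct path depends on where that browser is installed.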
If you had an anti-virus program installed, you may notice that it has become disabled and cannot be started. In my latest encounter with a different variant of this on my brother’s Windows 7 system, it seems to have disabled Microsoft Security Essentials. Upon examination, it looks like it deletes the wscsvc key in the Windows registry (along with some other keys I did not identify). This is the Windows Security Center service and MSE will not start without it. The quickest way to restore MSE is to simply reinstall it.
[1] You will also find these values in HKCR\.exe. Don’t worry about these. HKCU\Software\Classes is a pointer to HKCR. When you delete the keys in HKCU\Software\Classes they are also deleted in HKCR.
[2] If you delete the exe file associated with XP Internet Security 2011 first, you will not be able to open the registry on the local machine and edit it. Afterwards, when you restart, the Windows Explorer shell may not load to your desktop. You will need to start it from the Task Manager and point explorer.exe to C:\Windows\explorer.exe.
However, you will not be able to do the same with regedit.exe. To correct that, you can use the remote registry on the affected system and delete the keys in step 1 of the removal process outlined above. When doing this, you do not have access to HKCU; you will instead need to use HKEY_USERS\<SID of the affected user account>\Software\Classes…
If this is not an option, create a .reg file from the text below and import it. This will remove the .exe key created by this scareware. Then run explorer and complete the cleanup by deleting the .exe file and removing the exefile key.

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Classes\.exe]

Alternatively, repair the Windows installation if you are not as technically inclined.