Sunday, January 06, 2008

Trojans, locking and scams, oh my!

This post was originally posted at my Windows Live Spaces blog. [View original post]

Disclaimer: While this post is about something that happens to everybody, it might get a tad too geeky[1]. Continue at your peril.
Note: This account is based on what I remember, and so might be a smidge inaccurate. I only took a few screenshots, and in hindsight I realise I probably should have taken more. Ah well, what's done is done.
I'd also like to note that I don't usually do stuff like this. It just so happens that my bro's computer got a trojan that I needed to manually remove, and I like to tell you guys about my experiences. However, I don't go out looking for nasties just to document them. Such things are best left to the likes of Paperghost and the Sunbelt guy(s).

While I was going to post about this sometime-or-another, what prompted me to do so today was a post I came across in the security-minded Sunbelt Blog with a chillingly familiar screenshot. (You'll see how familiar in a second.) The Sunbelt post is more investigative on the who rather than the what, but it's still an interesting read.

One day in late December, my younger brother Andrew mentioned something like "Windows XP [on his computer] needs to activate". I thought it was odd, as nothing went wrong during activation (I had recently reinstalled it), and I decided I would do something about it the next day.

The next day came, and Andrew called the problem to my attention again. Looking at the screen, I saw the following:


Riiiiiight. Clicky-button probably equals lotsa nasties. This was a trojan horse.

Cleverly, the usual key combinations (<Ctrl>+<Alt>+<Del>, <Ctrl>+<Shift>+<Esc>, <Alt>+<F4>, <Super>+Anything[2]) had been disabled, the only recourse being to reboot your computer or to give in to the program's demands. Note that the keys work fine until the program pops up, suggesting some kind of key-hooking.

So I rebooted into Windows 2000 and scanned the computer for evil stuff with Spybot.


16 nasties found and removed = problem gone, right?

trojan-2 trojan-1-0

Wrong. This time it also popped up with what seemed like an IE shell (selectable text, permanent scroll bar to the right, right-clickyness). Oh, and the spelling! What exactly is "exprited" anyway, death by Sprite? I guess when you drink several bottles in a row, it could get rather dangerows...

OK, enough with the bad puns. During the process of trying-to-beat-the-trojan-at-startup, I discovered that if you open the start menu and leave it open while the program loads, it stays up, thus enabling me to run Windows Explorer, and thus Task Manager, with which I can kill the offending processes (locker.exe and iexplore.exe). Me 1, Trojan 0.

During this, I had noticed two interesting things: The "IE shell" wasn't one at all, but rather Internet Explorer itself, stripped down to its bare bones. If one had his Search sidebar up, it would also appear in the trojan-thingy, and so I had a little fun using it as an actual web browser. Also, once you terminated "locker.exe", the keys listed above would continue to be inoperable. A separate TSR perhaps?

It's registry time! As the trojan had seemingly also removed msconfig, I traversed to HKLM\Microsoft\Software\Windows\CurrentVersion\Shell\Run. Sure enough, we had a key that launched something called "License". So, on a hunch, I looked up App Paths. Bingo! "License" linked to locker.exe. Removing both entries ensured that locker.exe would never darken our startup again. Two for two!

Another interesting thing is that it seems to have eaten the Computer Browser, Security Center and Windows Firewall services. As a result, it can't explore the local network, the computer's wide open and the security center won't tell you about the lack of a firewall.

Of cause, many trojans install themselves into the Windows directory, and so I travelled there and surprise, surprise: locker.exe. Sorting by date revealed two other files created the same day as locker.exe: WinLockDll.dll, and wl.exe. So I moved them to a zip file where they could no longer do no harm (at least, in theory), intending to send them as samples to a security research thingy. With all due respect to Batman, BIFF! BAM! POW!

So, if I'm right, locker.exe uses either wl.exe or WinLockDll.dll to "lock" the computer. It then proceeds to display a screen prompting you to renew your license (the black one), and then launches IE (presumably with arguments that force it to shed most of it's stuff) which shows a (webpage-based) fake anti-whatever downloader. Or something.

trojan-1-3 trojan-1-1 trojan-1-0 trojan-1-2

The webpage in itself is quite interesting. It starts off with a loading graphic (far left). Once the dialog is "loaded", it "attempts" to download some "update files" on a public channel (mid left) with a ridiculously long estimation. It then "fails" (mid-right). The private channel is advertised as being a ridiculously short estimation (35 sec v. two days?) but, of cause, you have to pay for it. A nice touch is that the dialog is moveable (far right).

The whole charade seems to be aimed at those people who frequently download from "free" file hosting services and/or GameSpy's file download site, both of which usually advertise free vs premium accounts, where premium dudes don't have to wait in line and/or get faster servers. Most people will look at it and think "getting in my way, must get rid of it", which, of cause, means "activating" your "account", and won't even look at the rest of the stuff.

So, now we have a de-gunkafied computer, although it looks like I might have to do a repair reinstallation of Windows XP (again). Ah well. Happy new year, and may your days be without malware!


[1] Mandatory disclaimer, as most of the readers of this blog will be my peers in high school.

[2] <Super> is more commonly known as the Windows key.