Dialer hiding from HijackThis

November 11, 2006 on 4:32 pm | In Malware analysis | No Comments

Originally posted Aug 3 2005, 07:29 PM

EGDAccess aka InstantAccess (pusher of p0rn-dialers) have found a way to hide from HijackThis.

I am not yet exactly sure how they do it, but these lines in the log disappeared as soon as the Scan is run with the HijackThis window open, but they do show up if you run HijackThis from the command line (or from a batch)

O4 – HKLM\..\Run: [bvmgarjxy] c:\windows\system32\bvmgarjxy.exe -start

O4 – HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1061.dll,InstantAccess

O16 – DPF: {FA83E942-B796-46DE-9155-1632ECC5473B} – http://akamai.downloadv3.com/binaries/EGDA…ESS_1061_XP.cab

The filename for the Startup is random.

The easiest way of removal is to click Start > Run > type %Windir%\system32\random name once you found it.exe -uninstall > OK
In our example that command would be:

c:\windows\system32\bvmgarjxy.exe -uninstall


Tested the process and ran it from the system32 folder. The file copied itself and started it’s clone. I did not alllow any of the two dll’s it created as well to do anything and the process and startup remained visible for HijackThis.

You have sto start the process from the command prompt with the -start switch to run the executable. Doubleclicking it makes it vanish (except when it is running)
Mosaic1 wrote a script to find the name of the running executable and put that to use together with the -uninstall switch. We are testing a method of removal with this now. Hopefully this will work out.

The uninstall followed by running a BFU script I wrote seems to take care of the infection.

We have reason to believe that a program called Mailskinner is bundling this dialer now.

Thanks to dvk01 for spotting the connection

Investigation reports to follow …

No Comments yet »

RSS feed for comments on this post. TrackBack URI

Leave a comment

XHTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Powered by WordPress with Pool theme design by Borja Fernandez.
Entries and comments feeds. Valid XHTML and CSS. ^Top^