alibaba.com
November 11, 2006 on 9:17 pm | In Malware analysis | 1 CommentOriginally posted Jan 21 2006, 07:55 PM
After I figured out this hijacker I found several people complaining about a svchost.exe in the wrong directory that kept returning and about a Trojan.Downloader being detected that their AntiVirus couldn’t remove.
This malware starts using the ShellExecuteHooks key which does not show up in a HijackThis log.
The involved keys looks like this:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
“{00212521-4FEF-4AD3-B3AA-E0531B8DC123}”=””
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00212521-4FEF-4AD3-B3AA-E0531B8DC123}\InprocServer32]
@=”C:\\WINDOWS\\system32\\usbadpt32.dll”
What happens is that usbadpt32.dll downloads and runs C:\WINDOWS\System32\DirectX\svchost.exe
That file downloads WITBLOG.OCX and/or MSDATGRPS.OCX and places them in the system directory.
The cure:
Download and unzip BFUzip from http://www.merijn.org/files/bfu.zip
Download the BFU script located at this url:
http://metallica.geekstogo.com/alibaba.bfu
and place it in the same folder as BFU.exe
Close as many programs as possible since this script will reboot your computer.
Your taskbar will also disappear during the procedure. This is normal.
Doubleclick BFU.exe to run the program.
Use the folder symbol to find and select the alibaba.bfu you have downloaded.
Execute the script by clicking the Execute button.
If you have any questions about the use of BFU please read here:
http://metallica.geekstogo.com/BFUinstructions.html
For those unable to download the script, copy the code in the block below into notepad and save it as alibaba.bfu in the same folder as BFU.exe
Set Filetype to “all files”
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{00212521-4FEF-4AD3-B3AA-E0531B8DC123}
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks|{00212521-4FEF-4AD3-B3AA-E0531B8DC123}
OptionUnloadShell
FileDelete %SYSDIR%\usbadpt32.dll
FileDelete %SYSDIR%\DirectX\svchost.exe
FileDelete %SYSDIR%\WITBLOG.OCX
FileDelete %SYSDIR%\MSDATGRPS.OCX
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{09F59435-7814-48ED-A73A-96FF861A91EB}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{0C588F7D-A2B3-4001-B59B-D856C1BF3AD7}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{850B69E4-90DB-4F45-8621-891BF35A5B53}
RegDeleteKey HKLM\SOFTWARE\Classes\Interface\{42CB709C-A1D6-4C3A-9F9C-B077FF86A760}
RegDeleteKey HKLM\SOFTWARE\Classes\Interface\{63C8AF31-AD6E-417C-BF8B-48B96E95DC25}
RegDeleteKey HKLM\SOFTWARE\Classes\Interface\{AB44756F-FCE0-454D-AF29-930B89BB44D2}
RegDeleteKey HKLM\SOFTWARE\Classes\TypeLib\{448F1BD5-C41A-4551-83CF-8CD2309ABC66}
RegDeleteKey HKLM\Classes\AlibabaIEToolBar.AlibabaButton
RegDeleteKey HKLM\SOFTWARE\Classes\AlibabaIEToolBar.AlibabaButton.1
RegDeleteKey HKLM\SOFTWARE\Classes\AlibabaIEToolBar.AlibabaSearchBar
RegDeleteKey HKLM\SOFTWARE\Classes\AlibabaIEToolBar.AlibabaSearchBar.1
RegDeleteKey HKLM\SOFTWARE\Classes\AlibabaIEToolBar.ShowBarObject
RegDeleteKey HKLM\SOFTWARE\Classes\AlibabaIEToolBar.ShowBarObject.1
RegDeleteKey HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{09F59435-7814-48ED-A73A-96FF861A91EB}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{09F59435-7814-48ED-A73A-96FF861A91EB}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{13b0c05c-ef05-4bf6-b0ea-f6111af25544}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{850B69E4-90DB-4F45-8621-891BF35A5B53}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Alibaba Toolbar
RegDeleteKey HKLM\SOFTWARE\Ablibaba
FolderDelete %SYSDIR%\alitb
FolderDelete %SYSDIR%\alitb1
FolderDelete %SYSDIR%\alitb2
FolderDelete %SYSDIR%\alitb3
SystemRestart Let the computer reboot now|1
1 Comment »
RSS feed for comments on this post. TrackBack URI
Leave a comment
Powered by WordPress with Pool theme design by Borja Fernandez.
Entries and comments feeds.
Valid XHTML and CSS. ^Top^
Originally posted May 31 2006, 06:52 PM
The script was updated after a new variant was found by Erik of http://www.hijackthis.nl
Norman Sandbox said:
Norman Scanner Engine 5.90. 7
Sandbox 05.90, dated 23/04-2006
orthnapp.exe : Not detected by sandbox (Signature: W32/DLoader.RQT)
[ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO – REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File might be compressed.
* Decompressing Petite.
* File length: 3565 bytes.
* MD5 hash: ef5db03a6e174ca15f4eb39ecd267188.
[ Changes to filesystem ]
* Creates file outhera.exe.
* Creates file northwist.dta.
[ Network services ]
* Downloads file from {Obfuscated} as outhera.exe.
* Downloads file from {Obfuscated} as northwist.dta.
[ Signature Scanning ]
* C:\WINDOWS\outhera.exe (4096 bytes) : no signature detection.
* C:\WINDOWS\northwist.dta (4096 bytes) : no signature detection.
File downloaded from {Obfuscated} – recognized as type PE_I386
orthnapp.exe_Download.tmp : Not detected by sandbox (Signature: NO_VIRUS)
[ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO – REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File length: 192512 bytes.
* MD5 hash: a8e008f116e56bcdc14eaa6f2a176586.
[ Changes to system settings ]
* Creates WindowsHook monitoring cbt activity.
© 2004-2006 Norman ASA. All Rights Reserved.
The material presented is distributed by Norman ASA as an information source only.
Comment by metallica — November 11, 2006 #