Full Version: SpySheriff HIJACK !
Moore
SpySheriff Hijack:

OK, so we know SpywareNo and SpySheriff are the exact same program, only with a different name now.

Spyware Blog:
http://netrn.net/spywareblog/archives/2005...eno-has-a-twin/

Lavasoft Research:
http://www.lavasoftresearch.com/spywareno.shtml

Just a few of the most recent additions to the excellent spywarewarrior rogues gallery:
http://www.spywarewarrior.com/family_resemblances.htm#15

Well, here's a closer look at the hijack methods they use to infect unprotected people with their junk and try to trick them into buying a program to fix the infection that was caused by the installation of their program, not to mention the trojans that come with it.

Looks extremely similar to the SearchTerror hijack logged by the Webhelper here:
http://www.webhelper4u.com/CWS/Research/sc...rordesktop.html


Thanks to the Webhelper for his help with the hijack links.

You will need to log in if you want to see the hijack pics on the page instead of clicking on and opening each one.

These are the results of the second infestation log:

-----------------
File details:
-----------------

C:\WINDOWS\System\svchost.exe
C:\WINDOWS\System\svchost.dll
C:\WINDOWS\System\svchosthook.dll
C:\WINDOWS\System\loader.dll
C:\WINDOWS\System32\web.exe
C:\WINDOWS\System32\kernels32.exe
C:\winstall.exe

------------------------
files in system32 folder:
------------------------

web.exe
vxgame4.exe
thun32.dll
thun.dll
vxgame3.exe
init32m.exe
vxgame1.exe
maxd.exe
vx.tll
vxh8jkdq7.exe
bre32.dll
bre.dll - http://www.sophos.com/virusinfo/analyses/trojdloaderof.html
vxh8jkdq6.exe
vxh8jkdq5.exe
vxh8jkdq2.exe
vxh8jkdq8.exe
vxh8jkdq1.exe
sys3157.exe
rundll32.exe



---------
Trojan Files identified with TDS-3:
---------

Scan Control Dumped @ 13:44:57 05-06-05
RegVal Trace: RAT.Glacier: HKEY_LOCAL_MACHINE
File: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[ WindowsUpdate=C:\WINDOWS\System\svchost.exe /s ]

Positive identification (DLL): RAT.Agent.iw1 (dll)
File: c:\windows\system\svchost.dll

Positive identification (DLL): RAT.Agent.iw2 (dll)
File: c:\windows\system\svchosthook.dll

Positive identification (embedded in file): TrojanDownloader.Win32.Agent.ho4
File: c:\windows\system32\init32m.exe

Positive identification: TrojanDownloader.Win32.Agent.ho4
File: c:\windows\system32\init32m.exe

Positive identification: TrojanDownloader.Win32.Small.aqu
File: c:\windows\system32\kernels32.exe

Positive identification (DLL): TrojanProxy.Win32.Small.bk2 (dll)
File: c:\windows\system32\thun32.dll

Positive identification: TrojanDropper.Win32.Small.wv1
File: c:\windows\system32\vxgame1.exe

Positive identification (embedded in file): TrojanDownloader.Win32.Agent.ho4
File: c:\windows\system32\vxgame3.exe

Positive identification: TrojanDownloader.Win32.Agent.ho4
File: c:\windows\system32\vxgame3.exe

Positive identification: TrojanDropper.Win32.Small.wp1
File: c:\windows\system32\vxh8jkdq1.exe

Positive identification: Hoax.Win32.Renos.a1
File: c:\windows\system32\vxh8jkdq2.exe

Positive identification: TrojanDownloader.Win32.Small.aqu
File: c:\windows\system32\vxh8jkdq6.exe

Positive identification: TrojanDownloader.Win32.Small.aqu
File: c:\windows\system32\vxh8jkdq7.exe

Positive identification: TrojanDropper.Win32.Small.wp1
File: c:\windows\system32\vxh8jkdq8.exe

Positive identification: TrojanDownloader.Win32.Small.aqu
File: c:\windows\system32\web.exe

------------------------------------------------------------------------------

Hidden svchost.exe system trojan:

= 04 - HKLM\..\Run: [Windows Update] C:\WINDOWS\System\svchost.exe /s

Name: WindowsUpdate
Type: Machine Startup
Path: c:\windows\system\svchost.exe
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
= C:\WINDOWS\System\svchost.dll -
= C:\WINDOWS\System\svchosthook.dll - terminates / denies program execution

Seems to be mostly covered on this Symantec page:
http://securityresponse.symantec.com/avcen...r.shellbot.html

Well, the svchosthook.dll hooks into all running processes from what I could see, and it prevents any new processes from running, including SpySheriff lol, which tried to run and crashed.

It even killed my RegRun process manager...

If any one of my security programs wasn't already running then it was useless, it just wouldn't start. Some that were already running wouldn't work properly until I killed svchosthook.dll.

HijackThis could scan but would crash trying to save a log each time.

svchosthook.dll wasn't a hidden file so I could find it easily. I unloaded the .dll from most processes that it was hooked into and all my programs were working again. 8)

Then I removed the hidden, system and read-only attributes from the svchost.exe and .dll files before I could get a copy and then kill them.

The svchost.exe I had to delete on reboot, couldn't kill it any other way.

They kill the Task Manager and hosts file really easily.

----------------

= 04 - HKCU\..\Run: [Windows installer] C:\winstall.exe

Inside the winstall.exe file is the desktop hijack HTML file:

---------------------------------------------------------



html
head
title SYSTEM STOPPED title
script lagnuage javascript

SYSTEM STOPPED

System has been stopped due to a serious malfunction. Spyware activity has been detected.

It is recommeded to use spyware removal tool to prevent data loss.<br>
Do not use the computer before all spyware removed.

GET /trial.php?rest=%u&ver=%u&a=00000002 HTTP/1.0
Host: www.spysheriff.com
69.50.170.83
GET /notifydownload.php?a=00000002 HTTP/1.0
Host: www.spysheriff.com
WallpaperLocalFileTime
WallpaperFileTime
ComponentsPositioned
TileWallpaper
WallpaperStyle
SOFTWARE\Microsoft\Internet Explorer\Desktop\General
Wallpaper
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
ForceActiveDesktopOn
ClassicShell
NoDesktop
NoActiveDesktop
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoHTMLWallPaper
NoEditingComponents
NoDeletingComponents
NoAddingComponents
NoComponents
NoChangingWallpaper
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
%s\desktop.html
C:\Program Files\SpySheriff\SpySheriff.dvm
C:\Program Files\SpySheriff\%s
C:\Program Files\SpySheriff
C:\Program Files
Windows installer
C:\winstall.exe
SNInstall
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
C:\Program Files\SpySheriff\SpySheriff.exe
C:\Program Files\SpywareNo\SpywareNo.exe


----------------------

= 04 - HKCU\..\Run: [SpySheriff] C:\Program files\SpySheriff\SpySheriff.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpySheriff
[Applications] SpySheriff=C:\Program Files\SpySheriff\Uninstall.exe

-----------------------

= C:\Windows\System\Loader.dll : LModule0002

Name: Loader Class
Type: BHO
Path: c:\windows\system\loader.dll
Registry: {2E246FAE-8420-11D9-870D-000C2917DE7F}

-----------------------

Once the SpySheriff program is installed, clicking on anything in the program will bring up a prompt to buy the program...

- hxxp://www.spysheriff.com/license.php?

It even says it offers an application firewall as part of the features lol.

-----------------------

And shortly after, the popups start to appear, identical to SpywareNo:

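As an added illustration (not code from the post), a Python check for the HKCU Active Desktop and Explorer policy values that the winstall.exe string dump above names, written from the clean-up side: it reports which lock-down policies are switched on and whether the wallpaper has been pointed at an HTML file. The registry snapshot embedded in it is constructed sample data, and `read_policy_snapshot` is a hypothetical helper that reads the same keys with `winreg` on a live Windows host.

```python
# Added example (not from the post): audit the HKCU policy values that the
# winstall.exe string dump shows SpySheriff touching for its desktop hijack.
DESKTOP_POLICY_KEYS = {
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System":
        ["NoDesktop", "NoActiveDesktop", "ForceActiveDesktopOn", "ClassicShell"],
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer":
        ["NoHTMLWallPaper", "NoEditingComponents", "NoDeletingComponents",
         "NoAddingComponents", "NoComponents", "NoChangingWallpaper"],
}
WALLPAPER_KEY = r"SOFTWARE\Microsoft\Internet Explorer\Desktop\General"

def audit_desktop_policies(snapshot):
    """Return findings for a snapshot mapping key path -> {value name: data}."""
    findings = []
    for key, names in DESKTOP_POLICY_KEYS.items():
        for name in names:
            if snapshot.get(key, {}).get(name) == 1:  # policy switched on
                findings.append(f"{key}\\{name} = 1 (desktop lock-down policy)")
    # An Active Desktop wallpaper that is an HTML file is how the fake
    # "SYSTEM STOPPED" page gets painted over the desktop.
    wallpaper = str(snapshot.get(WALLPAPER_KEY, {}).get("Wallpaper", ""))
    if wallpaper.lower().endswith((".htm", ".html")):
        findings.append(f"Wallpaper is an HTML file: {wallpaper}")
    return findings

def read_policy_snapshot():
    """Hypothetical helper: read the same keys from HKCU on a live Windows host."""
    import winreg  # stdlib, Windows only
    snapshot = {}
    for key in [*DESKTOP_POLICY_KEYS, WALLPAPER_KEY]:
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key) as handle:
                count = winreg.QueryInfoKey(handle)[1]  # number of values
                snapshot[key] = dict(winreg.EnumValue(handle, i)[:2] for i in range(count))
        except OSError:
            continue  # key absent: nothing to report for it
    return snapshot

# Constructed snapshot of a hijacked profile (sample data, not from the post).
SAMPLE_HIJACKED = {
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System":
        {"NoActiveDesktop": 0, "ForceActiveDesktopOn": 1},
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer":
        {"NoChangingWallpaper": 1, "NoComponents": 1},
    WALLPAPER_KEY: {"Wallpaper": r"C:\Program Files\SpySheriff\desktop.html"},
}
```

On a Windows host, `audit_desktop_policies(read_policy_snapshot())` runs the same check against the real registry.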
------------------------
Moore
First infestation log:


Webhelper's SearchTerror hijack logs:
http://webhelper4u.com/CWS/Research/screen...rordesktop.html

Other similar logs:
http://forums.spywareinfo.com/index.php?showtopic=49303

===========

The Task Manager is disabled completely [greyed out], hosts file overwritten, Internet Explorer is just dead, and the whole system basically feels like it's about to die.

@@@@@@@@@@@@@@@

Sites Involved:

@@@@@@@@@@@@@@@


05/04/2005 03:19:22 hxxp://69.50.190.131/?to=nan11&from=in

calls:
qwe.porn-host.org/5.html

calls:
www. vxiframe.biz 66.197.161.149
bestcounter.biz 195.95.218.171
www. globolook.com 69.50.165.243
5sec.info 195.225.176.26
troyanov.net 69.31.91.188
evker.com 66.246.226.171
bn.inf3ct3d.info 72.9.248.118
static.topconverting.com 193.138.228.17

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Links involved:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@




During all that I had a connection to SpySheriff:

VMNAT.EXE 69.50.170.83 www .spysheriff.com 3320 HTTP VMNAT HTTP Rule #1 OUT TCP 253.8 KB 83 Bytes 3:24:20 AM

05/04/2005 03:24:20 Vxh8jkdq2.exe URL hxxp://w.w.w.spysheriff.com/trial.php?rest=0&ver=1241772&a=00000002
05/04/2005 03:24:20 Vxh8jkdq2.exe REQUEST ARG HOST www. spysheriff.com
05/04/2005 03:24:20 Vxh8jkdq2.exe REQUEST (v1.0) GET /trial.php?rest=0&ver=1241772&a=00000002


05/04/2005 03:28:10 Run a DLL as an App URL hxxp://5sec.info/report/ind.php?p=54110736&uid=860187833602&aid=2
05/04/2005 03:28:19 Run a DLL as an App URL hxxp://5sec.info/report/sox.php
05/04/2005 03:30:53 Vxh8jkdq6.exe URL hxxp://vxiframe.biz/tool/tool1.exe
05/04/2005 03:30:55 Vxh8jkdq6.exe URL hxxp://vxiframe.biz/tool/tool2.exe
05/04/2005 03:31:18 Vxh8jkdq7.exe URL hxxp://vxiframe.biz/vxgame/game1.exe
05/04/2005 03:31:56 Vxgame3.exe URL hxxp://evker.com/work/myurl.txt
05/04/2005 03:31:57 Vxgame3.exe URL hxxp://evker.com/s.exe


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


Logfile of HijackThis v1.99.1
Scan saved at 03:58:36, on 05/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\system32\web.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\vxgame3.exe
C:\WINDOWS\System32\vxgame4.exe
C:\WINDOWS\System32\vxgame4.exe
C:\WINDOWS\System32\vxgamet2.exe
C:\WINDOWS\System32\vxgame3.exe
C:\WINDOWS\System32\vxgame4.exe
C:\WINDOWS\System32\vxgame4.exe
C:\Security\Hijack This\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe init32m.exe

O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\vxh8jkdq2.exe

O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)

System froze , had to reboot.

===========
Other Files:
===========

web.exe
bre.dll


svchost.exe trojan in the system folder:

C:\WINDOW\SYSTEM\SVCHOST.EXE


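Added example, not from the post: a small Python triage pass over HijackThis-format lines that flags the autostart tricks visible in the log above (a program chained onto the system.ini Shell= line, an svchost.exe lookalike outside System32, a RunServices autostart) and every O15 Trusted Zone addition. The embedded log excerpt is a constructed sample mirroring lines from the post, and `parse_hjt` and `triage` are names chosen here.

```python
import re

# Constructed excerpt in HijackThis v1.99.1 format, mirroring lines from the
# log above (sample data for this example, not the full log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
F2 - REG:system.ini: Shell=Explorer.exe init32m.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\System32\vxh8jkdq2.exe
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted IP range: 67.19.178.84 (HKLM)
"""

ITEM_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def parse_hjt(text):
    """Return (section, body) pairs for the item lines of a HijackThis log."""
    items = []
    for line in text.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:
            items.append((m.group("sec"), m.group("body")))
    return items

def triage(text):
    """Flag the autostart and zone tricks seen in this infection: (sec, reason, body)."""
    findings = []
    for sec, body in parse_hjt(text):
        if sec == "F2" and "Shell=" in body:
            # Shell= should be exactly Explorer.exe; anything chained after it starts with the shell.
            if body.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
                findings.append((sec, "extra program chained to Shell=", body))
        elif sec == "O4":
            m = O4_RE.match(body)
            if not m:
                continue
            exe = m.group("cmd").split()[0].lower()
            if exe.endswith("\\svchost.exe") and "\\system32\\" not in exe:
                # Real svchost.exe lives in System32; the copy under \WINDOWS\System\ is the lookalike.
                findings.append((sec, "svchost.exe lookalike outside System32", body))
            elif m.group("key").lower() == "runservices":
                # RunServices is a Windows 9x key; rarely populated legitimately on XP.
                findings.append((sec, "RunServices autostart on Windows XP", body))
        elif sec == "O15":
            # Every Trusted Zone / Trusted IP entry relaxes IE security for that host.
            findings.append((sec, "host added to IE Trusted Zone", body))
    return findings
```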