New Trojan?

mrozner
Just Arrived
Joined: 05 Jul 2004
Posts: 0

Posted: Sat Feb 28, 2009 5:08 pm    Post subject: New Trojan?

Has anybody been infected by this trojan yet?

bifupade.dll

I got smacked last night, despite a full and updated Trend Micro Internet Security 2009. A popup said

"your system is infected. click ok to start disinfecting"

and stupidly I clicked the close X (I should have used task manager to kill off all IE windows).

I started getting IE window popups shortly thereafter. Looking at Windows/System32, I saw a number of dll files newly installed.

Went to Hijack. Hijack saw a bunch of stuff that did not belong, although I did not save the log. Even in safe mode and manual delete on reboot, I could not clean this.

Although "zobuyare" was another one of the bad guys that I was able to delete with Hijack, stuff kept coming back, even with safe mode and delete on reboot.

Most searches were dead ends, but zobuyare was found on a Netherlands HijackThis forum (1/12/09)

h**p://www.hijackthis.nl/forum/viewtopic.php?p=146568&sid=b840416e46553a28fefcac02cde84750

which had a reference to Malwarebytes. I downloaded Malwarebytes' Anti-Malware, which reported:

FIRST LOG

Quote:

Malwarebytes' Anti-Malware 1.34
Database version: 1812
Windows 5.1.2600 Service Pack 3

2/27/2009 9:19:44 PM
mbam-log-2009-02-27 (21-19-44).txt

Scan type: Quick Scan
Objects scanned: 64622
Time elapsed: 4 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 8
Registry Values Infected: 4
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\lovafufu.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{055703e6-33c1-4f84-b25e-ca5712962345} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{055703e6-33c1-4f84-b25e-ca5712962345} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mefupiyino (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmf318f722 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\lovafufu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\lovafufu.dll -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\lovafufu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\mazuguhu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Needless to say, even with reboot and safe mode, some stuff reappeared.
I ran a Symantec VUNDO cleaner. Took all night, reported no trojans, but stuff was still present. In retrospect, it might have been old.

Went to safe mode, ran Malwarebytes, and got this log:

Quote:

Malwarebytes' Anti-Malware 1.34
Database version: 1812
Windows 5.1.2600 Service Pack 3

2/28/2009 6:19:07 AM
mbam-log-2009-02-28 (06-19-07).txt

Scan type: Quick Scan
Objects scanned: 62502
Time elapsed: 1 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\bifupade.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{055703e6-33c1-4f84-b25e-ca5712962345} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{055703e6-33c1-4f84-b25e-ca5712962345} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mefupiyino (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\bifupade.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\bifupade.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\bifupade.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\bifupade.dll (Trojan.Vundo.H) -> Delete on reboot.


Immediately booted UBCD4Win, and I deleted these keys. Searched the "registry" (limited foreign registry search on UBCD) for all terms and found bifupade.dll embedded into a Winlogon Notify key where it did not belong. I deleted that as well. I deleted all files in my personal TEMP directory on my hard drive as well as all files in the IE Temp directory.

On full restart, I now have a clean machine.

Quote:

Malwarebytes' Anti-Malware 1.34
Database version: 1812
Windows 5.1.2600 Service Pack 3

2/28/2009 8:20:43 AM
mbam-log-2009-02-28 (08-20-43).txt

Scan type: Quick Scan
Objects scanned: 64456
Time elapsed: 3 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


While I caution folks about doing their own registry edits (I have a full Ghost backup of this 500 GB hard drive from last Friday, which I could have used), I am concerned that neither HijackThis nor Malwarebytes could eradicate this virus, Symantec had a VUNDO cleaner that did not find this stuff, and the infection got past my Trend installation.

In addition, none of the file names can be found on Google, except for the one lucky hit on zobuyare.
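The three logs quoted above share one format, and what matters for cleanup is not the detection names but the autostart locations each DLL is wired into (AppInit_DLLs, the Run key, the BHO CLSID, SharedTaskScheduler, SSODL, LSA Notification Packages, Winlogon Notify). The following triage helper is an added example, not the poster's code and not a Malwarebytes tool: it parses the MBAM 1.x log format, maps each autostart mechanism to the DLL or value it references, and lists the items the scanner could only mark "Delete on reboot". The sample log is constructed from lines quoted in the scans above; the mechanism labels and function names are this example's own.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x logs in the format quoted
in this thread. Added example: not the poster's code and not a Malwarebytes
tool. SAMPLE_LOG is constructed from lines quoted in the scans above."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

SAMPLE_LOG = r"""
Memory Modules Infected:
c:\WINDOWS\system32\lovafufu.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{055703e6-33c1-4f84-b25e-ca5712962345} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mefupiyino (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\lovafufu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\bifupade.dll -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\lovafufu.dll (Trojan.Vundo.H) -> Delete on reboot.
"""

@dataclass
class Finding:
    section: str         # e.g. "Registry Data Items Infected"
    path: str            # file path or registry key/value
    threat: str          # e.g. Trojan.Vundo.H
    data: Optional[str]  # payload of a "Registry Data Items" entry, if any
    action: str          # what the scanner did with it

# Autostart locations seen in the thread's logs, matched as case-insensitive
# substrings of the registry path; the labels are this example's own wording.
PERSISTENCE = {
    "appinit_dlls": "AppInit_DLLs (loaded into every process that maps user32.dll)",
    "\\run\\": "Run key autostart",
    "browser helper objects": "Internet Explorer Browser Helper Object",
    "sharedtaskscheduler": "Explorer SharedTaskScheduler",
    "shellserviceobjectdelayload": "Explorer ShellServiceObjectDelayLoad",
    "notification packages": "LSA Notification Packages (loaded by lsass.exe)",
    "winlogon\\notify": "Winlogon Notify package",
}
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
HEAD_RE = re.compile(r"^(.+) \(([^()]+)\)$")  # "<path> (<threat>)"
DLL_RE = re.compile(r"[\w-]+\.dll", re.IGNORECASE)

def parse_log(text: str) -> List[Finding]:
    findings: List[Finding] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        # Item lines always carry " -> <action>"; the header block (versions,
        # counts, elapsed time) never does and is skipped here.
        parts = [p.strip() for p in line.split(" -> ")]
        hm = HEAD_RE.match(parts[0])
        if section is None or len(parts) < 2 or not hm:
            continue
        data = next((p[len("Data: "):] for p in parts[1:-1]
                     if p.startswith("Data: ")), None)
        findings.append(Finding(section, hm.group(1), hm.group(2), data,
                                parts[-1].rstrip(".")))
    return findings

def persistence_map(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Autostart mechanism -> DLL names it references (or the value/key name
    when the log shows no DLL, as with the Run entry)."""
    result: Dict[str, Set[str]] = defaultdict(set)
    for f in findings:
        lowered = f.path.lower()
        if not lowered.startswith("hkey_"):
            continue
        for needle, label in PERSISTENCE.items():
            if needle in lowered:
                names = DLL_RE.findall(f.data or "") or [f.path.rsplit("\\", 1)[-1]]
                result[label].update(n.lower() for n in names)
    return dict(result)

def pending_reboot(findings: List[Finding]) -> Set[str]:
    """Paths the scanner could not remove live. A DLL in AppInit_DLLs is mapped
    into nearly every process and stays locked until reboot."""
    return {f.path.lower() for f in findings if f.action == "Delete on reboot"}

def locked_dlls_with_autostart(findings: List[Finding]) -> Set[str]:
    """DLLs both still loaded and wired into an autostart location: the ones
    to confirm gone, file and registry, after the reboot."""
    locked = {n.lower() for p in pending_reboot(findings) for n in DLL_RE.findall(p)}
    wired = {n for names in persistence_map(findings).values() for n in names}
    return locked & wired

if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    print(persistence_map(found), sorted(locked_dlls_with_autostart(found)))
```

On the sample, the helper reports lovafufu.dll under AppInit_DLLs and bifupade.dll under LSA Notification Packages, and flags lovafufu.dll as still loaded. That is the pattern the first two scans show: a module loaded into every process cannot be deleted from a running system, which is why the offline registry edit from a boot CD finished the job.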
RoboGeek
SF Mod
Joined: 13 Jun 2003
Posts: 16777166
Location: LeRoy, IL

Posted: Sat Feb 28, 2009 11:26 pm

It's sorta new - it's a variant of the XPAV stuff - XP Antivirus 2008, 2009, 2010, AV360, etc.

The new ones are installing TDSS rootkit and there is a new version daily it seems. I don't use scanners - I clean rootkits and malware manually, but I do know that my shop gets machines from other shops that can't clean them.

It requires not only registry edits, but also a Linux distro to completely clean it. A bootable Windows CD like ERD or UBCD4Win will give you the same permission errors in regedit that safe mode does.

I'm writing a script to manually delete this stuff that will run in PowerShell, just so I don't have to do it manually anymore.
Godsp3ed
Just Arrived
Joined: 23 Apr 2009
Posts: 0
Location: Universe

Posted: Fri Apr 24, 2009 6:08 am

Your Malwarebytes' Anti-Malware is not up to date. Update it, run the PC in normal mode, close all apps and run a 'Full System Scan'. When done, remove all infections and reboot immediately.

After reboot, download Trend Micro HijackThis 2.0.2 (http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html) and click on 'Run a scan and save a logfile'. You can create a new thread in the HijackThis logs section or ask a moderator to move it for analysis.