Today I was hit by the Spyware, "XP Antispyware 2012". It looks very genuine and quite advanced to trick any naive user. It kick starts an intuitive interface. It pretends to Scan your PC for Trojans/Viruses/Rootkits/Malwares/Spywares and provides you various options to remove them and clean your PC though it's doing the exact opposite.
So, this is dangerous and had to be removed as soon as possible. I wanted to find this one manually and take it down. After around, 1 hour of research, I fixed it myself without the use of any Spyware Removal Kits.
Below are the details about this Spyware:
It copies itself into the Application Data directory. It updates some really important Windows Registry Keys. To summarize, it binds itself to the Operating System Subroutine which is used to open and run any Executable File.
The name of the Spyware was: kts.exe
If you remove it from the Application Data folder and place it somewhere else or even delete it. The result would be, you won't be able to run any executable on your PC.
It was time to check the registry for all the occurrences of this Spyware.
A comprehensive listing below which can be used as a reference by anyone here:
Key Path: HKEY_CLASSES_ROOT\.exe\shell\open\command:
{Default} - "C:\Documents and Settings\My computer\Local Settings\Application Data\kts.exe" -a "%1" %*
Key Path: HKEY_CLASSES_ROOT\exefile\shell\open\command
{Default} "C:\Documents and Settings\My computer\Local Settings\Application Data\kts.exe" -a "%1" %*
Key Path: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
3793153621: C:\Documents and Settings\My computer\Local Settings\Application Data\kts.exe
Key Path: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
C:\Documents and Settings\My computer\Local Settings\Application Data\kts.exe kts
Key Path:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command
{Default} "C:\Documents and Settings\My computer\Local Settings\Application Data\kts.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe"
Key Path:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
{Default} "C:\Documents and Settings\My computer\Local Settings\Application Data\kts.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe"
Key Path:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command
As you can see, it prefixes the Key values with the path to the kts.exe spyware. Now, if you delete the spyware manually, you should be able to make out from the above Key Values, why no executable runs.
After editing all the above Registry keys, the executables were running as expected.
However, the interesting part would be to do some reverse engineering on this spyware and see what it really does.
Ofcourse, it wasn't designed to scan your PC for Spywares/Malwares and protect it, right? Lulz!
Is there any sort of Network Activity exhibited by it. What are the DLLs it loads into the Process Memory and a bunch of other stuff needs to be checked.
I need to copy over this spyware from my Host Machine to the Virtual Machine and attach it to a debugger like Immunity Debugger. Then we can start with the analysis.
Listening Now: Adema - Giving In
|
This entry was posted on Sunday, July 31, 2011 and is filed under . You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
0 comments: