Wednesday, December 31, 2008

Zlob fake codec rootkit removal procedure

Lately there has been a rise in rootkit-based Zlob fake codecs and video players. The rootkit belongs to the TDSServ family and is quite difficult to remove using standard anti-malware tools. Here is how to remove these rootkit-based Zlob variants. This removal procedure applies to Zlob variants that drop kernel-mode rootkits, such as BrakePlayer, Moon-Player, TurboPlayer and Light-Track.

The removal process consists of three steps:
  1. Removing rootkit driver file and its Registry entry
  2. Removing other malware files dropped by Zlob installer
  3. Removing stray "shell open command" entry (a.k.a malicious autorun.inf file)

Download and install the following tools (do not run them yet):
  1. GMER
  2. Malwarebytes' Anti-Malware (MBAM)

Removing rootkit driver file and its Registry entry:
  1. Launch GMER.exe. As soon as GMER starts, it performs a preliminary system scan. If it finds any traces of rootkit, it will ask you to run a full PC scan. Click "No" for this prompt.
  2. Now, click on the "Rootkit/Malware" tab, select only the "Services" checkbox (deselect all other scan options) and click the "Scan" button to start the scan. An example is shown in the screenshot below.


  3. GMER should show the rootkit service after the scan. Right-click on that entry and click "Delete Service". Click "Yes" for the prompts that pop up. An example screenshot is shown below.


  4. Reboot the PC.
  5. Run GMER again and repeat steps 1 to 4 (GMER will detect the same rootkit service a second time; that is expected).

Note: If GMER does not detect any rootkit in its preliminary system scan (in Step 1 above), then you may not have kernel-mode rootkit variant of Zlob (or GMER is not detecting it ;)). Proceed to the section below.

Update: Zlob rootkit driver can also be removed using SysProt AntiRootkit. More information can be found here.


Removing other malware files dropped by Zlob installer:
  1. Run Malwarebytes' Anti-Malware (MBAM), click the "Update" tab and then click the "Check for updates" button to download the latest malware database.
  2. Once the update completes, click the "Scanner" tab and select the "Perform full scan" option. Select all the hard disk partitions (C:\, D:\ etc) and then click "OK" to start the scan.
  3. Once the scan completes, remove all the malware that MBAM may report. An example screenshot is shown below.


  4. Reboot the PC.

Removing stray "shell open command" (a.k.a malicious autorun.inf file):
  1. Go to Start Menu > Search to open the Windows Search tool. Configure Search to include system and hidden folders and files. Finally, search for files named autorun.inf. An example screenshot is shown below.


  2. These autorun.inf files contain a few commands which instruct Windows Explorer to load a Zlob malware file (generally, %rootdrive%\resycled\boot.com) whenever a user double-clicks on a drive icon. Only an autorun.inf at the root of a drive is honoured by Explorer, so that is where they will be found. Delete all the autorun.inf files found at the root of hard disk partitions (for ex: C:\, D:\ etc), and delete the referenced file (for ex: C:\resycled\boot.com) as well if MBAM did not already remove it.
  3. Reboot the PC.

Finally, run an online scan at F-Secure or TrendMicro to make sure that the PC is clean. Hopefully, the Zlob rootkit will be gone for good by this time!
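As an added example (not part of the original post, and not code from GMER or MBAM), here is a small Python script that parses an autorun.inf file and pulls out the entries that make Explorer execute something, which is what to look at before deleting the file. The two sample files embedded in it are constructed for the example: the Zlob-style one is modelled on the resycled\boot.com pattern mentioned above, but the padding comment lines, the exact set of verbs and the benign CD-style sample are assumptions, not copies of any real file.

```python
import re
import sys

# Keys in an [autorun] section that make Explorer run a program (from the
# autorun.inf format): "open" and "shellexecute" run on AutoPlay/double-click,
# "shell" picks the default verb, and shell\<verb>\command defines a verb such
# as open, explore or autoplay that Explorer shows in the drive's context menu.
EXEC_KEY_RE = re.compile(r"^(open|shellexecute|shell|shell\\[^\\]+\\command)$")


def parse_autorun(text):
    """Parse autorun.inf text into {section: {key: value}} with sections and
    keys lower-cased. ';' comment lines and lines without '=' are ignored, so
    the junk padding lines that malicious files often carry do not break it."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def execution_entries(text):
    """Return the entries from [autorun] (and any [autorun.<arch>] section)
    that cause Explorer to execute a file when the drive is opened."""
    found = {}
    for name, entries in parse_autorun(text).items():
        if name == "autorun" or name.startswith("autorun."):
            for key, value in entries.items():
                if EXEC_KEY_RE.match(key):
                    found[key] = value
    return found


def triage(drive, text):
    """Verdict for an autorun.inf found at the root of a hard disk partition:
    any execution entry there is treated as malicious (a CD installer may
    legitimately use them, a fixed disk has no business doing so)."""
    entries = execution_entries(text)
    verdict = "REMOVE" if entries else "benign (no execution entries)"
    return {"drive": drive, "verdict": verdict, "entries": entries}


# Constructed sample modelled on the Zlob-style file described in the post;
# the padding comment lines and the exact set of verbs are assumptions.
ZLOB_STYLE = """[autorun]
;lQjvbKmZxWpRtYcN
open=resycled\\boot.com
;aZyXwVuTsRqPoNmL
shell\\open\\command=resycled\\boot.com
shell\\explore\\command=resycled\\boot.com
shell\\autoplay\\command=resycled\\boot.com
icon=%SystemRoot%\\system32\\shell32.dll,8
"""

# Constructed benign sample: a CD-style file that only sets an icon and label.
BENIGN = """[AutoRun]
icon=setup.ico
label=Product Installer
"""


def main(argv):
    # With file arguments, triage real files; otherwise show the two samples.
    if argv:
        for path in argv:
            with open(path, encoding="utf-8", errors="replace") as fh:
                print(triage(path, fh.read()))
    else:
        print(triage("C:\\", ZLOB_STYLE))
        print(triage("D:\\", BENIGN))


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it with no arguments to see the two samples triaged, or pass the paths of the autorun.inf files that Windows Search turned up. The point of keying on the execution entries rather than on the file name is that a legitimate autorun.inf (on a CD, or left behind by an installer) only sets an icon or label, while the Zlob one always has to name the file it wants Explorer to run; whatever that entry points at is the next file to delete.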


Tuesday, December 30, 2008

Rogue security software video tutorials

This is really hilarious. It seems that the rogue software gang decided to improve the OOBE (out-of-box experience) of their software! They now have video tutorials on YouTube, which explain how to run an online malware scan and how to remove malware using their software for FREE! Check out these screenshots from the video:


Here are the links to some videos:
http://www.youtube.com/watch?v=jykJ1erupZ4
http://www.youtube.com/watch?v=FSQ0WpoyZJo

Video uploaders' profiles:
http://www.youtube.com/user/AntiVirusSpywareMalw
http://www.youtube.com/user/OkThisJustAnti

The website, www.antiviruson.com (89.111.176.21), mentioned in those tutorials redirects to another website that hosts the System Security rogue application. Do NOT follow the steps given in those tutorials ;)

Sunday, December 28, 2008

Zlob updates

The Zlob gang does not seem to be in a holiday mood. They are churning out more domains and hosts to spread their badware. Here are some of the new ones:

94.247.3.232
216.240.151.112
78.159.99.52
www.newdllsolution.com (92.241.163.90)
http://brakeplayer.net (94.247.2.183)


One of the sites mentioned above, http://brakeplayer.net (94.247.2.183), hosts a fake media player installer called BrakePlayer. This installer actually installs a nasty kernel-mode rootkit. The following screenshot shows the kernel-mode hooks installed by the rootkit driver:


The backdoor component of this rootkit establishes a connection to a remote rogue server at 85.255.112.188 (whois). VirusTotal scan results for the installer and the rootkit driver file can be found here and here respectively.

Update: BrakePlayer removal procedure has been posted here. Hope that helps :)

Friday, December 26, 2008

New rogue: System Security

System Security is a new rogue security application. The installer is hosted at http://webnetworksecurity.com (91.211.64.31). Here's a screenshot of System Security:


VirusTotal scan results for the installer can be found here. BleepingComputer has a removal guide here.

Monday, December 22, 2008

Zlob updates

Here are some of the new domains spreading the Zlob trojan:

http://vidzwares.com (92.241.163.90)
http://light-player.net (94.247.2.183)
http://fire-player.net (93.190.140.48)
http://downloadallsoft-now.com (94.247.3.228)
http://myprivatetubes09.net (91.208.0.221)


One Zlob variant (named wmpcdcs.exe, hosted at http://myprivatetubes09.net) uses the Microsoft Windows Background Intelligent Transfer Service (BITS) to communicate with rogue servers and transfer data. Since BITS is a trusted Windows component, firewalls do not block it, which makes it easy for malware to download files from remote servers (info here and here). A quick way to check for this on a suspect PC is to list the pending transfer jobs for all users with "bitsadmin /list /allusers /verbose" and look for remote URLs you do not recognise. An automated analysis of this malware is available at ThreatExpert here.

Sunday, December 21, 2008

Antivirus 360 featured in top PC magazines and antivirus certification labs!

No, we are not talking about Norton 360, which is a genuine security product. This is about Antivirus 360, one of the latest rogue security applications (info here).

Now, the gang responsible for Antivirus 360 has gone one step further! Their new site, http://anti-viruspcscanner.com (78.46.216.238), claims that Antivirus 360 has been rated a top antivirus solution by reputable publications like Computer Shopper, LAPTOP Magazine, PC Magazine, Computer Active, PC Advisor and CNET.



Apart from this, they also blatantly display Virus Bulletin, West Coast Labs Checkmark and ICSA Labs certification logos, which are obviously fake!


All these fake recommendations and a deceptive name may lead an innocent PC user to download Antivirus 360 onto his/her PC.


As per the site http://anti-viruspcscanner.com (78.46.216.238), the company responsible for Antivirus 360 is:
BOLZAR LIMITED Arch. Makariou III. 69. TLAIS TOWER. P.C. 1070. Nicosia, Cyprus.
Contact email: company@Antivirus360pro.com


And it seems that BOLZAR LIMITED (http://bolzar.biz (216.195.62.169)) develops a few other fake security products as well:
Antivirus Security - http://antivirussecurity-solution.com/ (89.149.255.191)
Antispyware32 - http://antispyware32.com/ (84.16.231.194)

VirusTotal scan result of Antivirus 360 is available here. An automated analysis of Antivirus 360 is available at ThreatExpert. Stay away from these rogues :)