Internet Security 2010

[Malekal_morte]

Pour supprimer l'infection suivre la procédure donnée sur la page : https://www.malekal.com/InternetSecurity2010.php

Internet Security 2010 est un rogue (faux anti-spyware) qui s'installe sans permission, le malware affiche de fausses alertes vous indiquant que vous êtes infecté par un spyware et vous recommande d'acheter ce faux anti-spyware pour soit disant désinfecter votre ordinateur.

Même famille que Advanced Virus Remover

Ce rogue s'installe automatiquement soit via des Faux codec soit via des exploits sur des sites WEB.

Dans le premier cas, faites un peu attention à ce que vous exécutez comme fichier... dans le second cas, pensez à mettre à jour vos programmes, voir scan de vulnérabilités.



Au démarrage de la session, une popup "Spyware Alert!" - "Security Warning!" s'ouvre avec une fausse alerte sur la détection d'un malware, ici Worm.Win32.NetSky



et le "traditionnel" fond d'écran noir modifié avec le message "YOUR SYSTEM IS INFECTED!"

[Malekal_morte]

Les lignes HiJackThis relatives à l'infection

winupdate86.exe est donc devenu winlogon86.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
O4 - HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
O4 - HKCU\..\Run: [Internet Security 2010] C:\Program Files\InternetSecurity2010\IS2010.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\winhelper86.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winhelper86.dll

Le scan VirusTotal du dropper :

File 0444df80179a224f713128e972158cad received on 2009.12.17 07:10:14 (UTC)
Current status: finished

Result: 6/41 (14.63%)
Compact Print results
Antivirus Version Last Update Result
a-squared 4.5.0.43 2009.12.17 -
AhnLab-V3 5.0.0.2 2009.12.17 -
AntiVir 7.9.1.114 2009.12.16 -
Antiy-AVL 2.0.3.7 2009.12.17 -
Authentium 5.2.0.5 2009.12.02 -
Avast 4.8.1351.0 2009.12.17 -
AVG 8.5.0.427 2009.12.16 -
BitDefender 7.2 2009.12.17 -
CAT-QuickHeal 10.00 2009.12.16 Win32.Packed.Krap.ah.4
ClamAV 0.94.1 2009.12.17 -
Comodo 3269 2009.12.17 -
DrWeb 5.0.0.12182 2009.12.17 -
eSafe 7.0.17.0 2009.12.16 -
eTrust-Vet 35.1.7179 2009.12.16 -
F-Prot 4.5.1.85 2009.12.16 -
F-Secure 9.0.15370.0 2009.12.17 -
Fortinet 4.0.14.0 2009.12.17 -
GData 19 2009.12.17 -
Ikarus T3.1.1.78.0 2009.12.17 -
Jiangmin 13.0.900 2009.12.17 -
K7AntiVirus 7.10.922 2009.12.16 -
Kaspersky 7.0.0.125 2009.12.17 -
McAfee 5834 2009.12.16 -
McAfee+Artemis 5834 2009.12.16 -
McAfee-GW-Edition 6.8.5 2009.12.17 -
Microsoft 1.5302 2009.12.17 TrojanDownloader:Win32/Fakeinit
NOD32 4694 2009.12.16 -
Norman 6.04.03 2009.12.16 -
nProtect 2009.1.8.0 2009.12.17 -
Panda 10.0.2.2 2009.12.15 Suspicious file
PCTools 7.0.3.5 2009.12.17 -
Prevx 3.0 2009.12.17 Medium Risk Malware
Rising 22.26.03.03 2009.12.17 Trojan.Win32.Generic.51F3F24B
Sophos 4.49.0 2009.12.17 Mal/FakeAV-BX
Sunbelt 3.2.1858.2 2009.12.17 -
Symantec 1.4.4.12 2009.12.17 -
TheHacker 6.5.0.2.095 2009.12.17 -
TrendMicro 9.100.0.1001 2009.12.17 -
VBA32 3.12.12.0 2009.12.16 -
ViRobot 2009.12.17.2093 2009.12.17 -
VirusBuster 5.0.21.0 2009.12.16 -
Additional information
File size: 18944 bytes
MD5 : 0444df80179a224f713128e972158cad
SHA1 : de31c07d6af82a4382f4700f9faf2fbd727fa793

[Malekal_morte]

Une page pour supprimer l'infection : https://www.malekal.com/InternetSecurity2010.php

Malwarebyte Anti-Malware nettoye bien l'infection :

Malwarebytes' Anti-Malware 1.42
Database version: 3381
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

17/12/2009 11:10:04
mbam-log-2009-12-17 (11-10-04).txt

Scan type: Quick Scan
Objects scanned: 95510
Time elapsed: 3 minute(s), 46 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 10
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
C:\Program Files\InternetSecurity2010\IS2010.exe (Rogue.InternetSecurity2010) -> Unloaded process successfully.
C:\WINDOWS\system32\winupdate86.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\winhelper86.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\internet security 2010 (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate86.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\winlogon86.exe) Good: (Userinit.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Downloader) -> Data: system32\winlogon86.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Downloader) -> Data: c:\windows\system32\winlogon86.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Malekal_morte\Desktop\tube_preview.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Malekal_morte\Local Settings\Temporary Internet Files\Content.IE5\MK0Z9QK6\SetupIS2010[1].exe (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\Program Files\InternetSecurity2010\IS2010.exe (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-1214440339-1454471165-682003330-1003\Dc20.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\msa.exe5 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\critical_warning.html (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winhelper86.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\winlogon86.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winupdate86.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

[Malekal_morte]

NOTE : Etant donné que l'infection se charge maintenant dans Winsock
(ligne O10 - Unknown file in Winsock LSP: c:\windows\system32\winhelper86.dll)

il se peut que le réseau (et donc internet) ne fonctionne plus suite à l'infection, pour pallier à cela :

• Cliquez sur Menu Démarrer
• Cliquez sur Executer puis tapez cmd et cliquez sur OK
• Dans la fenêtre noire, tapez la commande : netsh winsock reset catalog
• Un message doit vous indiquer que l'opération a réussi et vous invite à redémarrer l'ordinateur
• Fermez toutes les fenêtres et redémarrez l'ordinateur.

[Malekal_morte]

et le palme du pack de malwares revient à Internet Security 2010 avec aux programmes :

• Le trojan Zbot/Zeus
• Trojan Microjoin
• Bredolab avec la variante amdk7.sys
• Rootkit.TDSS variante Cx.tmp / x.tmp

Les lignes HiJackThis :

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe,C:\WINDOWS\system32\sdra64.exe,
O4 - HKLM\..\Run: [lsass] C:\WINDOWS\lsass.exe
O4 - HKLM\..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe
O4 - HKLM\..\Run: [odbny] C:\WINDOWS\odbn.exe
O4 - HKLM\..\Run: [amoumain] C:\WINDOWS\amoumain.exe
O4 - HKLM\..\Run: [servicelayer] C:\WINDOWS\servicelayer.exe
O4 - HKLM\..\Run: [ctfmon] C:\WINDOWS\ctfmon.exe
O4 - HKLM\..\Run: [wdmon] C:\WINDOWS\wdmon.exe
O4 - HKLM\..\Run: [netx] C:\WINDOWS\svx.exe
O4 - HKLM\..\Run: [vlc] C:\WINDOWS\vlc.exe
O4 - HKLM\..\Run: [netw] C:\WINDOWS\svw.exe
O4 - HKLM\..\Run: [netc] C:\WINDOWS\svc.exe

Code : Tout sélectionner

1262561432.156   1790 192.168.1.26 TCP_MISS/200 1239912 GET http://urlnewhome.com//load.php?spl=mdac - DIRECT/217.23.10.68 application/octet-stream
1262561445.998   2762 192.168.1.26 TCP_MISS/200 4045 GET http://discoverany.cn/11223/cfg3.bin - DIRECT/85.133.206.115 application/octet-stream
1262561455.604    885 192.168.1.26 TCP_MISS/200 17739 GET http://downloadavr25.com/dfghfghgfj.dll - DIRECT/193.104.110.50 application/x-msdownload
1262561457.435   1979 192.168.1.26 TCP_MISS/200 2086744 GET http://www.fuchs-hof.de/images/buttons/7.exe - DIRECT/81.169.145.68 application/x-msdownload
1262561461.530   2696 192.168.1.26 TCP_MISS/200 3056977 GET http://plugininput.com/123.exe - DIRECT/217.23.10.68 application/x-msdownload
1262561470.590  14984 192.168.1.26 TCP_MISS/200 1114402 GET http://downloadavr25.com/cgi-bin/download.pl?code=0000093 - DIRECT/193.104.110.50 application/octet-stream
1262561487.164  36173 192.168.1.26 TCP_MISS/200 767695 GET http://204.12.242.226/applicationdata2.bin - DIRECT/204.12.242.226 application/octet-stream

[Malekal_morte]

Juste pour signaler la présence du fichier C:\WINDOWS\system32\smss32.exe

Process:
Path: C:\Documents and Settings\Malekal_morte\Local Settings\Temporary Internet Files\Content.IE5\MK0Z9QK6\install_flash_player[1].exe
PID: 888
Information: KFBTW JDktyWAAAa (JDktyWAAAa)
Registry Group: Machine AutoRun
Object:
Registry key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Registry value: smss32.exe
Type: REG_SZ
Value: C:\WINDOWS\system32\smss32.exe

C:\WINDOWS\system32\smss32.exe charge le fichier HTML qui Hijack le fond d'écran

Process:
Path: C:\WINDOWS\system32\smss32.exe
PID: 1192
Information: KFBTW JDktyWAAAa (JDktyWAAAa)
Registry Group: IE Settings
Object:
Registry key: HKCU\Software\Microsoft\Internet Explorer\Desktop\General
Registry value: Wallpaper
New value:
Type: REG_EXPAND_SZ
Value: %SystemRoot%\system32\warning.html
Previous value:
Type: REG_SZ
Value:

smss32.exe C:\WINDOWS\system32\IS15.exe qui lance Internet Security 2010 :

Parent process:
Path: C:\WINDOWS\system32\IS15.exe
PID: 928
Information: Internet Security (Internet Security)
Child process:
Path: C:\Program Files\InternetSecurity2010\IS2010.exe
Information: Internet Security (Internet Security)
Command line:"C:\Program Files\InternetSecurity2010\IS2010.exe" DELC:\WINDOWS\system32\IS15.exe

Fichiers ajoutés :

c:\WINDOWS\system32\41.exe
Date: 1/20/2010 3:28 AM
Size: 0 bytes
c:\WINDOWS\system32\helper32.dll
Date: 1/20/2010 3:28 AM
Size: 19 968 bytes
c:\WINDOWS\system32\smss32.exe
Date: 1/20/2010 3:27 AM
Size: 25 600 bytes
c:\WINDOWS\system32\warning.html
Date: 1/20/2010 3:27 AM
Size: 2 931 bytes
c:\WINDOWS\system32\winlogon32.exe
Date: 1/20/2010 3:27 AM
Size: 25 600 bytes
c:\Program Files\InternetSecurity2010\IS2010.exe
Date: 1/20/2010 3:28 AM
Size: 1 383 936 bytes

Les lignes HiJackThis :

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKCU\..\Run: [Internet Security 2010] C:\Program Files\InternetSecurity2010\IS2010.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\helper32.dll

[Malekal_morte]

Le faux site de crack keygen.name (et ses acolytes) installent cette infection avec le Bredolab avec la variante amdk7.sys

Code : Tout sélectionner

1265329190.704   8127 192.168.1.26 TCP_MISS/200 156190 GET http://get.serdb01.com/keygens/steinberg_cubase_sx-keygen.exe - DIRECT/59.53.91.102 application/octet-stream
1265329210.585    436 192.168.1.26 TCP_MISS/200 26439 GET http://for-sunny-smile.com/dfghfghgfj.dll - DIRECT/193.104.153.98 application/x-msdownload
1265329214.627   3116 192.168.1.26 TCP_MISS/200 1488158 GET http://for-sunny-smile.com/cgi-bin/download.pl?code=0001405 - DIRECT/193.104.153.98 application/octet-stream
1265329215.646  12272 192.168.1.26 TCP_MISS/200 791759 GET http://96.9.183.149/app21.bin - DIRECT/96.9.183.149 application/octet-stream

Code : Tout sélectionner

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O4 - HKLM\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKCU\..\Run: [smss32.exe] C:\WINDOWS\system32\smss32.exe
O4 - HKCU\..\Run: [Internet Security 2010] C:\Program Files\InternetSecurity2010\IS2010.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
O15 - Trusted Zone: http://*.buy-internetsecurity10.com
O15 - Trusted Zone: http://*.buy-is2010.com
O15 - Trusted Zone: http://*.is-software-download.com
O15 - Trusted Zone: http://*.is-software-download25.com
O15 - Trusted Zone: http://*.is10-soft-download.com
O15 - Trusted Zone: http://*.buy-internetsecurity10.com (HKLM)
O15 - Trusted Zone: http://*.buy-is2010.com (HKLM)