spyware using "super"-hidden files in Windows XP

Discussion in 'Security Software' started by John, Jul 8, 2004.

  1. John

    John Guest

    SUMMARY
    =======

    SUBJECT: CoolWWW spyware persistence and removal.


    PROBLEM: Anti-spyware programs (e.g., Spysweeper, Ad-aware Pro, PestPatrol) do not remove the cause (a "super"-hidden .dll program) but only remove symptom files and registry settings.

    From original posting by someone else: "This dll is loaded with very strange file permissions. It has all permissions but ‘copy’ denied to everyone, including administrators. This set of permissions makes the file completely invisible inside windows. You cannot see it using File explorer or DOS prompts like dir. It also can not have its attributes set so that you can see it."


    SOLUTION: Manual removal by using a revealing xfind.com error message, then by using the Windows XP Recovery Console.

    NOTE: the byte verifier patch does not protect against the latest variations (6/24/04-7/7/04) of CoolWWW.

    ===============
    MICROSOFT CULPABILITY

    (1) Microsoft allows by design or by flaw the creation of "super"-hidden files. FIX THIS MICROSOFT!!, then anti-spyware programs will be able to find and remove this stuff.

    (2) Also...Microsoft!! Fix the design flaws that allow anything to write to the registry and place files on the computer as users browse the web with IE. WHAT A JOKE!!! Guilty! Sentenced to 5 years of trying to remove Coolwww without xfind or a clean install.

    ===============
    INSTRUCTIONS

    Step 1
    Download xfind.com
    (Note: at least a few programs are named xfind, so do not just search the web and download any one of these. I did this and wasted time with xfind.exe, which is not a bad program but not the one needed for our task.)

    Download from here:
    http://home.mnet-online.de/horst.muc/int/find23.zip (direct download of zip file)
    or
    http://home.mnet-online.de/horst.muc/index.html (parent page of download; click the "Find" link then download [9k])


    Step 2
    Install xfind.com (simply unzip it; I prefer running it from the c:\, and so I dragged a copy of xfind.com to c:\, which is also called the "root" directory).


    Step 3
    (a) Run xfind.com in a command line window. Click Start, Run, type CMD (then click OK). A black window opens with a blinking white cursor. Type cd \ or cd\ (I forget which) then press enter. The cursor should now show "C:\" and not "C:\Windows."

    (b) type this:
    xfind "gibberishjdkfkd" c:\windows\system32\ *.dll
    (then press the "Enter" key on your keyboard).

    ("gibberishjdkfkd" can really be anything, but the results are clearer if you type something strange so it won't be found inside any legitimate files). We're hoping for an error message, not actually finding a file containing the search text.

    (c) Now wait.... If it comes back with a read error about a file, that's good! The file it complained about is the evil program (.dll file). WRITE the file name down EXACTLY as listed in the error message (for example, Mofohell.dll).

    From the original posting about this by someone else: "This dll is loaded with very strange file permissions. It has all permissions but copy denied to everyone, including administrators. This set of permissions makes the file completely invisible inside windows. You cannot see it using File explorer or DOS prompts like dir. It also can not have its attributes set so that you can see it."


    Step 4
    Prepare to remove the evil program. This can't be done in normal Windows nor in Safe Mode. Showing system and hidden files doesn't help. You must restart in a special mode called the "Recovery Console," which is not available until you install it separately.

    (a) Find a Windows XP Home or Professional installation CD. While still in Windows, insert the CD then exit any automatic window that appears.

    (b) Click Start, Run, type the following:
    d:\i386\winnt32.exe /cmdcons
    (then click OK) and follow the instructions to install the Recovery Console (click yes, ok, etc.). Restart the computer. (NOTE: if your CD drive is a different letter than "d" type your CD drive’s letter instead of "d.")


    Step 5
    Rename or delete the evil program from within the Recovery Console.
    (a) Restart the computer and press the F8 function key before Windows starts as if you're trying to get into Safe Mode.

    Choose "Return to OS Menu" where you will see at least two choices: "Windows XP Home" (or Professional) and "Recovery Console." Use the arrow keys and Enter key to highlight and select "Recovery Console."

    (b) When prompted, select the choice listing the Windows directory your computer normally uses (usually "C:\Windows").

    (c) When prompted, type the Administrator password (which might be blank on your system) and press the Enter key.

    You're now in the Recovery Console and can control the evil program file.

    (d) Type cd \ (or CD\ -- I forget which), then cd windows , then cd system32 , then (to confirm that it’s present) type dir MOFOHELL.dll (but substitute the name of the evil program you found on your system). If it doesn't find anything, type this: attrib -h MOFOHELL.dll (and press Enter), then type this: attrib -r MOFOHELL.dll (and press Enter).

    (e) Rename or delete it. I renamed it to be really safe in case it was something good (doubtful). Type this:
    ren mofohell.dll harmless.btch (substituting the name of your evil program for mofohell.dll)
    (then press the Enter key).

    (f) type this:
    dir harmless.btch
    (then press Enter) to confirm it's there.


    Step 6
    Type this: EXIT (and press Enter) to reboot.
    Press F8 to enter SAFE MODE as Windows starts.


    Step 7
    Use the registry editor to find the evil reference to the evil program, both of which were hidden before renaming the latter.
    (a) Click Start, Run, then type this: regedit (and click OK).
    (b) Use the up-arrow and scroll to the top then click once on "My Computer" then click the EDIT menu and click FIND. Type the name of the evil program (e.g., mofohell.dll ) and click find. Delete the entry on the RIGHT side of the window that contains the name of the evil program (e.g., mofohell.dll); click once on the evil name then tap the keyboard's DELETE key ONCE. Click the EDIT menu and click "FIND NEXT" and repeat. If it is not found, stop looking and exit the registry editor.


    Step 8
    Scan your entire computer using the anti-spyware programs you have (which you updated BEFORE all of this). I prefer running at least two (Spysweeper and Ad-aware Pro) -- one at a time, of course.


    Step 9
    Run HijackThis and delete any suspicious BHO entries and other known bad stuff.


    Step 10
    Empty every Temp folder, Temporary Internet folder and Cookie folder on your computer. Empty the Recycle Bin.


    Step 11
    Turn security up to high in the Internet Options control panel (HIGH for every category: Internet, Local Area Network, Trusted Sites [delete any trusted sites listed] and Restricted sites). Go to the Advanced tab and click the button "Restore Defaults" then modify individual check box items manually if you want; go to the Programs tab and click the button "Reset Web Settings" but uncheck the "reset home page" prompt unless you like MS's default page. Click OK.


    Step 12
    Utter the phrase, "Oooo Ahhhh, devilware, be GONE!" then spit out of the window over your LEFT shoulder.


    Step 13
    Restart your computer.


    Step 14
    Go online and download other browsers to use for everything but Windows Update. Download Firefox from mozilla.org and Opera from opera.com and install both. They're safer than Internet Explorer (a.k.a., the Devil's Helper).

    To run Windows Update, first go to the Internet Options control panel, Security tab, click the Internet category icon, then click the DEFAULT button, then OK. Then run Windows Update. Afterwards, go back to the Internet Options control panel and slide the security back up to HIGH for the Internet category, then click OK, and continue using Mozilla's Firefox and/or Opera for web browsing.


    Step 15
    Delete the renamed evil program (e.g., harmless.btch), which Spysweeper will identify as coolwww even with its different name.

    It's as simple as that!
    As simple as 1,2,3ab,4abc,5abcdef,6,7ab,8,9,10,11,12,13,14,15!!!

    Total elapsed time: 45 minutes to 1.5 hr depending on the number of files your anti-spyware programs scan.


    Step 16 (optional)
    Buy a Mac, which doesn't have spyware problems, and throw away your vulnerable Windows PC.

    ================
    ================

    MICROSOFT CULPABILITY


    (1) Microsoft allows by design or by flaw the creation of "super"-hidden files. FIX THIS MICROSOFT!!, then anti-spyware programs will be able to find and remove this stuff.


    (2) Also...Microsoft!! Fix the design flaws that allow anything to write to the registry and place files on the computer as users browse the web with IE. WHAT A JOKE!!! Guilty! Sentenced to 5 years of trying to remove Coolwww without xfind or a clean install.


    ================
    ================

    NOTE:

    None of these solutions are mine. The fix of using xfind was from an online posting that a client found and emailed me. Here's the full text of that posting:

    "Coolweb is a 2 stage infection. This fix is not for inexperienced users. You need to understand how to use the recovery console and also the registry editor. Everything here is for a W2K install which is what I have. Should be similar for XP.

    First how the infection works:

    1) A small dll is loaded onto your machine in the \winnt\system32 directory. I do not know the method of infection. My machine had the ByteVerifier patch so it wasn't through that backdoor.
    2) This dll is loaded with very strange file permissions. It has all permissions but copy denied to everyone, including administrators. This set of permissions makes the file completely invisible inside windows. You can not see it using File explorer or dos prompts like dir. It also can not have its attributes set so that you can see it.
    3) This little dll (resaf.dll on my machine, but probably different on each install) hooks itself to the HKLM/Software/Microsoft/Windows NT/CurrentVersion/Windows/AppInit_DLLs registry key. Of course you can't see the entry and searching for it will reveal nothing. Probably uses the same permissions trick but I was unable to verify this.
    4) Once this dll is running it can do whatever it wants. What it does is load a full set of secondary infection files. It creates a file in your temp directory called sp.html. This is the file that is displayed each time you start IE. It also creates a bunch of registry entries to enforce this as the start page.
    5) Next a second dll is loaded. This one you can see and remove. Of course it just comes back a few hours later. Not sure what this does.
    6) Latest cut of Adaware gets rid of all of the secondary infections, but is unable to find the primary infection. After about 2-3 hours the infection just keeps coming back.

    How to get rid of this.
    1) You need a tool to find the nasty dll. A tool called "xfind" (find it here http://home.mnet-online.de/horst.muc/index.html) does a text search for a string within all files in the \winnt\system32 directory. Run it from the command line as XFIND "anything" C:\winnt\system32\*.dll. It turns out that the string itself is unimportant, it is the fact that this utility is unable to open the file that reveals the dll's identity. The utility posts an unable to read resaf.dll notice. This is your first clue.
    2) Run adaware with the latest reference file and clean up the secondary infection. Run it until no further infection is found. It may take a couple of passes.
    3) Now you know the name of the file we need a way to get rid of it. Not possible inside Windows that I can see. Tried killbox and other programs but they are not able to find it. Using your original windows cd, start the recovery console.

    This is done by booting from the cd and then when it finishes loading selecting R for repair and C for recovery console. Log in as requested and you are at a command prompt. The file can now be seen using dir. I just renamed it at this point in case I was wrong and it was a real windows file. I could then get it back if I needed it.
    4) Restart the machine in windows. Using regedit, search for the AppInit_DLLs key. The value will now be visible. Delete the value, not the key!
    5) The dll will now also be visible and can be deleted.
    6) Run adaware one more time to make sure all of the secondary infection is gone and you're done.

    I would like to thank the dedicated folks at Ad-aware, I could not do without them. Also the kind folks who wrote the utilities I used to get this thing off. Good luck.
     
    John, Jul 8, 2004
    #1
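    The xfind trick in John's post, and the cross-check against AppInit_DLLs in the posting he quotes, reduce to two mechanical steps: attempt to open every DLL in the directory and keep the ones that fail with a permission error, then compare those names with the DLL list in the AppInit_DLLs registry value. The script below is an added example written for this page, not a tool from the thread or a replacement for xfind.com. It reads the real AppInit_DLLs value only when run on Windows; the demo directory, the file names in it and the simulated "access denied" opener are constructed for illustration (resaf.dll is the name the quoted poster saw, used here only as sample data).

```python
"""Find a DLL that refuses to be read and cross-check it against AppInit_DLLs.

Added example, not code from the original thread. The registry path is the
real AppInit_DLLs location; everything under demo() is constructed test data.
"""
import os
import tempfile
from typing import Callable, Dict, List

# Real location of the value the thread's quoted posting names.
APPINIT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
APPINIT_VALUE = "AppInit_DLLs"


def find_unreadable(directory: str, suffix: str = ".dll",
                    opener: Callable = open) -> List[str]:
    """The xfind observation: the search string never mattered, only which
    files could not be opened. `opener` is injectable so the logic can be
    exercised without a real locked-down file. Note the caveat from the
    thread: a file hidden from directory enumeration will not be listed at
    all, so a miss here is not proof of a clean system."""
    suspects: List[str] = []
    for name in sorted(os.listdir(directory)):
        if not name.lower().endswith(suffix):
            continue
        path = os.path.join(directory, name)
        try:
            with opener(path, "rb") as fh:
                fh.read(1)
        except OSError:  # PermissionError is a subclass of OSError
            suspects.append(name)
    return suspects


def parse_appinit_dlls(value: str) -> List[str]:
    """AppInit_DLLs is one string of DLL paths separated by spaces or commas.
    Return lowercase basenames so a bare name and a full path compare equal."""
    names: List[str] = []
    for token in value.replace(",", " ").split():
        names.append(os.path.basename(token.replace("\\", "/")).lower())
    return names


def read_appinit_dlls() -> str:
    """Read the live value on Windows; return '' elsewhere or if absent."""
    try:
        import winreg
    except ImportError:
        return ""
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, APPINIT_KEY) as key:
            value, _ = winreg.QueryValueEx(key, APPINIT_VALUE)
            return str(value)
    except OSError:
        return ""


def cross_check(suspects: List[str], appinit_value: str) -> Dict[str, bool]:
    """Map each unreadable DLL to whether AppInit_DLLs references it.
    An unreadable file that is also in AppInit_DLLs is the strong signal;
    an unreadable file on its own may just be a badly permissioned file."""
    loaded = set(parse_appinit_dlls(appinit_value))
    return {name: name.lower() in loaded for name in suspects}


def triage(directory: str, appinit_value: str,
           opener: Callable = open) -> Dict[str, bool]:
    return cross_check(find_unreadable(directory, opener=opener), appinit_value)


def demo() -> Dict[str, bool]:
    """Constructed scenario: three files, one of which refuses to open."""
    with tempfile.TemporaryDirectory() as d:
        for n in ("kernel32.dll", "resaf.dll", "readme.txt"):
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(b"MZ")

        def locked(path, mode="rb"):
            # Simulates the ACL that denies read to everyone, admins included.
            if path.lower().endswith("resaf.dll"):
                raise PermissionError(13, "Access is denied", path)
            return open(path, mode)

        return triage(d, r"c:\windows\system32\resaf.dll", opener=locked)


if __name__ == "__main__":
    print(demo())  # {'resaf.dll': True}
    if os.name == "nt":
        sysdir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")
        print(triage(sysdir, read_appinit_dlls()))
```

    On a live system the second print is the interesting one; a DLL flagged True is worth renaming from the Recovery Console as the post describes, and the AppInit_DLLs value itself should be edited afterwards (delete the value's contents, not the key). A DLL flagged False deserves a second look before anything is renamed.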

  2. Robert Moir Guest

    (3) End User!!! Fix your idea that surfing !!!!! with Admin!strator
    permissions!!!!!!!!!!!!!!!! is a good! idea!

    (sorry if I didn't put in enough exclamation marks to fit in with the rest
    of the post. I tried my best but when you copy an artist's work sometimes
    you miss the finer details)
     
    Robert Moir, Jul 8, 2004
    #2

  3. John McGaw Guest

    John wrote:
    > PestPatrol) do not remove the cause (a "super"-hidden .dll program) but only
    > remove symptom files and registry settings.
    > strange file permissions. It has all permissions but 'copy' denied to
    > everyone, including administrators. This set of permissions makes the file
    > completely invisible inside windows. You cannot see it using File explorer
    > or DOS prompts like dir. It also can not have its attributes set so that you
    > can see it."
    > then by using the Windows XP Recovery Console.
    > variations (6/24/04-7/7/04) of CoolWWW.
    > files. FIX THIS MICROSOFT!!, then anti-spyware programs will be able to
    > find and remove this stuff.
    > to the registry and place files on the computer as users browse the web with
    > IE. WHAT A JOKE!!! Guilty! Sentenced to 5 years of trying to remove
    > Coolwww without xfind or a clean install.
    > web and download any one of these. I did this and wasted time with
    > xfind.exe, which is not a bad program but not the one needed for our task.)
    > click the "Find" link then download [9k])snip...

    So. We are supposed to go and download an executable file from an unknown
    source that YOU specify and run it on our machines to detect a magical
    invisible file that YOU say is there and causing unspecified problems? Yeah
    right...
    --
    John McGaw
    [Knoxville, TN, USA]

    Return address will not work. Please
    reply in group or through my website:
    http://johnmcgaw.com
     
    John McGaw, Jul 8, 2004
    #3
  4. Lawrence Abrams Guest

    John wrote:
    > PestPatrol) do not remove the cause (a "super"-hidden .dll program) but only
    > remove symptom files and registry settings.

    I would never have an end user run this without supervision. There is too
    much room for something going wrong.

    1. There is no guarantee the file that it finds is the right one. We have
    seen in the past this method finds more than one file.

    2. You can then figure out which is the malicious file based on a few
    characteristics such as file size. This all depends on the particular CWS
    infection we are targeting.

    3. It is a good idea to cross check the file found in this method with
    locations in the registry where this file hides such as APPINIT_DLLS

    It is very important that users understand that trying to fix these
    infections on their own can lead to even more problems. The creators of CWS
    have put a lot of time and energy, and are skilled coders, in order to make
    it as difficult to remove as possible.
     
    Lawrence Abrams, Jul 8, 2004
    #4
  5. Torrey Guest

    (4) App!e solved the problem!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Why CAN'T
    MICROSOFT!!!!!!!!!!!!!!!!!!!
     
    Torrey, Jul 8, 2004
    #5
  6. Not to be mean, but two quick reasons are:

    1. Apple isn't often a target. It isn't worth it for the meager market penetration.

    2. Apple always drops legacy support when they do something new. This kind of a
    support model could help MS dramatically in terms of security but MS actually
    tries to keep the customers working even if they are running software written
    back in the 80's.


    Just because you haven't heard of any insecurities on the news about Apple or
    seen a worm/virus on your Apple doesn't mean it is secure.
     
    Joe Richards [MVP], Jul 8, 2004
    #6
  7. Robert Moir Guest

    Torrey wrote:

    What problem have Apple solved? Apple products still have security issues
    and bugs, by the way. I own a G4 iBook and I think it is a great laptop, I
    think OS X is a great OS, but I notice that there are still monthly security
    patches to download, just like in Windows.
     
    Robert Moir, Jul 8, 2004
    #7
  8. *Vanguard* Guest

    John said in
    <snip>

    So what version of Windows (NT based) are YOU using? Advanced permissions for a file are:

    Full (everything below)
    Traverse Folder / Execute File
    List Folder / Read File
    Read Attributes
    Read Extended Attributes
    Create Files / Write Data
    Create Folders / Append Data
    Write Attributes
    Write Extended Attributes
    Delete
    Read Permissions
    Change Permissions
    Take Ownership

    So which of these permissions equates to your "Copy" permission? A user or process would need both Read Data and Write Data permissions to do something like your "Copy" permission. And Read Permissions would also have to be disabled to not allow the user to see them, but then an administrator can still take ownership and can always read those permissions.

    "This set of permissions ...". So could you please define just what *IS* that "set" of permissions so we know, too?

    It is perfectly legit to let a user see that file exists but not to allow them to read and/or write to it. Even Unix does this (as I recall, you grant read permission on the folder but not on the file, but that allows listing every file in the folder rather than on a per-file basis). So the anti-spyware can see that a file by some name exists somewhere but cannot interrogate its contents to determine if it really is the bad file in its spyware list.

    And why do I have to reboot into Safe Mode or Recovery Console mode just to change permissions on a file so that it can be deleted? I can do that by logging in under an admin-level account and taking ownership to change the file's permissions (so I could then delete it which, by they way, still doesn't require read and/or write permission but just delete permission).

    I also have to ponder the safety of using a utility, xfind.exe, which is not available in the common and well-known download sites, like download.com, winsite.com, or tucows.com. If xfind is returning an error then it really sounds like xfind is poorly coded. Just because a file exists doesn't mean the user running xfind has the permissions to read the contents of the file. In fact, it seems like there would be lots of files a non-admin user should not be able to read, like all the files contained under another user's profile path (%userprofile%). Also, a user can remove Administrator and other admin-level accounts from permissions to read or write the user's files (because the user is the owner of the file) so xfind will error on those, too, although it was run while logged on under an admin-level account. The admin account can still take ownership to change the permissions but it can't do that until it takes ownership.
     
    *Vanguard*, Jul 8, 2004
    #8
  9. Torrey Guest

    They solved the average user running with admin pretty nicely.
     
    Torrey, Jul 8, 2004
    #9
  10. Robert Moir Guest

    Microsoft solved that too. If you don't want to run as admin, don't.

    Tell me, have you ever used OS X?
     
    Robert Moir, Jul 8, 2004
    #10
  11. Torrey Guest

    Yes. When you install patches it asks you for an admin password, even
    though my account has some admin privileges. The user and password is the
    same password I use to log on. A setup like this would go a long ways
    towards thwarting a lot of the crap that auto installs on the Windows user.
    But preach about market share and how others are insecure too, the fact is
    the candy gets taken from the baby because the baby is, well..., a baby.
     
    Torrey, Jul 8, 2004
    #11
  12. What the heck is that supposed to mean?
     
    Joe Richards [MVP], Jul 8, 2004
    #12
  13. Robert Moir Guest

    My point exactly. Candy gets taken from the baby because it's a baby. So our
    Mac users who know nothing about computers, but who know that when *that*
    box pops up they need to type their password...

    When something they download off the net because it claims to do something
    cool pops up and asks for the root password yet again are they going to
    think "now why would something simple like that _NEED_ root?" or are they
    just going to type it in like blind automatons?

    Now as I said, I too own a Mac, I like it a lot, and I do think the BSD
    security model has some good points but let's not waste my time, your time,
    or anybody else's time pretending it's perfect. It isn't.

    Like trying to use Windows as a non-admin to preserve security, it relies on
    you knowing enough to evaluate requests for admin rights in a proper,
    critical manner, and far too many people lack that ability. And those of us
    who have that ability are sometimes in too much of a rush to be as careful
    as we could be. I'll certainly admit to being guilty of that at times.

    I don't have any ideas yet myself about what we _should_ be doing instead,
    but I'm starting to become convinced that our current system of account
    access levels, passwords, etc, that work well enough in business are a total
    busted flush for home use for the reasons I outline above.

    To get back to my original point, surfing the web as an admin is a bad
    idea.... especially with a busted-ass browser like Internet Explorer as it
    is at the moment. Don't do it.

    I can't get away from that... the bad part is that the alternatives seem
    almost as painful to most users. Even the simple act of switching browsers
    seems like a lot of hard work to some people because they've never done it
    before and it seems scary. Of course, for me it's very worthwhile work to
    switch to Firefox because I can use the same browser on my Mac and my XP
    machine, but for the vast majority of people what we're talking about might
    as well be in an alien language here.

    --
    Rob Moir, Microsoft MVP for servers & security
    Website - http://www.robertmoir.co.uk
    Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html

    Kazaa - Software update services for your Viruses and Spyware.
     
    Robert Moir, Jul 8, 2004
    #13
  14. Jeff Cochran Guest

    Apple solved it by ditching the entire OS and "borrowing" BSD. :)

    Jeff
     
    Jeff Cochran, Jul 10, 2004
    #14
  15. wportre Guest

    I think you are being a bit high-handed. CWS has some VERY clever behaviours
    that you have not fully accounted for. I had an infection on a FAT32 XP
    installation and it hid not only its dlls but also files such as the
    installation file of cwshredder and other removal tools.
    CoolWWWSearch.SmartSearch (v1/v2) MiniRemoval? Lunch. HijackThis! was removed
    immediately by the version I had. Reinstalling it "blind" was a nightmare.
    HJT would run from a command line even though hidden but its logfile was
    deleted on creation (had to be saved under a non-standard name with use of
    lightning fingers.) The point is that none of the "hidden" files were visible
    under any aspect of XP nor with any set of permissions. I was eventually able
    to get rid of the thing ONLY because the system is dual boot (lots of non-XP
    compatible programs) and the files appeared in WIN98. Defragging the C: XP
    system-only partition made them "float" to the end. I know roughly what I am
    doing in Windows and I really think that I would still have this on a
    single-boot system. So it's Firefox for me from now on.

    "End User!!! Fix your idea that surfing !!!!! with Admin!strator
    permissions!!!!!!!!!!!!!!!! is a good! idea!" Well: given that XP forces you
    to have one admin account (I actually work round that, but still , that's the
    idea). I think that is not a fair comment: clearly that account is going to
    belong to someone.

    The Mt. Olympus approach is not good, IMO: this thing is a bad infection and
    not sharing at least some of the responsibility is not a helpful approach.
     
    wportre, Sep 11, 2004
    #15
  16. wportre Guest

     
    wportre, Oct 2, 2004
    #16
  17. Improvements to the LUA (Least-privileged User Account) user experience
    are currently under development for Longhorn. In the meantime, Aaron
    Margosis has put together a very useful set of tips and tricks around how to
    successfully run with a LUA daily account on WinXP or Win2K:

    "The Non-Admin blog - running with least privilege on the desktop" -
    http://blogs.msdn.com/aaron_margosis

    Jenni

    --
    Jenni A. M. Merrifield
    User Experience PM -- Application Security -- Windows Core Security
    Designing to Requirements and walking on Water is EASY. . .
    . . . So long as both are Frozen.
    --=+=--
    E-Mail & WinIM: [jennim AT microsoft DOT com]
    Blog: [http://blogs.msdn.com/strawberryjamm]
     
    JenniM [MSFT], Oct 3, 2004
    #17
  18. wportre Guest

    Very interesting. Glad to see that I am not the only one struggling to run
    as LUA. From the linked Aaron Margosis blog: " We [MSFT people] are not
    leaders when we run as root all the time. Comrades: you need to run as
    "User", and your customers need to see you doing it. If you run into issues,
    don't add yourself back to the admins group - file a bug against the
    offending product. Customers: if you see any MS sales, MCS, Premier, PSS,
    etc., doing web or email as admin, please tell them, "You're not setting a
    very good example. I am disappointed.""

    So yes, please go to it in Longhorn: for now, it is a PITA. (eg just had to
    give myself Admin privileges to log in for this reply, although that is
    probably a transient thing as I reinstalled XP in the backwash from a recent
    hardware failure.) Meanwhile I'm off to build an XP-based home media centre
    which should be a challenge with Windows XP Media Center Edition limited to
    OEMs... CWS interruptions not welcome. Really: how does it <i>do</i> that to
    HJT? Shakes head wonderingly and exits stage left..
     
    wportre, Oct 24, 2004
    #18