How does this VX2-based spyware/junkware work?
October 28, 2004 3:36 PM

Spyware/Junkware question. I've just spent six hours trying to remove what seems to be a new parasite based on VX2. There's plenty of information, tools, tips and advice, but nowhere have I been able to find how this particular pest actually works. Does anyone know?

My real question is how does it run (under Windows)? There are generally only a few ways for a parasite to get itself run on startup - sit in the registry [HKLM\....\current version\run] or in one of the startup files (win.ini) etc. Then there are Browser Helper Objects which get started by Explorer. Usually that's it. A quick check of the usual suspects with the excellent Hijack This is enough. But not with this stuff. The removers, which seem to work, highlight and delete a whole string of .DLL files. Does anyone know what these parasites are doing and how they are doing it? There's loads of stuff on Google, but no answer to this basic query.
posted by grahamwell to Computers & Internet (7 answers total)
This is from the SWI forum, so maybe you already saw it (dated May 20, 2004, user beleco). Does this not answer your question?

I have finally fixed this nuisance. I was able to remove this from my machine many times, but found that it came back after reboot. HijackThis found AutoUpdate.exe in Program Files, and lodcbsub.exe in WINDOWS\System32 and couponsandoffers in Program Files. I let HJT remove the registry keys for those, let Adaware and Spybot S&D get rid of VX2BetterInternet and now I'm clean. I have rebooted many times, and the files have not returned. Apparently, AutoUpdate.exe was redownloading the adware on reboot. Hope this helps anyone else that is also fighting this!
posted by jasper411 at 3:57 PM on October 28, 2004

Try here and here also.
posted by four panels at 4:01 PM on October 28, 2004

Any chance of a look at the HJT log? There are many recent variants of Transponder/VX2 so I don't really know which you're experiencing.

It's also entirely possible that it's being regularly reloaded by a third-party parasite - a lot of spyware makes money principally by installing other spyware. For example in the above example, 'AutoUpdater' is AproposMedia and couponsandoffers is TopMoxie/Coupons; both were definitely loaded by WildMedia/WildApp (of which the randomly-named lodcbsub.exe is a part).

> The removers, which seem to work, highlight and delete a whole string of .DLL files.

Are they called 6Xo4svc.dll, where 'X' is any letter except for 't' (6to4svc.dll being a standard Windows system file)? If so what you've got is Look2Me/Svc, a massively nasty recent variant I'm currently investigating, which is incorrectly identified as Transponder/VX2 by some anti-spyware apps.

In this case, it is hiding inside the 'Notify' key in HKLM\Software\MS\Windows NT\Winlogon, which means it gets started up first-thing with Windows even in Safe Mode, and runs constantly until shutdown. Unfortunately it also re-writes its Winlogon key constantly, so deleting it from there doesn't help either.

Until I've finished looking at it I'm not sure what might be the best way of killing it. At the moment I'm deleting the file from a foreign OS, which is not really very practical for most people.
posted by BobInce at 6:41 PM on October 28, 2004

The HijackThis logs don't show a thing (they're identical to those from a clean machine). That's why I'm puzzled. I don't just want to know how to get rid of it (although that's nice), I want to know, generically, how programs like this manage to run themselves in what appears to be a clean system. The particular infestation yesterday appeared related to 'My Fun Web' and 'Smiley Central' - the machine had a number of parasites installed, together with 'Virtual Bouncer', WildTangent and assorted toolbars, all of which looked like traditional BHOs. This infestation also appeared to crash Adaware, which wasn't helpful. BobInce, no, the DLL names don't ring a bell and the machine was Win98 (at least that's simple). One clue, once loaded the rundll32 was still visible in the task manager (that's not normal). Apart from that everything looked fine, until the pop-ups began.
posted by grahamwell at 1:18 AM on October 29, 2004

Oh, one other thing, the real giveaway. Whatever was present was continually re-creating a 'hosts' file. It was kind of comic, I'd delete it - no problem - type dir, and .. there it is again. Only a safe mode boot and creating a directory called hosts was able to stop this. But I couldn't see what process was doing this, or how. The task manager showed nothing out of the ordinary. Nothing odd was being loaded, Hijack This drew a blank. There's obviously some other way, some backdoor, into this system and I'd like to know what it is (so I can shut it).
posted by grahamwell at 1:23 AM on October 29, 2004

Those DLLs register themselves as COM components. Various programs go out and see what appropriate components are available, load them and call their initialization routines. In the spyware case, the initialization routine just does whatever it wants instead of setting up a legitimate component. IE running Browser Helper Objects is one case of this, but I'm sure there are many others (Windows Media Player and who knows what else).
posted by mcguirk at 5:08 AM on October 29, 2004

gw, it is definitely Look2Me/Svc. This does the Hosts file hacking too... actually it does it very badly, if you try editing the file at the same time it will corrupt it.

It turns out other names are used too, not always 6Xo4svc. What it does is find a system DLL in the System32 folder, and use its filename with one letter changed. If you delete it whilst it's running it regenerates with the letter changed to something else.

The trick I used to delete it in the end was to open regedit, find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify, and disallow adding new keys to it. (right-click Notify->Permissions->Advanced->Add rule->Enter name 'Everyone'->Edit->Set 'Deny' for 'Create Subkey'.)

Because Look2Me/svc tries to recreate its trojan startup key inside this key all the time, it will successfully delete one of the subkeys, and then fail to recreate it; you should see one of the Notify subkeys disappear.

Reboot and you should be able to delete the trojan from System32. If you are not sure which file it is, look at the recently-modified ones, right-click-Properties and see if it's signed by 'NicTech Networks'. Remember to go back to the Notify key in the registry and remove the 'Deny' rule you added.
posted by BobInce at 2:38 AM on November 5, 2004
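The mechanism BobInce describes in his two answers (a DLL registered under Winlogon\Notify, named after a real System32 file with one letter changed) can be checked for without hunting through regedit by hand. The script below is an added example; it is not code from this thread or from HijackThis, Ad-Aware or Spybot. It assumes the Notify subkeys carry the value names winlogon uses (DLLName plus per-event values such as Logon and Startup), and it feeds itself a constructed System32 listing and a constructed set of Notify entries so it runs anywhere; on a Windows host it reads the live key and directory instead.

```python
"""Triage helper for the Winlogon\\Notify persistence described in this thread.

Added example, not code from the thread or any tool it names. Assumptions:
Notify subkeys carry the documented value names (DLLName plus per-event
values such as Logon/Startup); the System32 listing is a plain list of file
names. Live registry reads need Windows; the matching logic runs anywhere
against the constructed sample data at the bottom.
"""
import ntpath
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

try:
    import winreg  # standard library, Windows only
except ImportError:
    winreg = None  # non-Windows host: only the offline checks are usable

NOTIFY_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
# Event values a Notify package may define; each names an export that
# winlogon.exe calls when that event happens (so the DLL runs in winlogon,
# even in Safe Mode, with no Run key, win.ini line or BHO involved).
NOTIFY_EVENTS = ("Startup", "Shutdown", "Logon", "Logoff", "Lock", "Unlock",
                 "StartScreenSaver", "StopScreenSaver")


@dataclass
class NotifyEntry:
    subkey: str                 # subkey name under Winlogon\Notify
    dll_name: str               # DLLName value: bare name or full path
    events: Dict[str, str] = field(default_factory=dict)  # event -> export


def _value_or_empty(key, value_name: str) -> str:
    try:
        return str(winreg.QueryValueEx(key, value_name)[0])
    except FileNotFoundError:
        return ""


def read_notify_entries() -> List[NotifyEntry]:
    """Enumerate the live Winlogon\\Notify key (Windows only)."""
    if winreg is None:
        raise RuntimeError("live registry access requires Windows")
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, NOTIFY_KEY) as notify:
        for i in range(winreg.QueryInfoKey(notify)[0]):
            name = winreg.EnumKey(notify, i)
            with winreg.OpenKey(notify, name) as sub:
                entry = NotifyEntry(name, _value_or_empty(sub, "DLLName"))
                for ev in NOTIFY_EVENTS:
                    export = _value_or_empty(sub, ev)
                    if export:
                        entry.events[ev] = export
            entries.append(entry)
    return entries


def one_letter_variant(name: str, known_names: Iterable[str]) -> Optional[str]:
    """Return the known file name that `name` differs from in exactly one character.

    The naming trick from the thread: a real System32 DLL name with one letter
    swapped (6to4svc.dll -> 6Xo4svc.dll). Case is ignored; an exact match is
    the genuine system file and yields None."""
    target = name.lower()
    for known in known_names:
        k = known.lower()
        if len(k) != len(target) or k == target:
            continue
        if sum(1 for a, b in zip(k, target) if a != b) == 1:
            return known
    return None


def suspicious_entries(entries: Iterable[NotifyEntry],
                       system32_files: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Flag Notify entries whose DLL is a one-letter variant of a real System32 file.

    Returns (subkey, dll basename, look-alike system file) tuples."""
    known = list(system32_files)
    known_lower = {k.lower() for k in known}
    findings = []
    for e in entries:
        base = ntpath.basename(e.dll_name)  # handles both / and \ paths
        if not base or base.lower() in known_lower:
            continue  # empty, or a genuine system DLL
        look_alike = one_letter_variant(base, known)
        if look_alike:
            findings.append((e.subkey, base, look_alike))
    return findings


# Constructed sample data standing in for a real System32 listing and Notify key.
SAMPLE_SYSTEM32 = ["6to4svc.dll", "crypt32.dll", "cscdll.dll", "wlnotify.dll", "kernel32.dll"]
SAMPLE_ENTRIES = [
    NotifyEntry("crypt32chain", "crypt32.dll", {"Logon": "ChainWlxLogonEvent"}),
    NotifyEntry("cscdll", "cscdll.dll", {"Logon": "WinlogonLogonEvent"}),
    # the pattern from the thread: 6to4svc.dll with one letter changed
    NotifyEntry("6ao4svc", r"C:\WINDOWS\system32\6ao4svc.dll", {"Startup": "WinlogonStartupEvent"}),
]

if __name__ == "__main__":
    if winreg is not None:
        import os
        sys32 = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "System32")
        entries, files = read_notify_entries(), os.listdir(sys32)
    else:
        entries, files = SAMPLE_ENTRIES, SAMPLE_SYSTEM32
    for subkey, dll, real in suspicious_entries(entries, files):
        print(f"Notify\\{subkey}: {dll} looks like a one-letter variant of {real}")
```

The script only identifies the entry; the removal sequence is still the one in the answer above (deny 'Create Subkey' on the Notify key so the package cannot rewrite itself, reboot, then delete the file and lift the deny rule). Names that exactly match a System32 file are deliberately skipped, since several legitimate Notify packages (the crypt32 and cscdll entries in the sample) are normal on a clean machine.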
