Never off duty when malware infects the weekend
A researcher recounts an all-too-familiar tale for many security professionals: a recent weekend afternoon spent trying to purge rogue anti-virus software from his brother's computer -- all before his daughter wakes up from a nap.
Ross Kinder, senior security researcher, Dell SecureWorks
If you are a computer professional, you know the phone call.
It usually comes on a Saturday afternoon and starts with small talk.
“So, how are things going for you? Oh, really? That's great.”
Then there's the uncomfortable pause and real reason for the call.
“So while I've got you on the phone, there's something strange going on with my computer.”
Recently, it was my dear brother who protests non-imposition: “If it's not too much trouble, could you take a look?”
I acquiesce; he is my brother, after all.
“There are security warnings popping up all over the place,” he tells me when he brings the computer over. Sure enough, there are.
Instinctively, I click “Start” and “Run” and type “cmd”. Instead of the comfy white-on-black window, I see the “firewall alert.” I start to worry.
I remember that Task Manager has a “Run” option. I press “CTRL+ALT+DELETE” and launch taskmgr.exe. The task list appears, but the fake security software blocks me again when I try to launch cmd.exe. Hmm…
The malware must be intercepting process creation, but how? When I double click a program, the shell is supposed to create the corresponding process. Instead, I get the fake security pop-up. But when I launch taskmgr, winlogon.exe creates the process, and it works correctly. Perhaps the malware is somehow hooking the shell?
I consider my options:
- I could boot the infected system with a Linux CD. I don't have one handy, so I'd have to download and burn it, but I'm too lazy. Plus, I have to get this done before my daughter wakes up from her nap.
- I could change the shell. I seem to recall there's a way to change the shell program, but I can't remember how. And I'd need the Registry Editor, which I can't launch. Ugh.
- Maybe I could figure out a way to launch a process outside of the shell.
- Or, if it's a per-user problem, maybe I could create a non-infected account and use that account to fix the problem. (Full disclosure: I didn't think of this solution until later. Turns out this would've worked.)
I choose to launch the process outside of the shell. I remember that the Sysinternals PsExec tool can remotely create a transient service on the remote system. Since services are launched outside of the shell, it just might work. From my computer, I log in to my brother's computer and use PsExec to launch “cmd.exe”.
Voila! I see an ugly black box with white text: “C:\WINDOWS\System32>”. After a few self-congratulatory remarks and a quizzical look from my brother, I go straight to work. I can now launch processes without interference from the malware.
The gyw.exe process looks suspicious, so I double click. Sure enough, it is running from the local application data directory, and it claims to be Microsoft software, but is not digitally signed. Fishy. Maybe this is the malware.
I hear my daughter start to stir, so I make a copy of the malware for later analysis and delete the file.
I launch Sysinternals Autoruns and don't see references to gyw.exe anywhere. How is it starting? I open regedit, search for gyw.exe and find references to the file deeply buried in the registry. The shell examines the registry to determine which program should be launched when you double click a file.
Apparently, it's possible to change the association for .exe files! The malware has registered itself with the shell to be the program launched for a .exe. Clever. The key in question is “HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command” and it isn't on my computer, so I delete it from my brother's computer.
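As an added example (not code from the original post), here is the read-only check a defender would run on a suspect profile: it reads the per-user .exe association key named above, plus the equivalent exefile key (an assumption on my part that it is worth checking as well), and flags anything other than the stock `"%1" %*` command, along with targets that live under the user's profile or lack a signature, as gyw.exe did.

```powershell
# Added example, not from the original post. Audit the per-user .exe
# association that the malware in this story hijacked. Run in the
# profile that shows the fake alerts; it only reports, it changes nothing.
$suspects = @(
    'HKCU:\Software\Classes\.exe\shell\open\command',
    # Assumption: the exefile key has the same effect, so check it too.
    'HKCU:\Software\Classes\exefile\shell\open\command'
)
# The stock association (kept under HKLM/HKCR) simply runs the file itself.
$expected = '"%1" %*'

foreach ($key in $suspects) {
    if (-not (Test-Path -LiteralPath $key)) {
        Write-Output "OK       $key is absent (no per-user override)"
        continue
    }
    $value = (Get-ItemProperty -LiteralPath $key).'(default)'
    if ($value -eq $expected) {
        Write-Output "NOTICE   $key exists but holds the stock command"
        continue
    }
    Write-Output "SUSPECT  $key -> $value"
    # Pull the launched executable out of the command line.
    if ($value -match '^"?([^"]+\.exe)') {
        $target = $Matches[1]
        if ($target -like "$env:USERPROFILE*" -or $target -like "$env:LOCALAPPDATA*") {
            Write-Output "         target lives under the user profile: $target"
        }
        if (Test-Path -LiteralPath $target) {
            $sig = Get-AuthenticodeSignature -FilePath $target
            Write-Output "         Authenticode status: $($sig.Status)"
        }
    }
    # Remediation applied in the story, after saving a copy of the target:
    #   Remove-Item -LiteralPath $key -Recurse
}
```

Because the override sits under HKEY_CURRENT_USER, a clean account on the same machine will not show it, which is why the author's "non-infected account" idea would also have worked.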
As I continue to search the registry, I notice that the malware has modified the registered web browsers. The default value of the following registry key points to the malware.
On my computer, the value exists and points to the browser executable. I correct the value on my brother's machine and feel proud of myself.
When I reboot my brother's computer, there are no more pop-ups. Normal checks come back clean, and I don't observe any unusual processes.
My daughter is now awake and asking for a snack, so my time is up. I preach a little bit about reinstalling from known good media, but here in the real world, the job is done.
One more thing. I'm supposed to warn you that mucking around with the registry could break your computer, although in this case the malware was already rendering it unusable. So if the talk of registry keys and processes here confuses you, request assistance from a knowledgeable individual.
Like your brother.