Bork Bork!
Banninate a CLSID from the registry
Uty
Posted: Fri Feb 13, 2009 10:13 am

Anyone know how to do this? I'm having a fight with Vundo/Virtumonde. I have to hand it to this guy, he wrote a very clever virus.

The virus in a nutshell:
- Put a DLL on your box
- DLL does annoying things and slows you down
- DLL attaches itself to winlogon.exe and explorer.exe, so it can't be casually deleted
- DLL uses global hooks to monitor registry edits (self preservation)

The DLL's name is randomly generated, but I have a scanner that can consistently identify Vundo DLLs. When a DLL appears, I boot my box from the XP CD, enter the recovery console, and delete the DLL. Then I run my scanner again, which is then able to delete all the registry entries and whatnot.

There must be some backdoor or something in my box that I can't find. Vundo DLLs will pop back up once a week or so. These DLLs always have the same CLSID in the registry.

I could write an app that will (like the virus itself) use global hooks to monitor the registry and delete this CLSID as it appears. This would neuter the virus once and for all, I think. But there's probably an easier way to ban a CLSID from my box. So I'm very open to suggestions.

_________________
Roses are #FF0000
Violets are #0000FF
All my base
Are belong to you
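One way to do the "ban" without writing a global hook, as an added example that is not from the original post or any tool the thread mentions: pre-create the key(s) the DLL re-registers under and put a deny ACL on them, so the next re-registration fails with access denied instead of succeeding. The GUID below is a placeholder, not a real Vundo CLSID; the Browser Helper Objects path is an assumption about where the CLSID is also referenced (adjust the list to whatever the scanner reports); and PowerShell 2.0 installed on the XP box, run from an elevated prompt after the DLL itself has been deleted from the recovery console, is assumed.

```powershell
# Added example (not from the original thread): lock a CLSID key so it cannot be re-registered.
# Placeholder GUID - substitute the CLSID the scanner keeps reporting.
$clsid = '{00000000-0000-0000-0000-000000000000}'

# Keys to lock. HKCR\CLSID is where the COM registration lives; the BHO list is an
# assumed second reference point for this family - edit to match the scanner's findings.
$paths = @(
    "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid",
    "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid"
)

$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

function Lock-RegistryKey([string]$path) {
    # Remove whatever the malware left behind, then recreate an empty key that we own.
    if (Test-Path $path) { Remove-Item $path -Recurse -Force }
    New-Item $path -Force | Out-Null

    $acl = Get-Acl $path
    # Stop inheriting the parent's permissive ACL so only our rules apply.
    $acl.SetAccessRuleProtection($true, $false)

    # Deny everyone the rights needed to write values, add the InprocServer32 subkey,
    # delete the key, or change its permissions. Deny entries are evaluated first.
    $deny = New-Object System.Security.AccessControl.RegistryAccessRule(
        $everyone,
        'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership',
        'ContainerInherit, ObjectInherit', 'None', 'Deny')
    $acl.AddAccessRule($deny)

    # Keep read access so COM lookups fail cleanly (empty key, no InprocServer32)
    # rather than erroring in every process that enumerates CLSIDs.
    $allowRead = New-Object System.Security.AccessControl.RegistryAccessRule(
        $everyone, 'ReadKey', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($allowRead)

    Set-Acl $path $acl
}

function Test-RegistryKeyLocked([string]$path) {
    # A write attempt must now fail; report the outcome instead of trusting the ACL blindly.
    try {
        New-ItemProperty $path -Name 'InprocServer32' -Value 'probe' -ErrorAction Stop | Out-Null
        Remove-ItemProperty $path -Name 'InprocServer32' -ErrorAction SilentlyContinue
        return $false
    } catch {
        return $true
    }
}

foreach ($path in $paths) {
    Lock-RegistryKey $path
    if (Test-RegistryKeyLocked $path) {
        Write-Host "locked: $path"
    } else {
        Write-Warning "write still succeeded, lock did not take: $path"
    }
}
```

Two caveats a practitioner should keep in mind. First, a deny ACL is a tripwire, not a wall: the key's owner and anything running as SYSTEM (which is what a DLL inside winlogon.exe gets) can take ownership and strip the deny, so if the key comes back re-ACLed that is itself evidence the dropper is still on the box and is worth dumping with the scanner's timestamp. Second, this only blocks the registration step; a DLL already loaded into explorer.exe does not care about the key, which is why the recovery-console delete still has to come first.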
BrianW
Posted: Fri Feb 13, 2009 3:50 pm

That's incredibly clever. Is there anything on the f-secure blogs about it?

_________________
assert "It's going to be okay."; - xkcd.com
Hockey Schedule
Uty
Posted: Mon Feb 16, 2009 12:48 pm

Nope, though there was some Vundo information that I didn't know on the blog ... so it was a worthwhile read for me.

I have an ntdll64.dll on my 32-bit system ... should have realized something was up sooner. XD

All times are GMT - 5 Hours