Un-viewable, un-deletable virus executables

COB

Hi,

I have been having a bit of bother removing the executable for a virus I was messing around with today. Here's how it goes. The virus is downloaded and disables AVG, it then writes a few registry entries so that it spawns whenever you open any programs or try to browse the web. It labels itself XP antivirus or XP security centre or something and has an executable which it keeps in the C:\Documents and Settings\USER\Local Settings\Application Data\ folder.

I managed to disable it fairly easily and then tried to delete the executable. Thing is, the executable wasn't there when I checked using explorer (with hidden files viewable) or the command line. I restarted and kickstarted the virus using a registry key which I hadn't deleted and it reinstalled the virus and a load of registry keys which also pointed to the location of the original executable. When I looked again it still wasn't there.

I ran malwarebytes and it detected the file in the Application Data folder. I browsed to the folder and couldn't view it and I also couldn't view it using the command line. I tried to delete it using the command line but was informed that the file does not exist.

Anyone know how it manages to hide the executable like this?

Cheers,
Cathal
 
In situations like this I always boot into an external environment such as ERD Commander, UBCD or Ubuntu and delete the file that way. That way any processes which are in place to keep the file hidden are removed from the equation.
 
It could be a rootkit, run tdsskiller from kaspersky to clean it, if it finds nothing run gmer to check for hooks in the kernel.

It could be the program is moving from folder to folder and you miss it. The registry just says where it was when the OS booted, it doesn't say where it's at when it's running.

Just some thoughts, I'd run tdsskiller before booting to a bootdisk and removing the file. Otherwise you could end up with a system that doesn't boot: the rootkit loads, but the file it tries to manipulate is no longer there, so it hangs. If this occurs you can fix this by fixing the MBR from a bootdisk (or repair console if XP).

Good luck.
 
Hi,

I figured it out - kinda. I rebooted into ubuntu and found that each virus executable was accompanied by a binary file which must have served some sort of cloaking function in explorer? I then retried examining the files using the command prompt in XP and they weren't there until I remembered to use the /a flag. Not sure why I didn't think of that before :o. I guess being a linux proponent I'm used to ls -a and wasn't sure that the same thing existed. Anyhow, that allowed me to see (and delete) the files using the command prompt.

It does lead me on to another question though. What purpose do the secondary files have? I'm assuming they cloak the executable in explorer, but how? When I have viewed them they tend to have long non-mnemonic names e.g. (m57fdda33432.........................etc) and appear as binaries in ubuntu.

Appreciate the help.

Cathal
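Worked example, added to this thread and not posted by anyone above: a PowerShell script that does, in a repeatable way, what the posts describe doing by hand. It lists every Hidden/System file under the XP per-user Local Settings\Application Data folder (the PowerShell -Force switch is the equivalent of dir /a), prints which autorun registry values point into that folder, and, only when asked, clears the attributes and deletes the files (cmd's del will not touch a hidden/system file, which is the "file does not exist" message from the first post). The folder path is taken from the first post; the list of registry keys is my assumption of where to look, including the exefile\shell\open\command key that is one known way to get a program to "spawn whenever you open any programs". The thread's own point still applies: if a kernel hook is hiding the file, this script is lied to exactly like Explorer is, and an offline boot is the reliable check.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the
# affected XP machine, or point -Target at a mounted offline copy of the profile.
param(
    # Folder named in the first post; assumed default, override as needed.
    [string]$Target = (Join-Path $env:USERPROFILE 'Local Settings\Application Data'),
    # Nothing is deleted unless -Remove is given.
    [switch]$Remove
)

# Assumed starting points for autorun persistence. The exefile key is checked
# because of the "spawns whenever you open any program" symptom: on a clean
# machine its (default) value is exactly "%1" %* and nothing else.
$autorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Classes\exefile\shell\open\command',
    'HKLM:\Software\Classes\exefile\shell\open\command'
)

$hiddenMask = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System

# -Force includes Hidden and System entries, which a plain Get-ChildItem
# (and a plain dir) silently skips.
$hidden = Get-ChildItem -LiteralPath $Target -Force -Recurse -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and (($_.Attributes -band $hiddenMask) -ne 0) }

"Hidden/System files under ${Target}:"
$hidden | Select-Object FullName, Attributes, Length, LastWriteTime | Format-Table -AutoSize

"Autorun values that reference that folder (or any .exe, for the exefile keys):"
foreach ($key in $autorunKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip the provider's own metadata
        $value = [string]$prop.Value
        $isExefileKey = $key -like '*exefile*'
        # For the exefile keys anything other than the stock value is suspicious;
        # for the Run keys only values pointing into the target folder matter.
        if (($isExefileKey -and $value -ne '"%1" %*') -or
            (-not $isExefileKey -and $value.ToLower().Contains($Target.ToLower()))) {
            '{0}\{1} = {2}' -f $key, $prop.Name, $value
        }
    }
}

if ($Remove) {
    foreach ($f in $hidden) {
        # Clear Hidden/System/ReadOnly first; this is the attrib -h -s -r step
        # that has to precede del on the command line.
        $f.Attributes = [IO.FileAttributes]::Normal
        Remove-Item -LiteralPath $f.FullName -Force
        "deleted $($f.FullName)"
    }
}
```

Run it once without -Remove to see the list and the registry hits, kill or rename the malware process first (it re-creates its files and keys while running, as the first post saw), then run with -Remove. Registry values may reference the folder through %USERPROFILE% or an 8.3 short name rather than the literal path, so read the printed values yourself rather than trusting an empty match list; and if the scanner still flags a file this listing cannot see, do the deletion from the boot disk as suggested above.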
 
I realize this is a bit late but I'm just now seeing this...

Do you happen to have a sample of the virus you can send me? I like playing with them and this one sounds fun.
 
Hi,

I have a copy of the installer alright. I was playing around with it in a VM. The virus launches an app called XP security 2011 I think. PM me your email address and I can send it to you.

Cheers,
Cathal
 