Saving money thanks to some viruses
21 July 2006
I haven't had much to do with viruses in the last few years, working in a firewalled office and being a very cautious user anyway. But when I travelled through South East Asia and used Internet cafés to check my email and surf a bit, I was hit by them. The first time I recall this was in an Internet café in Saigon, Vietnam. I was using Windows Explorer and noticed a new folder on my iPod when copying photos from my digital camera. I opened the folder but it didn't open, odd. I also noticed the machine rebooted randomly when I tried to do some work. I complained about the PC but the owners were clueless and said this had never happened before; they couldn't even reproduce it.
The next day I was less in a hurry and looked at this a bit closer. File Manager showed a new program in every directory of my iPod with the same name as the directory and about 45 (or 83) KB in size. In Explorer, with known extensions hidden and the icon being the folder icon, you think it is a folder rather than an application. Of course it's actually a virus, and every time a user tries to open that 'folder' the virus starts another instance. In Task Manager there is nothing odd to see, all well-known process names here, but wait, why are there two services.exes and two lsass.exes? There should always be only a single one of those. Let's enable the username column and yes, these processes are running under the currently logged-on user account; they should always run as 'NT AUTHORITY\SYSTEM'. The tree view in Process Explorer makes the virus much easier to spot: they are not in the services.exe branch and their full file path isn't .../system32/ Very well hidden, these guys, I have to say; if you don't know a bit about the NT system processes, you won't spot them.
Let's kill these suckers. In Task Manager it doesn't work because it doesn't let you kill things like services.exe; it thinks it's a system process (they just do a name comparison). After I killed the first virus process in Process Explorer the box shut down right away. I guess the other processes monitor each other. After the reboot they are all back, so let's use Autoruns.exe to remove these programs from the autostart places in the registry. Even though this worked for some time, newer versions of the virus know about autoruns.exe and msconfig.exe and reboot when you try to start them. They have a blacklist of programs they consider dangerous to them and reboot as soon as any of these are starting. The list includes cmd.exe, regedit.exe and taskkill.exe, which explains why my machine rebooted all the time when I first encountered this virus. Deleting the virus files doesn't work because they are in use. I wrote a small script to kill all viruses via WMI, but as soon as it started using cscript.exe, reboot.
Using a third party registry editor such as RegWorks may work but I didn't have one at the time, it's also a painful process to manually find all the places in the registry that have to do with startup applications. Other software such as Word or IE work fine, after all they want to keep the PC running and do their thing, and only reboot when someone is after them.
One idea I had was to use pskill.exe remotely from another machine to kill the viruses. This failed in most cases because the admin user had no password and pskill doesn't support empty passwords, also many machines had the SP2 firewall enabled and pskill or psexec don't work through it.
The solution that worked in the end was to write down the process IDs of all the viruses and create a batch file with multiple pskill entries:
This kills them so fast that they can't initiate a reboot. Sometimes notepad.exe was in their blacklist (but never taskmgr.exe, which you need to get the process IDs). In these cases I wrote the batch file on another machine and then executed it from my USB drive.
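The two checks described above (a second services.exe or lsass.exe, and copies not running as SYSTEM or not living in system32) and the "write down the PIDs, then build a batch file of pskill lines" step can be put into one script. The following is an added example, not code from the original post; it assumes Windows XP Professional or Server 2003 (tasklist.exe and wmic.exe present), an English locale, and pskill.exe in c:\bin as used in the post. It does not kill anything itself; it writes the pskill lines to a file you review first.

```batch
@echo off
rem Added example, not part of the original post: find look-alike copies of
rem core NT processes and write a batch file of pskill commands for them.
rem Assumes XP Pro / 2003 with tasklist.exe and wmic.exe, English locale,
rem and c:\bin\pskill.exe as in the post.
setlocal enabledelayedexpansion
set KILLFILE=%TEMP%\killlist.bat
> "%KILLFILE%" echo @echo off

for %%P in (services.exe lsass.exe winlogon.exe csrss.exe smss.exe) do (
    rem 1. count the instances: each of these should exist exactly once
    set COUNT=0
    for /F %%C in ('tasklist /FI "IMAGENAME eq %%P" /FO CSV /NH ^| find /c /i "%%P"') do set COUNT=%%C
    echo %%P: !COUNT! instances

    rem 2. any copy not owned by SYSTEM is an impostor: record its PID.
    rem    tasklist /FO LIST prints one "PID:  nnnn" line per process.
    for /F "tokens=2" %%I in ('tasklist /V /FI "IMAGENAME eq %%P" /FI "USERNAME ne NT AUTHORITY\SYSTEM" /FO LIST ^| find "PID:"') do (
        echo   SUSPECT PID %%I is not running as SYSTEM
        >> "%KILLFILE%" echo c:\bin\pskill.exe %%I
    )

    rem 3. second indicator: the genuine binary lives in %SystemRoot%\system32.
    rem    Lists path and PID of copies elsewhere; the path is blank for
    rem    processes you lack rights to inspect, so treat blank as unknown.
    wmic process where "name='%%P'" get ExecutablePath,ProcessId 2>nul | findstr /i /v "system32" | findstr /r "[0-9]"
)

echo.
echo Review this file, then run it from the Run dialog or a USB drive:
echo %KILLFILE%
type "%KILLFILE%"
endlocal
```

The redirections are placed at the front of the echo lines on purpose: `echo 1234>> file` could make cmd read a trailing digit as a stream handle. Because the kill list is written to a file rather than executed, you can carry it to an infected machine the same way the post describes, and the pskill lines run back to back with no prompt in between.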
There is a tool called DtaskManager which allows you to select multiple processes and kill them together, but it didn't work very well for me. In any case you need to know which processes are actually viruses to get their process IDs.
Finally I wrote a command (single line) to kill all user processes except explorer:
for /F "usebackq tokens=2 delims= " %%i IN (`tasklist /FI ^"USERNAME eq %USERNAME%^" /FI ^"Imagename ne explorer.exe^" /FI ^"Imagename ne tasklist.exe^" /FO LIST ^| find ^"PID^"`) DO c:\bin\pskill.exe %%i
Make sure you have pskill.exe on the machine and copy the line into the Start-Run dialog. It first runs tasklist to get a list of all processes except explorer.exe and tasklist.exe, pipes the list into find to get all the process IDs (the "PID:" lines of the LIST output), and for each entry in that list calls pskill.exe. Note that the doubled %%i is the batch-file form; when the line is typed interactively (Run dialog or command prompt) the for variable must be written as a single %i.
After this you have killed all the viruses (and anything else, for that matter) but can now run autoruns.exe to clean the registry. You should also run a virus scan to remove all the virus files, or search for *.exe files with a size of 45 or 83 KB.
Some more points
- The command above doesn't work all the time (not sure why), but the manually created batch file always worked.
- Some AntiVirus software didn't detect this virus, some were disabled. It seems the virus tries to disable any AntiVirus software.
- I never looked into what it actually does but sometimes the process used 100% CPU and pinged remote computers, other times it didn't do anything.
- I found this on at least a dozen machines in at least four different versions. Some of them were SysInternals-aware, but you can just rename the executables pslist and pskill. If you don't use 4NT as your command line, you need to rename cmd.exe before you can use it.
- Another approach is to change the registry remotely from another machine. This should work because it never executes anything on the machine itself; I just never had a network where remote access worked.
- At the moment I can still manage to get rid of these processes, but I'm sure it will get even harder in the future.
Why did I save money? Because if the staff in the Internet café were smart enough to see the threat of viruses and I cleaned their machines, I could use their PCs for free for the next few days.