
Thread: thekeys.ws virus (don't know what it is)

  1. #1

    thekeys.ws virus (don't know what it is)

    Hi,
    I'm nearly a complete newbie in malware analysis; however, I know a little bit about RCE.
    I tried analyzing some malware by myself, and came across this website: thekeys.ws (all files contain trojans).
    Checking one of the trojans (an auto-downloader), even for me it was an easy task to analyze.
    However, I assumed the other file coming with it was an easy and boring exe, but it turns out it was a virus.

    Disassembling it in IDA got me infected.
    By checking out a few infected exes, I found out that setting a bp on kernel32.CloseHandle until reaching popad will get to the OEP (the virus is not packed; it inserts some code).
    Some other stuff I found: it is polymorphic, modifies winlogon, and modifies the hosts file to get access to the internet and download some other malware.

    I don't know what this is, and have no idea how to remove it

    Searching on Google I can't find anything, and have no tool for removal, so I'm asking for some help.

    thank you all

    The virus infected itself.

    pass: thekeys.ws
    Attached Files
    Last edited by simonzack; March 12th, 2009 at 07:17.

  2. #2
    Virus name: win32.vitro
    Installing an AV should be able to help you remove it.
    esther


    Reverse the code,Reverse Your Minds First

  3. #3
    Thanks for the info
    The virus finally hijacked winlogon (BSOD; I think the virus errored because of an unexpected ExitProcess, which the virus calls if something in it fails) and I can't log on anymore.
    Which AV should I use so I can repair the files instead of removing them?
    I think such a tool should exist, because I don't think repairing the files is that hard, since the virus contains the original code of the stolen OEP unencrypted.
    I would need a free AV/tool.
    Some suggestions?

    Any way to log on at all?
    The Windows recovery disk is fucking stupid;
    it can't detect any hard drive, so it refuses to repair Windows.
    I'm lost on what to do.


    The virus killed safe mode too by modifying winlogon.
    Last edited by simonzack; March 13th, 2009 at 01:54.

  4. #4
    Kayaker (Teach, Not Flame; joined Oct 2000; 4,154 posts; 5 blog entries)
    Hi

    In doing a quick search of this new Virut variant, as identified by esther, it looks like most of the IT guys are tearing their hair out over this one. The recommended solution seems to be a complete reformat/repartition/reinstall.

    The problem with running an AV on it, for the few that might be able to deal with it at this point in time, is that the infected files will be deleted or moved to quarantine, not repaired, including all infected system files. Run the AV once and you can't even reboot.

    All things considered, and the fact that you're dealing with the very advanced Virut family, I would simply bite the bullet and do a complete reformat/reinstall. That is, if you want to sleep at night.

    Since it's been mentioned to also infect html and pdf files, I wouldn't keep any of those old files around either:

    http://community.ca.com/blogs/securityadvisor/archive/2009/02/09/infectious-virut-on-the-loose.aspx


    Some of the Virut strains are reported to infect the MBR, I think the recommended method in that case is to POWER OFF the computer completely after deleting the partitions, BEFORE creating the new partitions and reinstalling the OS. See here for example:

    http://www.bleepingcomputer.com/forums/index.php?showtopic=200801&view=findpost&p=1130216




    Let's back up a minute. What do you mean by "Dissassembling it in ida got me infected"?

    Infection from a static disassembly should be impossible. Unless you were actually debugging it and it got away from you.

    I don't mean to admonish you, but to start with, you should NEVER NEVER NEVER analyze a malware outside of a VM/Sandbox. There are several threads in this particular forum, as well as google of course, with links or information on setting up and properly using such a system.

    Even handling an exe file for static disassembly in IDA (on your main system), it's usually safer to rename the *.exe extension so you never have to worry about accidentally double clicking on them. (I usually rename them to *.dll files so they are still easily opened by other tools).
    All live analysis MUST be done in a VM!


    Good luck,
    Kayaker

  5. #5
    @Kayaker:
    Thanks for the info.
    However, I wonder why you need a complete format.
    I checked the exe files (while the computer was still alive),
    and it seems the OEP is really clear to find; it should be simple to disinfect them, and the rest of the exe is not touched except for the appended virus section, so to keep them I guess I just need to repair and change the OEP (only a few bytes).
    This sounds very different from your description; I'm guessing it's not the new strain?
    I did analyze the virus in VMware, however I didn't bother to install IDA in it,
    so I ran IDA on my physical machine and got infected.
    I don't know how it got infected either; I never debugged it, nor did I double-click on it.
    The problem then might be from a deobfuscation plugin? (I'm not sure if it executes the exe.)
    It's true I have no experience in malware; thanks for the advice.

    BTW, I really don't want a repartition;
    that'll remove all my RCE stuff from when I started,
    all of it.

    With HTML/PDF I guess I'll copy and zip them onto an external hard drive.
    I did boot using the Windows recovery disk.
    One of the posts says the virus deletes the partitions!
    Please let that not happen.
    Last edited by simonzack; March 13th, 2009 at 02:26.
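The repair idea simonzack sketches above (an appender that adds a section, redirects the entry point into it and keeps the stolen OEP in its body, so disinfection is "restore the OEP and drop the appended section") as an added, runnable example. This is not code from the thread and it does not model Virut's real on-disk layout: the tiny PE32 and the "infection" are constructed in memory, and the stand-in virus body stores the OEP as a plain 32-bit value at its start, an assumption made so the recovery step is visible.

```python
"""Added example (not from the thread): minimal PE32 inspector/repairer for an
appended-section infection.  Sample PE and 'infection' are constructed here;
the virus-body layout (OEP saved as the first dword) is an assumption."""
import struct

FILE_ALIGN = 0x200
SECT_ALIGN = 0x1000
OPT_OFF = 24            # optional header follows 4-byte signature + 20-byte COFF header
SECTION_HDR = 40
SEC_FMT = '<8sIIIIIIHHI'  # IMAGE_SECTION_HEADER

def align(v, a):
    return (v + a - 1) & ~(a - 1)

def build_clean_pe():
    """Construct a tiny PE32 with a single .text section (constructed sample)."""
    dos = bytearray(64)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 60, 64)                    # e_lfanew
    coff = struct.pack('<IHHIIIHH', 0x4550, 0x14c, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into('<H', opt, 0, 0x10b)                  # PE32 magic
    struct.pack_into('<I', opt, 16, 0x1000)                # AddressOfEntryPoint
    struct.pack_into('<I', opt, 28, 0x400000)              # ImageBase
    struct.pack_into('<I', opt, 32, SECT_ALIGN)
    struct.pack_into('<I', opt, 36, FILE_ALIGN)
    struct.pack_into('<I', opt, 56, 0x2000)                # SizeOfImage
    struct.pack_into('<I', opt, 60, FILE_ALIGN)            # SizeOfHeaders
    text = struct.pack(SEC_FMT, b'.text', 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    hdr = (dos + coff + opt + text).ljust(FILE_ALIGN, b'\0')
    code = b'\x33\xc0\xc3'.ljust(0x200, b'\xcc')           # xor eax,eax ; ret
    return bytes(hdr + code)

def parse(pe):
    """Pull out the fields the checks below need: entry point and section table."""
    e_lfanew = struct.unpack_from('<I', pe, 60)[0]
    nsec = struct.unpack_from('<H', pe, e_lfanew + 6)[0]
    opt = e_lfanew + OPT_OFF
    ep = struct.unpack_from('<I', pe, opt + 16)[0]
    first_sec = opt + struct.unpack_from('<H', pe, e_lfanew + 20)[0]
    secs = []
    for i in range(nsec):
        off = first_sec + i * SECTION_HDR
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(SEC_FMT, pe, off)
        secs.append(dict(name=name.rstrip(b'\0'), va=va, vsize=vsize, rawsize=rawsize,
                         rawptr=rawptr, chars=chars, hdr_off=off))
    return dict(e_lfanew=e_lfanew, opt=opt, ep=ep, secs=secs)

def infect(pe):
    """Stand-in appender: add a W+X '.vir' section, point EP into it, and keep the
    stolen OEP as a dword at the start of the body (assumed layout, demo only)."""
    info = parse(pe)
    last = info['secs'][-1]
    va = align(last['va'] + max(last['vsize'], last['rawsize']), SECT_ALIGN)
    body = struct.pack('<I', info['ep']).ljust(0x200, b'\x90')
    hdr = struct.pack(SEC_FMT, b'.vir', len(body), va, len(body), len(pe), 0, 0, 0, 0, 0xE0000020)
    out = bytearray(pe)
    out[last['hdr_off'] + SECTION_HDR: last['hdr_off'] + 2 * SECTION_HDR] = hdr
    struct.pack_into('<H', out, info['e_lfanew'] + 6, len(info['secs']) + 1)
    struct.pack_into('<I', out, info['opt'] + 16, va + 4)  # EP just past the saved OEP
    struct.pack_into('<I', out, info['opt'] + 56, va + SECT_ALIGN)
    return bytes(out + body)

def find_suspicious_ep(pe):
    """Flag a PE whose entry point lies in a writable+executable last section
    (the appended-section pattern described in the thread)."""
    info = parse(pe)
    last = info['secs'][-1]
    in_last = last['va'] <= info['ep'] < last['va'] + max(last['vsize'], last['rawsize'])
    wx = (last['chars'] & 0x80000000) and (last['chars'] & 0x20000000)
    return bool(in_last and wx and len(info['secs']) > 1)

def disinfect(pe):
    """Recover the OEP from the appended body, restore it, remove the section
    header, fix NumberOfSections/SizeOfImage and truncate the appended data."""
    info = parse(pe)
    last, prev = info['secs'][-1], info['secs'][-2]
    oep = struct.unpack_from('<I', pe, last['rawptr'])[0]
    out = bytearray(pe[:last['rawptr']])
    out[last['hdr_off']: last['hdr_off'] + SECTION_HDR] = b'\0' * SECTION_HDR
    struct.pack_into('<H', out, info['e_lfanew'] + 6, len(info['secs']) - 1)
    struct.pack_into('<I', out, info['opt'] + 16, oep)
    struct.pack_into('<I', out, info['opt'] + 56,
                     align(prev['va'] + max(prev['vsize'], prev['rawsize']), SECT_ALIGN))
    return bytes(out)

if __name__ == '__main__':
    clean = build_clean_pe()
    bad = infect(clean)
    print('clean flagged:', find_suspicious_ep(clean), '| infected flagged:', find_suspicious_ep(bad))
    print('repair restores original bytes:', disinfect(bad) == clean)
```

The check only catches the case where the header's AddressOfEntryPoint was moved; an infector that instead overwrites the first bytes at the original entry point with a jump leaves the header untouched and needs a code-level comparison against a clean copy, which is the approach simonzack describes for files where a known-good original is available.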

  6. #6
    If you did install VMware Tools, I suspect that the virus, during debugging, "ran" out of VMware and infected your physical machine, just my 2 cents.


    Virut variants are nasty stuff; your best bet is to reinstall Windows now.
    esther


    Reverse the code,Reverse Your Minds First

  7. #7
    Kayaker (Teach, Not Flame)
    Quote Originally Posted by simonzack View Post
    btw I really don't want a repartition
    That's the spirit! It's strange that you can't boot the computer, a virus shouldn't kill its host (unless it was designed to do that). It should instead exist symbiotically like the Goa'Uld.

    So here's a good opportunity to do some reversing, reinstall Windows if you can and see if you can manually clean the system. Let us know if you have any success.

    When you find out it's infected your MBR as well, THEN you can repartition and do it all over again.

  8. #8
    Registered User (joined Mar 2003; location NetsVille; 30 posts)
    Hi simonzack,

    Do you know of www.virustotal.com? A useful place to find out a little more about suspicious files, and like what was said above, 61% of the scanners reported it as a Vitro/Virut variant, but of course these scanners are only useful if they know about such things.

    Darren

  9. #9
    Howdy,

    Do not copy or save any files to any other form of media.
    Reinstallation will just put the virus right back on your box.

    You need to make sure the MBR is clean or you are just wasting time.

    Woodmann

  10. #10
    Hi,
    You can load BartPE on your CD, delete the System Volume Information folder, Program Files, the Windows directory, and Documents and Settings, then try reinstalling Windows.

    Update:
    This variant doesn't infect the MBR; per my "research", it only infects some Windows system files.
    Last edited by esther; March 14th, 2009 at 00:32.
    esther


    Reverse the code,Reverse Your Minds First

  11. #11
    I'm not sure if it has infected the MBR, since the Windows recovery disk can't detect the hard drive (is that intentional by the virus?).
    Do not copy or save any files to any other form of media.
    I'm not sure how I can do this since Windows is stuck at winlogon, thus cannot start up (I think safe mode uses that program too; I think this is not intentional but a virus bug, like some others at the forums you mentioned suggested). Can you provide some suggestions? (It CAN still boot up; the pre-startup AV scan can run.)

    BartPE: that'll be most convenient; I'm not sure if this laptop can burn (it's quite old), I'll check.

    My original plan was to get some kind of external hard-drive enclosure to transfer my files to another computer, with a no-execute mode (not sure how to do that yet), then to statically compare the virus with an uninfected file (I have a few places where I can compare these), then disinfect the files (all exes).

    I hope with BartPE I can change this a bit and only operate on my infected computer (it'll prevent further possible infection).

    I don't really plan to study the virus yet, since I think it's easier to disinfect files first.
    The last step would be to remove stuff in HTML.
    Then I would copy these disinfected files to an external hard drive (my files only),
    then re-zero the hard drive, reinstall Windows, then copy stuff back on.
    I think this will kill the virus.

    My AV has warned me many times that the virus is infecting winlogon, but I had no idea this would be the result (thought it was just infecting another exe).

    VirusTotal: thanks, I'll check that out.
    Last edited by simonzack; March 14th, 2009 at 03:12.

  12. #12
    evaluator (Musician member; joined Sep 2001; 1,524 posts; 1 blog entry)
    I uploaded the decrypted virus body;
    where can the MBR-like code be??
    But @404000 there is a group of encrypted bytes.

    pass: virus
    Attached Files

  13. #13
    evaluator
    Ahm, it is also a downloader!
    It downloaded other "brothers", and one of them drops a 2007-made
    E-Worm.Mydoom.bj.1, MD5=ee1df61226033d18d0ed64820b41fe15

    pass: virus
    Attached Files

  14. #14
    Yeah, I kinda decrypted it too, and analyzed just a bit further than that, until the place of the Zw functions and the virus poly (I think).
    I have not a clue about Zw functions and kernel stuff; is this somehow related to file infection?
    Relating to the MBR: I think it might have changed it, since the Windows recovery disk can't recognize the hard drive, thus I can't really use that to fix the MBR.
    Umm... does BartPE transfer control to the MBR? If it does, I hope it won't get the virus running again (I hope nothing is run from the hard drive using BartPE).
    Do you think this virus can be cleaned quite easily?
    Last edited by simonzack; March 15th, 2009 at 10:11.

  15. #15
    evaluator
    In my opinion, before thinking about virus cleaning, you need to take back control of the partition.

    After that, look at every exe/dll/sys on the drive; if any looks packed/encrypted, move it to some chosen directory.
    If the system partition is NTFS... lamest thing... just hope there was no stream infection, or cure it.

    Edit: but some virus .sys files are not encrypted, and this case is here in
    E-Worm.Mydoom... "protect.sys"
    Last edited by evaluator; March 15th, 2009 at 13:50.
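The triage step evaluator proposes above (walk the drive, look at every exe/dll/sys, set aside anything that looks packed or encrypted) as an added, runnable example; it is not code from the thread. It uses Shannon entropy as the "looks encrypted" heuristic and moves hits into a quarantine directory. The sample tree, file names and the 7.2 bits/byte cut-off are constructed assumptions for the demo, not figures from the thread; evaluator's own caveat that some virus .sys files are not encrypted means a low-entropy file is not thereby clean.

```python
"""Added example (not from the thread): entropy-based triage of exe/dll/sys
files under a directory, moving suspected packed/encrypted ones to quarantine.
Sample files, names and threshold are constructed assumptions."""
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter

SUSPECT_EXT = {'.exe', '.dll', '.sys'}
ENTROPY_THRESHOLD = 7.2   # bits/byte; assumed cut-off, plain x86 code sits well below it

def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_packed(path, threshold=ENTROPY_THRESHOLD):
    with open(path, 'rb') as f:
        return shannon_entropy(f.read()) >= threshold

def triage(root, quarantine, threshold=ENTROPY_THRESHOLD):
    """Move every high-entropy exe/dll/sys under root into quarantine (skipping
    the quarantine directory itself) and return the list of original paths moved."""
    os.makedirs(quarantine, exist_ok=True)
    q_abs = os.path.abspath(quarantine)
    moved = []
    for dirpath, _, filenames in os.walk(root):
        if os.path.abspath(dirpath).startswith(q_abs):
            continue
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in SUSPECT_EXT:
                continue
            src = os.path.join(dirpath, name)
            if looks_packed(src, threshold):
                # fold the relative path into the name so two files with the
                # same basename cannot overwrite each other in quarantine
                rel = os.path.relpath(src, root).replace(os.sep, '_')
                shutil.move(src, os.path.join(quarantine, rel))
                moved.append(src)
    return moved

def pseudo_random_bytes(n, seed=b'demo'):
    """Deterministic high-entropy bytes (chained SHA-256) standing in for an
    encrypted body, so the example behaves identically on every run."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])

def build_sample_tree():
    """Constructed sample: two plain binaries, one 'encrypted' driver, one text file."""
    root = tempfile.mkdtemp(prefix='triage_')
    os.makedirs(os.path.join(root, 'sys'))
    plain_code = b'\x55\x8b\xec\x33\xc0\x5d\xc3' * 300   # repetitive x86 prologue/epilogue
    with open(os.path.join(root, 'clean.exe'), 'wb') as f:
        f.write(plain_code)
    with open(os.path.join(root, 'sys', 'helper.dll'), 'wb') as f:
        f.write(plain_code + b'\0' * 1024)
    with open(os.path.join(root, 'sys', 'dropper.sys'), 'wb') as f:
        f.write(pseudo_random_bytes(4096))
    with open(os.path.join(root, 'notes.txt'), 'w') as f:
        f.write('x' * 4096)
    return root

def run_demo():
    """Build the sample tree, triage it, return (moved, remaining) basenames."""
    root = build_sample_tree()
    quarantine = os.path.join(root, 'quarantine')
    moved = sorted(os.path.basename(p) for p in triage(root, quarantine))
    remaining = sorted(f for d, _, fs in os.walk(root) for f in fs
                       if not d.startswith(quarantine))
    shutil.rmtree(root)
    return moved, remaining

if __name__ == '__main__':
    moved, remaining = run_demo()
    print('quarantined:', moved)
    print('left in place:', remaining)
```

Note that os.walk only lists the default data stream of each file; the "stream infection" evaluator mentions lives in NTFS alternate data streams, which this walk does not enumerate, so on an NTFS volume the streams have to be listed separately with Windows-specific tooling before trusting a file as clean.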
