the spotted blog

Tuesday, September 25, 2007

Human vs Virus

It's an age-old battle, full of heroism and valour. For centuries brilliant minds toiled against epidemics, risked their families to devise vaccines and what not. But this has nothing to do with them. This is far more trivial. It's not about humans against nature; it's war in its most perverse form, human versus human. This is about computer viruses.

You could say I was asking for it: I had checked the creation date of the exe (16-Sept-2007 .. 5 days ago), and yet I decided to click on it. I guess too much faith in the antivirus software running in the background did me in. It didn't mutter a word when I unzipped the contents of the archive onto my hard disk. It was minutes later, when Windows Explorer disappeared without a warning, that realization finally set in. Infection.

Reboots reaffirmed it. Explorer wouldn't come back; I was left staring at my wallpaper after each reboot. No desktop icons. No menu bar. Luckily the three-fingered salute (Ctrl+Alt+Del) worked, giving me a hole to work through, and so did booting into the console. From the console I was able to determine that the last modified files were three system files in the C:\windows\system32 directory:

geedb.dll, yayayyv.dll and wpa.dbl

wpa.dbl turned out to be related to Windows Product Activation; it holds the license and some configuration details, and is supposedly rewritten at every shutdown. In any case it had been created months ago. The DOS command dir /O:D /T:W sorts the listing by last-write time, whereas dir /O:D /T:C sorts by creation time. I also couldn't find any legitimate reference for the other two files on the internet, so they were highly suspect.

If you ever find yourself in a situation where you feel that your system has just been infected because of something you did, I would recommend noting down the time right then. It makes it much easier to identify which files were created or modified at that instant.
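As an added illustration of that triage step (this is example code written for this page, not something from the original post): a small Python script that lists the files in a directory whose last-write time (the dir /T:W view) or creation/change time (the dir /T:C view) falls after a timestamp you noted, newest first. The sample directory it builds is constructed for the demo; the file names are borrowed from the post, and their ages are invented. On Windows the "created" field maps to the real creation time; on Unix Python's st_ctime is the inode change time instead, so treat that mode as approximate there.

```python
import os
import tempfile
import time
from datetime import datetime
from pathlib import Path

# Which stat field each `dir` time switch corresponds to.
# /T:W -> last write (st_mtime); /T:C -> creation time on Windows, which
# Python exposes as st_ctime there (on Unix st_ctime is the inode change
# time, so /T:C-style results are only approximate off Windows).
TIME_FIELDS = {"written": "st_mtime", "created": "st_ctime"}


def files_changed_since(directory, cutoff, field="written"):
    """Return [(name, timestamp)] for regular files directly inside
    `directory` whose chosen timestamp is at or after `cutoff` (Unix epoch
    seconds), newest first. This is the `dir /O:D /T:W` (or /T:C) listing,
    reversed and filtered to the window after the time you noted."""
    attr = TIME_FIELDS[field]
    hits = []
    for entry in os.scandir(directory):
        # Skip directories and symlinks; only the files themselves matter.
        if not entry.is_file(follow_symlinks=False):
            continue
        ts = getattr(entry.stat(follow_symlinks=False), attr)
        if ts >= cutoff:
            hits.append((entry.name, ts))
    hits.sort(key=lambda item: item[1], reverse=True)
    return hits


def build_demo_dir():
    """Constructed sample standing in for the system32 listing in the post:
    wpa.dbl last written 30 days ago, geedb.dll one minute ago, yayayyv.dll
    just now. Returns (directory, reference_time)."""
    root = Path(tempfile.mkdtemp(prefix="triage_demo_"))
    now = time.time()
    for name, age_seconds in (("wpa.dbl", 30 * 86400),
                              ("geedb.dll", 60),
                              ("yayayyv.dll", 0)):
        path = root / name
        path.write_bytes(b"placeholder contents")
        stamp = now - age_seconds
        # Backdate atime and mtime; creation time cannot be set this way.
        os.utime(path, (stamp, stamp))
    return root, now


def report(directory, cutoff, field="written"):
    """Human-readable lines in the spirit of `dir`, for the console."""
    lines = []
    for name, ts in files_changed_since(directory, cutoff, field):
        when = datetime.fromtimestamp(ts).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f"{when}  {name}")
    return lines


if __name__ == "__main__":
    demo_dir, now = build_demo_dir()
    # The "time you noted": ten minutes before the current moment.
    noted = now - 600
    print(f"Files written since {datetime.fromtimestamp(noted):%H:%M:%S}:")
    for line in report(demo_dir, noted):
        print("  " + line)
```

Run it as-is to see the two recently written DLLs listed and wpa.dbl left out; point files_changed_since at a real directory and a real noted time to reproduce the check the post describes, and switch field to "created" to get the /T:C view.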

I tried to move these files to a location where they would remain inert, but failed: Windows was running and the DLLs were in use by a couple of processes, including winlogon.exe, so Windows wouldn't let me do it. I then tried booting from my Ubuntu live CD, but alas, my SATA drives weren't visible to Ubuntu.

Further googling led me to Process Explorer. In an instant it showed me that the aforementioned DLLs were not just relocated (loaded at an address other than their preferred base) but also packed to hide the code they contained. Those two were the only packed DLLs in the whole list, now in front of me...exposed because they tried to hide. :)

Process Explorer also lets you terminate individual threads of the process that loaded a particular DLL, and search all active processes for references to a given DLL. All in all, it's an awesome tool.

After terminating the relevant threads I could safely delete the two DLLs, and my system was restored to normal. I ran HijackThis as a confirmation and found that yayayyv.dll had registered itself as a Browser Helper Object (BHO). HijackThis could remove such registrations for me.

Now I am on the lookout for a good live CD that provides rescue and security tools. SystemRescueCd looks like a good option.

1 Comments:

Blogger Unknown said...

"Those two were the only packed DLLs in the whole list, now in front of me...exposed because they tried to hide. :)" nice one!

10:25 AM  
