Cretemonster

Greets


Words from the southside. Maybe old news here, but old news is sometimes new news too! :wink:

For some this is old news, but for me it's very new, and having a go at it proved most interesting.

This is gonna be short and sweet.

What the infection does:

It writes to two files found deep in the All Users folder:

qmgr0.dat and qmgr1.dat. I haven't gone in far enough to see if qmgr.dll is being modified, but I did not see any obvious changes.

I can actually describe everything that happens, but there is enough written to each file so that when Windows Automatic Updates kicks in and BITS is called, tada, the buggered .dat files make internet connections to a predefined URL with a predefined set of commands, connecting to Russian Business Network domains to download or update malware.

It usually drops three files in Windows\Temp; read the link below:

http://forums.anandtech.com/messageview ... erthread=y

BIT20DF.tmp, BIT20EF.tmp, BIT20??.tmp

Only one had data stored in it; not sure what the others are for.

At this time, you can disable BITS and disable crash control (recovery), and this stops the infection.

Telltale signs:

User complains firewall keeps prompting for access from svchost

If the user had allowed svchost total access through the firewall, the user won't complain and will just get reinfected over and over.

Next one is:

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

are roughly 17 KB each, whereas they should be:

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

5 or 6 KB

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

6 or 7 KB

Fix....heh....you're on your own!

I just grabbed my good copies from clean box and replaced the files in safe mode and all is well again.

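The post above gives three indicators to check by hand: the size of qmgr0.dat and qmgr1.dat, BIT*.tmp files in Windows\Temp, and svchost making outbound connections. The script below is an added example, not code from the original post or its author, that runs those checks and adds the one the post does not show, enumerating the BITS jobs actually stored in the queue. Assumptions: the 10 KB dividing line is taken from the poster's observed sizes on one Windows XP machine and is not a general rule; the queue directory moves to %ProgramData%\Microsoft\Network\Downloader on Vista and later, and Windows 10 replaced the .dat pair with qmgr.db, so the size check only applies where the .dat files exist; `Get-BitsTransfer` needs the BitsTransfer module (Windows 7 and later), with `bitsadmin.exe` as the fallback on older systems.

```powershell
# Added example, not code from the original post: triage checks for the
# BITS-queue tampering described above (qmgr0.dat/qmgr1.dat, BIT*.tmp,
# outbound connections from svchost). Run from an elevated prompt.

# The queue directory moved with the profile layout: "All Users\Application Data"
# on XP/2003 (the path the post quotes), ProgramData on Vista and later.
$QueueDirCandidates = @(
    (Join-Path $env:ALLUSERSPROFILE 'Application Data\Microsoft\Network\Downloader'),
    (Join-Path $env:ALLUSERSPROFILE 'Microsoft\Network\Downloader')
)

function Get-QueueFileFindings {
    # Size check using the post's numbers: clean qmgr0/1.dat were 5-7 KB, the
    # tampered pair about 17 KB. Assumption: 10 KB as the dividing line. Treat
    # this as a weak signal; Windows Update legitimately grows the queue files.
    $dir = $QueueDirCandidates | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $dir) { return @('BITS queue directory not found (Windows 10+ uses qmgr.db instead)') }
    $out = @()
    foreach ($name in 'qmgr0.dat', 'qmgr1.dat') {
        $f = Get-Item (Join-Path $dir $name) -ErrorAction SilentlyContinue
        if (-not $f) { continue }
        $verdict = if ($f.Length -gt 10KB) { 'above clean baseline, inspect' } else { 'within baseline' }
        $out += ('{0}: {1} bytes, last written {2}: {3}' -f $f.FullName, $f.Length, $f.LastWriteTime, $verdict)
    }
    return $out
}

function Get-BitsJobFindings {
    # The decisive check: list every user's BITS jobs with source URL and target
    # path. A RemoteName that is not a Microsoft update host, or a NotifyCmdLine
    # that runs a program when the transfer completes, needs a closer look.
    Import-Module BitsTransfer -ErrorAction SilentlyContinue
    if (Get-Command Get-BitsTransfer -ErrorAction SilentlyContinue) {
        $out = @()
        foreach ($job in Get-BitsTransfer -AllUsers) {
            foreach ($file in $job.FileList) {
                $out += ('job "{0}" owner {1} state {2}: {3} -> {4}' -f `
                    $job.DisplayName, $job.OwnerAccount, $job.JobState, $file.RemoteName, $file.LocalName)
            }
            if ($job.NotifyCmdLine) { $out += ('  notify command: {0}' -f $job.NotifyCmdLine) }
        }
        return $out
    }
    # Older systems (XP needs the Support Tools installed): bitsadmin shows the same data.
    return @(& bitsadmin.exe /list /allusers /verbose 2>&1)
}

function Get-TempFileFindings {
    # BIT*.tmp in %SystemRoot%\Temp are BITS's normal in-progress downloads, so
    # their presence alone proves nothing; the post found only one of three held
    # data, so report the sizes and timestamps for correlation with the jobs.
    Get-ChildItem (Join-Path $env:SystemRoot 'Temp') -Filter 'BIT*.tmp' -ErrorAction SilentlyContinue |
        ForEach-Object { '{0}: {1} bytes, last written {2}' -f $_.FullName, $_.Length, $_.LastWriteTime }
}

function Get-BitsHostConnections {
    # The firewall prompt the post describes is the svchost instance hosting the
    # BITS service opening outbound connections; show that process's sockets.
    $bitsPid = (Get-WmiObject Win32_Service -Filter "Name='BITS'").ProcessId
    if (-not $bitsPid) { return @('BITS service is not running') }
    & netstat.exe -ano |
        Where-Object { $_ -match 'ESTABLISHED|SYN_SENT' } |
        Where-Object { ($_ -split '\s+')[-1] -eq "$bitsPid" }
}

'--- queue files ---';                        Get-QueueFileFindings
'--- BITS jobs ---';                          Get-BitsJobFindings
'--- BIT*.tmp in Windows\Temp ---';           Get-TempFileFindings
'--- connections from the BITS svchost ---';  Get-BitsHostConnections
```

The job listing is the part to trust: a queue entry pointing at an unfamiliar host, owned by an account that has no business downloading anything, is the infection the post describes, whatever the file sizes say. Note that the BITS service keeps qmgr0.dat and qmgr1.dat open, which is why the poster had to swap in clean copies from safe mode; stopping the service first (or cancelling every job with `bitsadmin /reset /allusers`, a step the post does not mention) achieves the same without a reboot.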

Thanks C for the support data :)

I've just been reading the background links supplied elsewhere....

Scary stuff about BITS and firewall bypassing. At least Wireshark caught the data flow for you and highlighted the unseen 8)
