
f0r0r demystified


#1 Jackb




Posted 10 June 2004 - 06:48 PM

F0r0r has kept the security community busy for some while. Now that I have completed its analysis, I can post some information regarding its payload.

Apparently, f0r0r spreads mainly through the LSASS vulnerability (MS04-011), using one of its components; more on that later.

Upon infection, the trojan drops an installation executable in the %SYSTEMDRIVE%\TEMP directory; the file is always named d0r1t1s.exe. Then, the file is


Here starts the second phase in the infection process, which is in fact a collection of worms. The virus files are placed in the %SYSTEMROOT%\SYSTEM32\f0r0r directory. First the worm installs HXDEF (HackerDefender); this is done to make analysis and removal of this virus harder. Here's how HXDEF works:

The f0r0r variant of HXDEF is installed by a file named dorod.exe in the f0r0r directory. It is installed following a virus rule set which is defined in the file dorod.ini, which will later become invisible too. This INI file has all the information HXDEF needs in order to complete its installation and serve the parent virus.

HXDEF then, given the information in the INI file, renders predefined folders, files, registry keys, registry values, and services invisible. This goal is achieved through a complex root-kit system, involving a system level driver. Here's how that's achieved:

1) Allocating a memory pool inside a host process, and injecting viral handler functions into this pool.
2) Collecting a list of API functions to infect.
3) Placing a jump instruction at the beginning of each API function in order to hook it. The purpose of this jump instruction is to hand control of a hooked function over to hxdef, so when the API hands back the handler function, hxdef executes its filtering routine in order to conceal the predefined folders, files, registry keys, registry values, and services.

Once I could isolate the .ini file for the f0r0r variant, I examined it. Here are the highlights of this examination:

Hidden directories, files, processes: f0r0r, temp, dorod* ; This means that any file, folder, or process bearing one of these names will be hidden. To prove that, you can attempt to create a directory with one of these names on an infected machine; it will disappear instantly. The "*" character at the end of "dorod" is a wildcard, meaning that every file, folder, or process whose name starts with "dorod", no matter what follows it, will be hidden.

Hidden service: HackerDefender* ; This means that any service whose name starts with "HackerDefender" will be hidden (again, using "*" as a wildcard).

Hidden registry keys: HackerDefender100, LEGACY_HACKERDEFENDER100, HackerDefenderDrv100, LEGACY_HACKERDEFENDERDRV100 ; This means that any registry key bearing one of the above names will be invisible. In this particular case these names represent driver registry settings, and this is done in order to sabotage any attempt at locating these registry keys and disabling them, and thus disabling the driver.

There are four other options in this ini file, but they are not activated in f0r0r. They stand for hiding registry values (note the difference between a registry value and a registry key), placing hidden objects in the system startup, manipulating disk free space, and hiding TCP/IP ports.

There are some other settings in this ini file such as: Password (probably a password for root kit management), Driver name (dordodrv) and driver file name: dordo.sys

An interesting point is that whenever the driver file is accessed by the user, it is reported to be 0 bytes in size, even when the root kit is inactive (clean DOS boot disk). This is probably a deception technique implemented within hxdef to make analysis of its driver harder. So, to speculate, the root kit automatically voids the driver file after the driver is loaded in memory, since the SYS file is no longer required for this session. On each reboot the driver is loaded into memory, and then its SYS file is voided.

Returning to the API functions, here's the list of the hooked APIs:

1) Kernel32.ReadFile
2) Ntdll.NtQuerySystemInformation
3) Ntdll.NtQueryDirectoryFile
4) Ntdll.NtVdmControl
5) Ntdll.NtResumeThread
6) Ntdll.NtEnumerateKey
7) Ntdll.NtEnumerateValueKey
8) Ntdll.NtReadVirtualMemory
9) Ntdll.NtQueryVolumeInformationFile
10) Ntdll.NtDeviceIoControlFile
11) Ntdll.NtLdrLoadDll
12) Ntdll.NtOpenProcess
13) Ntdll.NtCreateFile
14) Ntdll.NtLdrInitializeThunk
15) WS2_32.recv
16) WS2_32.WSARecv
17) Advapi32.EnumServiceGroupW
18) Advapi32.EnumServicesStatusExW
19) Advapi32.EnumServicesStatusExA
20) Advapi32.EnumServicesStatusA

Other yet unknown API functions may also be hooked.
This list reflects that hxdef is operative only under Windows NT-based platforms, although the only infections I have seen to date were under Windows XP. Again, this trojan may infect other NT-based platforms as well.

HXDEF has weaknesses, many of them. We'll not discuss all of them here, but just one, because the information is too advanced to provide in this article. One can only guess that these weaknesses will be exploited in attempts to create a permanent solution for the hxdef virus.

The weakness to point out here is the inability of hxdef to stop the classic DOS "CD" command (Change Directory). This may be explained by the fact that the CD command doesn't use any hooked API in order to change directory, so the virus fails to have any impact on it. If you run CMD (command prompt) on an infected machine and use the "CD" command to get inside the f0r0r directory, you'll succeed.

So much for the HXDEF part of this article. Here we move to the other elements of f0r0r:

(*) PPI.EXE: An executable of the W32.MotivFTP backdoor trojan horse. This executable allows anonymous FTP access to the infected computer's data through an FTP server at port 21. That means that every infected computer acts as an unrestricted FTP server, allowing any procedures to be done on the infected computer's hard disk. It also modifies some lines in the WIN.INI file to compromise the security of the infected computer. The WIN.INI file will have to be restored to its original state in order to remove the security threat. This executable file is compressed with UPX.

WEXP.EXE: A remote exploit backdoor (W32.RPCLsa) for the MS04-011 vulnerability. It might act as a scanner in order to infect other computers, in the same fashion as the infamous W32.Blaster and W32.Sasser viruses. This executable file is compressed with Cexe.

VAN32.EXE: A HackTool.HideWindow executable, used in order to hide windows of malicious programs (in this case the components of f0r0r). This executable is compressed with FSG.

CALCU.EXE: A non-malicious file; in fact it's a legitimate process viewer (PRCVIEW) written by Igor Nys (http://www.teamcti.c...iew/prcview.htm). This executable is probably placed in order to allow the exploiter to see some information about the infected system; however, this file is not malicious. This executable is compressed with UPX.

(*) DIROTE.EXE: A non-malicious file; in fact it's an executable of the mIRC version 6.03 chatting program (www.mirc.co.uk). It is used to connect to predefined servers in order to receive commands from the exploiters.

KOLDER.EXE: Additional window hiding utility, similar to VAN32.EXE. This executable file is compressed with UPX.

KLTYE.EXE: A legitimate program, Sysinternals PsExec (http://www.sysinternals.com/ntw2k/freeware/psexec.shtml). A "light-weight telnet-replacement", as the authors say. Probably placed in order to gain privileges on the infected system. This file is compressed with UPX.

DIR32.EXE: An additional instance of a window hiding tool. This executable file is compressed with Cexe.

ROMTO: Probably a system infection log, indicating the time and date at which the system infection took place [e.g.: %infecttime DAY xx/xx/xxxx xx:xx:xx].

ICHAT.BAT: Not a real batch file, but a list of IRC channels - probably for connecting to the worm control point by its authors.

DORDO.SYS: HXDEF system driver.

DEMO.XT: A word list container, probably (but not limited to) placed in order to assist in performing dictionary attacks on password protected network shares.

REDROSES: A regular mIRC .ini file, manipulated to serve the virus's interests. Set to connect to a predefined IRC server.

NIMAX: A malicious mIRC script file.

SOUNDS and LOGS directories: Regular mIRC directories, created by mIRC, they are empty and non-malicious.

(*) = Processes are active in memory, upon system initialization.

As we can see, f0r0r is just a bunch of worms put together in order to grant its creators complete control over a victim's computer. This trojan strain, probably by the same authors, is also known as W32.Aladinz/W32.Randon. This time, it is escorted by hxdef in order to make analysis and removal harder.


For now, the only safe way to remove this worm from an infected system is to perform the following actions:

1) Boot using the Windows CD-ROM.
2) Enter the recovery console.
3) Delete the f0r0r folder located in the %SYSTEMROOT%\SYSTEM32 directory, using the RD command (e.g.: rd f0r0r).
4) Boot back to Windows.
5) Locate and delete the %SYSTEMDRIVE%\TEMP folder (in most cases C:\TEMP, unless your system drive is not drive C:\).
6) Check whether the f0r0r directory exists in the %SYSTEMROOT%\SYSTEM32 directory, and if positive delete it once again.
7) Restore win.ini from a backup copy, or manually undo the changes made by W32.MotivFTP - delete any text that links to PPI.EXE.
8) Download Hijackthis (www.spywareinfo.com/~merijn), execute it, opt out any strings pointing at PPI.EXE and DIROTE.EXE, and select "Fix".
9) Reboot your computer.
10) Scan your computer with your anti-virus software of choice. If you don't have an Anti-Virus program, you could obtain a free copy of "AVG Free Edition" at www.grisot.com.


Finally, solutions for quick hxdef removal are currently being worked on by many individuals. As mentioned before, hxdef has many weaknesses, and it's only a question of time until such a solution is published. For now, the only safe way to remove f0r0r is the above one. Stay tuned for developments.

Sincerely Yours,
A Spyware Expert

Member of UNITE
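
The hooking steps in the post (a jump placed at the beginning of each API function, leading into a memory pool allocated inside the host process) suggest a direct check: decode the first instruction of each entry point and flag any that transfers control outside every loaded module image. The following is an added example, not part of the original post; the module map, addresses and prologue bytes are constructed for illustration.

```python
import struct

# Constructed module map (name, base, size); values are assumptions for the demo.
MODULES = [("kernel32.dll", 0x7C800000, 0xF4000), ("ntdll.dll", 0x7C900000, 0xB0000)]

def owning_module(addr, modules=MODULES):
    """Name of the module whose image range contains addr, or None."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None

def redirect_target(addr, code):
    """Absolute x86 target if the first instruction leaves the function, else None."""
    if len(code) >= 5 and code[0] == 0xE9:                      # JMP rel32
        return (addr + 5 + struct.unpack_from("<i", code, 1)[0]) & 0xFFFFFFFF
    if len(code) >= 2 and code[0] == 0xEB:                      # JMP rel8
        return (addr + 2 + struct.unpack_from("<b", code, 1)[0]) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:  # PUSH imm32; RET
        return struct.unpack_from("<I", code, 1)[0]
    return None

def find_hooks(prologues, modules=MODULES):
    """Return [(api, target)] for entry points redirected outside every module image."""
    hits = []
    for api, addr, code in prologues:
        target = redirect_target(addr, code)
        if target is not None and owning_module(target, modules) is None:
            hits.append((api, target))
    return hits

def jmp_rel32(src, dst):
    """Encode a JMP rel32 located at src that lands on dst (builds the sample only)."""
    return b"\xE9" + struct.pack("<i", dst - (src + 5))

# Constructed samples: (api, entry address, first bytes read from process memory).
STUB = bytes.fromhex("b891000000ba0003fe7fff12c22c00")   # shape of a system call stub
SAMPLES = [
    ("ntdll.NtQueryDirectoryFile", 0x7C90DF5E, jmp_rel32(0x7C90DF5E, 0x00A30000)),
    ("ntdll.NtEnumerateKey", 0x7C90D976, STUB),            # untouched stub
    ("kernel32.ReadFile", 0x7C80180E, bytes.fromhex("8bff558bec")),  # normal prologue
    ("ntdll.sample_short_jump", 0x7C90DD7B, b"\xEB\x05"),  # stays inside ntdll
]

if __name__ == "__main__":
    for api, target in find_hooks(SAMPLES):
        print("%s -> 0x%08X (outside all module images)" % (api, target))
```

On a live system the prologue bytes would come from the process's memory rather than from the file on disk, since the hook exists only in memory.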
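
The "CD" weakness described in the post amounts to a cross-view check: a name that can be reached directly but is missing from the parent directory's listing is being filtered. The following is an added example, not part of the original post; `filtered_listdir` simulates the hidden-name rules quoted from the INI file, and the assumption is that direct access by name behaves like the CD command on an infected machine.

```python
import fnmatch
import os
import tempfile

# Hidden-name rules as quoted from the INI highlights in the post.
HIDDEN_PATTERNS = ["f0r0r", "temp", "dorod*"]

def filtered_listdir(path):
    """Simulation of a filtered enumeration: drops names matching the hidden rules."""
    return [n for n in os.listdir(path)
            if not any(fnmatch.fnmatch(n.lower(), p) for p in HIDDEN_PATTERNS)]

def cross_view(parent, probe_names, lister=os.listdir):
    """Names reachable by direct path under parent but absent from lister(parent)."""
    listed = {n.lower() for n in lister(parent)}
    hidden = []
    for name in probe_names:
        reachable = os.path.lexists(os.path.join(parent, name))
        if reachable and name.lower() not in listed:
            hidden.append(name)
    return hidden

def demo():
    """Build a constructed tree and compare the clean view with the filtered one."""
    with tempfile.TemporaryDirectory() as system32:
        f0r0r = os.path.join(system32, "f0r0r")
        os.mkdir(f0r0r)
        os.mkdir(os.path.join(system32, "drivers"))
        for fname in ("dorod.exe", "dorod.ini", "ppi.exe"):
            open(os.path.join(f0r0r, fname), "w").close()
        top = ["f0r0r", "drivers", "not_present"]
        inner = ["dorod.exe", "dorod.ini", "ppi.exe"]
        return {
            "clean_top": cross_view(system32, top),
            "filtered_top": cross_view(system32, top, lister=filtered_listdir),
            "filtered_inner": cross_view(f0r0r, inner, lister=filtered_listdir),
        }

if __name__ == "__main__":
    for view, names in demo().items():
        print(view, names)
```

Because "dorod*" is a wildcard rule, the probe list has to contain concrete names such as dorod.exe and dorod.ini; names that were never created are not reported.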