VX2 Identification



#1 reedprigmore
Member (Full Member, 6 posts)

Posted 12 January 2005 - 05:15 PM

Hi guys!

I've been haunting SpywareInfo for a while. I have rarely posted as I am the only guy handling this problem in my company. (Read as ~1500 systems/users.) This keeps me REALLY busy.

I have worked out a process that will give you control of your system in most cases in about 30 minutes. It is easy, relatively speaking, and not harmful. If anyone is interested I can pass this information along. (Like I won't hear about this one. :-)

However, my biggest problem is determining a VX2 "infection" and squashing it. I've been toying with a few tools to help and I have successfully removed these things from systems completely. (As near as I can determine.) What I need is an easier way to find them.

I am aware of the normal tools and have used them. The system I just finished with had a new variant that was not being detected. However, I knew it was there as one of the files kept reappearing. To make matters worse, it was also in rootkit form.

During the removal process I accidentally destroyed two of the files, but I have the remaining ones intact. I have not determined the original installation file and probably never will.

Would anyone have some additional information on this nightmare?

Thanks for letting me rant!
Reed

#2 Tuxedo Jack
Creator of TuxPE, a Cat5-o'-9-Tails, Etherkillers, and more (Expert, 1,758 posts)

Posted 12 January 2005 - 07:59 PM

The only way you can identify it, usually, is by the entries in the hosts file, or if you have one of the older strains, the entries in the LSP chain.

Let me guess - the Narrator key didn't show up in HJT until a few hours of nuking with DLLCompare and FindIt went by?
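The first identification point above, hosts-file entries, can be checked mechanically rather than by eyeballing the file. The script below is an added example, not code from this thread or from any tool named in it. It assumes the standard `<ip> <hostname> [alias ...]` hosts syntax, treats only loopback and null addresses (127.0.0.1, ::1, 0.0.0.0) as benign targets, and uses a constructed, illustrative list of vendor/update domains that are worth a look when they are sinkholed; the sample hosts body is constructed as well.

```python
"""Flag hosts-file entries that could indicate a hijack.

Added example, not code from the SpywareInfo thread. Assumptions: standard
"<ip> <hostname> [alias ...]" syntax; any hostname mapped to an address other
than loopback/null is worth inspecting, as is any watched vendor/update domain
mapped to loopback/null (a common way to block definition updates). The
WATCHED_DOMAINS list is a constructed illustration, not an authoritative list.
"""
from ipaddress import ip_address
from typing import List, Tuple

# Addresses a hosts entry may legitimately point at (loopback / null sinkhole).
BENIGN_TARGETS = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed list of domains whose sinkholing would stop AV/OS updates.
WATCHED_DOMAINS = ("windowsupdate.com", "microsoft.com", "symantec.com", "mcafee.com")


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, ip, hostname) for every mapping in a hosts file body.

    Comments (# ...) and blank lines are skipped; a line with several hostnames
    yields one tuple per hostname. Lines whose first token is not an IP address
    are ignored rather than raising, since a padded or junk-filled file should
    not abort the scan.
    """
    entries = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ip_address(parts[0]))  # normalises the textual form
        except ValueError:
            continue
        for host in parts[1:]:
            entries.append((no, ip, host.lower()))
    return entries


def suspicious_entries(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, ip, hostname, reason) for entries worth inspecting."""
    findings = []
    for no, ip, host in parse_hosts(text):
        if host == "localhost" and ip in BENIGN_TARGETS:
            continue  # the two stock lines every hosts file carries
        if ip not in BENIGN_TARGETS:
            findings.append((no, ip, host, "mapped to a non-loopback address"))
        elif any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS):
            findings.append((no, ip, host, "security/update domain sinkholed"))
    return findings


# Constructed sample hosts file: stock lines, one benign ad block, and three
# hijack-style entries (two sinkholed vendor domains, one outright redirect).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net        # hand-added ad block, benign
127.0.0.1       www.symantec.com liveupdate.symantec.com
127.0.0.1       windowsupdate.com
203.0.113.45    www.google.com
"""

if __name__ == "__main__":
    for no, ip, host, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {no}: {ip:<15} {host:<28} {reason}")
```

On a live box, read `%SystemRoot%\System32\drivers\etc\hosts` into `suspicious_entries` instead of the constructed sample; on the sample it reports the two Symantec hosts and windowsupdate.com as sinkholed and www.google.com as redirected, while the ad-block line and the two localhost lines stay quiet.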

#3 reedprigmore
Member (Full Member, 6 posts)

Posted 12 January 2005 - 08:52 PM

Among several other tools. I eventually ended up with a bunch of files that I was able to replace with System/Read-Only 0-byte files in the Repair Console, and some registry keys I was able to remove when that was done. Of course, I had to do this several times and monitor the file and registry traffic to get them.

On the lighter side, huh, I just found the second system in our environment with exactly the same one. Some of the file names were the same; others were obviously random. I may snag the drive for further testing and comparison.

I would LOVE to get my hands on the actual install file so I can track it on a virgin system.

Edited by reedprigmore, 12 January 2005 - 08:53 PM.


#4 Tuxedo Jack
Creator of TuxPE, a Cat5-o'-9-Tails, Etherkillers, and more (Expert, 1,758 posts)

Posted 13 January 2005 - 08:06 AM

You may want to consider joining the Boot Camp here, where malware is discussed and removal methods are disseminated. VX2 3.0 is one of these, and the thread about this is rather long.

There's an application in the Open Forum.

You can surf around the web on a virgin XP VMWare installation and find TONS of malware - just surf free porn sites and Google for MP3 downloads of popular artists. You'll come across the strain fairly quickly.