Fun with SpyAxe

Normally I don’t hit by viruses. I’m very good with Windows Update and keeping the anti-virus signatures up to date on my machine. Thus, I was very surprised yesterday afternoon when I saw a blinking tray icon and a badly worded balloon message indicating that I had an “infection”.

 

A quick check showed that a program called “SpyAxe” had shown up installed on my system. What’s worse, I found two suspicious processes named MSSEARCHNET.EXE and NVCTRL.EXE running. Attempts to kill them using TaskMgr and Process Explorer (ProcExp) weren’t successful, as they kept re-spawning. Definitely virus behavior.

 

With this info in hand, I hit MSN Search and found that there was a recent upswing in activity related to SpyAxe “tool” (As well as the similar SpySherriff), staring around 12/28/05. Warning, I don’t claim to be a virus expert, nor claim to offer useful advice on helping others who get hit by this. What follows is just some of my observations. Your mileage may vary.

 

My first attempt to rid my system of this was to download the latest AV signatures from the corporate network. A full scan of my system later, no viruses detected, but I still definitely had badness on my system.

 

At this point I was starting to take off the gloves. Long time readers of my MSDN column know that I know a think or two about mucking around with processes. J

 

Early on I had noticed several files with current creation times in my \windows\system32 directory, including MSSEARCHNET.EXE and NVCTRL.EXE. I couldn’t delete any of them, as they were all “locked” by another process. Using one of my favorite tricks, Image File Execution Options, I was able to stop them from continuously re-spawning. After deleting the files, I thought I was done. A second check of \windows\system32 showed there was still a file: LDxxxx.TMP that was locked. (Where xxxx is four random numbers.)

 

Using ProcExp, I determined that this file was loaded by WinLogon.exe. A quick check of my wife’s machine showed that her WinLogon.exe had nothing similar going on. Hmm… badness. What’s worse, I ran my PEDUMP utility on the LDxxxx.TMP file, and found it calling functions like Process32First/Next, RegSetValue, and WININET.DLL functions. They were exactly the combination of functions you’d use to download files and inject bad code into unsuspecting processes.

 

Entering the phrase “WinLogon .TMP DLL” into MSN Search, I found that this is a well known exploit, and that the .TMP DLL actually adds registry values to this key:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

 

The added registry values redirect various DLLs loaded by Internet Explorer. Even worse, when I deleted those registry entries, at least one of them reappeared. Definitely evil behavior.

 

At this point I cranked up RegMon, deleted the offending registry values, then checked to see who was re-writing them. Turns out it was WinLogon.exe. Whoever’s responsible for this isn’t your garden variety kiddie hacker.

 

Question of the day: How would you stop this evil DLL from continuously resetting the key value back? Being brave (or foolhardy) I attached a debugger to WinLogon.exe. For the debugger, I chose PEBrowseInteractive because of its great breakpoint setting abilities.) My intent was to trap when the DLL called RegSetValue, and NOP out the code.

 

However, the breakpoint never appeared to get hit. At the same time, Explorer started acting very sick. I reset the machine to try the trick again, but when I rebooted, I saw no trace of the WinLogon LDxxxx.TMP DLL anymore. Not completely sure that I’d eliminated the malware, I dig a bunch more searching, verified a ton of registry keys, carefully examined each process, and at the moment it appears like I’m clean.

 

Just to be safe, I ran RootkitRevealer, and it came up clean as well.

 

Since then, I’ve been running IE at the “High” security level, and only adding well known sites to the trusted sites list.

 

Sorry if this post sounds like an ad for SysInternals and SmidgeonSoft, but there stuff is just good. Incidentally, be sure to read Mark R’s post on this same topic.

Comments

  • Anonymous
    January 03, 2006
    Just curious... are you running as a limited user or an administrator on your machine?

  • Anonymous
    January 03, 2006
    An easy way to get rid of processes that keep respawning themselves is to simply debug all of them simultaneously. That will cause them to all be suspended and can then just be terminated at will. In the case where one of them is something important, like WINLOGON, you would have to set a breakpoint at CreateProcess and remove the offending portion of code.

  • Anonymous
    January 03, 2006
    Actually I am more curious if you figured out where you got it at yet? Or How

  • Anonymous
    January 03, 2006
    The comment has been removed

  • Anonymous
    January 03, 2006
    Sadly, no idea where I picked it up.

    DEP apparently is only set for essential programs and services in XP SP2. I've toggled it to the more aggressive setting and will monitor how it works for me.

  • Anonymous
    January 04, 2006
    You could well have been hit by the WMF exploit, which as a Win31 developer you may find amusing; they use the SetAbortCallback() operation to set a callback on escaped printing; insert this into a metafile and then on playback time as soon as you Escape() in the doc it gets invoked.

    Any malicious image sent by spam or IM could have triggered it. just be grateful that they payload was a spyware+advertising, not something subtle like a keystroke logger.

    There is an "unofficial" fix at isc.sans.org, but as you have access to GDI32 source, you could patch it at origin. The fix comes with source for you to review and compile yourself incidentally.

    As an aside, I dont ever trust a machine that has had spyware on it. Clean build the bunny. You know it makes sense; your registry will love you for it. Then move to vmware hosted windows sessions which can be rolled back/destroyed more easily.

    -steve

  • Anonymous
    January 04, 2006
    The comment has been removed

  • Anonymous
    January 04, 2006
    The comment has been removed

  • Anonymous
    January 05, 2006
    The comment has been removed

  • Anonymous
    January 05, 2006
    The comment has been removed

  • Anonymous
    January 06, 2006
    I also did battle with SpyAxe on my lads PC, infernal thing. In the end these instructions did it for me:

    http://www.infopackets.com/channels/en/windows/nicks_computer_security/2005/20051220_remove_spyaxe_removal_instructions.htm

    Not sure its the wmf exploit -- I thought it was a December one: http://www.microsoft.com/technet/security/Bulletin/MS05-054.mspx

  • Anonymous
    March 31, 2008
    PingBack from http://collegefunfactsblog.info/under-the-hood-matt-pietrek-fun-with-spyaxe/

  • Anonymous
    May 29, 2009
    PingBack from http://paidsurveyshub.info/story.php?title=under-the-hood-matt-pietrek-fun-with-spyaxe