dysfunction
Guest
Watch out for this nasty thing....
Hey guys, if you have gotten that Surferbar crapware and are using NTFS (FAT32 can't do this) then you most likely have gotten a new strain of the AFlooder worm. As of this writing, virus scanners, Adaware, and Spybot do not pick it up, and the thing is ridiculously tenacious and uses some rather sneaky tricks to stay hooked into your system -- these are particularly a pain in the ass because the streams can't be removed easily. Here's what I've learned:
The new AFlooder is an irc trojan/spybot that uses worm techniques to spread to machines via web pages. It is apparently coded to have qualities of remote access trojans, IRC bots, keyloggers, and even seems to have the capability to carry out DDoS attacks if the owner orders it to. I just a few moments ago heard from a fellow at BOclean that it's a spambot too. It uses an exploit to write and execute its injector program to machines without the user's acceptance or knowledge, then it uses NTFS's alternate file streams to hide itself where there's very little chance of finding it -- in the actual windows folder system32. On my system, the injector was made up of two files stored in Windows/system32, ezluu.exe and ezluu.dll. This may be randomly selected -- unfortunately I dumped them before I realized I was really infected. If anyone can clarify this, please let me know, and if you have copies of this, definitely let me know as I am collecting "evidence" of this worm at work.
You can determine whether your system is infected by either running Hijack This or by using regedit and navigating to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. If you see a key with similar content to the below, you should also have one in RunOnce. Mind you, the letters can be any seven-letter combination -- it's randomly selected upon infection and stays constant throughout.
QUOTE
rundll32 C:\Windows\System32:tywsmhd.dll,Init 1
A key containing data like this means that you have Aflooder. You may also notice a registry key in HKLM\SOFTWARE called AFlooder with a numerical value held within. I'm not sure what the numerical value means, but it seems to change. There will also be a file with no extension in your Documents and Settings\\Local Settings\Temp directory with the same 7 letters that you will notice is always in use, but no process seems to have it open. I believe this is an encrypted data file that is used to gather and send snapshots of your system to the virus propagators. Using Ethereal's wonderful packet sniffer (available on this web site) I determined that this is done via http port 80 and a cgi-bin interface on the owners' site. You can configure a software firewall to block these packets if you feel like it.
You may have tried to remove the keys from Run and RunOnce either manually or with Hijack This -- guess what? The program constantly checks every two seconds to make certain that the keys are exactly as they should be. If the program cannot find the keys as they should be, it re-adds them. Even if you force msconfig to not load the Run entry and boot into Safe Mode, the RunOnce entry will still ensure that the dll hidden in the system folder gets executed even in Safe Mode. Extremely sneaky.
I happened to by chance catch a process running that XP had to wait to shut down on one particular boot called "should not be seeing this" (all lower case) which I believe may be a hidden process used to ensure that the trojan keeps itself in Run and RunOnce.
Manual removal is, as I said, a pain in the ass since you apparently cannot really affect the streams without deleting them completely, and you can't delete system32. But for some reason, the following message and instructions were embedded into the DLL:
QUOTE
If you read this, then this program was probably stolen from our laboratory.
Author of this software is not responsible for any harm that may be caused by
incompetent or malicious persons who use this software possibly running on your machine.
Therefore, please remove this software as soon as possible. Click the "Start" menu,
select "Run", enter there: rundll32 ,Uninstall and click "OK"
I can verify that this method DOES actually uninstall the trojan, but you must type the exact correct path for it to work and you must use the actual DLL name that your system has. For example, for me, I typed:
QUOTE
rundll32 C:\Windows\system32:tywsmhd.dll,Uninstall
A little box will appear to tell you that it is Uninstalling AF. When you press OK, it should indeed be uninstalled, along with all evidence of it having been there. The temp file will be gone, the Run and RunOnce keys will be gone, and only the AFlooder registry entry will remain which you can kill at your leisure. Run Hijack This and look for anything else unusual, then reboot. That's it, you should be done.
Thanks to everyone who helped me with this, and no thanks to the at Surferbar who propagated this damned thing. I hope they die a horrible death and are deluged in hell with a nonstop rain of Enlarge your Penis ads. This sort of thing is criminal, and if it's not, it should be.
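The detection the post describes by hand (a Run/RunOnce value of the form `rundll32 <path>:<stream>.dll,Init 1`, where the DLL lives in a named NTFS stream attached to the System32 directory itself) can be turned into a small scanner. The script below is an added example and is not code from the post or from any tool it mentions. It parses autorun command lines, flags the ones that load a DLL out of an alternate data stream, notes whether the stream's host looks like a directory and whether the name is a random-looking seven-letter string, and derives the `,Uninstall` command line the post says must use the exact same path. The registry sample is constructed to mirror the post's `tywsmhd.dll` entry; on Windows the same functions are run against the real keys via `winreg`.

```python
"""Flag Run/RunOnce entries that load a DLL from an NTFS alternate data stream.

Added example, not part of the original post. SAMPLE_RUN_VALUES is a
constructed stand-in for the registry, modelled on the post's
'rundll32 C:\\Windows\\System32:tywsmhd.dll,Init 1' entry; the live scan at the
bottom only runs on Windows and reads the real Run/RunOnce keys.
"""
import ntpath
import re
import sys

RUN_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
)

# Constructed sample: one ordinary entry plus the pattern from the post,
# present in both Run and RunOnce under the same random seven-letter name.
SAMPLE_RUN_VALUES = {
    RUN_KEYS[0]: {
        "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
        "tywsmhd": r"rundll32 C:\Windows\System32:tywsmhd.dll,Init 1",
    },
    RUN_KEYS[1]: {
        "tywsmhd": r"rundll32 C:\Windows\System32:tywsmhd.dll,Init 1",
    },
}

# rundll32 <host>:<stream>,<entrypoint> [args]
# A second colon after the drive letter's own colon means the DLL is a named
# stream attached to <host>, which may be a file or, as in the post, a directory.
ADS_RUNDLL_RE = re.compile(
    r"^\s*rundll32(?:\.exe)?\s+"
    r"(?P<host>[A-Za-z]:\\[^:,]*):(?P<stream>[^,\s]+),(?P<entry>\w+)"
    r"(?:\s+(?P<args>.*?))?\s*$",
    re.IGNORECASE,
)
RANDOM_NAME_RE = re.compile(r"[a-z]{7}")


def parse_rundll32_ads(command):
    """Return host/stream/entry/args for an ADS-loading rundll32 line, else None."""
    m = ADS_RUNDLL_RE.match(command)
    return m.groupdict() if m else None


def find_ads_autoruns(run_values):
    """Scan {key: {value_name: command}} and return one finding per ADS load."""
    findings = []
    for key, values in run_values.items():
        for name, command in values.items():
            parsed = parse_rundll32_ads(command)
            if parsed is None:
                continue
            stem = ntpath.splitext(parsed["stream"])[0]
            findings.append({
                "key": key,
                "value_name": name,
                "host": parsed["host"],
                "stream": parsed["stream"],
                "entry": parsed["entry"],
                # No extension on the host path usually means a directory
                # (System32 in the post). Heuristic only; confirm on the box.
                "host_is_dir_like": ntpath.splitext(parsed["host"])[1] == "",
                # The post reports a random seven-letter name reused for the
                # value name, the stream and the temp file.
                "random_looking": RANDOM_NAME_RE.fullmatch(stem.lower()) is not None
                and name.lower() == stem.lower(),
            })
    return findings


def uninstall_command(finding):
    """The post's remedy: call the same stream's Uninstall export with the exact path."""
    return f"rundll32 {finding['host']}:{finding['stream']},Uninstall"


def read_live_run_values():
    """Read the real Run/RunOnce keys (Windows only); same shape as the sample."""
    import winreg  # Windows-only module, imported lazily on purpose
    out = {}
    for key in RUN_KEYS:
        out[key] = {}
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(handle, index)
                except OSError:
                    break
                out[key][name] = str(data)
                index += 1
    return out


if __name__ == "__main__":
    source = read_live_run_values() if sys.platform == "win32" else SAMPLE_RUN_VALUES
    for f in find_ads_autoruns(source):
        print(f"{f['key']}\\{f['value_name']}: {f['host']}:{f['stream']} "
              f"entry={f['entry']} dir_host={f['host_is_dir_like']} "
              f"random={f['random_looking']}")
        print("  uninstall:", uninstall_command(f))
```

Run it as-is to see the constructed sample flagged; on a Windows box it reads HKLM Run and RunOnce instead. The `,Uninstall` line it prints is only worth using if, as in the post, the DLL actually exports an `Uninstall` entry point; otherwise treat the finding as a lead for further analysis rather than a fix.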