After reading the front page story about the latest IE malware, the next time that I started up my computer at home, I got several popups for (among other things) spyware detection/removal. This motivated me to download the BHODemon utility which was mentioned by one of the posters in the article. Sure enough, I had a rogue Browser Helper Object. So I used BHODemon to disable it. Within a minute or so, it had re-enabled the entry. It was still executing in memory. So I took a look at the file, C:\Windows\System32\lpaebe.dll. No version information - always a dead giveaway that the file is not part of the OS. I used Process Explorer (http://www.sysinternals.com) to figure out where it was running. As expected, it was attached to each IE process, but it was also attached to the shell process (explorer.exe). So I tried the first trick - rename the DLL, then restart the shell (log off/log on worked in this case). This worked, so I used BHODemon to again disable the BHO entry. This time it stayed disabled. So the first step was complete.
The other clue that I had an infection was that my home page was changed. And, when I restored it, it was changed back (to about:blank). When I removed the BHO, that stopped the change back to about:blank. Since I had physically disconnected from the Internet as soon as I figured out what was going on, my correct home page should have led to an error page. However, it sent me to a search page, one that was nothing like the normal Microsoft default search page. With a little work, I discovered that this page was another component of the infection. It was a file called SP.HTML, which was dropped in my temp directory. Had I been connected to the net, I think that it would have restored the BHO infection.
At this point, I went to another computer to dig up some information about this infection. Using the size of the BHO dll, I searched several virus information sites, as well as using Google to search the web in general. McAfee has a pretty good description of what was going on with my computer.
I had noticed that the BHO dll and the infected search page had pretty much the same timestamp. Being fairly paranoid (and not trusting McAfee to be complete), I decided to look around and see what else might have happened at the same time. So I searched the entire machine for files that had been modified the same day (as close as I could get with the crummy WinXP search tool). I noticed another file, wink.dll, as well as the fact that something had been messing with Notepad and WMPlayer at the same time. At this point, I decided that a real virus scan was required. I used the free edition of AVG. I did a whole-system scan with the latest virus definitions (over 230,000 files, about 60 minutes to do the full scan), and it found the virus as "BackDoor.Agent.BA" (as well as three others that I had saved for dissection in the past). However, it could not remove the file, or move it to its "Virus Vault". I decided that I would give it another chance, and tried my trick of renaming the DLL and restarting the computer. No dice - Windows would not let me rename the file, and AVG still could not remove it. So I used Process Explorer to try and figure out where it was running. No result - as far as Process Explorer could tell, it was not in memory. But I still could not delete or rename it. The AVG resident scanner was repeatedly telling me that the virus was detected, but AVG could not fix it.
Back to the internet for more information. The result was disappointing. None of the virus sites that I tried had any information on a WINK.DLL. WINK.EXE was apparently part of the payload of the Klez worm, but WINK.DLL was unknown. Google gave me a single hit, for a security forum. Someone had the same problem that I did. They gave him some advice, but I do not have the tool that they were using, and I could not quickly figure out how to get it. Back to the computer.
Reasoning that the DLL would probably have to be somewhere in the registry, I used regedit to search for "wink". After many hits for unrelated items having to do with digital ink, I found what I was looking for in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows. Under that key, there was a named value "AppInit_DLLs" with the string value "C:\Windows\System32\wink.dll". Jackpot! Apparently, this key causes the named DLL to be run every time an application is started. This explained the large number of warnings that I was getting from the AVG resident scanner. Also why AVG bluescreened about 50% of the time when I logged in. So I changed the value so that it did not point to the virus DLL. Within a few seconds, it was changed back. Hmmm. I thought about changing the value and restarting before it changed back, but the frequency of restoration was fast enough that I thought that I would not be able to shut down fast enough to beat the change. So I thought a bit, and then realized that I could set permissions on the registry key. So I changed them so that only the Administrator account had the authority to change the key and its named values (I was logged in to my account at the time). I switched over to the administrator account and changed the value. This time it stayed the way that I put it. Back to my account, log off and restart. First good sign: the repeated alerts by the AVG resident scanner no longer occurred.

Back to C:\Windows\System32. Attempt to rename the file. "Access denied". Attempt to delete the file. "Access denied". Hmmm... Go to the command line, and check the file permissions. Execute only. Well, that makes sense, I guess. I then used CACLS to give myself full control over the file (though this could likely have been done through the Security tab of the Properties dialog in Windows Explorer). Rename the file. Success. Rescan the directory with AVG, which found and removed the virus file.
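The two persistence points in this story (the Browser Helper Object entry and AppInit_DLLs) and the two fixes (locking the registry key's ACL so the running implant cannot restore the value, then taking control of the execute-only file) can be scripted. The block below is an added example, not code from the original post or from any of the tools it mentions. The registry paths are the documented Windows locations; $Suspect is a placeholder assumption for whatever the triage flags. It needs an elevated PowerShell 5.1 or later:

```powershell
# Added example, not from the original post. Triage AppInit_DLLs and Browser Helper
# Objects, then apply the two lockdown steps described above. Run elevated.
# On 64-bit Windows also check both keys under ...\SOFTWARE\Wow6432Node\... .
#Requires -RunAsAdministrator

$AppInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$BhoKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-DllFacts {
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $item) { return [pscustomobject]@{ Path = $Path; Exists = $false } }
    $vi = $item.VersionInfo
    [pscustomobject]@{
        Path       = $Path
        Exists     = $true
        LastWrite  = $item.LastWriteTime
        # Missing company/product strings: the "dead giveaway" for a file that is not part of the OS
        HasVersion = [bool]($vi.CompanyName -or $vi.ProductName -or $vi.FileDescription)
        Signature  = (Get-AuthenticodeSignature -LiteralPath $Path).Status   # Valid / NotSigned / ...
        Sha256     = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash  # for vendor lookups
    }
}

# 1. AppInit_DLLs: every DLL listed here is mapped into every process that loads user32.dll,
#    which is why the resident scanner fired on each program that was started.
$appInit = (Get-ItemProperty -Path $AppInitKey).AppInit_DLLs
if ($appInit) {
    $appInit -split '[ ,;]+' | Where-Object { $_ } |
        ForEach-Object { Get-DllFacts ([Environment]::ExpandEnvironmentVariables($_)) }
}

# 2. BHOs: each subkey name is a CLSID; the DLL path is that CLSID's InprocServer32 default value.
Get-ChildItem -Path $BhoKey -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid  = $_.PSChildName
    $server = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
    if ($server) {
        Get-DllFacts ([Environment]::ExpandEnvironmentVariables($server.'(default)')) |
            Add-Member -NotePropertyName CLSID -NotePropertyValue $clsid -PassThru
    }
}

# 3. Registry fix: make the key writable by Administrators only so the implant running in the
#    user's session cannot put the value back, then clear it. Save the original descriptor
#    first so the ACL can be restored once the DLL is gone.
$acl = Get-Acl -Path $AppInitKey
Set-Content -LiteralPath "$env:TEMP\appinit-acl.sddl" -Value $acl.Sddl
$acl.SetAccessRuleProtection($true, $false)                 # stop inheriting the parent's rules
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
$adminRule = [System.Security.AccessControl.RegistryAccessRule]::new('BUILTIN\Administrators',
    'FullControl', 'ContainerInherit', 'None', 'Allow')
$readRule  = [System.Security.AccessControl.RegistryAccessRule]::new('Everyone',
    'ReadKey', 'ContainerInherit', 'None', 'Allow')
$acl.AddAccessRule($adminRule)
$acl.AddAccessRule($readRule)
Set-Acl -Path $AppInitKey -AclObject $acl
Set-ItemProperty -Path $AppInitKey -Name AppInit_DLLs -Value ''

# 4. File fix (the CACLS step): the DLL was left execute-only, so grant Administrators full
#    control and rename it. A DLL that is still mapped can be renamed even though it cannot be deleted.
$Suspect = 'C:\Windows\System32\wink.dll'   # assumption: substitute the path the triage above flagged
$facl = Get-Acl -LiteralPath $Suspect
$fileRule = [System.Security.AccessControl.FileSystemAccessRule]::new('BUILTIN\Administrators',
    'FullControl', 'Allow')
$facl.AddAccessRule($fileRule)
Set-Acl -LiteralPath $Suspect -AclObject $facl
Rename-Item -LiteralPath $Suspect -NewName ((Split-Path -Leaf $Suspect) + '.quarantine')
```

Two caveats a practitioner would want. First, the ACL lockdown in step 3 also removes SYSTEM's write access to that key, exactly as the author's fix did; it is a temporary measure, and the saved SDDL should be reapplied with $acl.SetSecurityDescriptorSddlForm() after the machine is clean. Second, the lockdown only works if the process restoring the value runs in a less-privileged context than Administrators; if the restorer runs as SYSTEM (a service, or a DLL injected into one via AppInit_DLLs), stop that process first or the value will come back.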
Now, for Notepad and WMPlayer. I normally use Metapad for text editing, and WinAMP for media, so this was not a terribly threatening infection. AVG shows both files as clean, though their timestamps have been altered to the same time as the two infection DLLs and the SP.HTML file. I copy a clean version of each from another system, and they compare as identical (using WinDiff). To be safe, I replace each file with a clean copy, and delete the Notepad.exe.bak, Notepad.exe.tmp, WMPlayer.exe.bak, and WMPlayer.exe.tmp files that had been created at the same time. I don't know if the infection attempt failed, or if it was interrupted, because all of the files scan as clean and compare to the originals as identical.
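The two manual checks in the passages above, searching for everything modified around the time of the known-bad files and then comparing suspect files against clean copies with WinDiff, reduce to one pass that pivots on the bad file's timestamp and compares each hit by hash against the same path in a known-clean tree. The block below is an added example, not code from the original post; $Known, $Root, $GoldRoot and $Window are assumptions chosen for illustration:

```powershell
# Added example, not from the original post. Pivot on the LastWriteTime of a file already
# known to be bad, list everything under $Root written within $Window of it, and compare
# each hit against the same relative path in a tree copied from a known-clean machine.

$Known    = 'C:\Windows\System32\wink.dll'   # assumption: a file already identified as part of the infection
$Root     = 'C:\Windows'
$GoldRoot = 'D:\clean\Windows'                # assumption: same tree copied from a known-clean install
$Window   = New-TimeSpan -Minutes 30

$t0 = (Get-Item -LiteralPath $Known).LastWriteTime
$hits = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { [math]::Abs(($_.LastWriteTime - $t0).TotalSeconds) -le $Window.TotalSeconds }

$report = foreach ($f in $hits) {
    $rel  = $f.FullName.Substring($Root.Length).TrimStart('\')
    $gold = Join-Path -Path $GoldRoot -ChildPath $rel
    $verdict = if (-not (Test-Path -LiteralPath $gold)) { 'NO-REFERENCE' }   # dropped file, or absent from the clean tree
               elseif ((Get-FileHash -LiteralPath $f.FullName).Hash -eq (Get-FileHash -LiteralPath $gold).Hash) { 'IDENTICAL' }
               else { 'DIFFERS' }
    [pscustomobject]@{
        Modified = $f.LastWriteTime
        # A LastWriteTime earlier than CreationTime means the write time was set after the file
        # appeared on disk (copied in, or deliberately backdated); worth a second look either way.
        Created  = $f.CreationTime
        Verdict  = $verdict
        Path     = $f.FullName
    }
}

# Dropped payloads (NO-REFERENCE) and altered binaries (DIFFERS) sort to the top of the list.
$report | Sort-Object Verdict, Modified | Format-Table -AutoSize
```

Hash comparison is a stricter test than a WinDiff that reports "identical", and it also catches the .bak and .tmp siblings the author found, since they have no counterpart in the clean tree. The limitation is the pivot itself: LastWriteTime is under the attacker's control, so a file whose timestamp was set outside the window will not appear, and the result is a starting point for a scan, not a substitute for one.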
Finally, I deleted the bogus search page and reset the registry entries pointing to it. I left this for last, as it would have let me detect if the infection had gone active again. I then plugged the LAN cable back into the hub, and re-enabled the connection. Clean connection, but another spyware popup. I close it, and check for suspicious files, but there is nothing. As it is now 1:00 am, and I need to be up at 5:45, I decided to postpone any further investigation.
Conclusion: switch to Firefox or Opera in the very near future. Install Adaware if necessary. Leave AVG running. I have never before left a virus scanner running continuously, but this sort of thing is not something that one can prevent by being careful. I can get infected just by visiting an infected site, and I can't depend on them to be patched up to date, or to have their web server (IIS was probably the infection vector in this case) secured. So I have to pay CPU cycles for their inattention. Irritating. But I'm relieved to have the virus gone.
Another interesting fact. This is apparently a combination of several viruses that have been seen in the past, quite possibly an effort by the same author as the Klez worm. None of the several virus information sites that I visited (including Symantec, McAfee, CA, and Grisoft) had complete information on this infection. Which is why I am posting it here, so that it is accessible in some form.