19 October 2009

A trojan named unwise_.exe in Windows\Fonts

A virus with the filename unwise_.exe has just gone on a rampage on my Windows machine, undetected (at least by Task Manager, and even by Process Explorer). A new method of penetration?

In my experiment, an application executed from the Fonts folder is normally listed by Task Manager; however, if I kill the process, the application itself doesn't die, yet Task Manager reports it as already dead (it is no longer listed). Interesting, huh! Anyway, due to the nature of this special folder, any file that is not a font file is never shown in Explorer, whatever you do to counter it (setting it to show hidden files, for example).
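As an added example (not from the original post), a Python check for what Explorer hides here: it lists files in a Fonts folder that lack a font extension, or that carry a PE header behind one. The extension allow-list and function names are assumptions; `.fon` files are exempt from the header check because they are legitimately stored in executable format.

```python
import os
import sys

# Extensions expected in a Fonts folder (assumed allow-list; extend as needed).
FONT_EXTS = {".ttf", ".ttc", ".otf", ".fon", ".pfm", ".pfb", ".compositefont"}
ALLOWED_NAMES = {"desktop.ini"}  # marks the folder as a special shell folder

def is_pe(path):
    """True if the file has an MZ header and a PE signature at e_lfanew."""
    try:
        with open(path, "rb") as f:
            head = f.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            f.seek(int.from_bytes(head[0x3C:0x40], "little"))
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False

def scan_fonts_dir(folder):
    """Return sorted (name, size, reason) tuples for files that do not belong."""
    findings = []
    # os.scandir reads the directory directly, so hidden/system files and
    # files the Explorer font view filters out are still listed.
    for entry in os.scandir(folder):
        if not entry.is_file(follow_symlinks=False):
            continue
        name = entry.name.lower()
        if name in ALLOWED_NAMES:
            continue
        ext = os.path.splitext(name)[1]
        size = entry.stat().st_size
        pe = is_pe(entry.path)
        if ext not in FONT_EXTS:
            reason = "PE executable, non-font extension" if pe else "non-font extension"
            findings.append((entry.name, size, reason))
        elif pe and ext != ".fon":
            findings.append((entry.name, size, "PE header behind a font extension"))
    return sorted(findings)

if __name__ == "__main__":
    default = os.path.join(os.environ.get("WINDIR", r"C:\Windows"), "Fonts")
    target = sys.argv[1] if len(sys.argv) > 1 else default
    if not os.path.isdir(target):
        sys.exit(f"not a directory: {target}")
    for name, size, reason in scan_fonts_dir(target):
        print(f"{size:>10}  {name}  {reason}")
```

Run it from an elevated prompt with no arguments to scan `%WINDIR%\Fonts`, or pass another folder as the first argument.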

The trojan seems to break the firewall policy through the administrator account, as confirmed by registry entries under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy. It then creates a service named Windows Hosts Controller, which you can remove later: first terminate unwise_.exe with Sysinternals pskill (the PID can be found with [netstat /b]), then run the [sc delete "Windows Hosts Controller"] command to delete the service. In a command prompt in the Fonts folder: [attrib unwise_.exe -s -h -r]. Finally, [del unwise_.exe].

The obvious impact of this trojan is a Windows socket error: as long as the trojan is active, other activities such as the browser go defunct (unable to connect). Yet from the [netstat /b] command, it's clear that the unwise_.exe process was actively sending packets.

M$ never ceases to give us no end of worries, lol

OK, shame on me: I got infected with this virus again (8 times, actually), and it certainly came from the internet. But how? I decided to do a full analysis by infecting a VM with the virus myself.

Stunning: this trojan depends only on kernel32.dll. Could it be written in assembly? What's more, my two watchdogs (Regmon and Filemon) didn't catch any duplication routine other than into the Fonts folder and the self-deletion of its original source, nor did it harm or modify other Windows files. Now that's strange...

Damn, now I've lost my only specimen. Next time I get infected, I will note its network activity as reported by netstat.

Hmm, the trojan always has a different file size, and it attacks Microsoft sites.
OK, finally I have temporarily set a deny "write" policy for Administrators on the Fonts folder...
