January 3rd, 2008 by Andrew Chen
My laptop got infected with a vicious piece of malware recently. The first symptom I saw of this malware was that my anti-virus software became disabled. I was using Spybot and Norton on my laptop, and some executable files of Spybot and Norton were secretly deleted. I tried to reinstall Spybot and Norton but I could not do so.
I was thinking that probably the only way to get rid of the malware or virus was to do a clean installation of the whole system. But I decided to spend some time looking into it. I thought there must be something running on the system that was deleting the anti-virus program. I checked Windows Task Manager and did find some weird processes. Wintems.exe was one of them, and there was a process named with a random number like 2348787.exe. I did a search and found 2348787.exe in a folder in the system directory, "c:\windows\system32\drivers\down". In fact I found tens of random-number .exe executables under that folder. The malware kept cloning itself. Really scary!!
I killed the two processes in Task Manager and deleted that directory and wintems.exe. But I still could not install the anti-virus software. When I repeated the above experiment the result was the same. I ran a process scanner and all the running processes were good. I was not the only one who experienced this; I found on the internet that if malware uses a rootkit to hook into the system, it gets notified whenever files are created. The malware can then look at the name of the created file and, if it is in its database of anti-virus executables, delete it. Really scary!!!
I downloaded a rootkit detection tool and found that hldrrr.exe was the process deleting my anti-virus executables, and that it uses a driver, srosa.sys. This process somehow hides itself from being viewed in Task Manager. Even more vicious, after you delete hldrrr.exe and srosa.sys they re-appear. I spent a long time finding out the pattern of how they re-appear. It turns out that whenever I open Internet Explorer these two files are created, and then wintems.exe and the random-number executable are re-created again.
In order to find out which process creates hldrrr.exe and srosa.sys, I used a process monitor to see which process created them, but whenever I opened Internet Explorer I got a pop-up box saying I had monitoring software running and needed to close it for the program to continue running. The pop-up box was titled "Themida". I ran the process monitor on a clean system and IE didn't give me that pop-up. So I Googled "Themida" and found it is a company providing anti-cracking technology. However, its technology was used by the malware writer to package the malware and virus so that they can bypass analysis and anti-virus programs.
Finally I decided to uninstall all the IE toolbars, because they might be the only components IE initializes at start. That worked. After I removed all the IE toolbars I didn't see hldrrr.exe and srosa.sys again. Hopefully they don't come back anymore.
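The post's two concrete findings, that the dropper lived in IE's add-ons and that the payload cloned itself as digit-named executables under system32\drivers\down, can be turned into a quick triage check. The script below is an added example, not part of the original post or of any tool it mentions. It enumerates the registered Internet Explorer toolbars and Browser Helper Objects (the standard registry locations for IE add-ons), resolves each CLSID to its DLL and reports the Authenticode signature status, then looks for digit-only executable names in the down folder and in the live process list. The folder path and the digit-name pattern are taken from the post; the registry keys are the standard IE/COM ones; everything else (function names, output layout) is this example's own choice.

```powershell
# Added triage script (not from the original post). Run from an elevated prompt.
# Assumptions: standard IE add-on registry keys; the drivers\down folder and the
# digits-only executable name pattern are what the post describes.

$BhoKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$ToolbarKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
$DownDir    = Join-Path $env:SystemRoot 'system32\drivers\down'

function Get-ComServerPath {
    # Resolve a CLSID to the DLL registered as its in-process COM server.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $key) {
            $raw = (Get-ItemProperty -LiteralPath $key).'(default)'
            if ($raw) { return [Environment]::ExpandEnvironmentVariables($raw.Trim('"')) }
        }
    }
    return $null
}

function Get-IEAddOn {
    # Enumerate toolbars and BHOs, resolve each to its DLL, report signer status.
    $entries = @()
    if (Test-Path -LiteralPath $BhoKey) {
        $entries += Get-ChildItem -LiteralPath $BhoKey |
            ForEach-Object { [pscustomobject]@{ Kind = 'BHO'; Clsid = $_.PSChildName } }
    }
    if (Test-Path -LiteralPath $ToolbarKey) {
        # Toolbars are registered as values named by CLSID, not as subkeys.
        $entries += (Get-Item -LiteralPath $ToolbarKey).GetValueNames() |
            Where-Object { $_ -match '^\{[0-9A-Fa-f-]{36}\}$' } |
            ForEach-Object { [pscustomobject]@{ Kind = 'Toolbar'; Clsid = $_ } }
    }
    foreach ($e in $entries) {
        $dll = Get-ComServerPath -Clsid $e.Clsid
        $sig = if ($dll -and (Test-Path -LiteralPath $dll)) {
            (Get-AuthenticodeSignature -FilePath $dll).Status
        } else { 'DllMissing' }
        [pscustomobject]@{
            Kind      = $e.Kind
            Clsid     = $e.Clsid
            Dll       = $dll
            Signature = $sig   # 'Valid' for signed vendor add-ons; anything else deserves a look
        }
    }
}

function Get-DigitNamedExecutable {
    # The post found tens of clones named with random digits under drivers\down.
    param([string]$Path = $DownDir)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    Get-ChildItem -LiteralPath $Path -Filter *.exe -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match '^\d+$' } |
        Select-Object FullName, Length, LastWriteTime
}

function Get-DigitNamedProcess {
    # Same name pattern applied to the live process list.
    Get-Process | Where-Object { $_.ProcessName -match '^\d+$' } |
        Select-Object Id, ProcessName, Path
}

'== IE add-ons (toolbars and BHOs) =='
Get-IEAddOn | Format-Table -AutoSize
'== digit-named executables in drivers\down =='
Get-DigitNamedExecutable | Format-Table -AutoSize
'== digit-named running processes =='
Get-DigitNamedProcess | Format-Table -AutoSize
```

Two caveats. First, Get-Process and Get-ChildItem go through the same user-mode and kernel APIs that a rootkit driver such as the post's srosa.sys hooks, so an empty result here does not prove the machine is clean; the post's own experience, a hidden process that a dedicated rootkit detector had to reveal, is exactly that case. Second, on 64-bit Windows, 32-bit IE add-ons are registered under the corresponding Wow6432Node keys, which this script does not walk.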