CnsMin Persistent Spyware Hooks RunDll32

Kevin Davies

I tried to provide a spyware report but it failed to submit.

CnsMin is a known Internet Explorer search bar modification
from China. Microsoft AntiSpyware detects it and tries to
remove it but fails as it re-appears. It seems that the
startup registry protection is bypassed using the following
Startup registry entry to load the DLL into the system.

Name CnsMin
String "Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32"

The software then monitors its startup registry settings
and files for any modifications and fixes them instantly.
This is apparent when you rename the registry entry and it
immediately creates it again and also tries to add other
registry entries which are denied by MS AntiSpyware.

The files are stored in %windir%\Downloaded Program Files
but you cannot see them using Windows Explorer. No idea
why. The only way you can see the files is using dir on the
command prompt. If you rename them they are restored.

It appears the way to remove this is to kill the monitoring
process, but you can't find it because it is hidden from the
process list. I tried using Process Explorer from
Sysinternals.com and could not find any of the Cns*
processes although they do exist. When closing down the
system once it asked me if I wanted to "End Now"... CnsMain
so it shows it's running even though I cannot see it.
Looking at the properties of rundll32 in Process Explorer
I can see the CnsMin hooks into the rundll32 process.

So IMHO we need to monitor attempts to add registry entries
to the registry *when they are removed* by MS AntiSpyware
and permanently block those entries from being added in the
future. If after the reboot and software removal, they
continue to attempt to be added we need to track the
processes that are doing this and report this information
back to spynet.

Looking forward to an update that fixes this.

Regards

Kevin Davies
 
Guest

Wow,

This bloody thing also installs a device driver,
cnsminkp.sys. It's a driver that protects the spyware.
cnsminkp stands for cnsmin kill protect device driver.

You can tell Windows how to stop loading device drivers
unless you are in recovery mode.

Ouch
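The two posts above describe four things a defender would want to check for on a suspect machine: a Run-key value that loads a DLL through rundll32, entries that come back the moment they are removed, files that cmd.exe's dir shows but Explorer does not, and a kernel driver (cnsminkp.sys) registered to protect the whole thing. The PowerShell below is an added, read-only audit script written for this thread; it is not code from the posters or from Microsoft AntiSpyware. The regular expression for the loader pattern, the `cnsmin` search string for the driver service, and the assumption that the driver is registered as a Type 1 (kernel driver) service under CurrentControlSet\Services are mine; the script deletes nothing.

```powershell
# Added example for this thread (not the posters' code). Read-only audit of the
# persistence and hiding behaviour described above. Run from an elevated prompt.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-RunEntries {
    # Enumerate every value under both Run keys as Key/Name/Value objects.
    $entries = @()
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            $entries += [pscustomobject]@{ Key = $key; Name = $p.Name; Value = [string]$p.Value }
        }
    }
    return $entries
}

function Test-SuspiciousRunEntry {
    param([string]$Value)
    # rundll32 loading a DLL out of Downloaded Program Files (8.3 form "downlo~1"),
    # the exact shape of the value quoted in the first post. Pattern is an assumption.
    return $Value -match '(?i)rundll32(\.exe)?\s+.*(downlo~1|downloaded program files).*\.dll'
}

function Get-SuspiciousRunEntries {
    Get-RunEntries | Where-Object { Test-SuspiciousRunEntry $_.Value }
}

function Watch-RunKeyRecreation {
    param([int]$Seconds = 30)
    # Snapshot the Run keys, then poll for the window. Delete a suspect value by
    # hand after starting this; anything that reappears is reported with its data.
    $before = Get-RunEntries | ForEach-Object { "$($_.Key)|$($_.Name)" }
    $deadline = (Get-Date).AddSeconds($Seconds)
    $seen = @{}
    while ((Get-Date) -lt $deadline) {
        foreach ($e in Get-RunEntries) {
            $id = "$($e.Key)|$($e.Name)"
            if ($before -notcontains $id -and -not $seen.ContainsKey($id)) {
                $seen[$id] = $true
                Write-Output ("NEW {0} {1} = {2}" -f $e.Key, $e.Name, $e.Value)
            }
        }
        Start-Sleep -Milliseconds 500
    }
}

function Get-Rundll32Processes {
    # Command lines of every rundll32.exe instance: shows which DLL each one hosts.
    Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" |
        Select-Object ProcessId, ParentProcessId, CommandLine
}

function Get-DriverServices {
    param([string]$Pattern = 'cnsmin')
    # Kernel drivers are services with Type = 1 (SERVICE_KERNEL_DRIVER).
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $svc = Get-ItemProperty $_.PSPath
        if ($svc.Type -eq 1 -and ($_.PSChildName -match $Pattern -or [string]$svc.ImagePath -match $Pattern)) {
            [pscustomobject]@{ Name = $_.PSChildName; ImagePath = $svc.ImagePath; Start = $svc.Start }
        }
    }
}

function Compare-DirectoryListings {
    param([string]$Path = (Join-Path $env:windir 'Downloaded Program Files'))
    # Explorer hides this folder's real contents; compare cmd.exe's dir with a
    # forced PowerShell listing so anything only one side sees stands out.
    $cmdList = @(cmd /c "dir /b /a `"$Path`"" 2>$null | Where-Object { $_ })
    $psList  = @(Get-ChildItem -Force -LiteralPath $Path -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty Name)
    if ($cmdList.Count -eq 0 -or $psList.Count -eq 0) {
        return [pscustomobject]@{ CmdDirCount = $cmdList.Count; PowerShellCount = $psList.Count }
    }
    Compare-Object -ReferenceObject $cmdList -DifferenceObject $psList -PassThru
}

# Usage: run each audit and print the results.
Get-SuspiciousRunEntries | Format-Table -AutoSize
Get-Rundll32Processes    | Format-Table -AutoSize
Get-DriverServices       | Format-Table -AutoSize
Compare-DirectoryListings
Watch-RunKeyRecreation -Seconds 30
```

`Watch-RunKeyRecreation` only observes; it is the evidence-gathering step behind the first post's suggestion that entries removed by an anti-spyware tool should be tracked when they come back. A driver that shows up in `Get-DriverServices` with `Start` 0 or 1 loads at boot, which is why the second post notes that it can only be dealt with from recovery mode.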
 
Steve Dodson [MSFT]

Sounds a lot like rootkit behavior.

--
-steve

Steve Dodson [MSFT]
MCSE, CISSP
PSS Security

--

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.
 
Bill Sanderson

Have you tried Sysinternals RootkitRevealer, or F-Secure's BlackLight beta
product?

(I just got around to reading this thread, and agree with Steve Dodson.)

Microsoft Antispyware can remove some threats which behave in "rootkit"
ways. They are definitely in the target group--so don't lose hope.

You might also try the antivirus vendors for some help. TrendMicro's online
scanner: http://housecall.trendmicro.com was able to ID one of the triad of
executables that Aurora uses for me, which I could not see with Microsoft
Antispyware or other process explorers I used.
 
