Pain in the a@se dll

Andy

Good evening.

Sorry for the harsh language. :)

I have been dealing with a virus/trojan/malware.

It's a dll.

It blew through a number of anti-virus programs.

It stopped MSIE from starting, among others.

I stopped it from loading (I think so).

Using Linux, I renamed it blank.dl? (pkiviewt.dl?)

I left off the last character for security purposes.

When I tried to zip it, it would not let me.

Someone told me that it may be hooking some things.

If it is doing this, is there a program that will show everything in memory?

Can someone help me?

Many thanks.

Andy

TIP for the day.

Check frequently in your C:\WINDOWS\system32 directory.

If you see a dll with a very new file date, become suspicious.
 
Paul

Andy said:
Good evening.

Sorry for the harsh language. :)

I have been dealing with a virus/trojan/malware.

It's a dll.

It blew through a number of anti-virus programs.

It stopped MSIE from starting, among others.

I stopped it from loading (I think so).

Using Linux, I renamed it blank.dl? (pkiviewt.dl?)

I left off the last character for security purposes.

When I tried to zip it, it would not let me.

Someone told me that it may be hooking some things.

If it is doing this, is there a program that will show everything in memory?

Can someone help me?

Many thanks.

Andy

TIP for the day.

Check frequently in your C:\WINDOWS\system32 directory.

If you see a dll with a very new file date, become suspicious.

Things you can do with your Linux CD:

1) Upload the pkiviewt.xxx file to virustotal.com for analysis.
That will give the malware a "name", and make it easier to fight.

2) Use a Linux program like 7z (from the package manager) to get
the equivalent of 7ZIP. Actually, Linux has a whole raft
of odds and ends of that sort (zip and unzip). They won't
always be on the CD, but using the package manager you can
get them in less than a minute.

As for dumping memory, there is a trick that uses Firewire
ports to do that. But I don't really think that's your
intention. (You can do RDMA over Firewire.) It would be too hard
to find the thing, assuming you made a large file out of the
memory dump. What exactly would you look for?

There are lots of tools out there. A free version of MBAM
(not the paid version).

http://en.wikipedia.org/wiki/Malwarebytes'_Anti-Malware

GMER for rootkits (I don't really know what tools are up
to date for that purpose - this is just an example).

http://en.wikipedia.org/wiki/GMER

Adwcleaner - is for adware. MBAM doesn't detect all of it.

http://www.bleepingcomputer.com/download/adwcleaner/

And the Kaspersky scanning disc is a Linux distro with
a Windows AV scanner.

http://support.kaspersky.com/8092

Iso image of Kaspersky Rescue Disk 10 (237 MB)

It's not actually 237MB. They don't update the
size after each update. It's around 300MB now.
And it's just an AV, probably like the ones
you've already tried. The difference is, the
scan will be signature based, and an offline scan.
Windows isn't running when you use that one, because
you boot off that CD, and the CD contains Linux (Gentoo?).

Paul
 
Andy

Andy said:
Good evening.

Sorry for the harsh language. :)

I have been dealing with a virus/trojan/malware.

It's a dll.

It blew through a number of anti-virus programs.

It stopped MSIE from starting, among others.

I stopped it from loading (I think so).

Using Linux, I renamed it blank.dl? (pkiviewt.dl?)

I left off the last character for security purposes.

When I tried to zip it, it would not let me.

Someone told me that it may be hooking some things.

If it is doing this, is there a program that will show everything in memory?

Can someone help me?

Many thanks.

Andy

TIP for the day.

Check frequently in your C:\WINDOWS\system32 directory.

If you see a dll with a very new file date, become suspicious.

http://technet.microsoft.com/en-us/library/cc732261(v=WS.10).aspx

Thanks.

pkiview.dll is the correct file, which is now back (2003).

This has a version number; the other one that ended in t did not.

I sent it to virustotal.

Andy
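The two checks raised in this thread, Andy's tip about a DLL in system32 with a very new file date and his later observation that the genuine pkiview.dll carries a version number while the rogue pkiviewt one did not, as a Python triage script. This is an added example, not code from the thread or from any of the tools named in it. It assumes the directory has been copied or mounted read-only from the Linux CD and runs here over two constructed sample files. The KNOWN_GOOD list, the one-character look-alike-name check (which goes beyond what the thread does) and the VS_VERSION_INFO string heuristic are assumptions of this example:

```python
"""Offline triage of DLLs in a directory (e.g. a system32 copy mounted from a
Linux live CD), using the two checks raised in this thread: a very new file
date, and a missing version resource. A look-alike-name check is added on
top, since pkiviewt.dll differs from the genuine pkiview.dll by one character."""
import os
import struct
import tempfile
import time
from pathlib import Path

# Illustrative allow-list of genuine system DLL names (constructed for this
# example); a real run would use a full inventory taken from a known-clean
# install of the same Windows version.
KNOWN_GOOD = {"pkiview.dll", "kernel32.dll", "ntdll.dll"}


def is_pe(data: bytes) -> bool:
    """True if the bytes start with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def has_version_resource(data: bytes) -> bool:
    """Heuristic: a VS_VERSIONINFO block carries the UTF-16LE key 'VS_VERSION_INFO'.
    Its absence suggests the DLL was built without a version resource, as Andy
    observed for the rogue file; it is a hint, not proof."""
    return "VS_VERSION_INFO".encode("utf-16-le") in data


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(directory, known_good=KNOWN_GOOD, max_age_days=7, now=None):
    """Return a list of findings for *.dll files in `directory` that trip any check."""
    now = time.time() if now is None else now
    known = sorted(k.lower() for k in known_good)
    findings = []
    for path in sorted(Path(directory).glob("*.dll")):
        name = path.name.lower()
        data = path.read_bytes()
        reasons = []
        pe = is_pe(data)
        if not pe:
            reasons.append("not-a-pe")
        age_days = (now - path.stat().st_mtime) / 86400
        if age_days <= max_age_days:  # Andy's "very new file date" check
            reasons.append("recent")
        if name not in known:  # name one edit away from a genuine DLL
            reasons.extend(f"lookalike:{k}" for k in known if edit_distance(name, k) == 1)
        if pe and not has_version_resource(data):  # Andy's "no version number" check
            reasons.append("no-version-info")
        if reasons:
            findings.append({"file": path.name, "age_days": round(age_days, 1), "reasons": reasons})
    return findings


def make_minimal_pe(with_version: bool) -> bytes:
    """Constructed stand-in for a DLL: DOS header, e_lfanew -> 'PE\\0\\0', filler.
    Not loadable; just enough structure for the checks above."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    body = b"PE\x00\x00" + b"\x00" * 64
    if with_version:
        body += "VS_VERSION_INFO".encode("utf-16-le") + b"\x00\x00"
    return bytes(dos) + body


def build_sample_dir() -> str:
    """Constructed sample: an old, versioned pkiview.dll next to a fresh,
    unversioned pkiviewt.dll, mirroring the thread."""
    d = tempfile.mkdtemp(prefix="dll-triage-")
    now = time.time()
    legit = Path(d, "pkiview.dll")
    legit.write_bytes(make_minimal_pe(True))
    os.utime(legit, (now - 400 * 86400, now - 400 * 86400))  # ~400 days old
    rogue = Path(d, "pkiviewt.dll")
    rogue.write_bytes(make_minimal_pe(False))
    os.utime(rogue, (now - 3600, now - 3600))  # modified an hour ago
    return d


def demo():
    """Run the triage over the constructed sample directory."""
    return triage(build_sample_dir())


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']}: modified {f['age_days']} days ago, flags: {', '.join(f['reasons'])}")
```

On the constructed sample only pkiviewt.dll is reported, with all three flags; the genuine-looking pkiview.dll passes. Against a real system32 copy, point `triage()` at the mount path and feed `known_good` from a clean install, and treat each flag as a reason to look closer (hash the file and submit it, as Paul suggests) rather than as a verdict.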
 
Andy

Andy said:
http://technet.microsoft.com/en-us/library/cc732261(v=WS.10).aspx

Thanks.

pkiview.dll is the correct file, which is now back (2003).

This has a version number; the other one that ended in t did not.

I sent it to virustotal.

Andy

Just an update.

Virusinfo misidentified it.

It's been renamed, and the file extension as well.

I am looking for some new tools to study it safely with something similar to a debugger or maybe a passive type of analyzer.

I also use Linux, but could not find anything that can debug Windows PEs or dlls.

Andy

Thanks.
 
Paul

Andy said:
Just an update.

Virusinfo misidentified it.

It's been renamed, and the file extension as well.

I am looking for some new tools to study it safely with something similar to a debugger or maybe a passive type of analyzer.

I also use Linux, but could not find anything that can debug Windows PEs or dlls.

Andy

Thanks.

You upload a file to virustotal.com.

It scans the file using AV signatures. The scanning list
will show they've run around 40 different AV programs
against the file.

If the file has been scanned before, the web page may name
some of the other file names used when it was uploaded.

Upload it again, then copy the URL of the virustotal.com
scan and post it here.

Paul
 
Andy

Paul said:
You upload a file to virustotal.com.

It scans the file using AV signatures. The scanning list
will show they've run around 40 different AV programs
against the file.

If the file has been scanned before, the web page may name
some of the other file names used when it was uploaded.

Upload it again, then copy the URL of the virustotal.com
scan and post it here.

Paul

They misidentified the program, and I got no feedback from them.

Similar at another site.

I have set up a Virtual Box with XP as the O.S.

I found some excellent info on malware forensic analysis at

xxxx-http://fumalwareanalysis.blogspot.com/2011/08/malware-analysis-tutorial-reverse.html

I have set up a guest account to study the "rogue item" using Windows Debugger and some other tools.

Back to bug hunting and dissection,
Andy
 
