XP: Registry Keys, Malware


Scott

What role do registry keys play in malware? Is a registry key sufficient or
does there need to be a malware program on my computer?

Details.

I run Ad-Aware 2008 Free every week and on Aug 5 it found Virtumonde.
According to Lavasoft, this is in the top 5 of threats going around now.

File name: yacscom.dll in C:\Program Files\Yahoo!\Messenger

My notes do not mention that I checked to see if Ad-Aware also found
registry keys.

Before removing it, I tested AVG-Free, Spybot, and Yahoo Anti Spy and they
did not find Virtumonde. Microsoft Malicious Software Removal Tool did not
find anything with the July and August updates

Yahoo Anti Spy, however, did find 4 registry keys it identified as
hijackers.

One is ISTbar from a company called Internet Search Technologies:

hkey_local_machine \software\microsoft\windows\currentversion\internet
settings\zonemap\domains\contentmatch.net

Three were from Mirar. They had the exact form above but with different
domain names at the end: mirarseach.com, netnucleus.com, getmirar.com

Thanks for any info

Scott

Los Angeles
 
From: "Scott" <[email protected]>


Questions like this SHOULD be asked in an anti-malware news group such as
microsoft.public.security.virus

The Registry loads software as well as provides information as to how software should run,
its parameters and settings, and a myriad of other pertinent information.

Example:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

Relates to how Internet Explorer handles specific Internet domain sites such as MSN.COM

Malware will modify such settings to allow it maximum exposure and security capabilities
to allow it to do what it wants.

Some keys, such as
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

will load software entered into them.

Other locations like...
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

Will load DLL files into the Winlogon process.
Others will load into the Windows Explorer process (explorer.exe)

Now if a key loads a file and that file does not exist, it can load the payload.
Additionally, if a file needs a registry point to load and that registry point does not
exist in the registry then that file can't be loaded into the OS.

Thus the registry plays an integral part in integrating malware into the OS.

A simple piece of malware may just run an EXE file from...
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

or a DLL via RUNDLL32 from the same location.

A more complex piece of malware may have many entries in the registry as in the following
example URL
http://vil.nai.com/vil/Content/v_143470.htm
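The autostart and ZoneMap locations listed above can be reviewed offline from a registry export (a `reg export` file, or the kind of full backup ERUNT produces) rather than on the live machine. The Python script below is an added example, not code from this thread: it parses a constructed .reg sample (placeholder file names; the zone id assigned to contentmatch.net is assumed for illustration) and reports Run entries, Winlogon\Notify DLLs and per-domain zone overrides, handling only string and DWORD values.

```python
# Added example, not code from the thread: audit the autostart and ZoneMap locations above from an offline .reg export.
import re
RUN_KEYS = tuple(h + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" for h in ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"))
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
ZONEMAP_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}  # IE zone ids

def parse_reg(text):
    """Parse a .reg export into {key: {value_name: value}} (strings and DWORDs only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line:
            name, _, raw = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            else:  # quoted string; .reg escapes backslash and quote with a backslash
                keys[current][name] = re.sub(r'\\(["\\])', r"\1", raw[1:-1])
    return keys

def audit(keys):
    """Findings a defender reviews: autostart commands, Winlogon DLLs, zone overrides."""
    findings = []
    for key in RUN_KEYS:  # Run entries start an EXE, or a DLL through rundll32
        for name, cmd in keys.get(key, {}).items():
            kind = "DLL via rundll32" if "rundll32" in cmd.lower() else "EXE"
            findings.append(("autostart", key.split("\\")[0], name, kind, cmd))
    for key, values in keys.items():
        if key.lower().startswith(NOTIFY_KEY.lower() + "\\") and "DllName" in values:
            findings.append(("winlogon-notify", key.rsplit("\\", 1)[1], values["DllName"]))
        elif key.lower().startswith(ZONEMAP_KEY.lower() + "\\"):
            for scheme, zone in values.items():  # "*" or a scheme such as "http"
                findings.append(("zonemap", key[len(ZONEMAP_KEY) + 1:], scheme, ZONES.get(zone, str(zone))))
    return findings

# Constructed sample export: file names are placeholders; the zone id for contentmatch.net is assumed.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\WINDOWS\\system32\\example-dropper.exe"
"Helper"="rundll32.exe \"C:\\Program Files\\Example\\example.dll\",Start"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\examplenotify]
"DllName"="examplenotify.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\contentmatch.net]
"*"=dword:00000002
'''
```

Call `audit(parse_reg(open("export.reg", encoding="utf-16").read()))` on a real export (reg.exe writes UTF-16) and compare the entries against what you know you installed.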
 
Virtumonde is dangerous because some infestations manifest as a rootkit.
I had it removed except for one file which kept saying "access denied"
when I tried to remove it, even in safe mode. Some of these files need
to be removed from the DOS command prompt, C:\, before their process
starts, by booting into Recovery Console with the XP install CD. If
anyone doesn't have that (like just recovery disks) the workaround is,

http://aumha.net/viewtopic.php?f=62&t=31844 by an MS-MVP
[read the whole thing and do the registry fixes]

Remember to turn off System Restore before deleting this stuff, or
the malware will get replenished from files Windows backs up with.
I use more than one anti-spyware for running scans, but not the
active system protections for each one because they can conflict,
and also present hard to understand choices like Spybot's TeaTimer
for example. Firefox has Adblock Plus and NoScript, but none of
these programs provide very intelligent automatic protection.
Spyware Doctor seems to work fairly well, but slows the system.
Remember to turn on System Restore afterward. Before deleting
registry entries they warn you to backup the registry because in
some cases removing malware cripples the system.

Use ERUNT for full registry backups, Windows is not comprehensive.
www.winxptutor.com/regback.htm
I use mbrfix for backing up the mbr but BootitNG of Terabytes
has two good free programs.

I also like Acronis for doing complete backups, if you have a
large disk for a hidden backup partition. More than 4 DVDs is too
complex. A great way is to clone your hard drive to another
hard drive in the computer just after all the apps are installed
and it is pristine at about 12-16GB. That guards against hard disk
failure, you have another disk ready to go. I keep my data cable
unplugged rather than do incrementals to it. Email backups and
favorites/bookmarks I back up periodically to CDs. For pictures
DVD data disks are fine.

Since May of last year malware problems have gone up 407% and my
success rate at cleaning malware has gone from 85% success to
about 20% success, mainly because much malware now has rootkits.

After a person loses his hard drive twice, it really brings home
the old adage, an ounce of prevention is worth a pound of cure.

Stephen
 
Thanks for the info and the links. I was not aware that there was another
group for this topic.

Scott
Los Angeles.
 
Thanks for the info and the links. Ad-Aware has not detected a re-infection,
so I trust I am clean. That's bad news that malware is using rootkits now.

Scott
Los Angeles

 
From: "Scott" <[email protected]>

| Thanks for the info and the links. I was not aware that there was another
| group for this topic.

| Scott
| Los Angeles.

No problem Scott.

Note that there are also anti virus groups in the alt.* hierarchy as well.
 
Scott said:
What role do registry keys play in malware? Is a registry key sufficient or
does there need to be a malware program on my computer?

Malware can create registry keys, it's almost impossible to find a
program to remove them. Best bet in the future is NOT to install malware
of any sort.
 
David said:
| What role do registry keys play in malware? Is a registry key sufficient or
| does there need to be a malware program on my computer?

Questions like this SHOULD be asked in an anti-malware news group such as
microsoft.public.security.virus

Malware is not a virus. Since you are new to PC use here is the defn. of
a virus...

http://www.bootdisk.com/txtfiles/virus.txt
 
From: "Plato" <|@|.|>


| Malware is not a virus. Since you are new to PC use here is the defn. of
| a virus...

Actually, all viruses are malware.

There are NO "malware" news groups. The word malware was only added as a real word to the
dictionary this year.
When the original IBM PC was made, there were really only viruses. All the other
sub-categories of malware came later.

I certainly am on "new to PC", that's for sure!
 
Thanks for replying.

Yahoo Anti Spy found these registry keys and removed them. I don't know,
however, if they are associated with Virtumonde. I ran Yahoo Anti-Spy for
the first time when Ad Aware found Virtumonde.

I did not install anything that I thought was malware. The only two programs
I downloaded in recent months were the new Real Player, and The Weather
Channel desktop application provided a major update.

Scott
Los Angeles
 
From: "Plato" <|@|.|>


| Malware is not a virus. Since you are new to PC use here is the defn. of
| a virus...

| http://www.bootdisk.com/txtfiles/virus.txt

I don't understand this line...

"#4 is necessary to distinguish between viruses and worms, which do not require a host."

A worm is a virus that self-replicates through network protocols such as NNTP, SMTP,
NetBIOS over IP, RPC, etc. and does require a host. The host is used to generate the
network activity to spread. For example an RBot may use TCP port 135 to send out packets
to another PC's TCP port 135 to exploit a vulnerability in RPC, RPCSS/DCOM and if so
infect that PC and, if successful, the infected PC too will also generate packets
attempting to exploit other PCs who have this vulnerability.

I will also state that you contradicted yourself in the reply of the post...
"Re: win32/adware.virtumonde and win32.privacyremover.m64"

Message:
"System restore does not get rid of viruses. Best bet in the future is
NOT to install the virus in the first place."

The person was NOT infected with a virus. The person was infected with a Zlob/FakeAlert
type Trojan.

I will state that a virus news group is the *best* place to discuss malware.

It was early this AM when I , in a haze of Morning, should have replied...
"I certainly am not "new to PC", that's for sure!"
 
Hey, newbie! Malware may not necessarily be a virus, but a virus is malware,
by definition.

http://www.techterms.com/definition/malware
http://en.wikipedia.org/wiki/Malware
http://www.google.com/search?num=10...:Malware&sa=X&oi=glossary_definition&ct=title

Here's the TinyURL in case your newsreader breaks that last URL and you
can't figure out how to put it back together again.
http://tinyurl.com/5ncdxp

If you're having problems with the concept of a newsgroup with the word
"virus" in the name being more broadly devoted to discussing malware in
general, then you need professional help of one kind or another. Remedial
English? Psychological counseling? Maybe just a good brawl at your local bar
to get your head straightened up.
 