Ha! I bet that fooled you


Hi guys 'n gals, as I am typing this, a piece of malware is attempting to install itself onto my PC! (Isn't this exciting... an infection in real time? Might even be a first for the AO Forum?)

It has already downloaded itself, and from my initial research seems to be the latest member of the CoolWeb trojan/hijacker scumware family.

I was alerted to it by RegistryProt (http://www.diamondcs.com.au) and also by WinPatrol (BillP Studios... sorry, haven't got a link to that to hand). They both went about it in different ways, which I find interesting, and a good example of why you should have multi-layered defences.

RegistryProt saw that it had tried to register itself as a service:

HKEY=KEY_LOCAL_MACHINE
SOFTWARE\MICROSOFT\WINDOWS\CURRENT VERSION\\RUN SERVICES\NAME=SVC SERVICE

The proggy is called "svcinit.exe"

WinPatrol reported the fact that I had a new program in my start-up files: the same "svcinit.exe".

I used Hijack This!, and confirmed that there was a new program trying to start...the same one.

I then hunted around for the payload, and found the following with about the right time/datestamp:

"tapicfg.exe" and "web.exe", which are in C:\, the root directory. Svcinit is in C:\WINDOWS\SYSTEM\

They appear to be packed with UPX, so I could not make much of them at first glance... I don't think I have my machine with UPX running at the moment (moved house recently).

I am not sure what bad elements it has, but it certainly wants to hijack, and to phone home I think.

The reason that I am making such a big deal of this is that when I "kill" something with RegistryProt or WinPatrol, that is usually the end of the matter. This thing has been bringing up warning messages about every 10 minutes for the past couple of hours! So it has some sort of autoload running and IT IS STEALTHED!!! I used Hijack This as well as Windoze, and could see NOTHING.

I also updated Spybot Search & Destroy, AdAware6 (last release October 2) and AVG 6.0, and they spotted nothing!

I checked out Merijn's site:

http://www.spywareinfo.com/~merijn/cwschronicles.html

He says that SpyBot does not get these WebCool b******ds, because they are too slippery and he has a separate tool for them. You can get it from the links at the bottom of his web page.

I don't know about you guys, but I was not even aware of this... I thought SpyBot was the "full shilling", as we say in certain parts of the world.

The product is "CWShredder"... I have just downloaded the latest version and will see what it can do. I will report back later.

I have captured the files that I can find (apart from the hidden process) for subsequent torture... oops, I meant "analysis", and will send Merijn a copy of the installer, because it self-deletes, so it is a rare item (hey... maybe I should put it on eBay?).

Good Luck folks,

Cheers


Johnno