
Thread: injecting browser helper objects remotely =?

  1. #1
    Banned shakuni's Avatar
    Join Date
    Aug 2007
    Posts
    24

    injecting browser helper objects remotely =?

    Some system monitoring program gave me this message:
    A new startup program has been detected
    D:\windows\system32\jkhfd.dll,c
    which means that it is executing the function named c, which is exported by jkhfd.dll.

    I disassembled the file (jkhfd.dll) and found the following list of exported functions:
    c
    DllCanUnloadNow
    DllGetClassObject
    f
    InitSecurityInterfaceW
    LsaApCallPackage
    LsaApCallPackagePassthrough
    LsaApCallPackageUntrusted
    LsaApInitializePackage
    LsaApLogonTerminated
    LsaApLogonUser
    LsaApLogonUserEx
    o
    s
    SpInitialize
    (the function c, as I suspected, is exported)

    Some Sysinternals tools told me that the above DLL is there (injected?) as a browser helper object:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
    {B2CEFDCD-4318-4FD1-B87F-3E28D54ECF8D} d:\windows\system32\jkhfd.dll
    From the above list of exported functions, most are implemented by the DLL creator herself. But the Win32 function(s) like LogonUser (which attempts to log on, probably remotely) have aroused my suspicion.

    My questions:
    What does the prefix LsaAp mean?
    Since the disassembler can't locate the functions in the disassembly, can you please suggest some other way of reversing the DLL?
    Any further info on this method of attack, that is, how can someone remotely inject BHOs (browser helper objects)?
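The indicators quoted in the post above (a `dll,export` autostart value, a BHO registration pointing at the same DLL, and an export table carrying the LsaAp*/SpInitialize callback names that Windows expects from an LSA authentication package or security support provider, which are normally registered under the `Authentication Packages` / `Security Packages` values of `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`) can be checked mechanically. The script below is an added example and is not code from the thread or from any tool named in it; the sample input is constructed from the values in the post, with the fused `InitSecurityInterfaceWLsaApCallPackage` line split into its two export names. On a live host you would feed it the real autostart, BHO and export data instead.

```python
"""Triage a suspicious DLL from three artefacts: a rundll32-style autostart
entry, Browser Helper Object registrations, and the DLL's export names.
Added example; sample data below is constructed from the forum post."""

import re

# Callback exports Windows expects from an LSA authentication package
# (loaded into lsass.exe) and from a security support provider (SSP).
LSA_AUTH_PACKAGE_EXPORTS = {
    "LsaApInitializePackage", "LsaApLogonUser", "LsaApLogonUserEx",
    "LsaApLogonUserEx2", "LsaApCallPackage", "LsaApCallPackagePassthrough",
    "LsaApCallPackageUntrusted", "LsaApLogonTerminated",
}
SSP_EXPORTS = {
    "SpInitialize", "SpLsaModeInitialize", "SpUserModeInitialize",
    "InitSecurityInterfaceW", "InitSecurityInterfaceA",
}
BHO_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
# "<path>\x.dll,<ExportName>" as written in a Run/autostart value
STARTUP_RE = re.compile(r"^\s*(?P<dll>.+?\.dll)\s*,\s*(?P<export>[A-Za-z_]\w*)\s*$", re.I)


def parse_startup_entry(entry):
    """Split 'path\\x.dll,Export' into (dll_path, export_name)."""
    m = STARTUP_RE.match(entry)
    if not m:
        raise ValueError(f"not a dll,export autostart entry: {entry!r}")
    return m.group("dll"), m.group("export")


def norm_path(path):
    """Case-insensitive path comparison (the post mixes D: and d:)."""
    return path.replace("/", "\\").lower()


def classify_exports(exports):
    """Describe what the export table says the DLL is built to do."""
    names = set(exports)
    findings = []
    lsa = names & LSA_AUTH_PACKAGE_EXPORTS
    if lsa:
        findings.append(f"LSA authentication package interface ({len(lsa)} LsaAp* exports)")
    if names & SSP_EXPORTS:
        findings.append("security support provider interface (Sp*/InitSecurityInterface exports)")
    if "DllGetClassObject" in names:
        findings.append("COM in-process server (can be registered as a BHO)")
    short = sorted(n for n in names if len(n) <= 2)
    if short:
        findings.append(f"non-descriptive single-letter exports {short}")
    return findings


def triage(startup_entry, bho_entries, exports_by_dll):
    """Cross-check the three artefacts and return a list of findings."""
    findings = []
    dll, export = parse_startup_entry(startup_entry)
    exports = next((e for p, e in exports_by_dll.items()
                    if norm_path(p) == norm_path(dll)), [])
    if export in exports:
        findings.append(f"autostart calls export {export!r} of {dll}")
    else:
        findings.append(f"autostart names export {export!r} that {dll} does not export")
    for clsid, path in bho_entries:
        if not CLSID_RE.match(clsid):
            findings.append(f"malformed BHO CLSID {clsid} under {BHO_KEY}")
        if norm_path(path) == norm_path(dll):
            findings.append(f"same DLL persists as BHO {clsid} and as an autostart entry")
    findings.extend(f"{dll}: {f}" for f in classify_exports(exports))
    return findings


# Constructed sample mirroring the post (path, CLSID and export names as quoted there).
SAMPLE_STARTUP = r"D:\windows\system32\jkhfd.dll,c"
SAMPLE_BHO = [("{B2CEFDCD-4318-4FD1-B87F-3E28D54ECF8D}", r"d:\windows\system32\jkhfd.dll")]
SAMPLE_EXPORTS = {
    r"D:\windows\system32\jkhfd.dll": [
        "c", "DllCanUnloadNow", "DllGetClassObject", "f",
        "InitSecurityInterfaceW", "LsaApCallPackage",
        "LsaApCallPackagePassthrough", "LsaApCallPackageUntrusted",
        "LsaApInitializePackage", "LsaApLogonTerminated", "LsaApLogonUser",
        "LsaApLogonUserEx", "o", "s", "SpInitialize",
    ]
}

if __name__ == "__main__":
    for line in triage(SAMPLE_STARTUP, SAMPLE_BHO, SAMPLE_EXPORTS):
        print("-", line)
```

On the sample data the script reports that the autostart entry calls a real export `c`, that the same binary is persisted both as a BHO and as an autostart entry, and that its export table exposes the LSA authentication package and SSP interfaces alongside a COM server entry point. Whichever of those findings appears on a real host, the next defensive step is the same: compare the DLL path against the `Authentication Packages` and `Security Packages` values under the Lsa key and against the BHO key, and treat an unknown DLL in any of them as a credential-theft risk.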

  2. #2
    Senior Member
    Join Date
    Oct 2003
    Location
    MA
    Posts
    1,052
    LSA = Local Security Authority, but I don't know what the Ap means.

  3. #3
    Senior Member
    Join Date
    Jul 2002
    Location
    Texas
    Posts
    168
    If I remember correctly from the machine I was cleaning 2 days ago.... That is the latest incarnation of the Virtumonde trojan. If so, you're gonna have fun cleaning it out, as safe mode isn't enough. It makes copies of itself to programs, i.e. ccapp.exe would be infected and running, but "ccapp .exe" is the original and not running. Notice the space.
    Sysinternals helps to root these out with Process Monitor and Autoruns.

    Before I forget, there should be an exe file with the same name as that DLL hiding somewhere, probably another DLL and its exe too.
    Run a virus/spyware scan.
    <chsh> I've read more interesting technical discussion on the wall of a public bathroom than I have at AO at times

  4. #4
    Junior Member
    Join Date
    Jun 2006
    Posts
    8
    It's trying to get your login passwords to root your system.

  5. #5
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    From what I have seen, "Ap" generally means "application".

    Here is some more information about your malware:

    http://www.prevx.com/filenames/10879...JKHFD.DLL.html

    It looks as if Darksnake is right and this is a new variant that has just surfaced.

    I believe that it actually tries to protect itself against disassembly, which would explain the results you got?

  6. #6
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491
    A co-worker of mine cleaned his portable by connecting to it with another PC, because, as previously mentioned, it doesn't help to do it in safe mode. Normally this co-worker wouldn't bother, but he was intrigued by how this happened to him.
    Back when I was a boy, we carved our own IC's out of wood.

  7. #7
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi Cemetric,

    From what I saw it was looking for network drives?

    I would not really want to connect that to another machine... I guess I would try something like the UBCD as a first shot?... unless I was using a Linux distro on the cleaning device?
