"Virus Guy" wrote:
> Absolutely no search hits for uuid.sys.
Not surprising because that is deleted immediately after being dropped
and loaded into memory. It's the initial rootkit component and is
likely not needed once the second binary is downloaded and installed.
> http://www.f-secure.com/v-descs/virus_w32_alman_a.shtml
That's an older version which behaves in a similar way. The
Bitdefender example is a closer description and has the correct URL
which the malware uses for further communication.
> It seems to be categorized as a network worm and trojan, not as a
> rootkit - but perhaps it eventually downloads and installs a rootkit
> as a second stage of the infection.
It drops its own version of linkinfo.dll in the %windows% directory;
the genuine MS version being in %windows%\system32. I believe the
rootkit components are embedded in the dll. They appear to be:
IsDrv122.sys
RsBoot.sys
cdralw.sys
One or more will be launched from the registry entry:
HKLM\SYSTEM\CurrentControlSet\Services
with the service name DLANX.
These files are also created:
C:\setup.exe
\\.\DLUProc
Mutex names appear to be:
__DLU_INF__
PNP#DMUTEX#1#DLU
PNP#NETMUTEX#1#DLU
> There is some aspect of your system that wasn't patched.
I reckon ActiveX, anifile or Macromedia Flash.
> If you're sure that it's up to date (as far as Microsoft is
> concerned) then your Java JRE should be looked at.
In this case, Java wasn't involved.
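As an added example, not part of the original post: a PowerShell script that checks a Windows host for the indicators listed above (the rogue linkinfo.dll in %windows%, the three driver names, C:\setup.exe, the DLANX service key, the \\.\DLUProc device and the three DLU mutexes). The names come from the post; the driver locations (searched under %windir%), the Global\ mutex prefix and the use of CreateFile/OpenExisting as the presence test are my assumptions. Run it from an elevated prompt, since the driver and device checks need it.

```powershell
# IOC check for the DLU/DLANX infection described in the thread.
# Added example; not from the original post. Names below are the ones
# listed there, locations and prefixes are assumptions.
$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files. The rogue linkinfo.dll sits in %windir%; the genuine
#    copy is %windir%\system32\linkinfo.dll, so report both hashes.
$rogueDll   = Join-Path $env:windir 'linkinfo.dll'
$genuineDll = Join-Path $env:windir 'system32\linkinfo.dll'
if (Test-Path $rogueDll) {
    $h1 = (Get-FileHash -Algorithm SHA256 $rogueDll).Hash
    $h2 = (Get-FileHash -Algorithm SHA256 $genuineDll).Hash
    $findings.Add("linkinfo.dll in %windir% (sha256 $h1; system32 copy $h2)")
}
if (Test-Path 'C:\setup.exe') { $findings.Add('C:\setup.exe present') }

# Driver names from the post; exact drop location is not stated, so
# search the Windows directory tree (assumption).
$drivers = 'IsDrv122.sys', 'RsBoot.sys', 'cdralw.sys'
Get-ChildItem -Path $env:windir -Recurse -Include $drivers -File |
    ForEach-Object { $findings.Add("driver file $($_.FullName)") }

# 2. Service registration under CurrentControlSet with service name DLANX.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DLANX'
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty -Path $svcKey
    $findings.Add("service DLANX registered, ImagePath=$($svc.ImagePath)")
}

# 3. Device object \\.\DLUProc. CreateFile with no access rights asks only
#    whether the name resolves: ERROR_FILE_NOT_FOUND (2) means absent,
#    a valid handle or ERROR_ACCESS_DENIED (5) means something owns it.
$sig = @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern IntPtr CreateFileW(string name, uint access, uint share,
    IntPtr sec, uint disp, uint flags, IntPtr template);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
'@
$k32 = Add-Type -MemberDefinition $sig -Name 'K32' -Namespace 'IocCheck' -PassThru
$OPEN_EXISTING = 3
$h = $k32::CreateFileW('\\.\DLUProc', 0, 0, [IntPtr]::Zero, $OPEN_EXISTING, 0, [IntPtr]::Zero)
$err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
if ($h.ToInt64() -ne -1) {
    [void]$k32::CloseHandle($h)
    $findings.Add('device \\.\DLUProc is present (opened)')
} elseif ($err -eq 5) {
    $findings.Add('device \\.\DLUProc is present (access denied)')
}

# 4. Mutexes. OpenExisting throws WaitHandleCannotBeOpenedException when
#    the name does not exist; UnauthorizedAccessException means it exists
#    but our token cannot open it, which still counts as present.
function Test-MutexPresent([string]$Name) {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($Name)
        $m.Dispose()
        return $true
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        return $false
    } catch [System.UnauthorizedAccessException] {
        return $true
    }
}
$mutexes = '__DLU_INF__', 'PNP#DMUTEX#1#DLU', 'PNP#NETMUTEX#1#DLU'
foreach ($name in $mutexes) {
    # The post gives bare names; try the session-local name and the
    # Global\ form, since the namespace it is created in is not stated.
    foreach ($candidate in @($name, "Global\$name")) {
        if (Test-MutexPresent $candidate) {
            $findings.Add("mutex $candidate is held by a running process")
            break
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No DLU/DLANX indicators found.'
    exit 0
}
Write-Host "Indicators found ($($findings.Count)):"
$findings | ForEach-Object { Write-Host "  - $_" }
exit 1
```

The mutex and device checks only fire while the malware is running, so a clean result from them on a host booted into safe mode or from offline media tells you nothing; the file and registry checks are the ones to rely on there. A rootkit driver that is already loaded can of course hide its own files and service key from user-mode enumeration, which is why a negative result from this script is weaker evidence than a positive one.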