Overcoming The Malware “XP Internet Security”


Viruses, worms, trojans, and rogue antispyware software are getting pretty sophisticated. As careful as I am, one caught me today, on a computer I don't usually use. Usually I use Firefox. But I opened up Google Chrome, right-clicked a link, and chose "open in new window". Suddenly I got one of those phony web pages claiming that I had a virus and pretending to run a scan.

Zone Alarm did not catch it, which is pretty disappointing. I set the alert to deny, as I usually do, but the program still executed.

ZoneAlarm and XCV.exe

Interestingly, the fake scanner was actually listing specific files on my computer, in the C:\cygwin directory. Not many people have cygwin on their hard drive. When I started Google again, I got strange web pages.

XP Internet Security Screen Shot

Google Chrome would not work.

Google Chrome and XP Internet Security

XP Internet Security came up and blocked Chrome from running, claiming that Chrome was trying to log keystrokes.

XP Internet Security, stating that Google Chrome is acting as a keylogger

Then began a number of hours of analysis and figuring out how to get rid of it.

———————————

Determine The Culprit Process:

From the Task Manager process list, I figured the culprit was xcv.exe. I always have Task Manager running; over time you get a sense of what is typically running.

———————————

I updated Zone Alarm and ran a full scan, but it found no infections! Is Zone Alarm useless, or did the malware disable it?

———————————

Search the registry for xcv.exe with regedit.

Note the directories in which xcv.exe is referenced.

XP Internet Security, xcv.exe, and the Registry

———————————

Search the hard drives for the files listed in the registry:

I tried to find these files in Windows Explorer, but they were in a hidden directory. I then tried booting into Safe Mode and logging in as Administrator, but the computer's owner didn't have the Administrator password. Too bad.

———————————

I'd installed cygwin, the Linux-like environment for Windows, on this machine previously. I use it for a number of things: searching, network commands. Using cygwin, search the hard drives for xcv.exe:

cd /cygdrive/c

/cygdrive/c

$ find . -type f 2> /dev/null | grep -i "xcv"

./cygwin/bin/fixcvsdiff
./cygwin/usr/share/man/man1/fixcvsdiff.1.gz
./Documents and Settings/Rodger/Local Settings/Application Data/xcv.exe
./WINDOWS/Prefetch/XCV.EXE-1B5CE73A.pf

After I found the file, I could enter its path in Windows Explorer and see it there.

C:\Documents and Settings\Rodger\Local Settings\Application Data\xcv.exe

———————————

Then, I took a look at the Windows properties of the file.

xcv.exe Windows Properties

————————————

With Cygwin,  Analyze, and Then Delete The Files:

When it comes to nasty files, cygwin is superior. When files are deleted from Windows Explorer, they go to the Recycle Bin; they aren't really deleted. When they are deleted with cygwin's rm, the file is unlinked immediately and never passes through the Recycle Bin. You would need special recovery software to get them back.

———————————

cd /cygdrive/c/WINDOWS/Prefetch/
rm XCV.EXE-1B5CE73A.pf

———————————

Delete All The Executable Files:

XP Internet Security doesn't come as just one executable file. It drops many executable files.

cd "/cygdrive/c/Documents and Settings/Rodger/Local Settings/Application Data"

$ ls -lrt
total 5717
drwx------+  2 Rodger         None         0 Mar 20  2008 Microsoft Help     /* directories */

drwx------+  3 Rodger         None         0 Apr 17 13:16 Apple Computer
drwxrwx---+  3 Administrators SYSTEM       0 Apr 17 13:17 Apple

-rwx------+  1 Rodger         None    348160 Apr 23 10:30 lfs.exe
-rwx------+  1 Rodger         None         0 Apr 23 10:30 gup.exe
-rwx------+  1 Rodger         None         0 Apr 23 10:30 fwa.exe
-rwx------+  1 Rodger         None         0 Apr 23 10:30 vdq.exe
-rwx------+  1 Rodger         None         0 Apr 23 10:30 pfs.exe
-rwx------+  1 Rodger         None    348160 Apr 23 10:36 fyy.exe
-rwx------+  1 Rodger         None    348160 Apr 23 10:36 lsd.exe
-rwx------+  1 Rodger         None    348160 Apr 23 10:36 ije.exe
-rwx------+  1 Rodger         None    348160 Apr 23 10:37 weh.exe
-rwx------+  1 Rodger         None    348160 Apr 23 10:37 dgu.exe
-rwx------+  1 Rodger         None   1930896 Apr 23 10:37 IconCache.db
-rwx------+  1 Rodger         None    348160 Apr 23 10:40 xcv.exe
-rwx------+  1 Rodger         None    348160 Apr 23 10:40 bep.exe
-rwx------+  1 Rodger         None    348160 Apr 23 10:40 jje.exe
-rwx------+  1 Rodger         None    348160 Apr 23 10:40 diy.exe
-rwx------+  1 Rodger         None    348160 Apr 23 10:40 bvg.exe
-rwx------+  1 Rodger         None      8574 Apr 23 14:33 66o44g3o5r78677gumnwu5t5by81l7l34xk27

You can tell because all the file sizes are the same, 348160 bytes, and the timestamps are all within a few minutes of each other. Fifteen nasty files. Tricky bastards huh. If you catch the XP Internet Security virus but can't find xcv.exe running in Task Manager, look for these other .exe files in the same directory.
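To turn the size-and-timestamp heuristic above into a repeatable check, here is an added shell example (not code from the original post): given one file known to be the rogue binary, it lists the siblings in the same directory that match its size and were written within a short window, confirms each with a SHA-256 (equal size alone is weak evidence), and flags whether each is a PE image, as the post's `file *` step did. It assumes GNU coreutils (stat, find, touch, sha256sum), which cygwin provides, and builds its own constructed sample directory.

```shell
#!/bin/sh
# Added example, not code from the original post. Given one file known to be
# the rogue "XP Internet Security" binary, list its siblings in the same
# directory using the signals the post relies on (identical size and a
# modification time within a short window), confirm with a SHA-256, and note
# whether each file starts with the "MZ" DOS/PE header magic.
# Assumes GNU coreutils (stat, find, touch, sha256sum), as shipped by cygwin.

# is_pe FILE: succeeds if FILE begins with the "MZ" magic of a PE image.
is_pe() {
    [ "$(head -c 2 -- "$1" 2>/dev/null)" = "MZ" ]
}

# find_siblings DIR KNOWN_BAD [WINDOW_SECONDS]
# One line per candidate: verdict, pe|not-pe, size, mtime (epoch), path.
#   identical  same size and same SHA-256 (a copy of the known-bad file)
#   same-size  same size but different content (inspect before deleting)
find_siblings() {
    dir=$1; known=$2; window=${3:-3600}
    size=$(stat -c %s -- "$known")
    ref_mtime=$(stat -c %Y -- "$known")
    ref_hash=$(sha256sum -- "$known" | cut -d' ' -f1)
    # -size Nc matches files of exactly N bytes; -maxdepth 1 stays in DIR.
    find "$dir" -maxdepth 1 -type f -size "${size}c" |
    while IFS= read -r f; do
        if [ "$f" -ef "$known" ]; then continue; fi
        m=$(stat -c %Y -- "$f")
        delta=$(( m > ref_mtime ? m - ref_mtime : ref_mtime - m ))
        if [ "$delta" -gt "$window" ]; then continue; fi
        h=$(sha256sum -- "$f" | cut -d' ' -f1)
        if [ "$h" = "$ref_hash" ]; then verdict=identical; else verdict=same-size; fi
        if is_pe "$f"; then pe=pe; else pe=not-pe; fi
        printf '%s\t%s\t%s\t%s\t%s\n' "$verdict" "$pe" "$size" "$m" "$f"
    done | sort -t "$(printf '\t')" -k5
}

# count_verdict OUTPUT VERDICT: how many lines of OUTPUT carry that verdict.
count_verdict() {
    printf '%s\n' "$1" | awk -F "$(printf '\t')" -v v="$2" '$1 == v { n++ } END { print n + 0 }'
}

# make_sample_dir: a constructed stand-in for the post's Application Data
# folder. Names echo the post; sizes and contents are made up.
make_sample_dir() {
    d=$(mktemp -d)
    { printf 'MZ'; head -c 4094 /dev/urandom; } > "$d/xcv.exe"   # known bad
    cp "$d/xcv.exe" "$d/bep.exe"                                   # exact copy
    cp "$d/xcv.exe" "$d/fyy.exe"                                   # exact copy
    { printf 'MZ'; head -c 4094 /dev/urandom; } > "$d/diy.exe"   # same size only
    cp "$d/xcv.exe" "$d/old.exe"                                   # copy, stale mtime
    : > "$d/gup.exe"                                               # empty, like the post's
    head -c 100 /dev/urandom > "$d/IconCache.db"                   # different size
    touch -d '2010-04-23 10:40:00' "$d/xcv.exe" "$d/bep.exe" "$d/diy.exe" \
        "$d/gup.exe" "$d/IconCache.db"
    touch -d '2010-04-23 10:36:00' "$d/fyy.exe"
    touch -d '2008-03-20 00:00:00' "$d/old.exe"
    printf '%s\n' "$d"
}

main() {
    d=$(make_sample_dir)
    result=$(find_siblings "$d" "$d/xcv.exe" 3600)
    printf '%s\n' "$result"
    printf 'identical copies of xcv.exe: %s\n' "$(count_verdict "$result" identical)"
    rm -rf -- "$d"
}

main
```

On the constructed directory, bep.exe and fyy.exe come back as identical copies, diy.exe as same-size only, and old.exe, gup.exe and IconCache.db are left out; review the same-size entries before deleting anything.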

————————————

With Cygwin, Check What These Malware Files Are:

Optional step, for the smart and curious computer jocks.

$ file *

66o44g3o5r78677gumnwu5t5by81l7l34xk27:    data
Adobe:                                    directory
Apple:                                    directory
Apple Computer:                           directory
ApplicationHistory:                       directory
DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini: Microsoft Installer
Downloaded Installations:                 directory
GDIPFONTCACHEV1.DAT:                      data
Google:                                   directory
Help:                                     directory
IconCache.db:                             data
Identities:                               directory
Microsoft:                                directory
Microsoft Help:                           directory
Mozilla:                                  directory
PassMark:                                 directory
Seven Zip:                                directory
Temp:                                     directory
Thunderbird:                              directory
WMTools Downloaded Files:                 directory

bep.exe:                                  MS-DOS executable PE  for MS Windows (GUI) Intel 80386 32-bit
bvg.exe:                                  MS-DOS executable PE  for MS Windows (GUI) Intel 80386 32-bit
dgu.exe:                                  MS-DOS executable PE  for MS Windows (GUI) Intel 80386 32-bit
diy.exe:                                  MS-DOS executable PE  for MS Windows (GUI) Intel 80386 32-bit
fusioncache.dat:                          ASCII text, with CRLF line terminators
fwa.exe:                                  empty
fyy.exe:                                  MS-DOS executable PE  for MS Windows (GUI) Intel 80386 32-bit
gup.exe:                                  empty
ije.exe:                                  MS-DOS executable PE  for MS Windows (GUI) Intel 80386 32-bit
jje.exe:                                  MS-DOS executable PE  for MS Windows (GUI) Intel 80386 32-bit
lfs.exe:                                  MS-DOS executable PE  for MS Windows (GUI) Intel 80386 32-bit
lsd.exe:                                  MS-DOS executable PE  for MS Windows (GUI) Intel 80386 32-bit
pfs.exe:                                  empty
vdq.exe:                                  empty
weh.exe:                                  MS-DOS executable PE  for MS Windows (GUI) Intel 80386 32-bit
xcv.exe:                                  MS-DOS executable PE  for MS Windows (GUI) Intel 80386 32-bit
{3248F0A6-6813-11D6-A77B-00B0D0150060}:   directory

————————————

Before deleting the files, I took a look inside the executable. What's in there? This step is also optional.

$ strings  xcv.exe | wc
945  1870 19174 XCV.txt

strings xcv.exe

src\..\src\MXF\SDK\GenericContainer\Wave\SampleAlignmentVector.cpp
multipleDescriptor != 0
Expecting a MultipleDescriptor in the SourcePackage.
protected\MXF/SDK/GenericContainer/EssenceAnalyzer_impl.h
canChangeEditRate_ || waveExtendedReader_ -> compressionType () == WAVE_FORMAT_UNKNOWN
Edit rate must be set before calling preload or nextEditUnit
src\..\src\MXF\SDK\GenericContainer\Wave\WaveEssenceAnalyzer.cpp
impl_ -> waveExtendedReader_ -> hasWaveInfo ()
WaveEssence analyzer not initialized.
numberOfEditUnits > 0
Value must be higher then zero
formatChunk -> size () >= sizeof (FormatMPEG1Chunk)
Wave file Format MPEG chunk is shorter than expected
src\..\src\MXF\SDK\GenericContainer\Wave\WaveExtendedReader.cpp
Wave file contains unknown format essence
formatChunk -> size () >= sizeof (FormatExtensibleChunk)
Wave file Format Extensible chunk is shorter than expected
chunkLength >= sizeof (BExtChunk)
Wave file BEXT chunk is shorter than expected
bad cast
true
false
0123456789abcdefABCDEF
ios_base::eofbit set
ios_base::failbit set
ios_base::badbit set
bad locale name
invalid string position
string too long
bad allocation
:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December
%.0Lf
Access violation - no RTTI data!
Bad read pointer - no RTTI data!
Attempted a typeid of NULL pointer!
Bad dynamic_cast!
Unknown exception
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
LC_TIME
LC_NUMERIC
LC_MONETARY
LC_CTYPE
LC_COLLATE
LC_ALL
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
July
June
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
am/pm
e+000
GAIsProcessorFeaturePresent
KERNEL32
CorExitProcess
mscoree.dll
runtime error
TLOSS error
SING error
DOMAIN error
R6028
- unable to initialize heap
R6027
- not enough space for lowio initialization
R6026
- not enough space for stdio initialization
R6025
- pure virtual function call
R6024
- not enough space for _onexit/atexit table
R6019
- unable to open console device
R6018
- unexpected heap error
R6017
- unexpected multithread lock error
R6016
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
R6009
- not enough space for environment
R6008
- not enough space for arguments
R6002
- floating point not loaded
Microsoft Visual C++ Runtime Library
Runtime Error!
Program:
<program name unknown>
InitializeCriticalSectionAndSpinCount
kernel32.dll
040a
1252
040b
1252
040c
1252

380a
1252
3c0a
1252
Paraguay
Uruguay
Chile
Ecuador
Argentina
Peru
Colombia
Venezuela
Dominican Republic
South Africa
Panama
Luxembourg
Costa Rica
Switzerland
Guatemala
Canada
Spanish - Modern Sort
Australia
English
Austria
German
Belgium
Mexico
Spanish
Basque
Sweden
Swedish
Iceland
Icelandic
France
French
Finland
Finnish
Spain
Spanish - Traditional Sort
united-states
united-kingdom
trinidad & tobago
south-korea
south-africa
south korea
south africa
slovak
puerto-rico
pr-china
pr china
new-zealand
hong-kong
holland
great britain
england
czech
china
britain
america
swiss
swedish-finland
spanish-venezuela
spanish-uruguay
spanish-puerto rico
spanish-peru
spanish-paraguay
spanish-panama
spanish-nicaragua
spanish-modern
spanish-mexican
spanish-honduras
spanish-guatemala
spanish-el salvador
spanish-ecuador
spanish-dominican republic
spanish-costa rica
spanish-colombia
spanish-chile
spanish-bolivia
spanish-argentina
portuguese-brazilian
norwegian-nynorsk
norwegian-bokmal
norwegian
italian-swiss
irish-english
german-swiss
german-luxembourg
german-lichtenstein
german-austrian
french-swiss
french-luxembourg
french-canadian
french-belgian
english-usa
english-us
english-uk
english-trinidad y tobago
english-south africa
english-nz
english-jamaica
english-ire
english-caribbean
english-can
english-belize
english-aus
english-american
dutch-belgian
chinese-traditional
chinese-singapore
chinese-simplified
chinese-hongkong
chinese
canadian
belgian
australian
american-english
american english
american
Norwegian-Nynorsk
Program:
A buffer overrun has been detected which has corrupted the program’s
internal state.  The program cannot safely continue execution and must
now be terminated.
Buffer overrun detected!
A security error of unknown cause has been detected which has
corrupted the program’s internal state.  The program cannot safely
continue execution and must now be terminated.
Unknown security failure detected!
AdjustTokenPrivileges
ChangeServiceConfigA
CloseServiceHandle
ControlService
CryptAcquireContextA
CryptCreateHash
CryptDestroyHash
CryptGetHashParam
CryptHashData
CryptReleaseContext
LookupPrivilegeValueA
OpenProcessToken
OpenSCManagerA
OpenServiceA
QueryServiceStatus
RegCloseKey
RegCreateKeyA
RegCreateKeyExA
RegDeleteKeyA
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
RegFlushKey
RegOpenKeyA
RegOpenKeyExA
RegQueryInfoKeyA
RegQueryValueExA
RegSetValueExA
StartServiceA
ADVAPI32.dll
CloseHandle
CompareFileTime
CompareStringA
CreateDirectoryA
CreateEventA
CreateFileA
CreateMutexA
CreateProcessA
CreateThread
DeleteCriticalSection
DeleteFileA
DuplicateHandle
EnterCriticalSection
FileTimeToSystemTime
FindClose
FindFirstFileA
FindNextFileA
FindResourceA
FlushInstructionCache
FormatMessageA
FreeLibrary
FreeResource
GetComputerNameA
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDateFormatA
GetFileAttributesA
GetLastError
GetLocalTime
GetModuleFileNameA
GetModuleHandleA
GetPriorityClass
GetPrivateProfileIntA
GetPrivateProfileStringA
GetProcAddress
GetProcessHeap
GetShortPathNameA
GetStartupInfoA
GetStringTypeExA
GetSystemDefaultLCID
GetSystemDirectoryA
GetSystemInfo
GetSystemTimeAsFileTime
GetTempFileNameA
GetTempPathA
GetTickCount
GetTimeFormatA
GetUserDefaultLCID
GetVersionExA
GlobalAlloc
GlobalFree
GlobalHandle
GlobalLock
GlobalUnlock
HeapAlloc
HeapDestroy
HeapFree
InitializeCriticalSection
InterlockedDecrement
InterlockedIncrement
IsDBCSLeadByte
LeaveCriticalSection
LoadLibraryA
LoadLibraryExA
LoadResource
LocalAlloc
LocalFree
LocalReAlloc
LockResource
MulDiv
MultiByteToWideChar
OpenEventA
OpenProcess
QueryPerformanceCounter
QueryPerformanceFrequency
ReadFile
ReleaseMutex
ResetEvent
ResumeThread
RtlUnwind
SetEndOfFile
SetErrorMode
SetEvent
SetFilePointer
SetLastError
SetPriorityClass
SetUnhandledExceptionFilter
SizeofResource
Sleep
SystemTimeToFileTime
TerminateProcess
TerminateThread
UnhandledExceptionFilter
VirtualAlloc
VirtualFree
WaitForSingleObject
WideCharToMultiByte
WriteFile
WritePrivateProfileStringA
lstrcatA
lstrcmpA
lstrcpyA
lstrcpynA
lstrlenA
lstrlenW
KERNEL32.dll
BitBlt
CreateCompatibleBitmap
CreateCompatibleDC
CreateDCA
CreateDIBSection
CreateFontIndirectA
CreatePalette
CreatePen
CreateRectRgnIndirect
CreateSolidBrush
DeleteDC
DeleteObject
ExtTextOutA
GetDeviceCaps
GetMapMode
GetObjectA
GetStockObject
GetSystemPaletteEntries
GetSystemPaletteUse
GetTextExtentPoint32A
GetTextExtentPointA
GetTextMetricsA
LPtoDP
LineTo
MoveToEx
PatBlt
RealizePalette
RestoreDC
SaveDC
SelectObject
SelectPalette
SetBkColor
SetBkMode
SetMapMode
SetTextColor
SetViewportOrgEx
SetWindowOrgEx
StretchBlt
GDI32.dll
AdjustWindowRectEx
AppendMenuA
BeginDeferWindowPos
BeginPaint
CallWindowProcA
CharLowerA
CharNextA
CharToOemA
CharUpperA
CharUpperBuffA
CheckDlgButton
CheckMenuItem
CheckRadioButton
CloseClipboard
CopyAcceleratorTableA
CreateAcceleratorTableA
CreateDialogParamA
CreateWindowExA
DefWindowProcA
DeferWindowPos
DeleteMenu
DestroyAcceleratorTable
DestroyIcon
DestroyMenu
DestroyWindow
DialogBoxParamA
DispatchMessageA
DrawEdge
DrawIconEx
DrawTextA
EmptyClipboard
EnableMenuItem
EnableWindow
EndDeferWindowPos
EndDialog
EndPaint
EqualRect
ExitWindowsEx
FillRect
FindWindowA
FindWindowExA
FrameRect
GetClassInfoA
GetClassInfoExA
GetClassNameA
GetClientRect
GetCursorPos
GetDC
GetDesktopWindow
GetDlgCtrlID
GetDlgItem
GetDlgItemTextA
GetDoubleClickTime
GetFocus
GetForegroundWindow
GetIconInfo
GetKeyState
GetLastActivePopup
GetMenu
GetMenuItemCount
GetMenuItemID
GetMenuItemInfoA
GetMessageA
GetMessagePos
GetParent
GetScrollPos
GetSubMenu
GetSysColor
GetSysColorBrush
GetSystemMenu
GetSystemMetrics
GetTopWindow
GetWindow
GetWindowLongA
GetWindowPlacement
GetWindowRect
GetWindowTextA
GetWindowTextLengthA
InSendMessage
InsertMenuA
InsertMenuItemA
IntersectRect
InvalidateRect
InvalidateRgn
IsChild
IsDialogMessageA
IsDlgButtonChecked
IsWindow
IsWindowEnabled
IsWindowVisible
KillTimer
LoadAcceleratorsA
LoadBitmapA
LoadCursorA
LoadIconA
LoadImageA
LoadMenuA
LoadStringA
LoadStringW
MapWindowPoints
MessageBeep
MessageBoxA
ModifyMenuA
MoveWindow
MsgWaitForMultipleObjects
OffsetRect
OpenClipboard
PeekMessageA
PostMessageA
PostThreadMessageA
PtInRect
RedrawWindow
RegisterClassA
RegisterClassExA
RegisterWindowMessageA
ReleaseCapture
ReleaseDC
RemoveMenu
SendDlgItemMessageA
SendMessageA
SendMessageTimeoutA
SetCapture
SetClipboardData
SetCursor
SetCursorPos
SetDlgItemTextA
SetFocus
SetForegroundWindow
SetMenuItemInfoA
SetParent
SetRect
SetTimer
SetWindowLongA
SetWindowPlacement
SetWindowPos
SetWindowRgn
SetWindowTextA
ShowWindow
SystemParametersInfoA
TrackPopupMenu
TrackPopupMenuEx
TranslateAcceleratorA
TranslateMessage
UnionRect
UpdateWindow
WinHelpA
wsprintfA
USER32.dll
PlaySoundA
mixerClose
mixerGetControlDetailsA
mixerGetDevCapsA
mixerGetID
mixerGetLineControlsA
mixerGetLineInfoA
mixerGetNumDevs
mixerOpen
mixerSetControlDetails
mmioAscend
mmioClose
mmioDescend
mmioOpenA
mmioRead
mmioSeek
waveInAddBuffer
waveInClose
waveInGetDevCapsA
waveInGetNumDevs
waveInOpen
waveInPrepareHeader
waveInReset
waveInStart
waveInUnprepareHeader
waveOutClose
waveOutGetDevCapsA
waveOutGetNumDevs
waveOutOpen
waveOutPrepareHeader
waveOutReset
waveOutUnprepareHeader
waveOutWrite
winmm.dll
WSOCK32.dll
CreateToolbarEx
ImageList_AddMasked
ImageList_Create
ImageList_Destroy
ImageList_DrawEx
ImageList_ReplaceIcon
InitCommonControlsEx
PropertySheetA
COMCTL32.dll
CLSIDFromProgID
CLSIDFromString
CoCreateInstance
CoInitializeEx
CoRegisterClassObject
CoRegisterMessageFilter
CoRevokeClassObject
CoTaskMemAlloc
CoTaskMemFree
CoTaskMemRealloc
CoUninitialize
CreateOleAdviseHolder
CreateStreamOnHGlobal
IsAccelerator
OleInitialize
OleLockRunning
OleRegEnumVerbs
OleRegGetMiscStatus
OleRegGetUserType
OleSaveToStream
OleUninitialize
StringFromCLSID
WriteClassStm
ole32.dll
OLEAUT32.dll
StrChrA
StrCmpNIA
SHLWAPI.dll
SHGetFileInfoA
SHGetMalloc
SHGetPathFromIDListA
SHGetSpecialFolderLocation
ShellExecuteA
Shell_NotifyIconA
SHELL32.dll
CertCloseStore
CertCreateCertificateContext
CertEnumCertificatesInStore
CertFindCertificateInStore
CertFreeCertificateContext
CertGetIssuerCertificateFromStore
CertGetSubjectCertificateFromStore
CertNameToStrA
CertOpenStore
CertOpenSystemStoreA
crypt32.dll
Netbios
netapi32.dll
sqmapi.dll
SqmAddToAverage
SqmAddToStream
SqmAddToStreamDWord
SqmAddToStreamString
SqmAddToStreamV
SqmCleanup
SqmClearFlags
SqmCreateNewId
SqmEndSession
SqmFlushSession
SqmGetEnabled
SqmGetFlags
SqmGetMachineId
SqmGetSession
SqmGetSessionStartTime
SqmGetUserId
SqmIncrement
SqmIsWindowsOptedIn
SqmReadSharedMachineId
SqmReadSharedUserId
SqmSet
SqmSetAppId
SqmSetAppVersion
SqmSetBits
SqmSetBool
SqmSetCurrentTimeAsUploadTime
SqmSetEnabled
SqmSetFlags
SqmSetIfMax
SqmSetIfMin
SqmSetMachineId
SqmSetString
SqmSetUserId
SqmStartSession
SqmStartUpload
SqmSysprepGeneralize
SqmSysprepSpecialize
SqmTimerAccumulate
SqmTimerAddToAverage
SqmTimerRecord
SqmTimerStart
SqmUnattendedSetup
SqmWaitForUploadComplete
SqmWriteSharedMachineId
SqmWriteSharedUserId
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
<dependency>
<dependentAssembly>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
</dependentAssembly>
</dependency>
</assembly>

I've posted this in case it is of use to anyone. The runtime error strings show it was built with Microsoft Visual C++ and links the Visual C++ Runtime Library. The locale tables show multiple-language capability. The import names show it uses Windows' built-in functionality (registry, service control, crypto, and GUI APIs) rather than anything exotic.

————————————

$ cat IconCache.db | wc
10652 1930896

cat IconCache.db



————————————

$ cat fusioncache.dat
[Fusion]
CacheLocation=C:\Documents and Settings\rodger\Local Settings\Application Data\assembly\dl2\CV0VCCXQ.7VR\1GOKZ7MV.JDJ

I looked for the directory that the file lists, but couldn't find it. It looks like a temporary installation directory.

————————————

C:\>cd C:\Documents and Settings\rodger\Local Settings\Application Data\assembly
The system cannot find the path specified.

$ file 66o44g3o5r78677gumnwu5t5by81l7l34xk27
66o44g3o5r78677gumnwu5t5by81l7l34xk27: shell archive or script for antique kernel text

————————————

$ strings 66o44g3o5r78677gumnwu5t5by81l7l34xk27

————————————

Delete the files:

With cygwin, try to delete all the files with one command.

rm lfs.exe gup.exe fwa.exe vdq.exe pfs.exe fyy.exe lsd.exe ije.exe weh.exe dgu.exe IconCache.db bep.exe jje.exe diy.exe bvg.exe  66o44g3o5r78677gumnwu5t5by81l7l34xk27

————————————

ls -lrt

-rwx------+  1 rodger         None   348160 Apr 23 10:40 xcv.exe
-rwx------+  1 rodger         None     8590 Apr 23 14:43 66o44g3o5r78677gumnwu5t5by81l7l34xk27

————————————

With Task Manager, Kill the Process, xcv.exe

————————————

With cygwin, delete the remaining files:

rm 66o44g3o5r78677gumnwu5t5by81l7l34xk27
rm xcv.exe

————————————

So, that's how I did it. Lots of analysis. Lots of thinking. Knowing what cygwin and Windows commands can do. Playing trial and error with your mouse isn't going to cut it; in fact, it might make things worse.


One Response to Overcoming The Malware “XP Internet Security”

  1. rodgersnotes says:

    As a follow-up, this link has some good information:

    http://www.prevx.com/filenames/2670195530137463485-X1/XCV.EXE.html

    File Behavior

    XCV.EXE has been seen to perform the following behavior:
    The Process is packed and/or encrypted using a software packing process
    The Process is polymorphic and can change its structure
    Writes to another Process’s Virtual Memory (Process Hijacking)
    Can communicate with other computer systems using HTTP protocols
    Executes a Process
    This process creates other processes on disk
    Injects code into other processes
    Performs DNS look ups to resolve URL IP addresses

    XCV.EXE has been the subject of the following behavior:
    Added as a Registry auto start to load Program on Boot up
    Executed from Temporary Folders
    Created as a process on disk
    Executed as a Process
    Has code inserted into its Virtual Memory space by other programs

    Associated Malware Groups

    The unsafe files using this name are associated with the malware groups:
    Worm
    Virus
