Faberc blog website

 Sunday, December 23, 2007

Last week I was infected by a worm via a USB pen (UFO.EXE).

This is a variant of many similar backdoors/worms; these instructions
can be useful for understanding how such attacks work.

These are the steps I took to remove the worm and the related malware
loaded by that backdoor.

1) first of all: disconnect the infected PC from any network
and internet connection.

The malware downloads viruses and updates from internet sites
while you browse:
cn911.org, obutan.com, baidu8.com, 222.122.45.146,
eu.logon.worldofwarcraft.com, us.logon.worldofwarcraft.com
Try to block these sites with your firewall!


2) clean the USB pen

delete UFO.EXE (hidden file)
delete autorun.inf (hidden file that loads the ufo.exe worm)
These files are created by an infected PC any time you plug in a USB pen
or removable hard disk.
Afterwards you need to create a fake, empty autorun.inf file with the READ-ONLY attribute
to block the loading of ufo.exe from an infected PC.

3) removal actions

- Run the "process explorer" of Mark Russinovich (www.sysinternals.com)
and kill the svchost process at root level (it is the process that creates
the UFO.EXE/AUTORUN.INF files any time you insert a removable disk)

- with regedit remove just the string ",C:\WINDOWS\system32\secpol.exe"
from the Userinit value under the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
which currently reads:
C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\secpol.exe,
and needs to be (don't remove the userinit.exe!):
C:\WINDOWS\system32\userinit.exe

- delete the secpol.exe file from C:\WINDOWS\system32

- with regedit remove the fsmgmt key from
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

- delete the fsmgmt.dll file from c:\windows\system32
Note: the product name in its file properties shows: "Microsoft® Windows® Operating System"

- delete all files from the locations ("Impostazioni locali" is the Italian name of "Local Settings"):
C:\Documents and Settings\<user>\Impostazioni locali\Temporary Internet Files
and
C:\Documents and Settings\<user>\Impostazioni locali\Temp
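The checks in step 3 can be scripted so the same persistence points are audited again after a reboot. The script below is an added example, not part of the original post: it reads the Winlogon Userinit value and the Notify subkeys, looks for the two dropped files, flags svchost.exe instances whose parent is not services.exe (genuine svchost.exe processes are always started by services.exe, which is why the worm's copy shows up "at root level" in Process Explorer), and creates the read-only autorun.inf placeholder from step 2. It assumes an elevated PowerShell prompt (PowerShell 2.0 or later, hence Get-WmiObject rather than Get-CimInstance); the drive letter E: is a placeholder. It only reports the registry findings and prints the repair command rather than changing the registry itself.

```powershell
# Added example (not from the original post): audit the persistence points the post describes.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$system32 = Join-Path $env:SystemRoot 'system32'

# 1) Userinit must contain only the real userinit.exe (the worm appends secpol.exe).
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
$entries  = $userinit -split ',' | Where-Object { $_.Trim() -ne '' }
$extra    = $entries | Where-Object { $_.Trim() -notlike '*\userinit.exe' }
if ($extra) {
    Write-Warning "Unexpected Userinit entries: $($extra -join ', ')"
    # Keep userinit.exe, drop everything else; print the repair command instead of running it.
    $clean = ($entries | Where-Object { $_.Trim() -like '*\userinit.exe' }) -join ','
    Write-Host "Repair with: Set-ItemProperty -Path '$winlogon' -Name Userinit -Value '$clean,'"
} else {
    Write-Host "Userinit OK: $userinit"
}

# 2) Every Winlogon\Notify subkey loads a DLL at logon, so list them all and flag fsmgmt.
Get-ChildItem -Path "$winlogon\Notify" -ErrorAction SilentlyContinue | ForEach-Object {
    $dll  = (Get-ItemProperty -Path $_.PSPath -Name DllName -ErrorAction SilentlyContinue).DllName
    $flag = if ($_.PSChildName -eq 'fsmgmt') { ' <-- named in the post' } else { '' }
    Write-Host ("Notify\{0} -> {1}{2}" -f $_.PSChildName, $dll, $flag)
}

# 3) Dropped files named in the post.
foreach ($name in 'secpol.exe', 'fsmgmt.dll') {
    $path = Join-Path $system32 $name
    if (Test-Path $path) { Write-Warning "Found $path (remove it after confirming it is the worm's copy)" }
}

# 4) svchost.exe whose parent is not services.exe is the 'root level' process the post kills.
$procs = Get-WmiObject -Class Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
$procs | Where-Object { $_.Name -ieq 'svchost.exe' } | ForEach-Object {
    $parent = $byPid[[int]$_.ParentProcessId]
    if (-not $parent -or $parent.Name -ine 'services.exe') {
        $parentName = if ($parent) { $parent.Name } else { 'none' }
        Write-Warning ("Suspicious svchost.exe PID {0} (parent: {1}) path {2}" -f $_.ProcessId, $parentName, $_.ExecutablePath)
    }
}

# 5) Placeholder autorun.inf on the cleaned USB pen (step 2 of the post).
function Protect-RemovableDrive {
    param([Parameter(Mandatory=$true)][string]$DriveLetter)   # e.g. 'E:' (placeholder)
    $inf = Join-Path $DriveLetter 'autorun.inf'
    if (Test-Path $inf) { Remove-Item $inf -Force }           # the worm's copy is hidden; -Force reaches it
    New-Item -Path $inf -ItemType File -Force | Out-Null
    (Get-Item $inf).Attributes = [IO.FileAttributes]::ReadOnly
}
# Protect-RemovableDrive -DriveLetter 'E:'
```

The placeholder only blocks the worm's copy mechanism on an infected PC that honours the read-only attribute; it does not disable AutoRun on the PC itself, so the firewall and Process Explorer steps above still apply.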


That's all. I also removed some unknown users (S-1-5-21.....) from the security policies.

Credits : I'd like to sincerely thank the folks at Sysinternals

12/23/2007 7:09:48 PM (W. Europe Standard Time, UTC+01:00)
 Sunday, December 09, 2007

The TalkTogether screenshots are displayed via a Silverlight slide viewer application (a mix of XAML/JavaScript/Ajax).

12/9/2007 11:04:34 AM (W. Europe Standard Time, UTC+01:00)
 Sunday, October 28, 2007

A peer to peer voice/text chat.

http://TalkTogether.faberc.com
10/28/2007 7:43:38 PM (W. Europe Standard Time, UTC+01:00)
 Friday, August 17, 2007

A mix of technologies: XAML, WPF, ClickOnce, Web Service. You need to have the .NET Framework 3.5 installed.

http://www.livehome.faberc.com/

8/17/2007 11:12:57 AM (W. Europe Standard Time, UTC+01:00)
 Friday, March 10, 2006

Application architects often struggle with two important but competing goals. They want to write a Windows-based rich client application that runs on the desktop because that provides the best stateful, interactive experience for the user.
However, they also want to minimize the effort required to deploy and update their apps—a goal best accomplished using a thin client model. Users care about applications that are easy to use and that will not interfere with other apps on their machine.

ClickOnce, part of version 2.0 of the .NET Framework, allows you to deploy Windows-based rich client apps to a desktop by placing the application files on a Web or file server accessible to the client and providing the user with a link.

Take a tour here: http://www.clickoncetoggle.faberc.com

3/10/2006 6:12:30 PM (W. Europe Standard Time, UTC+01:00)
 Saturday, March 04, 2006

Usually you move a window by dragging its caption bar. To move the window by dragging anywhere in the client area you need a bit of subclassing:

' inside your Form class
Private Const WM_NCHITTEST As Integer = &H84
Private Const WM_ACTIVATEAPP As Integer = &H1C
Private Const HTCAPTION As Integer = 2
Private Const HTCLIENT As Integer = 1

Protected Overrides Sub WndProc(ByRef m As Message)
  ' let the base form process this message
  MyBase.WndProc(m)

  Select Case m.Msg
       Case WM_NCHITTEST
            ' if the hit is on the client area, make Windows believe it's on the caption
            If m.Result.ToInt32() = HTCLIENT Then
              ' the only way to assign an IntPtr
              m.Result = New IntPtr(HTCAPTION)
            End If
  End Select
End Sub

3/4/2006 3:05:42 PM (W. Europe Standard Time, UTC+01:00)
 Saturday, February 18, 2006

We can embed a resource, such as a txt file, by setting the property Build Action=Embedded Resource.

To programmatically access a text file called foo.txt from inside an assembly whose default namespace is WindowApplication1, write this code:

Imports System.IO
Imports System.Reflection

Dim resFile As String = "WindowApplication1.foo.txt"
' Get a reference to the current assembly
Dim asm As Assembly = Assembly.GetExecutingAssembly()
' Returns Nothing if the name doesn't match (the resource name is case sensitive)
Dim str As Stream = asm.GetManifestResourceStream(resFile)
Dim reader As New StreamReader(str)
Dim txt As String = reader.ReadToEnd()
reader.Close()

For a bitmap, sample.bmp, the code should be:

Imports System.IO
Imports System.Drawing
Imports System.Reflection

Dim resFile As String = "WindowApplication1.sample.bmp"
' Get a reference to the current assembly
Dim asm As Assembly = Assembly.GetExecutingAssembly()
Dim str As Stream = asm.GetManifestResourceStream(resFile)
' keep the stream open for the lifetime of the Bitmap
Dim bmp As New Bitmap(str)

2/18/2006 6:27:06 PM (W. Europe Standard Time, UTC+01:00)
 Tuesday, January 03, 2006

Explicitly setting the main procedure that starts up the application gives you two important features:
- enabling the XP visual styles
- setting single handlers for any uncaught exception, without (or before) aborting the application
  (these can also be defined in the Form.Load event of the main form)

This is an example:

Imports System.Threading
Imports System.Windows.Forms

Module MainModule
  <STAThread()> _
  Sub Main()
      Application.EnableVisualStyles() ' the controls need to be set with FlatStyle=System
      Application.DoEvents()

      ' install the global event handlers for uncaught exceptions
      ' (register them before any form is created)
      AddHandler Application.ThreadException, AddressOf CallbackApplicationErrProc
      AddHandler AppDomain.CurrentDomain.UnhandledException, AddressOf CallbackAppDomainErrProc

      Application.Run(New Form1)
  End Sub

  ' exceptions thrown on the UI thread (Windows Forms message loop)
  Sub CallbackApplicationErrProc(ByVal sender As Object, ByVal e As ThreadExceptionEventArgs)
      Dim ex As Exception = e.Exception
      ' log the error and show a user-friendly msgbox, or
      ' use Application.Exit to quit!
  End Sub

  ' exceptions thrown on any other thread (the process terminates after this handler returns)
  Sub CallbackAppDomainErrProc(ByVal sender As Object, ByVal e As UnhandledExceptionEventArgs)
      Dim ex As Exception = TryCast(e.ExceptionObject, Exception)
      ' log the error and show a user-friendly msgbox, or
      ' use Application.Exit to quit!
  End Sub

End Module

Useful link: http://blogs.msdn.com/winformsue/archive/2006/02/08/527941.aspx

1/3/2006 12:25:00 PM (W. Europe Standard Time, UTC+01:00)