Malware hunting

One of Gibbs' Windows XP machines is acting up. Again. Looks like he's got a case of malware but it seems to be a little hard to find.

OK, about now my editor is going to be wondering where on earth this column is. It should have been in his hot, sweaty hands hours ago, but as I was beginning to write about a couple of searching tools my Windows XP SP2 machine started acting up. Again.

You might remember a few months ago the problems I had with deferred procedure calls. These recently returned in a minor and transitory way that may be related to my current annoyance, which is that Microsoft's Internet Explorer 7 is acting weird.

Here's what IE is doing: After the system has been idle for some random time, IE 7 is launched but without a window. It appears to be loading some Flash content (I can hear looped music and Japanese or Chinese speech) and running a script. The reason I know there's a script involved is it eventually drives utilization to 100% then, after some time, I get the script-running-slowly-do-you-want-to-kill-it warning.

According to Process Explorer, IE is being launched by the svchost process (described by Microsoft as "a generic host process name for services that run from dynamic-link libraries"). What I found after messing around for some time is that it is next to impossible to determine how the svchost launch is being triggered and what IE is actually doing.

What IE appears to be doing is opening HTTP connections to servers identified only by their IP addresses. Googling one of these servers, 60.28.250.102 (which resolves to what appears to be a proxy server), produces only two hits and the pages appear to be in Hungarian (which I don't speak).

The other address, 61.152.242.218, resolves to a Chinese Web server, smarttrade.cn, which, on a cursory search, doesn't appear to be used by the bad guys. Google only produces four hits for the IP address, which are all in the public cache contents listings of three university HTTP cache servers.

I tried using Process Monitor to see what was going on. Process Monitor is another free tool from the Microsoft SysInternals stable, but it produces so much data that it's like looking for a needle in a haystack.

What I found is I appear to have a number of files lying around in the windows/system32 subdirectory that look like bits from various malware (files such as 0wiintemp.exe and 1wiintemp.exe), but much to my surprise, Lavasoft's AdAware doesn't seem to care about them.

So, I looked around and in the Process Manager task list discovered something called taskmagr.exe was running. Nope, that's not the Windows task manager (which is actually named taskmgr.exe). A little research revealed that this file is a fairly new worm.
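The two signals in the paragraphs above (a browser process started by svchost, and a process name that is one character off a real system binary) can be turned into a repeatable check. This is an added example, not code from the column or from Sysinternals; it runs over a constructed process listing rather than a live machine, and the record layout and pid values are assumptions.

```python
# Added example (not the column's code): triage a process list for the lookalike
# name (taskmagr.exe) and iexplore.exe-under-svchost.exe signals Gibbs describes.

KNOWN_BINARIES = {"taskmgr.exe", "svchost.exe", "services.exe", "lsass.exe",
                  "csrss.exe", "winlogon.exe", "explorer.exe", "iexplore.exe"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_names(procs, max_distance=1):
    """(seen_name, known_name) pairs for processes that are not a known binary
    but sit within max_distance edits of one."""
    hits = []
    for p in procs:
        name = p["name"].lower()
        if name in KNOWN_BINARIES:
            continue
        for known in sorted(KNOWN_BINARIES):
            if edit_distance(name, known) <= max_distance:
                hits.append((p["name"], known))
    return hits

def browser_spawned_by_svchost(procs):
    """pids of iexplore.exe whose parent is svchost.exe; a browser should be
    started from the user's shell, not from a service host."""
    by_pid = {p["pid"]: p for p in procs}
    return [p["pid"] for p in procs
            if p["name"].lower() == "iexplore.exe"
            and by_pid.get(p["ppid"], {}).get("name", "").lower() == "svchost.exe"]

# Constructed sample listing (pid/ppid values are made up).
SAMPLE = [
    {"pid": 900,  "ppid": 620,  "name": "svchost.exe"},
    {"pid": 1500, "ppid": 1200, "name": "explorer.exe"},
    {"pid": 1800, "ppid": 1500, "name": "taskmgr.exe"},   # the real one
    {"pid": 2100, "ppid": 900,  "name": "taskmagr.exe"},  # lookalike
    {"pid": 2300, "ppid": 900,  "name": "iexplore.exe"},  # parent is svchost
    {"pid": 2400, "ppid": 1500, "name": "iexplore.exe"},  # parent is explorer
]
if __name__ == "__main__":
    print(lookalike_names(SAMPLE))             # [('taskmagr.exe', 'taskmgr.exe')]
    print(browser_spawned_by_svchost(SAMPLE))  # [2300]
```

On a real machine the SAMPLE list would be built from Process Explorer or tasklist output; the path of any flagged binary is the next thing to check.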

According to the security company Prevx, this malware was first seen on Nov. 23 this year; it is polymorphic and registers a Dynamic Link Library file that is executed as a process in a new background service. It also has a whole slew of aliases and sizes (which you'd expect with it being polymorphic and all). In short, it appears to be very sneaky.

Why didn't my antivirus software detect it? Because somehow it had been disabled (I won't lie, I might have turned it off when I was doing some testing). So, I tried AVG Anti-Spyware and Prevx's CSI.

AVG concluded, incorrectly, that I had one case of generic adware (Advanced Systems Concepts' ActiveBatch is not adware) along with 184 tracking cookies (which are not, as such, adware at all).

Prevx CSI, which Prevx claims on its Web site is capable of scanning an entire system in "around 1 minute," found no problems in the 9,517 files it scanned in 15 minutes and 41 seconds.

So, now I have a complete mystery. Friends advise me to just wipe the offending system and reinstall, but I want to find out what's going on. Suggestions?

Copyright © 2008 IDG Communications, Inc.