Parasites - RootKits
PurpleHaze - 85.195.93.243 infector

In March 2012, I was using MS Vista with an up-to-date Windows Defender, but no other antivirus programs.

We had missed a TV program from the previous day, so

After the boot was complete, we tried to go back and watch the program. Google appeared to work ok, but clicking the link returned a 404 not found error.

It took a few minutes to realize that some links were returning 404 errors and that others were being redirected to ad sites. When I manually entered the URLs in the browser's address bar, the sites displayed as expected. The only "obvious" problem was that the Google links were no longer working.

Using various tools (described below), I was able to determine that all requests to Google and all clicks on the search results were being sent to a site in Germany.

18 hours later, the virus was gone (thanks to TDSSKiller) and the system was working correctly. (Well, it's Windows .. so I just have to assume it was ok.)

Background | Initial Attempt | Agent Ransack | Windows Defender | TCPView | File Locking | TDSSKiller | Notes


Background

Like I said above, I wasn't doing anything unusual. Just a search and a click on the link to a trusted site. Even today, I don't know how this virus got on my system. It was running Vista 64 (which I don't suggest for anyone), an up-to-date Firefox browser, and an up-to-date Windows Defender. When using IE to browse the web, there are a lot of cache files stored in various places and these make it relatively easy to reverse engineer a virus attack. However, with (the super-cool, everyone loves it) Firefox, the downloaded files are placed in a proprietary database and, so far, I don't have the tools that allow me to do basic reverse engineering when problems like this occur. (There are lots of reasons I think Firefox sucks .. but that is not the focus of this page.)

At any rate, the automatic re-boot took an extremely long time. My initial analysis found that over 7,800 files were created during the reboot. It is possible that these were created by the Microsoft Search Indexer (a parasite with no way to turn it off). But there is no way to know for sure. I was surprised that many of the "files" actually listed the files in various sub-directories.

The system started producing a number of error boxes similar to the following

Since that was a new error, I tried to locate it on the hard drive - no such file. (It was also not found on Windows XP systems.)

Using Process Explorer, I noticed that one of the svchost.exe processes (there are several) kept starting and stopping .. and that it was running winrscmde. When I searched for a file named winrscmde, it also did not exist on the drive. This (fake) version of svchost.exe was being run by the Task Scheduler Engine associated with network access.

I looked in the Task Scheduler (via the Control Panel), but was not able to determine how this was scheduled.

However, there was another oddity - svchost.exe is normally located at

but this one was located at (This data can be seen just by placing the mouse cursor over the filename in ProcessExplorer.)

Not only that, when I looked (via Properties in Windows Explorer) its internal name was winrscmde.
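The two checks above (where is this svchost.exe running from, and what does its version resource call itself) can be done for every svchost.exe at once. The script below is an added example, not code from the original page; it uses only Get-Process and the .NET FileVersionInfo that Windows Explorer's Properties dialog reads, and the rule that a genuine svchost.exe reports OriginalFilename "svchost.exe" is an assumed heuristic. Run it from an elevated prompt, otherwise Path is empty for processes owned by other accounts.

```powershell
# Added example (not from the original page): automate the Process Explorer /
# Properties check.  Lists every running svchost.exe, flags any copy that is
# not running from %SystemRoot%\System32, and reads the version resource so
# an internal name such as "winrscmde" stands out.

function Get-SuspiciousSvchost {
    param(
        # Directory the genuine binary lives in.
        [string]$ExpectedDir = (Join-Path $env:SystemRoot 'System32')
    )
    Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
        $path = $_.Path
        $dirOk = $false; $internal = $null; $original = $null; $descr = $null
        if ($path) {
            $dirOk = ((Split-Path $path -Parent).TrimEnd('\') -eq $ExpectedDir.TrimEnd('\'))
            $vi = (Get-Item -LiteralPath $path).VersionInfo
            $internal = $vi.InternalName
            $original = $vi.OriginalFilename
            $descr    = $vi.FileDescription
        }
        # Heuristic (assumption): a real svchost.exe names itself svchost.exe in
        # its version resource.  A missing Path (access denied) is also flagged,
        # because that alone deserves a second look.
        $suspicious = (-not $path) -or (-not $dirOk) -or
                      ($original -and $original -ne 'svchost.exe') -or
                      ($internal -and $internal -notlike 'svchost*')
        New-Object PSObject -Property @{
            PID = $_.Id; Path = $path; InExpectedDir = $dirOk
            InternalName = $internal; OriginalFilename = $original
            Description = $descr; Suspicious = $suspicious
        }
    }
}

Get-SuspiciousSvchost | Sort-Object Suspicious -Descending |
    Format-Table PID, Suspicious, InExpectedDir, InternalName, Path -AutoSize
```

On the infected machine described here, the copy at c:\windows\svchost.exe would be flagged on both counts: wrong directory, and an internal name of winrscmde. The check only sees what the kernel is willing to show; a rootkit that filters process or file listings can hide from it, which is why the file-level checks below still mattered.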


Initial Attempt

Once I knew there was a problem, the first thing I tried was a System Restore (failed to fix it) followed by booting to Safe Mode (also had no effect). The rest of the troubleshooting occurred in Safe Mode with network access enabled.

When booting to Safe Mode (press F8 before the Windows logo is displayed), there was an option to restore the system to an earlier state. When I selected that, the following error was displayed

After another reboot, I got to Safe Mode and ran System Restore again .. it worked (completed), but it still did not fix the system.

After the problem was fixed (see below), booting to Safe Mode no longer provides the same menu options. Specifically, the system restore option is not available. I assume (but do not know) that the virus somehow changed the Safe Mode options.


Agent Ransack

When a virus attacks, I use Agent Ransack to determine what changed in the last few minutes. I use this tool quite a bit, and basically know what to expect. I did not expect to find over 7,800 new files. A review of the files found some interesting/questionable info, but no indication of what was causing the problem.

(I later discovered that Agent Ransack has a recursion problem with certain Vista directories. I consider this to be a Vista design problem and not a problem with a legacy program that functioned without failure on Windows XP.)

The newer versions of Agent Ransack allow you to limit searches by either date changed (the default) or the date created (available via the Date tab). (This is perhaps the best, if not only, reason to upgrade.) When I filtered the search by creation date, it located

Unfortunately, Agent Ransack did not provide any other useful information.


Windows Defender

I also reviewed the Event Logs via There was a yellow warning triangle for Windows Defender just before the virus initiated reboot. (The following is edited to just the essentials.)

So .. Windows Defender found

but allowed it to run anyway. Microsoft refers to this as (What an understatement!)

This was no trojan. I did not download and run some software. All I did was use a web browser. (Yes - I know that browsers download and run javascript programs, but that is not the definition of a trojan.) At any rate, Microsoft provides explicit details on the Win32/Alureon family of bad software (Alureon is Microsoft's name for the TDSS/TDL rootkit family, the family that TDSSKiller later identified on this machine under the name Pihar). I went through all the suggested changes - none of those applied to my system.


TCPView

Most modern malware tries to steal information off your system. Passwords. Credit cards. Whatever. As a result, I usually unplug the network connection while debugging the problem.

To debug this, I booted into Safe Mode (mainly so that all the other crap would not be running) and ran TCPView (by Sysinternals) to see what IP addresses the system was connecting to. I discovered that requests to Google were going to

an address in Germany.

At this point, I modified my router to permanently block that address. Now, none of the computers on the local network can get to that address.

On the router, under Setup / Advanced Routing, I set all accesses to 85.0.0.0 / 255.0.0.0 to redirect to one of my local machines. (The router would not let me redirect the accesses to the real Google server.) This completely blocked all access to the foreign server. It would have been smarter to block just 85.195.93.243 / 255.255.255.255: a /8 route covers about 16.7 million addresses belonging to many unrelated networks, so the wider rule also cut off any legitimate site that happens to sit in 85.x.x.x. I was able to verify the block using ping.

Attempts to search Google for that IP address (on a separate machine) returned little information - lots of other people were having similar problems, but there were no solutions. One of the infected systems was running Ubuntu 12.04.
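The TCPView step and the block-list question above can be turned into a repeatable check. The script below is an added example, not code from the original page: it parses the text of "netstat -ano" (the command-line equivalent of TCPView on Vista) and reports every TCP connection whose remote IPv4 address falls inside a block list written in CIDR form, then runs the same constructed sample against the /32 rule and the /8 rule to show what the wider rule sweeps up. The sample netstat output is constructed, not a capture from the author's machine; 85.195.93.243 is the address from this page, and 85.10.20.30 and 203.0.113.7 are made-up hosts.

```powershell
# Added example (not from the original page): TCPView's "where is this going?"
# done in code, plus a CIDR matcher to compare block-list rules.

function ConvertTo-UInt32Address([string]$Address) {
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)                   # network order -> host order
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-AddressInCidr([string]$Address, [string]$Cidr) {
    $net, $bits = $Cidr -split '/'
    if (-not $bits) { $bits = 32 }             # bare address means /32
    $hostBits = 32 - [int]$bits
    # Mask built arithmetically so it also works on PowerShell 2 (no -shl).
    $mask = [uint32]([uint64]4294967296 - [uint64][Math]::Pow(2, $hostBits))
    $a = (ConvertTo-UInt32Address $Address) -band $mask
    $n = (ConvertTo-UInt32Address $net) -band $mask
    return ($a -eq $n)
}

function ConvertFrom-NetstatLine([string]$Line) {
    # Expected shape: "  TCP    10.0.0.5:49310    85.195.93.243:80    ESTABLISHED    1100"
    $f = $Line.Trim() -split '\s+'
    if ($f.Count -lt 5 -or $f[0] -ne 'TCP') { return $null }
    if ($f[2] -match '^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$') {      # IPv4 only
        return New-Object PSObject -Property @{
            Local = $f[1]; RemoteAddress = $Matches[1]; RemotePort = [int]$Matches[2]
            State = $f[3]; ProcessId = [int]$f[4]
        }
    }
    return $null
}

function Find-BlockedConnection([string]$NetstatText, [string[]]$BlockList) {
    foreach ($line in ($NetstatText -split "`r?`n")) {
        $c = ConvertFrom-NetstatLine $line
        if (-not $c) { continue }
        foreach ($rule in $BlockList) {
            if (Test-AddressInCidr $c.RemoteAddress $rule) {
                $c | Add-Member NoteProperty MatchedRule $rule -PassThru
                break
            }
        }
    }
}

# Constructed sample output (not a real capture).  On a live machine use:
#   $sample = netstat -ano | Out-String
$sample = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:49310         85.195.93.243:80       ESTABLISHED     1100
  TCP    10.0.0.5:49311         85.10.20.30:443        ESTABLISHED     2040
  TCP    10.0.0.5:49312         203.0.113.7:443        ESTABLISHED     2040
  TCP    [::1]:49313            [::1]:135              TIME_WAIT       0
  UDP    0.0.0.0:5355           *:*                                    888
'@

# The rule that should have gone on the router: only the redirect host.
Find-BlockedConnection $sample @('85.195.93.243/32') |
    Format-Table ProcessId, RemoteAddress, RemotePort, MatchedRule -AutoSize
# The rule that was actually used: also catches the unrelated 85.10.20.30.
Find-BlockedConnection $sample @('85.0.0.0/8') |
    Format-Table ProcessId, RemoteAddress, RemotePort, MatchedRule -AutoSize
```

The PID column is what ties a connection back to the process that made it; here it would have pointed at the fake svchost.exe. Blocking the address on the router stops the exfiltration path but does nothing about the infection itself, and malware of this kind often carries more than one server address, so the block is a stopgap while the real cleanup happens.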


File Locking

While debugging, I renamed to svchostxx.exe. It was almost immediately replaced. Since this is fairly typical of a virus, I looked further. I was able to determine that some program (I don't have notes on which program) was copying (which has a file description of winrscmde) to (I think I found this by using Process Monitor and searching for the program that was creating c:\windows\svchost.exe. However, it might have been found by using Agent Ransack to search for files that contained the string - winrscmde. I just don't remember which it was, and both methods should have found it.)

At this point, I replaced c:\windows\svchost.exe with a different program with its ReadOnly attribute set. The system was no longer able to replace the file, the replacement file was never executed, and the other problems did NOT go away.


TDSSKiller

Since I was not able to make any more progress, I downloaded and ran TDSSKiller - Kaspersky's free rootkit remover. It found Rootkit.Boot.Pihar.b - aka PurpleHaze. I selected the option to quarantine the files because that would allow me to see what was found. One of the related files was phdx - file size 22016 - which is exactly the same size as and The report indicated that the master boot record was replaced, and there were a number of other files that could not be seen using the Windows Explorer interface. In other words, using only the software provided by Windows Vista, none of the infected files could be seen or removed. Only through special software, such as TDSSKiller, was it possible to repair the system.

Since this virus had infected the Master Boot Record, this crap was loaded before Windows started. As a result, it had complete control of the system. That might also explain how an Ubuntu (Linux) system could become infected, since a boot-sector infection sits below whichever operating system is started afterwards. Note, though, that the Ubuntu report above only describes the same redirected traffic, which a tampered router or DNS setting would also produce without the Linux host itself being infected.
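What "the master boot record was replaced" means in concrete terms: the first 512-byte sector of the disk holds 446 bytes of bootstrap code, a four-entry partition table and the 0x55AA signature, and a bootkit overwrites the bootstrap code so that its own loader runs before Windows. The script below is an added example, not code from the original page or from TDSSKiller: it reads that sector (elevated prompt required), decodes the partition table, and compares a SHA-256 of the bootstrap area against a baseline you recorded from the same machine while it was known clean. The baseline variable is an assumed placeholder, not a real reference hash, and the sample sector is constructed inline.

```powershell
# Added example (not from the original page): decode an MBR and check its
# bootstrap code against a known-good hash.

function Read-MbrSector([string]$Device = '\\.\PhysicalDrive0') {
    # Raw device read; needs an elevated prompt.  Reads must be sector-sized.
    $fs = New-Object System.IO.FileStream($Device, [System.IO.FileMode]::Open,
              [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        $buf = New-Object byte[] 512
        [void]$fs.Read($buf, 0, 512)
        return ,$buf                           # keep the byte[] intact
    } finally { $fs.Close() }
}

function Get-BootCodeHash([byte[]]$Sector) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $hash = $sha.ComputeHash($Sector, 0, 446)  # bootstrap code only, not the partition table
    return ([BitConverter]::ToString($hash) -replace '-', '')
}

function Get-MbrLayout([byte[]]$Sector) {
    if ($Sector.Length -lt 512) { throw 'Need a full 512-byte sector' }
    $sig = [BitConverter]::ToUInt16($Sector, 510)      # bytes 0x55 0xAA read as 0xAA55
    $parts = for ($i = 0; $i -lt 4; $i++) {
        $o = 446 + 16 * $i                             # 16-byte partition entries
        if ($Sector[$o + 4] -eq 0) { continue }        # type 0 = empty slot
        New-Object PSObject -Property @{
            Index    = $i
            Active   = ($Sector[$o] -eq 0x80)
            Type     = ('0x{0:X2}' -f $Sector[$o + 4])
            StartLba = [BitConverter]::ToUInt32($Sector, $o + 8)
            Sectors  = [BitConverter]::ToUInt32($Sector, $o + 12)
        }
    }
    New-Object PSObject -Property @{
        SignatureOk    = ($sig -eq 0xAA55)
        BootCodeSha256 = Get-BootCodeHash $Sector
        Partitions     = @($parts)
    }
}

function Test-MbrBootCode([byte[]]$Sector, [string]$BaselineSha256) {
    return ((Get-BootCodeHash $Sector) -eq $BaselineSha256)   # -eq ignores hex case
}

# Constructed sample sector: zeroed boot code, one active NTFS (0x07) partition
# starting at LBA 2048 and spanning 204800 sectors, and a valid signature.
$sample = New-Object byte[] 512
$sample[446] = 0x80; $sample[450] = 0x07
[Array]::Copy([BitConverter]::GetBytes([uint32]2048),   0, $sample, 454, 4)
[Array]::Copy([BitConverter]::GetBytes([uint32]204800), 0, $sample, 458, 4)
$sample[510] = 0x55; $sample[511] = 0xAA

$layout = Get-MbrLayout $sample
$layout | Format-List SignatureOk, BootCodeSha256
$layout.Partitions | Format-Table Index, Active, Type, StartLba, Sectors -AutoSize

# On a real machine (elevated), against the hash you saved while clean:
#   $live = Read-MbrSector
#   Test-MbrBootCode $live $BaselineSha256FromCleanMachine   # placeholder name
```

Two caveats a practitioner would want. A bootkit that hooks the disk driver can hand a clean copy of the sector back to any read made from inside the running OS, which is exactly why TDSSKiller's finding was invisible to Windows Explorer; the trustworthy comparison is the one made from boot media, and the baseline should be taken the same way. And the partition table legitimately differs between machines, so only the bootstrap code is hashed here; a signature of 0x55AA and sane partition entries say nothing about whether the code in front of them is Microsoft's.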


Notes

I eventually determined that winpeshl.exe is the Windows PE shell launcher used while installing Windows and is (apparently) not used after that. The fact that this error was occurring indicated a serious problem.

When 404 errors were not returned, some of the clicks went to the following sites.

I assume that there would be others.

Yes, we changed all the passwords of everything. I hope we did it before any damage was done.

Remember - your systems are vulnerable. It does not matter if you are running virus protection or not. Knowledge and perseverance are your only protection.


Author: Robert Clemenzi
URL: http://mc-computing.com/Parasites/RootKits.html