"ABI Network - Aurora" Virus Removal

07-26-05
Recently, one of my machines started popping up ads whenever I was using Google. Since I know that Google NEVER does this, I knew that the machine had a virus.

Some people may complain that virus is too strong a term for this parasite, but, as explained below, this is one of the worst parasites I've seen so far.

This is definitely a virus.

No legitimate company would ever go to such extremes to make sure that infected computers can not be cleaned.

Damage to My System | Related Spam Sites | Relevant Registry Entries
Corporation ID | Uninstall | Cookies | Notes | References


Damage to My System

The infected system is running Windows XP Pro SP1 and TeaTimer (supposed to protect the registry ... not this time). The filename changes every few minutes - there are about 250 different names - a few are listed here so that Google searches will find this page. Not only is the filename different, but the date and time are also different. Of course, the primary damage is caused by the popup ads that make using the computer very frustrating. In addition, the continuous registry modifications cause my registry modification protection software (TeaTimer) to pop up every few minutes, significantly increasing user frustration.

In addition, the continuous registry modifications cause the registry to continuously grow (a known Windows design defect). As a result, the entire computer gets slower - Let me be clear, this virus causes every program on YOUR system to run slower.

Of course, unless you search the internet for the correct terms, there is no way to know how to uninstall this crap. (I eventually figured it out)


Related Spam Sites

These sites are associated with this parasite - there are many more. I have listed these so that everyone will know.


Relevant Registry Entries

There are several sets of registry entries.


Corporation ID

ABI Network


Uninstall

You won't believe this: to remove this crap, ... I don't think so. Come on, how about simple instructions that I can do without trusting them?

Of course, I tried deleting the file, renaming the file, removing the registry entry, booting to Windows Safe mode. None of these methods work.

This is from their web site

Several forums have discussed this problem - basically, the fix does not work ... but it does slow down your machine (at least, that's what others say).

To repeat, I really don't trust criminals like this to uninstall their own virus.


Uninstall 2

This solves the problem.

When booting to safe mode, this registry key is processed - nail.exe carries the payload.

On a working system, the solution is to create a text file and name it nail.exe. Then copy that file to C:\WINDOWS. (If you simply delete nail.exe, it is immediately re-created.)

An alternate approach is to open nail.exe in notepad, select all, delete everything, and save the zero byte file ... overwriting the original. (Actually, I'm surprised that this works.)

Then boot into safe mode and the virus will not run.

Now you can kill the rest of the virus.

Normally, I "disable" executables called via the registry by modifying the registry so that the files can not be found - I almost never simply delete the registry keys. For instance, search the registry for the exe (or dll) name and change it to something like Then Windows won't be able to find it, and you'll have a record of the change.

If you reboot the system without disabling all 4 executables (including nail.exe), then the virus will reinstall itself, and you have to start over.
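As an added example (not code from the original page), a small Python script that audits a `reg export` of an autorun key for the executables this page attributes to Aurora and rewrites each suspect command the way the author disables them, renaming the exe inside the value so Windows cannot find it while the value itself remains as a record. The .reg text, the file paths and the `disabled_` tag are constructed assumptions.

```python
"""Audit a .reg export for Aurora/ABI autorun entries and produce neutralized values."""
import re

# Executables this page attributes to the Aurora / ABI Network parasite.
SUSPECT_EXES = {"nail.exe", "dllvoasrs.exe", "buddy.exe", "dsr.exe", "dinst.exe", "svcproc.exe"}

# Constructed sample of what `reg export` of a Run key might look like on the
# infected box. Paths are illustrative, not taken from a real system.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TeaTimer"="\"C:\\Program Files\\Spybot\\TeaTimer.exe\""
"nail"="C:\\WINDOWS\\nail.exe -update"
"dsr"="C:\\WINDOWS\\dsr.exe"
'''

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def parse_reg(text):
    """Return (key, value_name, command) for every string value in a .reg export."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            # .reg escapes backslashes and quotes; undo that in this order.
            data = m["data"].replace("\\\\", "\\").replace('\\"', '"')
            entries.append((key, m["name"], data))
    return entries

def exe_name(command):
    """Lower-case basename of the program in a command line (quoted or bare path)."""
    token = command.strip()
    token = token[1:token.find('"', 1)] if token.startswith('"') else token.split()[0]
    return token.rsplit("\\", 1)[-1].lower()

def find_suspects(entries):
    """Keep only values whose program is one of the page's suspect executables."""
    return [e for e in entries if exe_name(e[2]) in SUSPECT_EXES]

def neutralize(command, tag="disabled_"):
    """Author's technique: rename the exe inside the value so Windows can't find it."""
    name = exe_name(command)
    return re.sub(re.escape(name), tag + name, command, count=1, flags=re.IGNORECASE)

def audit(reg_text):
    """Map each suspect value name to the neutralized command that should replace it."""
    return {name: neutralize(cmd) for _, name, cmd in find_suspects(parse_reg(reg_text))}

if __name__ == "__main__":
    for name, cmd in audit(SAMPLE_REG).items():
        print(f"{name}: {cmd}")
```

Run it against a real export (`reg export "HKLM\...\Run" run.reg`) by reading the file into `audit`; the script only reports what to change and never writes to the registry.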


Problem Debug

I can reverse engineer most parasites well enough to get rid of them. However, because of the stealth techniques used, those methods did not work.

I could not have solved this problem without a few hints received from the internet. However, a significant amount of data was also wrong.

Actually, it appears that there was only one single source for the technical details, and that those details were copied many places (mostly in various forums and one *.bat file). I base this statement on the fact that certain errors are present in all the instances - specifically, the instructions suggest deleting 3 files that appear to be created by Microsoft. It is possible that this is intentional misinformation to make your system more vulnerable to future attacks.

The main hints that finally nailed this were that these files were involved (the comments are mine)

There were many additional files listed, but most of those were not on my system. I assume that this is because different variants use different files - that is one of the ways that the scum lords make it difficult to remove their crap.

Searching the registry for Aurora found an important executable (dllvoasrs.exe) and other information.

This string is from dllvoasrs.exe (MIDL is a Microsoft C compiler)

The original name of dllvoasrs.exe (the main Aurora exe file) is buddy.exe
If you search, you will find additional references to this.

Directories with traces of this virus can be found by searching your hard drive for

One reference said

Well, that actually worked. It allowed me to determine how this virus ran in safe mode.

In fact, that became a major part of the debug technique

In general, deleting any one problem file had no effect - it just came right back. The final trick was to get into safe mode with nail.exe disabled and then delete all the bad files. After that, no more problem.


Related Programs

I can not prove that these files are part of the Aurora parasite, but I found them while debugging. They are not on a clean machine ... so they came from somewhere.


dsr.dll

This is located inside the exe


dsr.exe

This is located inside the exe.

This program is suspicious because

Additional checking found these - the data is actually based on Ad-Aware SE Build 1.06r1 traces.


dinst.exe

C:\WINDOWS\dinst.exe 00F1D395-4744-40F0-A611-980F61AE2C59 Browser Helper Object


svcproc.exe

http://www.liutilities.com/products/wintaskspro/processlibrary/svcproc/
svcproc.exe is a hijacker which means it will intermittently change your Internet Explorer settings / Desktop to the link of its author's sponsors.


Multimpp

I searched the registry for 4FB2E350-70A2-40FB-B9C4-EC7F5B997707 - found in the Aurora key. The search found which looks very similar to the aurora key - same structure, different names. Searching the hard drive for Multimpp.* found 58 files. This machine has obviously had related problems.

These are also related


Cookies

I mentioned above that the program reads all kinds of information from the registry.

Research (using FileMon) indicates that this data is encrypted and written to several cookies (even if cookies are turned off - this is possible because IE is not writing the cookie, the virus is).

It appears that these cookies (yes, it is plural) include information on which virus and spam protection programs are loaded on your machine.

If you then click one of their ads, then the cookie, with stolen information, is sent to the site.


Notes

I am still not able to determine how this crap got on my machine - the only clue is

The virus pops up several dialog boxes that look like they come from Microsoft. (In fact, Microsoft should sue them for it. It is very convincing.) Only the hidden icon gives it away - use alt-tab to see the virus icon (a circle with arcs on it).

Since WinFixer is provided by a known virus writer, it should be avoided at all costs. (Clicking either button or the x in the upper corner starts the download.)

This LOOKS like a cookie download warning - it is not. If you click ANY button, this parasite will try to download some program.

I apologize for repeating these warnings here (in a reduced font size) ... but the search engines don't index information inside html comment tags.

NOTICE: If your computer has errors in the registry database or file system, 
it could cause unpredictable or erratic behavior, freezes and crashes. 
Fixing these errors can increase your computer's performance and prevent data loss.

Would you like to install WinFixer 2005 to check your computer for free? (Recommended)

...

The Web site "www.tripreservations.com" has requested to save a
file on your computer called a "cookie." This file may be used to
track usage information. Do you want to allow this?


References


Author: Robert Clemenzi
URL: http:// mc-computing.com / Parasites / abi_virus.html