Actually, I am not sure how many parasites I removed ... it is possible that the information presented below applies to several ... all allowed on a "protected" system.
Symptoms
The previous week, the system would not let you type a URL in the IE address field ... while typing, a different window would move to the top and whatever you had typed would be gone when you returned. I tried the standard System Restore, but that failed. That's right, after the reboot it said that the restore failed.
I wanted to fix the system, but was told that it was against policy to load software (I use ProcessExplorer, RegMon, and AgentRansack) and that the local IT department would repair the system.
During the week, the IT people came, updated Symantec antivirus, and added AVR ... that appeared to have fixed the problem.
Today, I was asked to see why it was still broken. After a boot, the computer was working normally. However, after a Google search, the system would automatically search for the same terms using one of several other search engines.
I know that Symantec was still running because every few minutes it would pop up and say that it had found some new virus in System Volume Information - the area where the system restore points are stored.
There was no way to determine if Symantec was broken by the IT department or the virus, but either way, it produced errors when shutting down the system.
Debug
A Google search found no hits for the CLSID in these RegMon entries:

explorer.exe:3592 SetValue HKCR\CLSID\{50ce3d24-5c4c-4ab2-80a0-02d3989c0225}\InProcServer32\(Default) "C:\WINDOWS\Installer\{50ce3d24-5c4c-4ab2-80a0-02d3989c0225}\zip.dll"
explorer.exe:3592 CreateKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
explorer.exe:3592 SetValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\zip "{50ce3d24-5c4c-4ab2-80a0-02d3989c0225}"
Using ProcessExplorer, I observed that two copies of explorer.exe were running:

Property | Windows OS | Virus
---|---|---
Location | C:\WINDOWS\explorer.exe | C:\WINDOWS\system32\explorer.exe
Description | Windows Explorer | rt yi46 hgjgjhrt jghr
Company | Microsoft Corporation | rty iyr jhnfh t6uy 4tynbfgh
File Size | 0.98 MB | 36 KB
Text in File | | http://www.carordriver.com/080213b/cpccpmqian.asp (this URL in China is associated with other viruses)
Every time cpccpmqian.asp is called, it returns another entry from a database. Apparently, the local program then fakes a click on an advertisement to generate revenue. Occasionally, a search page is displayed - presumably, these are due to errors in the database or because the URL is no longer available.
After opening (double clicking) a *.log file, I caught this running:

"jyturtnhy.exe" C:\LGSInst.Log
I also found a couple of *.exe files that displayed a folder icon ... that's right, if you tried to "open" the folder, it would actually run the virus.
Domain name: carordriver.com
Registrant Contact: Sun Kang (admin@eisraeltravel.com)
Phone: +1.6464697186
Address: 800 N Union St. Apt 801, Bloomington, IN 47408 US
It is a bit weird that (646) is a New York city area code ... perhaps a cell phone. The address is student housing (Campus View Apartments) at Indiana University.
This person is associated with several advertising schemes. However, it appears that he is not the source of the virus, but actually a victim. Apparently, one purpose of the virus is to generate "click through" advertising revenue.
On the other hand, that means that he knows (is sending checks to) the virus writer.
carordriver.com resolves to 124.133.18.151 which appears to be in China.
C:\WINDOWS\setupapi.log

These are examples of relevant entries:

[2008/02/04 14:00:59 3272.1]
#-198 Command line processed: c:\64d0245d6c3de1db7b180ceea6\wusetup.exe /q /wuforce
#E099 Writing of "C:\WINDOWS\INF\wuau.adm" to "C:\WINDOWS\INF" can cause problems.
[2008/02/12 14:06:31 844.1]
#-198 Command line processed: c:\a96b3689cdcd91f73bd7\wusetup.exe /q /wuforce
#E099 Writing of "C:\WINDOWS\INF\wuau.adm" to "C:\WINDOWS\INF" can cause problems.

wusetup.exe is a trojan installer that adds machines to a botnet. The criminals then use the botnet for anything they want ... basically, they have stolen your machine, your data, your internet access.
Based on many entries like these, this system has been infected repeatedly since 2005.
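To rebuild the timeline described above from setupapi.log, here is an added example (not code from the original page) that pairs each `[date time pid.n]` header with the `#-198 Command line processed:` entry that follows it and keeps the runs of a chosen executable. The 2008 lines in the sample are the ones quoted above; the 2005 entry and the benign rundll32 entry are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in setupapi.log's layout. The two 2008 entries are the
# ones quoted from the log above; the 2005 and rundll32 entries are made up.
SAMPLE_LOG = r"""[2005/11/08 09:12:44 1532.1]
#-198 Command line processed: c:\9f2a0c4e1b7d3a5f6e8c0b1d\wusetup.exe /q /wuforce
#E099 Writing of "C:\WINDOWS\INF\wuau.adm" to "C:\WINDOWS\INF" can cause problems.
[2006/03/01 17:40:02 2208.1]
#-198 Command line processed: C:\WINDOWS\system32\rundll32.exe setupapi,InstallHinfSection
[2008/02/04 14:00:59 3272.1]
#-198 Command line processed: c:\64d0245d6c3de1db7b180ceea6\wusetup.exe /q /wuforce
#E099 Writing of "C:\WINDOWS\INF\wuau.adm" to "C:\WINDOWS\INF" can cause problems.
[2008/02/12 14:06:31 844.1]
#-198 Command line processed: c:\a96b3689cdcd91f73bd7\wusetup.exe /q /wuforce
"""

# Header line: [YYYY/MM/DD HH:MM:SS pid.instance]
HEADER = re.compile(r"^\[(\d{4})/(\d{2})/(\d{2}) (\d{2}:\d{2}:\d{2}) [\d.]+\]$")
CMDLINE = re.compile(r"^#-198 Command line processed: (.+)$")


def installer_runs(log_text, exe_name="wusetup.exe"):
    """Return (date, time, path) for every command-line entry whose program is exe_name."""
    stamp = None
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        h = HEADER.match(line)
        if h:
            # Remember the timestamp; the entry lines that follow belong to it.
            stamp = ("%s-%s-%s" % (h.group(1), h.group(2), h.group(3)), h.group(4))
            continue
        c = CMDLINE.match(line)
        if c and stamp:
            # First token is the program path (paths here contain no spaces).
            path = c.group(1).split()[0]
            if path.rsplit("\\", 1)[-1].lower() == exe_name.lower():
                hits.append((stamp[0], stamp[1], path))
    return hits


def runs_per_year(log_text, exe_name="wusetup.exe"):
    """Count matching runs by year, which is how 'infected since 2005' is read off."""
    return dict(Counter(date[:4] for date, _, _ in installer_runs(log_text, exe_name)))


if __name__ == "__main__":
    for date, time, path in installer_runs(SAMPLE_LOG):
        print(date, time, path)
    print(runs_per_year(SAMPLE_LOG))
```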
This page indicates that, as of 03-12-2006, most antivirus programs did not flag this problem.
Relevant Registry Entries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"74b319c7" = "rundll32.exe \"C:\\WINDOWS\\system32\\wlrqxpmf.dll\",b"
"IESet" = "IExplorer.dll .dbt"
jyturtnhy.exe is one of the exe files that had a folder icon.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ShellNoRoam\MUICache
C:\WINDOWS\jyturtnhy.exe = rt 67ikhmnhfg h
The following entry causes browsing/editing all text type files - txt log ini bat reg - to reinstall the virus.

HKEY_CLASSES_ROOT\txtfile\shell\open\command
@ = "jyturtnhy.exe %1"
This is how it should look (i.e., how it looked after I fixed it):

HKEY_CLASSES_ROOT\txtfile\shell\open\command
@ = "notepad.exe %1"
These entries show how the virus gets even deeper into the system:

HKEY_CLASSES_ROOT\Applications\jyturtnhy.exe\shell\open\command
@ = "jyturtnhy.exe %1"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.log\OpenWithList
"a" = "jyturtnhy.exe"
"MRUList" = "a"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.log\OpenWithProgids
"txtfile" = hex(0):
The *.dbt extension was added by the virus ... the references suggest that this file is used to store keylogs and other stolen data.
HKEY_CLASSES_ROOT\DBTFILE\shell\open\command
@ = "jyturtnhy.exe"
However, using the key above, the following key (and the identical HKLM key above) will automatically reinstall the virus every time the system boots. This works because Windows will automatically call the key above when the system tries to open the *.dbt file.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"IESet" = "IExplorer.dll .dbt"
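The hijacked `shell\open\command` values above are the kind of thing a quick audit of a registry export can catch. Here is an added example (not code from the original page) that scans a `.reg` export of HKEY_CLASSES_ROOT and reports any text-type ProgID whose open handler is not the stock program; the expected-handler table is an assumption based on a default Windows XP install, and the sample export is constructed, with the txtfile entry taken from the page.

```python
import re

# Constructed .reg export: the txtfile handler is the hijacked one shown above,
# the other three are what a stock install looks like.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="jyturtnhy.exe %1"

[HKEY_CLASSES_ROOT\inifile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
'''

# Assumed stock handlers (Windows XP defaults); batfile runs the file itself.
EXPECTED = {
    "txtfile": {"notepad.exe"},
    "inifile": {"notepad.exe"},
    "regfile": {"regedit.exe"},
    "batfile": {"%1"},
}

SECTION = re.compile(r"^\[HKEY_CLASSES_ROOT\\(\w+)\\shell\\open\\command\]$", re.I)
DEFAULT = re.compile(r'^@="(.*)"$')


def unescape(value):
    """Undo .reg string escaping (\\" and \\\\)."""
    return value.replace('\\"', '"').replace("\\\\", "\\")


def first_token(cmd):
    """Program part of a command line, honouring a leading quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def audit_open_commands(reg_text):
    """Return (progid, program) for each text-type ProgID with an unexpected handler."""
    findings, progid = [], None
    for line in reg_text.splitlines():
        m = SECTION.match(line.strip())
        if m:
            progid = m.group(1).lower()
            continue
        d = DEFAULT.match(line.strip())
        if d and progid in EXPECTED:
            program = first_token(unescape(d.group(1)))
            if program.rsplit("\\", 1)[-1].lower() not in EXPECTED[progid]:
                findings.append((progid, program))
            progid = None
    return findings
```

On a live system the same export is produced with `reg export HKCR\txtfile file.reg` for each ProgID of interest.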
Other Bad Files
File | Size | Date | Notes
---|---|---|---
c:\windows\svchoost.exe | 20 KB | 2-14-08 | Notice the "oo"
c:\windows\quit.exe | 20 KB | 2-14-08 |
c:\windows\jyturtnhy.exe | 40 KB | 2-15-08 | Had a folder icon; run for text files - txt log ini bat reg
c:\windows\gsdfwerjhg.exe | 40 KB | 2-14-08 |
c:\windows\system32\explorer.exe | 36 KB | 2-25-08 |
c:\windows\system32\fadgsd.exe | 40 KB | 2-15-08 | Had a folder icon
c:\windows\system32\rgyaotwe.dll | 91 KB | 2-16-08 |
c:\windows\system32\wineva32.dll | 24 KB | 2-11-08 |
c:\windows\system32\winijp32.dll | 24 KB | 2-11-08 |
c:\windows\system32\yqeptvus.dll | 86 KB | 2-17-08 |
C:\WINDOWS\Installer\{50ce3d24-5c4c-4ab2-80a0-02d3989c0225}\zip.dll | 38 KB | 02-12-08 |
References
Search results for the strings found on this system:

{50ce3d24-5c4c-4ab2-80a0-02d3989c0225} - no hits
carordriver.com - 8 hits, 2 are useful
cpccpmqian - 9 hits
rt yi46 hgjgjhrt jghr - 1 hit, do data
124.133.18.151 - 1 hit, DISOG
Well, this is why I thought it was necessary to write this page.