Fixed New FystemRoot Rootkit Virus ( Worm? ) Trojan


For the past few months I've been dealing with a new RootKit Virus. I'm not exactly sure what it's stealing or doing, but it's pretty bad. So far, I've found it only on XP systems. Surprisingly, no one detects it or has a solution out yet. The worst thing about this FystemRoot is once the virus is cleaned - AU and BITS need to be repaired and permissions reset manually <- That's the bad part - people are clean, but their system is still corrupted.

* update * It seems the Task Scheduler is now being corrupted as well. Just came across this on a system * update *

I've tried McAfee, Kaspersky, Symantec, F-Force, MalwareBytes, Previx, ( zone alarm ), Spybot.... everything I could, but only Manually Cleaning fixes it. It defeats HiJack This from fully running, and combofix wasn't much help either.

If infected, 100% of the time

  • System Event Log shows DCOM errors about BITS not being able to be loaded.
  • Trying to Set Automatic Updates or BITS through services.msc gives an error about permission or access
  • Searching your registry for fystemroot yields a result

Yes, it is FystemRoot, not SystemRoot as it should be.

The rumor mill suggests it gets in through an IE exploit - but I'm not too sure about that, as the people I've found infected use either FireFox or Flock. I've seen this virus since about early February, could even be late January. I figured it was new and so the AV companies would include it soon, however - so far, there is just scattered talk in some forums.

Aside from not being able to fix WUAUServ or BITS, the other interesting feature about this is, it runs your other browser ( flock, opera, chrome, mozilla ) in a sandbox and forces IE as your default browser; it disables the always check feature. However, all links open up in whatever browser you are using and icons still show your browser of choice. Since something is going on with IE 6/7, perhaps updating to IE 8 might be worth it.

Safe Mode does not always clean it out, so the Recovery Console is sometimes required :(

Finding the names of the infections is fairly easy. Through the registry ( independent registry editors have no effect ~ tried through cmd, regedit, wsh... ) go to

HKLM\SYSTEM\CurrentControlSet\Services

( yes, it exists in ControlSet00n as well )

Then one by one go through each service until you get an error message. Usually there are two ( most people however are suggesting only one ). Write down the names of the keys which cannot be read. Usually these are numbers or letters and numbers. The files typically live in ( this could change if the hacker updates their code )

%windir%\system32\drivers

Before going into the recovery console set

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole]
"SetCommand"=dword:00000001

If you're able to, as sometimes SR cannot be disabled:

  1. Clear ALL System Restore Points
  2. Set the Size To the Minimum
  3. Turn Off System Restore
  4. Edit your boot.ini to start in the Recovery Console
  5. Add another entry to start in Safe Mode with the Command Prompt
  6. Disconnect from the web, reboot to the recovery console, and delete the <found names>.sys
  7. Reboot into Safe Mode whilst Holding Down the Left Shift Key until you are at the cmd prompt and hdd activity has stopped

All through the cmd prompt, navigate to and run Spybot and MalwareBytes. Between those two, it finds further infections - note the logs, and search your registry for them, and delete them. I've found, whilst file info is removed, the registry entries are not always removed.

Delete all restore points and turn off System Restore; yes, I've found infections have been in the System Volume Information Folder.

A further step I've used is in a batch file run from the root of your drive, something along the lines of:

rem Collect every .exe and .sys whose name starts with a digit (1-9), skipping
rem the legitimate 1394* and 61883* driver files mentioned below
for /l %%a in (1,1,9) do (
    dir %%a*.exe %%a*.sys /b /a /s 2>nul | findstr /v /i "1394 61883" >> c:\infctns.txt
)
rem Strip the attributes from each listed path, then delete it
for /f "usebackq delims=" %%a in ("c:\infctns.txt") do attrib -r -a -s -h "%%a"
for /f "usebackq delims=" %%a in ("c:\infctns.txt") do erase /f /q "%%a"

As of yet, I haven't found any legit programs which start with numbers and are exe's or sys files ~ oops, forgot to mention the 1394 and 61883 files - you'll want to add an "if not" part to it.

Running CCleaner ( for both files ~ uncheck the older than 48 hrs option ~ and registry ) is a good idea, as now the temp folders contain new items.

Open your registry editor, find and delete the keys of the names you found - including the ones we had to manually delete.

After all that, now you should be able to open up explorer. In your "documents and settings" folders, check the temps & start up folders for extra files which this has dropped. Don't forget the Default User

Run CCleaner

FIXING WUAU AND BITS AND TASK SCHEDULER

The final step is to reset the permissions for BITS and WUAUServ

Click Start | Run

Type in: dcomcnfg.exe

Click OK

Click your way from Component Services to DCOM Config and then BITS; set it to defaults. Do the same for Windows Update. Umm - right-click and select Properties, btw.

Enter your Registry and head towards HKLM\SYSTEM\CurrentControlSet\Services

For BITS, WUAUSERV, * update * Schedule * Update * Add/Give SYSTEM rights

Make sure it's set to %SystemRoot% and no longer %fystemroot%

Through Services, set BITS to Manual and AU to Automatic ( default settings ).

Clear your event logs, and reboot.

So far as I can tell, you should now be able to start XP in a normal environment, but still be disconnected, and hold down the Left Shift Key.

Connect up to Windows Updates and see if you are fine. Of course, check your event logs to make sure you are still safe. If you can't connect up to Windows Update, then I've removed the WU controls from IE, cleaned the registry of their references, and have had IE reinitialize the WU controls.

SPECULATION

Some of the other infections which seem to have appeared along with this infection also seem to cause a Registry editor and/or a command box to shut down after a few moments. So if you are running syslean, or some other av/as removal tool from a cmd, it simply will not run or complete. However, these other infections ( including Vundo ) do seem to be detected and removed by most anti-malware vendors. On some occasions, I have found references to a hidden file in the registry %windir%\system32\..\<random file name>.randomExtension ~ for example Wsj.dst. This hidden file appears to have further rootkit abilities - as once it's removed, I've found more infections.

Not specifically related to the fystemRoot, as it appears to be a launcher/transport/proxy, but check out/parse AutoExec.bat settings, winlogon, wininit, as well as the win.ini file.

I have no idea if this infects your anti-malware s/w. Once I find an infection, I assume anti-malware products are rendered useless and uninstall the lot ~ as well as Java. I will say, I have noticed that av and as products do still detect infections, just not this one.

Alright - did I miss anything? Any mistakes or errors?

Keywords: %fystemroot% %systemroot% Cannot set Automatic Updates Background Intelligent Transfer Service Access Denied Permission Error Virus Trojan Worm RootKit HiJackThis HJT

Still with update issues? 1-866-PC-Safety <- that's msft's Windows Update Help Line
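Added here as a worked check for the registry step above, not code from the thread: a Python script that parses the text output of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` (saved to a file on the affected XP box) for the %fystemroot% indicator, reports the corrected value, and lists digit-named services whose ImagePath is a .sys under drivers. The sample output and the service name 4f3a92 are constructed.

```python
import re
# Constructed sample of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` output,
# not from a real system: BITS damaged as the thread describes plus a digit-named driver.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS
    DisplayName    REG_SZ    Background Intelligent Transfer Service
    ImagePath    REG_EXPAND_SZ    %fystemroot%\system32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\4f3a92
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\drivers\4f3a92.sys
"""

# Digit-leading names the thread says are legitimate (the 1394 and 61883 drivers)
KNOWN_NUMERIC_OK = ("1394", "61883")

def parse_reg_query(text):
    """Turn `reg query /s` output into {key_path: {value_name: data}}."""
    services = {}
    current = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            services[current] = {}
        elif current is not None and line.startswith("    "):
            parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)  # name, type, data
            if len(parts) == 3:
                services[current][parts[0]] = parts[2]
    return services

def find_fystemroot(services):
    """(key, value name, corrected data) for every value carrying the indicator."""
    hits = []
    for key, values in services.items():
        for name, data in values.items():
            if "fystemroot" in data.lower():
                fixed = re.sub(r"%fystemroot%", "%SystemRoot%", data, flags=re.I)
                hits.append((key, name, fixed))
    return hits

def suspicious_driver_services(services):
    """Digit-named service keys whose ImagePath is a .sys under drivers."""
    out = []
    for key, values in services.items():
        leaf = key.rsplit("\\", 1)[-1]
        image = values.get("ImagePath", "").lower()
        if (leaf[:1].isdigit() and not leaf.startswith(KNOWN_NUMERIC_OK)
                and "\\drivers\\" in image and image.endswith(".sys")):
            out.append(key)
    return out
```

The digit-name check is a heuristic for manual review, as the thread says; confirm each hit in services.msc and the drivers folder before removing anything.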

Edited by svasutin


Save this as a text file called killIt, and replace the <infectedNameX> part; 6 edits and just 2 names

Don't forget to add the reg entry before going into the recovery console. Set or Create:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole]
"SetCommand"=dword:00000001

Inside the Recovery Console ( after logging in ), to run it, type:

Batch KillIt.txt

I included the exit to cause a reboot.

Highlight and save as: Killit.txt

SET AllowWildCards = TRUE
SET AllowAllPaths = TRUE
SET AllowRemovableMedia = TRUE
SET NoCopyPrompt = TRUE

CD system32
CD drivers

Attrib -c -r -s -h <infectedName1>.sys
Attrib -c -r -s -h <infectedName2>.sys

Delete <infectedName1>.sys
Delete <infectedName2>.sys

Disable <infectedName1>
Disable <infectedName2>

exit


  • 1 month later...

Just because someone uses Firefox or Flock (or whatever) as their primary browser on the system does not mean that they are exempt from IE exploits. If IE is simply present on any Windows system then you are susceptible to any of its exploits regardless.

With regards to the permissions being screwed up, that is an unfortunate disadvantage of a filesystem capable of permissions. If permissions aren't set very strictly in the first place, then any piece of software can run riot and set its own permissions as it pleases. FAT32 doesn't have this disadvantage.

It is for this reason that I have lately begun to favour permissionless systems. Where there are permissions, there are flaws...


> Just because someone uses Firefox or Flock (or whatever) as their primary browser on the system does not mean that they are exempt from IE exploits. If IE is simply present on any Windows system then you are susceptible to any of its exploits regardless.

Ah, just searched my registry and no sign. But I removed IE with nLite before I installed XP so I'm pretty safe in that way.


Sorry for the late response - busy trying to stay afloat*...

Very very true on the browser choice - it just appears as, whatever or however this infection is getting in, once it does, it uses IE. My thinking is, IE 8 hopefully with its updates and new security measures ( turn off crash protection & compatibility** ) might block it.

I do believe last year Firefox had something like 6 times the number of security issues as IE, and as for Flock - I have no clue about it. As for permission-less, I can go either way on it - depending upon the number of users and type of system ( SOHO, LOCO, Family ). Usually for me, it's not a choice though as I'm working on other peoples' systems :-s

If anyone does find a name and a removal tool for this infection, please post it.

The post will only be accepted should you provide the name given to this infection.

** btw, if you're using, for example, Spybot's/Spyware Blaster Immunizations, then you have to disable them for IE 8. IDK what Msft did, but using immunizations ( block/kill bits/host ) with IE 8 slows the system to a crawl. I mention Spybot & SpywareBlaster only because of their popularity - not citing them as the source/cause.

* In other news, I've found some detectable infections are starting to replace the Windows Service Pack Info. This was/is a good idea on the hackers' part - it got me. Once everything was cleaned and I went to check Windows Update to see if anything was missed, turned out the system was still running Service Pack 2, but everything read Service Pack 3.

Hence, check a few version numbers for their service pack level before just replacing/repairing files ( sfc )... took me forever to figure out why some discs didn't work and/or over replacing some files caused system issues - lol


svasutin - thank you for the info in this thread. I came across this same rootkit yesterday on an XP computer and found this thread when searching for fsystemroot.

Before finding this thread, I had noticed that the .SYS file in the drivers folder was visible, but couldn't be removed while in windows. Rt/Click properties on the file didn't have all of the normal NTFS tabs. Once I found that it was a rootkit hidden service, I was able to get it stopped and removed. Thank you. I'm working on this remotely, so I didn't have recovery console access to it.

BUT . . . Upon inspecting the system with some rootkit tools, I found a second one with the name "SKYNET <random chars>.sys" running on the system as well. I wasn't able to get this one stopped and removed through remote tools. Looks like I'm going to need hands on recovery console access to this one.

I do know that the person opened an .EXE email attachment last week to start the infection. Symantec called the attachment W32.SillyFDC.

ThreatExpert gave it this report: http://www.threatexpert.com/report.aspx?md...074dfdaa7a53f3b


I don't know if this is going to help anyone, but I have actually fixed a machine with this running on it, although it was NOT easy and I needed to use a fair few tools to get it going.

My first point of call was to run RootAlyzer (from the SpyBot website) - this highlighted some files that were hidden from Windows (use the deep scan option for best results). You could not unhide them in any way, shape or form. So I booted from a Linux Live CD and sure enough, I was able to find and remove the offending files.

Another package I used was Process Master 1.1 (Trial) - it highlighted a hidden process that was running, and told me where the file was located - again, I could not delete this - even in Safe Mode, so another boot into Linux Live sorted that out.

I was then able to run the normal spyware tools (Combofix, Malware Bytes, SuperAntiSpyware etc) - all of the tools found something, but they are all clear now.

I found an extra entry for 127.0.0.1 in the hosts file, and checking the Internet Options found a proxy apparently running locally on IP 127.0.0.1 on port 7171.

From there on in, I used Regedit to find all instances of %fystemroot%.

I re-enabled Windows Updates and Background Intelligent Transfer and can download updates.

Finally, Kaspersky is now finding nothing on the PC....


  • 2 weeks later...

Stumbled upon your remarks after having fixed the same problem:

Windows Update not working but no Virus found by NEP or One Care, tried a lot but nothing worked until I discovered %fystemRoot% in Registry entries for Intelligent Updater and Wuauserv under HKLM\SYSTEM\CurrentControlSet\Services

Managed to clean them in normal environment but had turned off automatic updates, and deleted CatRoot2 and let Combofix do its work.

After that, ran WinUpdate again manually which worked, turned it to automatic after the first 7 updates and now it is still working.
