Saturday, September 09, 2006
Sadie Good, Briz Bad
I took Sadie with me yesterday, to get her desire to “go” out of her system. I needed to look at a computer with an apparent malware affliction, pick up a check, mess with servers a little, and I wanted to do a trial install of Outlook 2003 on one workstation that could be messed up without mattering.
It turned out the malware affliction was a variant of this lovely thing. I had a certain amount of fun, because I located the files that contained the user’s recent web browser keystrokes, including his webmail URL, name and password, and all the most recent actions, including what I had done in the registry and such since sitting down. I’d heard of viruses or spyware designed to log keystrokes and transmit the info, but I’d never encountered one or seen direct evidence that’s what it was.
When I hit the registry, the most recently modified key was a now-blank “RunOnce” under HKCU (HKEY_CURRENT_USER), so obviously something had been planted there and had a chance to deploy and clear itself on reboot. The Run key under HKLM (HKEY_LOCAL_MACHINE) had five items, only one of them legit. One of them was winlogin. It and one other put themselves back as soon as they were cleared.
The file I recognized as not right in the process list was ieredir.exe, which I was able to get rid of. Searching on it later told me this was Briz-F or a variant and let me learn more.
The symptoms he was having were that Firefox would not run at all. Double-click and it goes away instantly. Internet Explorer would run but not work. Other things started hanging and not working, including eventually Word.
Fishing through files on the system, I found it was apparently spoofing explorer.exe with its own version, which would explain a lot. Ugly.
He went home. I left it for today, filled with joy at having that much extra to do this weekend. A cleanup of that sort could take hours. Afterward I looked at the proxy server logs and found that since about 10:00 AM the machine had periodically talked to a suspicious-sounding .info URL and a URL ending in .org that otherwise sounded like it could be a credit union site. The latter appears to make you think that it is doing a Windows update.
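The proxy-log check described above, written out as an added example that is not part of the original post: it reads a few constructed Squid-style access-log lines (epoch timestamp, client IP, method, URL, status; the real proxy's format is not given in the post) and flags client/host pairs whose request spacing is nearly constant, which is what "periodically talked to" looks like in the data. The host names, client address, timestamps and the 15% regularity threshold are all assumptions made for the example.

```python
"""Flag hosts that a workstation contacts at near-regular intervals in a proxy log.

Added example, not code from the original post. The log format is a constructed
Squid-style access log: "<epoch> <client> <method> <url> <status>".
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")

# Constructed sample: one workstation (10.0.0.23) beacons to an .info host
# roughly every 600 s and to a lookalike "windowsupdate" .org host every
# 1800 s, mixed with ordinary browsing. Base time 1157716800 is
# 2006-09-08 12:00:00 UTC; all names and addresses are invented.
SAMPLE_LOG = """\
1157716800 10.0.0.23 GET http://www.example-news.org/index.html 200
1157716800 10.0.0.23 GET http://updates.suspicious-example.info/check.php?id=1 200
1157716830 10.0.0.23 GET http://windowsupdate.example-cu.org/update.exe 200
1157716900 10.0.0.23 GET http://mail.example.com/inbox 200
1157717100 10.0.0.23 GET http://www.example-news.org/sports.html 200
1157717120 10.0.0.23 GET http://www.example-news.org/weather.html 200
1157717400 10.0.0.23 GET http://updates.suspicious-example.info/check.php?id=2 200
1157717995 10.0.0.23 GET http://updates.suspicious-example.info/check.php?id=3 200
1157718600 10.0.0.23 GET http://updates.suspicious-example.info/check.php?id=4 200
1157718630 10.0.0.23 GET http://windowsupdate.example-cu.org/update.exe 200
1157718800 10.0.0.23 GET http://www.example-news.org/index.html 200
1157718850 10.0.0.23 GET http://www.example-news.org/local.html 200
1157719210 10.0.0.23 GET http://updates.suspicious-example.info/check.php?id=5 200
1157719800 10.0.0.23 GET http://updates.suspicious-example.info/check.php?id=6 200
1157720430 10.0.0.23 GET http://windowsupdate.example-cu.org/update.exe 200
1157720800 10.0.0.23 GET http://mail.example.com/inbox 200
1157722230 10.0.0.23 GET http://windowsupdate.example-cu.org/update.exe 200
"""


def parse_log(text):
    """Yield (timestamp, client, host) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        host = urlsplit(url).hostname
        if host:
            yield int(ts), client, host.lower()


def find_beacons(text, min_hits=4, max_cv=0.15):
    """Return [(client, host, hits, mean_gap_s, cv, first_seen_utc)] for pairs
    whose inter-request gaps are nearly constant (coefficient of variation
    <= max_cv). Pairs with fewer than min_hits requests are ignored because a
    handful of hits cannot establish a rhythm."""
    times = defaultdict(list)
    for ts, client, host in parse_log(text):
        times[(client, host)].append(ts)
    findings = []
    for (client, host), stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # every hit in the same second: a burst, not a beacon
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            first = datetime.fromtimestamp(stamps[0], tz=timezone.utc)
            findings.append((client, host, len(stamps), round(mean),
                             round(cv, 3), first.strftime("%Y-%m-%d %H:%M:%SZ")))
    findings.sort(key=lambda f: f[4])  # most regular first
    return findings


if __name__ == "__main__":
    for client, host, hits, gap, cv, first in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: {hits} hits, ~{gap}s apart (cv={cv}), first seen {first}")
```

The news site and the mail host drop out: the former because browsing gaps are wildly uneven, the latter because two hits are not enough to judge. Real malware adds jitter and long sleep periods, so treat the threshold as a starting point and look at the first-seen time and the URL path (the same `check.php` with a counter is itself telling) before deciding the machine is clean.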
So, remember I had Sadie with me? She is so good! It’s as if she has a built-in sense of decorum. The whole time I worked on that computer, she hung out in that office quietly, chewing on a big pretzel the lawyer gave her and waiting patiently for me. Periodically one of her admiring public would come to the door to say hi to her.
Then we went over to the server room, which is more of a closet. She sits in there with me and touches nothing she shouldn’t. This in a place where she could easily reach out and rip the spaghetti of little phone wires from their contacts. There’s a toolbox she uses as a chair, and someone left a doorknob kit on the floor next to the door, so she plays with the pieces of that.
Then she got a big purple lollipop from the receptionist on our way down to my office, and for the little while we were there she ate the lollipop and played with her computer and a couple of small toys that live there.
She was sooooo good! I know she is generally, but it still amazes me. I still couldn’t take her for a whole day of intense work in the client’s offices, but it’s nice that I can take her for a couple hours or more and not have to worry much.