Pendingfilerenameoperations



Using your idea, I think I was able to remove the trojan. I did these steps:

1. I ran this command using the Windows XP command line:

process -s random_filename.exe

2. I manually deleted the entry from the registry, located here:

hklm\software\microsoft\windows\currentversion\run

I then used my Python script to kill the file on reboot. You can use any method that works for you:

import win32api
import win32con

win32api.MoveFileEx("random_filename.exe", None, win32con.MOVEFILE_DELAY_UNTIL_REBOOT)


DISCLAIMER:

BE CAREFUL. WHILE I HAVE TESTED THIS SCRIPT AND IT SEEMS TO WORK WELL, IT MAY HAVE BUGS I AM UNAWARE OF. THIS SCRIPT WILL DELETE ANY FILE THAT IS LISTED IN THE O4s, THAT ENDS WITH ".exe r" AND THAT IS ALSO IN THE SYSTEM32 FOLDER. ANY LEGITIMATE (IMPORTANT) FILE THAT MEETS THESE REQUIREMENTS WILL GET REMOVED. IT MIGHT NOT BE SMART TO RUN THIS.

I love to script simple stuff with Python. I was able to automate the removal of the Epolvy trojan. This is not very practical, because you do need to have both Python and process.exe installed on your system. Python can be made into an executable (no need to have Python installed). I may do that some day.

Here is how the script works. First you need to run HJT and save a log file. You then need to place a copy of the HJT log file in the same directory (folder) as this script. You can also just place the script in your HJT folder (since the HJT log file is there).

The script reads the HJT log file and looks at all of the O4 entries. It then sorts out all of the O4s that have a file in C:\windows\system32 and end with ".exe r". Even though I think the trojan will only leave one infected file, this script will remove multiple files that meet this criteria. For example, if these lines were in your log it would remove both in one pass.

It will remove two instances (probably not necessary):

O4 - HKLM\..\Run: [entrffi] C:\WINDOWS\system32\asqpno.exe r
O4 - HKLM\..\Run: [ddegfi] C:\WINDOWS\system32\fgjshy.exe r

Here is the script:

import subprocess
import win32api
import win32con

# this code reads the hijackthis log and splits it into lines
with open('hijackthis.log', 'r') as logob:
    hijacksplit = logob.readlines()

# this code finds all O4s that contain an ".exe r" and are in the system32 folder
# it returns a list of tuples for each entry found. This tuple contains
# both the registry value name and the file name

def parse_data():
    myO4list = []
    for i in hijacksplit:
        if i.startswith("O4"):
            if i.find("C:\\WINDOWS\\system32\\") != -1:
                if i.find(".exe r") != -1:
                    regname = i.split("[")[1].split("]")[0]
                    filename = i.split("C:\\WINDOWS\\system32\\")[1].split(" r")[0]
                    myO4list.append((regname, filename))
    return myO4list

myfiles = parse_data()

# open the Run key once, with write access, so values can be deleted from it
key = win32api.RegOpenKeyEx(win32con.HKEY_LOCAL_MACHINE,
                            r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                            0, win32con.KEY_READ | win32con.KEY_WRITE)

# this code first suspends the process, then deletes the reg value, then calls
# MoveFileEx to delete the file on reboot
for regname, filename in myfiles:
    # run "process -s <file>" as an argument list, so the name is not parsed by a shell
    subprocess.call(["process", "-s", filename])
    # this line deletes the registry value that starts the file
    win32api.RegDeleteValue(key, regname)
    # this line calls MoveFileEx to delete at reboot. Note that filename is the bare
    # file name, not the full path under system32 (see the follow-up posts)
    win32api.MoveFileEx(filename, None, win32con.MOVEFILE_DELAY_UNTIL_REBOOT)

# this closes the registry key handle
win32api.RegCloseKey(key)

To finish the process, a reboot is necessary :-)

Edited by shanenin

I was thinking. A better way of doing this would be just to read the values in the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run directly. There is no reason to have to indirectly get this info from the HJT log.


Hi shane. Ok this is weird. You are doing the exact same method as myself, but yours is working, mine is not. That either means:

1. I wrote the batch incorrectly.

2. It doesn't work all the time.

We are currently testing again with an edited batch.

I was thinking. A better way of doing this would be just to read the values in the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run directly. There is no reason to have to indirectly get this info from the HJT log.

If I can figure out what I wrote incorrectly, do You know of a way to do this in batch?

I must admit, I was very, very surprised when you posted back successful results. I did find a typo in one of my directory lines, which probably accounted for our failures. I'll let you know the test results in a moment.

If I am unable to figure it out, I will post the batch source in programming for assistance.

Matt


I have no idea how to do it with batch.

The cool thing about Python is it allows direct interaction with the Win32 API. I don't think batch can do that. The huge negative to Python is it needs to be installed on the system. That is where batch is a great method to use (everyone can run it). I wonder if the new Windows PowerShell can access this Win32 API?

Edited by shanenin

Funny, I just realized something dumb I did with my code. I had the path set incorrectly to the file in system32, so in essence it is not getting deleted. But.... since I suspended the process and deleted the O4 entry from the registry, the file is no longer getting started. So every time I did a test, I have left behind one dormant copy of the infected file in system32. Without the registry starting this file as a process it is not doing any harm. Nonetheless, I don't like the idea of just leaving the file sitting there.


I fixed my bug, so now no dormant (unregistered) file is left behind. I also wrote the script to read the registry directly, so you do not need to use an HJT log file. This code seems much cleaner. I left lots of comments to show what is happening:

import subprocess
import sys
import win32api
import win32con

# this line opens the Run key with read and write access, so values can be read and deleted
key = win32api.RegOpenKeyEx(win32con.HKEY_LOCAL_MACHINE,
                            r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                            0, win32con.KEY_READ | win32con.KEY_WRITE)

# this loop reads all values in the registry key and picks out the O4 value that is malware
trojanval = None
numvalues = win32api.RegQueryInfoKey(key)[1]   # returns (subkeys, values, last write time)
for i in range(numvalues):
    info = win32api.RegEnumValue(key, i)       # returns (value name, data, type)
    data = info[1]
    if isinstance(data, str) and data.startswith("C:\\WINDOWS\\system32\\") and data.endswith(".exe r"):
        trojanval = info

# nothing matched: close the key and stop instead of failing on trojanval below
if trojanval is None:
    win32api.RegCloseKey(key)
    sys.exit("no Run value in system32 ending with '.exe r' was found")

# this sets the variable of the name of the process, e.g. "djfjfj.exe"
processname = trojanval[1].split("system32\\")[1].split(" r")[0]

# this variable sets the name of the registry value, used to delete the value
valuename = trojanval[0]

# this variable sets the full path to the infected file, used by MoveFileEx
filelocation = "C:\\WINDOWS\\system32\\" + processname

# these lines run the "process -s" command to suspend the running copy
subprocess.call(["process", "-s", processname])

# this line deletes the registry value
win32api.RegDeleteValue(key, valuename)

# this line calls MoveFileEx to delete the file at reboot
win32api.MoveFileEx(filelocation, None, win32con.MOVEFILE_DELAY_UNTIL_REBOOT)

# this closes the registry key handle
win32api.RegCloseKey(key)
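As an added example (not shanenin's script and not part of pywin32), here is what the MoveFileEx call in these scripts actually leaves behind: the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, a REG_MULTI_SZ of source/target pairs where an empty target means "delete at boot" and a "!" prefix means "replace the existing target". The block builds that value offline from HijackThis-style O4 lines like the two above (constructed samples) and decodes it again, so a defender can audit what is queued for the next reboot; the O4 regex and the sample file names are assumptions.

```python
import re

NT_PREFIX = "\\??\\"   # MoveFileEx stores NT object-manager paths in the value
# Shape of the thread's O4 lines; the trailing " r" argument is required (assumption)
O4_RE = re.compile(r"^O4 - .*?\[(?P<name>[^\]]+)\] (?P<path>[A-Za-z]:\\.*?\.exe) r$", re.I)
# Constructed sample log lines modelled on the two in the thread
SAMPLE_HJT_LINES = [
    "O4 - HKLM\\..\\Run: [entrffi] C:\\WINDOWS\\system32\\asqpno.exe r",
    "O4 - HKLM\\..\\Run: [ddegfi] C:\\WINDOWS\\system32\\fgjshy.exe r",
    "O4 - HKLM\\..\\Run: [ctfmon] C:\\WINDOWS\\system32\\ctfmon.exe",  # no " r": left alone
]

def parse_o4_lines(lines):
    """(value name, full path) for each O4 entry under system32 that ends with '.exe r'."""
    hits = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if m and "\\system32\\" in m.group("path").lower():
            hits.append((m.group("name"), m.group("path")))
    return hits

def encode_pending_ops(ops):
    """REG_MULTI_SZ bytes as MoveFileEx writes them: pairs of (source, target);
    ops are (source, target, replace_existing) and target None means delete."""
    strings = []
    for src, dst, replace in ops:
        strings.append(NT_PREFIX + src)
        strings.append("" if dst is None else ("!" if replace else "") + NT_PREFIX + dst)
    # each string is NUL-terminated and one extra NUL closes the multi-string
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")

def decode_pending_ops(raw):
    """Decode the value into (action, source, target) tuples so it can be audited."""
    text = raw.decode("utf-16-le")
    if len(text) < 2 or not text.endswith("\0\0"):
        raise ValueError("not a terminated REG_MULTI_SZ")
    strings = text[:-2].split("\0")   # drop the last terminator and the closing NUL
    ops = []
    for src, dst in zip(strings[::2], strings[1::2]):
        src = src[len(NT_PREFIX):] if src.startswith(NT_PREFIX) else src
        if dst == "":
            ops.append(("delete", src, None))
            continue
        replace = dst.startswith("!")
        dst = dst.lstrip("!")
        dst = dst[len(NT_PREFIX):] if dst.startswith(NT_PREFIX) else dst
        ops.append(("replace" if replace else "rename", src, dst))
    return ops

def queued_deletes_for(lines):
    """The value the thread's script would leave behind for these log lines."""
    return encode_pending_ops([(p, None, False) for _, p in parse_o4_lines(lines)])
```

On a live system the same decoder can be pointed at the real value read with the registry API, which is how you check that a queued delete targets the file you meant and nothing else.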

I wonder if the new Windows PowerShell can access this Win32 API?

No need. It looks like the Microsoft.Win32 namespace in the .NET framework includes all of the important features of the registry API. If anything is missing it's easy to bring it in using P/Invoke.

Edited by jcl

FWIW, a PowerShell version of the above Python script. The .NET File API doesn't seem to provide the delayed delete operation, so that bit isn't implemented. It also kills instead of suspending the target process; I don't know if that matters.

$runKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# $true opens the key writable so DeleteValue works
$runKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($runKeyPath, $true)

foreach ($name in $runKey.GetValueNames()) {
    $value = $runKey.GetValue($name)
    # backslashes are not escapes in PowerShell strings, so "\\" reaches the regex as an escaped backslash
    if ($value -imatch '(C:\\WINDOWS\\system32\\.*\.exe) +r') {
        $filePath = $matches[1]
        # XXX: Untested from here...
        $procs = Get-Process | Where-Object { $_.Path -ieq $filePath }
        foreach ($proc in $procs) {
            $proc.Kill()
        }
        # Delete file somehow
        # ...to here
        $runKey.DeleteValue($name, $false)
    }
}

$runKey.Close()


That is pretty cool. Is PowerShell gutted out of Vista?

It also kills instead of suspending the target process; I don't know if that matters.

My weak understanding is that what is needed to suspend a process could be accomplished by suspending all of the threads the process uses. Maybe a way to do it would be to figure out what threads the process uses, then use the Win32 API method for suspending them (all the threads).

Edited by shanenin
That is pretty cool. Is PowerShell gutted out of Vista?

No idea.

My weak understanding is that what is needed to suspend a process could be accomplished by suspending all of the threads the process uses.

D'oh. I knew that. Still not seeing an obvious way to do it.

I am curious about how the trojan evades the kill. All I found on Google was a mention of Epolvy being resurrected by Nail, which seems easy enough to dodge unless they do the Robin Hood and Friar Tuck trick.

Edited by jcl
That is pretty cool. Is PowerShell gutted out of Vista?

It also kills instead of suspending the target process; I don't know if that matters.

My weak understanding is that what is needed to suspend a process could be accomplished by suspending all of the threads the process uses. Maybe a way to do it would be to figure out what threads the process uses, then use the Win32 API method for suspending them (all the threads).

Yes, it's gutted from Vista, but it is in the beta for Server 2007 (to be called Longhorn, or at least that's what the DVD we received at Tech-Ed says).

PowerShell is really cool but way too powerful; they wanted to outdo bash (that is a direct quote from the "Fixing your problems with PowerShell" class at Tech-Ed), but if ever compromised, PowerShell should allow a hacker into every part of the OS. By using signed keys placed in the key folder (writable to everyone.. bad plan) you can place a public key and sign your script as admin, and it will run from a limited user as admin.

It's off by default in 2007; you have to turn it on.
