Wednesday, April 13, 2011

Malware Redirects Google Search Results

Encountered what appears to be malware with some javascript which caused Microsoft Security Essentials (MSE) to throw errors and almost, but not quite, infect a system.

Popup notifications appeared in the systray every few seconds, and the MSE process MsMpEng.exe was gobbling up 50%+ CPU trying to keep whatever was trying to infect this Windows XP service pack 3 PC under control.

MSE's log showed the following error at the top of the details:
Microsoft Security Essentials encountered the following error: Error code 0x800703e4. Overlapped I/O event is not in a signaled state.

It listed numerous instances of the following as the most recent triggers for the cleanup:

Interestingly, the malware kept triggering the alerts from a specific path on the system:
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\14\3cb28b8e-3c71bd02->lort/cooter.class

Apparently lort/cooter.class is related to a family of malware dubbed JAVA/Exdoer, based on a log file I found posted here. The system's default browser (Firefox) was redirecting Google search results to various sites with advertising. While MSE seemed to be detecting and responding to whatever active component of this malware, freshly-updated installs of SpyBot, MalwareBytes, and PrevX did not detect it.

I decided first to try to simply close all browsers, then run a utility called GOOREDFIX.EXE as described in this forum post. It returned the following log info:
GooredFix by jpshortstuff (
Log created at 15:54 on 13/04/2011 (Jan)
Firefox version 3.6.16 (en-US)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{A1E5480F-729F-4237-AD8E-2C46BA793DFE} -> Success!
Deleting C:\Documents and Settings\User\Local Settings\Application Data\{A1E5480F-729F-4237-AD8E-2C46BA793DFE} -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [18:53 08/03/2011]
{972ce4c6-7e08-4474-a285-3208198ce6fd}(2) [18:19 08/03/2011]
{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [20:30 16/01/2010]

C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\c06n7342.User\extensions\ [01:37 14/03/2011]
{20a82645-c095-46ed-80e3-08825760534b} [01:08 27/12/2010]
{7b13ec3e-999a-4b70-b9cb-2617b8323822} [19:18 12/04/2011]
{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} [16:22 27/03/2011]

"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [20:46 30/09/2009]
""="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [20:30 16/01/2010]


However, something seemed to reactivate the malware upon reopening Firefox, and the MSE systray popups began again.

I closed the browser, ensured that neither firefox.exe nor any other suspicious executables were present among the running processes, reran GOOREDFIX.EXE, then simply deleted the following folder:
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\

Upon reopening Firefox, no further MSE notification popups appeared, and after running a full scan with MSE, no threats in memory nor in the file system were reported. So far, at least, it looks like whatever this malware was has been eliminated, but we shall see!

No comments: