Sunday, May 5, 2019

Malware Removal 101: Facebook Worm

I think you are familiar with this post.



Your PC would only be affected if you do the following:
  • You clicked and downloaded the file.  (The sample I got is video_68080.bz.  Note that the filename may vary.)
  • You extracted or clicked on the archive and launched the file (play_29732727.mp4.com).

Correction:  It's a .com file.



Running the worm creates the following files.


It starts with Windows via a registry entry (the Run value listed below).


What it does is publish "Wow" video posts in different Facebook groups without the user's knowledge.

Other changes in the registry:

Keys added: 
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASAPI32
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASMANCS
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations
HKU\S-1-5-21-628660338-905938160-2927024020-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
HKU\S-1-5-21-628660338-905938160-2927024020-1000\Software\Unzip

Values added: 
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASAPI32\EnableFileTracing: 0x00000000
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASAPI32\EnableConsoleTracing: 0x00000000
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASAPI32\FileTracingMask: 0xFFFF0000
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASAPI32\ConsoleTracingMask: 0xFFFF0000
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASAPI32\MaxFileSize: 0x00100000
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASAPI32\FileDirectory: "%windir%\tracing"
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASMANCS\EnableFileTracing: 0x00000000
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASMANCS\EnableConsoleTracing: 0x00000000
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASMANCS\FileTracingMask: 0xFFFF0000
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASMANCS\ConsoleTracingMask: 0xFFFF0000
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASMANCS\MaxFileSize: 0x00100000
HKLM\SOFTWARE\Microsoft\Tracing\play_29732727_RASMANCS\FileDirectory: "%windir%\tracing"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes: ".exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ggle Updater: "C:\Users\Arnel\AppData\Roaming\Arnel\app.exe"

Files added: 
C:\Users\Arnel\AppData\Roaming\Arnel\7za.exe
C:\Users\Arnel\AppData\Roaming\Arnel\app.exe
C:\Users\Arnel\AppData\Roaming\Arnel\background.js
C:\Users\Arnel\AppData\Roaming\Arnel\config.json
C:\Users\Arnel\AppData\Roaming\Arnel\files.7z
C:\Users\Arnel\AppData\Roaming\Arnel\manifest.json
C:\Users\Arnel\AppData\Roaming\Arnel\update-x64.exe
C:\Users\Arnel\AppData\Roaming\Arnel\update-x86.exe

Folders added: 
C:\Users\Arnel\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low
C:\Users\Arnel\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5
C:\Users\Arnel\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\2LXBY3LA
C:\Users\Arnel\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\2YQU29T2
C:\Users\Arnel\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5KFJB9OR
C:\Users\Arnel\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ZL3SUC12
C:\Users\Arnel\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized
C:\Users\Arnel\AppData\Local\Temp\Low
C:\Users\Arnel\AppData\Roaming\Arnel


Note:  I got this error message because I don't have Chrome on my PC.  Plus I had to turn off my antivirus because the worm is detected by McAfee Internet Security and never got past the extraction stage.


Removal Instructions:


Terminating the running process:



Note:  Since I am testing this malware, I'll be terminating the file I've run.  Terminate app.exe instead since it's the file that starts with Windows.

Let's use CCleaner to remove the worm.

  • Launch CCleaner
  • Go to Tools | Startup
  • Highlight Ggle Updater
  • Right Click and Select Open Containing Folder
  • Still in CCleaner, click the Delete button on the right



In Explorer, select all the files and delete them.


Restart your computer.

On boot, scan with an updated antivirus.

POST:  Clean your temp folders.
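As an added example (not the post's own CCleaner-based procedure), here is a PowerShell script that checks for and removes the artifacts listed above: the Ggle Updater Run value, the dropped folder it points to (app.exe, 7za.exe, files.7z and the rest), the LowRiskFileTypes ".exe" policy value and the play_29732727 tracing keys. It assumes the Run value name of this exact sample; the Arnel username in the paths is not hard-coded, the drop folder is derived from the Run value. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not the blog's own method. Assumes the Run value is named
# exactly "Ggle Updater" as in the sample analysed in this post.
$RunKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunName  = 'Ggle Updater'
$AssocKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations'
$Tracing  = 'HKLM:\SOFTWARE\Microsoft\Tracing'

# 1. Locate the persistence entry and derive the drop folder from its path.
$runEntry = Get-ItemProperty -Path $RunKey -Name $RunName -ErrorAction SilentlyContinue
if (-not $runEntry) {
    Write-Host "No '$RunName' Run value found; persistence not present."
    return
}
$appExe  = $runEntry.$RunName.Trim('"')      # e.g. ...\AppData\Roaming\<user>\app.exe
$dropDir = Split-Path -Parent $appExe
Write-Host "Persistence found: $RunName -> $appExe"

# 2. Terminate app.exe (the file that starts with Windows) before touching its files.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -ieq $appExe } |
    Stop-Process -Force

# 3. Remove the Run value, then the whole dropped folder.
Remove-ItemProperty -Path $RunKey -Name $RunName
if (Test-Path $dropDir) {
    Get-ChildItem $dropDir | ForEach-Object { Write-Host "  removing $($_.FullName)" }
    Remove-Item -Path $dropDir -Recurse -Force
}

# 4. Undo LowRiskFileTypes=".exe", which silences the open-file security warning
#    for downloaded executables. Only remove it if it still holds the worm's value.
$assoc = Get-ItemProperty -Path $AssocKey -Name LowRiskFileTypes -ErrorAction SilentlyContinue
if ($assoc -and $assoc.LowRiskFileTypes -eq '.exe') {
    Remove-ItemProperty -Path $AssocKey -Name LowRiskFileTypes
    Write-Host "Removed LowRiskFileTypes policy value"
}

# 5. Clean up the RAS tracing keys left behind by the play_29732727 process.
Get-ChildItem $Tracing -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'play_29732727_*' } |
    ForEach-Object {
        Remove-Item -Path $_.PSPath -Recurse -Force
        Write-Host "  removed tracing key $($_.PSChildName)"
    }

Write-Host "Done. Reboot, then run a full scan with an updated antivirus."
```

The HKU Software\Unzip and Policies\Associations keys under the user hive listed above are not touched here; remove them by hand after confirming they were created at infection time.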

I'll try to run this file on Windows 10 and report the changes it made on this OS.


All content ("Information") contained in this report is the copyrighted work of WinXPert: Virus and Malware Removal.

Copyright © 2019 WinXPert. All rights reserved. All other trademarks are the sole property of their respective owners.

To GOD be the glory!
