Personal Antivirus and msxmlm.dll

Personal Antivirus (PAV) is a piece of spyware that's been going around for a while now in various forms. It's one of the many pieces of malware that tries to look like an anti-malware tool. It scams you by telling you that you've been infected (true enough) and that to get rid of the infection you should click here... buy this... enter your credit card numbers now... that kind of thing.

It's standard stuff; not too creative in its implementation... Hell, you can kill the bulk of it just by deleting/renaming its folder under the Program Files directory. But two or three times now it has caught me looking. And that's maddening!

Even after I've checked every possible load point, cleaned and confirmed them all, I'll still end up with an 'about:blank' hijack in Internet Explorer that displays PAV's "you could be infected" malarkey. And it drives me up the wall, thinking there's something about this uninspired little piece of junkware that is able to hide itself from my methods.

Well, I finally enumerated the culprit today. Mind you, I've always gotten rid of the infection in the past, but I never took note of how. I would simply get to that point of frustration where you throw everything you've got against the wall until one thing or the other snaps.

Now I know, and it's the simplest thing! A BHO (browser helper object) calling itself "&Helper", I think, with the filename "msxmlm.dll". It was always there in my HijackThis reports, staring up at me innocently enough, hiding a dirty little secret.

I've looked at so many HijackThis reports in the last four years that I've grown to leave the work to my eyes. Anything they don't recognize is almost certainly evil. But c:\windows\system32\msxmlm.dll is such a reasonable file path; it blends so well with the million other ms*.dll files in XP's library; and &Helper is such a familiar word-shape to see in a report, that my eyes skip it every time.
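Since the eye is exactly what this trick defeats, here is an added example (my own script, not from the original post or from HijackThis) that does the comparison mechanically: it parses HijackThis-style O2 lines and flags any BHO whose DLL name is a near-miss for a real Microsoft library, or that sits unrecognised in system32. The report lines and their CLSIDs are constructed, and the allowlist and similarity threshold are illustrative assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed HijackThis-style O2 lines; the CLSIDs are placeholders, not real ones.
SAMPLE_REPORT = r"""
O2 - BHO: AcroIEHlprObj Class - {11111111-1111-1111-1111-111111111111} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: &Helper - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\msxmlm.dll
O2 - BHO: SSVHelper Class - {22222222-2222-2222-2222-222222222222} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
"""
# Small illustrative allowlist of genuine Microsoft DLL names found in system32;
# a real run would use a fuller list or, better, Authenticode signature checks.
KNOWN_MS_DLLS = ["msxml.dll", "msxml2.dll", "msxml3.dll", "msxml4.dll", "msxml6.dll", "mshtml.dll"]
LOOKALIKE_THRESHOLD = 0.85  # assumed cutoff; msxmlm.dll vs msxml.dll scores ~0.95
O2_LINE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")


def parse_bho_lines(report_text):
    """Return one dict (name, clsid, path) per O2 line in the report."""
    matches = (O2_LINE.match(line.strip()) for line in report_text.strip().splitlines())
    return [m.groupdict() for m in matches if m]


def classify_bho_entries(report_text):
    """Tag each BHO 'known' (exact allowlist hit), 'lookalike' (near-miss for
    an allowlisted name, e.g. msxmlm.dll vs msxml.dll) or 'unknown'."""
    results = []
    for entry in parse_bho_lines(report_text):
        base = entry["path"].rsplit("\\", 1)[-1].lower()
        # Closest allowlisted name by character-level similarity (0..1).
        closest, score = max(
            ((k, SequenceMatcher(None, base, k).ratio()) for k in KNOWN_MS_DLLS),
            key=lambda kv: kv[1],
        )
        verdict = "known" if base in KNOWN_MS_DLLS else "lookalike" if score >= LOOKALIKE_THRESHOLD else "unknown"
        entry.update(basename=base, closest=closest, similarity=round(score, 3), verdict=verdict,
                     in_system_dir="\\system32\\" in entry["path"].lower())  # blends in with the OS
        results.append(entry)
    return results


def suspicious_paths(report_text):
    """Paths worth a second look: lookalike names, or unrecognised DLLs parked in
    system32, which is exactly where the eye tends to skip them."""
    return [r["path"] for r in classify_bho_entries(report_text)
            if r["verdict"] == "lookalike" or (r["verdict"] == "unknown" and r["in_system_dir"])]


if __name__ == "__main__":
    for r in classify_bho_entries(SAMPLE_REPORT):
        print(f'{r["verdict"]:9} {r["path"]}  (closest known: {r["closest"]}, {r["similarity"]})')
```

A "lookalike" verdict is a prompt to check the file's signature and publisher, not proof of infection; legitimate third-party BHOs will usually land in "unknown" outside system32.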

It's funny, because for years now I've been saying that these malware developers are fools to use randomly generated filenames, executables, and the like - all which stick out like a sore thumb in a start-up list - and that it would make it that much more difficult for the human eye to lay hold of them if they made a concerted effort to blend in with the regular expressions and operations of the OS.

Somebody heard me, I guess. And to my credit I was right. Give me a rootkit any day of the week. They're as easy to detect as flamingos on the moon. One little dll with an unambiguous filename tucked into the BHO list will foil me all the quicker.
