'XP Internet Security' corrupts '.exe' file associations.

Not interested in my musings? Just want removal instructions?
Click here to jump to Removal Instructions

We've got something new and interesting in the world of viruses today folks, and its proliferating like gang-busters judging by the three infections that made their way into the shop this week. The front end of the virus is calling itself "XP Internet Security," though there's nothing new about that.

We've long been plagued by "Internet Security" and "Personal Antivirus" (PAV) variants: Flashy viruses that throw up messages from the taskbar and open 'Scan result' styled windows telling you you've been infected with two or three dozen nasties and that the only way to get rid of them is to Click here, enter your credit card numbers, etc. Nope, there's nothing new or interesting about any of that. It's old hat! What is new and interesting about this latest "XP Internet Security" infection is the method by which the virus starts up.

Rather than squeeze into the boot sequence circa msconfig or attach itself to the winlogon or write itself into an AppInit_DLL statement, or a thousand other things I see three times daily every day of the calendar year, this new-styled "Internet Security" infection is hijacking the ".exe" file extension association. By prepending the path of the virus executable to .exe associations in the registry the virus gets an opportunity to start up every time any executable on the machine is called. And the best part of it - from the virus' perspective, anyway - is that this method of initialization, simple as it is, isn't monitored by the tools of the industry. In other words, Hijackthis doesn't look for registry changes there. (yet)

Thankfully this piece of malware came out a tad under-ripe. Had the developer spent a little more time with it, it might have really been a barn-burner. Had they integrated a method of masking the executable from detection, randomized the file name and hidden it in the system32 directory, it might have been all-but invisible! But the early release has doomed it to one-hit-wonder status.

Hijackthis doesn't detect the startup entry but it does see the executable running - it does tell us the path to the virus - and that's enough information to put this one to bed. You can run a Hijackthis scan, open the log, see the path to the virus, track it down, and simply delete it. (Or rename it as I usually do.)

But wait! Removing the virus is one thing. Undoing the damage to the registry is another. For once you quarantine or delete this virus, you'll immediately find that none of your programs open up anymore. Due to the way the virus had infected the .exe file extension, your machine has forgotten how to open executables!

This is where I pause to applaud the developer. That, my friend, is a thing of beauty. Kudos.

Anyway, its all fixed easily enough. The virus overwrites standard calls to executables, but it didn't modify the "Run as..." registry entries for them. So to start any program you need only right click it, select "Run as..." from the drop down menu, uncheck "Protect my computer and data..." and there you are; Bob's your uncle; program's running.

With that bit of information in hand you can navigate to the \Windows folder, (Explorer.exe, and therefore File Explorer, is unaffected by the extension corruption) pop into 'Regedit' and search the registry for references to the virus executable, repairing the infected associations as you go. That'll get your .exe's opening again.

Then it's just a matter of some incidental cleanup. The infection knocks out all the detection and notification features of the Windows Security Center and it also turns off the Windows Firewall, so you'll want to set that right as well.

I'm impressed with this virus because defeating it required a departure from my methodology. I don't usually need anything but Hijackthis and Sophos Anti-Rootkit to detect and defeat everything, and I suppose I didn't really need anything more than that here either. But for a minute there, this one left me scratching my head -- looking at a perfectly clean HJT scan and no indication of a rootkit. That's good! Then I remove the virus and discover these executable errors popping up like penalties imposed on me for killing the virus. That's really good! Then there's the joyful process of reverse engineering it and coming to understand how and where it was able to start up without being detected by a Hijackthis scan.

That's a worthy opponent! That's a satisfying day's work, there.

Removal Instructions

CAUTION: These instructions are not written so that just anyone can follow them. They are not written for you. You don't know what you're doing. You'll mess it up and it will be really bad. Don't read this. Don't try this. Call a computer repair guy, you cheapskate. You have everything to lose.

Locate the Virus
The variant described here installs itself to "C:\Documents and Settings\<User Account>\Local Settings\Application Data\av.exe". Other variants may install elsewhere. To detect them, download and install HijackThis. Select "Do a system scan and save a log file." In the log file, search the "Running Processes" area for suspects.

Show the Virus
Open "My Computer" and navigate to the location of the file. It is a system-hidden file so it will probably not appear. To see the file click Tools>Folder Options>View and uncheck the "Hide protected operating system files" box. Click yes when prompted with the warning and then click OK to close the Folder Options dialogue.

Kill the Virus
Delete the file "av.exe" or quarantine it by renaming it to "av.exe.quarantined". Go back into Tools>Folder Options>View and re-check the "Hide protected operating system files" box. Restart the computer.

Open Regedit
You will not be able to run .exe files regularly because the virus corrupted the registry. Open "My Computer" and navigate to C:\Windows. Locate Regedit.exe and right-click it. In the drop down select "Run as..." Uncheck the "Protect my computer and data from unauthorized program activity" box and click "OK."

Clean the Registry
Make sure "My Computer" is highlighted in the left pane of the Registry Editor and press CTRL+F to bring up the "Find" dialogue. In the search field type the file path to the virus. ("C:\Documents and Settings\<User Account>\Local Settings\Application Data\av.exe")

[UPDATE: Since writing I've found it beneficial to search the registry like so: .exe" /START. More recent versions of the infection I've just seen will install under multiple system accounts like 'LocalService' and 'NetworkService,' and with mutliple files like 'av.exe' and 'ave.exe' so being less specific may discover more infected registry entries.]

Click "Find Next." When you find a key with a value like this:

"C:\Documents and Settings\<User Account>\Local Settings\Application Data\av.exe" /START "%1" %*

...double click the value to edit it and delete the path to the virus along with the /START command from the beginning of the key, leaving whatever remains after it. In this case you would delete "C:\Documents and Settings\<User Account>\Local Settings\Application Data\av.exe" /START and you would leave "%1" %*. Then press the F3 key to continue searching the registry for more instances of the virus path.

You will probably also find a key for iexplore.exe that has the virus path followed by the path to iexplore.exe. Just delete the virus path and the /START portion from any keys you find - this one included - while retaining whatever follows, as described above.

You will find other keys that are just pure references to the virus. They are easy to distinguish from the previous kind if you pay attention. You can just delete those.

When you reach the end of the registry, close regedit. You can now run .exe files again. That is, unless you jacked it up. In which case you can always download the "EXE File Association Fix" at http://www.dougknox.com/xp/file_assoc.htm and merge it with the registry to get things running again. ...Unless you can't. In which case: I told you not to try this in the first place, man. What the hell were you thinking?

Re-enable Windows Security Center and Windows Firewall
The virus disables Windows Security Center features and the Windows Firewall. To put these in place again, open Control Panel>Security Center. Under Firewall click Recommendations. Uncheck "I have a Firewall Solution I will monitor myself...", click the "Enable Now" button, and click OK.

Under Virus Protection, click Recommendations. Uncheck the "I have an antivirus program that I'll monitor myself..." box and click OK.

In the left column of the Security Center click "Change the way Security Center alerts me" and put a check in all the boxes there. Click OK.

You are done. Good work. Hit the showers.


Post a Comment