Malware Infects Baseline Analysis

of 46
Name: Allen Galvan
Due: 27 October 2005
CSFI 214: Information Security Systems Analysis – Fall 2005
Lab #1: Malware
Last printed 10/26/2005 1:43:00 a10/p10 Page 1

of 46
Lab Report Instructions..........................................................................................................3
Report Observations and Findings.........................................................................................4
Baseline..........................................................................................................................4
Post-Baseline Firefox.....................................................................................................4
Post-Baseline IE.............................................................................................................4
Conclusions....................................................................................................................5
Baseline..................................................................................................................................8
B01.AutoRuns Baseline (Startup Programs)..................................................................8
B02.Current Installed Programs Baseline......................................................................9
B03.Processes.Baseline................................................................................................10
B04.Hijack This Baseline (Registry, for hacker activity)............................................11
B05.TCPView.Baseline (Data Error Capturing Data).................................................12
B06.TDIMon.Baseline.txt (Tcp/Udp activity).............................................................13
B07.Rootkit Revealer Baseline (blank page, no rootkit found)...................................14
B09.Process Explorer.Baseline.txt...............................................................................16
B10.RegMon.Baseline.txt (Applications accessing Registry).....................................17
B11.Add-Remove Programs Baseline..........................................................................18
Post-Baseline Firefox...........................................................................................................19
C01.TCPView Firefox Google (Data Error Capturing Data)......................................19
C02.TCPView Firefox Spyware Sites.txt....................................................................20
C03.Autoruns.Firefox.post-Baseline.txt.......................................................................21
C04.Currently Installed Programs Firefox Post-Baseline............................................22
C05.Processes Firefox Post-Baseline...........................................................................23
C06.Hijack This Firefox Post-Baseline.txt..................................................................24
C07.TCPView Firefox Post-Baseline.txt.....................................................................25
C08.TDIMon.Firefox.Post-Baseline.txt.......................................................................26
C09.Rootkit Revealer Firefox Post-Baseline.txt (blank page, no rootkit found).........27
C10.Process.Explorer.Firefox.Post-line.txt..................................................................28
Post-Baseline IE...................................................................................................................29
D01.TCPView.IE.Google.txt.......................................................................................29
D02.TCPView.IE.Spyware.Sites.txt............................................................................30
D03Autoruns.IE.Post-Baseline.txt (Startup Spyware).................................................31
D04.Currently Installed Programs IE post-Baseline.bmp (Spyware)..........................32
D06.Hijack This IE Post Baseline.txt...........................................................................35
D07.TCPView IE Post Baseline.txt (missing screen shot)..........................................36
D08.TDIMon IE Post Baseline.txt...............................................................................37
D09.Rootkit Revealer IE Post-Baseline.txt (blank page, no rootkit found).................39
D10.Process Explorer IE Post-Baseline.txt..................................................................40
D12.Add-Remove Programs IE Post-Baseline.bmp (Malware)..................................45
D13.Spybot IE Post-Baseline.bmp (unresolved Spyware)...........................................46

of 46
Lab Report Instructions
This lab has a series of questions that you will answer to demonstrate that you have done
the tutorial & understand the main concepts.
Each student will hand in a printed copy of the lab report next lab class with the answers to
each question.
The lab report will also be submitted electronically (E-mailed to the instructor – due on the
day of the next lab).
The main body of the lab report should be no more than 2 pages long (max).
• What are your observations?
• What are your findings?
• How does Firefox compare to IE?
• How is the Baseline used?
• What are the differences?
• Why are there differences?
All of the supporting data & screen shots should be placed in the appendix. This appendix
could be very long. Some output files could be very long. In the printed lab report, only
include the first few pages.
Each output file should be clearly labeled to indicate what it is.
Part-II
Verify that the Anti-Virus software is working. Use the EICAR test file. Download the
.TXT & .ZIP files.
• Any differences in behavior between the 2 file types?
Turn off the Anti-Virus software. Download the .TXT & .ZIP files.
• What happened?
• Any differences in behavior between the 2 file types?
Turn on the Anti-Virus software.
• Try opening one of the test files.
• What happened?

of 46
Report Observations and Findings
The purpose of this exercise was to find out what happens when one surfs the web in a
secure manner, and compare that with surfing the web in an insecure manner.
Baseline
The Baseline refers to the documentation of the original state of the system, as it was
before the surfing tests began. If variants to the system Baseline occurred, the prior surfing
behavior was noted, and likely conclusions were inferred.
• The “B02.Current Installed Programs Baseline” Screen (p. 8), and the “B11.Add-
Remove Programs Baseline” Screen (p. 20), both showed only 4 programs
installed.
• “B07.Rootkit.Revealer.Baseline” screen on page 15 indicated that no Rootkits were
installed.
• “B08.Spybot.Baseline” screen on page 16 indicated no Spyware was detected.
Post-Baseline Firefox
I surfed bad peer-to-peer web sites like www.Kazaa.com using Firefox off (means
what?), and the system integrity was maintained. No rootkits were indicated by
“C09.Rootkit Revealer Firefox Post-Baseline.txt” screen on page 31.
The “C04.Currently Installed Programs Firefox Post-Baseline” Screen (p. 23) showed only
4 programs installed. These results also did not differ from the Baseline observations.
There were no changes.
Post-Baseline IE
I surfed bad peer-to-peer web sites like www.Kazaa.com using IE on (means what?), and
the system got infected with Spyware as indicated on “D13.Spybot-IE Post-Baseline.bmp”
(p. 30), “D03.Autoruns.IE.Post-Baseline.txt” (p. 35), “D04.Currently Installed Program IE
post-Baseline.bmp” (p. 37), and “D12.Add-Remove Programs IE Post-Baseline.bmp” (p.
49)
Also, the computer started misbehaving in an unpredictable manner:
• Ads just popped up in the IE browser, without any user acitivity on the computer.
• When I tried to remove one of the programs that I did not install, the Add-Remove
screen froze, & I had to kill the process using Process Explorer to abnormally exit
the process. When I brought the Add-Remove screen back up, the program was
successfully removed.

of 46
• When I tried to remove another program that I did not install, it prompted me for a
code. This behavior was not normal. It never happened before.
Spybot found numerous Spyware infection as indicated on “D13.Spybot-IE Post-
Baseline.bmp” screen on page 30. When I tried to clean or remove the Spyware, some of
the Spyware instances, persisted, and could not be removed.
No rootkits were indicated by “D09.Rootkit Revealer IE Post-Baseline.txt” on page 44.
Conclusions
The control state of the computer is the Baseline state. It is regarding this control state,
from which the experiment compares changes and their impact on the integrity of the
computer system.
The Baseline showed only 4 programs installed, as indicated by “B02.Current Installed
Programs Baseline” Screen (p. 8), and the “B11.Add-Remove Programs Baseline” Screen
(p. 20). When I surfed using Firefox, the same programs were shown to be installed, (the
same as the Baseline), which was indicated by the “C04.Currently Installed Programs
Firefox Post-Baseline” Screen (p. 23). This indicated that surfing the web using Firefox
was secure.
However, other unauthorized programs were installed after using IE, as indicated by
“D04.Currently Installed Program IE post-Baseline.bmp” (p. 37), and “D12.Add-Remove
Programs IE Post-Baseline.bmp” (p. 49). This indicated that surfing with IE was insecure.
The evidence indicates that I was able to surf in a relatively secure manner using the
Firefox browser. “B07.Rootkit.Revealer.Baseline” screen on page 15 indicated that no
Rootkits were installed. “B08.Spybot.Baseline” screen on page 16 indicated no Spyware
was detected.
All the unauthorized activity occurred Post-Baseline IE.
• There was more unauthorized TCP/IP activity, indicated on
D02.TCPView.IE.Spyware.Sites.txt.
• There were more unauthorized processes and higher cpu activity indicated on
D03.Autoruns.IE.Post-Baseline.txt, D04.Currently Installed Programs IE post-
Baseline.bmp, D05.Processes IE post-Baseline.bmp, D10.Process Explorer IE Post-
Baseline.txt
• There were unauthorized programs that Spybot could not remove, as detailed on
page D13.Spybot IE Post-Baseline.bmp.
Also the evidence indicates that I was not able to surf the web in a secure manner using
Internet Explorer (IE), since Spybot found a number of installed Spyware programs. The

of 46
computer also began to act erratically. “C09.Rootkit Revealer Firefox Post-Baseline.txt”
screen on page 31 indicated no rootkits.
Ultimately, in no case did Rootkit Revealer indicate the existence of any rootkits. It
appears that this experiment did not install any rootkits. There is a possibility that there
may exist a rootkit that was hidden from Rootkit Revealer.
Based on the findings of this experiment, I would prefer and recommend to surf the web
using Firefox, as a more secure browser than Internet Explorer.
From personal experience, the McAfee Anti-virus software found the EICAR test virus to
verify it was working. McAfee did not find the EICAR test virus when it was zipped. The
McAfee anti-virus software scan did not find the Spyware that Spybot could not eliminate.
Anti-malware programs do not provide adequate protection.

of 46
Appendix

of 46
Baseline
B01.AutoRuns Baseline (Startup Programs)
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun
+ VMware Tools VMwareTray (Not verified) VMware, Inc. c:program filesvmwarevmware toolsvmwaretray.exe
+ VMware User Process VMwareUser (Not verified) VMware, Inc. c:program filesvmwarevmware toolsvmwareuser.exe
HKLMSystemCurrentControlSetServices
+ VMTools Provides support for synchronizing objects between the host and guest operating systems.(Not verified) VMware, Inc.
c:program filesvmwarevmware toolsvmwareservice.exe
HKLMSoftwareMicrosoftWindowsCurrentVersionShell ExtensionsApproved
+ Display Panning CPL Extension File not found: deskpan.dll
HKLMSystemCurrentControlSetControlSession ManagerKnownDlls
+ DllDirectory c:winntsystem32
HKCUControl PanelDesktopScrnsave.exe
+ (NONE) File not found: (NONE)

of 46
B02.Current Installed Programs Baseline
The above illustrates the programs that were initially installed, before any malicious
activity ensued.

of 46
B03.Processes.Baseline

of 46
B04.Hijack This Baseline (Registry, for hacker activity)
Logfile of HijackThis v1.99.1
Scan saved at 8:57:33 PM, on 9/6/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)
Running processes:
C:WINNTSystem32smss.exe
C:WINNTsystem32winlogon.exe
C:WINNTsystem32services.exe
C:WINNTsystem32lsass.exe
C:WINNTsystem32svchost.exe
C:WINNTsystem32spoolsv.exe
C:WINNTSystem32svchost.exe
C:WINNTsystem32regsvc.exe
C:WINNTsystem32MSTask.exe
C:Program FilesVMwareVMware ToolsVMwareService.exe
C:WINNTExplorer.exe
C:Program FilesVMwareVMware ToolsVMwareTray.exe
C:Program FilesVMwareVMware ToolsVMwareUser.exe
E:VMwareSharedautoruns.exe
C:WINNTSystem32taskmgr.exe
E:VMwareSharedHijackThis.exe
O4 - HKLM..Run: [VMware Tools] C:Program FilesVMwareVMware ToolsVMwareTray.exe
O4 - HKLM..Run: [VMware User Process] C:Program FilesVMwareVMware ToolsVMwareUser.exe
O4 - HKLM..Run: [Synchronization Manager] mobsync.exe /logon
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:WINNTSystem32dmadmin.exe
O23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:Program FilesVMwareVMware ToolsVMwareService.exe

of 46
B05.TCPView.Baseline (Data Error Capturing Data)
ÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐ
ÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈ
ÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔ

of 46
B06.TDIMon.Baseline.txt (Tcp/Udp activity)
1 0.00000000 VMwareService.e: 8144AB28 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX
2 0.00031121 VMwareService.e: 8144AB28 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS
IOCTL_TCP_QUERY_INFORMATION_EX
3 0.00038301 VMwareService.e: 81375668 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS

of 46
B07.Rootkit Revealer Baseline (blank page, no rootkit found)
The above illustrates that the tool Rootkit revealer, is blank, because no rootkits were
found. Although there is a possibility that rootkits could still be installed, but Rootkit
Reveler didn’t find them.

of 46
B08.Spybot Baseline (Spyware Remover)

of 46
B09.Process Explorer.Baseline.txt
Process PID CPU Description Company Name
System Idle Process 0 100.00
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 8
smss.exe140 Windows NT Session Manager Microsoft Corporation
csrss.exe 164 Client Server Runtime Process Microsoft Corporation
winlogon.exe 184 Windows NT Logon Application Microsoft Corporation
services.exe 212 Services and Controller app Microsoft Corporation
svchost.exe 384 Generic Host Process for Win32 Services Microsoft Corporation
SPOOLSV.EXE 416 Spooler SubSystem App Microsoft Corporation
regsvc.exe 496 Remote Registry Service Microsoft Corporation
mstask.exe 520 Task Scheduler Engine Microsoft Corporation
VMwareService.e 580 VMware Tools Service VMware, Inc.
lsass.exe 224 LSA Executable and Server DLL (Export Version) Microsoft Corporation
taskmgr.exe 692 Windows TaskManager Microsoft Corporation
explorer.exe 704 Windows Explorer Microsoft Corporation
VMwareTray.exe 760 VMwareTray VMware, Inc.
VMwareUser.exe 780 VMwareUser VMware, Inc.
autoruns.exe 844 Autostart program viewer Sysinternals - www.sysinternals.com
HijackThis.exe 852 HijackThis Soeperman Enterprises Ltd.
firefox.exe 672 Firefox Mozilla
procexp.exe 840 Sysinternals Process Explorer Sysinternals
Process: Procexp Pid: -2
Type Name

of 46
B10.RegMon.Baseline.txt (Applications accessing Registry)
1 1.96351099 Regmon.exe:836 OpenKey HKLMSoftwareMicrosoftWindows NTCurrentVersionFontSubstitutes SUCCESS
Access: 0x20019
2 1.96390235 Regmon.exe:836 QueryValue HKLMSoftwareMicrosoftWindows NTCurrentVersionFontSubstitutesTahoma NOT FOUND
3 1.96415102 Regmon.exe:836 CloseKey HKLMSoftwareMicrosoftWindows NTCurrentVersionFontSubstitutes SUCCESS
4 2.03640127 Regmon.exe:836 OpenKey HKLMSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer NOT FOUND
5 2.03652668 Regmon.exe:836 OpenKey HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer SUCCESS
Access: 0x1
6 2.03655314 Regmon.exe:836 QueryValue HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoNetHood NOT FOUND
7 2.03659463 Regmon.exe:836 CloseKey HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer SUCCESS
Access: 0x1
10 2.03669119 Regmon.exe:836 QueryValue HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoInternetIcon
NOT FOUND
12 2.03681421 Regmon.exe:836 OpenKey HKLMSOFTWAREMicrosoftWindowsCurrentVersionShellCompatibilityApplicationsRegmon.exe
NOT FOUND
Access: 0x1
15 2.03697419 Regmon.exe:836 QueryValue HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoCommonGroups
NOT FOUND
17 2.03710175 Regmon.exe:836 OpenKey HKLMSOFTWAREMicrosoftWindowsCurrentVersionShellCompatibilityObjects{20D04FE0-3AEA-
1069-A2D8-08002B30309D} NOT FOUND
18 2.03732586 Regmon.exe:836 QueryKey HKCUCLSID SUCCESS Name: REGISTRYUSERS-1-5-21-484763869-1085031214-839522115-
500_ClassesCLSID
19 2.03746939 Regmon.exe:836 OpenKey HKCUCLSID{20D04FE0-3AEA-1069-A2D8-08002B30309D}InProcServer32 NOT FOUND
20 2.03754115 Regmon.exe:836 OpenKey HKCRCLSID{20D04FE0-3AEA-1069-A2D8-08002B30309D}InProcServer32 SUCCESS
Access: 0x2000000
21 2.03766656 Regmon.exe:836 QueryKey HKCRCLSID{20D04FE0-3AEA-1069-A2D8-08002B30309D}InProcServer32 SUCCESS
Name: REGISTRYMACHINESOFTWARECLASSESCLSID{20D04FE0-3AEA-1069-A2D8-08002B30309D}InprocServer32
22 2.03777146 Regmon.exe:836 OpenKey HKCUCLSID{20D04FE0-3AEA-1069-A2D8-08002B30309D}InprocServer32 NOT FOUND
23 2.03802896 Regmon.exe:836 QueryValue HKCRCLSID{20D04FE0-3AEA-1069-A2D8-08002B30309D}InProcServer32(Default)
SUCCESS "%SystemRoot%system32shell32.dll"
24 2.03806305 Regmon.exe:836 QueryKey HKCRCLSID{20D04FE0-3AEA-1069-A2D8-08002B30309D}InProcServer32 SUCCESS
Name: REGISTRYMACHINESOFTWARECLASSESCLSID{20D04FE0-3AEA-1069-A2D8-08002B30309D}InprocServer32
25 2.03811383 Regmon.exe:836 OpenKey HKCUCLSID{20D04FE0-3AEA-1069-A2D8-08002B30309D}InprocServer32 NOT FOUND
26 2.03813267 Regmon.exe:836 QueryValue HKCRCLSID{20D04FE0-3AEA-1069-A2D8-08002B30309D}InProcServer32LoadWithoutCOM
NOT FOUND
27 2.03817320 Regmon.exe:836 CloseKey HKCRCLSID{20D04FE0-3AEA-1069-A2D8-08002B30309D}InProcServer32 SUCCESS
Access: 0x1
30 2.03830242 Regmon.exe:836 QueryValue HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoSetFolders
NOT FOUND

of 46
B11.Add-Remove Programs Baseline

of 46
Post-Baseline Firefox
C01.TCPView Firefox Google (Data Error Capturing Data)
ÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐ
ÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈ
ÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔ

of 46
C02.TCPView Firefox Spyware Sites.txt
svchost.exe:384 TCP vmware-afi1cid5:epmap vmware-afi1cid5:0 LISTENING
System:8 TCP vmware-afi1cid5:microsoft-ds vmware-afi1cid5:0 LISTENING
mstask.exe:520 TCP vmware-afi1cid5:1025 vmware-afi1cid5:0 LISTENING
firefox.exe:672 TCP vmware-afi1cid5:1029 vmware-afi1cid5:0 LISTENING
firefox.exe:672 TCP vmware-afi1cid5:1028 localhost:1029 ESTABLISHED
System:8 TCP vmware-afi1cid5:netbios-ssn vmware-afi1cid5:0 LISTENING
firefox.exe:672 TCP vmware-afi1cid5:1065 66.70.68.147:http ESTABLISHED
System:8 TCP vmware-afi1cid5:1080 cdn.fastclick.net:http TIME_WAIT
svchost.exe:384 UDP vmware-afi1cid5:epmap *:*
System:8 UDP vmware-afi1cid5:microsoft-ds *:*
services.exe:212 UDP vmware-afi1cid5:1026 *:*
System:8 UDP vmware-afi1cid5:netbios-ns *:*
System:8 UDP vmware-afi1cid5:netbios-dgm *:*
lsass.exe:224 UDP vmware-afi1cid5:isakmp *:*

of 46
C03.Autoruns.Firefox.post-Baseline.txt
+ VMware Tools VMwareTray (Not verified) VMware, Inc. c:program filesvmwarevmware toolsvmwaretray.exe
+ VMware User Process VMwareUser (Not verified) VMware, Inc. c:program filesvmwarevmware
toolsvmwareuser.exe
+ VMTools Provides support for synchronizing objects between the host and guest operating systems. (Not verified) VMware, Inc.
c:program filesvmwarevmware toolsvmwareservice.exe

of 46
C04.Currently Installed Programs Firefox Post-Baseline

of 46
C05.Processes Firefox Post-Baseline

of 46
C06.Hijack This Firefox Post-Baseline.txt
Running processes:
C:WINNTExplorer.exe
C:Program FilesMozilla Firefoxfirefox.exe
E:VMwareSharedTcpview.exe
E:VMwareSharedautoruns.exe
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://search.qsrch.com/
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) -
http://www.ysbweb.com/ist/softwares/v4.0/ysb_1002245.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. -
C:WINNTSystem32dmadmin.exe
O23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:Program FilesVMwareVMware
ToolsVMwareService.exe
The above illustrates a clean system.

of 46
C07.TCPView Firefox Post-Baseline.txt
firefox.exe:672 TCP vmware-afi1cid5:1133 cdn.fastclick.net:http ESTABLISHED

of 46
C08.TDIMon.Firefox.Post-Baseline.txt
1 0.00000000 VMwareService.e: 81481928 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX
6 0.25028069 VMwareService.e: 814065E8 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX

of 46
C09.Rootkit Revealer Firefox Post-Baseline.txt (blank page, no rootkit found)
-Intentionally left blank, because no rootkit was found-

of 46
C10.Process.Explorer.Firefox.Post-line.txt
System 8
smss.exe140 Windows NT Session Manager Microsoft Corporation
csrss.exe 164 Client Server Runtime Process Microsoft Corporation
winlogon.exe 184 1.56 Windows NT Logon Application Microsoft Corporation
services.exe 212 Services and Controller app Microsoft Corporation
SPOOLSV.EXE 416 Spooler SubSystem App Microsoft Corporation
mstask.exe 520 Task Scheduler Engine Microsoft Corporation
lsass.exe 224 LSA Executable and Server DLL (Export Version) Microsoft Corporation
VMwareTray.exe 760 VMwareTray VMware, Inc.
Tcpview.exe 500 1.56 TCP/UDP endpoint viewer Sysinternals
firefox.exe 288 Firefox Mozilla
Type Name

of 46
Post-Baseline IE
D01.TCPView.IE.Google.txt
System:8 TCP vmware-afi1cid5:1199 localhost:1198 TIME_WAIT
IEXPLORE.EXE:836 UDP vmware-afi1cid5:1223 *:*

of 46
D02.TCPView.IE.Spyware.Sites.txt
istsvc.exe:892 TCP vmware-afi1cid5:1204 vmware-afi1cid5:0 LISTENING
istsvc.exe:892 TCP vmware-afi1cid5:1204 216.127.33.119:http CLOSE_WAIT
The program istsvc.exe is a new program that indicates possible unauthorized acitivity.

of 46
D03Autoruns.IE.Post-Baseline.txt (Startup Spyware)
+ BullsEye Network c:program filesbullseye networkbinbargains.exe
+ Internet Optimizer c:program filesinternet optimizeroptimize.exe
+ IST Service c:program filesistsvcistsvc.exe
+ Power Scan PowerScan v1.1 c:program filespower scanpowerscan.exe
+ SurfAccuracy c:program filessurfaccuracysacc.exe
+ ugclljcm c:winntsystem32ugclljcm.exe
+ VMware Tools VMwareTray (Not verified) VMware, Inc. c:program filesvmwarevmware
toolsvmwaretray.exe
+ VMware User Process VMwareUser (Not verified) VMware, Inc. c:program filesvmwarevmware
toolsvmwareuser.exe
+ Z9GwE c:winntflswcpje.exe
+ VMTools Provides support for synchronizing objects between the host and guest operating
systems.(Not verified) VMware, Inc. c:program filesvmwarevmware toolsvmwareservice.exe
HKLMSoftwareMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects
+ ADP UrlCatcher Class ADP Module (Not verified) eXact Advertising c:winntsystem32msbe.dll
+ BAHelper Class BrowserHelperObject Module c:program filessidefindsfbho.dll
+ BHObj Class DyFuCA_BH Module c:winntnem220.dll
HKLMSoftwareMicrosoftInternet ExplorerToolbar
+ È|Ûwÿÿÿÿåf ¤ƒÛw@ YourSiteBar c:program filesyoursitebarysb.dll
The initial conditions of this test regarding the only authorized installed programs were
Mozilla Firefox, Sybot, and WMware Tools. All other activity is unauthorized. This
means that all the other programs shown above were installed without the authorization of
the user.

of 46
D04.Currently Installed Programs IE post-Baseline.bmp (Spyware)
the user.
For example, the above programs and program ISTsvc is a new program that indicates
possible malicious or unauthorized activity.

of 46

of 46
D05.Processes IE Post-Baseline.bmp
the user.
Istsvc.exe, flswcpje.exe, SAcc.exe are all examples of process shown above that were
installed without the user’s authorization.

of 46
D06.Hijack This IE Post Baseline.txt
Running processes:
C:WINNTExplorer.exe
C:Program FilesISTsvcistsvc.exe
C:WINNTflswcpje.exe
C:Program FilesSurfAccuracySAcc.exe
C:Program FilesInternet Optimizeroptimize.exe
C:Program FilesBullsEye Networkbinbargains.exe
C:WINNTSystem32ugclljcm.exe
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://search.qsrch.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:WINNTnem220.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:Program FilesSideFindsfbho.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:WINNTSystem32msbe.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:Program FilesYourSiteBarysb.dll
O4 - HKLM..Run: [IST Service] C:Program FilesISTsvcistsvc.exe
O4 - HKLM..Run: [Z9GwE] C:WINNTflswcpje.exe
O4 - HKLM..Run: [SurfAccuracy] C:Program FilesSurfAccuracySAcc.exe
O4 - HKLM..Run: [Internet Optimizer] "C:Program FilesInternet Optimizeroptimize.exe"
O4 - HKLM..Run: [BullsEye Network] C:Program FilesBullsEye Networkbinbargains.exe
O4 - HKLM..Run: [Power Scan] C:Program FilesPower Scanpowerscan.exe
O4 - HKLM..Run: [ugclljcm] C:WINNTSystem32ugclljcm.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:Program FilesSideFindsidefind.dll
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_1002245.cab
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:WINNTSystem32dmadmin.exe
O23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:Program FilesVMwareVMware ToolsVMwareService.exe

of 46
D07.TCPView IE Post Baseline.txt (missing screen shot)
-Intentionally left blank. Missing screen shot-

of 46
D08.TDIMon IE Post Baseline.txt
6 0.51692408 VMwareService.e: 814065E8 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS
10 0.51713668VMwareService.e: 814065E8 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS
21 0.51802031VMwareService.e: 81481928 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS

of 46

of 46
D09.Rootkit Revealer IE Post-Baseline.txt (blank page, no rootkit found)
-Intentionally left blank. Missing screen shot-

of 46
D10.Process Explorer IE Post-Baseline.txt
System 8
smss.exe 140 Windows NT Session Manager Microsoft
Corporation
csrss.exe 164 Client Server Runtime Process Microsoft
Corporation
winlogon.exe 184 Windows NT Logon Application Microsoft
Corporation
services.exe212 Services and Controller appMicrosoft Corporation
svchost.exe384 Generic Host Process for Win32 Services Microsoft
Corporation
SPOOLSV.EXE 412 Spooler SubSystem App Microsoft
Corporation
svchost.exe444 Generic Host Process for Win32 Services Microsoft
Corporation
mstask.exe504 Task Scheduler Engine Microsoft Corporation
lsass.exe 224 LSA Executable and Server DLL (Export Version)
Microsoft Corporation
VMwareTray.exe 760 VMwareTrayVMware, Inc.
istsvc.exe 892
flswcpje.exe 908
SAcc.exe 940
optimize.exe 1000
bargains.exe 1096
ugclljcm.exe 972
Type Name
the user.
Above shows unauthorized processes.

of 46
D11.RegMon IE Post-Baseline.txt
1 0.97014344 istsvc.exe:892 CreateKey
HKLMSoftwareMicrosoftWindowsCurrentVersionRun SUCCESS
Access: 0x2
2 0.97070354 istsvc.exe:892 SetValue
HKLMSoftwareMicrosoftWindowsCurrentVersionRunIST Service
SUCCESS "C:Program FilesISTsvcistsvc.exe"
3 0.97090244 istsvc.exe:892 CloseKey
HKLMSoftwareMicrosoftWindowsCurrentVersionRun SUCCESS
4 0.97159195 istsvc.exe:892 QueryValue
HKCUSOFTWAREMICROSOFTWindowsCURRENTVERSIONInternet
SettingsEnableAutodial SUCCESS 0x0
5 1.00403678 Regmon.exe:1100 OpenKey
HKLMSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer
NOT FOUND
HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer
SUCCESS Access: 0x1
7 1.00429749 Regmon.exe:1100 QueryValue
HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoNetHood
NOT FOUND
8 1.00463104 Regmon.exe:1100 CloseKey
SUCCESS
NOT FOUND
SUCCESS Access: 0x1
HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoInternetIc
on NOT FOUND
SUCCESS
HKLMSOFTWAREMicrosoftWindowsCurrentVersionShellCompatibilityApplic
ationsRegmon.exe NOT FOUND
NOT FOUND

of 46
SUCCESS Access: 0x1
HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoCommon
Groups NOT FOUND
SUCCESS
HKLMSOFTWAREMicrosoftWindowsCurrentVersionShellCompatibilityObject
s{20D04FE0-3AEA-1069-A2D8-08002B30309D} NOT FOUND
19 1.00554395 Regmon.exe:1100 QueryKey HKCUCLSID
SUCCESS Name: REGISTRYUSERS-1-5-21-484763869-1085031214-
839522115-500_ClassesCLSID
20 1.00571191 Regmon.exe:1100 OpenKey HKCUCLSID{20D04FE0-
3AEA-1069-A2D8-08002B30309D}InProcServer32 NOT FOUND
21 1.00576580 Regmon.exe:1100 OpenKey HKCRCLSID{20D04FE0-
3AEA-1069-A2D8-08002B30309D}InProcServer32 SUCCESS Access:
0x2000000
22 1.00579965 Regmon.exe:1100 QueryKey HKCRCLSID{20D04FE0-
3AEA-1069-A2D8-08002B30309D}InProcServer32 SUCCESS Name:
REGISTRYMACHINESOFTWARECLASSESCLSID{20D04FE0-3AEA-1069-
A2D8-08002B30309D}InprocServer32
3AEA-1069-A2D8-08002B30309D}InprocServer32 NOT FOUND
24 1.00593376 Regmon.exe:1100 QueryValue HKCRCLSID{20D04FE0-
3AEA-1069-A2D8-08002B30309D}InProcServer32(Default) SUCCESS
"%SystemRoot%system32shell32.dll"
25 1.00597394 Regmon.exe:1100 QueryKey HKCRCLSID{20D04FE0-
3AEA-1069-A2D8-08002B30309D}InProcServer32 SUCCESS Name:
REGISTRYMACHINESOFTWARECLASSESCLSID{20D04FE0-3AEA-1069-
A2D8-08002B30309D}InprocServer32
3AEA-1069-A2D8-08002B30309D}InprocServer32 NOT FOUND
27 1.00605774 Regmon.exe:1100 QueryValue HKCRCLSID{20D04FE0-
3AEA-1069-A2D8-08002B30309D}InProcServer32LoadWithoutCOM NOT
FOUND
28 1.00609851 Regmon.exe:1100 CloseKey HKCRCLSID{20D04FE0-
3AEA-1069-A2D8-08002B30309D}InProcServer32 SUCCESS
NOT FOUND

of 46
SUCCESS Access: 0x1
HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoSetFolder
s NOT FOUND
SUCCESS
NOT FOUND
SUCCESS Access: 0x1
HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorerNoControlPa
nel NOT FOUND
SUCCESS
HKLMSystemCurrentControlSetControlSession Manager SUCCESS
Access: 0x1
HKLMSystemCurrentControlSetControlSession
ManagerAdditionalBaseNamedObjectsProtectionModeNOT FOUND
HKLMSystemCurrentControlSetControlSession Manager SUCCESS
HKLMSYSTEMCurrentControlSetControlSession Manager
SUCCESS Access: 0x20019
HKLMSYSTEMCurrentControlSetControlSession
ManagerCriticalSectionTimeout SUCCESS 0x278D00
HKLMSYSTEMCurrentControlSetControlSession Manager
SUCCESS
HKLMSOFTWAREMicrosoftOLEAUT NOT FOUND
HKLMSOFTWAREMicrosoftOLEAUTUserEra NOT FOUND

of 46
45 1.00841975 Regmon.exe:1100 QueryKey HKCU SUCCESS
Name: REGISTRYUSERS-1-5-21-484763869-1085031214-839522115-
500_Classes
3AEA-1069-A2D8-08002B30309D}InProcServer32 NOT FOUND

of 46
D12.Add-Remove Programs IE Post-Baseline.bmp (Malware)

of 46
D13.Spybot IE Post-Baseline.bmp (unresolved Spyware)
Spybot couldn’t eradicate the above unauthorized activity.

Malware Infects Baseline Analysis

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (6)

Similar to Malware Infects Baseline Analysis

Similar to Malware Infects Baseline Analysis (20)

Recently uploaded

Recently uploaded (20)

Malware Infects Baseline Analysis