
Case of the Explainable – Malware on Windows Vista

The other day, I received a call from my father-in-law about
trouble with his laptop. Whilst not exactly a techie (whereas I am), he is not
stupid enough to install things without consideration, or without asking for advice
first, which is why I was surprised when he told me he had an application
running that he couldn’t close down.

The application in question calls itself ‘Microsoft
Performance Manager’, which is certainly not a product Microsoft has ever
produced, but it does look very Microsoft-y.
It has surfaced before under similar guises in the names of ‘Anti-Virus
2009’, ‘Anti-Virus 2010’ and so on. This screenshot is of a similar ‘Windows
Performance Manager’. All of them claim to be running scans, but of course
they will only ‘clean’ the infections they find once you hand over some hard-earned
money.

After talking through the symptoms, I was concerned, but
confident I could deal with it.

The application is very sneaky. It installs itself to the
%Appdata% folder with a random name. My version was called ‘Baycxe.exe’. It wraps itself around explorer.exe,
controlling which .exe’s are allowed to run, closes programs down after a few
seconds, and prevents known AV programs like the installed ‘Microsoft Security
Essentials’ from running to detect and remove it.

This is what you see when you try to run Task Manager to
kill the process.

Oh, and the balloon down in the notification area is the
bogus program telling us we are at risk. Thanks!


You’ll notice that in safe mode, the application still runs,
and indeed my attempts to run msconfig.exe to disallow it on a selective boot
up, result in this:

Time to turn to skills learnt at TechEd in one of Mark
Russinovich’s sessions from his ‘Case of the Unexplained’. Using Sysinternals
tools, Process Explorer and Autoruns, I set about tracking down the
problem.

First, I downloaded Autoruns onto another PC, as every time
an application is run under this malware, it stops it (in this case the browser),
not giving enough time to download the file. So I copied Autoruns and Process Explorer onto a USB stick, and then I ran
Autoruns. This showed quite quickly the
root of the problem.

I actually had to run autoruns several times, as, remember,
apps are shut down after only a few seconds under the rogue exe.

In the list of applications that run at logon time, one
stood out. All other applications set to run are from known publishers like
Microsoft or Google. One had no such publisher, and a quick look showed the
path to be %appdata%\baycxe.exe.
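The same triage can be scripted. The following PowerShell is an added example, not code from the original post or from Sysinternals: it enumerates the Run and RunOnce logon keys, resolves each command line to its executable, checks the Authenticode signature, and flags anything unsigned that lives under %APPDATA%, which is exactly the combination that stood out in Autoruns above. It assumes PowerShell 2.0 or later; Autoruns itself inspects far more locations than these four keys, so this is a subset check, not a replacement.

```powershell
# Added example (not from the original post). Enumerates the Run/RunOnce logon keys,
# resolves each command to its executable, checks the Authenticode signature, and flags
# unsigned binaries living under %APPDATA%. Assumes PowerShell 2.0 or later.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Return the executable portion of a Run-key command line (quoted path or first token).
function Get-ExecutablePath {
    param([string]$CommandLine)
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    return ($cmd -split '\s+')[0]
}

function Get-LogonAutoruns {
    $appData = [Environment]::ExpandEnvironmentVariables('%APPDATA%')
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        if ($props -eq $null) { continue }   # key exists but holds no values
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath etc.; skip those metadata properties.
            if ($p.Name -like 'PS*') { continue }
            $exe = [Environment]::ExpandEnvironmentVariables((Get-ExecutablePath -CommandLine ([string]$p.Value)))
            $status = 'FileMissing'
            $publisher = ''
            if (Test-Path -LiteralPath $exe) {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                $status = [string]$sig.Status          # Valid, NotSigned, HashMismatch, ...
                if ($sig.SignerCertificate -ne $null) { $publisher = $sig.SignerCertificate.Subject }
            }
            # The pattern from the post: an unsigned (or missing) binary started from %APPDATA%.
            $inAppData = $exe.StartsWith($appData, [StringComparison]::OrdinalIgnoreCase)
            $flag = ''
            if ($inAppData -and $status -ne 'Valid') { $flag = 'SUSPECT' }
            New-Object PSObject -Property @{
                Key       = $key
                Name      = $p.Name
                Path      = $exe
                Signature = $status
                Publisher = $publisher
                Flag      = $flag
            }
        }
    }
}

Get-LogonAutoruns | Format-Table Flag, Name, Signature, Path, Publisher -AutoSize
```

Run it from an elevated prompt so the HKLM keys are readable. Because the rogue program kills new processes after a few seconds, the realistic way to use this on an infected machine is the same as with Autoruns in the post: run it from removable media, ideally after renaming powershell.exe’s host script so it does not match a known name, and accept that it may need a few attempts.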

I located and renamed the executable and restarted Windows.
Because explorer.exe was now essentially dependent on this file, and the file
was no longer there, not only did the rogue program fail to load, but so did
the normal desktop. Remember, we can’t load Task Manager, otherwise I would
have tried to load a new task of explorer.exe.

A reboot later, and with the file renamed back to its original name, we
are back at square one, except we know what we are dealing with now. Deleting or renaming the file is not enough
at this stage; first we have to isolate, fence in, and then destroy the program.

Unfortunately, the rogue program is not only aware of Task Manager,
but also procexp.exe, the executable for Process Explorer, and prevents it from
running. I had to rename this, so it bypassed what the program was expecting.
This worked!

Using Process Explorer (several loads later; see above
about closing apps!), I located the baycxe.exe process and killed it.

Now that I had bought time for my apps, I ran Autoruns again and de-selected the rogue
program from the run list. Now that it was stopped and not allowed to run again, I
went in for the kill and deleted the file from the hard disk.

A reboot confirmed that it didn’t run any longer, and normal
processes could resume.

Not quite.

My first instinct was to check there was nothing else amiss,
so I ran Microsoft Security Essentials.
This had been set to ‘off’, and an attempt to start it up found that the
service was set to disabled. I also noted UAC was turned off. After some frustration at trying to find other
dependencies to re-instate (which I gave up on due to time constraints), I
ended up doing a system restore to a point before the infection was
present.

This put the PC state back to a point 2 weeks before, but
allowed Security Essentials to update itself, and allow a full scan to be
performed. Any other residual registry data was also restored back by this
process to a previously healthy state.
This could have been run earlier in the investigation, but would have
still left the .exe on the system, so re-infection was likely.
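The post found two pieces of residual damage after the executable was gone: the Security Essentials service left disabled, and UAC switched off. The following PowerShell is an added example, not code from the original post or from Microsoft, for checking those two things (plus the Security Center and Windows Firewall services, which are common targets of the same kind of tampering) before deciding whether a system restore is needed. The service name MsMpSvc for Microsoft Security Essentials is an assumption; wscsvc and MpsSvc are the standard names for Security Center and Windows Firewall. It assumes PowerShell 2.0 or later and an elevated prompt.

```powershell
# Added example (not from the original post). After removing the rogue executable,
# report security services left disabled or stopped and whether UAC was switched off.
# MsMpSvc = Microsoft Security Essentials (assumed name), wscsvc = Security Center,
# MpsSvc = Windows Firewall. Assumes PowerShell 2.0 or later, run elevated.
function Test-PostCleanupState {
    param([string[]]$ServiceNames = @('MsMpSvc', 'wscsvc', 'MpsSvc'))
    $findings = @()

    foreach ($name in $ServiceNames) {
        # Win32_Service exposes StartMode (Auto/Manual/Disabled); Get-Service in PS 2.0 does not.
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($svc -eq $null) {
            $findings += "Service '$name' not installed"
            continue
        }
        if ($svc.StartMode -eq 'Disabled') {
            $findings += "Service '$name' start type is Disabled"
        } elseif ($svc.State -ne 'Running') {
            $findings += "Service '$name' is $($svc.State)"
        }
    }

    # UAC is controlled by the EnableLUA value under Policies\System; 1 means on.
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac = (Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue).EnableLUA
    if ($uac -ne 1) { $findings += "UAC is off (EnableLUA = $uac)" }

    if ($findings.Count -eq 0) { "No residual tampering found." } else { $findings }
}

Test-PostCleanupState
```

A disabled AV service can be set back with sc.exe or Set-Service, and EnableLUA takes effect after a reboot; but as the post notes, a restore point from before the infection also rolls back any other registry changes you never found, which is why it was the safer choice here.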

I hope this helps someone in a similar situation, and it’s a
pity there’s no documentation of this anywhere on a Microsoft site I could
find. I did report this and raised a
ticket through the Security Essentials website, and my initial forum post got
a reply to email or phone for help. An email yielded a reply with suggestions
like running an online-based AV scan, or running a scan with my locally
installed AV product. I don’t think they
really read the problem, as I had explained already that I couldn’t run local
apps for more than a few seconds, and certainly not known anti-malware products,
as they were not allowed to run at all.

So, the good news is, it’s all sorted, with a happy father-in-law,
but next week’s job is upgrading the laptop to Windows 7. No rest for
the wicked, they say!
