Written by Doc~
Released 2.21.02

Spyware ripped apart

This article and the opinions in it are the sole belief of the author, and not those of the website. The author acknowledges that there may be some false information; the author, releasing everything at this time, fully believes everything to be true, and unless proved otherwise it should be taken so. By reading and/or distributing this information you the user are responsible for any actions or responses that may occur.

February 19, Megasecurity featured an article about a new spyware program making its rounds to the parents and bosses of America. I am firmly against this type of software: if we spy on everyday computers, then why are spies who spy on governments treated harshly? It seems to me like there are some hypocritical beliefs going on somewhere there.

I took it upon myself to squeeze out all the information from this program. Hopefully today I can give you the hints and tricks of this program, how to monitor yourself, and how to remove this program.

1.1 - Program information
1.2 - Preventing the program from running
1.3 - Programs startup methods
1.4 - Filenames/Registry key names
1.4.1 - File information
1.5 - Prevention
1.6 - Programs used
1.7 - Misc
1.8 - Final Thoughts

1.1 Program Information
Winwhatwhere is a fully developed spy program. It utilizes just about every feature a trojan has and then some. I'd like to invent the term Corporate Trojan, because this is exactly what this program is. Among its arsenal of features are:
-Keylogging
-Screen Capture (with the option of capturing the active window)
-Logging of internet activity and chat room conversations
If this hasn't whetted your appetite for this program, there is more. Among some of the new features are the ability to rename its server files and registry entries (I will point out some very important and particular flaws in these methods, see -> 1.4.1). Some of the real time features include alert via e-mail and keyword alert.

Let's think for a second, do we know any other "programs" that do this?? Errmmm, I think sub7 is the first to pop into everyone's mind. It can do all of the above without the active window capture and the keyword/alert functions, but of course sub7 can e-mail or page you with information. Then again sub7 has a slew of features not in winwhatwhere.

1.2 Preventing the program from running
This section is awfully short. Winwhatwhere requires the VB runtime files, which is pretty funny considering the "Corporate Trojan" part. But yes, it appears winwhatwhere was programmed in VB (winwhatwhere was e-mailed regarding the language in which their program was programmed; they were e-mailed 02.21.02 and hadn't responded by 2/22/2002 - 4:02 PM). What do we do to stop VB programs from running?? Delete or move the runtime files. Winwhatwhere also requires some .ocx files, which will also prevent the program from running if not found or installed correctly (I first installed this program with a slew of problems, one of which corrupted my C drive for a small amount of time). The moving or deletion of runtime files is a great way to see if any program is starting up without your knowledge, and if it is VB you will definitely know about it.

1.3 Programs startup method
Surprisingly enough, this program has only one startup method. This is obviously the HKLM and HKCU \software\microsoft\windows\currentversion\run\ key.

1.4 Filenames and registry key names
As stated above, the program generates random file names, so I can't help you out there really. But below I have included as many names as I have come across. All have been in \winnt\system32\
lln149t3.exe
vlm5hlrk.exe
sjsu2sek.exe
jiku15py.exe
qdgdy87h.exe
ugkj5dcn.exe
wvxejo0i.exe
odes7af9.exe
vnw26ykq.exe
That should give you an idea of what to look for. Now comes the juicy part. As of 02.21.02 and their most current release, the program will alternate registry entries. It will use the following names:
JalsCo
OL Server
stdrnd
CMA Manager
SVCH
aa
stubpath
starter
DOM Controller
qwerty
windoc16
stubmgr
jtul
intal
LTO-WATA
nav078
systematic startup
Some are capitalized in funny ways. I found these using Regmon (see -> 1.6): the configuration or setup program tries to access every one of these. It's not clear why, but no, I didn't infect myself a billion times to get these names ;)
Finally, the most consistent feature and easiest way to catch the server files is the server icon. They may create random file names and semi-random registry keys, but their server icons are always the same. Below is the server icon; both server files will have it.

It reminds you of My Computer but it is different, which makes it horribly easy to detect if you are in fact infected with this program. If you're on NT or 2k check winnt\system32; if you're on ME/9x, I haven't tested it on those versions, so let me know.
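As an added example (not part of the original article), here is a Python check that applies the indicators from this section to a Run key exported as a .reg file: it flags values whose name is on the list above, or whose data points at an 8-character random-looking .exe in system32. The .reg text is constructed for the demonstration, not a real capture.

```python
import re

# Registry value names the article observed WinWhatWhere using (section 1.4).
KNOWN_RUN_NAMES = {
    "jalsco", "ol server", "stdrnd", "cma manager", "svch", "aa", "stubpath",
    "starter", "dom controller", "qwerty", "windoc16", "stubmgr", "jtul",
    "intal", "lto-wata", "nav078", "systematic startup",
}

# Observed server file names: 8 lowercase letters/digits followed by .exe.
RANDOM_EXE = re.compile(r"^[a-z0-9]{8}\.exe$")

# Constructed sample .reg export of a Run key (assumption: not a real capture).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"CMA Manager"="C:\\WINNT\\system32\\qdgdy87h.exe"
"Synchronization Manager"="mobsync.exe /logon"
"aa"="C:\\WINNT\\system32\\lln149t3.exe"
'''


def parse_run_values(reg_text):
    """Return (name, data) pairs for the string values in a .reg export."""
    values = []
    for line in reg_text.splitlines():
        m = re.match(r'^"([^"]+)"="(.*)"$', line.strip())
        if m:
            # .reg files escape backslashes as "\\"; undo that for the path.
            values.append((m.group(1), m.group(2).replace("\\\\", "\\")))
    return values


def suspicious_run_entries(reg_text):
    """Flag entries by known value name or by the random 8-char exe pattern."""
    hits = []
    for name, data in parse_run_values(reg_text):
        reasons = []
        if name.lower() in KNOWN_RUN_NAMES:
            reasons.append("known WinWhatWhere value name")
        exe = data.split("\\")[-1].split(" ")[0].lower()
        if RANDOM_EXE.match(exe) and "system32" in data.lower():
            reasons.append("random 8-char exe in system32")
        if reasons:
            hits.append((name, data, reasons))
    return hits
```

Run it against `SAMPLE_REG` and the two planted entries ("CMA Manager" and "aa") come back flagged on both counts, while the SysTray and mobsync entries do not.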

1.4.1 File Information
You may be asking yourself "what else is there about the files that I could want to know??" A legit question. Since the filenames were random, there was no real way to consistently get the right file the first time. They however didn't bother to randomize the file properties -> company, internal names etc.
Company name - KPPJ
Internal name - WinSDoc8
Original filename - WinSDoc8.sys
Product name - WINSHDOC

Company name - ProVeen
Internal name - winsdoc32
Original filename - winsdoc32.sys
Product name - WinSHDoc7
These are the only two, I *believe*... I've done a pretty good amount of testing, which makes me come to this conclusion. Winwhatwhere will install two files: one which communicates or interacts with the internet (this is also the bigger of the two), then there is a smaller file which is the one called from the registry, which in turn calls the bigger file.

1.5 Prevention
This is easier said than done. I recommend double checking your processes and registry startup files regularly if you live in fear of this. Also check for open ports a bit, and notice longer loading times; these can all be due to hidden files running. If you notice you type a certain word and then the mouse flickers, that word is most likely the alert keyword. I'm sure parents will use words like "sex" and words of that genre.
To remove winwhatwhere officially, run the investigator config file MSdfCng.exe; it will say if investigator is running. You click uninstall to remove the files. Yes, I believe it is that simple!

1.6 Programs Used
I used the following programs to discover what I have reported:
Lockdown Generics (trial version) - This program monitors system.ini, win.ini, autoexec.bat, config.sys and your registry; it shows you all the files that start up. It will display all the files that use the internet and start up. It will notify you that a program is using the internet if it is run.
Lockdown Process Monitor (trial version) - A great process monitor; you can terminate programs or .dlls, and it shows you what programs use what .dlls etc.
Filemon - A superior program, written by sysinternals.com. This program will monitor all file calls and folder calls. This is how you discover where files are being stored: by running filemon then your program, it monitors all calls and records what program called what and the response it got. It allows for easy filtering, a must have for anyone doing program bashing.
Regmon 95 - Another must have; this is great for trojan testing and program cracking. This program monitors the registry for changes; it shows what program accessed what key and whether it was a write, query or close. It is indispensable; I would give up enterprise software for this tool.

1.7 Misc
This might be the miscellaneous section of the paper, but by no means is it the unimportant section. Let's take a walk through this. You have identified that winwhatwhere is deployed on your computer. You have removed it from startup. But you want to know what was recorded. Because VB is easy to incorporate with Microsoft Access, winwhatwhere does just that. Let's use me as an example:
The directory in which the data is recorded would be - c:\temp work\winwhatwhere\w3files\
There is a file called ZW84.DAT; it is actually in the format of an .mdb file for a Microsoft Access database. So we then open it in Microsoft Access and see most of what was recorded. You will figure out from the database what options were selected and how long the program has been running.
You must now be asking how the hell do I find the installation folder??? Well, I have found no simple solution, though the solution is simple. Run filemon, type a few things, or even run the winwhatwhere investigator (that will tell you where the files are installed; it's a shortcut). You will see calls to c:\(installation folder)\; it will access .dat files and other files without extensions, and that is your clue that that folder is the installation folder. If that doesn't work, then run filemon, then investigator, and finally view reports; it will call the folder where the data is, because the program will summarize or place in the correct format all the data it has collected.
If this is also too much work for you, then just run the investigator setup. There is an option where you can specify the installation directory; it will show you the current installation directory, which is what you are looking for. See, there is always a simple solution for us lazy Americans. The program also appears to make some files to store specific things, most of which are file names that have been run.
Here is an example of what they look like; these are my actual file names.
_il58082
_il57464
_il57340
They have no extension! That makes them a lot easier to identify.
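As an added example (not from the original article), this Python scan applies the two installation-folder clues from this section: extensionless _il<digits> files, and .DAT files that are really Access databases. Jet (.mdb) files carry the signature "Standard Jet DB" at byte offset 4; the sample folder is constructed on the fly and is not a real capture.

```python
import os
import re
import tempfile

# Jet/Access .mdb files carry this signature at offset 4 of the file header.
JET_MAGIC = b"Standard Jet DB\x00"
# Extensionless _il<digits> files observed in the install folder (section 1.7).
IL_NAME = re.compile(r"^_il\d+$")


def is_jet_database(path):
    """True if the file header says it is an Access/Jet database regardless of extension."""
    with open(path, "rb") as f:
        header = f.read(4 + len(JET_MAGIC))
    return header[4:] == JET_MAGIC


def scan_install_folder(folder):
    """Return (file name, reason) for files matching the article's indicators."""
    findings = []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        if IL_NAME.match(name):
            findings.append((name, "extensionless _il file"))
        elif name.lower().endswith(".dat") and is_jet_database(path):
            findings.append((name, ".DAT file with Access/Jet header"))
    return findings


def build_sample_folder():
    """Constructed sample folder (assumption: not a real capture) for the demo."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "ZW84.DAT"), "wb") as f:
        f.write(b"\x00\x01\x00\x00" + JET_MAGIC + b"\x00" * 100)
    for n in ("_il58082", "_il57464"):
        open(os.path.join(d, n), "wb").close()
    with open(os.path.join(d, "readme.txt"), "w") as f:
        f.write("benign")
    return d


if __name__ == "__main__":
    for name, reason in scan_install_folder(build_sample_folder()):
        print(name, "->", reason)
```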

1.8 Final Thoughts
As long as there is spyware, no one is safe! Yet by spreading information about these programs and creating a working archive of how these programs work, we can greatly decrease this risk.
This program itself could improve massively; there are hundreds of features they are lacking, but we won't list them here ;)
No one is perfect. If there is false information or spelling and grammatical errors, please e-mail me and help me correct them. I am firmly against false information and have gone to great lengths to verify everything mentioned above. -> E-mail -> [email protected]
Thanks goes to the following people in no special order:
Cyberfly, M_R, weed, #tnt, skuzlenuts, and ap0calaps. If you have been forgotten, I'm sure I was having a memory lapse; thanks to you too.

Doc
MegaSecurity.org