DIAGNOSIS: VIRUS

How do network guardians find and cure computer infections? The following true story of a compromised laptop shows how a few simple clues uncovered a sordid tale.

Our first sign of trouble was the laptop's repeated attempts to establish outbound communications over a suspicious channel. We isolated the laptop and noted several additional symptoms:

  • Two basic processes (task manager and regedit) terminated as soon as they started

  • The laptop was running two non-standard processes: kazaalite.exe and kaperskyav.exe

How serious was this combination of symptoms? Extremely!

First, the termination of task manager and regedit suggested a “rootkit” - a set of tools designed to hide the malicious tasks of the virus - had been installed. Second, neither kazaa nor kaperskyav was installed on the laptop, the executables were in abnormal locations, and their names were inconsistent with the vendor-assigned names.

Further investigation revealed suspicious files in the laptop's root directory: install.exe, trofkg.reg, k.html, and staff.html. Fortunately, the laptop was running scanner software, which found a variant of the Sdbot trojan called bestfriends.scr. The Sdbot family is a widespread and versatile trojan. This was not good!

We transferred a copy of install.exe to a controlled environment where we could observe its behavior. Running it dropped trofkg.reg, among other files, which proceeded to modify the victim's registry, essentially melting Internet Explorer's security settings.
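The triage clues above (processes running from odd locations under vendor look-alike names, and a .reg file that rewrites Internet Explorer's zone settings) can be checked mechanically. The following is an added example, not code from the original story: the process snapshot, the .reg text and the list of expected program directories are constructed assumptions.

```python
# Added triage helper, not from the original story: applies the responders' clues
# to a constructed process snapshot and a constructed .reg file.
import re
from difflib import SequenceMatcher
VENDOR_NAMES = ("kaspersky", "kazaa")   # vendors the rogue processes imitated
# Directories a properly installed product normally runs from (assumption).
EXPECTED_DIRS = ("c:\\program files\\", "c:\\windows\\")

# Constructed snapshot of (image name, full path); the first two are benign.
PROCESSES = [
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
    ("avp.exe", r"C:\Program Files\Kaspersky Lab\avp.exe"),
    ("kazaalite.exe", r"C:\kazaalite.exe"),
    ("kaperskyav.exe", r"C:\Documents and Settings\user\Local Settings\Temp\kaperskyav.exe"),
]
# Constructed .reg text in the style of trofkg.reg. The key is Internet Explorer's
# real Internet zone (Zone 3); 1001/1004 are its ActiveX download settings and
# dword 0 means "Enable".
REG_TEXT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000000
"1004"=dword:00000000
"""
def looks_like_vendor(stem):
    """Vendor name the process stem contains or closely resembles, else None."""
    for vendor in VENDOR_NAMES:
        if vendor in stem or SequenceMatcher(None, vendor, stem).ratio() >= 0.8:
            return vendor
    return None

def triage_processes(processes):
    """Map image name -> reasons for every process matching the story's clues."""
    findings = {}
    for name, path in processes:
        reasons = []
        if not path.lower().startswith(EXPECTED_DIRS):
            reasons.append("non-standard location: " + path)
        vendor = looks_like_vendor(name.lower().rsplit(".", 1)[0])
        if vendor:
            reasons.append("name imitates '%s'; verify it is really installed" % vendor)
        if reasons:
            findings[name] = reasons
    return findings

def ie_zone_keys(reg_text):
    """Return the IE security-zone registry keys a .reg file would rewrite."""
    keys = re.findall(r"^\[(HKEY_[^\]]+)\]", reg_text, re.M)
    return [k for k in keys if "\\internet settings\\zones\\" in k.lower()]
```

Both flagged processes are reported for two reasons each, and the .reg check returns the Internet zone key, which is the change that "melts" the browser's security settings.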

After that, Internet Explorer ran the code within k.html and staff.html, which downloaded known spyware called MediaTicketsInstaller. Then it redirected the browser to a separate location for prompt.php which, in turn, grabbed every scrap of information about the host machine and its browser settings, impersonated a Windows update session, and prompted the user to install "Windows updates."

Let's step back and examine our situation. We know install.exe caused everything discussed so far, but we still don't know how install.exe itself arrived on the system. It was there before Internet Explorer's settings were altered. It was there before the MediaTicketsInstaller and other spyware components. Did install.exe piggyback onto the laptop via another known vulnerability or was it invited by an unsuspecting user?

We found a signature string within k.html [ y E a K u T z ] - the author's alias or code name. Searching Google for “[ y E a K u K z ], x.bat, and trofkg.reg” returned a common result: the "Bestfriends" virus. That's it!

Several sources explained that Bestfriends spreads through AOL Instant Messenger (AIM) buddy lists and links to bestfriends.scr in profiles and away messages. The virus not only interferes with AIM, but is bundled with other malware that prevents task manager, regedit, and msconfig from staying open long enough to work.

Good to know. The laptop user had tried to install an AIM screensaver. Here, firewalls and even many anti-virus scanners are helpless. The user granted permission for an arbitrary executable to run. The executable did what he asked.

But what about install.exe? So far, there is no obvious correlation between bestfriends.scr and install.exe. If we believe that bestfriends.scr initially caused the infection, why not release it back to the wild under close supervision?

We un-quarantined the screen saver in our test environment and obtained an exact copy of the original file used to exploit the laptop. Then we watched events unfold.

The user signed onto AIM, clicked the link on a friend's profile, and agreed to install bestfriends.scr. This program quietly connected to a student's PC at Yale University, where it was instructed to fetch pz.x from angelfire.com and save it to C:\install.exe. The installer was executed and placed x.bat, k.html, staff.html, and trofkg.reg onto the file system. The batch file x.bat removed Internet Explorer's security settings using the data from trofkg.reg, then launched the two HTML files. The laptop accessed prompt.php, which downloaded over 100 infected programs.

Yikes!

Each incident like this one is unique, which makes them difficult to thwart. On average, one virus attacks an Internet-connected PC every 21 minutes. To help your network guardians, run virus scanning software and ask the experts before downloading applications from the Internet.

For more information about protecting your PC, please visit http://isc.sans.org.