wow.dll Virus / Trojan

Hmmm; Now isn’t this fun

Our IDS was tossing out the following message: ET TROJAN Tornado Pack Binary Request for one of the users, along with various others.

After some inspection; first running the local AV solution, and other solutions like Malwarebytes which did not locate the infection. I then loaded up Sysinternals Suite App, TCPView which showed several outbound connections to remote hosts. Using Process Explorer also by Sysinternals I was able to search the handle of the wow.dll discovered in TCPView. The process was bound to explorer.exe

My inspection took me to the following location: AppDataRoamingsrpetxnshntexqwow.dll where I found the virus .dll file and a config file ending in .ini with the the following contents:


This seems to be a control file for the virus.

For now the issue remains unresolved and the users computer is set for a new image. I will be playing with the virus more in hopes to learn more of what it does and how to quickly identify it in the future. I do however think this is a Troj/Mdrop* type of infection or some variant

Microsoft’s fight against Poison Ivy

Info of what is known: Poison ivy (Backdoor:Win32/Poisonivy.E) is a backdoor trojan that allows unauthorized access and control of an affected machine. It attempts to hide by injecting itself into other processes.

The following system changes may indicate its infection:
The existence of the following file: c:windows:svvchost.exe
The existence of the following registry entry: “StubPath” With data: “c:windows:svvchost.exe” in the subkey: HKLMSoftwareMicrosoftActive SetupInstalled Components<CLSID>

Microsoft has released a temp fix, while they work on final solution.

“We have received reports of only a small number of targeted attacks and are working to develop a security update to address this issue,” Microsoft stated in an official blog post. Microsoft has recommended that users download the Enhanced Mitigation Experience Toolkit which is designed to help prevent hackers from gaining access to your system.

The toolkit includes several pseudo mitigation technologies aimed at disrupting current exploit techniques. These pseudo mitigations are not robust enough to stop future exploit techniques, but can help prevent users from being compromised by many of the exploits currently in use. The mitigations are also designed so that they can be easily updated as attackers start using new exploit techniques.

For now it is the recommendation of many security experts to use browsers such as Chrome or Firefox.

Over 300,000 hit by Internet blackout

According to the FBI, on Monday July 9th over 300,000 computers will no longer be able to access the internet due to a malware infection known as “DNS Changer Trojan”. The internet outage for these computers is due to the FBI shutting down the ring of cyber-criminals responsible for creating the Trojan late last year

Over the past five years, a group of six Estonian cybercriminals infected about 4 million computers around the world with DNSChanger. Themalware redirected infected users’ Web searches to spoofed sites with malicious advertisements.

News Sources:  1, 2
More info on the DNS Changer Trojan here