ZHPDiag – Module O83 (SSS)

Some malware uses the Svchost mechanism to hide from diagnostic tools. This is particularly true of the Conficker worm, which has the features of a backdoor Trojan horse.

First it attacks the system's defences by disabling the security software and its updates; it also disables Windows Update. Then it connects to its server so that the machine can be controlled remotely. Finally it downloads and installs further malware.

Specifically, the malware service inserts itself into the multi-string value « NetSvcs », as with the service « nscpjapu » in the example below:

AeLookupSvc,CertPropSvc,SCPolicySvc,LanmanServer,nscpjapu,gpsvc,IKEEXT,AudioSrv,…

At the same time the malware service is created as a key under the Services key, and a malware file is assigned to its « ServiceDll » value, as in this example:
[HKLM\SYSTEM\CurrentControlSet\Services\nscpjapu\Parameters]
« ServiceDll »=« c:\windows\system32\chfywi.dll »

The Search Svchost Services (SSS) module lists the particular group of services started by Svchost.exe. These services are registered in the data of the « NetSvcs » value.

The search is carried out in the registry key [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost].

Each service of this type is started through the command « svchost.exe -k netsvcs ». It executes the data of the « ServiceDll » value of the key:
[HKLM\SYSTEM\CurrentControlSet\Services\{NameService}\Parameters]
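The following PowerShell script is an added example (not ZHPDiag's own code) of the lookup the O83 module performs: read the « NetSvcs » list, resolve each service's ServiceDll under its Parameters key, then report file size and Authenticode signer so that unsigned, missing or oddly placed DLLs stand out. It assumes the value name netsvcs (case-insensitive) and is meant to be run from an elevated prompt on the machine being examined.

```powershell
# Added example: enumerate svchost "netsvcs" services and resolve their ServiceDll,
# mirroring what the O83 (SSS) module reports. Not ZHPDiag's own code.
function Get-SvchostNetSvcs {
    $svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $group = 'netsvcs'   # assumption: the group value the page calls "NetSvcs"

    # REG_MULTI_SZ comes back as a string array, one service name per entry
    $services = (Get-ItemProperty -Path $svchostKey -Name $group).$group

    foreach ($name in $services) {
        $paramsKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\Parameters"
        $dll = $null
        if (Test-Path -LiteralPath $paramsKey) {
            $dll = (Get-ItemProperty -Path $paramsKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        }
        if (-not $dll) {
            # Listed in netsvcs but no Parameters\ServiceDll: service key absent or not DLL-hosted
            [pscustomobject]@{ Service=$name; ServiceDll='(none)'; Size=$null; Signer='(n/a)'; Status='NoServiceDll' }
            continue
        }
        $path = [Environment]::ExpandEnvironmentVariables($dll)
        if (-not (Test-Path -LiteralPath $path)) {
            # Same situation as the "[0]" size in ZHPDiag reports: the DLL is gone or never existed
            [pscustomobject]@{ Service=$name; ServiceDll=$path; Size=0; Signer='(missing)'; Status='FileMissing' }
            continue
        }
        # A spoofed "Microsoft Corporation" subject on an untrusted certificate does not give Status=Valid,
        # so the Status field separates real signatures from merely plausible-looking signer names.
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        $status = if ($sig.Status -ne 'Valid') { 'CheckSignature' }
                  elseif ($path -notlike "$env:SystemRoot\System32\*") { 'UnusualPath' }
                  else { 'OK' }
        [pscustomobject]@{
            Service    = $name
            ServiceDll = $path
            Size       = (Get-Item -LiteralPath $path).Length
            Signer     = $signer
            Status     = $status
        }
    }
}

Get-SvchostNetSvcs | Format-Table -AutoSize
```

Entries with Status other than OK are the ones to review by hand, in the same way ZHPDiag's unsigned and name-spoofed cases below are the suspicious lines.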


Trojan horse (Trojan)

The role of the Trojan is to bring a parasite onto the computer and install it there without the user's knowledge. The content it carries is called the "payload". It can be any type of parasite: virus, keylogger, spyware, and so on. It is this parasite, and it alone, that performs actions on the victim's computer. The Trojan horse is nothing other than the vehicle, the one that "lets the wolf into the fold". It is not harmful in itself because it performs no action other than allowing the installation of the real parasite.


Overview ZHPDiag

—\\ Search for services that are started by Svchost (SSS) (O83)
O83 – Search Svchost Services: AeLookupSvc (AeLookupSvc) . (.Microsoft Corporation – Service Expérience d’application.) — C:\Windows\System32\aelupsvc.dll
O83 – Search Svchost Services: LanmanServer (LanmanServer) . (.Microsoft Corporation – DLL from the Server service.) — C:\Windows\system32\srvsvc.dll
O83 – Search Svchost Services: gpsvc (gpsvc) . (.Microsoft Corporation – Group Policy client.) — C:\Windows\System32\gpsvc.dll

—\\ Search for services that are started by Svchost (SSS) (O83)
O83 – Search Svchost Services: AeLookupSvc (AeLookupSvc) . (.Microsoft Corporation – Service Expérience d’application.) — C:\Windows\System32\aelupsvc.dll [62464]
O83 – Search Svchost Services: LanmanServer (LanmanServer) . (.Microsoft Corporation – DLL from the Server service.) — C:\Windows\system32\srvsvc.dll [168448]
O83 – Search Svchost Services: gpsvc (gpsvc) . (.Microsoft Corporation – Group Policy client.) — C:\Windows\System32\gpsvc.dll [591360]

Example of detection

—\\ Search for services that are started by Svchost (SSS) (O83) (Unsigned case)
O83 – Search Svchost Services: TrkServer (TrkServer) . (…) — C:\Windows\system32\chfywi.dll [14336] =>Trojan.Conficker
O83 – Search Svchost Services: SSHNAS (SSHNAS) . (…) — C:\WINDOWS\system32\sshnas21.dll [0] =>Trojan.Downloader
O83 – Search Svchost Services: fxuuamsy (fxuuamsy) . (…) — c:\windows\system32\uhxhdjn.dll [0] =>Trojan.Downloader
O83 – Search Svchost Services: kdjqggia (kdjqggia) . (…) — C:\WINDOWS\system32\bwuppbn.dll [0] =>Trojan.Vundo
O83 – Search Svchost Services: ygwhngul (ygwhngul) . (…) — C:\WINDOWS\system32\dteekyl.dll [0] =>Trojan.BHO.H

—\\ Search for services that are started by Svchost (SSS) (O83) (Signed case)
O83 – Search Svchost Services: SSHNAS (SSHNAS) . (.ApexDC ++ Development Tea – EPA.) — C:\WINDOWS\system32\sshnas21.dll [247808] =>Trojan.Downloader

—\\ Search for services that are started by Svchost (SSS) (O83) (Case signed with an owner name spoofing a legitimate publisher)
O83 – Search Svchost Services: SSHNAS (SSHNAS) . (.Electronic Arts – Command And Conquer Generals World Builder.) — C:\WINDOWS\system32\sshnas21.dll [242176] =>Trojan.Downloader
O83 – Search Svchost Services: nmkjifcz (nmkjifcz) . (.Microsoft Corporation – WPD Tracing.) — c:\windows\system32\wdaqqaa.dll [88576] =>Trojan.Conficker

Action ZHPFix

O83 – Search Svchost Services: {NameService} ( {KeyService} ) . (…) — {FileName}

{Key} : The registry key [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
{NameService} : One entry of the « NetSvcs » value data of the key {Key}.
{KeyService} : The subkey of the key [HKLM\System\CurrentControlSet\Services].
{FileName} : The « ServiceDll » value data of the key [HKLM\System\CurrentControlSet\Services\{KeyService}\Parameters].

1) The tool deletes the malware service {KeyService}.
2) The tool deletes the file {FileName}.

Report ZHPFix (Example)

Line entered:
O83 – Search Svchost Services: SSHNAS (SSHNAS) . (.Electronic Arts – Command And Conquer Generals World Builder.) — C:\WINDOWS\system32\sshnas21.dll [242176]

Report of ZHPFix v1.12.3133 by Nicolas Coolman, updated 02/08/2010

== Registry key(s) ==========
O83 – Search Svchost Services: SSHNAS (SSHNAS) . (.Electronic Arts – Command And Conquer Generals World Builder.) — C:\WINDOWS\system32\sshnas21.dll [242176] => Key deleted successfully

== File(s) ==========
C:\WINDOWS\system32\sshnas21.dll => Deleted and quarantined

== Summary ==========
1 : Registry key(s)
1 : File(s)

Links

* How to remove the Conficker virus
* Downadup / Conficker
* How malware hides by installing itself as a service (Malekal)