First of all, there are a few tools that I’ve used in the past to show me files that certain processes have opened up. One such tool is Process Monitor by SysInternals. Windows XP Professional comes with a command-line tool called openfiles.
What is openfiles?
Enables an administrator to list or disconnect files and folders that have been opened on a system.
By default (I think) it doesn't track open files, so you will need to enable it by issuing the following command (this does add some performance overhead):
openfiles /local on
After you issue that command you are required to reboot, and once you're back in Windows, execute openfiles without any flags:
You’ll have an output similar (well, depending on the processes you have open) to what I have here:
ID    Process Name         Open File (Path\executable)
===== ==================== ==================================================
12    explorer.exe         C:\Documents and Settings\Rich
72    explorer.exe         C:\..6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
120   explorer.exe         C:\..6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
152   explorer.exe         C:\..6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
156   explorer.exe         C:\..6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
168   explorer.exe         C:\..6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
204   explorer.exe         C:\..6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
368   explorer.exe         C:\..6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
372   explorer.exe         C:\..6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
560   explorer.exe         C:\Documents and Settings\Rich\Desktop
568   explorer.exe         C:\..6595b64144ccf1df_1.0.2600.5581_x-ww_dfbc4fc4
584   explorer.exe         C:\Documents and Settings\All Users\Desktop
592   explorer.exe         C:\..Application Data\Microsoft\CD Burning
748   explorer.exe         C:\..6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
Files Opened Remotely via local share points:
INFO: No shared open files found.
You can learn more about it by issuing openfiles /? and openfiles /disconnect /?
For now, I’m still a fan of Process Monitor but this is nice when I’m in a hurry and for some reason don’t have my flash drive that has Process Monitor on it.
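To make the table above useful for the question the post opens with (which processes have which files open), here is a small parser for the TABLE output of openfiles. This is an added example, not code from the original post; SAMPLE_OUTPUT is constructed to match the column layout openfiles prints (with the whitespace that the copy above lost), and paths that openfiles shortened with ".." are flagged as truncated rather than guessed at.

```python
"""Parse the TABLE output of `openfiles` and summarise which local processes
have which files open.

Added example, not code from the original post. SAMPLE_OUTPUT is constructed
to match the column layout openfiles prints; a path openfiles shortened with
'..' is reported as truncated, never reconstructed.
"""
from collections import defaultdict

# Constructed sample in the TABLE layout: header row, a row of '=' runs that
# marks every column's width, one row per open handle, then the remote section.
SAMPLE_OUTPUT = r"""ID    Process Name         Open File (Path\executable)
===== ==================== ==================================================
12    explorer.exe         C:\Documents and Settings\Rich
72    explorer.exe         C:\..6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83
560   explorer.exe         C:\Documents and Settings\Rich\Desktop
592   explorer.exe         C:\..Application Data\Microsoft\CD Burning
1044  notepad.exe          C:\Documents and Settings\Rich\My Documents\notes.txt

Files Opened Remotely via local share points:
INFO: No shared open files found.
"""


def column_spans(separator):
    """Turn '===== ==== ...' into [(start, end), ...] character ranges."""
    spans, start = [], None
    for i, ch in enumerate(separator + " "):   # trailing space closes the last run
        if ch == "=" and start is None:
            start = i
        elif ch != "=" and start is not None:
            spans.append((start, i))
            start = None
    return spans


def parse_openfiles_table(text):
    """Return one dict per locally opened file: id, process, path, truncated."""
    lines = text.splitlines()
    sep_idx = next(
        (i for i, line in enumerate(lines)
         if "=" in line and set(line.strip()) <= {"=", " "}),
        None,
    )
    if sep_idx is None:
        raise ValueError("no '=====' column separator line found")
    spans = column_spans(lines[sep_idx])
    records = []
    for line in lines[sep_idx + 1:]:
        if not line.strip():          # blank line ends the local-files table
            break
        fields = [line[s:e].strip() for s, e in spans[:-1]]
        fields.append(line[spans[-1][0]:].strip())   # last column may run long
        handle_id, process, path = fields[:3]
        records.append({
            "id": int(handle_id),
            "process": process,
            "path": path,
            "truncated": "\\.." in path,   # openfiles shortened this path
        })
    return records


def handles_per_process(records):
    """Count open handles (and how many have truncated paths) per process."""
    per = defaultdict(lambda: {"handles": 0, "truncated": 0})
    for r in records:
        per[r["process"]]["handles"] += 1
        per[r["process"]]["truncated"] += int(r["truncated"])
    return dict(per)


def who_has_open(records, fragment):
    """Processes whose open-file path contains fragment (case-insensitive)."""
    needle = fragment.lower()
    return {r["process"] for r in records if needle in r["path"].lower()}


if __name__ == "__main__":
    recs = parse_openfiles_table(SAMPLE_OUTPUT)
    for proc, stats in sorted(handles_per_process(recs).items()):
        print(f"{proc}: {stats['handles']} handle(s), {stats['truncated']} truncated")
    print("notes.txt is open in:", who_has_open(recs, "notes.txt"))
```

The column widths are read from the "=====" separator line rather than hard-coded, so the parser keeps working when the Open File column is wider on another machine; on a live box, feed it the captured output of openfiles (or use openfiles /query /fo csv to skip the fixed-width slicing altogether).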
free - lists available disk space
dfdb - lists dbspaces on the system. use ifxksh to initialize the ifx environment first
who -b - displays last date system was rebooted
oslevel - lists the version of the operating system
bootinfo -r - lists total amount of real memory installed (divide by 1024 to get MB)
startjs - starts the job server
stopjs - stops the job server
startvlink - starts any interface link procedure including Misys Vision/Optimum Charge Daemon
stopvlink - stops any interface link procedure including Misys Vision/Optimum Charge Daemon
lspv - lists harddisks on the system and the volume groups they are attached to
lspv -l hdisk# - lists logical volumes on the file systems
mount - displays currently mounted file systems
lspv physvolname - displays information about the physical volume 'physvolname'
lspv -p physvolname - lists physical partitions associated with this physical volume 'physvolname'
lsps -a - lists paging space associated with physical volumes. Note: if Used=75%, you need memory
lsvg volgrpname - lists details about the volume group (such as PP size, #free)
lsvg -p volgrpname - displays name and status of physical volumes for volume group
lsdev -Cc memory - lists all installed memory cards
lsdev -Cc adapter - lists all interface cards installed on the system
date - shows system date and time
errpt | more - displays error log entries in a one-line-per-entry format
errpt -a - displays error log in same format as the Utility menu option
penable tty# - directs UNIX to reset a disabled terminal
pdisable tty# - takes terminal off-line, resets terminal settings
lptstat - shows status of all spooled printers
lptstat -pSPxx - shows status of a specified printer
qcan -pSPxx -xJOBx - cancels JOB#
qcan -X - cancels all print jobs
cancel JOB# - cancels JOB#
stopsrc -s qdaemon - stops qdaemon
startsrc -s qdaemon - starts qdaemon
ps -ef | grep qdaemon - checks to see if qdaemon is running
qmov -m SP## -8 - moves job #8 to SPxx
qmov -m SP## SP## - moves all jobs from SP## to SP##
qmov -u userID -m SP## - moves all jobs for userID to SP##
qhld 8 - puts job #8 on hold
qhld -P SP## - puts all jobs for SP# on hold
qhld -r 8 - releases held job #8
qhld -r -P SP## - releases all held jobs for SP##
qadm -U SP## - takes the specified queue to an up status
qadm -D SP## - takes the specified queue to a down status
Printing and Viewing Files
lp SP## filename - prints contents of file to a specific printer
cat filename | more - prints contents of file to the screen one page at a time from the beginning of the file
more filename - prints contents of file to the screen one page at a time
tail -# filename - shows last # of lines of file
tail filename - shows last 10 lines of file
printout filename - Misys print command alias. After typing this command, the system prompts to select a printer.
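The lsps -a line above carries the one diagnostic rule in this list (paging space at or past 75% used means the box needs memory). Here is that rule applied to parsed lsps -a output, as an added example that is not part of the original page; SAMPLE_LSPS is constructed in the column layout I assume for AIX's lsps -a (Page Space, Physical Volume, Volume Group, Size, %Used, Active, Auto, Type, and on newer releases Chksum), so confirm that layout on a live host before relying on lsps_live().

```python
"""Apply the paging-space rule of thumb (Used >= 75% means add memory) to the
output of `lsps -a`.

Added example, not part of the original page. SAMPLE_LSPS is constructed in
the column layout assumed for AIX lsps -a; check it against a live host.
"""
import subprocess

USED_THRESHOLD_PCT = 75   # the page's rule: Used=75% -> you need memory

SAMPLE_LSPS = """\
Page Space      Physical Volume   Volume Group    Size %Used Active  Auto  Type Chksum
hd6             hdisk0            rootvg        2048MB    81   yes   yes    lv     0
paging00        hdisk1            datavg        1024MB    12   yes   yes    lv     0
"""


def parse_lsps(text):
    """One dict per paging space. The header row is skipped, and rows that do
    not have at least the eight columns assumed above are ignored."""
    rows = []
    data_lines = [ln for ln in text.splitlines() if ln.strip()][1:]
    for line in data_lines:
        f = line.split()
        if len(f) < 8:
            continue
        rows.append({
            "name": f[0],
            "pv": f[1],
            "vg": f[2],
            "size_mb": int(f[3].rstrip("MB")),   # lsps prints sizes as e.g. 2048MB
            "used_pct": int(f[4]),
            "active": f[5] == "yes",
        })
    return rows


def paging_alerts(rows, threshold=USED_THRESHOLD_PCT):
    """Names of active paging spaces at or above the threshold."""
    return [r["name"] for r in rows if r["active"] and r["used_pct"] >= threshold]


def overall_used_pct(rows):
    """Size-weighted %Used across all active paging spaces (0.0 if none)."""
    active = [r for r in rows if r["active"]]
    total = sum(r["size_mb"] for r in active)
    if total == 0:
        return 0.0
    return round(sum(r["size_mb"] * r["used_pct"] for r in active) / total, 1)


def lsps_live():
    """Run lsps -a on the host (assumes an AIX box with lsps on PATH)."""
    out = subprocess.run(["lsps", "-a"], capture_output=True, text=True, check=True)
    return parse_lsps(out.stdout)


if __name__ == "__main__":
    rows = parse_lsps(SAMPLE_LSPS)
    print(f"overall paging use: {overall_used_pct(rows)}%")
    for name in paging_alerts(rows):
        print(f"{name}: at or above {USED_THRESHOLD_PCT}% used, add memory")
```

The per-space check is what the note describes; the size-weighted total is there because one small, full paging space on a box with a large, idle one is a different problem from the whole system being short of memory.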
UPDATE (9/29/2011 9:15AM EST) I have corrected the link to the 7770finder.exe file. This still detects the original strain of this piece of malware. To fully inoculate and protect yourself, I recommend downloading Malwarebytes' Anti-Malware software: http://www.malwarebytes.org/. It's FREE for personal use!
UPDATE (1/19/2009 6:30PM EST)
I've been getting a lot of email questioning why my tool did not remove found infected files. This tool does NOT remove any infected files. It is up to you to remove them. This tool also does not support directory recursion; i.e., it ONLY scans %SystemDir% files, no subfolders. Sorry.
UPDATE (1/15/2009 12:51PM EST)
To help prevent infection take the following actions:
UPDATE (1/14/2009) Malwarebytes is able to detect the malware. Interestingly enough, it only detects it if it's in the c:\windows\system32\drivers folder. I'm not sure what's up with that. Update the applications to ensure you're using the latest definitions. If you know of any other Spyware/Malware/AV software that is detecting this, leave a comment.
AVG supposedly detects this threat (posted by: Peter Liu)
Please let me know of any other software that detects this.
1) Redirects searches to 126.96.36.199
2) Displays what appear to be normal results, but in fact are linked to many other malware centric sites
3) Kaspersky (as of this writing) is the only application to detect the presence of this malware on your PC (and yes, I've tried Malwarebytes, Spybot S&D, AntiVir, SuperSpyware)
4) The culprit file resides in c:\windows\system32\wdmaud.sys and should be removed, or renamed. Don’t remove the file from c:\windows\system32\drivers\wdmaud.sys.
5) After deleting/renaming the file, restart your browser(s) and you’ll be OK. Note: This affects IE and FF, I have not tested Opera, Netscape or Safari.
Here’s an example screenshot of what Google results look like when you are infected. Notice the Google links (green links) on the results page.
What I'd like to know is what that file has to do with the browser. The WDMAUD.sys file (the real one) deals with Windows High Definition Audio. Could this file have been placed there via a Flash vulnerability? I know I was on YouTube the night prior to me being invaded.
I ran ProcessMon from SysInternals and saw that Firefox and IE both called for wdmaud.sys but in the c:\windows\system32 directory, not in the drivers subfolder. Here’s a screenshot of that. If I move the file (the infected file) out of system32 the redirection stops. If I put it back in the infection is back. My question that is burning me is HOW did it get there? What put it there?
So far, the infection is in c:\windows\system32\wdmaud.sys (or c:\winnt\system32\wdmaud.sys). Simply delete the file and restart any open web browsers.
If you do not find the wdmaud.sys file, or are unsure what to even look for, you may download a tool that we created that will investigate all the files in the Windows system directory. It doesn’t just specifically look for the wdmaud.sys file, but it looks for the signature in every file within that directory.
Compatible with: Windows XP (all SPs), Server 2000/2003/2008, and Vista.
Your use of this software indicates that you agree to the attached terms of service.
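The checks the post describes (a copy of wdmaud.sys directly in system32 is the marker, the copy under system32\drivers is the legitimate one, and the finder tool hashes every file in the system directory without recursing and removes nothing) can be written down as a small detection script. This is an added example, not the 7770finder tool and not its signature, which the post does not give: KNOWN_BAD_SHA256 is a placeholder you would fill from a trusted source, and build_demo_tree() constructs a throwaway stand-in for system32 so the logic runs on any OS.

```python
"""Report the wdmaud.sys locations the post names and hash every file directly
in a system directory (no subfolders) against a known-bad list.

Added example, not the post's 7770finder tool. KNOWN_BAD_SHA256 is a
placeholder (the real signature is not on the page); build_demo_tree()
constructs a stand-in directory so the checks can be exercised anywhere.
Nothing here deletes or renames a file.
"""
import hashlib
import os
import tempfile

# Placeholder: fill from a vetted source. Empty on purpose here.
KNOWN_BAD_SHA256 = set()


def sha256_of(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large drivers are not slurped."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_wdmaud_locations(system_dir):
    """The post: the real wdmaud.sys lives in system32\\drivers; a copy sitting
    directly in system32 is the infection marker. Report both, touch neither."""
    rogue = os.path.join(system_dir, "wdmaud.sys")
    legit = os.path.join(system_dir, "drivers", "wdmaud.sys")
    result = {
        "rogue_present": os.path.isfile(rogue),
        "legit_present": os.path.isfile(legit),
    }
    if result["rogue_present"]:
        result["rogue_sha256"] = sha256_of(rogue)
    if result["legit_present"]:
        result["legit_sha256"] = sha256_of(legit)
    return result


def scan_system_dir(system_dir, known_bad=KNOWN_BAD_SHA256):
    """Hash each regular file directly in system_dir (no recursion, like the
    post's tool) and return (path, sha256) for those on the known-bad list."""
    hits = []
    for name in sorted(os.listdir(system_dir)):
        path = os.path.join(system_dir, name)
        if not os.path.isfile(path):
            continue
        digest = sha256_of(path)
        if digest in known_bad:
            hits.append((path, digest))
    return hits


def build_demo_tree():
    """Constructed stand-in for C:\\Windows\\system32 with a planted 'rogue'
    copy; returns (system_dir, sha256 of that planted file)."""
    root = tempfile.mkdtemp(prefix="sysdir_demo_")
    drivers = os.path.join(root, "drivers")
    os.mkdir(drivers)
    with open(os.path.join(drivers, "wdmaud.sys"), "wb") as f:
        f.write(b"stand-in for the legitimate driver\n")
    with open(os.path.join(root, "wdmaud.sys"), "wb") as f:
        f.write(b"stand-in for the rogue copy\n")
    with open(os.path.join(root, "kernel32.dll"), "wb") as f:
        f.write(b"unrelated file\n")
    return root, sha256_of(os.path.join(root, "wdmaud.sys"))


if __name__ == "__main__":
    sysdir, planted_hash = build_demo_tree()
    print(check_wdmaud_locations(sysdir))
    print(scan_system_dir(sysdir, known_bad={planted_hash}))
```

On a real Windows box you would call check_wdmaud_locations(os.path.join(os.environ["SystemRoot"], "system32")) instead of the demo tree; the two hashes it returns are what you would compare against a clean machine or a vendor hash, and the separate scan function exists because the post's later update stresses that the tool only reports and never removes.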