Archive for September, 2008

Recycler’s shellsrv.exe virus

Tuesday, September 23rd, 2008

Symantec AntiVirus does not detect it fully, and McAfee flags only the autorun.inf file it drops, as generic!.atr trojan.

It loads at startup through a Run entry for symlssdb.exe, which then runs as a hidden process:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec System DB"="symlssdb.exe"

It disables the Registry Editor and Task Manager (regedit.exe and Ctrl-Alt-Del do nothing) and blocks the Run dialog and the CMD command prompt. It also stops malware removal tools such as ComboFix, HijackThis and KillBox from running. The block is by filename, so to run any of these tools, rename the executable to something else first.

On more heavily infected systems it also drops porn-related .URL shortcuts on the desktop and opens them at random.

It also infects removable drives by writing an autorun.inf and a copy of shellsrv.exe into the drive's Recycler folder. It may also create or replace the hosts file in C:\Windows\System32\drivers\etc with one that maps mostly antivirus vendor domains to the loopback address 127.0.0.1, so those sites resolve to the infected machine itself and signature updates and web-based removal tools silently fail.
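As an added example (not part of the original post), the following PowerShell script, run from an elevated prompt, lists the hosts-file lines that send security-vendor domains to 127.0.0.1 and writes the file back without them. The vendor keyword list is an assumption, not something the post gives; extend it for the products you run.

```powershell
# Added example: detect and strip hosts-file entries that redirect antivirus
# vendor domains to the loopback address, as described in the post.
# The keyword list below is an assumption; it is not taken from the post.
$hostsPath      = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$vendorKeywords = 'symantec|norton|mcafee|kaspersky|trendmicro|sophos|avast|avg|bitdefender|f-secure|eset|windowsupdate|microsoft'

$hijacked = @()
$kept     = @()

foreach ($line in (Get-Content -Path $hostsPath)) {
    # Only lines of the form "127.0.0.1 <hostname>" are candidates; comments,
    # blank lines and the normal localhost entry pass through untouched.
    if ($line -match '^\s*127\.0\.0\.1\s+(\S+)' -and
        $Matches[1] -ne 'localhost' -and
        $Matches[1] -match $vendorKeywords) {
        $hijacked += $line
    } else {
        $kept += $line
    }
}

if ($hijacked.Count -eq 0) {
    Write-Output 'hosts file clean: no vendor domains point at 127.0.0.1'
    return
}

Write-Output "$($hijacked.Count) hijacked entries:"
$hijacked | ForEach-Object { Write-Output "  $_" }

# Keep a copy, clear the read-only attribute the infection may have set,
# then write the file back without the hijacked lines. Plain ASCII keeps the
# file in the format the resolver expects.
Copy-Item -Path $hostsPath -Destination "$hostsPath.bak" -Force
Set-ItemProperty -Path $hostsPath -Name IsReadOnly -Value $false
Set-Content -Path $hostsPath -Value $kept -Encoding ASCII
Write-Output "cleaned hosts written; original saved as $hostsPath.bak"
```

Writing to the hosts file needs administrator rights. Run the script once before cleanup to see what the infection changed, and again afterwards to confirm nothing re-wrote the file.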

Downloading KillBox and using it to delete C:\Windows\System32\symlssdb.exe on the next restart may be all you need to do. Rename the downloaded KillBox to kb.exe before running it, since the infection blocks it by name.

To restore registry editing, download unhookexec.inf from Symantec's web site, save it to the desktop, then right-click it and choose Install.

While at it, open the file in Notepad and add the following lines to its registry section before installing it, so that Task Manager, CMD and Run are restored at the same time (65537 is 0x00010001, the INF flag for a REG_DWORD value):

HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableCMD,65537,0
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableTaskMgr,65537,0
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoRun,65537,0

If you would rather not edit that file, run regedit once it works again, browse to [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System] and set DisableRegistryTools and DisableTaskMgr to 0; DisableCMD lives in the same key, and NoRun in the neighbouring Policies\Explorer key.
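The same repair as a PowerShell script, added here as an example and not taken from the post: it resets the four policy values under both HKCU and HKLM (Windows honours the HKLM copies too, which the post does not mention), removes the Run entry shown above, and stops and deletes symlssdb.exe. The Run entry name and the file path are the ones the post gives; run it from an elevated PowerShell prompt.

```powershell
# Added example: undo the lockout policies and the persistence described in
# the post. Everything here is a standard Windows policy value or path; the
# only post-specific data are the Run entry name and the file path.
$policyValues = @{
    'Software\Microsoft\Windows\CurrentVersion\Policies\System'   = @('DisableRegistryTools', 'DisableTaskMgr', 'DisableCMD')
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = @('NoRun')
}
$runKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runName = 'Symantec System DB'
$malware = Join-Path $env:SystemRoot 'System32\symlssdb.exe'

# 1. Reset the policy values. Windows honours these under HKLM as well as
#    HKCU, so clear both; a missing key means that hive imposes no lockout.
foreach ($hive in 'HKCU:', 'HKLM:') {
    foreach ($subKey in $policyValues.Keys) {
        $path = "$hive\$subKey"
        if (-not (Test-Path -Path $path)) { continue }
        foreach ($name in $policyValues[$subKey]) {
            $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item -and $item.$name -ne 0) {
                Write-Output "$path\$name = $($item.$name); resetting to 0"
                Set-ItemProperty -Path $path -Name $name -Value 0 -Type DWord
            }
        }
    }
}

# 2. Remove the startup entry so the dropper is not relaunched at logon.
$entry = Get-ItemProperty -Path $runKey -Name $runName -ErrorAction SilentlyContinue
if ($null -ne $entry) {
    Write-Output "removing Run entry '$runName' -> $($entry.$runName)"
    Remove-ItemProperty -Path $runKey -Name $runName
}

# 3. Stop the hidden process and delete its file. If the delete fails because
#    the image is still locked, fall back to KillBox's delete-on-reboot as the
#    post describes.
Get-Process -Name 'symlssdb' -ErrorAction SilentlyContinue | Stop-Process -Force
if (Test-Path -Path $malware) {
    try {
        Remove-Item -Path $malware -Force -ErrorAction Stop
        Write-Output "deleted $malware"
    } catch {
        Write-Output "could not delete $malware ($($_.Exception.Message)); schedule it for deletion on reboot"
    }
}
```

If powershell.exe itself is blocked the same way the other tools are, copy it under another name as the post suggests for KillBox. Reboot afterwards and re-run the script: if any value comes back non-zero, a second component (the TDSServ driver or a scheduled task, both covered below) is still re-applying the lockout.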

On a badly infected system you may need to download and run ComboFix, which cleans it up easily.

Files associated with this infection:

C:\WINDOWS\onfwbsak.dll
C:\WINDOWS\rwlfsdmk.dll
C:\WINDOWS\eofn.exe
C:\WINDOWS\dfmlxbpkexw.dll
C:\WINDOWS\peltodgx.dll
C:\WINDOWS\faceback.exe
C:\WINDOWS\system32\symlssdb.exe
C:\WINDOWS\system32\winupdate.exe
C:\WINDOWS\system32\tdssservers.dat
C:\WINDOWS\system32\tdssl.dll
C:\WINDOWS\system32\tdssmain.dll
C:\WINDOWS\system32\tdsslog.dll
C:\WINDOWS\system32\tdssadw.dll
C:\WINDOWS\system32\tdssinit.dll
C:\WINDOWS\system32\tdssserf.dll
C:\WINDOWS\system32\wscmp.dll
C:\WINDOWS\system32\sex1.ico
C:\WINDOWS\system32\sex2.ico
C:\WINDOWS\system32\sex3.ico
C:\Documents and Settings\User\Desktop\BDSM galleries.URL

If there are traces of tdss*.dll files, a driver service, tdssserv.sys, will also be running and has to be removed. The file lives in C:\Windows\System32\drivers, and the service is registered under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSServ (and at the same path under each HKEY_LOCAL_MACHINE\SYSTEM\ControlSet* copy) and under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TDSSERV. The TDSServ key has its permissions changed so that it cannot simply be deleted; take ownership of the key and grant yourself Full Control first.

Deleting it only works from Safe Mode or by editing the registry remotely from a clean machine, since in a normal boot the driver is loaded and guarding its keys.

This trojan also installs a copy of the mxlivemedia ad program, which needs to be uninstalled via Add/Remove Programs. Unfortunately, I cannot remember the exact name of the program, but it starts with Ron.

Many fake antivirus and antispyware programs seem to be related to this virus, such as Antivirus2009, which comes with AntiSpywareShield, SAV and Seekmo, all installed after the tdssserv.sys service has started on an infected PC. Like its other variants, this malware names its files after legitimate programs (SAV, etc.) to discourage deletion, and its main business is serving porn on infected PCs.

It also adds scheduled tasks that run a randomly named file to reload itself, giving it a better chance of surviving removal attempts; check the Scheduled Tasks folder (C:\Windows\Tasks) for unfamiliar jobs as part of the cleanup.