Carl’s Blog

Curious phishing rootkit modifies banking webpages in-line, requesting full password instead of select characters.

by Carl Farrington on Apr.03, 2009, under Computer Stuff, News & Reviews

I’ve just come across something concerning that I haven’t seen before.

Customer’s computer appears to be infected with something.

Banking websites such as rbsdigital.com, lloydstsb.com and hsbc.com display perfectly, except that the security phrase box asks for the whole phrase instead of just particular characters from it.

It’s as though something is intercepting and re-writing the page as it’s displayed (url and cert look fine, DNS of sites resolve fine).

The computer has various infections on it by the looks of it: twext.exe, which I’ve come across enough times, and various random .dlls fired up through rundll32.

What’s concerning me is how the page is modified in-line and the url and certificate are spot on.

Here are the analysis results for the .dll, called through Run -> rundll32. Doesn’t look good for detection.
http://www.virustotal.com/analisis/9ec1b577f2bf5688597dc1c911bea47d

Here are the results for twext.exe, called through Winlogon -> Userinit.
http://www.virustotal.com/analisis/ae4eda13de80161b65b3a18122ead92f

c:\windows\system32\a.exe doesn’t appear to be called from anywhere that I’ve noticed yet, but it has an obviously suspect filename and file date. Same file as twext.exe.
http://www.virustotal.com/analisis/ae4eda13de80161b65b3a18122ead92f

c:\windows\system32\userinit32.exe, called via an addition to Winlogon -> Userinit, hidden from the Windows API and only visible with IceSword; the registry modification was re-creating itself after removal. The file timestamp on this one is 2004-08-11, the same as most stock XP files.
http://www.virustotal.com/analisis/cf0b882c689a513443845f3edea5cb16
Microsoft Antivirus (whatever that is) misses this one.

c:\windows\usebexuyiruburu.dll – can’t remember where this was called from. I think it was HKCU -> Run, whereas the others were HKLM -> Run.
http://www.virustotal.com/analisis/4407b4eb1474268be3033b8268608877
Again, Microsoft Antivirus does well while nearly all of the other 38 antivirus programs fail.
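As an added example (not from Carl’s post), here is a PowerShell audit of the two persistence points the post describes, Winlogon -> Userinit and the HKLM/HKCU Run keys. It assumes a stock layout where Userinit should contain only %SystemRoot%\system32\userinit.exe, and the function name Get-PersistenceFindings is my own.

```powershell
# Added example: audit the persistence points named in the post.
# Assumption: on a clean box the Userinit value is exactly
# "<SystemRoot>\system32\userinit.exe," and nothing else.
function Get-PersistenceFindings {
    $findings = @()

    # 1. Winlogon -> Userinit: twext.exe and userinit32.exe were appended here.
    #    Any entry other than the stock one is suspect, and an entry whose file
    #    Test-Path cannot see may be hidden from the Windows API (rootkit).
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
    $expected = Join-Path $env:SystemRoot 'system32\userinit.exe'
    foreach ($raw in ($userinit -split ',')) {
        $entry = $raw.Trim()
        if ($entry -eq '') { continue }
        if ($entry -ine $expected) {
            $findings += "Userinit: unexpected entry '$entry'"
            if (-not (Test-Path -LiteralPath $entry)) {
                $findings += "Userinit: '$entry' not visible to the file API (hidden or removed?)"
            }
        }
    }

    # 2. HKLM/HKCU Run: flag rundll32 launching a DLL, and DLLs living directly
    #    under the Windows directory (the post saw c:\windows\<random>.dll).
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
            $cmd = [string]$p.Value
            if ($cmd -match '(?i)rundll32(\.exe)?\s+"?([^",]+\.dll)') {
                $dll = $Matches[2]
                $findings += "$key\$($p.Name): rundll32 loads '$dll'"
                $winRoot = $env:SystemRoot.TrimEnd('\')
                if ((Split-Path $dll -Parent).TrimEnd('\') -ieq $winRoot) {
                    $findings += "$key\$($p.Name): DLL sits directly in $winRoot"
                }
            }
        }
    }
    return $findings
}

Get-PersistenceFindings | ForEach-Object { Write-Output $_ }
```

Run it from a clean boot environment or offline registry hive where possible, since the post notes the rootkit hides files from the live Windows API.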
