lfkxaor.exe and salbhfd.exe

This one is rather fun.

It installs itself in C:\Program Files\Common Files\System\lfkxaor.exe and is packed with NSAnti.

Upon execution, a second file is unpacked and installed in C:\Program Files\Common Files\Microsoft Shared\salbhfd.exe. Both files are hidden using file attributes. Each process watches the other during execution and restarts it if it is interrupted. Apart from installing the usual Run keys for Windows startup, the virus creates many new entries under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, each with a Debugger value. Launching any of the associated filenames runs the salbhfd.exe process instead.

salbhfd.exe appears to shut down any window that may display its filename. This makes cleaning troublesome. As those who have dealt with NSAnti will know, it also incorporates a simple check for debuggers via IsDebuggerPresent() and relies on the SEH chain to resume execution from a deliberately raised exception (a divide by zero). Fun and games.

To prevent the machine from starting in safe mode, various keys are removed from the SafeBoot registry. Rebooting in safe mode results in the dreaded Blue Screen of Death. System Restore also appears to be corrupted.

New keys are created under the registry hive

Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, each with a Debugger value. Filenames include

avp.exe, Ras.exe, nod32.exe, Rav.exe, 360Safe.exe, IceSword.exe, HiJackThis.exe and more.

To prevent booting into safe mode, the following registry keys are also removed:

SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
SYSTEM\ControlSet001\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
SYSTEM\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}
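The two registry changes described above (IFEO Debugger hijacks and the deleted SafeBoot class keys) can be audited before touching anything. The following is an added example, not code from the original post: it lists every IFEO subkey carrying a Debugger value and reports whether the four SafeBoot keys named in the post are present. The {4D36E967-...} GUID is the DiskDrive device class, which safe mode needs to boot. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): audit the two registry areas
# the post describes. Run from an elevated PowerShell prompt.

$ifeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Every subkey here is named after an executable; a Debugger value makes
# Windows launch the named debugger instead of that executable (here the
# post reports salbhfd.exe). Legitimate entries can exist, so review each
# hit rather than deleting blindly.
Get-ChildItem -Path $ifeoPath | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        [PSCustomObject]@{
            Program  = $_.PSChildName
            Debugger = $dbg
        }
    }
} | Format-Table -AutoSize

# The post lists these SafeBoot keys as deleted. The GUID is the DiskDrive
# device class; without it safe mode cannot mount the disk and boot.
$guid = '{4D36E967-E325-11CE-BFC1-08002BE10318}'
foreach ($set in 'ControlSet001', 'CurrentControlSet') {
    foreach ($mode in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\$set\Control\SafeBoot\$mode\$guid"
        if (Test-Path -Path $key) { "present: $key" } else { "MISSING: $key" }
    }
}
```

Any Debugger value pointing at salbhfd.exe, or a MISSING line for a SafeBoot key, confirms the infection pattern the post describes. The audit is read-only, so it is safe to run while the trojan processes are still alive; salbhfd.exe only reacts to windows that display its filename, so avoid putting the name in the console title.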

Windows updates are also removed to prevent patching.

Cleaning

To clean the machine, kill all of these processes simultaneously, including lfkxaor.exe, salbhfd.exe and explorer.exe. Use taskkill with the Force option to achieve this. Then proceed with cleaning without rebooting into safe mode.

Rename the hidden system binaries.
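The cleaning steps above, scripted, as an added example that is not part of the original post. The file paths and process names are the ones the post reports; the .quarantine suffix, the removal of IFEO Debugger values that point at salbhfd.exe, and the restoration of the SafeBoot keys with their stock default value (DiskDrive) are my additions. Run from an elevated PowerShell prompt on the infected machine, without rebooting into safe mode first.

```powershell
# Added example (not from the original post): the cleanup sequence the post
# describes, scripted. Paths and filenames are the ones reported in the post.

$binaries = @(
    'C:\Program Files\Common Files\System\lfkxaor.exe',
    'C:\Program Files\Common Files\Microsoft Shared\salbhfd.exe'
)

# 1. Kill both watchdog processes and explorer.exe in a single forced
#    taskkill call (the post's method), so neither binary gets a chance
#    to restart the other.
taskkill /F /IM lfkxaor.exe /IM salbhfd.exe /IM explorer.exe

# 2. Clear the hidden/system attributes and rename the binaries so the Run
#    keys and IFEO entries no longer find anything to launch.
#    Get-Item needs -Force to see hidden files.
foreach ($path in $binaries) {
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($item) {
        $item.Attributes = 'Normal'
        Rename-Item -LiteralPath $path -NewName ($item.Name + '.quarantine')
    }
}

# 3. Remove only the IFEO Debugger values that redirect to salbhfd.exe;
#    other Debugger entries may be legitimate tooling.
$ifeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeoPath | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg -and $dbg -like '*salbhfd.exe*') {
        "removing Debugger from $($_.PSChildName): $dbg"
        Remove-ItemProperty -Path $_.PSPath -Name Debugger
    }
}

# 4. Recreate the SafeBoot class keys the post says were deleted. On a stock
#    install their (Default) value is the class name, DiskDrive.
$guid = '{4D36E967-E325-11CE-BFC1-08002BE10318}'
foreach ($set in 'ControlSet001', 'CurrentControlSet') {
    foreach ($mode in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\$set\Control\SafeBoot\$mode\$guid"
        if (-not (Test-Path -Path $key)) {
            New-Item -Path $key -Value 'DiskDrive' | Out-Null
        }
    }
}

# 5. Restore the desktop shell.
Start-Process explorer.exe
```

The Run keys the post mentions are not named, so they still need to be located and removed by hand (their values will point at the two paths above). Renaming rather than deleting keeps the binaries available for analysis, and once safe mode boots again the machine can be checked from there.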

> Posted by Karma on Sunday, 22 July 2007
