csrss.exe and SYSTEM.EXE mysteries...

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View
Hi gang,

I have a dual boot 98SE Lite and XPSP3 system. I use 98SE Lite
99.9% of the time. (Let's not get into a discussion of this,
please.)

Two peculiar things happened recently on my XP partition and on
my external USB drive, seemingly unrelated except that they
happened about 10 days apart and I have only gotten one other
infection in over 20 years of doing this.

I should mention that I have the XP partition although I hate XP
and almost never use it. I have it ONLY because of a piece of
hardware which only has XP drivers. Also, another advantage of
having it is that I can run MBAM.

A few days ago I thought it might be time to do an MBAM scan, so
I did. As usual, it found a few minor things (like the fact I
have the Windows Firewall off and do not wish to be informed of
this every time I boot into XP), and one which was not at all
minor - 3 copies (well, it actually listed 3 "memory processes")
of a file called csrss.exe in "Documents and Settings" - NOT the
file which is in the System32 directory. MBAM said it was a
"Trojan.Agent", I let it delete the file and that was that. No
ill effects were observed.

Specifically, the report says, 3 times with a diff. #:

Memory Processes Infected:
e:\documents and settings\admin\application data\csrss.exe
(Trojan.Agent) -> 1336 -> Unloaded process successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Shell (Hijack.Shell.Gen.A) -> Bad:
(Explorer.exe "E:\Documents and Settings\admin\Application
Data\csrss.exe") Good: (Explorer.exe) -> Quarantined and deleted
successfully.

The date of this file was July 14 2011.

There was also this:
HKEY_CURRENT_USER\SOFTWARE\VB AND VBA PROGRAM
SETTINGS\Micronsoft (Malware.Trace) -> Quarantined and deleted
successfully.

and

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\MSWUpdate (Trojan.Agent) -> Value: MSWUpdate -> Quarantined and
deleted successfully.

(Since I never go on the net with XP, I have auto updates turned
off, I don't know what else to say about this.)

I Googled for Micronsoft and got almost nothing except for a
tiny Indian site with some desi actress photos and a few semi-
nasty programs (a crack downloader, etc.) which I have never
seen before.

HOW the csrss.exe file got into the XP partition is a mystery,
since I do not go on the net with XP and I have not installed
anything (let alone a cracked program from a suspicious source)
on the XP partition in months. The main drive with its C
partition with the trusty 98 SE Lite was fine - nothing found.

As usual, I did not bother scanning the other partitions with
MBAM since they only contain data and since I work with them all
the time I would have probably noticed anything strange.

OK, that was more or less "normal", although a little baffling
(as in "where did it come from since I do nothing on that
drive"). I suppose I /did/ do /something/ but never noticed
anything wrong and forgot whatever it was that I did.

Now for the really strange part.

After doing the above, I rebooted into 98SE and switched on my
external USB drive. (It is actually just a regular drive I've
had for several years which I recently put into a $15 USB box. I
use it mainly for data storage/backup, and do not switch it on
every time I use the computer. It works fine. It actually works
better under 98SE Lite than under XP - in XP it gives me one
partition twice, and the partition order and letters are always
totally messed up. Whatever. XP /is/ better, right?)

Everything was fine.

However, when I switched on my USB drive yesterday, I instantly
noticed that EVERY PARTITION on the USB drive had two new files
in its root:

Autorun.inf
SYSTEM.EXE

Both with hrs attribs, and both dated July 23, 2011. I am
99.9999% sure they were not there when I was in XP and ran MBAM
on that day.

The contents of the autorun.inf file are as follows:

[autorun]
shELlexEcUtE=sYStEM.EXE
;
ICON=%WInDir%\SYsTEM32\sHeLl32.DLl,4
;
actioN=Open folder to view files Using explorer
;
shelL\OpeN\coMMAnd=SYSTEM.EXE
shELL\explore\COmmaNd=SYSTEM.EXE
UsEautOPLaY=1

Rather than booting into XP just to see what would happen ;-) I
thought I'd take the cowardly way out, and removed the hrs
attributes of all the files (I have 11 partitions on that drive,
so 22 files total - let's not get into a discussion of
partitions, please), and deleted them. No problem.

I scanned the files with ESET and it informed me that SYSTEM.EXE
was a variant of Win32/Injector.HTF trojan. I also looked at
"properties" as well as inside the file and it contained the
name "jgk.exe" as the original file name, and a few other
things, like the author's name, which I have a feeling may not
be authentic ;-) (it's "Riordan Barton", FWIW).

While nothing /really/ happened, I am curious as to how these
two files got onto my external USB drive which is only used
occasionally ***while NOTHING happened to the main drive inside
the computer***.

And, of course, where they came from in the first place.

I think I may have booted into XP for about ten minutes on the
23rd, I'm not sure.

I don't know if this has anything to do with the fake csrss.exe
file which, according to MBAM,  appeared on my system a few days
earlier (and is dated about 9 days earlier).

Since I was unable to find anything on the web, I thought I'd
post this story here. I would welcome any comments and
hypotheses, etc.

I have both files saved (renamed) if anyone wants to examine
SYSTEM.EXE or possibly even run it in Sandboxie or however you
guys play with these things.

(I apologize for the length of the post. I try, but I can not be
concise.)

Re: csrss.exe and SYSTEM.EXE mysteries...


Quoted text here. Click to load it

All that you posted were malware.  No doubt about that with the last being an
AutoRun
worm.

No execxutables should be in %appdata%.  They are there because you have full
rights to
write there rather than limited rights (using LUA) in the %windir% folder.

I'll be glad to look at ant file you have;  http://www.uploadmalware.com/ and
report back
my findings.


--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp



Re: csrss.exe and SYSTEM.EXE mysteries...



<snip>

Quoted text here. Click to load it

I realize that, I just can NOT figure out how I got it. And the
USB drive getting all infected and NOTHING happening to the
internal drive with the 2 OSs on it?

Quoted text here. Click to load it

I have 2 other LUAs, but the way XP is a completely different
machine for each user is one of the things driving me crazy, and
since I hardly ever boot into it, I just go as admin. Also, it
never connects to the internet.

Quoted text here. Click to load it

Sure, if you feel it worth your while, take a look at
"system.exe" and see what it does. csrss.exe is gone, I had MBAM
delete it before it occurred to me to save it.

I will upload it as system.bmp unless there is another option on
the site.

Thanks for the reply.

Re: csrss.exe and SYSTEM.EXE mysteries...


Quoted text here. Click to load it

Received, analyzed and report sent to you.


--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp



Re: csrss.exe and SYSTEM.EXE mysteries...


With permission ...

http://www.virustotal.com/file-scan/report.html?id=e6df43471fe12d21c0b0f130df25092c87c203dbae6d04a077b082e0a98612dd-1311718898

AntiVir 7.11.12.128 2011.07.26 TR/Agent.368640
Avast 4.8.1351.0 2011.07.26 Win32:Regrun-GW [Trj]
Avast5 5.0.677.0 2011.07.26 Win32:Regrun-GW [Trj]
AVG 10.0.0.1190 2011.07.27 Dropper.Generic4.MJB
BitDefender 7.2 2011.07.27 Gen:Trojan.Heur.VP.wm1@aythGgei
Emsisoft 5.1.0.8 2011.07.26 Trojan.Win32.Ircbrute!IK
F-Secure 9.0.16440.0 2011.07.27 Gen:Trojan.Heur.VP.wm1@aythGgei
Fortinet 4.2.257.0 2011.07.26 W32/VBKrypt.EEQS!tr
GData 22 2011.07.27 Gen:Trojan.Heur.VP.wm1@aythGgei
Ikarus T3.1.1.104.0 2011.07.26 Trojan.Win32.Ircbrute
Jiangmin 13.0.900 2011.07.26 Trojan/Generic.ikvd
K7AntiVirus 9.108.4950 2011.07.26 Riskware
Microsoft 1.7104 2011.07.26 Worm:Win32/Vobfus
NOD32 6327 2011.07.26 a variant of Win32/Injector.HTF
Sophos 4.67.0 2011.07.27 Sus/VB-CHMB
TrendMicro 9.200.0.1012 2011.07.26 TROJ_GEN.RC1C2GL
TrendMicro-HouseCall 9.200.0.1012 2011.07.27 TROJ_GEN.RC1C2GL
VIPRE 9974 2011.07.26 Trojan.Win32.Generic!BT
VirusBuster 14.0.140.0 2011.07.26 Trojan.Injector!soGi5fnPD2w


Goes to;
http://www.maxmind.com/app/locate_my_ip

To get the infected computer's GEO IP

Connection:
h4o.no-ip.info TCP:1052

Drops...
C:\Documents and Settings\USER_NAME\Application Data\smss.exe

http://www.virustotal.com/file-scan/report.html?id=8f933d44f0fa16e54f4f66636ba785737d4b0d0f584690a31da1b16f9d397150-1311720176

added to load via
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSWUpdate = C:\Documents and Settings\USER_NAME\Application Data\smss.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
shell = Explorer.exe "C:\Documents and Settings\USER_NAME\Application
Data\smss.exe"

Executes:

netsh firewall add allowedprogram C:\Documents and
Settings\USER_NAME\Application
Data\smss.exe CityScape Enable

C:\Documents and Settings\USER_NAME\Application Data\smss.exe /d C:\SYSTEM.exe


NOTE:  USER_NAME = User logged in account name



--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp



Re: csrss.exe and SYSTEM.EXE mysteries...

David H. Lipman wrote:
Quoted text here. Click to load it
http://www.virustotal.com/file-scan/report.html?id=e6df43471fe12d21c0b0f130df25092c87c203dbae6d04a077b082e0a98612dd-1311718898
Quoted text here. Click to load it
http://www.virustotal.com/file-scan/report.html?id=8f933d44f0fa16e54f4f66636ba785737d4b0d0f584690a31da1b16f9d397150-1311720176
Quoted text here. Click to load it

Was it "C:\" or "%userprofile%"?

His "E:\" should be an indication of what OS was running when the
infestation occurred if an environment variable was used. Sure looks
like he was running in XP not 98.


Re: csrss.exe and SYSTEM.EXE mysteries...


Quoted text here. Click to load it

I don't know what it did on his PC and the software used for analysis doesn't
use implicit
variables, it expresses them as explicit paths.


--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp



Re: csrss.exe and SYSTEM.EXE mysteries...


Quoted text here. Click to load it

<snip>

Quoted text here. Click to load it

I didn't notice it at first, but it should be E where it says C.
There seems to be a bug (for lack of a better word) in the
report software - it appears to assume the OS is always on the C
partition.

As we all know, there IS NO "Documents and Settings" in 98SEL,
and thank god for that. Nor is there an smss.exe or csrss.exe in
the windows dir, etc.

Re: csrss.exe and SYSTEM.EXE mysteries...


Quoted text here. Click to load it

It wouldn't be a "bug" as it reported exactly where the file was written to
based upon the
way it is setup.

I can reanalyze the file under Vista and Windows 7,  However, there is no test
VM for
Win9x/ME.


--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp



Re: csrss.exe and SYSTEM.EXE mysteries...


Quoted text here. Click to load it

<snip>

Quoted text here. Click to load it

As I said, C: has no "documents and settings", etc.

In the "2nd part" of this virus event, there was nothing written
to the internal drive (partitions c-j and 3 virtual drives and
CD drive), but ALL the partitions of the USB external drive (l-
y) had autorun.inf and system.exe written to it. THAT is the
most baffling part of this business. The fact that it started
with me /somehow/ getting a malware csrss.exe - which, btw, I
can not find any info on - into E's (XP) 'documents and
settings' "just happened", I guess, like things do when you
somehow get infected. I'll never know how it happened, and I
don't really care, but the 2 files written about 10 days later
to all 11 partitions on an external drive which wasn't even
turned on most of the time of the is a mystery. And ESET was
running all the time.

Quoted text here. Click to load it

Probably not worth it. I have had about half a dozen things
happen to me in 20 years which were absolutely inexplicable
(although in at least one case, could be duplicated on another
machine!).
 
Some of them took 2 months to resolve, some 2 days, and a few
never did get resolved. So, nothing new. Computers are our
friends.

Re: csrss.exe and SYSTEM.EXE mysteries...



Replies are inline...

Quoted text here. Click to load it

Right.  That is YOUR computer.  Not the WinXP VM this test was run under which
does have a
..
"C:\Documents and Settings" folder tree.  The test is for what the malware does
not
emulate what it will do on someone elses platform based upon their particular
setup.  We
note what files it drops, what modifications it makes to the system and we note
who it
communicates to and what is communicated.  The overarching concepts with soem
details.


Quoted text here. Click to load it

Malware will write to the areas it is programmed to write to.  As FTR noted it
could be
based upon a variable.  For example %WINDIR%  which could point to c:\windows ,
d:\windows
or c:\winnt  depending on what the variable is set to.  As I have expressed, the
VM Test
doesn't show implicit variables but explicit locations.  They arfe all based
upon the test
box and its setup.  From there you can only generalize.


Quoted text here. Click to load it

They are ?

Some people seemd to serve them rather computers serving people.

{ OK Max, you can post a Linux instead of Windows reply here - LOL }


--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp



Re: csrss.exe and SYSTEM.EXE mysteries...


Quoted text here. Click to load it

<snip>

Quoted text here. Click to load it

I realized that a short while after posting. I was influenced by
what someone in the thread said about C and E, and only
afterwards I realized that the computer you ran the test on
WOULD of course have "Docs & Sett." on C, as almost every PC in
the world does.

<snip>

Quoted text here. Click to load it

Well, then this must have been malware which targets all
partitions of any storage device connected via USB, or any
secondary (etc.) storage device, since nothing happened to the
internal HD.

I wish I could understand the description of its activities
which you provided better (thank you very much for taking the
time to run the tests, BTW), but I suppose what matters is that
I am (apparently) rid of the problem, the autorun and system.exe
files have NOT returned to the USB HD, and you got to test
another piece of malware.

<snip>

Quoted text here. Click to load it

I was being sarcastic. I actually greatly miss the pre-computing
and pre-cellphone days.

Quoted text here. Click to load it

Well, one could argue that already by now, 2011, almost everyone
in the technologically highly developed parts of the world is to
a greater or lesser extent a slave of the computers. Only some
individuals "serve them" directly, but all of us pay the dues.

<snip>

Thanks again for your time.

Re: csrss.exe and SYSTEM.EXE mysteries...


Quoted text here. Click to load it

NP.  It was my pleasure.


--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp



Re: csrss.exe and SYSTEM.EXE mysteries...

thanatoid wrote:
Quoted text here. Click to load it

My point in bringing it up was that it shows what environment the
malware was running in when it wrote to the drive. Whether it used a
relative path from the "user" directory or an environment variable it
would have to have been the XP environment not the 98 lite one.
Otherwise it could not have known that 'documents and settings' was on
the e: drive.

The infection might have happened (partially) within 98 and the
autorun.inf vector carried it to the XP non-networked environment.

Sorry for any confusion.


Re: csrss.exe and SYSTEM.EXE mysteries...


Quoted text here. Click to load it


Oh, please, no apologies are necessary. I may have been doing
this for 20 years, but I have some very basic gaps, and things
like %whatever% still confuse the hell out of me.

I suspect that the csrss.exe which somehow ended up in E:\docs
and sett created the 11 sets of autorun.inf and system.exe files
on the USB HD. It is very peculiar that nothing happened to the
internal drive, and that csrss.exe was as easy to get rid of
with MBAM as it was, and it is also peculiar that just removing
the rhs attribs and deleting the 22 files appears to have been
all that was necessary to get rid of the whole problem. IOW, it
could have been a lot worse.

I tend to be curious about how things work, and I was hoping
someone might have actually had experience with something
similar, but I suppose considering th number of malware and its
variations, that was rather unrealistic. And like I said, I have
had far worse experiences (not with malware, just in computing).

Thanks, and to others who contributed the thread as well.

t.

Re: csrss.exe and SYSTEM.EXE mysteries...


Quoted text here. Click to load it

Do you have a router?

You've already stated that you have the xp firewall off, and
are not applying updates.

If you are not behind a router, and the network connection has
been set up in xp (even if you don't use it), the computer is
vulnerable to attack.

Regards, Dave Hodgins

--
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

Re: csrss.exe and SYSTEM.EXE mysteries...


Quoted text here. Click to load it

Yes.


XP doesn't even have the XP network drivers installed. It can
NOT connect to the internet. That's the way I want it. As stated
in the original post, I ONLY installed it because of a stupid
piece of hardware with no pre-XP drivers.

Quoted text here. Click to load it

The network connection, like everything else, was set up in
98SEL. I wouldn't even *KNOW* how to go about setting it up in
XP for it to work in 98, even though I assume you know more than
I do, and that it CAN be done, somehow.

Thanks for the reply - your point is very valid, just not in
this case.

Re: csrss.exe and SYSTEM.EXE mysteries...

thanatoid wrote:
Quoted text here. Click to load it

[...]

Just out of curiosity (or it may be relevant) did you use NTFS at all or
were your intentions to use FAT32 so you could access your XP filesystem
with 98?

Re: csrss.exe and SYSTEM.EXE mysteries...


Quoted text here. Click to load it

If it ain't broke, don't fix it. FAT32 all the way.

FWIW - I've been using it since 95 came out and I have **never**
had (nor heard of anyone I personally know that did) a problem
with that file system.


Site Timeline