We looked at killing off spyware before. That spyware was pretty mild. Let’s look at some really nasty stuff! Here is an installer for Look2Me. Note: DO NOT INSTALL THIS ON A PRODUCTION COMPUTER! Use Virtual PC or VMware if you want to take a look at this spyware. The file is ZIPed, then RARed, so you’ll need WinRAR to unpack it. Before running INSTALLER.EXE, let’s start up Process Explorer. Upon launching INSTALLER.EXE, we notice that EXPLORER.EXE dies and then restarts itself. After this happens, a pop-up ad! Hmm! Looking at Process Explorer, we see nothing out of the ordinary:

The processes in blue were loaded after INSTALLER.EXE ran. Hmm... notice anything? All processes are digitally signed either by VMware, Sysinternals or Microsoft. Where is the malware? RUNDLL32 allows programmers to run DLLs as programs. In order to find out where the malware is, we have to go to EXPLORER.EXE and click on the Threads tab:

The sRfrcdlg.dll is the actual malware DLL launching the pop-up ads. Let’s kill all the DLLs out of memory. We locate sRfrcdlg.dll in C:\windows\system32. Attempts to delete the file fail. What is locking the file? EXPLORER.EXE! If we head back to Process Explorer and go to Find>Find Handle, we see that EXPLORER.EXE still has a handle or lock on sRfrcdlg.dll. Highlight the entry, then go to Handle>Close Handle. It will warn about doing so, but proceed. Now try to delete the file. The file still cannot be deleted! What gives?! If we do a DLL search we find this:

EXPLORER.EXE still has a lock on the file, even though sRfrcdlg.dll doesn’t appear to be running. To delete the file, we can use a nifty little program called Unlocker. This program is freeware and works very well! It installs itself as a menu extension, so all we have to do is locate the file in Windows Explorer, right-click on the file and pick Unlocker. Pick Delete and Unlock All, and flush goes the file!

Now there’s only one thing left to do: remove it from autostart. If you look in all the familiar places you won’t see it, but if you happen to look under Winlogon, there it is:

If you attempt to delete this key while Look2Me is running, it restores it! Whether you boot into Safe Mode or not, this key will always load, and it loads even before you log into the system. Nasty! That’s why you have to delete the DLL from memory and from the disk before you attempt removing it from the registry.
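As an added example (not part of the original post), here is a PowerShell audit of the two hiding places this walkthrough uncovers: DLLs mapped into EXPLORER.EXE that carry no valid Authenticode signature, and DLLs registered under the Winlogon Notify key. It assumes an XP-era system where Winlogon notification DLLs are still honoured and that the key in the screenshot is HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify; run it from an elevated prompt.

```powershell
# Added example, not from the original post. Assumes the Winlogon Notify key
# path below (the screenshot does not spell it out) and an elevated prompt so
# explorer.exe's module list can be read.

$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

function Get-UnsignedExplorerModules {
    # Every DLL loaded into explorer.exe whose signature does not verify.
    # Microsoft-signed system DLLs drop out; a DLL like sRfrcdlg.dll stays in.
    Get-Process -Name explorer -ErrorAction Stop |
        Select-Object -ExpandProperty Modules |
        Select-Object -ExpandProperty FileName -Unique |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Path   = $_
                    Status = $sig.Status
                    Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
                }
            }
        }
}

function Get-WinlogonNotifyDlls {
    # Each Notify subkey names its DLL in the DLLName value. Bare file names
    # are resolved against System32, where this post found sRfrcdlg.dll.
    if (-not (Test-Path $notifyKey)) { return }
    Get-ChildItem $notifyKey | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath).DLLName
        if (-not $dll) { return }
        $path = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $env:SystemRoot "System32\$dll" }
        $exists = Test-Path $path
        [pscustomobject]@{
            Subkey = $_.PSChildName
            Dll    = $path
            Exists = $exists
            Status = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Missing' }
        }
    }
}

'== Unsigned modules in explorer.exe =='
Get-UnsignedExplorerModules | Format-Table -AutoSize
'== Winlogon Notify DLLs =='
Get-WinlogonNotifyDlls | Format-Table -AutoSize
```

A Notify subkey whose DLL is unsigned or sits outside the usual Microsoft set is the entry to compare against the screenshot above; it is a report only, so removing anything is still the manual order the post gives: unload, delete from disk, then delete the key.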

Another ingenious solution for deleting the file was posted over at the Sysinternals forum by bmccool2003. This involves setting the “Deny” NTFS permission on the file for the Everyone group (and removing SYSTEM and CREATOR OWNER from the rights section). When you reboot, the OS doesn’t have permission to use the file, and thus you can log in and take ownership of the file. This will then let you delete the file.

- Soli Deo Gloria