This user received a spam complaint from her ISP suggesting that she was sending 1000s of spam emails per hour from her PC. User runs several Anti-virus products and they all scan CLEAN.
Sure enough, this PC is making outgoing SMTP (tcp/25) connections:
PID 0 68.117.194.xxx:2154 212.143.134.21:25 TIME_WAIT
PID 0 68.117.194.xxx:2160 12.158.35.251:25 TIME_WAIT
PID 1272 68.117.194.xxx:2167 130.183.70.10:25 SYN_SENT C:\WINDOWS\Explorer.EXE
PID 1272 68.117.194.xxx:2169 63.240.161.100:25 SYN_SENT C:\WINDOWS\Explorer.EXE
PID 1272 68.117.194.xxx:2171 65.54.166.230:25 ESTABLISHED C:\WINDOWS\Explorer.EXE
PID 1272 68.117.194.xxx:2172 198.185.2.70:25 ESTABLISHED C:\WINDOWS\Explorer.EXE
One major problem: EXPLORER.EXE is one of the main Windows components. It's not malware (some would argue that), so what's going on here?
We also see lots of unusual *inbound* connections to Explorer.exe:
PID 0 68.117.194.xxx:25043 69.56.200.90:3043 TIME_WAIT
PID 0 68.117.194.xxx:25043 69.56.200.90:3458 TIME_WAIT
PID 0 68.117.194.xxx:25043 69.56.200.90:3468 TIME_WAIT
PID 0 68.117.194.xxx:25043 69.56.200.90:3471 TIME_WAIT
PID 0 68.117.194.xxx:25043 69.56.200.90:3760 TIME_WAIT
PID 0 68.117.194.xxx:25043 69.56.200.90:3897 TIME_WAIT
PID 1272 68.117.194.xxx:25043 69.56.200.90:4163 ESTABLISHED C:\WINDOWS\Explorer.EXE
PID 1272 68.117.194.xxx:25043 69.93.27.250:1396 ESTABLISHED C:\WINDOWS\Explorer.EXE
It looks like tcp/25043 is a proxy server that is receiving the spam, and the tcp/25 activity above is that spam being relayed out through us. Let's take a closer look at ALL the components hooked into the Explorer.exe process:
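As an added example (not part of the diary), here is a small Python triage script that applies the same reasoning to a PID-annotated connection listing: it flags any process that is both opening SMTP sessions to several hosts and accepting connections from several peers on one fixed high port. The sample listing is constructed from the entries above; parse_connections, find_relay_candidates and their thresholds are my own names and assumptions, and the inbound-versus-outbound split is a heuristic (a fixed local port reused by several remote peers), not a LISTEN flag.

```python
import re
from collections import defaultdict

# Constructed sample in the diary's "PID n local remote STATE [image]" layout
# (a few of the diary's own rows plus one ordinary browser connection).
SAMPLE_CONNECTIONS = r"""
PID 0 68.117.194.xxx:2154 212.143.134.21:25 TIME_WAIT
PID 1272 68.117.194.xxx:2167 130.183.70.10:25 SYN_SENT C:\WINDOWS\Explorer.EXE
PID 1272 68.117.194.xxx:2171 65.54.166.230:25 ESTABLISHED C:\WINDOWS\Explorer.EXE
PID 1272 68.117.194.xxx:2172 198.185.2.70:25 ESTABLISHED C:\WINDOWS\Explorer.EXE
PID 1272 68.117.194.xxx:25043 69.56.200.90:4163 ESTABLISHED C:\WINDOWS\Explorer.EXE
PID 1272 68.117.194.xxx:25043 69.93.27.250:1396 ESTABLISHED C:\WINDOWS\Explorer.EXE
PID 900 68.117.194.xxx:3301 10.0.0.5:443 ESTABLISHED C:\Program Files\IE\iexplore.exe
"""

LINE_RE = re.compile(r"^PID (\d+) (\S+):(\d+) (\S+):(\d+) (\S+)(?: (.*))?$")

def parse_connections(text):
    """Turn the listing into dicts; rows that don't match the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pid, _laddr, lport, raddr, rport, state, image = m.groups()
        rows.append({"pid": int(pid), "lport": int(lport), "raddr": raddr,
                     "rport": int(rport), "state": state, "image": image or ""})
    return rows

def find_relay_candidates(rows, min_smtp=2, min_inbound_peers=2):
    """Return {pid: info} for processes that contact tcp/25 on at least min_smtp
    hosts AND are reached by at least min_inbound_peers distinct peers on one
    fixed local high port. Doing both at once is the spam-proxy pattern."""
    smtp_peers = defaultdict(set)                    # pid -> hosts contacted on :25
    inbound = defaultdict(lambda: defaultdict(set))  # pid -> local port -> peers
    images = {}
    for r in rows:
        if r["pid"] == 0:          # PID 0: socket already released, no owner to blame
            continue
        images[r["pid"]] = r["image"]
        if r["rport"] == 25:
            smtp_peers[r["pid"]].add(r["raddr"])
        elif r["rport"] >= 1024 and r["lport"] >= 1024:
            # remote side on an ephemeral port, our side on a fixed port:
            # heuristically an inbound connection to a service we are hosting
            inbound[r["pid"]][r["lport"]].add(r["raddr"])
    hits = {}
    for pid, peers in smtp_peers.items():
        if len(peers) < min_smtp:
            continue
        ports = {p for p, who in inbound[pid].items() if len(who) >= min_inbound_peers}
        if ports:
            hits[pid] = {"image": images[pid], "smtp_peers": sorted(peers),
                         "proxy_ports": sorted(ports)}
    return hits
```

Run against a live listing (netstat -ano on Windows XP gives PIDs, the image path then has to be joined from the task list) and anything returned deserves the module review described next.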
Modules loaded into PID 1272: "explorer.exe" / CmdLine: 'C:\WINDOWS\Explorer.EXE'
BaseAddr 0x01000000, LastMod 8/23/2001 12:00 PM : "C:\WINDOWS\Explorer.EXE"
BaseAddr 0x77F50000, LastMod 5/2/2003 5:03 PM : "C:\WINDOWS\System32\ntdll.dll"
[snip]
BaseAddr 0x5CD70000, LastMod 8/23/2001 12:00 PM : "C:\WINDOWS\System32\serwvdrv.dll"
BaseAddr 0x5B0A0000, LastMod 8/23/2001 12:00 PM : "C:\WINDOWS\System32\umdmxfrm.dll"
BaseAddr 0x70200000, LastMod 8/29/2002 2:14 PM : "C:\WINDOWS\system32\WININET.dll"
BaseAddr 0x1A400000, LastMod 10/18/2003 1:15 AM : "C:\WINDOWS\system32\urlmon.dll"
BaseAddr 0x70340000, LastMod 8/29/2002 2:14 PM : "C:\WINDOWS\System32\webcheck.dll"
BaseAddr 0x74B00000, LastMod 8/23/2001 12:00 PM : "C:\WINDOWS\System32\stobject.dll"
BaseAddr 0x74AF0000, LastMod 8/23/2001 12:00 PM : "C:\WINDOWS\System32\BatMeter.dll"
BaseAddr 0x74AD0000, LastMod 8/23/2001 12:00 PM : "C:\WINDOWS\System32\POWRPROF.dll"
BaseAddr 0x10000000, LastMod 12/7/2003 12:40 PM : "C:\WINDOWS\System32\child.dll"
There are nearly 150 DLLs hooked into the Explorer.exe process, and there's no easy way to know which one is specifically responsible for the proxying activity shown above. Fortunately, the hostile ones are usually the more recent ones, so we just look for DLLs with recent modification dates. 'child.dll' stands out cold: less than a month old at the time of this writing. We also find the startup entry for it:
Entries for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler:
{3F143C3A-1457-6CCA-03A7-7AA23B61E40F} = '', "C:\WINDOWS\System32\child.dll"
If we try to delete the above registry key, the (evil) 'child.dll' still running in the background re-writes it every few seconds. The only way to disinfect is to boot the system into safe mode, remove the registry key, then reboot again and delete the file.
Footnote: As of 2004-01-22 the three variants of 'child.dll' I have collected continue to scan negative with several major anti-virus products. My submission to Symantec's SARC was rejected as "known" and included in their beta definitions.