Home > Articles
See Also: Gromozon
The strange case of Dr.Rootkit and Mr.Adware
In the last few years, we've seen a dramatic change of infection
techniques. Years ago, malicious programs started as simple file
infectors, then progressed through macro viruses, worms, script
viruses, and now we are plagued in massive numbers by backdoors,
trojans, adware, and rootkits.
The skill set needed for writing malware has changed, and so have
the goals. The days when virus writers wrote viruses to show off
how good they are at making malicious programs have gone away, and
now all that the virus writers care about is making money by infecting
a lot of computers.
By using bot trojan horses, an attacker can remotely gain system
access. There are thousands of networks of zombie computers - machines
infected with backdoors that are ready to be used for anything the
bot controllers desires, ranging from sending spam emails to performing
Distributed Denial of Service (DDoS) attacks.
A lot of these virus writers are fueled by companies that have poor
moral values and bad advertising campaigns. A company that wants
to advertise a product to a million users by email would need to
send out all of those emails by themselves, which can get their
company blacklisted very quickly. Instead, all they would need to
do is pay a virus writer to write a virus that can remotely infect
a computer, turning it into a mail server. Companies make millions
of dollars a year due to spam emails.
A lot of infections also advertise locally on the user's computer.
Malware is frequently used to display messages about products on
people's computers by analyzing their surfing habits and sending
the user's information to the attackers server.
Terrorists are also using bot networks (botnets) frequently to attack
websites. For example, someone could digitally hold a company and
its website ransom, forcing them to send money or else the virus
writer would start a distributed denial of service attack. Some
computer terrorists have networks of hundreds of thousands of computers,
making the attacks powerful enough to take down even the largest
The last weapon in the attacker's arsenal is the rootkit - a technique
used to hide the malicious code in an infected computer so that
no software can see them. There are many techniques available to
attackers which can hide files and other components of viruses.
Many of these techniques have been discovered and counter-attacks
have been created by antivirus companies, but, as always, the virus
writers are one step ahead and have many ways to combat even the
most powerful antivirus and antirootkit software. Some months ago,
users started reporting about a rootkit infection that was totally
unknown to antivirus companies. This threat is still emerging and
evolving and is still widely undetected. On the following pages,
we are going to analyze this infection in detail.
In May, 2006, users started to report some strange behavior in Windows:
strange crashes at boot up, unusual reports of antivirus software
reporting heuristic detections of files they couldn't clean, and
odd files appearing on the hard drive. Italian users reported the
URLs of suspicious websites. When users visited these websites,
their CPUs spiked abnormally high and their systems slowed down.
After these first signs, people reported infections of rootkits
on their computers, discovered by some rootkit scanners. Removing
this infection, on the other hand, would turn out to be much more
difficult than expected. In August 2006, three months later, this
infection is still spreading widely - not only in Italy, but to
other countries as well. No security company has released an update
for their engine or found a solution which totally removes the
In the following pages, we will deeply analyze the infection to
better understand how it works. All of the information stated in
this document has been taken from myself, the web, and other researchers
around the world. For information on contributors and sources, I
have included a complete list at the end of the document.
PART ONE: SPREADING TECHNIQUES ANALYSIS
The infection starts from strange Italian websites that contain
Infected webpages look like the picture below:
Although there are many different malicious websites that look different,
each has a common aspect - a link the source code to a website that
this script isn't a trivial task. We can see a function that terminates
with an eval() function and another function that calls
the main function, passing a long obfuscated string. The eval()
function will return the decoded script, so, we can change the
eval() function into an alert() function, forcing
the script to show the decoded code rather than run the code. Using
this method provided yet more obfuscated code. The encryption used
has multiple layers.
Looking more deeply into the code, we can see the use of arguments.callee.toString().replace(/\s/g,'').length
function, that returns a value related to the function body
itself. The same function is used as a parameter for the obfuscation
of the code. By changing eval() to alert(), we incremented the number
returned by that function by 1. Changing eval() to alert() and incrementing
the values by 1 subtracted the function arguments.callee.toString().replace(/\s/g,'').length
we can easily deobfuscate the code.
We can now see in the script that the next website is http://td8eau9td.com
that 'appears' to be closed by the abuse team - but that is
a fake message.
Looking at the website's information:
Registration Service Provided By: ESTDOMAINS INC
Domain Name: TD8EAU9TD.COM
Austen Rando (email@example.com)
Conde St. 16 81
Creation Date: 08-Aug-2006
Expiration Date: 08-Aug-2007
As we can see, this website is registered at ESTDOMAINS, which isn't
surprising because a lot of spam and malware-related websites come
from them. The creation date is interesting because it looks like
there is someone who is trying to change domains quickly to prevent
being defeated by users who block everything from a specific domain.
If we try to connect to the webpage shown in the deobfuscated script,
we will find a complex PHP script which is loaded dynamically and
changes depending on the browser's user agent. This means that depending
on the browser, each user will receive a different type of infection.
We tested with Internet Explorer 5, Internet Explorer 6, Mozilla
Firefox 22.214.171.124 and Opera 9 user agents:
Internet Explorer 5 U.A = Mozilla/4.0 (compatible; MSIE 5.01; Windows
Internet Explorer 6 U.A = Mozilla/4.0 (compatible; MSIE 6.0; Windows
NT 5.1; SV1)
Mozilla Firefox 126.96.36.199 U.A = Mozilla/5.0 (Windows; U; Windows NT
5.1; en-US; rv:188.8.131.52) Gecko/20060508 Firefox/184.108.40.206
Opera 9 U.A = Opera/9.00 (Windows NT 5.1; U; en)
We caught four different webpages. The webpage loaded with Internet
Explorer utilized the highest number of exploits and similar types
OPERA 9 BEHAVIOUR
Surfing the webpage with Opera 9 loaded another .htm page which
if it is Win32, it then downloads an executable called
FIREFOX 220.127.116.11 BEHAVIOUR
Surfing with Firefox 18.104.22.168 loaded the same script as surfing with
Opera and it then asked to download the same executable. With Firefox,
The picture below shows the 1st layer unobfuscated code.
INTERNET EXPLORER 5 BEHAVIOUR
When surfing it with Internet Explorer 5, the webpage attempted
more attacks than with the other browsers. The webpage loaded 5
different iframes, and each iframe used a different kind of attack.
The first iframe load tries to automatically drop the same
was also obfuscated.
The second iframe tries to install a well-known Java exploit called
the exploit is loaded only after a check of installed software on
the PC. It checks the presence of antivirus software like:
Norton Antivirus (NAVCfgWizDll.NAVCfgWizMgr)
and so on, skipping the installation of the exploit if it one of
them is found.
(and patched) vulnerability in the createControlRange() function.
This vulnerability can be exploited by a malicious web site to corrupt
the memory in a way which allows to the program flow to be redirected
to the heap. Successful exploitation allows the execution of arbitrary
code. This bug is dated 2005-02-27 and reported by Microsoft as
if the surfer's platform is Win32 and then tries to install an ActiveX
control called FreeAccess.ocx.
This OCX is a library that will be copied under the System32 directory
<randomname>.dll with a size of 15648 bytes. This file is
Kaspersky Antivirus as Trojan.Win32.Agent.rl.
The fifth iframe tries to manually download the same executable
as the first iframe.
INTERNET EXPLORER 6 BEHAVIOUR
Internet Explorer goes to yet another different webpage than the
others. The first iframe is the same as the Internet Explorer 5
webpage, and tries to automatically load the www.google.com
The second iframe tries to exploit the well known WMF bug,
if an antivirus software is installed - similar to the check in
the IE5 paragraph above - and then, if nothing is found, tries to
load a file called img.tif. This is a malformed image that
exploits the WMF bug and tries to download a DLL from http://gromozon.com/d.php?10000_2
and saves it into the System32 directory as jvaa.dll,
with a size of 12288 bytes. This file is registered as a BHO.
The third iframe loads the ActiveX - FreeAccess.ocx, as
we saw for Internet Explorer 5.
The fourth iframe loads the same executable as the first iframe,
but this time asks the user to manually launch it.
PART ONE: FINAL THOUGHTS
at the beginning. That is the bridge from the normal websites to
this malicious server.
What is really impressive is the amount of work that is done by
and the links we've analyzed, caught by the webpage linked to the
link generated dies after a predefined time - about an hour. After
website, it takes a couple seconds to have the links generated and
visited by the user - all automatically, then the server removes
all of the links to prevent analysis and other random directories
are created for other victims.
In this analysis, we accessed http://td8eau9td.com as the
server that contains all of the scripts and malware. However, this
is only the last server changed, as we could see in the registration
date of the domain that it was created 8 August, 2006.
Before this server, others were the assigned server used to spread
these malwares - the most famous is gromozon.com, registered
as seen below:
Registration Service Provided By: ESTDOMAINS INC
Domain Name: GROMOZON.COM
Ladarius Mcgeary (firstname.lastname@example.org)
Pembroke Rd 80 79
Creation Date: 16-Feb-2006
Expiration Date: 16-Feb-2007
This is the first website caught during May 2006, the starting website
of this infection. As we can see, it is registered since 16 February
2006, and it is registered to ESTDOMAINS as well.
The other known domain is mioctad.com, registered under:
Registration Service Provided By: WNZ
Domain Name: MIOCTAD.COM
Vernon Dayton (email@example.com)
Avenue A 78 26
Creation Date: 03-Jun-2006
Expiration Date: 03-Jun-2007
This is the second server registered based on the creation date.
Why three servers? Changing the server often defeats attempts by
people to prevent infection by blocking the servers.
To prevent further infections, we can block these three servers,
but we know that the maintainer will just change the server another
time, as he did with
previous servers. The one thing that has stayed constant is the
Blocking access to this domain will prevent all infections even
if the webmaster changes the servers used to spread the malware
(as long as he doesn't change it also ;) )
PART TWO: INFECTION TECHNIQUES ANALYSIS
We've seen from Part One the names of the files that are installed
onto the victim's PC when surfing on that website.
Now we need to know more about the actual files that we have installed
on your PC so that we can know every aspect of this infection.
We've seen that the infection is different according to the browser
used to surf on the server. The common file for all of the browsers
is www.google.com which will be the last file we are going
With Internet Explorer 5/6 an unaware victim received:
- Java exploit Byte.Verify, easily detected by almost every
antivirus software (on Internet Explorer 5):
- An ActiveX called FreeAccess.ocx that needs user permission
to be installed;
- www.google.com on which we'll dedicate a full paragraph;
- img.tif, a WMF exploit that downloads some malware from
the server (in case you still need some more malware ;) )
We are going to analyze FreeAccess.ocx and img.tif.
When the browser asks to install this ActiveX and the user accepts
it, this OCX will drop a 15648 byte long dll with a random name
(in our case vcaa.dll) into the Windows System Directory (usually
After this, the dll is registered as a CLSID under:
This dll is recognized by Kaspersky Antivirus as Trojan.Win32.Agent.rl.
Very few antivirus companies currently recognize this sample.
This file is a WMF exploit and won't be loaded if the victim uses
an antivirus software that is checked by the script, as seen in
If the PC is unpatched and the script launches the exploit, img.tif
will download a 12288 byte file from http://gromozon.com/d.php?50310_2
and it will be saved into the Windows System Directory with
a random name and a dll extension. These sizes are the sizes currently
found as I am writing this article and they can arbitrarily change
as the author wishes.
This dropped file is also detected by Kaspersky Antivirus as Trojan.Win32.Agent.rl
and few other antivirus programs find this file.
This is the infamous file - the source of all evils coming from
the gromozon.com website. We need to ask yourself: Why the strange
The author is using an interesting form of social engineering
with this filename by tricking the user into answering 'yes' to
the "Do you want to download this file?"
message on a file that the user will think is coming from Google,
This file is definitely not a website - it is actually an executable
file with a .COM extension. 'COM' files are executed exactly
the same as .exe, .pif, .scr, .bat, .cmd and many other similar
file formats. The www.google.com file is a dropper which
installs more files into the user's computer.
Since May 2006, this executable has changed its source code many
times by using a type of server-side polymorphism. By not containing
a static malware body, the virus becomes more difficult to detect
by antivirus companies. To further evade detection and testing by
antivirus companies, the dropper doesn't work at all on a Virtual
After the file is launched on a real computer into the system, the
virus attempts to make so many changes that, in some cases, corrupts
the operating system and causes startup crashes - showing errors
caused by C:\WINDOWS\system32\SERVICES.exe.
First of all we can hear hard disk working hard for some seconds,
but technically we don't see nothing, nothing appear. After the
dropper starts, we will hear the hard disk working intensely for
a few seconds, but we don't see anything. The dropper connects to
a remote server, 22.214.171.124, and drops some installers
that install an adware program, a rootkit, and a fake Windows service.
The droppers are downloaded into the C:\Windows\Temp\<randomname>1.exe
and C:\Documents and Settings\<user>\local settings\temp
(the %TEMP% directory).
We are going to analyze these three parts.
Immediately after the dropper is launched, a new - fake - user account
is created in Windows with a random name and a random password.
After the new user account is created, a directory under C:\Documents
and Settings\ with the same name as the new account is created.
After this, a new file is created under C:\Program Files\Common
Files\system (or sometimes under Microsoft Shared instead of
system). This file has a random name and random size. It is encrypted
using the Windows Encrypting File System (EFS) feature
so that only the fake account has rights to it, preventing any other
user from moving, reading, or deleting it. The file can be recognized
because it is marked with a green colour.
A new Windows service which is related to this file is then created
with a random name. We can recognize this fake service because of
its random name and the "Logon As" value is the name of
the randomly created account.
This service is detected by Nod32 as: Win32/Agent.VP
After the service is created, an adware with a random name is installed
to the C:\Windows\ directory. In our tests, this file is
called luijp1.dll and is 64671 bytes long.
The file is loaded as a BHO (browser helper object) under: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser
This adware is hidden to the user by the rootkit. Adware LinkOptimizer
shows advertising on the victim's PC when surfing the web. Kaspersky
Antivirus detects this file as: not-a-virus:AdWare.LinkOptimizer.a
The most annoying part of this infection is the rootkit component.
After the dropper is launched, the rootkit is installed onto the
victim's PC. This is a usermode rootkit which is hard to remove
because it randomly make use of:
- Windows reserved names;
- Alternate Data Streams (ADS);
Microsoft Windows has a list of reserved device names that can't
be used for normal file naming. These names are:
It is impossible with normal file operations to delete or create
files with these names, but, if you use the \\.\ prefix, you can
delete and create these files easily with the command prompt.
If you have a file called:
and try to do
you will receive an error because you can't access this file as
it uses a reserved
name, but if you try to do:
you can bypass the check and fully delete the file.
The rootkit can also infect your system by copying rootkit code
into the Alternate Data Stream of a file or directory. This
method is only possible if the victim's file system is NTFS. Alternate
Data Streams (ADS) is a feature of the NTFS file system that can
fork file data into existing files without affecting their functionality,
size, and prevent traditional file browsing utilities from viewing
It is an alternative, hidden stream where a software can write to
and it will be hidden from most file browsing utilities and some
If you want to see the ADS features of the NTFS file system, you
can click on Start - Run and write this command:
Notepad will create a text file hidden in the ADS of the autoexec.bat
file. The ":" is used when you want to write to
This rootkit makes use of this feature, copying its code usually
into the ADS of the root drive C:\ (for example: "C:\:xchse.xmz")
or into the Windows System Directory ADS (for example
After the rootkit is loaded, it modifies the APPInit_DLLs key at
loading itself (with the \\?\ prefix if it is using a reserved name
and not the ADS method).
After it is fully loaded, the rootkit hides the APPInit_DLLs key
and hides the
LinkOptimizer adware by hooking the following APIs:
After this, the rootkit removes the SeDebugPrivilege privilege
to all Windows user accounts. This will prevent some anti-rootkit
programs from running - for example, the F-Secure BlackLight
The rootkit component is launched with fake user account rights
so that removing the ADS streams are even harder than removing the
The rootkit component is detected by Kaspersky as: Trojan.Win32.RKDice.a,
but not every variant is detected because there are a lot of different
variants. The newest versions of the rootkit appear to implement
a checksum scanner to prevent the execution of anti-rootkit
software like GMER, The Avenger and IceSword.
Modifying with an hex editor some bytes (for example strings values)
of the software "The Avenger" allowed us to fully run the software,
rootkit's checksum scanner.
PART THREE: Final thoughts
This paper has described what we actually know about this threat
that started spreading in Italy and then spread across the entire
There is no automatic solution for cleaning this infection, and
users can only use some programs together which can be difficult
for many users.
To remove the infection caused by W32/Agent.VP - the Windows service
- it is possible to use a cleaner developed by Paolo Monti which
is downloadable from http://www.nod32.it/cgi-bin/mapdl.pl?tool=Agent.VP
Otherwise, users need to go through a manual procedure. The standard
procedure is summarized here but this could be inadequate for some
variants of the infection.
1) To deactivate the rootkit, you need to understand that cleaning
the APPInit_DLLs key is the key to deactivating (deactivating is
different from removing - deactivated means that the file is still
in the system by is no longer directly harmful) the rootkit. You
need to deactivate the rootkit before being able to check the files
that are hidden by it. Download the www.gmer.net
anti-rootkit program and scan the system. If it finds a hidden
DLL in the C:\Windows folder and a strange file hidden, you
should take note of the full path of these two files.
2) Take note of the full path of where the Windows Service executable
is located (if it is present on the drive). Usually it is in C:\Program
Files\Common Files\System or C:\Program Files\Common
3) Take note of the name of the directory created under C:\Documents
4) Download a program called "The Avenger" from http://swandog46.geekstogo.com/avenger.zip
and unpack it to C:\, in a directory called tool (the name of
the directory isn't important, and a user can call it as he wants)
and launch the program called avenger.exe.
5) Click on "Input Script Manually" and then click the
magnifying glass icon. A window will open where you can write your
script. The user simply has to copy and paste the code below:
Registry values to replace with dummy:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs
Folders to Delete:
<here insert full path to directory with random name found>
Files to delete:
<here insert full path to dll hidden found>
<here insert full path to hidden file found if it isn't
hidden into ADS>
Users need to change the lines with those found in points 1, 2,
6) After the code is compiled, the user needs to click on the "Done"
button and then on the traffic light button. If everything goes
well, the software will ask to restart the computer.
7) If The Avenger returns some kind of error, close the software,
delete (if present) the folder C:\Avenger, and delete the
files error.log and avenger.txt from C:\ and rename
the directory where avenger.exe is located with another name and
restart from point 1.
8) After the computer reboots, if notepad.exe is opened with the
Avenger.txt file, everything should be going well (if the user copied
the right paths into the script) and the rootkit infection with
the adware and Windows Service should be gone.
9) If the rootkit is hidden into an ADS, there is no complete working
procedure, and you will need to talk with an expert who can help
The most important thing is to deactivate the rootkit - removing
all of the files is just a "bonus".
This is only a short guide and doesn't cover every case of this
infection, as we said at the beginning of this part. If you want
to follow a more advanced guide, you can read the full guide written
by the SuspectFile team at this address:
Prevx released a full automatic removal tool at the address below:
Link to the Prevx Press Release is:
-------- UPDATE: INSIDE WWW.GOOGLE.COM FILE -------
The executable file downloaded from gromozon.com website act as
It contains in its code a dll embeded, which is the real component
that download and install rootkit, adware and EFS-cripted file.
The Dll is firstly extracted under %TEMP% directory and, after that,
C:\WINDOWS\System32 directory as <random>.dll.
Then the dll tries to connect to a remote server to download remaining
I talked in the 2nd part about Virtual Machine check on www.google.com.
More deeply, the check is located in the dll embedded into the executable
and responsible of installing rootkit and other infection components.
Check routine used is a well known and old trick called by Joanna
Rutkowska as “Red Pill”.
Routine check where IDT (Interrupt Descriptor Table) is located
in memory, at which memory address.
Normally, a Windows-based pc locates IDT at address 0x80xxxxxx but
emulated machine locate it in different memory address spaces.
VMWare, for example, locates IDT at 0xffxxxxxx address whilst VirtualPC
locates it at 0xe8xxxxxx address.
So, routine checks if the IDT memory address is major of 0xDxxxxxxx.
If so, then dll is running on a emulated machine and stop its infection
The SIDT instruction stores the contents of the IDTR in a 6-byte
memory location. This instruction can be executed at ring 3 too,
because it isn't privileged in the Intel architecture.
In some later versions, the dll doesn't show anymore this routine
explicitely, instead it's written immediately in a opcode way, in
a attempt to obfuscate it.
-------- UPDATE: NEW SERVER AND TRICKS ADDED -------
Since the first version of this paper I have observed no significant
changes in the infection routines.
Gromozon team refined a bit website infection, adding new infection
servers and adding another bridge server together the old js.gbeb.cc.
New bridge server is js.pceb.cc, which uses a new way to infect
reading a referrer parameter from the starting website.
Another different thing is the change on starting websites. There
isn't anymore direct link to the bridge server, but another obfuscated
Then Gromozon team added more infection servers. This list is taken
post in Wilders Security Forum, done by user TNT:
Good thing is that at least Google is trying to filter these decoy
---------------------- UPDATE: CHANGED AGAIN ----------------------
Since the last time I've updated this document, a lot of things
have changed with the infection routine of this rootkit. Starting
from spreading websites, going thru dropped files and looking what
a user sees in his infected pc, almost everything changed a bit.
We're going to see what happened during these weeks.
First of all, list of websites that are spreading this infections
is increased a lot and can be resumed in the list below (even if
incomplete and not exact, because as far as we know there could
be other new websites ready to start spreading infection again):
To prevent access to these websites you could modify your HOSTS
file – under C:\WINDOWS\System32\drivers\etc\ - adding these
websites as shown below:
Remember that the first line of HOSTS file must always be: 127.0.0.1
When visiting infected websites with Internet Explorer, as explained
in one of the first pages of this document, an ActiveX installation
is asked. This is anymore the same name of ActiveX control, instead
gromozon team changes it continuously, so it's almost useless to
list down every new name found.
Even the dropped file www.google.com isn't anymore the same but
name changed continuously, but it always has the same structure:
www.<some name strange>.com.
So you can find: www.music.com, or www.play.com, or something else.
If it's asked to download a file with this filename structure, this
is almost surely a gromozon related file.
Even the file structure of the dropper and the dll dropped into
System32 directory is almost changed.
They changed packer, FSG instead of UPX, and changed ways to protect
dll from curious eyes. We talked before about anti-emulating routine
(Red Pill), now it includes antidebugging routines (SoftIce check)
and anti-logging tools, like Filemon and Regmon.
More interesting is the new version of the rootkit installed by
the dll. New rootkit features include file check and website check.
In fact, rootkit blocks access to that websites that could give
information on how to remove gromozon infection from pc.
Some of blocked websites are:
www.pcalsicuro.com (my website)
This list is not still complete, more websites are blocked. Moreover,
the rootkit tries to block removal tools developed to remove the
An incomplete list of blocked tool is below:
Prevx Gromozon removal tool;
Symantec Fix LinkOptimizer;
Actually, as far as we know, our removal tool works if main executable
is renamed with a random name choosed by user. Manual removal tool
shown before in this paper is now useless with latest versions of
rootkit. After we removed the rootkit, then it's useful to manual
removing remaining files.
Last “funny” trick used by Gromozon team is defaming
my name and Prevx company name as virus authors.
In fact, a message box appears when trying to run a blocked software,
as shown here below:
Now the tactics followed by gromozon team is clear: trying to accuse
me to be gromozon author. Looking at this infection, it looks like
that I wrote the rootkit with the goal of blocking other security
tools to make money through my website (on which, by the way, there
isn't a Paypal link through which donate money).
In fact, think this: would be really so smart adding my name into
the message box and, moreover, adding NOW this messagebox when this
infection is spreading since May 2006?
This paper is a cumulation of a lot of sleepless nights filled with
work from me and many other researchers during the past months.
Users need to understand how to defeat this threat and, if antivirus
companies still haven't written a full report, this could help them
(and other users) to understand what is happening to thousands of
infected people that are reporting strange infections to forums
This paper will be updated as soon as more information becomes available.
If you think to have more information that need to be added here
or you think there is some kind of error, feel free to write me.
I hope you will all appreciate my work.
Hardware Upgrade Editor
[ a t ] email [ d o t ]it
Reproduced with kind permission of Marco Giuliani.