Goodbye Spybot, Hello MSSE? Part IX

---

In a continuing analysis of Microsoft Security Essentials, see previous posts, running a Full Scan while Process Monitor from SysInternals as a background process, produced more or less the same results as with the Quick Scan. The Full Scan, as with the former, is limited only to Documents and Settings, Program Files and Windows directories.

Moreover, some NTFS hidden-system metadata files were also read, such as Master File Table [$Mft], Cluster Allocation Bitmap [$BitMap] (Kozierok, 2001), $MapAttributeValue ^[1], and Security Settings Database [$Secure] (NTFS, 2010).

Hereunder are the summary of the Full Scan results and analysis:

In Documents and Settings, the contents of the following folders were scanned: Administrator, All Users, {UserName}, Guest, LocalService and NetworkService. Furthermore, most .exe, .dll, .sys files in Program Files were inspected including .chm, icc, .txt, .flt, among others. In the Windows folder, most system executable files and direct link libraries were scanned, including those in the root Windows directory and even the hidden folders, such as $NtServicePackUninstall$. Interestingly, in Windows\Fonts sub-directory only a handful of the installed fonts were scanned: framd.ttf, marlett.ttf, micross.ttf, tahoma.ttf, tahomabd.ttf and trebucbd.ttf!

Furthermore, Microsoft Security Essentials’ Full Scan tried to search for files with double extensions, e.g., explorer.exe, which could also exist as explorer.exe.bat, explorer.exe.cmd, explorer.exe.com, explorer.exe.exe, explorer.exe.lnk or explorer.exe.pif. If these double-extension files are present in a system, it is an obvious sign of malware infection.

In total, Process Monitor generated about 32,000 unique entries of NAME NOT FOUND (19,072), PATH NOT FOUND (7902), BUFFER OVERFLOW (3081), NAME INVALID (1721), and NO SUCH FILE (207).

The NAME NOT FOUND and PATH NOT FOUND resulted from MSSE’s search of such double-extension files, i.e., legitimate filename and regular extension plus an additional extension like .bat, .cmd, .com, .exe, .lnk or .pif and the associated directories created by malwares.

BUFFER OVERFLOW, according to Wikipedia, can be «triggered by inputs that are designed to execute code, or alter the way the program operates. This may result in erratic program behavior, including memory access errors, incorrect results, a crash, or a breach of system security.» So, probably memory access errors but surprisingly majority of these entries were generated while accessing, or in Process Monitor’s parlance IRP_MJ_QUERY_INFORMATION, initialization files [.ini] and files residing in C:\Program Files\Common Files\microsoft shared\ and C:\WINDOWS\system32\. For more information about IRP_MJ_QUERY_INFORMATION, refer to MSDN Library.

The NAME INVALID resulted from MSSE’s search of some files using the wildcard question mark [?] such as: winantivirus pro 20?? or C:\Program Files\virusheat ?.?. One such search, C:\Program Files\Windows Media Player\wmplayer.exe \prefetch:9 \Open is interesting because Windows XP cannot use the colon [:] to name a directory folder. Another was a search for
耄D.bat. In Windows XP,
cannot be used in a filename.

For NO SUCH FILE, MSSE’s Full Scan tried to search for Shortcut Links [.lnk] again using a series of wildcard character, question mark [?], such as: C:\Documents and Settings\Administrator\Start Menu\virusheat ?.?.lnk

---

Similar to the previous start-up scan and Quick Scan, the results of Microsoft Security Essentials’s Full Scan shows almost similar results for the System Registry:

MSSE’s Full Scan inspected most Shell Extensions [ShellEx], Class Identification [CLSID], Type Libraries [TypeLib] and Root Interface in Classes Root [HKCR]; most keys in Current User [HKCU] Software\Classes, including particular keys in Software\Microsoft such as Active Setup, Internet Explorer, Windows NT and Windows\CurrentVersion. In Local Machine [HKLM], Software\Microsoft sub-keys were scanned including: Active Setup, Code Store Database, Cryptography, Internet Explorer, Microsoft Antimalware, OLE, Windows NT\Current Version\ and Windows\Current Version. Moreover, most System\CurrentControlSet\Services keys were inspected. In the Users [HKU], most sub-keys in .Default, S-1-5-19, S-1-5-20 and S-1-5-21, specifically in the Control Panel and Software\Microsoft nodes, were scanned. Moreover, the same with the start-up and Quick scan, the Current Configuration [HKCC] was not scanned.

The Full Scan also searched for about a 600 pseudo-security applications and other malwares ranging from 1 Active Amok to Zipclix Search! Most of the generated NAME NOT FOUND in the Full Scan of the Registry were the Shell Extensions [ShellEx] handlers, Software Classes [CLSID] (about 7,165 keys in HKCR), Application Identification [AppID] (about 85 entries in HKCR, 70 keys in HKU, 48 keys in HKCU), installation and uninstallation strings of executable files and associated services of these pseudo-security applications and other malwares.

The Application ID [AppID] and executable files in the Registry found by MSSE’s Full Scan particularly in HKU\.DEFAULT\Software\Classes\, HKCU\Software\Classes\, HKU\S-1-5-19_CLASSES\ (Local Service), HKU\S-1-5-20_CLASSES\ (NetworkService), HKU\S-1-5-21-…-500_CLASSES\ (Administrator) and HKU\S-1-5-21-…-501_CLASSES\ (Guest):

∇{03F8822F-8877-4002-8BCD-B532D53D8471}, part of Ad-ware/Spy-ware, Claria.Weatherscope

∇{38061EDC-40BB-4618-A8DA-E56353347E6D}, {A9722A0D-365F-47D2-B70B-37D046316D99} and {84C3C236-F588-4c93-84F4-147B2ABBE67B}, PUP Ad-wares known as AdShot or Sky Banners from SmartAdsSolutions/EZLife

∇{8B0FEF15-54DC-49F5-8377-8172DE975F75}, GreenScreen.099 Trojan from Kazaa or Sharman Networks Ltd.

∇{D6BE4255-97C9-4D5C-9801-91DADDA92D81}, part of DownloadWare Trojan Horse

∇{E0DC5CC4-25A5-4BC7-A3AA-3525733DC796}, part of CasinoClient Adware

∇{F6BDB4E5-D6AA-4D1F-8B67-BCB0F2246E21}, Ad-ware known as AdMess

∇adm.EXE, Signing Module.EXE and {99A8E2B2-3405-4C0D-9110-131C14CAAF62} of Altnet Download Manager

∇atltoolbar.dll, {11BAF79B-530C-4200-A33D-48BE83FC75BE}, {5FB747F9-320C-47B4-9CE8-545FB4F3BA81}, a Loki Adware IE toolbar.

∇bookedspace.dll from BookedSpace.com

∇CtxPopup.DLL, a BHO from unknown publisher.

∇DailyToolbar.DLL and {951B3138-AE8E-4676-A05A-250A5F111631}, a utilitybar from authorizedsearchagents.com

∇dhbrwsr.EXE and dhsvr.EXE, an Ad-ware from DealHelper.com

∇DMServer.EXE {BAC984C9-78C8-4105-9E97-1675A4052686}, Xupiter.Orbitexplorer Trojan from Gator

∇ezulabootexe.exe {8A044397-5DA2-11D4-B185-0050DAB79376};
ezulamain.exe {C0335198-6755-11D4-8A73-0050DA2EE1BE}, EZULA Advertising and Revenue Network Ad-ware.

∇hbsrv.exe {B701A705-F828-11D4-A466-00508B5BA2DF}, Wallpaper.DLL, WeatherOnTray.EXE from HotBar.

∇HP.EXE and {C81CFF28-6DF1-402F-B78C-D9493EF59882}, a Trojan known as WebSearch/Look2Me.

∇hungryhands.DLL, a Browser Helper Object for a porn site.

∇Hyperbar.DLL, HyperbarSS3.DLL, and {C4AC1481-6C39-433E-BD39-2A05FBF45BA7}, an IE toolbar.

∇iconhandle.DLL, a Trojan/Backdoor Henbang.A

∇IEAddon.DLL {C0E56AC2-9F72-436E-B6E7-AEC28AF9E4EB}, part of Desktop Defender 2010 (rogue antispyware)

∇iebhos.DLL {3B99F202-145A-4E5A-AC7B-88A36910BF5E}, part of E2Give BHO.

∇LoaderX.EXE, part of IROffer.303b malware.

∇MediaGateway.EXE {735C5A0C-F79F-47A1-8CA1-2A2E482662A8}, an Ad-ware from 180Solutions.

∇MyDailyHoroscope.EXE {6E0AFB50-AB22-477C-B16A-AA155937791C}, an Ad-ware.

∇nhelper.DLL {710BCB5B-8C6C-483E-A4F5-FAF083B13184}, part of NavExcel Hijacker.

∇pblib32.DLL, Probot’s commercial computer surveillance program.

∇pllib.DLL {B0ED4726-5BC8-4E22-A7A8-3074A73CE64E}, part of Power Antivirus-2009.

∇QualitySuperBrandingSystem.DLL {6339581C-7838-64EE-63A9-D48B0E3D5F2E}, an Ad-ware, Play MP3.

∇Saristar.DLL {90A52F00-64AC-4DC6-9D7D-4516670275D0}, a BHO associated with sarb.exe, a porn dialer.

∇Search.DLL, part of WhenUSearch Helper
∇SearchBar.DLL Ad-ware from PopMonster

∇SearchHelp.DLL, Ad-ware known as Search.Assistant from BlazeFind.

∇SiteLoader.DLL and ListenerBHO.DLL, a toolbar/BHO from BrowserVillage.com.

∇cnform.exe {118A2BFA-5AC7-4D29-BEB9-D68F4D2CCCAB},
winnet.exe {AE6DDEB6-5683-4F5D-AD53-0F93B02A3F93}, installed by CnBabe IE plugin.

∇x0ff.DLL {D137514C-FFFA-492A-933B-D29145B7A468}, part of RiverSoft/ClearStream Accelerator.

∇XPlugin.DLL {AC3F36D4-F905-4FE9-A926-EB937E66F591}, a Hijacker used by CoolWebSearch.

---

Notes:

^[1] I have done an on-line search to clarify what $MapAttributeValue means or C:\$MapAttributeValue, but both instances to no avail. The closest the search engines returned was Attribute Definition [$ATTRDEF] and one engine declared: Did you mean to search for C:\$Map AttributeValue, instead! back to text

Kozierok, Charles M. (2001). NTFS System (Metadata) Files. On-line: The PC Guide, April 17, 2001. back to text.

NTFS.com (2010). NTFS System Files. On-line: NTFS – New Technology File System, 2010. back to text.

Disclaimer: These posts do not necessarily represent any organization’s positions, strategies or opinions; refer to this blog’s self-imposed rules: A New Year; New Rules. Unless otherwise expressly stated, posts are licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License. Comments are moderated to keep the discussion/s relevant and civil. Readers are responsible for their own statement/s.