New Zhelatin Worm Infects tcpip.sys to Load its Rootkit Driver


If you’ve recently received emails with the subject line “You’ve received a greeting ecard from a Friend!” then you’ve already made acquaintance with a piece of malware known as Worm.Zhelatin. If you were to visit the site linked in the email and run the ecard.exe file, your system would be compromised by the Zhelatin trojan, which uses a particularly sneaky way to load itself – one that no autostart viewer can detect.

When executed, ecard.exe copies itself to C:\Windows\spooldr.exe and drops a driver named spooldr.sys into C:\Windows\system32 (as usual, C:\Windows is used to represent your Windows folder – the path may differ on your system). It then infects the Windows file tcpip.sys in the C:\Windows\system32\drivers folder.

It also disables Windows File Protection and then infects the C:\Windows\system32\dllcache copy of tcpip.sys.

After doing all this, it goes dormant until the next reboot to further avoid detection.

The code patched into tcpip.sys is designed to load the spooldr.sys driver, which is the main rootkit component of the Zhelatin worm. Once active, spooldr.sys attempts to hide spooldr.exe and spooldr.sys.

Interestingly, the trojan disables a number of security utilities, such as F-Secure’s Blacklight rootkit detector and the ZoneAlarm firewall.
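An offline triage check for the indicators described above, added here as an example (not code from the post). It walks a file inventory taken from an offline-mounted disk, looks for the dropped files, and compares both copies of tcpip.sys against a known-good hash; the inventory and hash below are constructed stand-ins, and spooldr.sys is checked in both system32 and system32\drivers because readers have reported either location.

```python
import hashlib

# Paths named in the post; spooldr.sys has been reported in both locations.
DROPPED_FILES = [
    r"C:\Windows\spooldr.exe",
    r"C:\Windows\system32\spooldr.sys",
    r"C:\Windows\system32\drivers\spooldr.sys",
]
TCPIP_LIVE = r"C:\Windows\system32\drivers\tcpip.sys"
TCPIP_CACHE = r"C:\Windows\system32\dllcache\tcpip.sys"

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def triage(inventory: dict, known_good: str) -> list:
    """inventory maps Windows paths to file contents; known_good is the SHA-256
    of a clean tcpip.sys for this exact build, taken from trusted install media."""
    files = {path.lower(): data for path, data in inventory.items()}
    findings = []
    for path in DROPPED_FILES:
        if path.lower() in files:
            findings.append(f"dropped file present: {path}")
    live = files.get(TCPIP_LIVE.lower())
    cache = files.get(TCPIP_CACHE.lower())
    if live is None:
        findings.append("tcpip.sys missing from the drivers folder")
    elif sha256(live) != known_good:
        findings.append("drivers\\tcpip.sys does not match the known-good hash")
    # The worm patches the dllcache copy too, so live == cache proves nothing;
    # a bad cache also means SFC must restore from the Windows CD.
    if cache is not None and sha256(cache) != known_good:
        findings.append("dllcache\\tcpip.sys is also modified; SFC will need the CD")
    return findings

# Constructed stand-ins: real contents and hashes depend on the Windows build.
CLEAN_TCPIP = b"constructed stand-in for a clean tcpip.sys"
PATCHED_TCPIP = CLEAN_TCPIP + b" + constructed loader stub for spooldr.sys"
KNOWN_GOOD = sha256(CLEAN_TCPIP)
INFECTED_HOST = {
    r"C:\Windows\spooldr.exe": b"constructed dropper copy",
    r"C:\Windows\system32\spooldr.sys": b"constructed rootkit driver",
    TCPIP_LIVE: PATCHED_TCPIP,
    TCPIP_CACHE: PATCHED_TCPIP,
}

if __name__ == "__main__":
    for finding in triage(INFECTED_HOST, KNOWN_GOOD):
        print(finding)
```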

Manual removal procedure:

  1. Reboot Windows into Safe Mode (not Safe Mode with Networking!)
  2. Delete the following files: C:\Windows\spooldr.exe and C:\Windows\system32\drivers\spooldr.sys
  3. Reboot Windows into normal mode
  4. Go to Start -> Run…, type sfc.exe /scannow and click OK
  5. When prompted, insert your Windows CD to restore the corrupted tcpip.sys

Disclaimer: Follow the manual removal steps at your own risk! You should always back up all important data prior to modifying your operating system.

14 Responses to “New Zhelatin Worm Infects tcpip.sys to Load its Rootkit Driver”

  1. andyk Says:

    Nice writeup. Just recd mail about yr new blog today. Look forward to some great stuff on it :-)

    andyk
    http://www.winvistaclub.com

  2. Steen Says:

    Hmm, but I am stuck with a machine where this has turned out to be insufficient. Both the spool files and the spool.ini are deleted, the tcpip.sys has been replaced, but still something is active that tries to manipulate the registry (Ad-aware catches it if you don’t react to the warning from Ad-aware).
    So it seems there is more to it than just this.

  3. ridiculous_fools Says:

    I have this virus, I could not find these spool files to delete them. Also, it disables Spybot. What should I do?

  4. More Spooldr.exe Malware « Mischel Internet Security - Blog Says:

    [...] malware. Hence, I’ve beefed up the generic detection for TrojanHunter users. See the previous post for more information on this piece of malware, as well as a manual removal [...]

  5. Alan Riddle Says:

    Can’t delete the spooldr.exe file, says access denied.

  6. Alan Riddle Says:

    Resolved the problem. Deleted the exe file through dos. I had to copy the tcpip file from another computer. I had the file in my computer but it was corrupt. After I replaced the file I rebooted and everything was fine.

  7. Carl Farrington Says:

    spooldr.sys was in \windows\system32 on the computers I have looked at, not in \windows\system32\drivers

    Also, I take tcpip.sys from somewhere like C:\WINDOWS\$hf_mig$\KB917953\SP2QFE if a CD is not available and I’m doing it over the phone with someone.

    Thank you so much for this great explanation of the problem.

    I should add a tip:

    netstat -a -v -b -n will show if spooldr.exe is running and active. They forgot to rootkit the netstat stuff ;)
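A small parser for the netstat tip above, added as an example (not from the post or the commenter): it reads Windows XP `netstat -a -v -b -n` output, pairs each connection with the executable that -b prints in brackets, and flags anything owned by a watchlisted name. The output below is a constructed sample, not a real capture, and the watchlist is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample of XP `netstat -a -v -b -n` output: -b prints the owning
# executable in [brackets] after each connection, -v the DLL chain before it.
SAMPLE_NETSTAT = r"""
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  C:\WINDOWS\system32\RPCRT4.dll
  [svchost.exe]

  TCP    192.168.1.23:1045      203.0.113.7:80         ESTABLISHED     1488
  C:\WINDOWS\system32\mswsock.dll
  C:\WINDOWS\system32\WS2_32.dll
  [spooldr.exe]

  UDP    0.0.0.0:4000           *:*                                    1488
  [spooldr.exe]
"""

# Connection line: proto, local, foreign, optional state (UDP has none), PID.
CONN_RE = re.compile(r"^(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)$")

@dataclass
class Conn:
    proto: str
    local: str
    remote: str
    state: str
    pid: int
    owner: str = ""  # executable named on the [bracketed] -b line

def parse_netstat(text: str) -> list:
    conns = []
    for raw in text.splitlines():
        line = raw.strip()
        m = CONN_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append(Conn(proto, local, remote, state or "", int(pid)))
        elif conns and line.startswith("[") and line.endswith("]"):
            conns[-1].owner = line[1:-1]  # bracket line belongs to last conn
    return conns

def find_suspicious(conns: list, watchlist=("spooldr.exe",)) -> list:
    names = {w.lower() for w in watchlist}  # assumed watchlist
    return [c for c in conns if c.owner.lower() in names]

if __name__ == "__main__":
    for c in find_suspicious(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{c.proto} {c.local} -> {c.remote} pid={c.pid} {c.owner}")
```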

  8. Carl Farrington Says:

    Also, this worm causes the NOD32KRN service to fail to start, resulting in the NOD32 Control Centre splash screen sticking on the desktop upon startup. A good indication of infection, as is people complaining of slow/dead internet access for the whole network.

  9. Carl Farrington Says:

    Forgot to say, you must also overwrite the tcpip.sys in \windows\system32\dllcache if you are manually replacing the file (i.e. not using SFC /scannow).

    Sorry for the multiple posts. Feel free to merge them. Thanks again.

  10. Chris Says:

    Just deleting the two files worked great for me. Thanks! Saved my friend $300 at geek squad ripoff patrol. And a HD format. To delete 2 files….

  11. Ryan O'Dwyer Says:

    Seems this worm has already mutated into something new, a driver with name: Otwo67.sys is infecting one of my systems, and is not being detected by: Trend Micro, AVG or Sophos rootkit remover (crashes), it is found by rootkitrevealer but can’t be removed. When I can get into safe mode I’ll upload to virustotal and find out if anyone has seen this new variant.

  12. Ryan O'Dwyer Says:

    oops Oqto67.sys is the correct driver name, I haven’t found an associated exe just yet

  13. Magnus Says:

    Ryan:

    We’d love to look at the files – email them to submit@misec.net if you have access to any

  14. Josh Says:

    Hey MATE!!!

    Thanks for this incredible write up, Working in an IT repair centre, just had a machine come through with the same error and I thought it would have been either a mainboard issue but I stumbled across your write up, thought there was nothing to lose and pretty much did what you said and it worked FINE!!

    Thank you soo much for this information really appreciate it =)
