HACK: "packs" Directory under \system32\drivers\etc

First, let me say: no warranties, etc. This is just a list of what I did to resolve the issues.

I found a ‘packs’ directory in C:\windows\system32\drivers\etc; my laptop had been hacked by an application that loads an FTP server. Normally, I’d follow this directory path to access the HOSTS files (which I was doing when I discovered this little bugger). I found this before any files were uploaded, so I cannot speak to content, but I suspect it to be a warez distibution site.

You might also find errors and references to "FireDaemon.exe". This supposed to be a friendly program, allowing EXEs to run as services, but its footprint is evidence of the hack. If your system has been hacked, you’ll see references to it on the \packs path in your registry.

Removal:
There are a variety of other files in the \packs path, start by deleting all you can, including the subdirectories. Some files cannot be removed as they’re in use. The leftovers include:

  • cygwin1.dll (legitimate POSIX Emulation DLL, but being used in a bad way).
  • dll32.exe (rundll32.exe is the real version; this looks familiar, but is a shell).
  • ldcd.dll (unknown).
  • svchost.exe (references "FTP Serv-U Daemon"; I suspect it has been renamed. McAfee tells us this popular FTP software has been exploited: http://vil.mcafeesecurity.com/vil/content/v_99901.htm).
  • cygregex.to_be_deleted (this gets created as you’re removing files, so something else is working).
  • ccdx.dll (unknown).
  • ig.dll (trojan downloader file).

To remove these pests:

  • Delete all registry entries referencing the path.
  • Open Windows Task Manager.
  • Kill process dll32.exe in task manager.
  • Navigate to C:\WINDOWS\Prefetch and remove references to DLL32.EXE-{numbers}.pf
  • With dll32.exe killed, you can now delete all but the false svchost.exe.
  • Return to Windows Task Manager and sort processes alphabetically.
  • Click on the first svchost.exe process that is running as ‘local service’ and click ‘end process’.
  • Try to delete the bogus svchost.exe file. Repeat the above step and this step until you can delete the file.

It’s not over yet. This hack also put a number of package delivery/deployment files in C:\WINDOWS\system32\drivers\etc. Delete them:

  • osql.exe (legitimate command line SQL tool).
  • unrar.exe (legitimate rar format file unpacker).
  • xp.rar (the package delivered by the hack).
  • xp.txt (command file to pull down the components).

Then:

  • Reboot to safe mode.
  • Confirm the directory hasn’t been recreated.
  • Search the registry for the \packs file path to ensure it hasn’t been recreated.
  • Check the registry: HKLM\Software\Windows\CurrentVersion\Run for any anamolies.
  • Reboot to normal mode.
  • Re-apply Windows XP Service Pack 2 (this should replace any legitimate file versions).

No warranty; use these steps at your own risk. Please add comments to the veracity of this solution, or additional steps you had to go through to remove the hack.

Advertisements

About Michael Coates
I am a pragmatic evangelist. The products, services and solutions I write about fulfill real-world expectations and use cases. I stay up-to-date on real products I use and review, and share my thoughts here. I apply the same lens when designing an architecture, product or when writing papers. I am always looking for ways that technology can create or enhance a business opportunity .. not just technology for technology's sake. My CV says: Seasoned technology executive, leveraging years of experience with enterprise and integration architectural patterns, executed with healthy doses of business acumen and pragmatism. That's me. My web site says: Technology innovations provide a myriad of opportunities for businesses. That said, having the "latest and greatest" for its own sake isn't always a recipe for success. Business successes gained through exploiting innovation relies on analysis of how the new features will enhance your business followed by effective implementation. Goals vary far and wide: streamlining operations, improving customer experience, extending brand, and many more. In all cases, you must identify and collect the metrics you can apply to measure your success. Analysis must be holistic and balanced: business and operational needs must be considered when capitalizing on a new technology asset or opportunity.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: