View full version : Brief Description of Look2Me

03.12.2007, 20:22
Brief description of "Look2Me"
Look2Me installs from the file Installer.exe (about 577 KB). The installation is silent, and no entry is created in the Windows "Add/Remove Programs" list, so it cannot be uninstalled from there later. The DLL is placed in %WINDIR%\system32 (from this point on, %WINDIR% denotes the folder where Windows is installed) and registers itself under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify, so that it is loaded by Winlogon at logon. A CLSID is also created and registered as a Windows Explorer extension module (the name of that element is not fixed). The DLL carries no description or copyright information.
Kaspersky Anti-Virus detects the latest version of Look2Me as not-a-virus:Adware.Win32.Look2Me.ab.

Determining the presence of Look2Me on a system
The presence of Look2Me on a system can be confirmed from a HijackThis log (HijackThis.log) and from the system report generated by AVZ (avz_sysinfo.htm).
In the HijackThis log there will be an entry of the following form (the names vary from sample to sample):

O20 - Winlogon Notify: <arbitrary name> - %WINDIR%\system32\<arbitrary name>.dll

In the AVZ report, the list of processes/loaded modules will show two or three DLLs and/or the file guard.tmp in the folder %WINDIR%\system32, each about 228-231 KB in size and with empty "Description" and "Copyright" fields. These files are part of Look2Me.
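The two indicators above (a Winlogon\Notify subkey pointing at a system32 DLL, and DLLs/guard.tmp of 228-231 KB with no version metadata) can be checked directly on the host instead of by reading logs. The following PowerShell script is an added example and is not part of the original post or of AVZ/HijackThis; it assumes Windows XP/2003 with PowerShell 2.0 or later (Vista and later no longer load Winlogon Notify packages, so the key is normally empty there), and the size window and "no metadata" rule are taken from the description above, not from any signature database.

```powershell
# Added example, not part of the original post: triage of Winlogon Notify
# packages against the Look2Me profile described above (DLL in
# %WINDIR%\system32, roughly 228-231 KB, empty Description and Copyright).
# Assumes Windows XP/2003 with PowerShell 2.0 or later.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$system32  = Join-Path $env:SystemRoot 'system32'
$minBytes  = 228KB   # size window taken from the post; widen it if the sample differs
$maxBytes  = 232KB

function Get-FileProfile {
    param([string]$Path, [string]$Entry = '')
    $file = Get-Item -LiteralPath $Path
    $vi   = $file.VersionInfo
    $desc = "$($vi.FileDescription)".Trim()
    $copy = "$($vi.LegalCopyright)".Trim()
    $noMetadata = (-not $desc) -and (-not $copy)
    $inRange    = ($file.Length -ge $minBytes) -and ($file.Length -le $maxBytes)
    $verdict = if ($noMetadata -and $inRange) { 'SUSPICIOUS: matches Look2Me profile' }
               elseif ($noMetadata)          { 'review: no description/copyright' }
               else                          { 'ok' }
    New-Object PSObject -Property @{
        Entry = $Entry; Dll = $Path; SizeKB = [math]::Round($file.Length / 1KB)
        Description = $desc; Copyright = $copy; Verdict = $verdict
    }
}

# 1. Each subkey under Winlogon\Notify names its DLL in the DLLName value;
#    the HijackThis O20 line is a rendering of exactly this data.
Write-Host "== Winlogon\Notify packages =="
Get-ChildItem -Path $notifyKey -ErrorAction SilentlyContinue | ForEach-Object {
    $entry = $_.PSChildName
    $dll   = (Get-ItemProperty -Path $_.PSPath).DLLName
    if (-not $dll) { return }    # no DLLName value: nothing is loaded, skip
    $dll = [Environment]::ExpandEnvironmentVariables($dll)
    # a bare file name is resolved from system32, as the loader does
    if (-not [System.IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $system32 $dll }
    if (Test-Path -LiteralPath $dll) {
        Get-FileProfile -Path $dll -Entry $entry
    } else {
        New-Object PSObject -Property @{ Entry = $entry; Dll = $dll; SizeKB = $null
                                         Description = ''; Copyright = ''
                                         Verdict = 'file missing (dangling entry)' }
    }
} | Format-Table Entry, Dll, SizeKB, Description, Copyright, Verdict -AutoSize

# 2. Look2Me also drops guard.tmp and sibling DLLs in system32 with no version
#    metadata; list every file in the size window that lacks it.
Write-Host "== system32 files matching the Look2Me profile =="
Get-ChildItem -Path "$system32\*" -Include '*.dll', 'guard.tmp' -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.Length -ge $minBytes -and $_.Length -le $maxBytes } |
    ForEach-Object { Get-FileProfile -Path $_.FullName } |
    Where-Object { $_.Verdict -ne 'ok' } |
    Format-Table Dll, SizeKB, Verdict -AutoSize
```

Run it from an administrative prompt. Lines marked "review" are common for legitimate third-party software that ships without version resources, so treat only the combination of a Notify entry, the size window and missing metadata as a Look2Me match, and keep the subkey names it prints: they are what the registry-based removal method below deletes.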

Removing the infection
There are several methods of dealing with the infection, differing in effectiveness.
Example treatment of Look2Me using AVZGuard:
1. Close all running programs, start AVZ and turn on AVZGuard.
2. Treat the computer and, where necessary, apply "delayed file deletion" to the Look2Me files.
3. If necessary, remove the Look2Me autorun entries in the Autorun Manager and the Explorer Extensions Manager.
4. Exit AVZ without turning off AVZGuard and reboot the computer.
5. After the reboot, if necessary, "finish off" the remaining files.

1. Booting from CD/DVD and scanning with an antivirus program
- A good method when you have a LiveCD with an antivirus on it.

2. Connecting the infected HDD to a clean PC and scanning it with antivirus software
- A good method when a clean PC is at hand, the HDD has a standard interface, and you are able to open the case and power the infected machine down completely.

3. Correcting the registry
(Tested on Windows 2000; on other versions the menu and dialog names may differ.)
Run regedt32.exe and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify. In the program menu select "Security\Permissions...", press "Advanced", and in the window that appears (on the "Permissions" tab) click "Add" and select the user "Everyone". Once "Everyone" appears in the list of "Permission entries", select it and press "View/Edit". In the window titled "Permission Entry for Notify", put a tick in the "Deny" column for "Set Value" and "Create Subkey". This blocks the creation of new subkeys and values under Notify (including by the still-running Look2Me DLL, which otherwise re-creates its entry), but does not block their deletion, so you can now delete the subkeys under Notify that refer to Look2Me files without leaving the registry editor. After this the computer must be rebooted.

4. Using the Dr.Web antivirus
Install a trial version of "Dr.Web for Windows workstations" ( http://download.drweb.com/win/ ).
In the SpIDer Guard settings (right-click the SpIDer icon): Settings - Scanning mode - change "Optimal" to "Other", tick "Start and open" and "Creation and write", set the extended protection mode to "Deny", and untick "Check running programs and modules". Then go to the "Actions" section, select "Malicious programs" - "Advertising programs", set "First action" to "Move to Quarantine" and press "Apply". After this, reboot the computer.

In compiling this description, materials by Oleg Zaitsev and RiC were used.


<<Translation by MAPKOBKA^^ from the original located here: http://virusinfo.info/showthread.php?t=4481>>