Infection by Virantix - braviax.exe

A user reported that she received an email message purportedly from Southwest Airlines, which contained an attachment. Since she had recently arranged travel to Chicago through Southwest Airlines for someone in her office, she assumed the message was a legitimate message regarding his flight. Unfortunately, it was not.

When she attempted to view the attachment, she received an "access denied" message, probably from the Symantec AntiVirus Corporate Edition client software on her system, but her system was still infected by malware. She said that her system had rebooted and that she was now seeing a message that her system was infected.

When I checked the status of her system with Symantec AntiVirus Corporate Edition on the server running the Symantec System Center, it was reporting that it had detected Trojan.Pandex as well as other malware [See SAV Virus History (CSV File)].

Symantec AV Detected Malware

When I connected to her system, I saw the following popup warning at the lower right-hand corner of her screen.

Fake Infection Warning

The fake warning message appearing on the system was as follows [Note: "prevent" is misspelled as "pervent"]:

Windows has detected spyware infection!

It is recommended to use special antispyware tools to pervent data loss. Windows will now download and install the most up-to-date antispyware for you.

Click here to protect your computer from spyware!

I brought up the Task Manager and clicked on the Processes tab to look for processes I didn't recognize. I saw braviax.exe. I didn't recognize it as a legitimate process on that system, so I searched for it on the hard disk to see where it was located. I found the file in C:\WINDOWS\system32. I then looked up its process ID and killed the process.

C:\>dir /s braviax.exe
 Volume in drive C has no label.
 Volume Serial Number is D8B5-E4AE

 Directory of C:\WINDOWS\system32

09/09/2008  07:51 AM             9,216 braviax.exe
               1 File(s)          9,216 bytes

     Total Files Listed:
               1 File(s)          9,216 bytes
               0 Dir(s)  35,570,573,312 bytes free
C:\>tasklist /fi "imagename eq braviax.exe"

Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
braviax.exe                 1916 RDP-Tcp#4               0      4,684 K

C:\>taskkill /f /pid 1916
SUCCESS: The process with PID 1916 has been terminated.

When I checked the registry with regedit, I found the following value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run:

Name      Type      Data
braviax   REG_SZ    C:\WINDOWS\system32\braviax.exe

I deleted the value. I found the same value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and deleted it there as well.
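The steps above (find every copy of the file, kill the running instance, pull the Run-key values that restart it) are the same on any Windows box, so here they are as one script. This is an added example, not code from the original post: it assumes a current Windows with PowerShell 5.1 or later (the XP-era system in the post only had cmd.exe, hence the dir, tasklist and taskkill output above), it computes a SHA256 so the file can be looked up on VirusTotal by hash before uploading it, and the image name, the list of Run keys and the -Apply switch are this example's own choices. It reports only, unless -Apply is given.

```powershell
# Added example (not from the original post): triage a suspect image name the
# way the post does by hand. Run from an elevated PowerShell prompt.
param(
    [string]$ImageName = 'braviax.exe',   # the file the post found in system32
    [switch]$Apply                        # without this, nothing is changed
)

# Per-user and machine-wide Run keys; both held a 'braviax' value in the post.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# 1. Locate every copy of the file on the system drive (equivalent of dir /s).
#    Hash each one so it can be checked against VirusTotal before any upload.
$copies = Get-ChildItem -Path "$env:SystemDrive\" -Filter $ImageName -Recurse -Force -ErrorAction SilentlyContinue
foreach ($f in $copies) {
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    Write-Output ("FILE    {0}  {1} bytes  created {2}  sha256={3}" -f $f.FullName, $f.Length, $f.CreationTime, $hash)
}

# 2. Running instances (equivalent of tasklist /fi "imagename eq braviax.exe").
$baseName = [System.IO.Path]::GetFileNameWithoutExtension($ImageName)
$procs = Get-Process -Name $baseName -ErrorAction SilentlyContinue
foreach ($p in $procs) {
    Write-Output ("PROCESS pid={0} path={1}" -f $p.Id, $p.Path)
    if ($Apply) { Stop-Process -Id $p.Id -Force }   # equivalent of taskkill /f /pid
}

# 3. Run-key values whose data references the image (the persistence the post found
#    in both HKCU and HKLM). Removed only with -Apply.
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        if ($data -like "*$ImageName*") {
            Write-Output ("AUTORUN {0}\{1} = {2}" -f $key, $name, $data)
            if ($Apply) { Remove-ItemProperty -Path $key -Name $name }
        }
    }
}
```

Run it once without -Apply to see what it would touch, then with -Apply. Note that this only covers the Run keys the post looked at; the Spybot findings later in the post (a Winlogon Notify DLL, a replaced spoolsv.exe) are persistence mechanisms this script does not check, which is why killing the process and clearing the Run keys was not the end of the clean-up.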

I uploaded the braviax.exe file to VirusTotal, a site that scans suspect files with multiple antivirus engines, for analysis. Fifteen of the thirty-six engines it used reported the file as malware [See VirusTotal Report or VirusTotal Compact Report].

The email message had passed undetected through a Barracuda Spam Firewall, which uses ClamAV, and the attachment wasn't stopped by the Symantec AntiVirus Corporate Edition 8.1 software on the user's system.

I decided to install Spybot Search & Destroy on the system. When I uninstalled the old 1.4 version of Spybot Search & Destroy already on the system in preparation for installing the 1.6.0 version, Symantec AntiVirus popped up a warning regarding an infected file detected on the system.

Scan type:  Realtime Protection Scan
Event:  Virus Found!
Virus name: Hacktool.Rootkit
File:  C:\DOCUME~1\JOANN~1\LOCALS~1\Temp\rdlA5.tmp
Location:  Quarantine
Computer:  J
User:  Jo Ann
Action taken:  Quarantine succeeded : Access denied
Date found: Tuesday, September 09, 2008  7:33:03 PM

I was prompted to reboot the system after uninstalling Spybot Search & Destroy 1.4, which I did.

When I logged into the system after rebooting, I saw the following message from Symantec AntiVirus Corporate Edition:


Scan type:  Realtime Protection Scan
Event:  Virus Found!
Virus name: Hacktool.Rootkit
File:  C:\DOCUME~1\JOANN~1\LOCALS~1\Temp\rdl3.tmp
Location:  Quarantine
Computer:  J
User:  Jo Ann
Action taken:  Quarantine succeeded : Access denied
Date found: Tuesday, September 09, 2008  8:05:44 PM

When I brought up the Windows Explorer, I saw the message below from Symantec AntiVirus (SAV):


Scan type:  Realtime Protection Scan
Event:  Virus Found!
Virus name: Hacktool.Rootkit
File:  C:\DOCUME~1\JOANN~1\LOCALS~1\Temp\rdl3.tmp
Location:  Quarantine
Computer:  J
User:  Jo Ann
Action taken:  Quarantine succeeded : Access denied
Date found: Tuesday, September 09, 2008  8:05:44 PM

When I closed the Explorer and reopened it, a similar message appeared only referring to C:\DOCUME~1\JOANN~1\LOCALS~1\Temp\rdlAA.tmp this time.
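Three quarantine alerts for the same threat under three different rdl*.tmp names in the same Temp folder, all within forty minutes, mean something still on the system is dropping fresh copies; quarantining each one treats the symptom. The script below is an added example, not part of the original post: it parses alerts in the layout Symantec AntiVirus used above and rolls them up per threat so that recurrence under changing file names is obvious. The alert text is a constructed sample modelled on the alerts shown (the time on the rdlAA.tmp alert is invented, since the post does not give it); the function names are this example's own.

```powershell
# Added example (not from the original post): roll up SAV real-time protection
# alerts per threat. Constructed sample in the layout the post shows.
$sampleAlerts = @'
Scan type:  Realtime Protection Scan
Event:  Virus Found!
Virus name: Hacktool.Rootkit
File:  C:\DOCUME~1\JOANN~1\LOCALS~1\Temp\rdlA5.tmp
Location:  Quarantine
Computer:  J
User:  Jo Ann
Action taken:  Quarantine succeeded : Access denied
Date found: Tuesday, September 09, 2008  7:33:03 PM

Scan type:  Realtime Protection Scan
Event:  Virus Found!
Virus name: Hacktool.Rootkit
File:  C:\DOCUME~1\JOANN~1\LOCALS~1\Temp\rdl3.tmp
Location:  Quarantine
Computer:  J
User:  Jo Ann
Action taken:  Quarantine succeeded : Access denied
Date found: Tuesday, September 09, 2008  8:05:44 PM

Scan type:  Realtime Protection Scan
Event:  Virus Found!
Virus name: Hacktool.Rootkit
File:  C:\DOCUME~1\JOANN~1\LOCALS~1\Temp\rdlAA.tmp
Location:  Quarantine
Computer:  J
User:  Jo Ann
Action taken:  Quarantine succeeded : Access denied
Date found: Tuesday, September 09, 2008  8:09:12 PM
'@

function ConvertFrom-SavAlert {
    # Each alert is a block of "Field:  value" lines; blocks are separated by a blank line.
    # Values may themselves contain colons (times, "Quarantine succeeded : Access denied"),
    # so only the first colon on a line separates field from value.
    param([string]$Text)
    foreach ($block in ($Text -split '(?:\r?\n){2,}')) {
        $rec = [ordered]@{}
        foreach ($line in ($block -split '\r?\n')) {
            if ($line -match '^([^:]+):\s*(.*)$') { $rec[$Matches[1].Trim()] = $Matches[2].Trim() }
        }
        if ($rec.Contains('Virus name')) { [pscustomobject]$rec }
    }
}

function Get-ThreatRollup {
    # One row per threat name: how many detections, how many distinct files, where,
    # and the file-name pattern with the variable hex part collapsed to '*'.
    param([object[]]$Alerts)
    $Alerts | Group-Object -Property 'Virus name' | ForEach-Object {
        $files = @($_.Group | ForEach-Object { $_.File } | Sort-Object -Unique)
        [pscustomobject]@{
            Threat      = $_.Name
            Detections  = $_.Count
            UniqueFiles = $files.Count
            Folders     = (@($files | ForEach-Object { Split-Path -Path $_ -Parent } | Sort-Object -Unique)) -join '; '
            NamePattern = (@($files | ForEach-Object { (Split-Path -Path $_ -Leaf) -creplace '[0-9A-F]+(?=\.tmp$)', '*' } | Sort-Object -Unique)) -join ', '
            Actions     = (@($_.Group | ForEach-Object { $_.'Action taken' } | Sort-Object -Unique)) -join '; '
        }
    }
}

Get-ThreatRollup -Alerts (ConvertFrom-SavAlert -Text $sampleAlerts) | Format-List
```

Fed the real alert history (for example the CSV the Symantec System Center exports, once mapped to the same field names), a threat that keeps reappearing with UniqueFiles climbing while Actions stays at "Quarantine" is the signal to stop cleaning files and go looking for the component that writes them.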

When I ran Spybot, it asked me if I wanted to uninstall 1100 temporary files. I chose "yes". It indicated it couldn't remove 276 temporary files, because they were in use. A second attempt to remove those 276 files also failed.

Spybot found a lot of malware on the system [See HTML or TXT report]. For the malware for which Spybot could provide further details, I've included those details here. The braviax.exe file in C:\WINDOWS\system32 was associated with Virantix by Spybot. Spybot reported "no information available" for Virantix.

Spybot indicated for Premium Search that "The trojan horse also uses rootkit functionality to hide some of its parts. Removal of this trojan horse will require a reboot. After the reboot the explorer may not start anymore, this will require to open Spybot via the taskmanager and fix the remaining parts of PremiumSearch." Since I was running Spybot through a Remote Desktop Protocol (RDP) connection to the system on which I installed it, I was afraid I might not be able to get back into the system remotely after removing it, so I deselected it from the ones I would have Spybot fix. I also deselected Virtumonde, for the same reason. For it, Spybot stated "It also adds a randomly named dll to the Winlogon Notify, which will make it very resistable to removal. Removal requires the computer to be disconnected from the internet and restarted after first scan and fixing session."

When I had Spybot fix the other entries, I saw the following message:

Some problems couldn't be fixed; the reason could be that the associated files are still in use [in memory].
This could be fixed after a restart.
May Spybot-S&D run on your next system startup?

I chose "yes". Spybot indicated that CouponBar was the only one that was not fixed.

For Delf.Spool.cn, Spybot had the description below:

This trojan horse replaces the original spoolsv.exe with its own to get started by the system and run in background. Variants may also connect to a Chinese website in background. After fixing with Spybot-S&D please restore the original spoolsv.exe from the c:\windows\system32\dllcache folder to the c:\windows\system32 folder.

When I checked c:\windows\system32\dllcache, I did not find any spoolsv.exe there. But Spybot didn't appear to have deleted the spoolsv.exe file in c:\windows\system32 either, though.

I then decided that I should be able to establish an SSH connection to the system even if there was a problem with the GUI login, so I had Spybot remove Premium Search and Virtumonde as well. It indicated that it fixed those without a problem. I then rebooted the system. When I logged in afterwards, Spybot indicated it found 275 temporary files. It stated it couldn't remove 271 of those, because they were in use. I then had it scan the system. It reported "Congratulations! No immediate threats were found!"

Unfortunately, recently another support person had to install software on this user's system for a newly purchased Savin C6055 copier/printer/scanner to allow her to store documents scanned with the Savin C6055 in "file cabinets." Her system was the only one in the office on which this software was installed. For the others, I simply shared the C6055 "printer" from the server and had them connect to that shared printer to print to the unit. The copier support technician was not able to get the software to work under the user's account after it was installed under the local administrator account on the system. He said he believed the user's account had to be in the local Administrators group for it to work. Unfortunately, against my better judgment, I acquiesced and put her account in the local Administrators group. Which, of course, allowed the malware to install itself, since that account now had administrator privileges for the system.

When I questioned the copier technician about why the software should require administrative privileges to work, he told me that the software was developed for his company by a partner company. Unfortunately, that developer apparently had no qualms about writing the software in such a way that it required the security of a system to be compromised in order for the software to work. In addition to the considerable amount of time spent disinfecting the system, I'll now have to try to figure out exactly what privileges and file and registry access the software actually needs, to try to rectify that problem and allow me to limit the user account to the Users group rather than have it in the Administrators group. This is, unfortunately, not the first time I've run into this problem. I've encountered a similar problem with Intuit's QuickBooks software, which, though it is designed specifically for business use, has, at least in versions I've installed, required more than normal user account privileges to be used under user accounts on the system.
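The usual way to do what the last paragraph describes is to run the program under the user's own account with Process Monitor filtering on ACCESS DENIED results, then grant the account rights on exactly the folders and keys that turn up, instead of membership in Administrators. The script below is an added example, not code from the original post or from the copier vendor: the account name, the application folder and the registry key are placeholders standing in for whatever that measurement shows, not the Savin product's real paths, and the -Apply switch is this example's own convention. It assumes a current Windows with PowerShell 5.1 or later and an elevated prompt.

```powershell
# Added example (not from the original post): the least-privilege alternative to
# adding the user to the local Administrators group. All three targets are
# placeholders to be replaced with what Process Monitor actually reports.
param(
    [string]$User      = 'JoAnn',                          # assumed local account name
    [string]$AppFolder = 'C:\Program Files\ExampleScanner', # placeholder, not the real path
    [string]$AppRegKey = 'HKLM:\SOFTWARE\ExampleScanner',   # placeholder, not the real key
    [switch]$Apply                                          # without this, only report
)

# 1. Take the account back out of Administrators. 'net localgroup' works on every
#    Windows version, including the XP-era system in the post.
Write-Output "net localgroup Administrators `"$User`" /delete"
if ($Apply) { net localgroup Administrators "$User" /delete }

# Inheritance so that files and subfolders (or subkeys) created later are covered too.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

# 2. Grant Modify (read, write, create, delete; not Full Control, so the user cannot
#    change the ACL itself) on the folder the program needs to write to.
$fsRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $User, 'Modify', $inherit, 'None', 'Allow'
Write-Output "grant Modify on $AppFolder to $User"
if ($Apply) {
    $acl = Get-Acl -Path $AppFolder
    $acl.AddAccessRule($fsRule)
    Set-Acl -Path $AppFolder -AclObject $acl
}

# 3. Grant write access on the vendor's own key only, never on all of HKLM\SOFTWARE.
$regRule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
    -ArgumentList $User, 'FullControl', $inherit, 'None', 'Allow'
Write-Output "grant FullControl on $AppRegKey to $User"
if ($Apply) {
    $acl = Get-Acl -Path $AppRegKey
    $acl.AddAccessRule($regRule)
    Set-Acl -Path $AppRegKey -AclObject $acl
}
```

If the program still fails after this, the remaining ACCESS DENIED entries in Process Monitor point at the next folder or key to add; what usually should not be added is anything under C:\WINDOWS\system32 or the Run keys, which is exactly the access the malware in this post needed.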