7.7.7.0 Browser Hijack Virus

[Edvard]

OK, apparently this started around the middle of last month, and it's still happening. It's happened twice to my co-worker and I wonder if there's a definite fix as the AV companies apparently haven't nailed it down yet.
Here's what's happening...

All Google and Yahoo searches through IE and Firefox are being redirected through the address 7.7.7.0
When using Firefox, you'll notice "7.7.7.0" instead of "connecting to Google" in the status bar.
The subsequent search terms show relevant results in the text and all, but the associated links are horribly wrong.
When this happens, you will also find a file named wdmaud.sys and/or sysaudio.sys in C:\windows\system32.
Also there will be an associated registry entry at HKLM\Software\Microsoft\Windows NT\Current Version\drivers32
It will be a key named "aux" with a value of "wdmaud.sys"
The general consensus of opinions is that the attack vector is a tainted PDF that gets payloaded from a banner ad or hidden iframe, and it may also be a rootkit.

Have you come across this?
If so, did you get rid of it?
How?
Where did you find the most helpful advice?

Temporary fixes include turning off javascript, redirecting 7.7.7.0 to Google via a HOSTS file, all kinds of things.
The reality is that this is a new threat that needs to be dealt with quickly.

Read up:
http://www.google.co...h?q=7.7.7.0+redirect

Edit: Changed title of topic so folks know this about a virus, not just a personal annoyance.

[Edvard]

Here's a tool that may help:
http://www.techish.n...rector-malware-tool/

In the meanwhile, to prevent infections, there are a few things you can do.
Firefox: Use the NoScript extension.
Internet Explorer: Crank down your javascript permissions or disable it altogether in the "Internet Options" dialog
Adobe Reader: Turn off Adobe Javascript.
To do that, open Adobe Reader, and hit Edit > Preferences.
Then go to the Javascript entry and tick off the "Enable Acrobat Javascript"

Any other pointers?

[app103]

Foxit Reader:

Go to Edit>Preferences>Javascript

uncheck the box

[PhilB66]

Thanks Edvard for the heads up. There's a good discussion @ Browser Redirect to 7.7.7.0 - interesting - dslreports.com.

[f0dder]

This sounds nasty - good thing I don't have adobe pdf reader installed (I wonder if foxit et al are vulnerable, even with javascript support enabled).

NoScript + AdBlockPlus =

[Josh]

Or perhaps just admuncher + ......Nothing = 

[f0dder]

Whatever floats your boat - I'm personally not a fan of admuncher (probably works fine, but I only want adblocking in my browser, I don't like the idea of global winsock hooking). Besides, AM only blocks ads, right? You could get exploit-triggering outside of advertisement frames...

[Edvard]

Apparently, javascript delivered via PDF is the prime suspect in this case. So that means if your pdf reader supports embedded js, it is a vulnerability.
App's post reveals that Foxit does indeed support javascript, so make sure you've got that turned off.

lol from a poster on WoW forums:
"Send it securely to every anti-virus company. The one that sends you a fix the fastest is your new anti-virus."

[f0dder]

Apparently, javascript delivered via PDF is the prime suspect in this case. So that means if your pdf reader supports embedded js, it is a vulnerability.
App's post reveals that Foxit does indeed support javascript, so make sure you've got that turned off.

-Edvard (January 15, 2009, 10:18 AM)

There's javascript and there's javascript - you don't necessarily need to expose filesystem writing capabilities to the scripting engine.

That said, I don't know how much functionality Foxit Reader exposes, so it could be that it's vulnerable, and it might as well be that it isn't.

[app103]

That said, I don't know how much functionality Foxit Reader exposes, so it could be that it's vulnerable, and it might as well be that it isn't.

-f0dder (January 15, 2009, 10:23 AM)

But why take a chance? Can you see any reason NOT to turn it off?

[Edvard]

I have also seen a handful of reports that it interferes with anti-virus and anti-malware programs via the TDSSserv trojan.
See here: http://forums.cnet.c...rums06;posts#2926532

@f0dder: That's beyond what I can tell you. I'd be all for writing the author(s) of Foxit and ask the question just for your own peace of mind.

[f0dder]

That said, I don't know how much functionality Foxit Reader exposes, so it could be that it's vulnerable, and it might as well be that it isn't.

-f0dder (January 15, 2009, 10:23 AM)

But why take a chance? Can you see any reason NOT to turn it off?

-app103 (January 15, 2009, 10:24 AM)

Indeed - I don't have a use for JS in PDFs, so I might as well do that... except JS can't be turned off in foxit . Mailing them might be a good idea.

I don't use in-browser PDF anyway, so the exploit would have to be able to download+launch an external file - and it would have to be able to do that in spite of noscript+adblockplus.

[Edvard]

Also, read the responses on the DSLReports link: http://www.dslreport...interesting~start=40

Some folks have tracked down individual sites that are either infected and spreading this, or are the culprits themselves.
Also finding out exactly how the infection happens. Interesting read.

[app103]

Indeed - I don't have a use for JS in PDFs, so I might as well do that... except JS can't be turned off in foxit . Mailing them might be a good idea.

I don't use in-browser PDF anyway, so the exploit would have to be able to download+launch an external file - and it would have to be able to do that in spite of noscript+adblockplus.

-f0dder (January 15, 2009, 10:31 AM)

What do you mean it can't be turned off? I told you how:

Foxit Reader:

Go to Edit>Preferences>Javascript

uncheck the box

-app103 (January 14, 2009, 05:29 PM)

7.7.7.0 Browser Hijack Virus

[f0dder]

It's not present in the 2.2 version I use - perhaps it's time to upgrade

[Edvard]

@f0dder: I just downloaded Foxit version 3 and confirmed app's fix.
If version 2.2 isn't bugging you and for all you know it doesn't do the javascript, you may be safe with it.
Also installed SumatraPDF to test for js capability and it has no way to set preferences, so who knows?

[app103]

Also installed SumatraPDF to test for js capability and it has no way to set preferences, so who knows?

-Edvard (January 15, 2009, 10:42 AM)

Sumatra is pretty no-frills, so it's probably not likely that it even supports js.

[Edvard]

If you do install Foxit 3, use the custom installation. In there, you can tell it whether to install the Firefox plugin.
If you use Firefox, it would probably be smart to say 'no' to that one...

[f0dder]

Edvard: 2.2 has Javascript, but no option to turn it off. I like Sumatra because it doesn't have the insanely-slow-rendering-on-x64 that FoxIt (at least 2.2) has... but it's been too unstable for me, unfortunately. And yeah, definitely no browser plugins for me, I hate having various document types render in-browser.

[app103]

This might be a good idea for anyone, whether they have plugins in their browser to view PDF files in-browser or not. One of my favorite browser plugins.

PDF Download

Available for both IE & Firefox, whenever you come across a pdf file, it asks you what to do with it.

options are:
1. view in browser
2. convert and view as html (much better than google's view as html option)
3. download

(it also turns web pages into pdf files, if you want, preserving links quite well)

[Nod5]

@app: I didn't know that Foxit had JS activated by default. Deactivated now. Thanks!

edit:
Edvards first post states that a symptom of the problem is if sysaudio.sys or wdmaud.sys exists in C:\WINDOWS\system32\

It is then best to add that files with those names exist in the C:\WINDOWS\system32\drivers\ , at least on my (supposedly clean) Win Xp Pro system. The files with the MD5 values below passed the test at http://virusscan.jotti.org/ a minute ago:

C:\WINDOWS\system32\drivers\sysaudio.sys
8b83f3ed0f1688b4958f77cd6d2bf290

C:\WINDOWS\system32\drivers\wdmaud.sys
6768acf64b18196494413695f0c3a00f

I also have a registry entry very similar to the one Edvard talks about at HKLM\Software\Microsoft\Windows NT\Current Version\drivers32
But the difference is that my (again supposedly clean) computer has a "aux" key with the value: "wdmaud.drv" (NOT "wdmaud.sys")

I guess it is yet an example of the common practice for malware to have deceptively similar names and locations as legit Windows files. A good way to counter that is to post and check file hashes.

[Edvard]

The ones in C:\WINDOWS\system32\drivers\ are fine. It's always if they are found in the c:\WINDOWS or system32.
If your registry says wdmaud.drv it should be fine as well.

[Edvard]

OK, some instructions for removing this thing have been posted at http://www.myantispy...e-trojan-dnschanger/

The best thing is to NOT get infected in the first place, but if you do, there's some sound advice.

I've also seen a lot of reports that it prevents Malwarebytes' Anti-Malware program from running. I'd say that's as good as an advertisement of MBAM's effectiveness in removing malware.
Apparently it is freeware as a scanning tool but a paid registration gives you "Realtime Protection".
Has anybody had any experience with this tool?

@Nod5: Here is the MD5 for the "bad" wdmaud.sys.
63453ec7d65a333a0a645cc50195990a

Also, the bad one is only about 17K where the real one is 74 or 82k

[Stoic Joker]

Malwarebytes' Anti-Malware = Yes

When dealing with end user/client machines 90% of the time Spybot Search and Destroy works for me, the other 10% requires Malwarebytes.

...Okay, 5% of the time I just flatten the box... But Malwarebytes is an excellent utility which is also (highly) MS MVP recommended.

[Zedar]

Just a quick note I'll add to the discussion after dealing with this today.  I run Win XP 64 bit edition - and the wdmaud.sys file can be found in the C:\windows\syswow64 folder. 

After doing a search for the file, the infected version has a description of "Meikiemos Rules" in the tooltip description.