kichik.net

I had some fun today trying to figure out why Banner likes to hang around with .NET so much so it wouldn’t even leave. I found out that while being destroyed, something tries to send messages to the main dialog. But the main dialog is busy with destroying the banner. I added exactly two iterations of the famous win32 message loop and everything started working. I still don’t know why those messages are sent or why it’s so important they’ll be answered before the banner is destroyed or even why it happens just with the .NET installer. And don’t even ask about different synchronization methods that make it tick. So far, I’ve found only smoke signals and the fire extinguisher won’t last much longer.

Of all the signals, I liked the message loop the most. It actually points to something I’ve done wrong. I’ve starved the main dialog’s thread while creating a modeless dialog as its child. That’s why I dug in further into those two iterations of the loop and those two messages that it processes. It turns out both of them had the same identifier - 0xc0c3. Now that’s no regular WM_ message… That’s a message registered with RegisterWindowMessage. But which message is it? That’s where the fun starts. There’s no GetRegisteredWindowMessage API available and nothing on the topic comes out on Google.

So with no leads to follow I started digging. Normally, to give a certain string a specific value in Windows, an atom is created. And indeed, 0xc0c3 is in the range of named atoms. To make things even simpler, in WINE, RegisterWindowMessage simply calls GlobalAddAtom, casts ATOM to UINT and returns. Great, then GetAtomName or GlobalGetAtomName should do the trick. Only reality isn’t as bright as WINE would like us to think. It turns out RegisterWindowMessage uses a different atom table for its messages. But which atom table and how can you even specify a table with GetAtomName?

To specify a table, a low-level access to RtlLookupAtomInAtomTable is required. But that function is deep inside ntoskrnl.exe. So, up one level and you get NtUserGetAtomName which uses the same atom table as NtUserAddAtom which is the function RegisterWindowMessage calls. But that’s inside win32k.sys… Luckily, user32.dll already handles that. It has a stub that calls NtUserGetAtomName at 0×7E41FA8E. Some playing around with the second parameter which turns out to be UNICODE_STRING and the atomic table is in hands’ reach.

Engines off, coding fingers down, digging complete and the message name is MSUIM.Msg.Private. That too gets little to none results on Google, but who cares… Debugging is fun

For any of you who’d ever want to convert a registered message into a readable name, here’s the NSIS code. Replace 0xc0c3 with the message identifier and 0×7E41FA8E with user32!NtUserGetAtomName and you’re good to go.

# the atom
StrCpy $2 0xc0c3
;System::Call user32::RegisterWindowMessage(t'test_message')i.r2
# create UNICODE_STRING
System::Alloc 1008
Pop $R0
StrCpy $R1 0
StrCpy $R2 1000
IntOp $R3 $R0 + 8
System::Call *$R0(&i2R1,&i2R2,iR3)
# call NtUserGetAtomName
System::Call ::0x7E41FA8E(ir2,iR0)i.r1?e
# parse UNICODE_STRING
System::Call *$R0(&i2.r4,&i2.r3,w.r0)
# print details
DetailPrint "user atom's name is $0"
DetailPrint "length is $4 (???)"
DetailPrint "NtUserGetAtomName returned $1"
Pop $1
DetailPrint "GetLastError() = $1"
# done
System::Free $R0

I don’t usually watch television, but in those short yet so satisfying fixes that I do score, there are always those pesky commercials. For the life of me, I don’t know why, but those are even more addictive. They always find new ways to grab your attention. While watching Friends the other day, a commercial for mortgage came up. It was pretend news cast staring miss I know best G. Yafit (sorry, Hebrew only). In her ever so nice voice, she recommended I get my mortgage done at some bank I don’t even remember. I think it had orange in its logo…

Like gorillas in the background, hands of a great card hustler, or new researches about how eating X will get you great Y, I’m all too used to ignore these commercials. But this particular commercial took me by surprise. Our dear old friend, Yafit, urged me to call right now and get my mortgage at 1-800-MORTGAGE. A toll-free number with letters after it! I was so shocked I had to wait for the second time the commercial was aired in the same short pause for commercials, just to see it again.

Ladies and gentlemen, this is an historic event. For the first time in my life, I’ve seen letters used in a phone number in Israel. We have reached the 90’s! And not just any plain old letters, they were actually in Hebrew (משכנתא). The future is here and I can’t be any more thrilled. Cars, color TVs and maybe even 8mb SDSL are just around the corner. Oh, joy!

I’m a big fan of shortcuts. I meet them everywhere and greet them nicely. On Internet Relay Chat, Instant Messaging, signs on the road and of course Short Message Service. The name already suggests it. The entire system was designed for short messages, so acronyms and other shortcuts are a must. There’s a limit on the number of characters you can send and when you cross that limit, you pay more. It’s understandable why users would want to cut back on characters and even words. Still, I find myself repeatedly writing full sentences.

That’s why I like T9 so much. Not only does it allow me to write messages faster, but due to its somewhat broad acceptance, I also receive messages with what I’d qualify as semi-understandable content. Shiny as it may be, there’s always a glitch. The revered triple dot combo… The two first dots are displayed accurately, but by the third dot it decides a different character was typed that’s not even remotely related to the key clearly marked with the number 1. So instead of receiving the glorious triple dot combo, I get the double dot confusion bomb. Was it an accidental double dot? Was it the combo? It can completely flip the meaning of the message! How can I tell if it was “No…” as in “No, sorry…” or “No.” as in “No way!”. Am I to reply as the combo suggests a continuation is in place or am I missing an abrupt stop of the conversation? This, of course, brings us to the mystery of the ever elusive exclamation mark, but that’s a whole other story.

Yet another reason to just call…

The other day, I found myself holding the N key in guidgen, trying to exhaust all 340282366920938463463374607431768211456 GUIDs. I didn’t count, but I think I got to around a 1000 GUIDs so far… I was just that bored. I guess I was hoping for a cool “OUT OF GUIDS” BSOD or something.

I tried looking for a newer version of NSIS Media by visiting their latest update server. I came out empty handed, which was bad news for my research but great news for the rest of the world. Just to make sure I got it right, I visited the old update server once again. I was in for a surprise when it served me b10.bin for downloading. As you may recall from one of the earlier posts, I originally downloaded only [ab][1-9]. Seeing as it suddenly served b10.bin, I upgraded my download script and found some more evil files.

atixim.dll
avirpa.dll
javadsa.dll
kbdicp.dll
msabdx.dll
msrrwvb.dll
schuu52e.dll
xmlfef32.dll

I’ve updated my NSIS Media Remover to detect and remove those as well. I’ve also updated the samples archive, though it still doesn’t contain any of the old version DLL files.

I’ve assembled everything I’ve learned the past few weeks about NSIS Media into one simple and effortless application that should completely remove it. NSIS Media Remover removes installed files and registry keys.

• 93 101 known DLL files installed into the system folder
• C:\Program Files\Common Files\NSIS folder
• Firefox nsis.jar extension
• Many registry keys
  • CLSIDs
  • Shell extensions
  • txtfile context menu handler
  • Overlay icon handlers
  • Software\NSIS\Media
  • Software\IAN
  • Add/Remove entry

NSIS Media Remover is provided without any warranty. Its source code is available in the tool itself. Hit the View Source Code button to get it.

Download NSIS Media Remover

md5:  7778c19e9df725d20a30fe42f425589d
sha1: 9eb42afbf75fd97555cc5260b3d24f33a6dec622

While creating this tool, I’ve found more exciting new facts about this pest. One of which is that apparently, CNET were fooled into serving the downloads on download.com. The installers check to see if the computer belongs to download sites, anti-virus companies and even Cydoor prior to installing the pest.

Update: version 1.1 was released on January 13th, 2007 with 8 more files missed in the original research.

While searching for the complete list of registry keys used by NSIS Media, I found yet another update server for an even older version. Only this server seems a bit different, it’s for removal of NSIS Media. Its output contains a URL for an installer that removes a lot of files and registry keys I haven’t ever seen.

auole4.dll
aviprope.dll
brwe042.dll
cabext32.dll
cagt041.dll
cryptdbe.dll
direjmod.dll
dobj01e.dll
dspmode.dll
dsq052e.dll
edk052.dll
iccext.dll
icmmext.dll
mail052e.dll
msgetm.dll
msgsple.dll
msmsgre.dll
mssfdr.dll
ntext052.dll
ntfssetx.dll
prtmde3.dll
shllimgd.dll
slpube03.dll
splsrv4.dll
syncmte.dll
tragte.dll
vidcpl2.dll
vlcx052.dll
wint042e.dll

Expect a complete NSIS Media remover very soon…

I just found another list of DLL files used by NSIS Media. The script used in their updated installers first removes the old DLL files. It renames them to temporary names and deletes all of their registry keys. Along with the previous list, I believe this makes a complete list of all DLL files used by NSIS Media.

bsdeff32.dll
java52e.dll
krnsvr32.dll
mkdesk32.dll
mkdesk32.dll
mscron32.dll
msidext.dll
msrvdrv.dll
msscsi.dll
mssvide.dll
msxmlu.dll
mtxcdru.dll
netstrap42.dll
nvrssid.dll
odbcpc32.dll
oleac32.dll
olescope.dll
uuiedes.dll
windexserv.dll
winsdev.dll
winsdrv.dll
wmbmd.dll
wmddsb.dll
wmdmb32.dll
wmidext.dll
wmproxt.dll
wmsql32.dll
wmudrv.dll

~fdgar.tmp
~fdgdr.tmp
~fdger.tmp
~fdgfr.tmp
~fdgir.tmp
~fdgor.tmp
~fdgpr.tmp
~fdgqr.tmp
~fdgrr.tmp
~fdgsr.tmp
~fdgtr.tmp
~fdgur.tmp
~fdgwr.tmp
~fdgyr.tmp
~isdat.tmp
~isddt.tmp
~isdet.tmp
~isdft.tmp
~isdit.tmp
~isdot.tmp
~isdpt.tmp
~isdqt.tmp
~isdrt.tmp
~isdst.tmp
~isdtt.tmp
~isdut.tmp
~isdwt.tmp
~isdyt.tmp

Our good old friend, NSIS Media, comes back for a second ride. As you know, the first ride is always free. It’s good for business. Nothing like a good promotion to draw new customers. But when you come over for a second ride, it won’t be cheap.

Right after I finished writing the last post, I was greeted with a nice pop-up suggesting I should get a green card. I was quite surprised I was infected with NSIS Media, because I only opened the installers on a Virtual PC. After a little meditation, mainly to cool myself, but also to dig in my memories, I recalled I opened one of the installers to take a screenshot. Foolishly, I assumed it’d only install this malware along with the program itself. How deep was my mistake to think they’d actually be that nice. The malware installed itself even before the first wizard page showed up. All doubt was removed. This software is pure evil.

I’ve taken several routes to bring this internet atrocity to an end. So far, the most fruitful route was based on a friend’s advice. I contacted Software Freedom Law Center to get their help sending a cease and desist letter to NSIS Media. In the process, I found out a lot interesting facts about NSIS Media. Like Openwares, they are located in Vanuatu, a Melanesian island which is, of course, outside of the USA. This means a cease and desist won’t affect them and so further research is required. This also raises the intresting question of NSIS Media’s owner. Both companies are based in Vanuatu and are hosted with aplus.net. As clearly stated in Openwares’ RSS and many other places, Openwares is owned by Opensoft Corporation which is making the web more interesting since 2001. It won’t be too far fetched to assume NSIS Media is also a part of this corporation, if not at least its best partner.

This corporate deserves a lot of credit. It has ripped off many open source programs and has plauged the web with Cydoor and NSIS Media malwares. A very paritial list follows.

• Openwares - distributing malware infected packages on download.com.
• Turbo Torrent - G3 Torrent rip off containing NSIS Media, but claiming to be adware free.
• Foxie - CCleaner rip off, Firefox look alike designed to fool people into thinking it’s the new Firefox everyone is talking about. There have also been reports of it packing NSIS Media, but I cannot confirm that. They claim to be based in Israel, however they are hosted on aplus.net, are linked from every Opensoft website and have Opensoft listed in their license as a contractor.
  

  U.S. Government Information Use, duplication, or disclosure by the U.S. Government of the computer and software documentation in this package shall be subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.277-7013 (Oct 1988) and FAR 52.227-19 (Jun 1987). The Contractor is Opensoft Corporation, Vanuatu.

• MP3 Shield - another Opensoft venture which is currently offline. Probably packed with NSIS Media as well and most probably a rip off.
• Startup Mechanic - calims to protect your PC but installs NSIS Media.

Now that we’ve gotten to know them, lets dig in and see how NSIS Media works. As I’ve previously said, NSIS Media “enhanced” installations include two DLL files installed into the system folder. The names vary, but the goal is always the same. The first, written using MSVC, leeches on just about every process in the system and loads the second. It is also responsible of installation and removal, according to strings that show up in it. The weird thing about this file is its PDB path which is always under c:\Cydoor_shell_project. Cydoor are reportedly out of this evil business, so I don’t quite know what to make of this. All DLL files have timestamps dating back to 2001, so it might be an old Cydoor DLL used to wrap NSIS Media. On the other hand, Opensoft claims to have established on 2001, but I doubt they still use the same DLL files.

The second DLL is far more interesting. It’s built using VB6 and contains an HTML page with the title Advertisment (typo in source) as resource. But there are no references to the C:\Program Files\Common Files\NSIS directory, nsis.jar, HKLM\Software\NSIS\Media or NSIS Media at all. The third DLL, miraculously installed into Common Files\NSIS along with an uninstaller contains no code. It only contains a resource named IID_NSIS which holds an unknown GUID. The uninstaller, as you might have guessed, doesn’t do much. It creates a new value called OptOut in HKLM\Software\NSIS\Media, unregisters the third DLL and finally deletes it along with the uninstaller. It also deletes a shell hook, according to the GUID found in the clsid value under its registry key.

So where does all the evil come from? I started digging in the second DLL, the VB6 DLL, looking for a URL. I found one string that raised my suspicion - @CDOQSAO:=ARB:ACPF:FQE@:QCE@=DSCBFR@. It was stored in Unicode and used in what seemed to be a key function in the code. However, it was not a URL. Notice how the colors repeat themselves and how many characters are in each block they separate. It’s a GUID. The distance between a colon and a hyphen is 13. Subtract 13 from each character and you get 367BDF4B-04E5-46C9-9D83-D68307F659E3. One Google search later and you see you’ve hit the jackpot. That GUID belongs to NSIS Media.

So I have a GUID, but what’s that good for? Lets try decoding the entire file and see if more shows up. That struck oil. In the decoded files, I found URLs, advertisement categories, registry paths, file paths, HTML and even JavaScript. There was also a list what seems to be potential hostile programs including Ewido, Grisoft, NOD32, Norman, Symantec, Panda and even Cydoor. Another list contained wildcards matching common advertisement servers like DoubleClick, probably so their ads can be replaced with NSIS Media ads.

But the most interesting list was the URL list. One URL in particular had most to tell. Its response contained my country code and another URL for a file located on msserv.net, another one of Opensoft’s websites. The name of the website and the content it tries to serve suggests it tries to make users believe it’s non other than Windows Update. Windows Update’s URL, by the way, is also listed in the second DLL. But it’s the file that’s hosted on msserv.com that I enjoyed the most. http://www.msserv.net/src/b3.bin is an installer, better described as an updater, containing two new NSIS Media DLL files. The two DLL files seem to share the same common pattern of the regular NSIS Media DLL files, but appear to be of a newer version, at least by examining the file sizes. Going to the original URL again, you get another installer name. I quickly saw the pattern is [ab][1-9].bin and downloaded them all.

Following is the complete list of NSIS Media’s new version DLL files along with their MD5 sum, for your malware removal needs. They are also available for download, but be careful with those.

04022272675cc56f1e68faa3fa2558b8 avtmskii.dll
0ff0930bb2ff743b212210471c725bc8 odbvgie.dll
15e63b822a0efede397ba9e7c8dbd02f usrwsh.dll
179164804cee71d62cd0f60d8f31735b kbdtdu2.dll
21e5ab0214714983584031e78c763aae wkcajax.dll
2c7b28b24cf717d8204b89a51a43c52d ftsash.dll
2dd9d642eb71eb541f51950c6ae0e5f5 nvritf.dll
2de5a9a086d0878abbd5259fe4f31787 rsvuaac.dll
2e3a6d1f71317faa094f2e7b427bb202 coltea.dll
2e7024c9f3dc91862e1b719d74e9f78f wshpwd32.dll
362b234f82ab4847ea14fcfe0bc07b33 nmmvti.dll
4322dbd9a120b0b6531a6d2c25bcbed3 mtxme2k.dll
5007f06b93defe72ff41c035cbaadc4a kbdrpo.dll
523a7424f94db5be34b33aecd2db32c5 nvredd.dll
59ecae29bdcccae85e8aff5718e55f2f dmubsi.dll
5aa56093a1e568c11a38264be0f4db7a wmiv3p.dll
5b850d909455d3062422f199c44445f2 mspksp2.dll
5fcbef5a137ee8ce3f5f615cb2e2d743 msjmme.dll
661f98df2ed0d7ba9997322248f01f46 ir4axb.dll
854b515f539f125fe4c9f4cdb01277f0 usrflx32.dll
8b4169f654be67be6f874a721c3919da avwmdm.dll
a27e788246ebb3fb59173594d314fd33 dsaoms.dll
a59bc64fb9f97934d20bccdbf346bce4 mswbst.dll
a8a1bb4bf6a67df2a2a24791b0605703 dspvfx.dll
a94db9a1ed0cfe9d807bec7407bef85a cfgsle.dll
aecc2a0fc2e9efa22f979f93ad3b5820 ieaean.dll
b1bbd68d3472ae8bb242f7fa6de00f76 ncxpri.dll
bd9cd45321c46cb7565553a1869ba19a wpdccmo.dll
c2e811707d1898d00a897802bea144ee atmkmsa.dll
c57b55771515280a8e93fabfea00928d adsusv32.dll
cac34a21c3957f118cff2fc4f43b555d lochsh32.dll
da4987053dc52f7ee9b1e70c62f7daa0 actsdr.dll
db69afb5e34af7aba15c2984bd582a31 mfctsa.dll
dd6ec5013c437ac0e86d17ab66e37854 audes2e.dll
e4b4747e461d39695722d07154dbdbb2 swpxa52u.dll
f3ee10c331a81188385e47e851ae3079 minsv32.dll

So what have we learned today?

1. NSIS Media and Opensoft are pure evil.
2. Cydoor might still be up to no good.
3. kichik still doesn’t make 1000$ a day

I’ve been providing support online for a few years, mainly for my projects. Someone asks a nice challenging question, you dig in a little, possibly find a bug and fix it, give the user his answer get a nice little thank you and you’re on your way to the next question. Sadly, that ideal is far from being the reality for most questions. Most of the time questions repeat themselves, lack any challenge, lack too much information or asked in an irritable manner. Inspired by the effective bug reporting and smart questions guides, I decided to write my own version. Initially, I wanted to go with the ten commandments, but I didn’t quite see how I could fit “honor your father and mother” in. So, without further ado, I hereby present the seven deadly sins of questioning.

Lust

Moms are smart, that’s a known fact. However, they’re not always right. Especially on so called facts that contain the notorious pair of words “most important”. Breakfast is not the most important meal of day as it’s usually aimed at herbivores and you are not the most important person in the world. Nothing you ask is urgent unless other lives are at stake. There’s nothing to get passionate about. Nothing will happen if you don’t get your answer right away. Armageddon will continue lingering and your mom will still be there for you with her “most important” slogans. So chill. “Urgent” questions and vivid descriptions of how amazing your question is will not get you an answer faster.

Gluttony

Ideally, when stumbling upon an issue, you look around a bit before asking a question. You seek the solution, try to find out what’s wrong, collect as many details as you can until two or more click and you find the solution. Nothing clicks? Time to ask someone else? Don’t skimp on the details, add as many as you can. Gathering them all and then keeping them to yourself doesn’t help anybody and most certainly doesn’t help you. At the very least, describe a method of reproduction of the issue. Even the most talented support champion can’t help you with an issue that can’t be seen or described in words. Even Don Quixote had his windmills to fight.

Greed

Knowledge is power, everybody knows that. It’s only reasonable to keep it to yourself, to keep your prestigious stand. So, if after asking a question, you find the answer yourself, why bother sharing? In fact, why not ask a lot of questions and then come back later to say you solved them all by yourself? Instant self-proclaimed hotshot. Power overwhelming. Guru.

So why ask in the first place? Why be a burden? If you’re going to frustrate people by answering yourself before they get a chance or even while they’re trying to politely answer your question, at least share your findings. Even if all it took was that little search you were too lazy to do, share it so your question will rise up from its cyberspace waste status. You may even get a better solution from a true guru, or the average curious John Doe who simply knows better on your specific issue. If you don’t share, why would anyone want to share with you? P2P networks has a lot to teach us in this case.

Sloth

Time is money. Asking for something that can be easily obtained, like questions from a FAQ or searchable questions wastes your time while waiting for the answer and the other side’s time while searching for you. Search engines have been invented for a reason, FAQ pages were not written in vein and documentation files may rot, but shouldn’t be abandoned.

Even if the search comes out empty, there are other ways. Show a bit of self competence, try solving the problem yourself. Isolate the problem, test on different platforms, observe differences that cause the problem to appear, broaden your search and guess a little. You can’t expect the other side to do all the work for you. At the very least, your tests will help the other side finding the solution faster. Lazy questions inspire lazy answers.

The most annoying type of sloth is the ever so lazy request of “do it for me”. Some ask it right out, occasionally attaching a job half done, a very lacking description of things that don’t work, usually with a very descriptive “not working” text. Some simply refuse to understand the solution until it comes in the form of a full fledged example. Then, seeing as their laziness has paid off, they’ll move on to the next issue and once again stumble upon a great obstacle they can’t possibly overcome without yet another example.

Wrath

Raging and screaming won’t help you get your answer faster. It’ll only get the other side angry and unwilling while wasting your time on being calmed down. Frustrated? Upset? Furious? Leave the computer. Go meditate or something… Come back after you’ve found nirvana and everything will look better. You might even find the problem on yourself, now that you have more blood running into your brain instead of your fists.

Envy

Been waiting a while? Someone got an answer before you? Forget about the green monster. Go get some tea, sit back and relax. Posting your question in more places where “others got an answer” will only get others annoyed and confused. Which post is the newest? Where do I want to answer? Do I even want to answer and encourage this guy to post his question a zillion times and litter my beautiful piece of heaven? You should spend your time on trying to get more details for your problem instead of getting upset and confusing others.

Pride

Until proven otherwise, you don’t know best. If the computer, application or programmer’s fault is in your axiom list, you’re doomed. You’ll never find your answer by assuming it’s not your fault. Even if the problem you’re seeing is caused by a bug, you’ve triggered this bug somehow. Assuming the fault lies solely outside your reach will only get you frustrated and get you farther from redemption.

Have a little modesty, just as you’d except the other side to have. Pride is an epidemic. It rapidly infects all parties and consumes all hope of a solution, sending your time right down the drain. Declaring you know best right of the start, stating exactly what’s a right and what’s wrong, will force the other side into a defense from which you’ll have a hard time getting your answer.

Still think you know it all? Found the bug that no one else found? Do you really think such a huge bug would go unnoticed by so many people? If you are so certain, you must have a lot of information to back your claim. Post that information or face the immanent failure of finding a solution.