PowerGREP 3.5.5

seeders: 8
leechers: 0
Added on January 25, 2010 by in Applications
Torrent verified.



PowerGREP 3.5.5 (Size: 6.12 MB)
 PowerGREP_3.5.5_setup.exe (6.09 MB)
 PowerGREP_3.5.5_screenshot.png (34.45 KB)


Description

Details:



Program Name: PowerGREP 3.5.5

Release Date: September 6, 2009

Author: Just Great Software

Website: http://www.powergrep.com/



Files:



PowerGREP_3.5.5_setup.exe

PowerGREP_3.5.5_screenshot.png



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



This torrent is a ***CLEAN RE-POST*** of http://thepiratebay.org/torrent/4347444/JGSoft_PowerGrep_3, which contains a malicious rootkit. I extracted the *REAL* setup program from the wrapper executable, so this version should be (and is, to the best of my knowledge) CLEAN and VIRUS-FREE.



Contrary to what a number of commenters on the original torrent claim, the original torrent DOES contain a rootkit, and I have the screenshots to prove it (see below). My computer became infected after running the original setup program, and it literally took 51 different virus/malware scanners and utilities to finally track the nasty little son-of-a-bitch down. NONE of the major programs caught it. The one tool that finally found and removed it was Hitman Pro 3.5, a program I HIGHLY recommend if you have a rootkit that evades detection by all other programs.



After I finally got rid of the rootkit on my system, I spent the next two days trying to figure out where the hell it came from and how it works. Here's what I found:



DISCLAIMER: I am NOT a security professional! I'm just a geek who got really, really pissed off and decided to spend some quality time hunting this bitch down. This information is, to the best of my knowledge, accurate, but since I'm not a security expert any or all of it could be wrong.



The virus file *looks* like a setup program for PowerGREP 3, but it's not - it's a wrapper executable that contains the actual setup program, as well as several virus files that install rootkits in various places across the system. These places include (but are not limited to) the %TEMP% directory and the %WINDOWS%\System32\DRIVERS directory.



Once you run the fake setup program, you're basically fucked: it extracts the rootkit files to the %TEMP% directory, places a shortcut to them in the Startup folder, and reboots the system within a few minutes - whether you actually install PowerGREP or not.



As far as I can tell, the rootkit downloads additional virus files from malicious servers in France and Germany since it exhibits different symptoms every time I run it. One of the many programs it installed was the infamous "Internet Security 2010" virus. Joy.



I set up a VMware Virtual Machine running Windows XP Professional with Service Pack 3 and installed a number of free virus/malware scanners. I then went through the rootkit installation process step-by-step to learn how it works. Here are some screenshots:



Rootkit Installation: http://bayimg.com/kaJjLAaco

Legitimate Installation: http://bayimg.com/lajjIAaCo

Executable Comparison: http://bayimg.com/LajjbAaCO

Background Process: http://bayimg.com/KAJJnAAcO

Wireshark Capture: http://bayimg.com/lAjJfaaCo

Hitman Pro Scan: http://bayimg.com/LAjJdaaCO



As you can see, I'm definitely not making this up. But the good news is that the infected .exe extracts the *real* setup program to the %TEMP% directory, so I was able to simply copy that sucker and run it independently to verify that it was not infected as well. I noticed that the extracted setup program contains a valid digital signature (security certificate), but the wrapper executable does not.



Anyways, I hope someone finds this useful. Please let me know in the comments if you have any questions about this bad boy.



- drsquirlz
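The check the post describes doing by hand, comparing the digital signature of the extracted installer with the unsigned wrapper, can be scripted. The following PowerShell is an added example, not part of drsquirlz's post and not code from Just Great Software; it assumes a current Windows PowerShell (Get-FileHash needs version 4 or later, so it would not run on the XP virtual machine mentioned above), and the two file paths are placeholders to replace with the files you actually have. It also lists the contents of the user and all-users Startup folders, since the post says the wrapper drops a shortcut there.

```powershell
# Added example (not from the original post): report Authenticode signature
# status, signer and SHA-256 for an installer and the wrapper that dropped it,
# then list Startup folder entries. Paths below are placeholders.
$Targets = @(
    'C:\Downloads\PowerGREP_3.5.5_setup.exe',          # placeholder: the file you were handed
    (Join-Path $env:TEMP 'PowerGREP_3.5.5_setup.exe')  # placeholder: a copy extracted to %TEMP%
)

function Get-SignatureReport {
    param([string[]]$Paths)
    foreach ($Path in $Paths) {
        if (-not (Test-Path -LiteralPath $Path)) {
            Write-Warning "Not found: $Path"
            continue
        }
        $Sig  = Get-AuthenticodeSignature -LiteralPath $Path
        $Hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        [pscustomobject]@{
            File   = Split-Path -Leaf $Path
            # Status is Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
            Status = $Sig.Status
            Signer = if ($Sig.SignerCertificate) { $Sig.SignerCertificate.Subject } else { '(none)' }
            SHA256 = $Hash
        }
    }
}

# Only a file whose signature chain validates should be run; anything else
# (NotSigned, HashMismatch, NotTrusted) is a reason to stop and investigate.
$Report = Get-SignatureReport -Paths $Targets
$Report | Format-Table -AutoSize
$Report | Where-Object { $_.Status -ne 'Valid' } |
    ForEach-Object { Write-Warning ("Do not run {0}: signature status is {1}" -f $_.File, $_.Status) }

# The post says the wrapper drops a shortcut into the Startup folder; show what
# is there so an unexpected .lnk stands out.
$StartupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
Get-ChildItem -LiteralPath $StartupDirs -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime |
    Format-Table -AutoSize
```

Get-AuthenticodeSignature only tells you whether a file is signed and by whom; a valid signature means the file was not altered after signing, not that the signer is who you expect, so compare the Signer subject against the vendor named on the product website before trusting it.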

All Comments

Been a while but, anyway, Thank You!
2013-10-06 01:15
nice one
Thanks. Works well!