Windows Tutorials - Herong's Tutorial Examples - v5.62, by Dr. Herong Yang
rundlll.dll - Winsock 2 LSP Spyware Trojan
This section describes a generic Winsock 2 LSP spyware trojan reported by McAfee. It installs a trojan file, rundlll.dll, and rewrites the Winsock 2 LSP catalog registry entry so that the trojan replaces Microsoft's mswsock.dll as the base service provider.
When I was looking for Winsock 2 LSP spyware trojan examples, I saw this one reported by McAfee at http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=141764. Here is a summary of this trojan.
Name: Generic LSP
Method of Infection: Double clicking malicious email attachments or malicious web page links.
Installer File - ucx.exe (18 KB, MD5: 2BD1D3C42EFC95CD5CEC4A7829E5EF9C): Added to the system folder or a temporary folder. It is executed to make the other changes to the Windows system listed below.
LSP DLL File - rundlll.dll (102 KB, MD5: 7A3CF9893E1169AB37AEEF6DE10DC1EB): Added to the system folder. It is used to replace mswsock.dll as the base service provider in the LSP stack, so that every Winsock call from every application passes through the trojan's code.
Registry Key Value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - "remotecontrol"="C:\WINDOWS\system32\UCX.EXE": Added to run the trojan installer ucx.exe as a startup program.
Registry Key Value: HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 "PackedCatalogItem"=hex:43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,6d,33,32,5c,72,75,6e,64,6c,6c,6c,2e,64,6c,6c,00,6c,00,00,00,...: Modified to link the Winsock 2 base service provider entry to the trojan file, rundlll.dll. The leading bytes of the value are the ANSI string "C:\WINDOWS\system32\rundlll.dll" followed by a NUL terminator. This entry was originally linked to Microsoft's mswsock.dll.
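As an added example, not taken from the original page or from McAfee's write-up, the following PowerShell decodes the provider path from PackedCatalogItem values and flags any Protocol_Catalog9 entry whose DLL is not mswsock.dll or does not carry a valid Authenticode signature. It assumes only that each PackedCatalogItem begins with the provider's path as a NUL-terminated ANSI string, which is what the hex value quoted above shows; the function names and the Suspicious rule are my own. The embedded sample bytes are the visible prefix of the trojan's value from the summary above.

```powershell
# Added example (not from the original page): decode Winsock 2 PackedCatalogItem
# values and flag base service providers that are not the expected mswsock.dll.
# Assumption: PackedCatalogItem starts with the provider DLL path as a
# NUL-terminated ANSI string, as the hex value in the McAfee summary shows.

function Get-PackedCatalogPath {
    param([Parameter(Mandatory)][byte[]]$Item)
    # The provider path occupies the leading bytes up to the first NUL.
    $end = [Array]::IndexOf($Item, [byte]0)
    if ($end -lt 0) { $end = $Item.Length }
    return [System.Text.Encoding]::Default.GetString($Item, 0, $end)
}

function Test-ProviderPath {
    param([Parameter(Mandatory)][string]$Path)
    # Expand %SystemRoot%-style paths, then check that the file exists and carries
    # a valid Authenticode signature. A missing or unsigned provider DLL under a
    # non-default name is the LSP trojan pattern described on this page.
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    $name = [IO.Path]::GetFileName($expanded)
    $status = if (Test-Path -LiteralPath $expanded) {
        (Get-AuthenticodeSignature -FilePath $expanded).Status.ToString()
    } else { 'FileMissing' }
    [pscustomobject]@{
        Path       = $Path
        FileName   = $name
        Signature  = $status
        Suspicious = ($name -ne 'mswsock.dll') -or ($status -ne 'Valid')
    }
}

function Get-WinsockCatalogReport {
    # Walk both the 32-bit and 64-bit catalogs; Catalog_Entries64 exists only on x64 Windows.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9'
    foreach ($sub in 'Catalog_Entries', 'Catalog_Entries64') {
        $root = Join-Path $base $sub
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $blob = (Get-ItemProperty -LiteralPath $key.PSPath -Name PackedCatalogItem `
                        -ErrorAction SilentlyContinue).PackedCatalogItem
            if (-not $blob) { continue }
            $report = Test-ProviderPath (Get-PackedCatalogPath $blob)
            $report | Add-Member -NotePropertyName Entry `
                                 -NotePropertyValue "$sub\$($key.PSChildName)" -PassThru
        }
    }
}

# Offline check against the bytes quoted in the McAfee summary (constructed sample:
# the visible prefix of the trojan's PackedCatalogItem value).
$sampleHex = '43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,6d,33,32,5c,72,75,6e,64,6c,6c,6c,2e,64,6c,6c,00,6c,00,00,00'
$sample = [byte[]]($sampleHex -split ',' | ForEach-Object { [Convert]::ToByte($_, 16) })
Test-ProviderPath (Get-PackedCatalogPath $sample) | Format-List

# Live check of the machine being examined (run from an elevated prompt).
Get-WinsockCatalogReport | Format-Table Entry, Path, Signature, Suspicious -AutoSize
```

Decoding the sample yields the rundlll.dll path from the summary, and on a machine that never had the trojan the path does not exist, so the entry is reported as FileMissing and Suspicious. On a live system, a legitimately signed third-party LSP (some VPN and antivirus products install one) is also flagged because its file name is not mswsock.dll; the Signature column is what separates that case from an unsigned or missing provider. The same catalog can be listed with "netsh winsock show catalog", as shown in the earlier section, and a corrupted catalog can be rebuilt with "netsh winsock reset", which the next section on catalog corruption covers.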