Don’t Overlook Scheduled Tasks / AT when cleaning malware…
Technology | Tagged defense, malware, Security | February 1st, 2009

One of our clients picked up some sort of infection over the weekend. The sucker was persistent, and after running the usual battery of utilities -- RootkitRevealer, SDFix, ComboFix, Stinger running inside a WinXP PE shell -- we got rid of the thing.
When I checked the post-infection System Event Viewer log, however, I got an interesting message:
Event Type:Error
Event Source:Schedule
Event Category:None
Event ID:7901
Date:1/31/2009
Time:9:00:00 PM
User:N/A
Computer:XXX03
Description:
The At46.job command failed to start due to the following error:
The system cannot find the file specified.
Huh? At46.job? I know the machine doesn't use the AT scheduler... let's see...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\administrator\>at
Status ID   Day                     Time          Command Line
-------------------------------------------------------------------------------
        1   Each M T W Th F S Su    12:26 AM      C:\WINDOWS\system32\Hi3TR1uq.exe
       10   Each M T W Th F S Su    9:00 AM       C:\WINDOWS\system32\Hi3TR1uq.exe
       11   Each M T W Th F S Su    10:00 AM      C:\WINDOWS\system32\Hi3TR1uq.exe
       12   Each M T W Th F S Su    11:00 AM      C:\WINDOWS\system32\Hi3TR1uq.exe
       13   Each M T W Th F S Su    12:00 PM      C:\WINDOWS\system32\Hi3TR1uq.exe
       14   Each M T W Th F S Su    1:00 PM       C:\WINDOWS\system32\Hi3TR1uq.exe
       15   Each M T W Th F S Su    2:00 PM       C:\WINDOWS\system32\Hi3TR1uq.exe
       16   Each M T W Th F S Su    3:00 PM       C:\WINDOWS\system32\Hi3TR1uq.exe
       17   Each M T W Th F S Su    4:00 PM       C:\WINDOWS\system32\Hi3TR1uq.exe
       18   Each M T W Th F S Su    5:00 PM       C:\WINDOWS\system32\Hi3TR1uq.exe
       19   Each M T W Th F S Su    6:00 PM       C:\WINDOWS\system32\Hi3TR1uq.exe
        2   Each M T W Th F S Su    1:00 AM       C:\WINDOWS\system32\Hi3TR1uq.exe
       20   Each M T W Th F S Su    7:00 PM       C:\WINDOWS\system32\Hi3TR1uq.exe
       21   Each M T W Th F S Su    8:00 PM       C:\WINDOWS\system32\Hi3TR1uq.exe
Error  22   Each M T W Th F S Su    9:00 PM       C:\WINDOWS\system32\Hi3TR1uq.exe
And so forth, with hourly jobs listed down through job 72. (It kept adding duplicate schedules...)
You can see we got the infection eradicated before 9 PM, because the 9 PM AT job shows an error: by then the executable it pointed to was already gone, which is exactly what the Event ID 7901 message above complains about.
For those of you who prefer a GUI, you can see the same jobs in the Scheduled Tasks pane in Control Panel.
So, don't overlook the AT scheduler as a place where an infection might hide in an effort to re-launch itself. This is the first time I've seen it there, and it will be a place I look at from here out...
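The listing above is easy to eyeball on one box, but on a machine with 72 jobs (or across a fleet) a small triage script is quicker. The following Python is an added example written for this post, not the author's own tooling: it parses the text output of the Windows XP `at` command, groups the jobs by command line, and flags any command that is scheduled more than a couple of times or that carries an Error status, then maps each flagged job ID to the At<ID>.job file under %SystemRoot%\Tasks that the Event ID 7901 message names. The sample input is constructed to mirror the post's listing (same columns, the same Hi3TR1uq.exe path, plus one benign weekly job so the filter has something to ignore); the threshold of two schedules per command is an assumption you may want to tune.

```python
"""Triage helper for Windows XP `at` scheduler listings (added example).

Run with no arguments to process the constructed sample below, or with
the path of a file produced by `at > at_output.txt` on the suspect host.
"""
import re
import sys
from collections import OrderedDict
from dataclasses import dataclass
from typing import List

# Constructed sample: same layout as `at` on Windows XP, one line per job.
SAMPLE_AT_OUTPUT = """\
Status ID   Day                     Time          Command Line
-------------------------------------------------------------------------------
        1   Each M T W Th F S Su    12:26 AM      C:\\WINDOWS\\system32\\Hi3TR1uq.exe
        2   Each M T W Th F S Su    1:00 AM       C:\\WINDOWS\\system32\\Hi3TR1uq.exe
       10   Each M T W Th F S Su    9:00 AM       C:\\WINDOWS\\system32\\Hi3TR1uq.exe
       11   Each M T W Th F S Su    10:00 AM      C:\\WINDOWS\\system32\\Hi3TR1uq.exe
Error  22   Each M T W Th F S Su    9:00 PM       C:\\WINDOWS\\system32\\Hi3TR1uq.exe
       30   Each Su                 3:00 AM       C:\\Scripts\\weekly_backup.cmd
"""

# One job line: optional status word, numeric ID, day spec, clock time, command.
# The header and the dashed rule do not match because they carry no numeric ID.
LINE_RE = re.compile(
    r"^(?P<status>[A-Za-z]*)\s*(?P<id>\d+)\s+(?P<day>\S.*?)\s+"
    r"(?P<time>\d{1,2}:\d{2} [AP]M)\s+(?P<cmd>\S.*?)\s*$"
)


@dataclass
class Job:
    status: str      # "" for healthy jobs, "Error" when the last run failed
    job_id: int
    day: str
    time: str
    command: str


@dataclass
class Finding:
    command: str
    count: int
    ids: List[int]
    error_ids: List[int]


def parse_at_output(text: str) -> List[Job]:
    """Turn raw `at` output into Job records, skipping non-job lines."""
    jobs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        jobs.append(Job(m["status"], int(m["id"]), m["day"].strip(),
                        m["time"], m["cmd"]))
    return jobs


def flag_suspicious(jobs: List[Job], max_per_command: int = 2) -> List[Finding]:
    """Group jobs by command line (case-insensitive) and report commands
    scheduled more than max_per_command times or with any Error status.
    Hourly duplicates of one executable, as in the post, stand out at once;
    a single weekly maintenance script does not."""
    by_cmd: "OrderedDict[str, List[Job]]" = OrderedDict()
    for job in jobs:
        by_cmd.setdefault(job.command.lower(), []).append(job)
    findings = []
    for group in by_cmd.values():
        error_ids = [j.job_id for j in group if j.status.lower() == "error"]
        if len(group) > max_per_command or error_ids:
            findings.append(Finding(group[0].command, len(group),
                                    sorted(j.job_id for j in group), error_ids))
    return findings


def job_file_name(job_id: int) -> str:
    """AT jobs live on disk as %SystemRoot%\\Tasks\\At<ID>.job; this maps a
    listing ID to the file named in an Event ID 7901 message (e.g. At46.job)
    so the leftover job can be located and deleted after the executable is gone."""
    return f"At{job_id}.job"


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AT_OUTPUT
    for f in flag_suspicious(parse_at_output(text)):
        print(f"{f.command}: {f.count} schedules, ids {f.ids}, "
              f"errors on {f.error_ids or 'none'}")
        for job_id in f.ids:
            print("   check %SystemRoot%\\Tasks\\" + job_file_name(job_id))
```

On the sample input only Hi3TR1uq.exe is reported (five schedules, one of them in Error state); the weekly backup job passes through silently. Deleting the At<ID>.job files, or `at <ID> /delete` for each flagged ID, is what stops the scheduler from trying to relaunch a payload you have already removed, and it also stops the recurring 7901 errors in the System log.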