Case Study: New Malware Hiding in Task Scheduler - Technibble

Today I was called out to a client's house because their computer was getting popups even when they weren't browsing the internet. This is the type of job I have done hundreds of times before, and it's usually because someone installed something they shouldn't have, such as a free screensaver or free toolbar. However, this job was a little different.

When I arrived at the client's house I booted up the computer and broke out my two trusty computer repair programs: Process Explorer and HijackThis. I started Process Explorer and looked for any strange processes running. There were the standard essential processes that Windows needs to run and a few other processes to drive the printers, but nothing that could potentially be a virus or malware.

After looking at Process Explorer and verifying it was clean, the most likely explanation was that the infection had attached itself to Internet Explorer itself as a DLL or something similar (the way toolbars attach themselves to IE). HijackThis excels at this kind of job, so I opened it up and let it do a scan. There was nothing potentially malicious there either; the only things listed were the basic set of DLLs that comes installed with Windows.

I thought this was strange because in the past Process Explorer and HijackThis have caught 99% of all the viruses and malware I have dealt with. Recently I have heard that some new viruses and malware unload themselves when they see that Process Explorer or HijackThis has been launched and therefore go undetected. I renamed the .exe file of both tools and tried them again. Still nothing.

I decided to do a full system virus scan of the computer for good measure, in case it picked up something I had missed. About 10 minutes later it came up clean, but the popups were still appearing every 5 minutes.

Running out of options, I tried another tool I use occasionally called Autoruns which, according to the Microsoft website, “shows you the currently configured auto-start applications as well as the full list of Registry and file system locations available for auto-start configuration. Autostart locations displayed by Autoruns include logon entries, Explorer add-ons, Internet Explorer add-ons including Browser Helper Objects (BHOs), Appinit DLLs, image hijacks, boot execute images, Winlogon notification DLLs, Windows Services and Winsock Layered Service Providers. Switch tabs to view autostarts from different categories.”

I flipped through the tabs showing the various auto-start categories (DLLs, registry, boot.ini etc.) but they came up with the same results as HijackThis. I then switched to the Task Scheduler tab, which shows the jobs that are set to run, and noticed an entry there: a strangely named .dll file that would start itself every 5 minutes and then almost immediately unload itself.

Aha! This appeared to be our culprit. I deleted the Task Scheduler job, rebooted the computer and the popups didn't show up anymore. I then deleted the .dll file associated with it. Problem solved.

So why was this not detected by Process Explorer or HijackThis?

It never launched an executable that stayed running, nor did it have a parent executable to launch it. Only Internet Explorer would launch every 5 minutes to show us the popup, but nothing showed what had launched it. Therefore it bypassed Process Explorer.

This malware wasn't launching at startup either. It wasn't attached to Internet Explorer, and it wasn't being told to launch through the registry, boot.ini or the Startup folder, and therefore it bypassed HijackThis.

This may have been a one-off, or it may be becoming a new trend for hiding malware. So all you computer techies out there, be sure to look in the Task Scheduler for malware!
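As an added example (not from the article or from Autoruns), the following PowerShell script does from the command line what the Task Scheduler tab did here: it lists every scheduled task and flags the two traits described above, an action that hands a .dll to a host binary such as rundll32.exe, and a trigger that repeats on a short interval. It assumes the Get-ScheduledTask cmdlet (Windows 8 / Server 2012 and later); the host-binary list and the 10-minute threshold are my own choices.

```powershell
# Added example: enumerate scheduled tasks and flag ones that match the pattern
# from the case study (a DLL run via a host binary, repeating every few minutes).
# Requires the ScheduledTasks module (Get-ScheduledTask), Windows 8 / 2012 or later.

# Host binaries that execute code from a DLL named in their arguments (assumed list).
$dllHosts = @('rundll32.exe', 'regsvr32.exe')
# Repeat intervals at or below this many minutes are reported (assumed threshold).
$maxSuspiciousMinutes = 10

function ConvertFrom-IsoMinutes([string]$interval) {
    # Task triggers store repetition as ISO 8601 durations, e.g. PT5M or PT1H30M.
    if ([string]::IsNullOrEmpty($interval)) { return $null }
    try { return [System.Xml.XmlConvert]::ToTimeSpan($interval).TotalMinutes }
    catch { return $null }
}

$findings = foreach ($task in Get-ScheduledTask) {
    $reasons = @()

    foreach ($action in $task.Actions) {
        # COM-handler actions have no Execute property; $exe is then an empty string.
        $exe = [System.IO.Path]::GetFileName(($action.Execute -replace '"', '')).ToLower()
        if ($dllHosts -contains $exe -and $action.Arguments -match '\.dll') {
            $reasons += "DLL loaded via $exe : $($action.Arguments)"
        }
        # Executables living in user-writable locations deserve a second look.
        if ($action.Execute -match '\\(AppData|Temp|ProgramData|Users\\Public)\\') {
            $reasons += "runs from user-writable path: $($action.Execute)"
        }
    }

    foreach ($trigger in $task.Triggers) {
        $minutes = ConvertFrom-IsoMinutes $trigger.Repetition.Interval
        if ($minutes -and $minutes -le $maxSuspiciousMinutes) {
            $reasons += "repeats every $minutes min"
        }
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Task    = $task.TaskPath + $task.TaskName
            Author  = $task.Author
            State   = $task.State
            Reasons = $reasons -join '; '
        }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Review each hit against Get-ScheduledTaskInfo (last run time and result) and the file the action points at before removing anything; legitimate updaters also use short repeat intervals.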

  • techpro says:

    Really like reading these case studies. More please! It's like an insight into a computer tech's life.

  • Administrator says:

    Will do Techpro. This job really messed with my head but was definitely a learning experience.

  • Livetech says:

    I had one of these the other day too, first time I had come across it. Luckily it will only take us one time to add Task Scheduler as a place to check for nasties….

  • John Danenbarger says:

    I appreciated your insight and have exactly this problem, but 1) I am working in Italian and cannot find what would be “Task Scheduler” in Vista, and 2) what am I looking for once I get there? I am being driven crazy by IE launching every 5 minutes exactly.

  • Baltimore Computer Repair says:

    Malware is such a pain, but cleaning it accounts for a lot of my business! Good troubleshooting tip! I have not seen this particular issue in the hundreds of systems I have cleaned over the past few years. I am already familiar with much of what is mentioned on this site, but this was a nice little gem that I am sure will come in handy!

  • Great article, would have never searched there, now I know. Thanks Bryce!
