Recently I encountered the Narrator trojan for the first time. This baby was really challenging to my nerves, as it used some techniques that I hadn’t seen before. All the usual tricks of showing up in the Windows registry, or hiding out in the start menu were there, but I could have sworn that I cleaned them out. Yet every time the computer restarted, there they were – two instances of the trojan that I just couldn’t kill.
The first problem was that the filenames (one .dll and one .exe) were random. You’d see something like yknkoj.exe or ituked.dll. So I couldn’t just search on those names to find help on the internet. So I turned to Trend Micro, whose software I use in a number of places. Their virus encyclopedia is generally pretty good. But the search function on their site turned up nothing – even though the trojan was named in their software!
Anyway, that simply told me the regular stuff about hiding out in the registry – and I had already found those entries. Yet the blasted thing was still coming back! So then I tried another tactic, and attempted to delete the files myself. Didn’t work. They weren’t there. Even though they were listed as being found in particular locations, and I checked those locations after seeing that Trend couldn’t handle them, nothing. I ran spyware removal tools. I tried Trend’s online solution on the thought that the local version was out-of-date. Nothing.
I was about to scream, when I decided for some reason (divine inspiration, perhaps) to try to find the files myself. So I fired up the Windows search tool, which I don’t typically use because it’s slow and on a customer’s computer I often end up having to deal with that blasted dog, and entered the current name of the files. Bingo. It turns out that there was a file in the Windows prefetch folder that I hadn’t been able to find previously. I deleted this.
Then I searched for the name in the registry, and found another instance where the file was being loaded. It wasn’t in any of the typical run locations (and, in fact, I don’t recall where it was – sorry), and moreover it wasn’t even what I’d expect to see, as there was information appended to the end of the filename. For instance, instead of ukidoek.exe, it was ukidoek.exeCommonStartup or something similar. Probably a play on the ever-popular extension overloading issues suffered by Microsoft products.
Sure enough, after disabling these two instances by using msconfig, they stopped loading. I was unable to disable them myself because the entries weren’t in the normal locations, and it seems that the prefetch folder can actually load things even if they aren’t being called anywhere – as if these files are preloaded for you. A trojan or virus in there simply loads itself at boot time, no startup entry or registry entry or anything.
Once disabled, I was able to remove the files, and search again through the registry for the particular names that I deleted, and finally, wonder of wonders, everything cleared up. But it wasn’t easy. Seems that at least one trojan/virus writer has found some pretty nifty hooks into the Windows system. Hooks that aren’t among those usually found, and hooks that aren’t checked by at least Trend Micro. It detected the virus once running, but even an online scan with their latest product couldn’t remove the prefetch entries that were causing it to return over and over.
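As an added example (this is editor-written code, not something from the original post, from Trend Micro, or from the trojan's author), the following PowerShell function automates the hunt described above for a randomly named component: it lists matching trace files in the Prefetch folder, matching items in the Startup folders, every registry key or value under HKLM\SOFTWARE and HKCU\SOFTWARE whose name or data contains the fragment (which is how an oddly spelled entry such as ukidoek.exeCommonStartup turns up, wherever it lives), and matching files on disk. The name `ukidoek` is the post's own placeholder, not a real indicator; substitute whatever name the scanner reports. One caveat for the Prefetch step: the `.pf` files Windows keeps there are launch traces named after each executable that has run (for example UKIDOEK.EXE-1A2B3C4D.pf), so a hit there tells you the program executed and roughly when, and deleting the trace is harmless, but the actual autostart hook still has to be found in the registry or a startup folder.

```powershell
# Added example: hunt for a randomly named trojan component by name fragment.
# Run from an elevated PowerShell prompt. "ukidoek" is a placeholder from the
# post, not a real indicator of compromise.
function Find-NameReferences {
    param(
        [Parameter(Mandatory = $true)] [string]$NameFragment,
        [string[]]$RegistryRoots = @('HKLM:\SOFTWARE', 'HKCU:\SOFTWARE'),
        [string[]]$FileRoots = @($env:SystemRoot, $env:ProgramData, $env:APPDATA)
    )
    $hits = New-Object System.Collections.Generic.List[object]
    $like = "*$NameFragment*"

    # 1. Prefetch: a .pf trace named after the executable proves it ran; it is
    #    a trace, not a startup mechanism, so keep looking after finding one.
    Get-ChildItem -Path (Join-Path $env:SystemRoot 'Prefetch') -Filter '*.pf' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like $like } |
        ForEach-Object { $hits.Add([pscustomobject]@{ Where = 'Prefetch'; Item = $_.FullName; Detail = $_.LastWriteTime }) }

    # 2. Startup folders, per-user and all-users.
    foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        Get-ChildItem -Path $folder -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like $like } |
            ForEach-Object { $hits.Add([pscustomobject]@{ Where = 'StartupFolder'; Item = $_.FullName; Detail = $_.LastWriteTime }) }
    }

    # 3. Registry: walk every key under each root and match key names, value
    #    names and value data. This covers the standard Run keys and also any
    #    entry parked somewhere unusual, plus msconfig's own disabled-entry
    #    records under HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig.
    foreach ($root in $RegistryRoots) {
        $keys = @(Get-Item -Path $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            if ($null -eq $key) { continue }
            if ($key.Name -like $like) {
                $hits.Add([pscustomobject]@{ Where = 'RegistryKey'; Item = $key.Name; Detail = '' })
            }
            foreach ($valueName in $key.GetValueNames()) {
                # Read raw data so %VAR% strings are compared as written.
                $data = [string]$key.GetValue($valueName, '', 'DoNotExpandEnvironmentNames')
                if ($valueName -like $like -or $data -like $like) {
                    $hits.Add([pscustomobject]@{ Where = 'RegistryValue'; Item = "$($key.Name)\$valueName"; Detail = $data })
                }
            }
        }
    }

    # 4. Files on disk: the .exe/.dll themselves, wherever they were dropped.
    foreach ($root in $FileRoots) {
        Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.Name -like $like } |
            ForEach-Object { $hits.Add([pscustomobject]@{ Where = 'File'; Item = $_.FullName; Detail = $_.LastWriteTime }) }
    }
    return $hits
}

# Example invocation with the post's placeholder name.
Find-NameReferences -NameFragment 'ukidoek' | Format-Table -AutoSize -Wrap
```

The function only reports; nothing is deleted. The intended workflow is the one the post arrives at: disable or remove the registry hook first, reboot, confirm the process is no longer running, then delete the files and re-run the search until it comes back empty. Deleting the binaries while the hook is still live just lets the running instance drop them again, which is exactly the loop described above.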