A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #14221  by rkhunter
 Sun Jun 24, 2012 10:14 am
MD5: 3e50b76c0066c314d224f4fd4cbf14d5
SHA1: 8284814c5c5cb0f37fe200b918b65ef89c259a0a

Worm:Win32/Pushbot.VR
https://www.virustotal.com/file/8cd1438 ... /analysis/
MS says that this is a fresh version:

Detection initially created:
Released: Jun 18, 2012

In my case:

Copies itself to:
C:\Documents and Settings\root\Local Settings\Application Data\lxopab.exe
Runs from:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\nkdxrrl
Contains process list:
msnmsgr.exe
msmsgs.exe
opera.exe
skype.exe
firefox.exe
iexplore.exe
calc.exe
jusched.exe
explorer.exe
List of domains:
shuurl.com
shurl.net
shrvl.com
shrunkurl.com
shrt.st
shrinkster.com
shrinkomatic.com
shrinkify.com
shredurl.com
shoxt.com
shoturl.us
shortn.me
shortlinks.co.uk
shortify.wikinote.com
shorterlink.com
shortener.net
shorten.ws
shortar.com
shortadress.com
short.to
short.la
short.ie
shorl.com
shiturl.com
sh0rt.com
s3nt.com
s3dl.com
twurl.cc
twitt.at
twitpwr.com
twitclicks.com
twisturl.com
twirl.at
twi.bz
tw3.it
turo.us
tubeurl.com
traceurl.com
tra.kz
trim.li
tr.im
to.ly
tnij.org
tinyurl.com
tinyup.net
tinylink.com
tiny.cc
tii.li
tighturl.com
thurly.net
thnlnk.com
thinfi.com
takeme.to
t1ny.net
lilipala.com
tintiurl.net
GUIDs inside:
{E525B997-4A1A-425a-84B7-5D98AF7F902A}
8039E777-0E21-4ce6-A6A1-299E1BDD1303
C7D35FE1-E3DE-4ccc-9713-F7430EBBE57B
DEE2ECDD-B4E7-4259-8FE9-F2CE5B2CEB9C
4F3FF089-D782-41ca-8E51-D936AD7F9574
{5BD81296-61C1-4c64-BB8A-8B815F37F5E8}
{C5840F71-67D1-4b13-AF88-513BC2C43FB9}
{DC0DE040-F93F-434a-B57F-0F3773AC28B4}
{06C7C366-2D08-4fd6-B889-14DB7917DBC2}
{07A2E0B2-E7FC-445c-A14F-8B6BE7654690}
{C32E5C51-AA72-4c0a-9281-CE5ADC06058E}
{748BDD9B-FF3C-4e30-8EBD-B0B1197E0483}
{042F72E3-EDFD-4c91-BC11-8160507800D1}
{B5DAF164-DF64-4900-9882-04559912D6AC}
5AFC5A39-AA03-424d-8917-BC95C3FA9C5B
AA712152-8A6B-4450-B59C-F72D56160896
Targeted to facebook:
graph.facebook.com
/me/friends?access_token=
access_token=
developers.facebook.com
/docs/reference/api/
GET
Cookie:
/ajax/mercury/send_messages.php?__a=1
&message_batch[0][specific_to_list][1]=fbid%3A
&message_batch[0][specific_to_list][0]=fbid%3A
&message_batch[0][body]=
&message_batch[0][author]=fbid%3A
message_batch[0][action_type]=ma-type%3Auser-generated-message&message_batch[0][timestamp]=1333995680955&message_batch[0][timestamp_absolute]=Mon%20Apr%2009%202012%2020%3A21%3A20%20GMT%2B0200%20(Central%20European%20Daylight%20Time)&message_batch[0][timestamp_relative]=a%20few%20seconds%20ago&message_batch[0][is_unread]=false&message_batch[0][is_cleared]=false&message_batch[0][source]=source%3Achat%3Aweb&message_batch[0][has_attachment]=false&message_batch[0][is_html]=false&&message_batch[0][message_id]=%3C1333995680955%3A3792557053-1782695666%40mail.projektitan.com%3E&message_batch[0][thread_id]=
message_batch[0][action_type]=ma-type%3Auser-generated-message&message_batch[0][timestamp]=1333995680955&message_batch[0][timestamp_absolute]=Mon%20Apr%2009%202012%2020%3A21%3A20%20GMT%2B0200%20(Central%20European%20Daylight%20Time)&message_batch[0][timestamp_relative]=a%20few%20seconds%20ago&message_batch[0][is_unread]=false&message_batch[0][is_cleared]=false&message_batch[0][source]=source%3Achat%3Aweb&message_batch[0][has_attachment]=false&message_batch[0][is_html]=false&&message_batch[0][thread_id]=&message_batch[0][author]=fbid%3A&message_batch[0][specific_to_list][0]=fbid%3A&message_batch[0][specific_to_list][1]=fbid%3A&message_batch[0][message_id]=%3C1333995680955%3A3797777053-1678697866%40mail.projektitan.com%3E&message_batch[0][body]=
"thread_id":"
/ajax/mercury/thread_info.php?__a=1
&messages[user_ids][
&messages[user_ids][]=10&
threads[user_ids][0]=
/ajax/updatestatus.php?__a=1
User-Agent:
Cookie:
hxxp://www.facebook.com
Host:
Injects code and hooks into Explorer:

[screenshot]

IE:

[screenshot]
[screenshot]

It restores the autorun key before reboot as a part of its self-defence.
 #14222  by Buster_BSA
 Sun Jun 24, 2012 11:43 am
rkhunter wrote: MD5: 3e50b76c0066c314d224f4fd4cbf14d5
SHA1: 8284814c5c5cb0f37fe200b918b65ef89c259a0a

In my case:

Copies itself to:
C:\Documents and Settings\root\Local Settings\Application Data\lxopab.exe
Runs from:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\nkdxrrl
[...]
Under Sandboxie it crashes, and under a virtual machine too:

http://malwr.com/analysis/a282daf513791 ... 48cdf8610/

Could you explain why it runs fine in your test environment?
 #14223  by rkhunter
 Sun Jun 24, 2012 12:43 pm
It also copies itself to
C:\Documents and Settings\root\Start Menu\Programs\Startup\random
Steps to remove (with procexp):

- Suspend all processes in the list above
- Kill the main module (the process that is always resident in memory)
- Kill all processes from the list above
- Run explorer.exe (from procexp, of course)
- Remove the main malware module from both locations
- Run regedit
- Remove the autostart key
- Reboot
 #14224  by rkhunter
 Sun Jun 24, 2012 12:45 pm
Buster_BSA wrote: Could you explain why it runs fine in your test environment?
Nothing special.
 #14226  by STRELiTZIA
 Sun Jun 24, 2012 2:36 pm
Buster_BSA wrote:
rkhunter wrote: Nothing special.
Did you run it under a virtual machine?
Hi BSA,
Working fine under VMware (Win XP SP3, updated)
 #14227  by rkhunter
 Sun Jun 24, 2012 2:53 pm
STRELiTZIA wrote:
Buster_BSA wrote:
rkhunter wrote: Nothing special.
Did you run it under a virtual machine?
Hi BSA,
Working fine under VMware (Win XP SP3, updated)
For me too.
 #14288  by Buster_BSA
 Tue Jun 26, 2012 11:41 am
If I am not wrong, this malware (MD5: 3e50b76c0066c314d224f4fd4cbf14d5) does API hooking.

Could someone put a list of hooked APIs, please? I need the information for an improvement in Buster Sandbox Analyzer.

Additional question: how many bytes are changed for the JMP?
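The question above (which APIs are hooked, how many bytes the JMP changes) is only answered in this thread by rkhunter's screenshots. As an added example, not code from the thread or from any tool mentioned in it, here is a small C checker for the 32-bit x86 inline hook shapes an analyst usually meets when diffing an API's in-memory prologue against a clean copy: a 5-byte E9 rel32 detour, a 6-byte FF 25 indirect jump and a 6-byte push/ret. The function address, the detour address and the prologue bytes below are constructed samples, not values taken from this sample.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hook shapes this checker recognises at a 32-bit x86 function entry. */
typedef enum {
    HOOK_NONE = 0,
    HOOK_JMP_REL32,     /* E9 rel32      : 5 bytes overwritten */
    HOOK_JMP_INDIRECT,  /* FF 25 disp32  : 6 bytes overwritten */
    HOOK_PUSH_RET       /* 68 imm32 C3   : 6 bytes overwritten */
} hook_kind;

typedef struct {
    hook_kind kind;
    size_t    patched_bytes; /* prologue bytes the detour overwrote, 0 if clean */
    uint32_t  target;        /* detour destination (pointer slot for FF 25), 0 if clean */
} hook_info;

/* Little-endian 32-bit read with no alignment assumptions. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Classify the first `len` bytes of a function mapped at virtual address `va`. */
hook_info classify_prologue(const uint8_t *code, size_t len, uint32_t va)
{
    hook_info h = { HOOK_NONE, 0, 0 };

    if (len >= 5 && code[0] == 0xE9) {
        /* rel32 is relative to the end of the 5-byte instruction; unsigned
           wraparound gives the correct 32-bit result for negative displacements. */
        h.kind = HOOK_JMP_REL32;
        h.patched_bytes = 5;
        h.target = va + 5u + rd32(code + 1);
    } else if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) {
        /* jmp dword ptr [disp32]: the real detour address lives in that slot. */
        h.kind = HOOK_JMP_INDIRECT;
        h.patched_bytes = 6;
        h.target = rd32(code + 2);
    } else if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {
        /* push imm32 / ret: jumps to imm32 without touching a register. */
        h.kind = HOOK_PUSH_RET;
        h.patched_bytes = 6;
        h.target = rd32(code + 1);
    }
    return h;
}

/* Count bytes that differ between a clean copy of the prologue (e.g. read from
   the DLL on disk with relocations applied) and the live in-process bytes. */
size_t count_patched_bytes(const uint8_t *clean, const uint8_t *live, size_t n)
{
    size_t diff = 0;
    for (size_t i = 0; i < n; i++)
        if (clean[i] != live[i]) diff++;
    return diff;
}

/* Constructed sample: a typical hot-patchable Win32 API entry
   (mov edi,edi / push ebp / mov ebp,esp / sub esp,10h) at a made-up address. */
#define SAMPLE_VA 0x7C801D7Bu
const uint8_t CLEAN_PROLOGUE[8]  = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };
/* The same entry after a detour to 0x00401000 was written over it:
   E9 <rel32 = 0x00401000 - (SAMPLE_VA + 5)> followed by the untouched tail. */
const uint8_t HOOKED_PROLOGUE[8] = { 0xE9, 0x80, 0xF2, 0xBF, 0x83, 0x83, 0xEC, 0x10 };
/* A push/ret variant pointing at the same constructed detour address. */
const uint8_t PUSHRET_PROLOGUE[6] = { 0x68, 0x00, 0x10, 0x40, 0x00, 0xC3 };

int main(void)
{
    hook_info h = classify_prologue(HOOKED_PROLOGUE, sizeof HOOKED_PROLOGUE, SAMPLE_VA);
    printf("kind=%d patched=%zu target=0x%08X differing=%zu\n",
           (int)h.kind, h.patched_bytes, (unsigned)h.target,
           count_patched_bytes(CLEAN_PROLOGUE, HOOKED_PROLOGUE, sizeof CLEAN_PROLOGUE));
    return 0;
}
```

In a real check the clean bytes come from the module on disk (after applying relocations for the load address) and the live bytes from the target process, so that a legitimate Microsoft hot-patch stub (mov edi,edi) is not confused with a detour; the byte count reported by count_patched_bytes is exactly the figure Buster_BSA asks about for whichever hook shape is found.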