 #16761  by thisisu
 Thu Nov 22, 2012 3:59 am
EP_X0FF wrote: It is just an export symbol name; it can be random and different in your case.
So the DUMPBIN tool can't be used to detect the malicious .DLL?

Is there another tool that may assist? I'm thinking that if the .DLL contains "AInputStream" and is in a place such as the root of %appdata% or %localappdata%, then it can most likely be considered suspicious, if not always malicious. :|
 #16762  by EP_X0FF
 Thu Nov 22, 2012 4:14 am
The DLL you are looking for can be encrypted, and these exports may also be random for each new encryption.
 #16764  by thisisu
 Thu Nov 22, 2012 7:26 am
May have found a way 8-)
Suspicious HKLM\..\Run entries found. Trojan:JS/Medfos.B?
Val Name   Type     Value Data
========   ====     ==========
rscsdv     REG_SZ   rundll32.exe "C:\Documents and Settings\thisisu\Application Data\rscsdv.dll",AStartUp
rtcone     REG_SZ   rundll32.exe "C:\Documents and Settings\thisisu\Application Data\rtcone.dll",get_tIME
 #20043  by thisisu
 Thu Jul 11, 2013 8:51 am
Hi,

Couple more Medfos samples courtesy of B-boy/StyLe/

These seem a bit different than previous variants encountered.

sidapr.dl_ -- b01e81e1b02198fe3e249f9a1b93847c -- https://www.virustotal.com/en/file/e62e ... 373531509/
stspb.dl_ -- 8c03298e8b1b2b9181d8ef7fdf1e65af -- https://www.virustotal.com/en/file/522e ... 373531656/

The filename of the .DLL is also created as a registry value here: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion (see below)
Searching for "sidapr"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
"sidapr"="ODUuMTcuMTQ3LjMzOwAA"
Source: http://pastebin.com/4D213JBA

Anything special about this "ODUuMTcuMTQ3LjMzOwAA" data in the value? It doesn't seem so random as I found it in another topic as well (see below) :
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
ctroc - ODUuMTcuMTQ3LjMzOwAA
Source: http://www.bleepingcomputer.com/forums/ ... try3070135

The .DLL in both cases is located in %appdata% (as with previous variants). What I find interesting is that this .DLL doesn't appear to be running. No scans are detecting it as loaded into a process, it isn't utilizing rundll32.exe, and there is no autorun / startup value in the registry as I would expect. The only reference that I can see to the .DLL was located at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion, but the data of the value here isn't the file path; it's just "ODUuMTcuMTQ3LjMzOwAA". Is this .DLL only run once (RunOnce) and just left on the system?

More analysis appreciated.
Attachments
pass: infected
 #20055  by thisisu
 Thu Jul 11, 2013 10:44 pm
EP_X0FF wrote:
thisisu wrote:"ODUuMTcuMTQ3LjMzOwAA"
base64 = 85.17.147.33;
That IP address is C&C?

More info. This registry data value (string / IP address) was used in the past: ODUuMTcuMTMyLjU0OwAA (not to be confused with the newer ODUuMTcuMTQ3LjMzOwAA)

Source: http://pastebin.com/qNwscqPA

http://home.mcafee.com/virusinfo/virusp ... 67561#none
 #20058  by EP_X0FF
 Fri Jul 12, 2013 12:48 am
thisisu wrote:
EP_X0FF wrote:
thisisu wrote:"ODUuMTcuMTQ3LjMzOwAA"
base64 = 85.17.147.33;
That IP address is C&C?

More info. This registry data value (string / IP address) was used in the past: ODUuMTcuMTMyLjU0OwAA (not to be confused with the newer ODUuMTcuMTQ3LjMzOwAA)

Source: http://pastebin.com/qNwscqPA

http://home.mcafee.com/virusinfo/virusp ... 67561#none
I mean this strange string is the base64-encoded value of an IP address.
In this "sidapr"="ODUuMTcuMTQ3LjMzOwAA" the name depends on the DLL name; if you rename sidapr.DLL to test.DLL it will create the key "test"="ODUuMTcuMTQ3LjMzOwAA".
As for IP address 85.17.147.33, this is ppcper2adwertising.com; the name is quite obvious.
This DLL itself was not noticed to write anything else to the registry/fs and works only from a browser process. So the autorun entry must be set by the dropper, and likely it does it through rundll32 <random export name>. If there is no such entry on the infected computer, it means it was already removed by the user/other program.
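A defender-side check for the two registry indicators described in this thread: the HKCU\...\CurrentVersion value whose name equals the DLL base name and whose data is base64 of "IP;" plus NUL padding, and a Run entry that launches rundll32 on a DLL under the user profile. This is an added example, not code from the thread; the .reg export is constructed from the names and strings posted above (paths are made up), and the function names and the appdata_dlls parameter are my own.

```python
import base64
import re

# Constructed sample .reg export: value/DLL names and encoded strings come from the thread, paths are made up.
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
"sidapr"="ODUuMTcuMTQ3LjMzOwAA"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"rscsdv"="rundll32.exe \"C:\\Documents and Settings\\user\\Application Data\\rscsdv.dll\",AStartUp"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]\s*$')
VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"\s*$')
IP_RE = re.compile(rb'^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3});\x00*$')
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\S+)', re.I)
APPDATA_RE = re.compile(r'\\(?:Application Data|AppData\\(?:Roaming|Local))\\[^\\]+\.dll$', re.I)

def decode_medfos_ip(data):
    """Return the IPv4 string if data is base64 of 'a.b.c.d;' plus NUL padding, else None."""
    try:
        raw = base64.b64decode(data, validate=True)  # rejects non-alphabet chars and bad padding
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    m = IP_RE.match(raw)
    if not m or any(int(octet) > 255 for octet in m.groups()):
        return None
    return raw.split(b';', 1)[0].decode('ascii')

def scan_reg_export(text, appdata_dlls=()):
    """Walk a .reg export and flag both indicators; appdata_dlls = DLL names the caller saw in %APPDATA%."""
    present, findings, key = {d.lower() for d in appdata_dlls}, [], None
    for line in text.splitlines():
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if not vm or key is None:
            continue
        name, data = vm.group(1), re.sub(r'\\(.)', r'\1', vm.group(2))  # undo .reg escaping
        ip = decode_medfos_ip(data)
        if ip:  # value name == DLL base name, data == base64("IP;" + NULs)
            findings.append({'key': key, 'name': name, 'kind': 'encoded_ip', 'ip': ip,
                             'dll_present': f'{name}.dll'.lower() in present})
        rm = RUNDLL_RE.search(data)
        if rm and APPDATA_RE.search(rm.group(1)):  # rundll32 loading a DLL from the user profile
            findings.append({'key': key, 'name': name, 'kind': 'rundll32_appdata',
                             'dll': rm.group(1), 'export': rm.group(2)})
    return findings
```

On a real machine, feed it the text of a `reg export` of the two keys (decoded from UTF-16) together with a listing of %APPDATA%, so an encoded-IP value is cross-checked against its companion DLL.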