A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #3305  by Jaxryley
 Thu Nov 04, 2010 12:59 am
Dropped by a ltpro32.exe and drops a few others.

dichmnv.sys - 6/43 - Avast - Win32:Bubak - MD5 : afc5c30cdc47c439e77d8c4d14608e17
http://www.virustotal.com/file-scan/rep ... 1288831065

Not sure on the dropped exe below?
xitb.exe - 0/43 - MD5 : 5323b78dcbc859bf5acd4d7f625e5786
http://www.virustotal.com/file-scan/rep ... 1288831049
Attachments
(811.88 KiB) Downloaded 75 times
 #3307  by nullptr
 Thu Nov 04, 2010 5:24 am
xitb.exe copies itself to System32\srvuvideo.exe

runs via:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe]
"Debugger"="srvuvideo.exe"

hooks:
winlogon.exe-->ntdll.dll-->NtSetValueKey, Type: Inline - RelativeJump 0x7C90DDCE-->00000000 [unknown_code_page]
explorer.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]
explorer.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump 0x3D94654B-->00000000 [unknown_code_page]
explorer.exe-->wininet.dll-->HttpQueryInfoA, Type: Inline - RelativeJump 0x3D94878D-->00000000 [unknown_code_page]
explorer.exe-->wininet.dll-->InternetCloseHandle, Type: Inline - RelativeJump 0x3D949088-->00000000 [unknown_code_page]
explorer.exe-->wininet.dll-->InternetQueryDataAvailable, Type: Inline - RelativeJump 0x3D94BF7F-->00000000 [unknown_code_page]
explorer.exe-->wininet.dll-->HttpOpenRequestA, Type: Inline - RelativeJump 0x3D94D508-->00000000 [unknown_code_page]
explorer.exe-->wininet.dll-->InternetConnectA, Type: Inline - RelativeJump 0x3D94DEAE-->00000000 [unknown_code_page]
explorer.exe-->wininet.dll-->HttpSendRequestW, Type: Inline - RelativeJump 0x3D94FABE-->00000000 [unknown_code_page]
explorer.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D95D690-->00000000 [unknown_code_page]
explorer.exe-->wininet.dll-->HttpSendRequestA, Type: Inline - RelativeJump 0x3D95EE89-->00000000 [unknown_code_page]
explorer.exe-->wininet.dll-->InternetReadFileExW, Type: Inline - RelativeJump 0x3D963349-->00000000 [unknown_code_page]
explorer.exe-->wininet.dll-->InternetReadFileExA, Type: Inline - RelativeJump 0x3D963381-->00000000 [unknown_code_page]

What could it be doing? :lol:
 #3308  by EP_X0FF
 Thu Nov 04, 2010 6:14 am
xitb.exe

crypted + UPX 3.04
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
shlwapi ole32 -update " -autorun -autorun &osver= &ipcnf= &sckport= &cmobj= ROLEWWQCV
userinit.exe SeDebugPrivilege csrss.exe smss.exe .dll iphlpapi 255.255.255.255 192.168.8.4
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe Debugger
advapi32 EnableLUA win video def mem dns setup user logon hlp mixer pack mon srv exec play
SYSTEM\ControlSet001\Control\Session Manager\AppCertDlls
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit winlogon.exe
Software\Microsoft\Windows\CurrentVersion\Run
RkU Version: 5.2.710.2300, Type VX2 (VX+)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
[400]winlogon.exe-->ntdll.dll-->NtSetValueKey, Type: Inline - RelativeJump 0x7C90DDB0-->01514AB8 [unknown_code_page]
[1148]explorer.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->02C60B34 [unknown_code_page]
[1148]explorer.exe-->kernel32.dll-->CreateProcessInternalW, Type: Inline - RelativeJump 0x7C81979C-->007F866A [unknown_code_page]
[1148]explorer.exe-->wininet.dll-->HttpOpenRequestA, Type: Inline - RelativeJump 0x771B2AF9-->02C5D590 [unknown_code_page]
[1148]explorer.exe-->wininet.dll-->InternetConnectA, Type: Inline - RelativeJump 0x771B3452-->02C5D2C8 [unknown_code_page]
[1148]explorer.exe-->wininet.dll-->InternetCloseHandle, Type: Inline - RelativeJump 0x771B4D8C-->02C5FA3C [unknown_code_page]
[1148]explorer.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x771B578E-->02C5D274 [unknown_code_page]
[1148]explorer.exe-->wininet.dll-->HttpSendRequestA, Type: Inline - RelativeJump 0x771B60A1-->02C5E480 [unknown_code_page]
[1148]explorer.exe-->wininet.dll-->HttpQueryInfoA, Type: Inline - RelativeJump 0x771B79C2-->02C5F9FC [unknown_code_page]
[1148]explorer.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump 0x771B82EA-->02C5F7F4 [unknown_code_page]
[1148]explorer.exe-->wininet.dll-->InternetQueryDataAvailable, Type: Inline - RelativeJump 0x771C89F7-->02C5F4F4 [unknown_code_page]
[1148]explorer.exe-->wininet.dll-->InternetReadFileExW, Type: Inline - RelativeJump 0x771E83F9-->02C5F9AC [unknown_code_page]
[1148]explorer.exe-->wininet.dll-->InternetReadFileExA, Type: Inline - RelativeJump 0x771E9100-->02C5F95C [unknown_code_page]
[1148]explorer.exe-->wininet.dll-->HttpSendRequestW, Type: Inline - RelativeJump 0x77202EBC-->02C5EB10 [unknown_code_page]
t e x t g z i p d e f l a t e   − share ITINITPRM=| ITHOST=| ITPAGE=| ITREFERER=| ITURL=| ITOPTIONAL=| ITSUCCESS=| ITINITHOST=| ITINITPAGE=| ITMETHOD=| ITREAD=| |End [ITBEGINBLOCKHOOK] [ITENDBLOCKHOOK]
INJECTFILE ITINITIALIZE=| ITLOCKADDRESS=| ITONERR=| ITIFCONTEXT=| ITINITIFCN=| ITINITIFREQ=| ITINITRXPREQ=| ITINITNAME=| ITINITSTART=| ITINITEND=| ITINITXPRREG=| ITREQRXPREQ=| ITREQSRVERR=| ITREQMATH=| ITREQCOUNT=| ITSRVDATA=| ITDRL=| ITINJHOST=| ITINJPAGE=| ITINJIFREQ=| ITINJSTART=| ITINJEND=| ITINJRXPREG=| ITINJCODE=| ITINJRXPREQ=| ITINJPASTE=| ITINJFRM=| ITINJIFFOUND=| ITINJPASTEMN=| ITIFINIT=| ITSUCCTRHOST=| ITSUCCTRPAGE=| ITSUCCTRCNR=| ITSUCCTRTHEN=| ITSUCCTRELSE=| ITSUCCTRIFREQ=| ITSUCCTRPRM=| ITCMPACCHOST=| ITCMPACCPAGE=| ITCMPACCIF=| ITCMPPRXPNAME=| ITCMPRXPREQ=| ITCMPACCPRC=| ITCMPPRM=| ITCMPREGNAME=| ITCMPACCNAME=| ITCMPACCREQ=| ITCMPSRVERR=| ITHEADERSCRTIMER=| ITHEADERSCRLIMIT=| ITHEADERSCRMINDELAY=| ITNOTIFINAME=| ITNOTIFIPRM=| ITNOTIFIIF=| ITNOTIFITHEN=| ITNOTIFIELSE=| ITNOTIFISRVDATA=| ITSCRHOST=| ITSCRPAGE=| ITSCRONSUCCESS=| ITSUCCTRSTR=| ITSUCCTRFALSE=| ITBLOCKURLHOST=| ITBLOCKURLPAGE=| ITBLOCKURLIFREQ=| google.com gzip deflate %AMOUNT% %ITENABLED% %ITSUCCESSHOST% ?tver= &vcmd= Edit &shy;<wbr/> & ITOK ITERR IT_STOP DIS1 MSIE Referer: %CMPACC% %TRANSFERTYPE% %ITSTATUS% Accept-Lang CMP
Location:
location: >CV CMP
>SU HTTP/1.1 100 Continue >CV URL: Content-Type: application/x-www-form-urlencoded CMD0 Accept-Encoding: nspr4
thebat.exe msimn.exe iexplore.exe explorer.exe myie.exe firefox.exe mozilla.exe avant.exe maxthon.exe OUTLOOK.EXE ftpte.exe
coreftp.exe filezilla.exe TOTALCMD.EXE cftp.exe FTPVoyager.exe SmartFTP.exe WinSCP.exe opera.exe navigator.exe safari.exe
chrome.exe <BEGIN> <END> POST .exe USER PASS wsock32 sa.windows.com domain= Set-Cookie: Keep-Alive: Accept-Charset:
Accept-Language: User-Agent: Accept: Cookie: https:// http:// FTP MAIL wininet oleaut32 urlmon GET Host: HTTP/1.
Transfer-Encoding: Content-Length: content-length: \Internet Explorer\iexplore.exe MozillaUIWindowClass Frame Tab
Software\Microsoft\Windows\CurrentVersion\Internet Settings User Agent Win32 Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 1609 IEFrame TabWindowClass msctls_statusbar32 msctls_progress32 WorkerW ReBarWindow32
Address Band Root ComboBoxEx32 ComboBox &AUML; &UUML; &OUML; svchost.exe Referer:
Content-Type: application/x-www-form-urlencoded MSIE 7.0
UA-CPU: x86
Accept-Encoding: gzip, deflate SOFTWARE\Microsoft\Windows NT\CurrentVersion SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\3CA1458D\
Windows NT C:\ CurrentVersion Content-Encoding:
dnsresl-125-18.cc/nau/dmp.php
rende-128-k15.com/nau/dmp.php
dnsresl-105-18.com/nau/dmp.php
 #3310  by Jaxryley
 Thu Nov 04, 2010 7:31 am
Thanks for checking EP_X0FF and nullptr. 8-)

xitb.exe wouldn't run on my XP VM till I put msvcr71.dll into sys32.
FILE ADDED! C:\WINDOWS\system32\execl.exe
FILE DELETED! C:\Documents and Settings\USERNAME\Desktop\xitb.exe
REG ADDED! HKLM SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe
REG ADDED! HKLM SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\A9478D1D
REG ADDED! HKLM SOFTWARE\Microsoft\Cryptography\RNG Seed bin:22nNIjqrjw5mgAq+lK153zZzjvSA9ExM7YpLAzC78HFsTiLw3PDCQkEJ0IDsCMI8ZKGnGNdcUj5aeT8GsjuTToCq2Jejrez7x+95WAigTdw=
REG ADDED! HKLM SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe Debugger "execl.exe"
 #3951  by EP_X0FF
 Sun Dec 12, 2010 1:41 pm
Thread split
 #4005  by nullptr
 Wed Dec 15, 2010 10:52 am
Just a Harnig downloader I was playing with today. For some reason RkU couldn't wipe the 760 k driver that was invited over, though KD had no problem.
Looks for Safari, Chrome, Firefox, Opera and Internet Explorer, so if you're using Browser Bob you might be ok.
Downloader + decrypted/unpacked attached.
Attachments
pass : malware
(32.69 KiB) Downloaded 44 times
 #4007  by PX5
 Wed Dec 15, 2010 11:00 am
Couple of ways to deal with it, if you disable asd or aec, whichever service is being jacked, upon reboot, the sys file moves fine for me.

Is rustock or wanna-be rustock?
 #4008  by EP_X0FF
 Wed Dec 15, 2010 1:08 pm
@nullptr

from your description this is Rustock NewRest. It constantly rewrites it's driver back to disk with help of watchdog system thread.
 #4010  by Jaxryley
 Wed Dec 15, 2010 1:57 pm
nullptr wrote:Just a Harnig downloader I was playing with today. For some reason RkU couldn't wipe the 760 k driver that was invited over, though KD had no problem.
Looks for Safari, Chrome, Firefox, Opera and Internet Explorer, so if you're using Browser Bob you might be ok.
Downloader + decrypted/unpacked attached.
Droppers I could grab which includes the rogue AV Antivirus Action.

effah.sys - 12/43 - Avast - Win32:Bubak - MD5 : de3122254b56dcbf58da1ac61db686f4
http://www.virustotal.com/file-scan/rep ... 1292421308
Pass:
malware

(1.51 MiB) Downloaded 48 times