 #15161  by retrogad
 Mon Aug 13, 2012 10:55 am
Thanks very much for the deep explanation.
I have exported the functions, and they are:

refreshdev
createentry
initcache
revertcache
validateentry
initshellex
setwindowevent
shellnotifyuser
shellnotifyuserex
dllregisterserver
globaldeleteatoml


From http://www.securelist.com:


Creates events: '{12258790-A76B}', 'Global\RasSrvReady'

All functionality is implemented in 'RevertCache' export. The module starts its main thread and then returns. The main thread waits for the '{12258790-A76B}' event and continuously checks for the presence of anti-malware software.

'ValidateEntry' signals the '{12258790-A76B}' event, allowing for the main thread to work for 3 seconds before terminating it.

Writes log file: %temp%\~gdl.tmp

The log file entries are compressed with Zlib.
By querying disk enum in registry, it also tries to identify whether the storage is USB-connected or not by searching 'USBSTOR' string in their information.

When a drive contains '.thumbs.db' file, its contents are read and checked for the valid magic number 0xEB397F2B. If it matches, the module creates %commonprogramfiles%\system\wabdat.dat and writes the data to this file, and then deletes '.thumbs.db'.

Then, it infects the USB drives by creating directories with the names .Backup0[D-M] and .Backup00[D-M].


How do I call the function that will infect the USB? I tried "rundll32 gaus.dll,RevertCache" but nothing happened.
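As an added defender-side example (not part of the original post or of the Securelist write-up), the quoted indicators can be turned into a scan of a removable-drive root: it looks for the .Backup0[D-M] / .Backup00[D-M] marker directories and checks whether a .thumbs.db starts with the 0xEB397F2B magic. The byte order of the magic on disk is not stated above, so both orders are accepted (an assumption), and the sample drive layout is constructed in a temporary directory rather than taken from a real infection.

```python
import os
import re
import struct
import tempfile

# Indicators quoted from the Securelist description above.
MARKER_DIR_RE = re.compile(r"^\.Backup0{1,2}[D-M]$")   # .Backup0D .. .Backup00M
THUMBS_MAGIC = 0xEB397F2B                              # magic in '.thumbs.db'


def find_marker_dirs(root):
    """Return the sorted names of top-level directories matching the marker pattern."""
    return sorted(n for n in os.listdir(root)
                  if MARKER_DIR_RE.match(n) and os.path.isdir(os.path.join(root, n)))


def thumbs_has_magic(path):
    """True if the first DWORD of the file equals THUMBS_MAGIC in either byte order
    (assumption: the write-up does not say how the magic is stored on disk)."""
    with open(path, "rb") as f:
        head = f.read(4)
    if len(head) < 4:
        return False
    return THUMBS_MAGIC in (struct.unpack("<I", head)[0], struct.unpack(">I", head)[0])


def scan_drive(root):
    """Collect (indicator, detail) findings for one drive root."""
    findings = []
    dirs = find_marker_dirs(root)
    if dirs:
        findings.append(("marker_dirs", dirs))
    thumbs = os.path.join(root, ".thumbs.db")
    if os.path.isfile(thumbs) and thumbs_has_magic(thumbs):
        findings.append(("thumbs_db_magic", thumbs))
    return findings


def build_sample_drive(infected=True):
    """Constructed sample drive root for testing; no real malware data is written."""
    root = tempfile.mkdtemp(prefix="gauss_ioc_demo_")
    os.mkdir(os.path.join(root, "Photos"))                 # benign directory
    os.mkdir(os.path.join(root, ".Backup0Z"))              # near miss: Z is outside D-M
    if infected:
        for name in (".Backup0D", ".Backup00M"):
            os.mkdir(os.path.join(root, name))
        payload = struct.pack("<I", THUMBS_MAGIC) + b"\x00" * 16
    else:
        payload = b"\xd0\xcf\x11\xe0" + b"\x00" * 16        # ordinary OLE header, no match
    with open(os.path.join(root, ".thumbs.db"), "wb") as f:
        f.write(payload)
    return root


if __name__ == "__main__":
    print(scan_drive(build_sample_drive()))
```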
 #15217  by mirchi
 Wed Aug 15, 2012 7:49 pm
Can anybody help me in detail to execute the Gauss sample DLL to generate the infected system's CnC communication?
Help on the above will be highly appreciated.

thanks

mirchi
 #15248  by dfine
 Sat Aug 18, 2012 5:00 pm
mikeinhouston wrote:
dfine wrote: Some (or all) of the samples are DLLs. So if you want to run them, use rundll. Use dumpbin or a debugger to find out the exports of the DLLs. See http://support.microsoft.com/kb/164787 for more info about running a DLL.
Hi dfine, any parameters needed?
Well, that depends on the DLL itself.
 #15260  by retrogad
 Mon Aug 20, 2012 8:11 am
dfine wrote:
mikeinhouston wrote:
dfine wrote: Some (or all) of the samples are DLLs. So if you want to run them, use rundll. Use dumpbin or a debugger to find out the exports of the DLLs. See http://support.microsoft.com/kb/164787 for more info about running a DLL.
Hi dfine, any parameters needed?
Well, that depends on the DLL itself.

The one with the RevertCache function... how do I execute this function?
 #15262  by dfine
 Mon Aug 20, 2012 3:13 pm
retrogad wrote:
The one with the RevertCache function... how do I execute this function?
I did a fast disassembly of the RevertCache function. It seems it doesn't accept any arguments, so you can run it without any arguments. Open a cmd prompt and enter 'rundll32 MyTrojan.dll, RevertCache'. That will start the DLL at the entry point RevertCache.
The function RevertCache will start a thread. That thread starts execution at MyTrojan.dll:0x100043C3. Get yourself a debugger/disassembler and the Sysinternals tools to check out what that code does.
 #15263  by mikeinhouston
 Mon Aug 20, 2012 4:43 pm
I am interested in talking with someone who has been able to generate a computer infection with any of the Gauss samples available here.

I have tried doing so on an XP SP3 Professional laptop (rundll32 {sample}) and have not been successful yet.

Thanks