A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #7145  by EP_X0FF
 Fri Jul 08, 2011 2:01 pm
There seems to be a bug in IntMayak or the injector code (or in both). It always crashes the Internet Explorer x86 version after IntMayak injection (at least on our machines). And about the second dll that is currently a stub - I believe this is a not-yet-ready x64 injection payload.


btw, here is a link to the currently active v1 download (in attachment)

hxxp://porno-maniacs.com/porno-maloletka18.exe
Attachments
pass: malware
 #7153  by rkhunter
 Fri Jul 08, 2011 4:11 pm
My research shows that on an x64 OS, x32 browsers are failing, but x64 browsers work correctly. And the small dll in the x64 driver seems to be a debug stub.
 #7211  by rkhunter
 Mon Jul 11, 2011 1:12 pm
I tested some AV products on detecting/curing my x64 Windows 7 system with Rootkit.Cidox active. And I saw these results:

KIS 2011: successful detection and cure on quick scan
MSSE 2.1: detection failed on quick scan
ESET NOD32: detection failed
Dr.Web 6.0: successful detection and cure on quick scan
Trend Micro Titanium Internet Security: failed on quick scan
 #7520  by Flopik
 Fri Jul 22, 2011 6:52 pm
Some update on this rootkit:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows @Appinit_Dlls
C:\Windows\SysWOW64\rzjhlwl.dll

Inline hooks in Iexplore x64: C:\Windows\SysWOW64\ws2_32.dll (connect, recv, select, etc.)

Injected DLL also found in Iexplore, WerFault.exe, Mscorsvw.exe
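A defender-side check for the persistence mechanism described in this post, as an added example that is not code from the thread: it reads the AppInit_DLLs value from both the native and the Wow6432Node key, reports whether loading is enabled, and verifies the Authenticode signature of every DLL listed. The registry paths and value names are the standard Windows ones; an entry such as the rzjhlwl.dll above would show up as unsigned.

```powershell
# Added example: audit AppInit_DLLs persistence (native and Wow6432Node views).
# Run in an elevated PowerShell on the host under investigation.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

foreach ($key in $keys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { Write-Output "$key : not present"; continue }

    # LoadAppInit_DLLs (Win7+) gates the mechanism; RequireSignedAppInit_DLLs (Win8+)
    # restricts it to signed DLLs. Both being 0/absent is the weak state.
    Write-Output $key
    Write-Output ("  LoadAppInit_DLLs={0} RequireSignedAppInit_DLLs={1}" -f `
        $props.LoadAppInit_DLLs, $props.RequireSignedAppInit_DLLs)

    $value = [string]$props.AppInit_DLLs
    if ([string]::IsNullOrWhiteSpace($value)) { Write-Output "  AppInit_DLLs is empty"; continue }

    # The value is a list of DLL paths separated by spaces or commas.
    foreach ($dll in ($value -split '[ ,]+' | Where-Object { $_ })) {
        $path = [Environment]::ExpandEnvironmentVariables($dll)
        # A bare file name resolves against the system directory matching the view.
        if (-not [IO.Path]::IsPathRooted($path)) {
            $dir = if ($key -like '*Wow6432Node*') { "$env:SystemRoot\SysWOW64" } else { "$env:SystemRoot\System32" }
            $path = Join-Path $dir $path
        }
        if (-not (Test-Path $path)) { Write-Output "  [MISSING] $dll"; continue }

        $sig  = Get-AuthenticodeSignature -FilePath $path
        $item = Get-Item $path
        $flag = if ($sig.Status -ne 'Valid') { '[UNSIGNED/INVALID]' } else { '[signed]' }
        Write-Output ("  {0} {1} status={2} signer={3} size={4} modified={5}" -f `
            $flag, $path, $sig.Status, $sig.SignerCertificate.Subject, $item.Length, $item.LastWriteTime)
    }
}
```

Any entry flagged UNSIGNED/INVALID, or any randomly named DLL under SysWOW64 listed here, is worth pulling for analysis; on a clean workstation both values are normally empty.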
 #7522  by rkhunter
 Fri Jul 22, 2011 7:22 pm
Probably they updated it for x64 systems - x64 browsers. The previous version did not work correctly for x32 browsers (on start, the browser crashed) on an x64 system. And it did not work for x64 browsers (no banner).
 #7558  by EP_X0FF
 Sat Jul 23, 2011 5:27 pm
Flopik wrote: Some update on this rootkit:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows @Appinit_Dlls
C:\Windows\SysWOW64\rzjhlwl.dll

Inline hooks in Iexplore x64: C:\Windows\SysWOW64\ws2_32.dll (connect, recv, select, etc.)

Injected DLL also found in Iexplore, WerFault.exe, Mscorsvw.exe
Do you have the actual sample? If yes, please attach it here. Otherwise there is no point in posting update info without the actual malware file. This malware is not so well distributed.
 #7662  by Flopik
 Tue Jul 26, 2011 2:35 pm
EP_X0FF wrote:
Flopik wrote: Some update on this rootkit:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows @Appinit_Dlls
C:\Windows\SysWOW64\rzjhlwl.dll

Inline hooks in Iexplore x64: C:\Windows\SysWOW64\ws2_32.dll (connect, recv, select, etc.)

Injected DLL also found in Iexplore, WerFault.exe, Mscorsvw.exe
Do you have the actual sample? If yes, please attach it here. Otherwise there is no point in posting update info without the actual malware file. This malware is not so well distributed.
This is from one of the samples posted, I just wanted to give some more analysis details.