A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #9838  by Neurofunk
 Tue Nov 22, 2011 10:56 pm
Hi there I believe I have a sample of what you're looking for. I just found it on one of our machines. InstallFlashPlayer.exe (signed w/ Adobe cert which appears to be the same as the article's) located in the user's temp folder with msimg32.dll both hidden and flagged as system files. Ran sample on a test machine here then scanned with TDSSKiller Rootkit.Win32.ZeroAccess.K infection found.

Image

I would provide Virus Total links but in its usual fashion it is down when I need to use it :(

edit: was able to get virus total to load 0 detections on the DLL File:
http://www.virustotal.com/file-scan/rep ... 1322003773

File name: msimg32.dll
Submission date: 2011-11-22 23:16:13 (UTC)
Current status: finished
Result: 0 /43 (0.0%)
MD5 : 4e9a37688bc1fa27397575ae9f367894
SHA1 : 50c05dde4ae7e3beaed0bc0877179376ab2ff1a4
SHA256: cfca3aefa86d3260e68b8f2307707bd26c61bac36a5f6b0a06f885edd625cf6d
ssdeep: 3072:v1R9uBG/SEeWnqHsKf8zp6XXbRFFP7tlpy5EJdOdIQ:tR9o29eWqHs5zp8b/Fzt7JdOyQ
Attachments
password: infected
(3.66 MiB) Downloaded 81 times
Last edited by Neurofunk on Wed Nov 23, 2011 3:18 am, edited 1 time in total.
 #9842  by Neurofunk
 Wed Nov 23, 2011 3:17 am
Just checking but they might have been compressed with the hidden /system flag on them. I'll strip those off and reupload it. Small oversight ;)

edit: fixed should be cleared of the hidden/system file flags reuploaded the new zip same password as before.
 #9843  by a_d_13
 Wed Nov 23, 2011 3:21 am
Hello,

Yes, files were compressed with system + hidden attributes. Both files are present and seem to be correct malware - thank you for sharing.

Thanks,
--AD
 #9858  by markusg
 Wed Nov 23, 2011 3:41 pm
are you sure the exe file is a malware, when i delete dll file from folder the exe file is in it only starts flash player so i think the adobe installer is clean or im wrong?
 #9860  by erikloman
 Wed Nov 23, 2011 3:44 pm
markusg wrote:are you sure the exe file is a malware, when i delete dll file from folder the exe file is in it only starts flash player so i think the adobe installer is clean or im wrong?
It is msimg32.dll that gets loaded by the genuine official Flash Player Installer. The whole certificate thing, as McAfee wrote, plays NO ROLE.

The dll just makes use of the LoadLibrary hijacking 'feature' that loads DLLs in the current working folder BEFORE the dll in the system32 folder.
See also: http://www.computerworld.com/s/article/ ... ts_go_wild

Don't be fooled by VirusTotal not listing the msimg32.dll as malicious. It IS malicious and drops ZeroAccess.
Last edited by erikloman on Wed Nov 23, 2011 3:49 pm, edited 1 time in total.
  • 1
  • 15
  • 16
  • 17
  • 18
  • 19
  • 38