A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #4362  by cjbi
 Sat Jan 08, 2011 3:31 pm
Stupid KillAV.
It tries to kill some antivirus.

Strings
drive (2).sys wrote:\\DosDevices\\xxx
\\Device\\xxx
\\DosDevices\\xxx
\\Device\\HarddiskVolume1\\Arquivos de programas\\GbPlugin\\gbpsv.exe
\\Device\\HarddiskVolume1\\Arquivos de programas\\GbPlugin\\gbiehcef.dll
\\Device\\HarddiskVolume1\\Arquivos de programas\\GbPlugin\\gbieh.gmd
\\Device\\HarddiskVolume1\\Arquivos de programas\\GbPlugin\\cef.gpc
\\Device\\HarddiskVolume1\\Arquivos de programas\\GbPlugin\\gbieh.dll
\\Device\\HarddiskVolume1\\Arquivos de programas\\GbPlugin\\gbpdist.dll
\\Device\\HarddiskVolume1\\Arquivos de programas\\GbPlugin\\bb.gpc
\\Device\\HarddiskVolume1\\Arquivos de programas\\GbPlugin\\gbpkm.sys
\\Device\\HarddiskVolume1\\Arquivos de programas\\Scpad\\scpIBCfg.bin
\\Device\\HarddiskVolume1\\Arquivos de programas\\GbPlugin\\gbpsv.exe
\\Device\\HarddiskVolume1\\Arquivos de programas\\Scpad\\scpMIB.dll
\\Device\\HarddiskVolume1\\Arquivos de programas\\Scpad\\scpsssh2.dll
\\Device\\HarddiskVolume1\\Arquivos de programas\\Scpad\\sshib.dll
\\Device\\HarddiskVolume1\\Arquivos de programas\\Alwil Software\\Avast4\\ashLogV.exe
\\Device\\HarddiskVolume1\\Arquivos de programas\\Alwil Software\\Avast4\\VisthUpd.exe
\\Device\\HarddiskVolume1\\Arquivos de programas\\Alwil Software\\Avast4\\VisthUpd.exe
\\Device\\HarddiskVolume1\\Arquivos de programas\\Alwil Software\\Avast4\\ashWebSv.exe
\\Device\\HarddiskVolume1\\Arquivos de programas\\Alwil Software\\Avast4\\aswUpdSv.exe
\\Device\\HarddiskVolume1\\Arquivos de programas\\Alwil Software\\Avast4\\ashUpd.exe
\\Device\\HarddiskVolume1\\Arquivos de programas\\Avira\\AntiVir Desktop\\avscan.exe
\\Device\\HarddiskVolume1\\Arquivos de programas\\Avira\\AntiVir Desktop\\update.exe
\\Device\\HarddiskVolume1\\Arquivos de programas\\Avira\\AntiVir Desktop\\updfix.exe
\\Device\\HarddiskVolume1\\Arquivos de programas\\Avira\\AntiVir Desktop\\avupgsvc.exe
\\Device\\HarddiskVolume1\\WINDOWS\\system32\\scpsssh2.dll
\\Device\\HarddiskVolume1\\WINDOWS\\system32\\drivers\\gbpkm.sys
\\Device\\HarddiskVolume1\\WINDOWS\\Downloaded Program Files\\scpsssh2.inf
\\Device\\HarddiskVolume1\\WINDOWS\\Downloaded Program Files\\abn.gpc
\\Device\\HarddiskVolume1\\WINDOWS\\Downloaded Program Files\\erma.inf
\\Device\\HarddiskVolume1\\WINDOWS\\Downloaded Program Files\\gbieh.gmd
\\Device\\HarddiskVolume1\\WINDOWS\\Downloaded Program Files\\gbiehabn.dll
\\Device\\HarddiskVolume1\\WINDOWS\\Downloaded Program Files\\gbiehuni.dll
\\Device\\HarddiskVolume1\\WINDOWS\\Downloaded Program Files\\GbPluginABN.inf
\\Device\\HarddiskVolume1\\WINDOWS\\Downloaded Program Files\\GbPluginuni.inf
\\Device\\HarddiskVolume1\\WINDOWS\\Downloaded Program Files\\uni.gpc
String:%08X/n
String1:%08X/n

...

String33:%08X/n
c:\\dd\\objfre_wxp_x86\\i386\\ddr.pdb
IoDeleteSymbolicLink
RtlInitUnicodeString
IoCreateFile
IoFreeIrp
KeSetEvent
fDereferenceObject
WaitForSingleObject
fCallDriver
GetCurrentThread
KeInitializeEvent
IoAllocateIrp
IoGetRelatedDeviceObject
ObReferenceObjectByHandle
IoFileObjectType
ZwClose
DbgPrint
CreateSymbolicLink
VirusTotal results
http://www.virustotal.com/file-scan/rep ... 1285460267
http://www.virustotal.com/file-scan/rep ... 1282089116
http://www.virustotal.com/file-scan/rep ... 1294498825
http://www.virustotal.com/file-scan/rep ... 1280846955
http://www.virustotal.com/file-scan/rep ... 1288712133
http://www.virustotal.com/file-scan/rep ... 1294491347
http://www.virustotal.com/file-scan/rep ... 1271858091
Attachments
pass: infected
(18.83 KiB) Downloaded 153 times
 #6447  by cjbi
 Fri May 20, 2011 8:05 pm
Aliases: Rootkit.Win64.Banker.a
Rootkit.Win32.Banker.dy

It tries to kill G-Buster Browser Defense component.

More information:
Rootkit Banker - now also to 64-bit: http://www.securelist.com/en/blog/11266 ... _to_64_bit

VirusTotal results
Rootkit.Win64.Banker.a: http://www.virustotal.com/file-scan/rep ... 1305918530
Rootkit.Win32.Banker.dy: http://www.virustotal.com/file-scan/rep ... 1305921831
Attachments
pass: malware
(114.37 KiB) Downloaded 280 times
 #6522  by Vrtule
 Tue May 24, 2011 8:33 pm
Hmmm, is it really a rootkit? I quickly looked to the 32bit driver and it seems that it only attempts to destroy some blacklisted products and probably to do something with hosts file. But it seems to me that the driver does not perform any hiding attempts.

Is 64-bit driver the same?
 #6529  by Evilcry
 Wed May 25, 2011 5:47 am
Hi,

This is not a real 'rootkit', it's more an agent driver that basically:

-> Removes G-Buster Browser Defender components
-> Updates two entries into Hosts config

x64 edition works in the sameway

Regards,
Evilcry