A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #12962  by rkhunter
 Mon Apr 30, 2012 4:44 pm
EP_X0FF wrote:
thisisu wrote:
rkhunter wrote:Critical analysis of Microsoft Operation B71 (against ZBot/Zeus/SpyEye botnet)
http://blog.fox-it.com/2012/04/12/criti ... ation-b71/
"One of the botnets was up and running again within 24 hours of the takedown on a brand new c&c server and continued with its business as usual."

Is this true?
When you are running a botnet and really thinking about its security, you always have a plan B: backup/alternative C&C servers, and maybe a reserved bot version (Kelihos example). Only a complete takedown combined with law enforcement action can guarantee that a botnet is really dead forever. So it is not something unusual, or a fault of Microsoft. The authors of this article should do something instead of searching for mistakes in others' actions.
MS gave all the evidence and materials to the Feds. These data were also used for civil suits. Moreover, I think it is an impossible task to liquidate the whole ZBot botnet with all its versions...
 #13424  by rough_spear
 Fri May 25, 2012 2:07 pm
Hi All,

I'm looking for the following Zeus sample with MD5.

MD5 : 19e00292094b2dfb6954419e93916e23
SHA1 : 03f0c26c6ba77c05152a1e0cc8bc5657f0c83119

Thanks in advance. :)

rough_spear.
 #13425  by rkhunter
 Fri May 25, 2012 3:21 pm
rough_spear wrote:Hi All,

I'm looking for the following Zeus sample with MD5.

MD5 : 19e00292094b2dfb6954419e93916e23
SHA1 : 03f0c26c6ba77c05152a1e0cc8bc5657f0c83119

Thanks in advance. :)

rough_spear.
ZeuS Ransomware Feature: http://www.f-secure.com/weblog/archives/00002367.html. (thx Kafeine for link mention)
Attachment (121.24 KiB), pass: infected
 #14283  by 360Tencent
 Tue Jun 26, 2012 6:44 am
http://blogs.mcafee.com/mcafee-labs/upp ... igh-roller
Building on established Zeus and SpyEye tactics, this ring adds many breakthroughs: bypasses for physical “chip and pin” authentication, automated mule account databases, server-based fraudulent transactions, and attempted transfers to mule business accounts as high as €100,000 ($130,000 USD)
 #14301  by erikloman
 Tue Jun 26, 2012 5:27 pm
Since last March, Zeus has stolen more than 35 million EUR from at least 5000 accounts in the Netherlands:
http://translate.google.com/translate?s ... anten.html

The Dutch National Police (KLPD) starts a large investigation regarding bank fraud by a ZeuS mutant:
http://translate.google.com/translate?s ... utant.html
 #14422  by rkhunter
 Tue Jul 03, 2012 5:17 pm
Interesting case of a decryptor/unpacker with some anti-emu features. By behaviour this is ZBot.

- At the beginning it calls GetCommandLineA
- Checks for the presence of SYSTEM\CurrentControlSet\Control\WOW
- Uses VirtualAllocEx instead of VirtualAlloc
- In the decryption loop these calls are made:
Thrd d0 0040177B GetWindowsDirectoryW( 260) -> 0x0000000A ( "C:\WINDOWS")
Thrd d0 0040181A lstrcatW( "C:\WINDOWS" "\system32\cscript.exe") -> "C:\WINDOWS\system32\cscript.exe"
Thrd d0 00401836 CreateFileW( "C:\WINDOWS\system32\cscript.exe" 0x00000001 FILE_SHARE_READ | FILE_SHARE_WRITE [0x00000000] NULL OPEN_EXISTING FILE_ATTRIBUTE_NORMAL NULL) -> 0x000007C0
(that hung the WinDbg logexts API logger)

- Uses TLS after the first "phase"
- Also logexts prints API log errors:
Unable to remove breakpoint 1 at 004014bb, Win32 error 0n487
"Attempt to access invalid address."
Log of the decryption loop (fragment):
Code:
Thrd d0 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x00000070) -> 0x009969D0
Thrd d0 77E8C9B6 RegOpenKeyExW( HKEY_LOCAL_MACHINE "Software\Microsoft\Rpc\PagedBuffers" 0x00000000 KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY) -> ERROR_FILE_NOT_FOUND [FAIL] ( [0x0012F234] -> 0x00000000)
Thrd d0 77E8C7CE RegOpenKeyExA( HKEY_LOCAL_MACHINE "Software\Microsoft\Rpc" 0x00000000 KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY) -> ERROR_SUCCESS ( [0x0012EF70] -> 0x00000750)
Thrd d0 77E8C7FE RegQueryValueExA( 0x00000750 "MaxRpcSize" [0x00000000] NULL) -> ERROR_FILE_NOT_FOUND [FAIL] ( [0x0012EF6C] -> 0x00000750 [0x0012EF74] -> 0xCC [0x0012EF68] -> 0x00000004)
Thrd d0 77E8C813 RegCloseKey( 0x00000750) -> ERROR_SUCCESS
Thrd d0 77E8C885 RegOpenKeyExW( HKEY_LOCAL_MACHINE "Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dropper.exe\RpcThreadPoolThrottle" 0x00000000 KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY) -> ERROR_FILE_NOT_FOUND [FAIL] ( [0x0012EF70] -> 0x00000000)
Thrd d0 77E8CFF1 RegOpenKeyExW( HKEY_LOCAL_MACHINE "Software\Policies\Microsoft\Windows NT\Rpc" 0x00000000 KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY) -> ERROR_FILE_NOT_FOUND [FAIL] ( [0x0012F244] -> 0x00000000)
Thrd d0 77E8D036 GlobalMemoryStatusEx() -> TRUE ( [0x0012F1E8] -> 0x00000040 , 0x00000021 , 0x1FF7C000 , 0x00000000  , 0x154A5000 , 0x00000000  , 0x35EA7000 , 0x00000000  , 0x2E611000 , 0x00000000  , 0x7FFE0000 , 0x00000000  , 0x7DA78000 , 0x00000000  , 0x00000000 , 0x00000000  )
Thrd d0 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x00000038) -> 0x009974C0
Thrd d0 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x00000018) -> 0x00997510
Thrd d0 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x00000014) -> 0x00997578
Thrd d0 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x00000054) -> 0x009975A8
Thrd d0 77E8C735 LoadLibraryW( "rpcrt4.dll") -> 0x77E70000
Thrd d0 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x00000020) -> 0x00933B90
Thrd d0 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x00000012) -> 0x009979A8
Thrd d0 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x0000001A) -> 0x00997EB8
Thrd d0 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x00000034) -> 0x009983D8
Thrd d0 77E766F4 HeapFree( 0x00140000 0x00000000 0x009979A8) -> TRUE
Thrd d0 77E766F4 HeapFree( 0x00140000 0x00000000 0x00000000) -> TRUE
Thrd d0 77E766F4 HeapFree( 0x00140000 0x00000000 0x00997EB8) -> TRUE
Thrd d0 77E766F4 HeapFree( 0x00140000 0x00000000 0x00000000) -> TRUE
Thrd d0 77E766F4 HeapFree( 0x00140000 0x00000000 0x00933B90) -> TRUE
Thrd d0 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x00000084) -> 0x00998BE8
Thrd d0 77E7E0D7 GetCurrentProcess() -> 0xFFFFFFFF
Thrd d0 77E7E0E6 GetCurrentThread() -> 0xFFFFFFFE
Thrd d0 77E7E0F0 DuplicateHandle( INVALID_HANDLE_VALUE 0xFFFFFFFE INVALID_HANDLE_VALUE 0x00000000 FALSE DUPLICATE_SAME_ACCESS) -> TRUE ( [0x00998BF0] -> 0x00000740)
Thrd d0 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x00000020) -> 0x00996998
Thrd d0 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x00000012) -> 0x00933B90
Thrd d0 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x00000002) -> 0x0080E1B8
Thrd d0 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x0000001E) -> 0x009979A8
Thrd d0 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x000000D0) -> 0x00998C88
Thrd d0 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x00000016) -> 0x00998D70
Thrd d0 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x00000004) -> 0x009160F0
Thrd d0 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x00000240) -> 0x00998DA0
Thrd d0 77E8C067 CreateIoCompletionPort( INVALID_HANDLE_VALUE NULL 0x00000000 0x00000000) -> 0x0000073C
Thrd d0 77E8C07C CreateIoCompletionPort( INVALID_HANDLE_VALUE NULL 0x00000000 0xFFFFFFFF) -> 0x00000738
Thrd d0 77E8C08F GetCurrentProcess() -> 0xFFFFFFFF
Thrd d0 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x00000008) -> 0x008F5470
Thrd d0 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x00000008) -> 0x0093BAE0
Thrd d0 77E8C12E DuplicateHandle( INVALID_HANDLE_VALUE 0x0000073C INVALID_HANDLE_VALUE 0x00000000 FALSE DUPLICATE_SAME_ACCESS) -> TRUE ( [0x0012F1E0] -> 0x00000734)
Thrd d0 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x000002AC) -> 0x00999030
Thrd d0 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x0000020C) -> 0x009992F8
Thrd d0 77E766F4 HeapFree( 0x00140000 0x00000000 0x00998D70) -> TRUE
Thrd d0 77E766F4 HeapFree( 0x00140000 0x00000000 0x009983D8) -> TRUE
Thrd d0 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x000000D0) -> 0x00999520
Thrd d0 77E7FD61 GetCurrentThread() -> 0xFFFFFFFE
Thrd d0 77E7FD7F GetLastError() -> 0x000003F0
Thrd d0 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x00000040) -> 0x00999608
Thrd d0 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x000001FC) -> 0x00999660
Thrd d0 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x00000158) -> 0x00999878
Thrd d0 77E84468 GetCurrentThread() -> 0xFFFFFFFE
Thrd d0 77E84B92 CreateFileW( "\\.\PIPE\lsarpc" GENERIC_READ | GENERIC_WRITE FILE_SHARE_READ | FILE_SHARE_WRITE [0x00000000] NULL OPEN_EXISTING 0x40000000 NULL) -> 0x0000072C
Thrd d0 77E84BB6 SetNamedPipeHandleState( 0x0000072C 0x0012F1C0 [0x00000000] NULL [0x00000000] NULL) -> TRUE
Thrd d0 77E84EA0 CreateIoCompletionPort( 0x0000072C 0x0000073C 0xFFFF0000 0x00000000) -> 0x0000073C
Thrd d0 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x00000108) -> 0x00999A20
Thrd d0 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x00000408) -> 0x00999B40
Thrd d0 77E766F4 HeapFree( 0x00140000 0x00000000 0x00000000) -> TRUE
Thrd d0 77E80F68 TransactNamedPipe( 0x0000072C 0x00999A28 0x00000038 0x00999B48 0x00000400 0x00999814) -> FALSE ( [0x0012F1C0] -> 0x00000400)
Thrd d0 77E80F76 GetLastError() -> 0x000003E5
Thrd d0 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x0000001C) -> 0x00999F60
Thrd d0 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x000000D0) -> 0x00999F98
Thrd d0 77E766F4 HeapFree( 0x00140000 0x00000000 0x00000000) -> TRUE
Thrd d0 77E766F4 HeapFree( 0x00140000 0x00000000 0x00000000) -> TRUE
Thrd d0 77E766F4 HeapFree( 0x00140000 0x00000000 0x00998C88) -> TRUE
Thrd d0 77E766F4 HeapFree( 0x00140000 0x00000000 0x00000000) -> TRUE
Thrd d0 77E80F68 TransactNamedPipe( 0x0000072C 0x00999A28 0x0000002E 0x00999B48 0x00000400 0x00999814) -> FALSE ( [0x0012F1D4] -> 0x00000400)
Thrd d0 77E80F76 GetLastError() -> 0x000003E5
Thrd d0 77E766F4 HeapFree( 0x00140000 0x00000000 0x00000000) -> TRUE
Thrd d0 77E80F68 TransactNamedPipe( 0x0000072C 0x00999A28 0x0000002E 0x00999B48 0x00000400 0x00999814) -> FALSE ( [0x0012F1D4] -> 0x00000400)
Thrd d0 77E80F76 GetLastError() -> 0x000003E5
Thrd d0 77E766F4 HeapFree( 0x00140000 0x00000000 0x00000000) -> TRUE
Thrd d0 77E80F68 TransactNamedPipe( 0x0000072C 0x00999A28 0x0000002C 0x00999B48 0x00000400 0x00999814) -> FALSE ( [0x0012F1E4] -> 0x00000400)
Thrd d0 77E80F76 GetLastError() -> 0x000003E5
Thrd d0 77E766F4 HeapFree( 0x00140000 0x00000000 0x00999F60) -> TRUE
Thrd d0 77E7670A CloseHandle() -> TRUE ( 0x00000730)
Thrd d0 77E766F4 HeapFree( 0x00140000 0x00000000 0x00999878) -> TRUE
Thrd d0 77E8875C CloseHandle() -> TRUE ( 0x0000072C)
Thrd d0 77E766F4 HeapFree( 0x00140000 0x00000000 0x00000000) -> TRUE
Thrd d0 77E766F4 HeapFree( 0x00140000 0x00000000 0x00999660) -> TRUE
Thrd d0 77E766F4 HeapFree( 0x00140000 0x00000000 0x00933B90) -> TRUE
Thrd d0 77E766F4 HeapFree( 0x00140000 0x00000000 0x0080E1B8) -> TRUE
Thrd d0 77E766F4 HeapFree( 0x00140000 0x00000000 0x009979A8) -> TRUE
Thrd d0 77E766F4 HeapFree( 0x00140000 0x00000000 0x00000000) -> TRUE
Thrd d0 77E766F4 HeapFree( 0x00140000 0x00000000 0x00996998) -> TRUE
Thrd d0 77E766F4 HeapFree( 0x00140000 0x00000000 0x00999608) -> TRUE
Thrd d0 77E766F4 HeapFree( 0x00140000 0x00000000 0x00999520) -> TRUE
Thrd d0 77E766F4 HeapFree( 0x00140000 0x00000000 0x00000000) -> TRUE
Thrd d0 77E766F4 HeapFree( 0x00140000 0x00000000 0x00000000) -> TRUE
Thrd d0 77E766F4 HeapFree( 0x00140000 0x00000000 0x00999F98) -> TRUE
Thrd d0 77F64186 lstrlenW( "{210A4BA0-3AEA-1069-A2D9-08002B30309D}") -> 0x00000026
Thrd d0 7CA23617 GetWindowsDirectoryW( 260) -> 0x0000000A ( "C:\WINDOWS")
Thrd d0 7CA2321E GetFileAttributesW( "C:\WINDOWS") -> FILE_ATTRIBUTE_DIRECTORY
Thrd d0 77F66789 lstrlenW( "C:\WINDOWS") -> 0x0000000A
Thrd d0 77F66798 LocalAlloc( LMEM_ZEROINIT 0x00000016) -> 0x00996998
Thrd d0 77F66EA5 lstrlenW( "C:\WINDOWS") -> 0x0000000A
Thrd d0 77F674D8 lstrlenW( "C:\WINDOWS\") -> 0x0000000B
Thrd d0 77F66A47 CompareStringW( 0x00000409 0x00000001 ":\WINDOWS\" 0xFFFFFFFF ":\" 0xFFFFFFFF) -> 0x00000003
Thrd d0 77F66EA5 lstrlenW( "C:\") -> 0x00000003
Thrd d0 7C9EEDD4 GetCurrentThread() -> 0xFFFFFFFE
Thrd d0 7C9EF01A RegCreateKeyExW( HKEY_CURRENT_USER "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" 0x00000000 NULL REG_OPTION_RESERVED 0x02000000 [0x00000000] NULL) -> ERROR_SUCCESS ( [0x0012F404] -> 0x00000728 [0x00000000] NULL)
Thrd d0 77F642B7 RegQueryValueExW( 0x00000728 "AppData" [0x00000000] NULL) -> ERROR_SUCCESS ( [0x0012F400] -> 0x00000002 [0x0012F408] -> 0x25 [0x0012F3FC] -> 0x0000003E)
Thrd d0 7C9EF0AF lstrlenW( "C:\Documents and Settings\root\Application Data") -> 0x0000002F
Thrd d0 7C9EF0D7 lstrlenW( "C:\Documents and Settings\root\Application Data") -> 0x0000002F
Thrd d0 77F66E28 lstrlenW( "\\") -> 0x00000002
Thrd d0 77F66A47 CompareStringW( 0x00000409 0x10000000 "\Documents and Settings\root\Application Data" 0x00000002 "\\" 0x00000002) -> 0x00000003
Thrd d0 77F66A47 CompareStringW( 0x00000409 0x10000000 "\root\Application Data" 0x00000002 "\\" 0x00000002) -> 0x00000003
Thrd d0 77F66A47 CompareStringW( 0x00000409 0x10000000 "\Application Data" 0x00000002 "\\" 0x00000002) -> 0x00000003
Thrd d0 7C9EEF5D RegCloseKey( 0x00000728) -> ERROR_SUCCESS
Thrd d0 7CA2321E GetFileAttributesW( "C:\Documents and Settings\root\Application Data") -> FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_DIRECTORY
Thrd d0 7C9EF01A RegCreateKeyExW( HKEY_CURRENT_USER "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" 0x00000000 NULL REG_OPTION_RESERVED 0x02000000 [0x00000000] NULL) -> ERROR_SUCCESS ( [0x0012F648] -> 0x00000728 [0x00000000] NULL)
Thrd d0 7CA23271 lstrlenW( "C:\Documents and Settings\root\Application Data") -> 0x0000002F
Thrd d0 7CA23287 RegSetValueExW( 0x00000728 "AppData" 0x00000000 0x00000001 [0x0043FA50] -> 0x43 0x00000060) -> ERROR_SUCCESS
Thrd d0 7CA23290 RegCloseKey( 0x00000728) -> ERROR_SUCCESS
Thrd d0 77F66789 lstrlenW( "C:\Documents and Settings\root\Application Data") -> 0x0000002F
Thrd d0 77F66798 LocalAlloc( LMEM_ZEROINIT 0x00000060) -> 0x00998C88
Thrd d0 77F674D8 lstrlenW( "C:\Documents and Settings\root\Application Data") -> 0x0000002F
Thrd d0 77F66A47 CompareStringW( 0x00000409 0x00000001 ":\Documents and Settings\root\Application Data" 0xFFFFFFFF ":\" 0xFFFFFFFF) -> 0x00000003
Thrd d0 7C9EEDD4 GetCurrentThread() -> 0xFFFFFFFE
Thrd d0 7C9EF01A RegCreateKeyExW( HKEY_CURRENT_USER "Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" 0x00000000 NULL REG_OPTION_RESERVED 0x02000000 [0x00000000] NULL) -> ERROR_SUCCESS ( [0x0012F404] -> 0x00000728 [0x00000000] NULL)
Thrd d0 77F642B7 RegQueryValueExW( 0x00000728 "Local AppData" [0x00000000] NULL) -> ERROR_SUCCESS ( [0x0012F400] -> 0x00000002 [0x0012F408] -> 0x25 [0x0012F3FC] -> 0x0000005C)
Thrd d0 7C9EF0AF lstrlenW( "C:\Documents and Settings\root\Local Settings\Application Data") -> 0x0000003E
Thrd d0 7C9EF0D7 lstrlenW( "C:\Documents and Settings\root\Local Settings\Application Data") -> 0x0000003E
Thrd d0 77F66E28 lstrlenW( "\\") -> 0x00000002
Thrd d0 77F66A47 CompareStringW( 0x00000409 0x10000000 "\Documents and Settings\root\Local Settings\Application Data" 0x00000002 "\\" 0x00000002) -> 0x00000003
Thrd d0 77F66A47 CompareStringW( 0x00000409 0x10000000 "\root\Local Settings\Application Data" 0x00000002 "\\" 0x00000002) -> 0x00000003
Thrd d0 77F66A47 CompareStringW( 0x00000409 0x10000000 "\Local Settings\Application Data" 0x00000002 "\\" 0x00000002) -> 0x00000003
Thrd d0 77F66A47 CompareStringW( 0x00000409 0x10000000 "\Application Data" 0x00000002 "\\" 0x00000002) -> 0x00000003
Thrd d0 7C9EEF5D RegCloseKey( 0x00000728) -> ERROR_SUCCESS
Thrd d0 7CA2321E GetFileAttributesW( "C:\Documents and Settings\root\Local Settings\Application Data") -> FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_DIRECTORY
Thrd d0 7C9EF01A RegCreateKeyExW( HKEY_CURRENT_USER "Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" 0x00000000 NULL REG_OPTION_RESERVED 0x02000000 [0x00000000] NULL) -> ERROR_SUCCESS ( [0x0012F648] -> 0x00000728 [0x00000000] NULL)
Thrd d0 7CA23271 lstrlenW( "C:\Documents and Settings\root\Local Settings\Application Data") -> 0x0000003E
Thrd d0 7CA23287 RegSetValueExW( 0x00000728 "Local AppData" 0x00000000 0x00000001 [0x0043FC58] -> 0x43 0x0000007E) -> ERROR_SUCCESS
Thrd d0 7CA23290 RegCloseKey( 0x00000728) -> ERROR_SUCCESS
Thrd d0 77F66789 lstrlenW( "C:\Documents and Settings\root\Local Settings\Application Data") -> 0x0000003E
Thrd d0 77F66798 LocalAlloc( LMEM_ZEROINIT 0x0000007E) -> 0x00998D00
Thrd d0 77F674D8 lstrlenW( "C:\Documents and Settings\root\Local Settings\Application Data") -> 0x0000003E
Thrd d0 77F66A47 CompareStringW( 0x00000409 0x00000001 ":\Documents and Settings\root\Local Settings\Application Data" 0xFFFFFFFF ":\" 0xFFFFFFFF) -> 0x00000003
Thrd d0 7CA41380 GetModuleFileNameW( NULL 0x00000104) -> 0x00000013 ( "C:\Test\dropper.exe")
Thrd d0 7CA413B5 LocalAlloc( LMEM_ZEROINIT 0x00000030) -> 0x009979A8
Thrd d0 7CA41380 GetModuleFileNameW( NULL 0x00000104) -> 0x00000013 ( "C:\Test\dropper.exe")
Thrd d0 7CA413B5 LocalAlloc( LMEM_ZEROINIT 0x00000030) -> 0x009979A8
Thrd d0 77F66A47 CompareStringW( 0x00000409 0x10000000 "C:\Test\dropper.exe" 0x00000002 "-m" 0x00000002) -> 0x00000001
Thrd d0 77F674D8 lstrlenW( "Ives") -> 0x00000004
Thrd d0 77F66A47 CompareStringW( 0x00000409 0x00000001 "ves" 0xFFFFFFFF ":\" 0xFFFFFFFF) -> 0x00000003
Thrd d0 77F674D8 lstrlenW( "asis") -> 0x00000004
Thrd d0 77F66A47 CompareStringW( 0x00000409 0x00000001 "sis" 0xFFFFFFFF ":\" 0xFFFFFFFF) -> 0x00000003
Thrd d0 77F78CDE lstrlenW( ".exe") -> 0x00000004
Thrd d0 77F78CE6 lstrlenW( "C:\Documents and Settings\root\Application Data\Ives\asis") -> 0x00000039
Thrd d0 7C9EEC61 lstrcpynW( "" "C:\WINDOWS" 0x00000104) -> "C:\WINDOWS"
Thrd d0 77F66EA5 lstrlenW( "C:\WINDOWS") -> 0x0000000A
Thrd d0 77F674D8 lstrlenW( "C:\WINDOWS\") -> 0x0000000B
Thrd d0 77F66A47 CompareStringW( 0x00000409 0x00000001 ":\WINDOWS\" 0xFFFFFFFF ":\" 0xFFFFFFFF) -> 0x00000003
Thrd d0 77F66EA5 lstrlenW( "C:\") -> 0x00000003
Thrd d0 77F674D8 lstrlenW( "hoacu") -> 0x00000005
Thrd d0 77F66A47 CompareStringW( 0x00000409 0x00000001 "oacu" 0xFFFFFFFF ":\" 0xFFFFFFFF) -> 0x00000003
Thrd d0 77F78CDE lstrlenW( ".aki") -> 0x00000004
Thrd d0 77F78CE6 lstrlenW( "C:\Documents and Settings\root\Local Settings\Application Data\hoacu") -> 0x00000044
Thrd d0 77F674D8 lstrlenW( "Ives\asis.exe") -> 0x0000000D
Thrd d0 77F66A47 CompareStringW( 0x00000409 0x00000001 "ves\asis.exe" 0xFFFFFFFF ":\" 0xFFFFFFFF) -> 0x00000003
Thrd d0 77F67D78 GetFileAttributesW( "C:\Documents and Settings\root\Application Data\Ives\asis.exe") -> FILE_ATTRIBUTE_ARCHIVE
ModLoad: 77b40000 77b62000   C:\WINDOWS\system32\Apphelp.dll
Thrd 300 77C1F0C0 TlsGetValue( 0x00000005) -> NULL [FAIL]
Thrd 300 77C2C1DB HeapAlloc( 0x003D0000 HEAP_ZERO_MEMORY 0x00000088) -> 0x003D3DA0
Thrd 300 77C1F0E5 TlsSetValue( 0x00000005 0x003D3DA0) -> TRUE
Thrd 300 77C1F0F6 GetCurrentThreadId() -> 0x00000300
Thrd 300 77C01180 TlsSetValue( 0x0000000F 0x00000000) -> TRUE
Thrd 300 71AB6AE0 lstrcpy( "" "WinSock 2.0") -> "WinSock 2.0"
Thrd 300 71AB6AEE lstrcpy( "" "Running") -> "Running"
Thrd 300 71AB737E GetProcAddress( 0x71AB0000 "accept") -> 0x71AC1040
Thrd 300 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x00000020) -> 0x00953D10
Thrd 300 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x00000012) -> 0x00953D48
Thrd 300 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x0000001A) -> 0x00953D78
Thrd 300 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x00000034) -> 0x00953DB0
Thrd 300 77E766F4 HeapFree( 0x00140000 0x00000000 0x00953D48) -> TRUE
Thrd 300 77E766F4 HeapFree( 0x00140000 0x00000000 0x00000000) -> TRUE
Thrd 300 77E766F4 HeapFree( 0x00140000 0x00000000 0x00953D78) -> TRUE
Thrd 300 77E766F4 HeapFree( 0x00140000 0x00000000 0x00000000) -> TRUE
Thrd 300 77E766F4 HeapFree( 0x00140000 0x00000000 0x00953D10) -> TRUE
Thrd 300 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x00000084) -> 0x00953CD8
Thrd 300 77E7E0D7 GetCurrentProcess() -> 0xFFFFFFFF
Thrd 300 77E7E0E6 GetCurrentThread() -> 0xFFFFFFFE
Thrd 300 77E7E0F0 DuplicateHandle( INVALID_HANDLE_VALUE 0xFFFFFFFE INVALID_HANDLE_VALUE 0x00000000 FALSE DUPLICATE_SAME_ACCESS) -> TRUE ( [0x00953CE0] -> 0x00000700)
Thrd 300 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x00000020) -> 0x00953D78
Thrd 300 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x00000012) -> 0x00953E00
Thrd 300 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x00000002) -> 0x0093AE70
Thrd 300 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x0000001E) -> 0x00953E30
Thrd 300 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x000000D0) -> 0x0099B730
Thrd 300 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x00000016) -> 0x00953EA0
Thrd 300 77E766F4 HeapFree( 0x00140000 0x00000000 0x00953EA0) -> TRUE
Thrd 300 77E766F4 HeapFree( 0x00140000 0x00000000 0x00953DB0) -> TRUE
Thrd 300 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x000000D0) -> 0x0099B818
Thrd 300 77E7FD61 GetCurrentThread() -> 0xFFFFFFFE
Thrd 300 77E7FD7F GetLastError() -> 0x000003F0
Thrd 300 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x00000040) -> 0x00953EA0
Thrd 300 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x000001FC) -> 0x0099B900
Thrd 300 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x00000158) -> 0x0099BB18
Thrd 300 77E84468 GetCurrentThread() -> 0xFFFFFFFE
Thrd 300 77E84B92 CreateFileW( "\\.\PIPE\lsarpc" GENERIC_READ | GENERIC_WRITE FILE_SHARE_READ | FILE_SHARE_WRITE [0x00000000] NULL OPEN_EXISTING 0x40000000 NULL) -> 0x000006F8
Thrd 300 77E84BB6 SetNamedPipeHandleState( 0x000006F8 0x015CF1B8 [0x00000000] NULL [0x00000000] NULL) -> TRUE
Thrd 300 77E84EA0 CreateIoCompletionPort( 0x000006F8 0x0000073C 0xFFFF0000 0x00000000) -> 0x0000073C
Thrd 300 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x00000108) -> 0x0099BCC0
Thrd 300 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x00000408) -> 0x0099BDE0
Thrd 300 77E766F4 HeapFree( 0x00140000 0x00000000 0x00000000) -> TRUE
Thrd 300 77E80F68 TransactNamedPipe( 0x000006F8 0x0099BCC8 0x00000038 0x0099BDE8 0x00000400 0x0099BAB4) -> FALSE ( [0x015CF1B8] -> 0x00000400)
Thrd 300 77E80F76 GetLastError() -> 0x000003E5
Thrd 300 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x0000001C) -> 0x0099C200
Thrd 300 77E781F9 HeapAlloc( 0x00140000 0x00000000 0x000000D0) -> 0x0099C238
Thrd 300 77E766F4 HeapFree( 0x00140000 0x00000000 0x00000000) -> TRUE
Thrd 300 77E766F4 HeapFree( 0x00140000 0x00000000 0x00000000) -> TRUE
Thrd 300 77E766F4 HeapFree( 0x00140000 0x00000000 0x0099B730) -> TRUE
Thrd 300 77E766F4 HeapFree( 0x00140000 0x00000000 0x00000000) -> TRUE
Thrd 300 77E80F68 TransactNamedPipe( 0x000006F8 0x0099BCC8 0x0000002E 0x0099BDE8 0x00000400 0x0099BAB4) -> FALSE ( [0x015CF1CC] -> 0x00000400)
Thrd 300 77E80F76 GetLastError() -> 0x000003E5
Thrd 300 77E766F4 HeapFree( 0x00140000 0x00000000 0x00000000) -> TRUE
Thrd 300 77E80F68 TransactNamedPipe( 0x000006F8 0x0099BCC8 0x0000002E 0x0099BDE8 0x00000400 0x0099BAB4) -> FALSE ( [0x015CF1CC] -> 0x00000400)
Thrd 300 77E80F76 GetLastError() -> 0x000003E5
Thrd 300 77E766F4 HeapFree( 0x00140000 0x00000000 0x00000000) -> TRUE
Thrd 300 77E80F68 TransactNamedPipe( 0x000006F8 0x0099BCC8 0x0000002C 0x0099BDE8 0x00000400 0x0099BAB4) -> FALSE ( [0x015CF1DC] -> 0x00000400)
Thrd 300 77E80F76 GetLastError() -> 0x000003E5
Thrd 300 77E766F4 HeapFree( 0x00140000 0x00000000 0x0099C200) -> TRUE
Thrd 300 77E7670A CloseHandle() -> TRUE ( 0x000006FC)
Thrd 300 77E766F4 HeapFree( 0x00140000 0x00000000 0x0099BB18) -> TRUE
Thrd 300 77E8875C CloseHandle() -> TRUE ( 0x000006F8)
Thrd 300 77E766F4 HeapFree( 0x00140000 0x00000000 0x00000000) -> TRUE
Thrd 300 77E766F4 HeapFree( 0x00140000 0x00000000 0x0099B900) -> TRUE
Thrd 300 77E766F4 HeapFree( 0x00140000 0x00000000 0x00953E00) -> TRUE
Thrd 300 77E766F4 HeapFree( 0x00140000 0x00000000 0x0093AE70) -> TRUE
Thrd 300 77E766F4 HeapFree( 0x00140000 0x00000000 0x00953E30) -> TRUE
Thrd 300 77E766F4 HeapFree( 0x00140000 0x00000000 0x00000000) -> TRUE
Thrd 300 77E766F4 HeapFree( 0x00140000 0x00000000 0x00953D78) -> TRUE
Thrd 300 77E766F4 HeapFree( 0x00140000 0x00000000 0x00953EA0) -> TRUE
Thrd 300 77E766F4 HeapFree( 0x00140000 0x00000000 0x0099B818) -> TRUE
Thrd 300 77E766F4 HeapFree( 0x00140000 0x00000000 0x00000000) -> TRUE
Thrd 300 77E766F4 HeapFree( 0x00140000 0x00000000 0x00000000) -> TRUE
Thrd 300 77E766F4 HeapFree( 0x00140000 0x00000000 0x0099C238) -> TRUE
Thrd 300 7CA23626 GetSystemDirectoryW( 260) -> 0x00000013 ( "C:\WINDOWS\system32")
Thrd 300 7CA2321E GetFileAttributesW( "C:\WINDOWS\system32") -> FILE_ATTRIBUTE_DIRECTORY
Thrd 300 77F66789 lstrlenW( "C:\WINDOWS\system32") -> 0x00000013
Thrd 300 77F66798 LocalAlloc( LMEM_ZEROINIT 0x00000028) -> 0x00953D78
Thrd 300 77F674D8 lstrlenW( "dwm.exe") -> 0x00000007
Thrd 300 77F66A47 CompareStringW( 0x00000409 0x00000001 "wm.exe" 0xFFFFFFFF ":\" 0xFFFFFFFF) -> 0x00000003
Thrd 300 7C9EEC61 lstrcpynW( "" "C:\WINDOWS\system32" 0x00000104) -> "C:\WINDOWS\system32"
Thrd 300 77F674D8 lstrlenW( "taskhost.exe") -> 0x0000000C
Thrd 300 77F66A47 CompareStringW( 0x00000409 0x00000001 "askhost.exe" 0xFFFFFFFF ":\" 0xFFFFFFFF) -> 0x00000003
Thrd 300 7C9EEC61 lstrcpynW( "" "C:\WINDOWS\system32" 0x00000104) -> "C:\WINDOWS\system32"
Thrd 300 77F674D8 lstrlenW( "taskeng.exe") -> 0x0000000B
Thrd 300 77F66A47 CompareStringW( 0x00000409 0x00000001 "askeng.exe" 0xFFFFFFFF ":\" 0xFFFFFFFF) -> 0x00000003
Thrd 300 7C9EEC61 lstrcpynW( "" "C:\WINDOWS\system32" 0x00000104) -> "C:\WINDOWS\system32"
Thrd 300 77F674D8 lstrlenW( "wscntfy.exe") -> 0x0000000B
Thrd 300 77F66A47 CompareStringW( 0x00000409 0x00000001 "scntfy.exe" 0xFFFFFFFF ":\" 0xFFFFFFFF) -> 0x00000003
Thrd 300 7C9EEC61 lstrcpynW( "" "C:\WINDOWS\system32" 0x00000104) -> "C:\WINDOWS\system32"
Thrd 300 77F674D8 lstrlenW( "ctfmon.exe") -> 0x0000000A
Thrd 300 77F66A47 CompareStringW( 0x00000409 0x00000001 "tfmon.exe" 0xFFFFFFFF ":\" 0xFFFFFFFF) -> 0x00000003
Thrd 300 7C9EEC61 lstrcpynW( "" "C:\WINDOWS\system32" 0x00000104) -> "C:\WINDOWS\system32"
Thrd 300 77F674D8 lstrlenW( "rdpclip.exe") -> 0x0000000B
Thrd 300 77F66A47 CompareStringW( 0x00000409 0x00000001 "dpclip.exe" 0xFFFFFFFF ":\" 0xFFFFFFFF) -> 0x00000003
Thrd 300 7C9EEC61 lstrcpynW( "" "C:\WINDOWS" 0x00000104) -> "C:\WINDOWS"
Thrd 300 77F674D8 lstrlenW( "explorer.exe") -> 0x0000000C
Thrd 300 77F66A47 CompareStringW( 0x00000409 0x00000001 "xplorer.exe" 0xFFFFFFFF ":\" 0xFFFFFFFF) -> 0x00000003
Thrd 300 77F674D8 lstrlenW( "hoacu.aki") -> 0x00000009
Thrd 300 77F66A47 CompareStringW( 0x00000409 0x00000001 "oacu.aki" 0xFFFFFFFF ":\" 0xFFFFFFFF) -> 0x00000003
Thrd 5f4 77C1F0C0 TlsGetValue( 0x00000005) -> NULL [FAIL]
Thrd 5f4 77C2C1DB HeapAlloc( 0x003D0000 HEAP_ZERO_MEMORY 0x00000088) -> 0x003D3E40
Thrd 5f4 77C1F0E5 TlsSetValue( 0x00000005 0x003D3E40) -> TRUE
Thrd 5f4 77C1F0F6 GetCurrentThreadId() -> 0x000005F4
Thrd 5f4 77C01180 TlsSetValue( 0x0000000F 0x00000000) -> TRUE
Thrd 5f4 77F674D8 lstrlenW( "Wuicot") -> 0x00000006
Thrd 5f4 77F66A47 CompareStringW( 0x00000409 0
Symantec probably talks about it in a fresh post http://www.symantec.com/connect/blogs/r ... emulations
Attachment (256.74 KiB), pass: infected