A forum for reverse engineering, OS internals and malware analysis 

Win32/Unknown.95112.dam!wSock

Forum for analysis and discussion about malware.

Win32/Unknown.95112.dam!wSock

 #19980  by TETYYSs
 Fri Jul 05, 2013 7:10 pm
VT: https://www.virustotal.com/en/file/09bf ... 373050784/
SHA256: 09bfe80900b4efe99a7384d4594164386e9dabf2dbb3ce9cc05376172825b496
SHA1: 22a2fa170c50ef38d73e6cffa3bc1bdddfc1fda7
MD5: dd95e6e1d64b279fca51cf8f5f7abf36

I found this thing in friends PC, when he noticed that the desktop shows (like Win+D) out of nowhere when playing games, unusual behaviour for virus, but it was in his processes, then I found out that .js file was creating wSock.exe when ran with wscript.exe. Folder structure looks file firefox, but there's no firefox.exe, but wSock.exe instead, which has no valid digital signature (http://i.imgur.com/PvTjC1G.png). This folder was in C:\Program Files (x86)\Common Files.
Attachments
passwd:infected
(9.45 MiB) Downloaded 48 times

Re: Unknown malware (wSock.exe)

 #19983  by EP_X0FF
 Sat Jul 06, 2013 8:32 am
This infection is incomplete or damaged.
It uses strings obfuscation, decoding proc located at @00412704 (dynamically GetProcAddress of various API's, including wininet, user32, psapi and kernel32), proxy hidden process launch (valid firefox.exe renamed to lupdater.exe), fake certificate in overlay. And this crapware has a general bug, sometimes it doing infinite loop in attempt to find Mozilla window, resulting in impact of overall system performance. Piece of delphi junk.

Re: Unknown malware (wSock.exe)

 #19986  by TETYYSs
 Sat Jul 06, 2013 9:52 am
Does this "crapware" have a name, or can I name it :D ? Good to know that it was malware, and it was removed.

Also, Process hacker 2.

Re: Unknown malware (wSock.exe)

 #19992  by EP_X0FF
 Sat Jul 06, 2013 4:33 pm
Xylitol wrote:it also do a SW_HIDE on process explorer
Probably due to bug in windows enumeration code. It look for all windows with "Mozilla" string in caption.
TETYYSs wrote:Does this "crapware" have a name, or can I name it ?
Call it whatever you want. I don't see it doing anything. Probably it works only in pack with other malware. It has wininet functionality but like many other funcs they are nowhere referenced.
Code: Select all
  hwininet = LoadLibraryA(WinInetDll);
  if ( hwininet )
  {
    v97 = 94;
    v96 = 140;
    DecodeString(47, &v94);
    v1 = System::__linkproc___LStrToPChar(v59, v60, v61, v62, v63, v64, v65, v66);
    Sysutils::IntToStr(hwininet, 0);
    v2 = Sysutils::StrToInt();
    pInternetOpenA = GetProcAddress_0(v2, v1);
    DecodeString(48, &v93);
    v3 = System::__linkproc___LStrToPChar(v59, v60, v61, v62, v63, v64, v65, v66);
    Sysutils::IntToStr(hwininet, 0);
    v4 = Sysutils::StrToInt();
    pInternetConnectA = GetProcAddress_0(v4, v3);
    v97 = 81;
    v96 = 156;
    DecodeString(49, &v92);
    v5 = System::__linkproc___LStrToPChar(v59, v60, v61, v62, v63, v64, v65, v66);
    Sysutils::IntToStr(hwininet, 0);
    v6 = Sysutils::StrToInt();
    pHttpOpenRequestA = GetProcAddress_0(v6, v5);
    DecodeString(50, &v91);
    v7 = System::__linkproc___LStrToPChar(v59, v60, v61, v62, v63, v64, v65, v66);
    Sysutils::IntToStr(hwininet, 0);
    v8 = Sysutils::StrToInt();
    pHttpSendRequestA = GetProcAddress_0(v8, v7);
    DecodeString(51, &v90);
    v9 = System::__linkproc___LStrToPChar(v59, v60, v61, v62, v63, v64, v65, v66);
    Sysutils::IntToStr(hwininet, 0);
    v10 = Sysutils::StrToInt();
    pInternetCloseHandle = GetProcAddress_0(v10, v9);
  }
First submission 2011-01-31 13:25:24 UTC (2 years, 5 month ago)
Maybe just maybe it is a part of some strange application that can be not malicious itself.
 Return to “Malware”