A forum for reverse engineering, OS internals and malware analysis 

 #4198  by EP_X0FF
 Thu Dec 30, 2010 1:39 pm
Thanks. This is a .NET container for the actual trojan, Backdoor.Win32.Agobot.

Dropped to X:\documents and settings\UserName\application data, the trojan (winmsgr105.exe) runs through the

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

registry keys.
LuCaS RuNz DiS ShiT NuKKa!
http://www.virustotal.com/file-scan/rep ... 1293715833

connects to http://678.dyndns.info/

sends several requests
pass:serverpass
NICK [RUS|XP|jiwwxbz]
USER zelnrguyjotr "" "lol" :zelnrguyjotr

and gets some funny replies

VM.CiA.Gov NOTICE AUTH :*** Looking up your hostname
VM.CiA.Gov NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
VM.CiA.Gov 001 [RUS|XP|wcraanm]:Welcome to the CiA IRC Network

and a lot of other replies :)
Attachments
payload, pass: malware
(44.69 KiB)
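The IRC registration burst quoted in the post above (PASS, NICK, USER, then the server's NOTICE AUTH and 001 replies) is the bot's C2 handshake. Below is an added example, written for this page and not code from the post or from the sample, that parses that exchange and pulls the C2 password and the victim tags out of the nick. The wire lines are constructed from the post's quotes with the wire format restored: the leading ':' before the server prefix, "PASS serverpass" in place of the post's "pass:serverpass", and one PING that the post does not quote but that any IRC server sends.

```python
"""Parse the IRC registration exchange quoted in the post above.

Added example, not code from the post. The lines below are constructed from
the post's quotes with the wire format restored (leading ':' on server lines,
"PASS <password>", and one PING the post does not show).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Client -> server burst the bot sends right after connecting (constructed).
CLIENT_LINES = [
    "PASS serverpass",
    "NICK [RUS|XP|jiwwxbz]",
    'USER zelnrguyjotr "" "lol" :zelnrguyjotr',
]

# Server -> client replies (constructed from the post; VM.CiA.Gov is the name
# the C2 announced, the random nick id differs from run to run).
SERVER_LINES = [
    ":VM.CiA.Gov NOTICE AUTH :*** Looking up your hostname",
    ":VM.CiA.Gov NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead",
    ":VM.CiA.Gov 001 [RUS|XP|wcraanm] :Welcome to the CiA IRC Network",
    "PING :VM.CiA.Gov",
]


@dataclass
class IrcMessage:
    prefix: Optional[str]  # sender after the leading ':' (server name), if any
    command: str           # verb such as NICK/USER or a 3-digit numeric such as 001
    params: List[str]      # middle params, then the trailing ':' param if present


def parse_irc(line: str) -> IrcMessage:
    """Split one RFC 1459 line into prefix, command and params."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    # The trailing param starts at the first " :" and may itself contain spaces.
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        raise ValueError("empty IRC line")
    params = parts[1:]
    if sep:
        params.append(trailing)
    return IrcMessage(prefix, parts[0].upper(), params)


# Nick scheme seen in the post: [COUNTRY|OS|random id], e.g. [RUS|XP|jiwwxbz]
NICK_RE = re.compile(r"^\[([A-Z]{2,3})\|([A-Z0-9]+)\|([a-z0-9]+)\]$")


def parse_bot_nick(nick: str) -> Optional[dict]:
    """Recover the victim tags the bot encodes in its nick, or None."""
    m = NICK_RE.match(nick)
    if not m:
        return None
    return {"country": m.group(1), "os": m.group(2), "bot_id": m.group(3)}


def profile_registration(lines: List[str]) -> dict:
    """Pull the C2 password and victim tags out of the PASS/NICK/USER burst."""
    profile = {}
    for msg in map(parse_irc, lines):
        if msg.command == "PASS" and msg.params:
            profile["password"] = msg.params[0]
        elif msg.command == "NICK" and msg.params:
            profile["nick"] = msg.params[0]
            profile.update(parse_bot_nick(msg.params[0]) or {})
        elif msg.command == "USER" and msg.params:
            profile["user"] = msg.params[0]
            profile["realname"] = msg.params[-1]
    return profile


def registered(server_lines: List[str]) -> bool:
    """Numeric 001 from the server means the bot's registration was accepted."""
    return any(parse_irc(l).command == "001" for l in server_lines)


def client_reply(server_line: str) -> Optional[str]:
    """The one reply a bot must send to stay connected: PONG for each PING."""
    msg = parse_irc(server_line)
    if msg.command == "PING" and msg.params:
        return "PONG :" + msg.params[-1]
    return None


if __name__ == "__main__":
    print(profile_registration(CLIENT_LINES))
    print("registered:", registered(SERVER_LINES))
    for line in SERVER_LINES:
        reply = client_reply(line)
        if reply:
            print("->", reply)
```

The same parser works on a pcap's reassembled TCP stream one line at a time; the NICK regex is specific to the [COUNTRY|OS|id] scheme this sample uses and will return None for other bots' nick formats, which is the intended behaviour rather than a guess.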
 #5207  by nullptr
 Mon Feb 28, 2011 2:40 pm
Drops its main payload exe to %APPDATA%\svcost.exe
Readable strings from the decrypted file:
GetUserNameA
RegCloseKey
RegDeleteValueA
RegCreateKeyExA
RegSetValueExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
strstr
fclose
fprintf
fopen
strcat
sprintf
free
memcpy
memset
malloc
strncpy
fread
printf
strchr
_snprintf
strlen
strcpy
rand
_vsnprintf
??2@YAPAXI@Z
??3@YAXPAX@Z
strcmp
strtok
memcmp
srand
MSVCRT.dll
__dllonexit
_onexit
_exit
_XcptFilter
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
GetModuleHandleA
GetFileAttributesA
GetSystemDirectoryA
ExitProcess
Sleep
WaitForSingleObject
CreateProcessA
GetLastError
CloseHandle
WriteFile
GetTickCount
ExitThread
CreateFileA
CopyFileA
GetModuleFileNameA
SetFileAttributesA
CreateDirectoryA
GetLogicalDriveStringsA
GetTempPathA
CreateThread
lstrcmpiA
GetLocaleInfoA
GetVersionExA
LoadLibraryA
GetProcAddress
TerminateThread
ReleaseMutex
ExpandEnvironmentStringsA
GetDriveTypeA
CreateMutexA
GetStartupInfoA
KERNEL32.dll
dbghelp.dll
dir_watch.dll
api_log.dll
SbieDll.dll
CurrentUser
andy
nepenthes
currentuser
vmware
honey
sandbox
user
UserName
keep goin
\import5pan35ygssgftdoc.tmp
%s Bad URL or DNS Error, error: <%d>
%s Update failed: Error executing file: %s.
%s Process Finished: "%s", Total Running Time: %s.
%.2d:%.2d
%d%s
hours
hour
%s Created process: "%s", PID: <%d>
%s Failed to create process: "%s", error: <%d>
%s Couldn't parse path, error: <%d>
%s File download: %.1fKB to: %s @ %.1fKB/sec.
%s Couldn't open file for writing: %s.
autorun.inf

[autorun]
open=%s
icon=%%SystemRoot%%\system32\SHELL32.dll,7
action=Open Flash Memory Disk
UseAutoPlay=1
shell\open\command=%s
Verified file %s
Created file %s (hopefully)
ekrn.exe
Created file %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
Desktop.ini
Created directory %s
%sUpdate_System\13-1-2012\
Infected drive: %s
Failed to infected drive: %s
Infecting drive: %s
abcdABCD\
%s
aiTin
rDeR--]
%s i
Dnt Know u
%s Kill: <%d> threads
%s No threads
%s Killed thread: <%s>
%s %s already running: <%d>.
%s Fail start %s, err: <%d>.
%s logged in.
ReMoVeD By
: %s!%s@%s
Updating...
main thread
mis param
%s Failed to parse command.
Failed
%s Downloading update from: %s to: %s.
%seraseme_%d%d%d%d%d.exe
%s Downloading URL: %s to: %s.
transfer thread
Ping Timeout? (%d-%d)%d/%d
USER %s * 0 :%s
NICK %s
PASS %s
Leaving
QUIT
QUIT %s
PONG %s
PING
NICK
PRIVMSG
NOTICE
QUIT
PART
JOIN
366
PRIVMSG %s :%s
JOIN %s
JOIN %s %s
MODE %s %s %s
MODE %s %s
Error
%s-
WIN-
WIN7-
VISTA-
2K3-
XP-
2K-
ME-
98-
NT-
95-
N-[
PathRemoveFileSpecA
shlwapi.dll
SHChangeNotify
ShellExecuteA
shell32.dll
Mozilla/4.0 (compatible)
InternetCloseHandle
InternetReadFile
InternetCrackUrlA
InternetOpenUrlA
InternetOpenA
InternetConnectA
FtpPutFileA
FtpGetFileA
HttpSendRequestA
HttpOpenRequestA
InternetGetConnectedStateEx
InternetGetConnectedState
wininet.dll
shutdown
closesocket
getpeername
gethostbyname
gethostname
getsockname
setsockopt
recv
sendto
send
htonl
htons
inet_addr
inet_ntoa
connect
socket
WSACleanup
WSAGetLastError
WSASocketA
WSAStartup
ws2_32.dll
IsWindow
user32.dll
GetComputerNameA
kernel32.dll
PING
VERSION
%s!%s@%s
topic
$dec(
433
422
376
005
332
TOPIC
KICK
ERROR
%s\%s
@echo off
:Repeat
del "%s">nul
if exist "%s" goto Repeat
del "%%0"
@echo off
:Repeat
del "%s">nul
ping 0.0.0.0>nul
if exist "%s" goto Repeat
del "%%0"
%s\removeMe%i%i%i%i.bat
Software\Microsoft\Windows\CurrentVersion\Run\
msjbndhk
Zexa
%APPDATA%\
svcost.exe
WindowsUpdate
no1isno1
*@zex
Microsoft Update Manager
Microsoft Update Manager
Microsoft Update Manager
Skype.ms6ol.net
#soma
saxs
[--
Yis Sir...
[--
THREADZ
--]:
[--
IRC
--]
[--
DWN
--]:
[--
UPDT
--]:
[--
SSYN
--]:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
%s%s
MessageBoxA
Sends lots of traffic to Skype.ms6ol.net
Decrypted svcost.exe attached.
Attachments
pwd: malware
(10.7 KiB)
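A strings dump like the one in the post above already tells most of the story (IRC protocol templates, sandbox DLL names, the autorun.inf template, the self-deleting batch file, the Run key) if it is read systematically. Below is an added example, written for this page and not code from the post or from the sample, that triages such a dump into indicator classes and derives capability labels from them. SAMPLE_STRINGS is a constructed subset of the dump posted above, plus a few benign runtime imports left in as noise; the indicator classes, the capability labels and the hostname heuristic are this example's own choices.

```python
"""Triage a strings dump for IRC-bot indicators.

Added example, not code from the post. SAMPLE_STRINGS is a constructed subset
of the dump posted above; the indicator classes and labels are this example's.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

INDICATORS = {
    # printf-style templates of the IRC client protocol plus numerics it handles
    "irc_c2": [r"^(PASS|NICK|PONG|JOIN|PRIVMSG|MODE) %s", r"^USER %s", r"^[0-9]{3}$"],
    # sandbox DLLs and analysis usernames the sample looks for
    "anti_analysis": [r"^SbieDll\.dll$", r"^api_log\.dll$", r"^dir_watch\.dll$",
                      r"^(vmware|nepenthes|honey|sandbox)$"],
    "persistence": [r"CurrentVersion\\Run\\?$", r"Winlogon\\Taskman$"],
    "usb_spread": [r"^autorun\.inf$", r"^\[autorun\]$", r"^open=%s$",
                   r"^UseAutoPlay=1$", r"^shell\\open\\command="],
    "self_delete": [r"^:Repeat$", r"goto Repeat$", r'^del "%%0"$', r"removeMe"],
    # ekrn.exe is the ESET service process; the strings alone do not show what
    # the bot does with it, so it is flagged but not interpreted
    "av_process": [r"^ekrn\.exe$"],
    "net_api": [r"^(Internet|Http|Ftp)[A-Za-z]+A$", r"^WSA[A-Za-z]+$",
                r"^(socket|connect|send|recv|gethostbyname)$"],
}
_COMPILED = {cls: [re.compile(p, re.IGNORECASE) for p in pats]
             for cls, pats in INDICATORS.items()}
_FILE_EXTS = (".dll", ".exe", ".bat", ".inf", ".ini", ".tmp")
_HOST_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
_CHANNEL_RE = re.compile(r"^#[A-Za-z0-9_-]+$")


def triage(strings: Iterable[str]) -> Dict[str, List[str]]:
    """Map each indicator class to the distinct strings that hit it."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for s in strings:
        for cls, pats in _COMPILED.items():
            if any(p.search(s) for p in pats):
                if s not in hits[cls]:
                    hits[cls].append(s)
    return dict(hits)


def find_network_iocs(strings: Iterable[str]) -> Dict[str, List[str]]:
    """Pick out bare hostnames and IRC channel names. DLL/EXE names are dotted
    too, so anything ending in a file extension is skipped (heuristic)."""
    hosts, channels = [], []
    for s in strings:
        if _CHANNEL_RE.match(s):
            channels.append(s)
        elif _HOST_RE.match(s) and not s.lower().endswith(_FILE_EXTS):
            hosts.append(s)
    return {"hosts": hosts, "channels": channels}


def classify(hits: Dict[str, List[str]]) -> List[str]:
    """Turn indicator hits into the capability labels an analyst would report."""
    caps = []
    if len(hits.get("irc_c2", [])) >= 3 and hits.get("net_api"):
        caps.append("IRC-controlled bot")
    if hits.get("usb_spread"):
        caps.append("removable-drive autorun spreader")
    if hits.get("anti_analysis"):
        caps.append("sandbox/VM checks")
    if hits.get("persistence"):
        caps.append("Run-key persistence")
    if hits.get("self_delete"):
        caps.append("batch-file self-delete")
    return caps


# Constructed subset of the posted dump, with benign imports as noise.
SAMPLE_STRINGS = [
    "SbieDll.dll", "api_log.dll", "vmware", "nepenthes", "sandbox",
    "autorun.inf", "[autorun]", "open=%s", "UseAutoPlay=1", "shell\\open\\command=%s",
    ":Repeat", 'del "%s">nul', 'if exist "%s" goto Repeat', 'del "%%0"',
    "%s\\removeMe%i%i%i%i.bat",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", "%APPDATA%\\", "svcost.exe",
    "USER %s * 0 :%s", "NICK %s", "PASS %s", "PONG %s", "PRIVMSG %s :%s", "JOIN %s",
    "433", "376",
    "InternetOpenUrlA", "WSAStartup", "gethostbyname", "ekrn.exe",
    "Skype.ms6ol.net", "#soma",
    "strlen", "GetTickCount", "ws2_32.dll", "Microsoft Update Manager", "Microsoft Update Manager",
]

if __name__ == "__main__":
    found = triage(SAMPLE_STRINGS)
    for cls, strs in found.items():
        print(f"{cls}: {strs}")
    print(find_network_iocs(SAMPLE_STRINGS))
    print(classify(found))
```

Feed it the output of `strings` on the decrypted binary (one string per line) instead of SAMPLE_STRINGS to reproduce the triage on the real dump; the hostname heuristic is deliberately conservative and will miss hosts hidden inside format templates, which is where the first post's 678.dyndns.info-style C2 could sit.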
 #5208  by EP_X0FF
 Mon Feb 28, 2011 2:48 pm
Windows Key Changer App installer joined with Backdoor Agobot. Packed with UPX and crypted. Contains USB autorunner functionality.
Starts a copy of itself, decrypts itself into it and transfers control to the new process.
This time the mutex is named msjbndhk.

Posts merged with main thread about Agobot.