[EP_X0FF]

Another Alureon of the new generation (7 if count).

Trojan downloader, works from explorer.exe as first stage and then from zombified svchost.exe.

Contain small x64 loader which only purpose is to launch specified by command line file using syswow64\rundll32.exe

Dropper uses NTFS encryption for own made directory, autorun via HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad as "wow.dll".

Call home in the following format
hello/2.6/101/4434dd11-6b41-4414-8a6d-a9ca7a8e9164/5.1.2600_3.0_32/1/00000000._..o.S.

List of servers
newagelimp.com:80;
newfogfrom.com:80;
95.211.203.99:80;

All strings from dropper

% s % \ s % s IsWow64Process kernel32 shell32.dll \ b a s e n a m e d o b j e c t s \ { % 0 8 x - % 0 4 x - % 0 4 x - % 0 4 x - % 0 4 x % 0 8 x } newagelimp.com:80;newfogfrom.com:80;95.211.203.99:80; j f l s d k j f 0 0 1 . d a t %[^:]:%[^;] 101 2.6 hello %s/%s/%s/%s/%s/%d/%08x google.com %d % S t m p . " % s " 7 " % s " % S W i n S t a 0 \ D e f a u l t GetNativeSystemInfo %d.%d.%d_%d.%d_%d SOFTWARE\Microsoft\Cryptography MachineGuid % s : d e l s o f t w a r e \ c l a s s e s \ c l s i d \ { f b e b 8 a 0 5 - b e e e - 4 4 4 2 - 8 0 4 e - 4 0 9 d 6 c 4 5 1 5 e 9 } \ i n p r o c s e r v e r 3 2 s o f t w a r e \ c l a s s e s \ c l s i d \ { f b e b 8 a 0 5 - b e e e - 4 4 4 2 - 8 0 4 e - 4 0 9 d 6 c 4 5 1 5 e 9 } \ i n p r o c s e r v e r 3 2 s v c h o s t . e x e - k n e t s v c s 6 4 . d l l % w i n d i r % \ s y s t e m 3 2 \ s v c h o s t . e x e - k n e t s v c s s v c h o s t . e x e SHEmptyRecycleBinW r u n d l l 3 2 . e x e % w i n d i r % \ s y s w o w 6 4 \ s v c h o s t . e x e - k n e t s v c s SHQueryRecycleBinW % t e m p % % s \ w o w . d l l r u n d l l 3 2 % s , 0 e x p l o r e r . e x e

VT

SHA256: 130cdda63e85e616e6f7116dfa73356b9ae02c3e18256165b69a67eec3e036a9
SHA1: 7dc4e3f885797f1e4cd3e0947ecdf34b04533668
MD5: 2d63009761960169773bd1f4c5082a36

https://www.virustotal.com/en/file/130c ... /analysis/

[r3shl4k1sh]

I am looking for Backdoor.Tranwos (Symantec), here is the article about it:
http://www.symantec.com/connect/blogs/b ... c-analysis

In short this file protect itself by encrypting the location it is in using EFS.

The detail page have the following info:

When the Trojan is executed, it creates the following files:
%CurrentFolder%\jflsdkjf001.dat
%Temp%\s[RANDOM ASCII CHARACTERS]\s[RANDOM ASCII CHARACTERS]\wow.dll
%Temp%\s[RANDOM ASCII CHARACTERS]\s[RANDOM ASCII CHARACTERS]\wow64.dll

The Trojan then creates the following registry entry:
HKEY_CURRENT_USER\Software\Classes\CLSID\{fbef8a05-beee-4442-804e-409d6c45
15e9}\InprocServer32\"Default" = "%Temp%\s[RANDOM ASCII CHARACTERS]\s[RANDOM ASCII
CHARACTERS]\wow.dll"

Next, the Trojan may connect to one or more of the following remote locations to open a back door on the compromised computer:
[http://]typerttsx.com
[http://]typicalsx.com
[http://]85.17.26.220

*************************************************************************

I don't have hash for this file, hope you can find it based on the information above.

Thanks.

[Xylitol]

detected as Tranwos
https://www.virustotal.com/en/file/153b ... 370810576/
https://www.virustotal.com/en/file/82c9 ... 370810578/

[EP_X0FF]

I am looking for Backdoor.Tranwos (Symantec), here is the article about it:
http://www.symantec.com/connect/blogs/b ... c-analysis

A bit too late, but this is Alureon.

New Alureon generation based malware moved in separate topic.

[thisisu]

wow.dll

MD5 7d0463045f947477919491d2a0d025d8
SHA1 a34041f7a80bd165943673e887197807753be784
SHA256 a00d64fa5ff2a92f5d58cf06b0c0df67014c7ed19a1b34ec8c509fdda6e4f3da
https://www.virustotal.com/en/file/a00d ... 403386063/

wow.ini

Code: Select all

[main]
servers=f5f5dc.com;ffeed5.com;31.184.192.215;194.28.174.45
logs=1
aid=453

[Kimberly]

Seen on March 2, 2014 as part of a triple click fraud:
http://stopmalvertising.com/rootkits/an ... hreat.html

MD5: cc108b012ed2e9ed687d1406ffef92b0

[EP_X0FF]

ZeroAccess has nothing to do with Alureon this is completely different malware families. As well as this Alureon branch has nothing to do with old rootkits.

[Kimberly]

Whoops, you're right. The wow.dll part is what got me confused, sorry for that. Thanks for setting it straight :)

[Kimberly]

Disregard the last post, fixed Za reference, thanks for pointing it out :)