A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #872  by swirl
 Sat Apr 24, 2010 5:47 pm
some additional info to this: hxxp://blog.inreverse.net/2010/04/backdoorrohimafo.html
pw for zip: infected

asterixdylan.com: 91.213.174.3 - VolgaHost / Bondarenko Dmitriy Vladimirovich
aaron99999999.com: 91.213.174.3
anabalikss.com: 193.105.207.10 - ALFAHOSTNET / Romanov Artem Alekseevich / 193.105.207.0 - 193.105.207.255
navlot.com: 193.105.174.51 - COLO-NET / Volovik Elena Sergiyvna / 193.105.174.0 - 193.105.174.255
anxious-seat.com: 74.54.82.212 - NETBLK-THEPLANET-BLK-14 / Theplanet.net

and seems they have some problems with their php ^^

Image
Image
Attachments
(4.94 KiB) Downloaded 136 times
 #878  by EP_X0FF
 Sun Apr 25, 2010 4:19 pm
Hi,

thank you for interesting analysis and posting sample.
Did you investigated when it uses kill_os function?

Regards.
 #879  by swirl
 Sun Apr 25, 2010 4:56 pm
the !kill_os command is sent from the c&c, I let it run for some time but didn't received it, so
I don't know what triggers it :\

My guess is that they could have some check on c&c side for known sandboxes based on the received
info from the bot: username/computername/botid (which is generated from the volume serial number).
something like this hxxp://evilcodecave.wordpress.com/2009/01/27/sandbox-awareness/ but
implemented on server side, but it's just a guess ;)
 #3720  by gjf
 Thu Nov 25, 2010 9:13 pm
Here is some crap, works most likely as password stealer. The original files are packed with UPX, here is original and unpacked files. (Password is virus).

Active file kills explorer process everyt time when it focesses at AVZ, Combofix and other similar utility preventing to run them.

I could not run these file nether in VMWare, nor in Sandboxie possibly because it detects them. But Anubis in some way could cheat the malware: report 1 and report 2. Looks like this shit starts from userinit reg key.

Can somebody perform a deeper analysis?
 #3724  by EP_X0FF
 Fri Nov 26, 2010 4:15 am
Here is the brief for R.exe (sww and gostev included)

After UPX it's crypted and packed again.

Malware has Russian origin
averi_sosut_hui
Main executable contains specific code against Kaspersky, AVG, Prevx, Avira, Windows Defender, CA HIPS.

Image

Operates with ntvdm (also checks for presence of KB977165 - MS10-015 patch). Contains list of IP addresses and default passwords.
soccer abc123 password1 football1 fuckyou monkey iloveyou1 superman1 slipknot1 jordan23 princess1 liverpool1
monkey1 baseball1 123abc qwerty1 blink182 myspace1 pop user111 098765 qweryuiopas qw qwe qwer qwert qwerty asdfg
chort nah xak xakep 111111 12 12345 2013 2007 2207 110 5554 775 65 5 46 354 43 23 31 1982 13 123 password
123456
Detects Sandbox.

Image

Writes to HKLM\software\microsoft\windows nt\currentversion\winlogon, under UserInit param, changes registry key security attributes.
Nanocephalous Kaspersky Lab
Injects dll (maps) into winlogon.exe, explorer.exe and performs hooking of several API's.
[428]winlogon.exe-->kernel32.dll-->CreateFileW, Type: Inline - DirectJump 0x7C8107F0-->01AF0000 [unknown_code_page]
[428]winlogon.exe-->kernel32.dll-->GetFileAttributesExW, Type: Inline - DirectJump 0x7C811185-->01B20000 [unknown_code_page]
[428]winlogon.exe-->advapi32.dll-->CryptEncrypt, Type: Inline - DirectJump 0x77DDE340-->01B50000 [unknown_code_page]
[428]winlogon.exe-->user32.dll-->GetWindowTextA, Type: Inline - DirectJump 0x7E38216B-->01E80000 [unknown_code_page]
[428]winlogon.exe-->wininet.dll-->InternetWriteFile, Type: Inline - DirectJump 0x771E8BB9-->01F10000 [unknown_code_page]
[428]winlogon.exe-->ws2_32.dll-->getaddrinfo, Type: Inline - DirectJump 0x71A92A6F-->01F40000 [unknown_code_page]
[428]winlogon.exe-->ws2_32.dll-->inet_addr, Type: Inline - DirectJump 0x71A92EE1-->01FA0000 [unknown_code_page]
[428]winlogon.exe-->ws2_32.dll-->send, Type: Inline - DirectJump 0x71A94C27-->01EB0000 [unknown_code_page]
[428]winlogon.exe-->ws2_32.dll-->gethostbyname, Type: Inline - DirectJump 0x71A95355-->01F70000 [unknown_code_page]
[428]winlogon.exe-->ws2_32.dll-->WSASend, Type: Inline - DirectJump 0x71A968FA-->01EE0000 [unknown_code_page]
[1104]explorer.exe-->kernel32.dll-->GetFileAttributesW, Type: Inline - DirectJump 0x7C80B7DC-->01D00000 [unknown_code_page]
[1104]explorer.exe-->kernel32.dll-->CreateFileW, Type: Inline - DirectJump 0x7C8107F0-->01890000 [unknown_code_page]
[1104]explorer.exe-->kernel32.dll-->GetFileAttributesExW, Type: Inline - DirectJump 0x7C811185-->019C0000 [unknown_code_page]
[1104]explorer.exe-->advapi32.dll-->CryptEncrypt, Type: Inline - DirectJump 0x77DDE340-->019F0000 [unknown_code_page]
[1104]explorer.exe-->user32.dll-->GetMessageW, Type: Inline - DirectJump 0x7E3691C6-->01C60000 [unknown_code_page]
[1104]explorer.exe-->user32.dll-->PeekMessageW, Type: Inline - DirectJump 0x7E36929B-->01C00000 [unknown_code_page]
[1104]explorer.exe-->user32.dll-->GetMessageA, Type: Inline - DirectJump 0x7E37772B-->01C30000 [unknown_code_page]
[1104]explorer.exe-->user32.dll-->PeekMessageA, Type: Inline - DirectJump 0x7E37A340-->01BD0000 [unknown_code_page]
[1104]explorer.exe-->user32.dll-->GetClipboardData, Type: Inline - DirectJump 0x7E380DBA-->01C90000 [unknown_code_page]
[1104]explorer.exe-->user32.dll-->GetWindowTextA, Type: Inline - DirectJump 0x7E38216B-->01A20000 [unknown_code_page]
[1104]explorer.exe-->wininet.dll-->InternetWriteFile, Type: Inline - DirectJump 0x771E8BB9-->01AB0000 [unknown_code_page]
[1104]explorer.exe-->ws2_32.dll-->getaddrinfo, Type: Inline - DirectJump 0x71A92A6F-->01AE0000 [unknown_code_page]
[1104]explorer.exe-->ws2_32.dll-->inet_addr, Type: Inline - DirectJump 0x71A92EE1-->01B40000 [unknown_code_page]
[1104]explorer.exe-->ws2_32.dll-->send, Type: Inline - DirectJump 0x71A94C27-->01A50000 [unknown_code_page]
[1104]explorer.exe-->ws2_32.dll-->gethostbyname, Type: Inline - DirectJump 0x71A95355-->01B10000 [unknown_code_page]
[1104]explorer.exe-->ws2_32.dll-->WSASend, Type: Inline - DirectJump 0x71A968FA-->01A80000 [unknown_code_page]
Dll also packed with UPX.

http://www.virustotal.com/file-scan/rep ... 1290745139

Unpacked dll contains another blacklist (AVZ, Kaspersky, HijackThis Anti-Malware, OSAM). Soft detected via EnumWindows.
Антивирусная утилита AVZ random's system information tool - © random/random
ThunderRT6FormDC hijackthis AVP.MainWindow Kaspersky Virus Removal Tool 2010 Malwarebytes' Anti-Malware #32770 OSAM: Autorun Manager
In attach dump of dll strings and IDA enough friendly partially unpacked binary.
Attachments
(12.28 KiB) Downloaded 69 times
pass: malware
(76.76 KiB) Downloaded 102 times
 #3728  by EP_X0FF
 Fri Nov 26, 2010 10:07 am
Here it is.

both extracted and partially unpacked.
Attachments
pass: malware
(120.52 KiB) Downloaded 107 times
 #7863  by fatdcuk
 Fri Aug 05, 2011 6:47 pm
FakeAlert/downloader that loves a system driver.

http://r.virscan.org/62cad9d89302a118801480cc205666fc
Code: Select all
VirSCAN.org Scanned Report :
Scanned time   : 2011/08/06 02:41:35 (CST)
Scanner results: 24% Scanner(s) (9/37) found malware!
File Name      : fix_pack107i_231.exe
File Size      : 302080 byte
File Type      : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5            : c35903e1a14e11a915da9a239028aa7b
SHA1           : d6d3f6ffb2f8b237fd0525217c3d6d918d162039
Online report  : http://r.virscan.org/62cad9d89302a118801480cc205666fc

Scanner        Engine Ver      Sig Ver           Sig Date    Time   Scan result
a-squared      5.1.0.3         20110806001306    2011-08-06  0.35   -
AhnLab V3      ...             ..                --          1.70   -
AntiVir        8.2.6.28        7.11.12.220       2011-08-05  0.35   TR/Dropper.Gen
Antiy          2.0.18          20110804.11725727 2011-08-04  0.03   -
Arcavir        2011            201107140423      2011-07-14  0.20   -
Authentium     5.1.1           201108050953      2011-08-05  1.55   -
AVAST!         4.7.4           110805-1          2011-08-05  0.05   -
AVG            8.5.850         271.1.1/3812      2011-08-05  2.37   -
BitDefender    7.90123.8709932 7.38520           2011-08-06  4.46   Gen:Heur.VIZ.2
ClamAV         0.97.1          13403             2011-08-05  0.29   -
Comodo         5.1             9635              2011-08-05  1.93   Packed.Win32.Krap.AS
CP Secure      1.3.0.5         2011.08.04        2011-08-04  0.16   -
Dr.Web         5.0.2.3300      2011.07.23        2011-07-23  13.23  -
F-Prot         4.6.2.117       20110805          2011-08-05  0.84   -
F-Secure       7.02.73807      2011.08.05.05     2011-08-05  0.40   Packed.Win32.Katusha.o [AVP]
Fortinet       4.2.257         13.513            2011-08-04  0.26   -
GData          22.1542         20110805          2011-08-05  0.12   -
ViRobot        20110805        2011.08.05        2011-08-05  0.34   -
Ikarus         T3.1.32.20.0    2011.08.05.79010  2011-08-05  4.82   -
JiangMin       13.0.900        2011.08.05        2011-08-05  1.58   -
Kaspersky      5.5.10          2011.08.05        2011-08-05  0.29   Packed.Win32.Katusha.o
KingSoft       2009.2.5.15     2011.8.5.18       2011-08-05  0.91   -
McAfee         5400.1158       6429              2011-08-05  10.27  -
Microsoft      1.7104          2011.08.05        2011-08-05  3.81   -
NOD32          3.0.21          6349              2011-08-04  0.58   -
Norman         6.07.10         6.07.00           2011-08-05  14.02  -
Panda          9.05.01         2011.08.05        2011-08-05  2.26   Trj/Krap.AZ         
Trend Micro    9.200-1012      8.334.08          2011-08-05  0.50   -
Quick Heal     11.00           2011.08.05        2011-08-05  1.08   -
Rising         20.0            23.69.03.03       2011-08-04  3.27   [Suspicious]
Sophos         3.22.0          4.68              2011-08-06  4.14   Mal/Agent-IE
Sunbelt        3.9.2497.2      10074             2011-08-05  1.34   VirTool.Win32.Obfuscator.hg!b (v)
Symantec       1.3.0.24        20110804.002      2011-08-04  0.10   -
nProtect       20110803.04     12178473          2011-08-03  6.71   -
The Hacker     6.7.0.1         v00271            2011-08-04  0.66   -
VBA32          3.12.16.4       20110804.0825     2011-08-04  3.84   -
VirusBuster    5.3.0.4         14.0.153.0/58014262011-08-05  0.00   -
Win32.RLoader.a (Kaspersky)
Code: Select all
VirSCAN.org Scanned Report :
Scanned time   : 2011/08/06 02:56:35 (CST)
Scanner results: 11% Scanner(s) (4/37) found malware!
File Name      : 231.sys
File Size      : 98560 byte
File Type      : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5            : 48385d7fd35f2fdaa4c4a5a3f843e304
SHA1           : f33b8a40f806b23ab1e0f1549a8749f770e85bf3
Online report  : http://r.virscan.org/7f0e5a811a0d7f6e3cb85171535cc019

Scanner        Engine Ver      Sig Ver           Sig Date    Time   Scan result
a-squared      5.1.0.3         20110806001306    2011-08-06  0.30   -
AhnLab V3      ...             ..                --          1.44   -
AntiVir        8.2.6.28        7.11.12.220       2011-08-05  0.28   -
Antiy          2.0.18          20110804.11725727 2011-08-04  0.02   -
Arcavir        2011            201107140423      2011-07-14  0.04   -
Authentium     5.1.1           201108050953      2011-08-05  1.53   -
AVAST!         4.7.4           110805-1          2011-08-05  0.01   -
AVG            8.5.850         271.1.1/3812      2011-08-05  0.29   -
BitDefender    7.90123.8709932 7.38520           2011-08-06  4.28   -
ClamAV         0.97.1          13403             2011-08-05  0.02   -
Comodo         5.1             9635              2011-08-05  1.77   Heur.Packed.Unknown
CP Secure      1.3.0.5         2011.08.04        2011-08-04  0.07   -
Dr.Web         5.0.2.3300      2011.07.23        2011-07-23  13.22  -
F-Prot         4.6.2.117       20110805          2011-08-05  0.83   -
F-Secure       7.02.73807      2011.08.05.05     2011-08-05  0.20   -
Fortinet       4.2.257         13.513            2011-08-04  0.24   -
GData          22.1542         20110805          2011-08-05  0.11   -
ViRobot        20110805        2011.08.05        2011-08-05  0.34   -
Ikarus         T3.1.32.20.0    2011.08.05.79010  2011-08-05  4.64   -
JiangMin       13.0.900        2011.08.05        2011-08-05  1.75   -
Kaspersky      5.5.10          2011.08.05        2011-08-05  0.11   -
KingSoft       2009.2.5.15     2011.8.5.18       2011-08-05  0.83   -
McAfee         5400.1158       6429              2011-08-05  9.29   Downloader-CEW
Microsoft      1.7104          2011.08.05        2011-08-05  3.42   -
NOD32          3.0.21          6349              2011-08-04  0.03   a variant of Win32/Rootkit.Kryptik.DF trojan
Norman         6.07.10         6.07.00           2011-08-05  12.01  -
Panda          9.05.01         2011.08.05        2011-08-05  2.18   -
Trend Micro    9.200-1012      8.334.08          2011-08-05  0.05   -
Quick Heal     11.00           2011.08.05        2011-08-05  0.96   -
Rising         20.0            23.69.03.03       2011-08-04  2.22   -
Sophos         3.22.0          4.68              2011-08-06  3.90   Mal/GSPFX-A
Sunbelt        3.9.2497.2      10074             2011-08-05  1.08   -
Symantec       1.3.0.24        20110804.002      2011-08-04  0.21   -
nProtect       20110803.04     12178473          2011-08-03  1.15   -
The Hacker     6.7.0.1         v00271            2011-08-04  0.49   -
VBA32          3.12.16.4       20110804.0825     2011-08-04  3.90   -
VirusBuster    5.3.0.4         14.0.153.0/58014262011-08-05  0.00   -
http://r.virscan.org/7f0e5a811a0d7f6e3cb85171535cc019

TDSS killer killing it 8-)
Code: Select all
2011/08/05 19:30:30.0531 0596	Detected object count: 1
2011/08/05 19:30:30.0531 0596	Actual detected object count: 1
2011/08/05 19:30:49.0343 0596	ACPI            (d8fb7d1c3f5bfa3f53fe9cc6367e9e99) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/08/05 19:30:50.0234 0596	Backup copy found, using it..
2011/08/05 19:30:50.0265 0596	C:\WINDOWS\system32\DRIVERS\ACPI.sys - will be cured after reboot
2011/08/05 19:30:50.0265 0596	Virus.Win32.Rloader.a(ACPI) - User select action: Cure 
2011/08/05 19:30:55.0250 0352	Deinitialize success
Attachments
pass: infected
(271.75 KiB) Downloaded 61 times
pass: infected
(79.56 KiB) Downloaded 65 times
 #7864  by vaber
 Fri Aug 05, 2011 8:26 pm
fatdcuk wrote: TDSS killer killing it 8-)
KIS/KAV also detect and cure that is rootkit-infector ;)