A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #923  by xqrzd
 Wed Apr 28, 2010 10:14 pm
This is a semi-nasty backdoor/rootkit. Since I am very new to malware analysis, I have the payload only, not anything on how it works. Anyway, when executed, it drops a BHO (setupapi.dll) into C:\Program Files\Internet Explorer. It runs every time IE is opened. It also drops SMWinPrn.dat into C:\Windows\System32\spool\PRTPROCS\W32X86 and it drops sfcfiles.dat into C:\Windows\System32.

The driver it drops (C:\Windows\System32\drivers\sfc.sys) seems to load very late, about 30 seconds after I log in. GMER/RootRepeal didn't detect the driver, possibly because the driver file is deleted after it is loaded.

It also has some way of having other processes do its dirty work (code/DLL injection?). I caught various processes (including winlogon.exe) trying to connect to various URLs:
traufard.info/pics/page.php?query=2DC28D19A18B339E&id=a6&key=7&uid=a6
www.erotic-baby-girl.com/i/origami/page.php?link=2DC28D19A18B339E&cookie=us&article=us&client=0&hl=tr7
Anyway, that is the payload (what I have seen). I've probably missed lots of things, so someone who actually knows what they are doing should probably look at this :)

Here are the files I rounded up. Apart from SMWinPrn.dat (13/41) and sfcfiles.dll (17/41), AV detection was quite bad. Interestingly the dropper has a digital signature. I have attached all the files, along with the dropper (1.exe). I got the file from malwaredomainlist.com.

1.exe VT 7/39
sfc.sys VT 7/41
setupapi.exe VT 3/41
sfcfiles.dll VT 17/41
SMWinPrn.dat VT 13/41
Attachments
password is infected
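As an added host-triage example (not code from either post), the PowerShell below walks the artifacts xqrzd listed: the dropped file paths, the Browser Helper Object registration that makes a DLL load with IE, and any driver service whose ImagePath names sfc.sys, since the file itself is deleted after load and the service key may be what remains. The paths are taken from the post; the registry locations are the standard BHO and service keys, not anything the sample is known to use beyond what the post reports.

```powershell
# Added triage script, not from the original thread. Reported drop locations from the post.
$reportedFiles = @(
    "$env:ProgramFiles\Internet Explorer\setupapi.dll",
    "$env:SystemRoot\System32\spool\PRTPROCS\W32X86\SMWinPrn.dat",
    "$env:SystemRoot\System32\sfcfiles.dat",
    "$env:SystemRoot\System32\drivers\sfc.sys"
)
foreach ($f in $reportedFiles) {
    if (Test-Path $f) {
        # Hash is printed so the file can be looked up or submitted without re-reading it.
        $h = (Get-FileHash -Algorithm SHA256 -Path $f).Hash
        Write-Output "PRESENT  $f  sha256=$h"
    }
}

# BHOs: each subkey under these roots is a CLSID; that CLSID's InprocServer32
# default value is the DLL IE loads at start. A BHO living in the IE program
# directory under a system-DLL name (setupapi.dll) matches what the post describes.
$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @('HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID')
foreach ($root in $bhoRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($bho in Get-ChildItem -Path $root) {
        $clsid = $bho.PSChildName
        foreach ($classes in $clsidRoots) {
            $ip = Get-ItemProperty -Path "$classes\$clsid\InprocServer32" -ErrorAction SilentlyContinue
            if (-not $ip) { continue }
            $dll = [Environment]::ExpandEnvironmentVariables($ip.'(default)')
            $tag = if ($dll -like "$env:ProgramFiles\Internet Explorer\*") { 'SUSPECT' } else { 'bho    ' }
            Write-Output "$tag  $clsid -> $dll"
        }
    }
}

# Driver services: report any service whose ImagePath ends in sfc.sys.
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $p = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
    if ($p -and $p -match '(?i)\\sfc\.sys$') {
        Write-Output "DRIVER   $($_.PSChildName) -> $p"
    }
}
```

Run it from an elevated prompt on the suspect host; a clean system normally prints nothing under PRESENT or DRIVER and lists only known BHOs.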
 #927  by EP_X0FF
 Thu Apr 29, 2010 1:51 am
Thank you for the sample.
I can add to your info:

sfc.sys sets up LoadImage/CreateProcess notify callbacks, and the driver seems to be loaded from the user-mode part.
From my test it also performs IAT modification of ntdll.dll for IEXPLORE.exe.

It does not seem to be a stealth rootkit, because all components are visible and nothing is hidden (driver, key, file).