[RageMachine]

Please feel free to remove this if this is not malware, but I have been working with it and have been finding it coupled with some unstable userland malware that uses APPINIT_DLL to load on startup (Search toolbar stuff - causes pretty bad system instability including services not responding to control requests and inability to boot to normal mode). This set comes in two DLL's, the winXXprop goes into the APPINIT_DLL entry under WindowsNT\CurrentVersion\Windows and then, with that in there, will look for WinXXcert. There is no company name, no detections, and the main module only has two exports, including BZInvoke which appears to check which process is loaded and act accordingly. At BZInvoke+55 there is a function that appears to start making keys if Firefox or Chrome are present, but I just do not have the skill yet to figure out how to handle this. Mostly because this would be my first DLL, and I'm not really sure how to monitor what its doing, so i just called the DLL exports manually in OllyDBG but didn't get very far.

Feel free to move the topic if I posted this in error.

[EP_X0FF]

win32prop sets splicing hooks on several ntdll API's

Code: Select all

LdrLoadDll
NtTerminateProcess
NtCreateFile
NtDeleteFile
NtOpenFile
NtCreateDirectoryObject
NtOpenDirectoryObject
NtSetInformationFile

advapi32 API's

Code: Select all

RegSetValueW
RegSetValueExW
RegSetKeyValueW
RegDeleteValueW
RegDeleteKeyValueW
RegDeleteKeyW
RegDeleteKeyExW
RegDeleteKeyTransactedW
RegDeleteTreeW

Ws2_32.dll API's

Code: Select all

bind
connect
ConnectEx
listen
socket
WSAConnect
WSASocketW
WSAConnectByList
WSAConnectByNameW
WSAStartup

wininet.dll API's

Code: Select all

InternetOpenW
InternetGoOnlineW
InternetCheckConnectionW
InternetAttemptConnect

As you see, some can be used to counteract removal.

Code: Select all

void __cdecl HookAPIs()
{
  HMODULE hNtdll; 
  HANDLE hOurThread; 

  hNtdll = GetModuleHandleW(L"ntdll.dll");
  if ( hNtdll )
  {
    pNtTerminateProcess = GetProcAddress(hNtdll, "NtTerminateProcess");
    if ( pNtTerminateProcess )
    {
      sub_10004220();
      hOurThread = GetCurrentThread();
      tlocal_lock(hOurThread);
      SetHook(&pNtTerminateProcess, NtTerminateProcessHook);
      tlocal_unlock();
    }
  }
  HookAdvapi();
  HookLdrLoadDllCondition();
  hookNTDLL();
  bHooked = TRUE;
}

thread local lock procedure at @10004A70, thread unlock procedure at @10004480, HookFn primitive at @10004B30, HookCode procedure at @10004B50.

Can you attach actual dropper?

[malwarian]

Hi,

These DLLs are part of search results toolbar.

[markusg]

do you have dropper of search results dropping this dll, because not every search results toolbar having this dll i think

[RageMachine]

do you have dropper of search results dropping this dll, because not every search results toolbar having this dll i think

It is indeed part of search results toolbar, but I cannot find a dropper on any machines I have come across because typically those machines have been put in such a state its hard to find it (left on there for a very long time with an AV running - - tsk tsk). I will still search for it and when I find it I will post it. I do have the search results toolbar copies as well, its almost always accompanied by Search Results Toolbar & Datamngr, and Sendori is usually now present with this as well. I will keep hunting and post it as soon as I find one. Here is a sample that goes alongside it.