A forum for reverse engineering, OS internals and malware analysis 
 #1156  by ConanTheLibrarian
 Sun May 23, 2010 8:45 pm
PRAGMA********

Anyone seen this new TDSS variant?

It locks up the service key so that you can't remove it even when you remove the supporting files. I think it corrupts the key somehow. Regdelnull doesn't help.
 #1159  by EP_X0FF
 Mon May 24, 2010 3:05 am
This one? :)

http://www.virustotal.com/analisis/d159 ... 1274670145
http://www.threatexpert.com/report.aspx ... 1fd314779d

edit:

Looks like a multiple dropper for Security Center fake AV. Container with multiple embedded malwares inside.
The last embedded malware is a downloader for Data Protection fake AV with the ability to uninstall detected antimalware products.
C:\WINDOWS\system32\msiexec.exe /i "
UninstallString
Shectro`ocb&#u&ghropotsu&ui`rqgtc&bcrcercb&ih&
ist&eikvsrct(&_is&hccb&ri&tckipc&#u&ui`rqgtc&`it&eittcer&ivctgroih&i`&rnc&#u(
Grrchroih<&O`&
is&bih
r&tckipc&#u&ui`rqgtc*&rnc&vct`itkghec&i`&
ist&eikvsrct&qojj&btgkgroegjj
&bcatgbc(
Vtcuu&$IM$&ri&tckipc&rnc&#u(
Software\Microsoft\Windows\CurrentVersion\Uninstall\
%PROGRAMFILES%\CyberScrub Privacy Suite\unins000.exe
%PROGRAMFILES%\Loaris\Trojan Remover\unins000.exe
{E58B329B-FB28-4874-90DE-0D7CB2709267}
%PROGRAMFILES%\BullGuard Ltd\BullGuard\uninst.exe
%PROGRAMFILES%\eScan\unins000.exe
"%ALLUSERSPROFILE%\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe" REMOVE=TRUE MODIFY=FALSE
"%PROGRAMFILES%\Spyware Doctor\unins000.exe" /LOG
%PROGRAMFILES%\Zone Labs\ZoneAlarm\zauninst.exe
"%PROGRAMFILES%\Enigma Software Group\SpyHunter\Uninstall.exe" "%PROGRAMFILES%\Enigma Software Group\SpyHunter\install.log"
"%PROGRAMFILES%\Hitman Pro 3.5\HitmanPro35.exe" /uninstall
%PROGRAMFILES%\Agnitum\Outpost Firewall Pro\unins000.exe
"%PROGRAMFILES%\AVG\AVG9\setup.exe" /UNINSTALL
"%PROGRAMFILES%\InstallShield Installation Information\{BBE2F69C-4338-11D7-8F0C-00A0244F4E2D}\setup.exe" -runfromtemp -l0x0009
removeonly
"%PROGRAMFILES%\InstallShield Installation Information\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\SETUP.exe" -l0x9 -removeonly
%PROGRAMFILES%\Tall Emu\Online Armor\unins000.exe
"%PROGRAMFILES%\Common Files\Symantec Shared\SymSetup\{77FFBA7E-0973-4F39-BBDB-AC2F537578D2}_15_0_0_58\Setup.exe" /X
"%PROGRAMFILES%\COMODO\COMODO Internet Security\cfpconfg.exe" -u
"%PROGRAMFILES%\Microsoft Security Essentials\setup.exe" /x
AVG8Uninstall
{A6F4DE62-BA95-45B5-B27D-39E5ABB4E77D}
{9D8B0949-7C47-476F-9F06-F900D3B078EA}
{BB0500E8-A6D5-4D66-A4F9-1457530E5B6F}
{E8EA933E-03A2-4E62-9F52-812C72BE2A6B}
{D591CD44-8362-41B4-9765-E315AFFF54FC}
{BDF62CC9-FE60-4F9D-8194-8EB7E6E1412D}
{15C418EB-7675-42be-B2B3-281952DA014D}
{17071117-5BB2-4737-B05B-C5FABD367313}
{034759DA-E21A-4795-BFB3-C66D17FAD183}
InstallWIX_InstallWIX{943B6738-4801-4982-90EC-0442EF7AEB16}
InstallWIX_{8CB14A64-CEF4-4C8F-B1C8-1C3B8752CB55}
InstallWIX_{6580C5A3-2336-4EC5-85F1-3448C5F6208A}
CyberScrub Privacy Suite
Loaris Trojan Remover
Prot Antivirus
BullGuard
E scan
Ad-Aware
Spyware Doctor
ZoneAlarm
SpyHunter
Hitman Pro 3.5
Outpost Firewall Pro
AVG9
Dr. Web
Panda Security
Online Armor
COMODO Internet Security
Microsoft Security Essentials
F-Secure Product 444
F-Secure Pegasus Engine
F-Secure Management Agent
F-Secure Localization API
F-Secure Internet Shield
F-Secure HIPS
F-Secure Help
F-Secure GUI
F-Secure Gemini
F-Secure GateKeeper Interface
F-Secure FWES
F-Secure E-mail Scanning
F-Secure Diagnostics
F-Secure DAAS
F-Secure Automatic Update Agent
F-Secure Anti-Virus Client Security Installer
F-Secure Anti-Virus
F-Secure Anti-Spyware Scanner
F-Secure Anti-Spyware
Malwarebytes' Anti-Malware_is1
NOD32
Agnitum Outpost Security Suite Pro_is1
Avira AntiVir Desktop
MSC
avast!
AntiVir PersonalEdition Classic
AVG8
NIS
Spycheck Antispyware
Kaspersky Internet Security
Symantec
Priwate FireWall
Malwarebytes
Bit Defender
Sophos
Sophos Client Firewall
Sophos Antivirus
Kaspersky 2010
Kaspersky 2008
Kaspersky 2009
F-Secure Web Filter
F-Secure Uninstall
F-Secure TNB
F-Secure Spam Scanner
F-Secure Spam Control
F-Secure Protocol Scanner
regsvr32 /s "
URLInfoAbout
Publisher
DisplayVersion
DisplayName
DisplayIcon
_favdata.dat
ver
subid
affid
Printers\Connections
Installer
%s%s/readdatagateway.php?type=stats&affid=%s&subid=%s&installok&version=%s
-support
-settings
-scan
-buy
-activate
-about
-update
Image
Attachments
pass: malware
(375.15 KiB) Downloaded 78 times
 #1407  by EP_X0FF
 Sun Jul 04, 2010 4:17 am
Comes from hxxp://highsecurityscan.com/?affid=336&subid=landing, fake AV scanner page.
Code:
window.downloadUrl="/dl.php?f=NTcrNjkjNmU1MyE2NX02MyQ3NSo3Ml82OTc0Nzk0OSE2ZS03Mzc0NjEtNmMhNmMpNjU3MjJlfTY1JTc4NjU=";
window.exploitUrl="/dl.php?f=NTcrNjkjNmU1MyE2NX02MyQ3NSo3Ml82OTc0Nzk0OSE2ZS03Mzc0NjEtNmMhNmMpNjU3MjJlfTY1JTc4NjU=";
window.malwareScanner.SetCookie("affid", "402");
window.malwareScanner.SetCookie("subid", "landing");
Drops downloader

http://www.virustotal.com/analisis/132b ... 1278216246

Downloader packed with packer related to TDL2 family (.SRT)

Unpacked downloader readable strings:
UNKNOWN
%s%s%d.tmp
TMP
Azerbaijan
Belarus
Kazakhstan
Kyrgyzstan
Russia
Uzbekistan
Ukraine
Czech Republic
Poland
.exe
_favdata.dat
\AAB647AB-4C1A-4cf0-9DE5-DD056FABF1F9
Russia
Downloads additional malware from
hxxp://Traffic-Photos.com/ms05/ad
hxxp://www.easysecurityscan.com/ms05/ad
hxxp://www.fastanyprime.com/ms05/ad
http://www.virustotal.com/analisis/ea47 ... 1278216348

Similar to the one analyzed earlier by me: http://forum.sysinternals.com/rootkit-t ... age23.html
Both downloader and payload in the attachment.
Attachments
pass: malware
(417.9 KiB) Downloaded 76 times
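An added example (mine, not from the post or the landing page it quotes): the `f=` value in the JavaScript above is standard base64, and the decoded text is a hex string with punctuation inserted between digit pairs. The decoder below pulls the parameter out of the relative URL, base64-decodes it, keeps only hex digits and unhexlifies. It assumes the filler characters are never hex digits (true for this sample) and raises if an odd digit count shows that assumption has broken.

```python
"""Decode the obfuscated f= download parameter from the fake-AV page.

Added example, not the page's or the post's own code.
"""
import base64
import binascii
from urllib.parse import urlparse

# Constructed sample: the window.downloadUrl value quoted in the post above.
DOWNLOAD_URL = ("/dl.php?f=NTcrNjkjNmU1MyE2NX02MyQ3NSo3Ml82OTc0Nzk0OSE2ZS03"
                "Mzc0NjEtNmMhNmMpNjU3MjJlfTY1JTc4NjU=")

HEX_DIGITS = set("0123456789abcdefABCDEF")


def extract_f_param(url: str) -> str:
    """Return the raw f= query value from a relative or absolute URL.

    parse_qs is deliberately avoided: it would turn a '+' inside a
    base64 token into a space and silently corrupt the decode.
    """
    for pair in urlparse(url).query.split("&"):
        name, _, value = pair.partition("=")
        if name == "f":
            return value
    raise KeyError("no f= parameter in URL")


def decode_hex_with_filler(token: str) -> bytes:
    """base64-decode, drop everything that is not a hex digit, unhexlify.

    Assumption (holds for the sample): filler characters are punctuation,
    never hex digits. An odd number of surviving digits means the
    assumption failed for this input, so fail loudly instead of guessing.
    """
    raw = base64.b64decode(token).decode("ascii")
    hexdigits = "".join(ch for ch in raw if ch in HEX_DIGITS)
    if len(hexdigits) % 2:
        raise ValueError("odd number of hex digits; filler assumption broken")
    return binascii.unhexlify(hexdigits)


def decode_download_name(url: str) -> str:
    """Full pipeline: URL -> f= token -> decoded filename."""
    return decode_hex_with_filler(extract_f_param(url)).decode("ascii")


if __name__ == "__main__":
    print(decode_download_name(DOWNLOAD_URL))
```

The filename the page serves falls out of `decode_download_name`; the same routine applies unchanged to `window.exploitUrl`, which carries the identical token.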
 #14269  by nullptr
 Mon Jun 25, 2012 2:23 pm
lol
In the next issue we will give an overview of QVOD worm family which extracts rootkit driver to hide start up registry keys.
I can hardly wait!
 #19031  by EP_X0FF
 Sun Apr 21, 2013 3:29 pm
Two TDL2 droppers.

SHA256: 3393dc36f22eff6a277e19dea4cadc7907341f32191903d2c268076cd6393e85
SHA1: a930fe38105a9ad7642a5827e000658119f53894
MD5: 1e8f09925bea0f1d7ffbc002830be876

https://www.virustotal.com/en/file/3393 ... /analysis/

SHA256: fa80397a641ea515d717f96855e1b2a5dbb85957b521755f84c02d26f3118125
SHA1: 6e3bf0397e8b52106290dbc88e8d382cedc48ce1
MD5: 1d87e3882a8b7775ac184fc58518cd81

https://www.virustotal.com/en/file/fa80 ... /analysis/

This crap can still be found ITW.
Attachments
pass: infected
(169.32 KiB) Downloaded 73 times