A forum for reverse engineering, OS internals and malware analysis 

 #14714  by thisisu
 Wed Jul 18, 2012 9:00 am
http://www.microsoft.com/security/porta ... 2147308562
http://www.sophos.com/en-us/threat-cent ... lysis.aspx
https://www.virustotal.com/file/DE7D591 ... /analysis/

MD5: 4d2c7f452deede232907ce3c42eee75b - Known - missing sample
MD5: c6fcea2f9bc9f471f94d3fe0ef54cc07 - Known - missing sample

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[XSECVA] = %USERPROFILE%\Application Data\XSECVA\XSECVA.EXE -S

Related:
PRC - [2012/07/06 23:55:34 | 000,205,824 | ---- | M] (System) -- C:\Users\bb\AppData\Roaming\xsecva\xsecva.exe

I suspect as related:
Code:
c:\users\bb\AppData\Roaming\Microsoft\~DFK5cd8f51.tmp
c:\users\bb\AppData\Roaming\Microsoft\1eaadjc.dll
c:\users\bb\AppData\Roaming\Microsoft\bass.dll
c:\users\bb\AppData\Roaming\Microsoft\cxaadji.dll
c:\users\bb\AppData\Roaming\Microsoft\kfgresk.dll
c:\users\bb\AppData\Roaming\Microsoft\khaadjf.dll
c:\users\bb\AppData\Roaming\Microsoft\ncaadjg.dll
c:\users\bb\AppData\Roaming\Microsoft\peaadje.dll
c:\users\bb\AppData\Roaming\Microsoft\qwadjb.dll
c:\users\bb\AppData\Roaming\Microsoft\rsaadjd.dll
c:\users\bb\AppData\Roaming\Microsoft\vqaadjh.dll
c:\users\bb\AppData\Roaming\Microsoft\wqaadjj.dll
c:\users\bb\AppData\Roaming\Microsoft\wqabdjj.dll
c:\users\bb\AppData\Roaming\Microsoft\wqacdjj.dll
c:\users\bb\AppData\Roaming\Microsoft\wqaddjj.dll
Last edited by thisisu on Wed Jul 18, 2012 9:24 am, edited 2 times in total.
 #14764  by thisisu
 Fri Jul 20, 2012 6:40 am
Inside the xsecva folder is:
xsecva.exe - 128kb - Process
xseacc.xse - 1.10kb - Data file
Code:
Date||20.07.2012||a=0;b=0;c=0;

P||1000000000||C62A5B599C7D9052368DA60FEE31D769

P||1000000000||EB465A9A32E90473114D3B1EE7E286E6

P||1000000000||E11FF5C325BC95041FFFF68F2BE7D0B8

P||1000000000||214A2DC069DAEFD6339A407F1CC7FAC9

P||1000000000||47957DA0532602943067516E2063B3A7

P||1000000000||781B54D14F37A7D49975873E018E304B

P||1000000000||5580552156703A90686EE68118BB2403

P||1000000000||8F2412ABE549CC308025D8C5BF7CEFBA

P||1000000000||742DE646C7BD013C2418E5186C521D6A

P||1000000000||E8A09A594883B886F0001A62C35DDD9A

P||1000000000||69B4DB727DE966861F25D3ECB62B4968

P||1000000000||1B3D909A66CAB8C1723A677054C9C9E7

P||1000000000||70E9985EE06394374043946A4F3078EE

P||1000000000||4B5531972D30CDEFDBF85B1294A91B17

P||1000000000||A5678BBBB399A50901E54772C3F5F91D

P||1000000000||46776AD4BA9AB4A861B2F715FBCD812F

P||1000000000||8FAA7FBD6F78086E379DCEF9DFF9AD32

P||1000000000||AB9458B671487DF580084C37ECCE0678

P||1000000000||53C97559BD2D8D73D35B42C6FBE514F1

P||1000000000||636A949598BB1C1B342AE30EBF8C4C5D

P||1000000000||BE3C27E52CAA3D81CBD4C335AE5BC1CE

P||1000000000||BA7C53D22C84ADBE965D73B9C8127F85
Just by Googling BE3C27E52CAA3D81CBD4C335AE5BC1CE will point you to hXXp://www.o2online.de/. Or 636A949598BB1C1B342AE30EBF8C4C5D to hXXp://www.1und1.de/
Perhaps affiliates of the author :?
Sorry for the lack of details.

Malwarebytes detects as Backdoor.Bot.h

Seems quite a few people are getting hit by this lately. Popular on anti-malware forums at least.

__

Edit: http://www.threatexpert.com/report.aspx ... 3c42eee75b arrived
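A small parser for the xseacc.xse layout quoted above, added here as an example and not code from the post or the sample; it assumes the layout is exactly "Date||<date>||k=v;..." followed by "<kind>||<number>||<MD5>" records, and the candidate check assumes (as the post's Google observation suggests) that the MD5s are hashes of some spelling of a hostname or URL.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample in the xseacc.xse layout from the post. The first three
# MD5s are copied from the post; the last record is constructed (MD5 of "abc")
# so the candidate check below has one known hit for testing.
SAMPLE = """Date||20.07.2012||a=0;b=0;c=0;
P||1000000000||BE3C27E52CAA3D81CBD4C335AE5BC1CE
P||1000000000||636A949598BB1C1B342AE30EBF8C4C5D
P||1000000000||BA7C53D22C84ADBE965D73B9C8127F85
P||1000000000||900150983CD24FB0D6963F7D28E17F72
"""

MD5_RE = re.compile(r"^[0-9A-Fa-f]{32}$")


@dataclass
class XseConfig:
    date: str = ""
    counters: dict = field(default_factory=dict)
    records: list = field(default_factory=list)  # (kind, number, md5 lowercase)


def parse_xse(text: str) -> XseConfig:
    """Parse the '||'-delimited config; unknown lines raise so a changed
    layout is noticed rather than silently skipped."""
    cfg = XseConfig()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split("||")
        if parts[0] == "Date" and len(parts) == 3:
            cfg.date = parts[1]
            for kv in parts[2].split(";"):
                if "=" in kv:
                    k, v = kv.split("=", 1)
                    cfg.counters[k] = int(v)
        elif len(parts) == 3 and MD5_RE.match(parts[2]):
            cfg.records.append((parts[0], int(parts[1]), parts[2].lower()))
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return cfg


def match_candidates(cfg: XseConfig, candidates) -> dict:
    """Hash each candidate under a few hostname/URL spellings (assumption:
    the hashes cover such strings) and map each config MD5 it explains."""
    wanted = {md5 for _, _, md5 in cfg.records}
    hits = {}
    for cand in candidates:
        host = cand.lower().rstrip("/")
        for form in (cand, host, f"http://{host}", f"http://{host}/"):
            digest = hashlib.md5(form.encode()).hexdigest()
            if digest in wanted:
                hits[digest] = form
    return hits
```

Feeding the real file and a list of domains seen in the host's proxy or DNS logs shows which config entries are explained, which is how a responder can decide whether the list is a target set or something else.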