[EP_X0FF]

This is PowerLoader Alureon cross-platform dropper.

[main]
srvurls=hxxp://r.gigaionjumbie.biz/images/gx.php;hxxp://x.dailyradio.su/images/gx.php;hxxp://w.kei.su/images/gx.php
srvdelay=15
srvretry=2
buildid=REE

here deobfuscated

https://www.virustotal.com/en/file/843f ... 369101506/
https://www.virustotal.com/en/file/6a9c ... 369101315/

Posts moved.

[markusg]

2 files
r.gigaionjumbie.biz/images/gx.php

[EP_X0FF]

2 files
r.gigaionjumbie.biz/images/gx.php

Second file f97834fh9348 is Dorkbot downloader with these links

hxxp://url9.de/Dvm?id=
hxxp://fur.ly/9jnk?foto=
hxxp://is.gd/21aJ2N?user=
hxxp://bit.ly/10K2VJY?profil=
hxxp://ow.ly/lfqd6?jpg=

[tomatto007]

I've recently received a malware sample .

Spreading mechanisms: you receive a chat message from an skype contact saying (in spanish)
"esta es una foto muy amable de tu parte "
(It's gramatically correct but it doesn't sound natural in spanish)
And the the following URL:
hXXp://goo.gl/lLGdM?png=<your_skype_contact_name>
In fact parameters are irelevant.
Independently to the parameters it allways expands to:
hXXp://dc663.4shared.com/download/arUNCWir?clientType=BASE_WEB

The malware comes into a ZIP file and inside the EXE named: fotos_facebook-20052013-png.exe
SHA1: 882da1b7838bc087c753a14b0dd1e40cd3db78d3
Here you have the sample.
Right now it's almost undetected in virustotal (3/47).
I'm not good at reverse engineering and deep malware analysis, but I've used malwr.com to do a dynamic analysis (https://malwr.com/analysis/ZDdkOWViY2Qy ... TJjZTU5N2E)
Obviously it's nothing good. It tries to contact hXXp://r.gigaionjumbie.biz/images/gx.php

Is it a known malware?

New registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\eefdfdcdfsacfsfdsf: “”%Common Appdata%\eefdfdcdfsacfsfdsf.exe”"

New file:
%Common Appdata%\eefdfdcdfsacfsfdsf.exe

https://www.virustotal.com/ru/file/2c33 ... 369228217/

[Blaze]

Yep, saw the same today.

https://www.virustotal.com/nl/file/6cd9 ... /analysis/

Code: Select all

hXXp://r.gigaionjumbie.biz/images/gx.php
hXXp://x.dailyradio.su/images/gx.php
hXXp://w.kei.su/images/gx.php

HKEY_CURRENT_USER\SOFTWARE\ebdfecfcbfsacfsfdsf

Related blogpost:
http://bartblaze.blogspot.com/2013/05/a ... -worm.html

[PX5]

Same here but am having troubles with collecting the file while online, in either normal or safe mode, which I think is hilarious given fact Ive been doing this a while and am so out of practice, I barely remember how to infect anything!

Damn the bad luck!!!!! :lol:

[EP_X0FF]

Well, removal of this bot is trivial. You can do it without any additional tools. Just taskmanager, explorer and regedit (or Process Explorer, Process Monitor and Autoruns if you want to do this quick).

Autorun entry located in HKCU\Software\Microsoft\Windows\CurrentVersion\Run
File stored in %ALLUSERSPROFILE%\AppData, e.g. C:\Documents and Settings\All Users\Application Data\dbadacbbesacfsfdsf.exe

While work this Alureon injects itself into explorer.exe address space using Shell_TrayWnd trick or by NtQueueApcThread. This injected code running payload thread (thread id can be determined with ProcMon), that overwrites malware binary on disk every second as a part of antiremoval (same for registry key).

Variant A
1) Terminate explorer.exe with taskmanager;
2) Restart it from taskmanager, injected code still in newly created explorer? Do not worry, this is because of shared section trick this malware previously used. Even if this code is inside new explorer it is not executed;
3) Remove file, remove registry key.

Variant B
1) Determine Alureon payload thread with Process Monitor (filter by Explorer.exe, Disk I/O activity, also at call Stack page you can reveal memory address in Explorer VA space where Alureon sits);
2) Terminate this thread by Process Explorer;
3) Remove file, remove registry key (Autoruns).

Run full AV scan, as it can be more malware downloaded by this bot.

[PX5]

Thanks EP,

This is a clear example of how long I been outa the loop, not so sure I was ever in the loop, tbh! :lol:

Should be some more fun somewhere to get back into the swing of things, especially since our tools section does good to "Suck Wind"!!!!!!!!!!

Best, I shhhhh before i get myself into troubles at work. ;)

Cheers,

MJ

[EP_X0FF]

And PowerLoader itself, seems builder widely used by various script-kiddies.

Code: Select all

[main]
srvurls=hxxp://u.eastmoon.pl/p/c1.php;hxxp://t.richlab.pl/p/c1.php;hxxp://y.opennews.su/p/c1.php
srvdelay=15
srvretry=2
buildid=build1

VT

SHA256: 43aad379e0ef5cb7f09a6efa77ee3e3ea40ac529ef37efe66d0f96155fe80855
SHA1: 96881d0dbfce6087dc3217e9d144a0992456a882
MD5: 0a617c203e1f1b0acf18ed2ff8d84840

https://www.virustotal.com/en/file/43aa ... /analysis/

Original and decrypted dropper + extracted x64 loader attached.

x64
https://www.virustotal.com/en/file/4582 ... 369895728/

[Xylitol]

There is also a mining pool u.eastmoon.pl/1/index.php
Pool Hashrate: 172.34 GH/s Pool Workers: 12597
wtf ?