A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #10740  by EP_X0FF
 Mon Jan 02, 2012 3:13 am
markusg wrote:winuvsrv.exe
MD5   : 618ad0154c4d941c7fcdf371dc123aeb
https://www.virustotal.com/file-scan/re ... 1325089794
Not Zeus. This is different trojan downloader.

Three-stage decryption process - Obfuscator -> UPX -> Delphi -> payload decryption. Sensitive strings from inside:
ASWgf02 ntdll shell32 explorer.exe SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System shlwapi ole32 version -update " -autorun -autorun &osver= &ipcnf= &sckport= &cmobj= &SHID= gdi32 6A57BEED userinit.exe SeDebugPrivilege csrss.exe smss.exe .dll iphlpapi 255.255.255.255 192.168.8.4 SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe Debugger advapi32 EnableLUA win video def mem dns setup user logon hlp mixer pack mon srv exec play SYSTEM\ControlSet001\Control\Session Manager\AppCertDlls SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit winlogon.exe Software\Microsoft\Windows\CurrentVersion\Run
Performs API hooking.
[1336]explorer.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->011D1B60 [unknown_code_page]
[1336]explorer.exe-->wininet.dll-->HttpOpenRequestA, Type: Inline - RelativeJump 0x771B2AF9-->011CE248 [unknown_code_page]
[1336]explorer.exe-->wininet.dll-->InternetConnectA, Type: Inline - RelativeJump 0x771B3452-->011CDE64 [unknown_code_page]
[1336]explorer.exe-->wininet.dll-->InternetCloseHandle, Type: Inline - RelativeJump 0x771B4D8C-->011D0B48 [unknown_code_page]
[1336]explorer.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x771B578E-->011CDE10 [unknown_code_page]
[1336]explorer.exe-->wininet.dll-->HttpSendRequestA, Type: Inline - RelativeJump 0x771B60A1-->011CF338 [unknown_code_page]
[1336]explorer.exe-->wininet.dll-->HttpQueryInfoA, Type: Inline - RelativeJump 0x771B79C2-->011D0AEC [unknown_code_page]
[1336]explorer.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump 0x771B82EA-->011D0898 [unknown_code_page]
[1336]explorer.exe-->wininet.dll-->InternetQueryDataAvailable, Type: Inline - RelativeJump 0x771C89F7-->011D04AC [unknown_code_page]
[1336]explorer.exe-->wininet.dll-->InternetReadFileExW, Type: Inline - RelativeJump 0x771E83F9-->011D0A84 [unknown_code_page]
[1336]explorer.exe-->wininet.dll-->InternetReadFileExA, Type: Inline - RelativeJump 0x771E9100-->011D0A1C [unknown_code_page]
[1336]explorer.exe-->wininet.dll-->HttpSendRequestW, Type: Inline - RelativeJump 0x77202EBC-->011CFA2C [unknown_code_page]
First hook for self-propagation via injection.

Malicious code has been found in the following processes:

winlogon.exe
explorer.exe

For removal navigate to

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe
the "Debugger" key will point to the malicious file (in this case it was logonruser.exe). Delete the key, reboot, delete the dropper.

p.s.
Fun part. Dr.Web detects it differently depending on the decryption stage - first (completely incorrect) as BackDoor.Zbot, decrypted it is detected as Trojan.DownLoader, additionally decrypted it is detected as Trojan.Packed ^^

Posts moved.
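The hook listing quoted in the post is the kind of output a defender gets from a user-mode hook scanner, and it carries more signal than a first glance suggests: every detour lands in an address range that no loaded module backs. The parser below is an added example (not code from the post or from any tool used there); it reads exactly those lines, which are embedded as sample input, and reports the hooked modules, the hooks whose target is an unknown code page, and how tightly the detour targets cluster. The `ROLE_BY_MODULE` descriptions are the editor's summary of what hooking those APIs gives an attacker, not text from the post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input: the twelve hook lines quoted in post #10740 (explorer.exe, PID 1336).
HOOK_REPORT = """\
[1336]explorer.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->011D1B60 [unknown_code_page]
[1336]explorer.exe-->wininet.dll-->HttpOpenRequestA, Type: Inline - RelativeJump 0x771B2AF9-->011CE248 [unknown_code_page]
[1336]explorer.exe-->wininet.dll-->InternetConnectA, Type: Inline - RelativeJump 0x771B3452-->011CDE64 [unknown_code_page]
[1336]explorer.exe-->wininet.dll-->InternetCloseHandle, Type: Inline - RelativeJump 0x771B4D8C-->011D0B48 [unknown_code_page]
[1336]explorer.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x771B578E-->011CDE10 [unknown_code_page]
[1336]explorer.exe-->wininet.dll-->HttpSendRequestA, Type: Inline - RelativeJump 0x771B60A1-->011CF338 [unknown_code_page]
[1336]explorer.exe-->wininet.dll-->HttpQueryInfoA, Type: Inline - RelativeJump 0x771B79C2-->011D0AEC [unknown_code_page]
[1336]explorer.exe-->wininet.dll-->InternetReadFile, Type: Inline - RelativeJump 0x771B82EA-->011D0898 [unknown_code_page]
[1336]explorer.exe-->wininet.dll-->InternetQueryDataAvailable, Type: Inline - RelativeJump 0x771C89F7-->011D04AC [unknown_code_page]
[1336]explorer.exe-->wininet.dll-->InternetReadFileExW, Type: Inline - RelativeJump 0x771E83F9-->011D0A84 [unknown_code_page]
[1336]explorer.exe-->wininet.dll-->InternetReadFileExA, Type: Inline - RelativeJump 0x771E9100-->011D0A1C [unknown_code_page]
[1336]explorer.exe-->wininet.dll-->HttpSendRequestW, Type: Inline - RelativeJump 0x77202EBC-->011CFA2C [unknown_code_page]
"""

# One report line: [pid]process-->module-->function, Type: <kind> <src>--><dst> [flag]
HOOK_LINE = re.compile(
    r"^\[(?P<pid>\d+)\](?P<process>.+?)-->(?P<module>.+?)-->(?P<function>\w+),"
    r"\s+Type:\s+(?P<hook_type>.+?)\s+(?P<src>0x[0-9A-Fa-f]+)-->(?P<dst>(?:0x)?[0-9A-Fa-f]+)"
    r"(?:\s+\[(?P<flag>[^\]]+)\])?\s*$"
)

# Editor's reading of what each hooked module lets the injected code intercept.
ROLE_BY_MODULE = {
    "kernel32.dll": "process creation (hook CreateProcessW to inject into children)",
    "wininet.dll": "HTTP traffic of the host process (requests, responses, downloads)",
}


@dataclass(frozen=True)
class Hook:
    pid: int
    process: str
    module: str
    function: str
    hook_type: str
    src: int             # patched instruction inside the legitimate module
    dst: int             # where the relative jump transfers control
    flag: Optional[str]  # "unknown_code_page": dst is not backed by any mapped module


def parse_hook_report(text: str) -> List[Hook]:
    """Parse scanner output lines of the form shown in HOOK_REPORT."""
    hooks: List[Hook] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HOOK_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised hook line: {line!r}")
        hooks.append(Hook(
            pid=int(m["pid"]), process=m["process"], module=m["module"],
            function=m["function"], hook_type=m["hook_type"],
            src=int(m["src"], 16), dst=int(m["dst"], 16), flag=m["flag"],
        ))
    return hooks


def hooks_by_module(hooks: List[Hook]) -> Dict[str, List[str]]:
    """Group hooked function names under their (lower-cased) module."""
    out: Dict[str, List[str]] = {}
    for h in hooks:
        out.setdefault(h.module.lower(), []).append(h.function)
    return out


def unknown_page_hooks(hooks: List[Hook]) -> List[Hook]:
    """Hooks whose detour lands outside every loaded module: injected code."""
    return [h for h in hooks if h.flag == "unknown_code_page"]


def detour_span(hooks: List[Hook]) -> Tuple[int, int]:
    """Lowest and highest detour target. A span of a few KiB means all hooks
    jump into one injected region rather than into separate modules."""
    targets = [h.dst for h in hooks]
    return min(targets), max(targets)


if __name__ == "__main__":
    hooks = parse_hook_report(HOOK_REPORT)
    for module, funcs in hooks_by_module(hooks).items():
        print(f"{module}: {len(funcs)} hook(s) - {ROLE_BY_MODULE.get(module, 'unclassified')}")
    lo, hi = detour_span(hooks)
    print(f"{len(unknown_page_hooks(hooks))} hooks jump to unmapped code between "
          f"{lo:#010x} and {hi:#010x} ({hi - lo} bytes apart)")
```

Run it as a script to see the grouping; the interesting output is that all twelve detours fall within about 16 KiB of each other, which is what one injected payload region looks like from the outside.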
 #10741  by rkhunter
 Mon Jan 02, 2012 3:25 am
Seems it's not Dr.Web only :)
What's different with Zeus? They are so alike ...
 #10742  by EP_X0FF
 Mon Jan 02, 2012 3:28 am
rkhunter wrote:What's different with Zeus? they are so alike ...
Well, first of all it is written in C/C++ and has more functionality and different behavior; take a look at the Zeus 2 sources.
 #10996  by rkhunter
 Fri Jan 13, 2012 9:47 am
One more Bublik.B

13/43

MD5: d28c114c8fc8df9da83f2293db301a4c

Drops to %windir%\system32\defp.exe,
Runs from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe - Debugger -> defp.exe
Outgoing connections to vogijwpemcugf.com -> 212.124.114.118 : 80
Attachments
pass:infected
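Both samples in this thread persist the same way: a "Debugger" value under the Image File Execution Options key for userinit.exe, which makes winlogon start the named file instead of (and with) userinit.exe at every logon. The removal steps in #10740 are the same for both. The following audit script is an added example, not code from the thread: it checks the registry locations the posts name (the IFEO key for userinit.exe, Winlogon\Userinit, the AppCertDlls key and the Run key, all of which appear in the strings dump or the removal instructions). It runs against a constructed snapshot modelled on #10996 and, on Windows, can read the live registry; the `read_live` helper, the severity scheme and the expected-value rule for Userinit are the editor's choices.

```python
import platform
from dataclasses import dataclass
from typing import Dict, List

Snapshot = Dict[str, Dict[str, str]]  # key path -> {value name: value data}

IFEO_USERINIT = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe"
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
APPCERTDLLS = r"HKLM\SYSTEM\ControlSet001\Control\Session Manager\AppCertDlls"
RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
AUDITED_KEYS = [IFEO_USERINIT, WINLOGON, APPCERTDLLS, RUN]

# Constructed snapshot of an infected machine, modelled on post #10996:
# the Debugger value redirects userinit.exe to the dropped defp.exe.
INFECTED_SNAPSHOT: Snapshot = {
    IFEO_USERINIT: {"Debugger": "defp.exe"},
    WINLOGON: {"Userinit": r"C:\WINDOWS\system32\userinit.exe,", "Shell": "Explorer.exe"},
    APPCERTDLLS: {},
    RUN: {},
}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" | "medium" | "info"
    key: str
    value_name: str
    data: str
    reason: str
    action: str


def _norm(path: str) -> str:
    return path.strip().strip('"').lower().replace("/", "\\")


def audit(snapshot: Snapshot) -> List[Finding]:
    """Apply the persistence checks to a snapshot and return the findings."""
    findings: List[Finding] = []

    # 1. IFEO Debugger on userinit.exe: no Windows component sets this, and
    #    whatever it names runs at every interactive logon (thread's own IoC).
    dbg = snapshot.get(IFEO_USERINIT, {}).get("Debugger")
    if dbg is not None:
        findings.append(Finding(
            "high", IFEO_USERINIT, "Debugger", dbg,
            "userinit.exe is redirected through an IFEO Debugger value",
            "Delete the Debugger value, reboot, then delete the file it names."))

    # 2. Winlogon\Userinit should list only <system root>\system32\userinit.exe;
    #    extra entries are launched at logon alongside it.
    userinit = snapshot.get(WINLOGON, {}).get("Userinit", "")
    entries = [_norm(e) for e in userinit.split(",") if e.strip()]
    extra = [e for e in entries if not e.endswith(r"\system32\userinit.exe")]
    if not entries or extra:
        findings.append(Finding(
            "high", WINLOGON, "Userinit", userinit,
            "Userinit value does not point solely to system32\\userinit.exe",
            "Restore the value to system32\\userinit.exe, and inspect the extra entries."))

    # 3. AppCertDlls: DLLs listed here are loaded into processes that call
    #    CreateProcess*; the key is normally absent or empty.
    for name, data in snapshot.get(APPCERTDLLS, {}).items():
        findings.append(Finding(
            "medium", APPCERTDLLS, name, data,
            "AppCertDlls entry present (DLL injected into new processes)",
            "Verify the DLL's publisher; remove the value if it is not accounted for."))

    # 4. Run entries are common and mostly legitimate; list them for review.
    for name, data in snapshot.get(RUN, {}).items():
        findings.append(Finding("info", RUN, name, data, "autostart entry", "Review."))
    return findings


def read_live(keys: List[str] = AUDITED_KEYS) -> Snapshot:
    """Read the audited keys from the local registry (Windows only; hypothetical helper)."""
    if platform.system() != "Windows":
        raise RuntimeError("live registry read requires Windows")
    import winreg
    snap: Snapshot = {}
    for key in keys:
        hive, _, sub = key.partition("\\")
        assert hive == "HKLM", "only HKLM paths are audited here"
        values: Dict[str, str] = {}
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub, 0,
                                winreg.KEY_READ | winreg.KEY_WOW64_64KEY) as h:
                i = 0
                while True:
                    try:
                        name, data, _type = winreg.EnumValue(h, i)
                    except OSError:
                        break  # no more values under this key
                    values[name] = str(data)
                    i += 1
        except FileNotFoundError:
            pass  # key absent: nothing to report
        snap[key] = values
    return snap


if __name__ == "__main__":
    source = read_live() if platform.system() == "Windows" else INFECTED_SNAPSHOT
    for f in audit(source):
        print(f"[{f.severity}] {f.key}\\{f.value_name} = {f.data!r}: {f.reason} -> {f.action}")
```

On a non-Windows host the script audits the constructed snapshot and reports the single high-severity finding; on Windows it reads the real keys. The Userinit rule accepts any system root but rejects additional comma-separated entries, which is the other common way this value gets abused.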
 #13334  by rkhunter
 Sun May 20, 2012 5:48 pm
Oh yes, the McAfee 'Zbot' story is epic... almost all stealers are ZBot. By behaviour this is Bublik.
I thought about users...it's confusing for them.