A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #13307  by EP_X0FF
 Sat May 19, 2012 1:06 am
I don't think they even knows about it. Otherwise they are really slowpokes. Remember Prevx, captain obvious from prevx was lurking here during TDL4 discovery and immediatelly copy-pasted everything in it's blog when TDL4 was found and confirmed.
 #13326  by Flamef
 Sun May 20, 2012 3:32 pm
EP_X0FF wrote:I don't think they even knows about it. Otherwise they are really slowpokes. Remember Prevx, captain obvious from prevx was lurking here during TDL4 discovery and immediatelly copy-pasted everything in it's blog when TDL4 was found and confirmed.
Man,that's really bad :( .Did you do anything about it?As i've already mentioned,it's funny how some very talented and skilled persons are "getting wasted in a forum"(Please don't get this wrong) when they could work for other companies,EP_X0FF,Rkhunter,evilcry,xylitol and many others.

ZeroAcess hiding in a Serial wwx.crackzone.net/data/Super_Mp3_Download_Version_3.3.4.6_serial_keys_gen-bee3afe71a.html
The never ending same old story :D .
 #13336  by thisisu
 Sun May 20, 2012 7:52 pm
Just posting this for reference ;)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}
Default should be: %SystemRoot%\system32\shdocvw.dll
 #13348  by tachion
 Mon May 21, 2012 7:03 pm
ZeroAccess - Sirefef
74acfbfc68968af240fe363e22716c5e
https://www.virustotal.com/file/28db4e9 ... /analysis/

win7
Created process: C:\Windows\system32\cmd.exe,(null),(null)
Detected privilege modification
Hide file from user: C:\Users\tachion\AppData\Local\{faf34395-144d-8d43-9bc7-3d2837deeab2}\@
Hide file from user: C:\Users\tachion\AppData\Local\{faf34395-144d-8d43-9bc7-3d2837deeab2}\n
Hide folder from user: C:\Users\tachion\AppData\Local\{faf34395-144d-8d43-9bc7-3d2837deeab2}

xp
Image

Image
Attachments
password: sg
(149.9 KiB) Downloaded 105 times
 #13358  by rkhunter
 Tue May 22, 2012 8:36 am
tachion wrote:ZeroAccess - Sirefef
74acfbfc68968af240fe363e22716c5e
https://www.virustotal.com/file/28db4e9 ... /analysis/
WinXP SP3
Dropped/downloaded files.

C:\WINDOWS\assembly\GAC\Desktop.ini [Trojan:Win32/Sirefef.AB]
MD5: 85c5dec9b6b5d6b9de2c0331a102ad71
https://www.virustotal.com/file/6f93dd7 ... 337674035/

C:\WINDOWS\Installer\{c7a1ab8a-9f87-85f5-545d-aad1ae1a181e}\@
C:\WINDOWS\Installer\{c7a1ab8a-9f87-85f5-545d-aad1ae1a181e}\n [VirTool:Win32/Obfuscator.XI / Backdoor.Win32.ZAccess.sgi]
MD5: 767665fffe4b774169c50d691a5490d0
https://www.virustotal.com/file/f0cf149 ... 337674295/

C:\WINDOWS\Installer\{c7a1ab8a-9f87-85f5-545d-aad1ae1a181e}\L\00000008.@ [BitCoinMiner]
MD5: 64645e81435058738c137a67df84a5c5
https://www.virustotal.com/file/02db0f2 ... 337674917/

C:\WINDOWS\Installer\{c7a1ab8a-9f87-85f5-545d-aad1ae1a181e}\U\00000004.@
MD5: c36a656d37f30ce9e8a79ae7713d0896
https://www.virustotal.com/file/84d3236 ... 337675240/

C:\WINDOWS\Installer\{c7a1ab8a-9f87-85f5-545d-aad1ae1a181e}\U\00000008.@ [BitCoinMiner]
MD5: 72ced4cebd0baa4692f241e47e6836b2
https://www.virustotal.com/file/68042f0 ... 337675263/

C:\WINDOWS\Installer\{c7a1ab8a-9f87-85f5-545d-aad1ae1a181e}\U\80000000.@ [Trojan:Win32/Sirefef.AG]
MD5: 2ddce8374ef6f99a987acf620ed5c1d1
https://www.virustotal.com/file/42a9734 ... /analysis/

C:\WINDOWS\Installer\{c7a1ab8a-9f87-85f5-545d-aad1ae1a181e}\U\000000cb.@
MD5: f2b2477ca78d7fb19e7491220f3a7981
https://www.virustotal.com/file/43119a8 ... 337675407/

C:\WINDOWS\Installer\{c7a1ab8a-9f87-85f5-545d-aad1ae1a181e}\U\80000032.@ [Trojan:Win32/Sirefef.AK]
MD5: 1b584c668b85ff4e352cb7b6b9401b4d
https://www.virustotal.com/file/7a50311 ... /analysis/

In attach.
Attachments
pass:infected
(554.17 KiB) Downloaded 117 times
 #13380  by rkhunter
 Wed May 23, 2012 10:09 am
thisisu wrote:Just posting this for reference ;)

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}
Default should be: %SystemRoot%\system32\shdocvw.dll
Don't remember that it was before, but...
Now you need block access to all CLSID key because it will reinfect key with another CLSID.
Also if remove it files from C:\WINDOWS\Installer in malware active state, it drops it again, but destination folder similar to "C:\Documents and Settings\root\Local Settings\Application Data\{GUID}\" [in my case].
  • 1
  • 2
  • 3
  • 4
  • 5
  • 56