YolrotX
written in Visual Basic 6.0
MD5 Checksum : cb702c3319a27e792b84846d3d6c61ad
Size : 61493 Bytes
Extract itself to %windir%\System32 with 3 different names : update.exe, security.exe, avg.exe
it's also open the internet explorer and tends to surf golo.com website.
Seems it also uses the following library : Microsoft Base Cryptographic Provider v1.0
usename of the author is Basic, so we can name the author Basic .
Also trying to download the following files to system32 .
Open a Handle to Cmd.exe .
seems, there's no hooking behavior available in this sample .
set itself as startup to the following key with 3 different entries:
vt result : Result: 6/42 (14.29%)
vt perma link :
http://www.virustotal.com/analisis/ec89 ... 1270075998
sample attached ... .
written in Visual Basic 6.0
MD5 Checksum : cb702c3319a27e792b84846d3d6c61ad
Size : 61493 Bytes
Extract itself to %windir%\System32 with 3 different names : update.exe, security.exe, avg.exe
it's also open the internet explorer and tends to surf golo.com website.
Seems it also uses the following library : Microsoft Base Cryptographic Provider v1.0
usename of the author is Basic, so we can name the author Basic .
Also trying to download the following files to system32 .
Code: Select all
hxxp://www.oviedolocal3476.com/mail/bin/msm.exe
\system32\updates.exe
Code: Select all
hxxp://www.oviedolocal3476.com/mail/bin/plugoff.exe
\system32\securitys.exe
Code: Select all
when start to executing, it's also drop a driver named "drive.sys" and "drive.sys.off" to system32\Drivers, had some rootkit behavior, while scanning with RKU it reports try to hide process update.exe .hxxp://www.oviedolocal3476.com/mail/bin/regdllhelper.exe
\system32\drivess.exe
Open a Handle to Cmd.exe .
seems, there's no hooking behavior available in this sample .
set itself as startup to the following key with 3 different entries:
Code: Select all
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion\Run
Code: Select all
easy to kill, just terminate update.exe , security.exe and globo.exe, so the malware become inactive .\System32\avg.exe
\System32\update.exe
\System32\security.exe
vt result : Result: 6/42 (14.29%)
vt perma link :
http://www.virustotal.com/analisis/ec89 ... 1270075998
sample attached ... .
Attachments
password : Infected
(37.81 KiB) Downloaded 82 times
(37.81 KiB) Downloaded 82 times
Last edited by __Genius__ on Thu Apr 01, 2010 10:12 am, edited 3 times in total.
- Individuality