A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #14238  by rkhunter
 Sun Jun 24, 2012 7:02 pm
Mmm...

Cabinet is not valid.
Filetable full.
Can not change to destination folder.
Setup could not find a drive with %s KB free disk space to install the program. Please free up some space first and press RETRY or press CANCEL to exit setup.
That folder is invalid. Please make sure the folder exists and is writable.
You must specify a folder with fully qualified pathname or choose Cancel.
Could not update folder edit box.
Could not load functions required for browser dialog.
Could not load Shell32.dll required for browser dialog.
Error creating process <%s>. Reason: %s
The cluster size in this system is not supported.
A required resource appears to be corrupted.
Windows 95 or Windows NT 4.0 Beta 2 or greater is required for this installation.
Error loading %s
GetProcAddress() failed on function '%s'. Possible reason: incorrect version of advpack.dll being used.
Windows 95 or Windows NT is required to install
Could not create folder '%s'
To install this program, you need %s KB disk space on drive %s. It is recommended that you free up the required disk space before you continue.
Do you still want to continue?
Error retrieving Windows folder
NT Shutdown: OpenProcessToken error.
NT Shutdown: AdjustTokenPrivileges error.
NT Shutdown: ExitWindowsEx error.
Extracting file failed. It is most likely caused by low memory (low disk space for swapping file) or corrupted Cabinet file.
The setup program could not retrieve the volume information for drive (%s) .
System message: %s.
Setup could not find a drive with %s KB free disk space to install the program. Please free up some space and try again.
The installation program appears to be damaged or corrupted. Contact the vendor of this application.
Command line option syntax error. Type Command /? for Help.
Command line options:
/Q -- Quiet modes for package,
/T:<full path> -- Specifies temporary working folder,
/C -- Extract files only to the folder when used also with /T.
/C:<Cmd> -- Override Install Command defined by author.
You must restart your computer before the new settings will take effect.
Do you want to restart your computer now?
Another copy of the '%s' package is already running on your system. Do you want to run another copy?
Could not find the file: %s.
You do not have administrator privileges on this machine. Some installations cannot be completed correctly unless they are run by an administrator.
The folder '%s' does not exist. Do you want to create it?
Another copy of the '%s' package is already running on your system. You can only run one copy at a time.
The '%s' package is not compatible with the version of Windows you are running.
The '%s' package is not compatible with the version of the file: %s on
rundll32.exe %s,InstallHinfSection %s 128 %s
SHELL32.DLL
SHGetSpecialFolderLocation
SHBrowseForFolder
SHGetPathFromIDList
DefaultInstall
DefaultInstall
DoInfInstall
Software\Microsoft\Windows\CurrentVersion\RunOnce
System\CurrentControlSet\Control\Session Manager
PendingFileRenameOperations
System\CurrentControlSet\Control\Session Manager\FileRenameOperations
wextract_cleanup%d
%s /D:%s
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"
Command.com /c %s
WEXTRACT
*MEMCAB
rundll32.exe %s,InstallHinfSection %s 128 %s
It crashes in my case, but by static analysis...
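The wextract/IExpress messages in the post above come from the dropper's string-table resources (RT_STRING, resource type 6). A string table stores 16 entries per block, each as a 16-bit length followed by that many UTF-16 code units with no terminator, so a plain wide-string scan over the resource section does not know where one entry ends: whenever the length word happens to be a printable character (0x25 = '%' in front of the 37-character "Can not change to destination folder.", 0x4B = 'K' in front of the 75-character entry that follows it) adjacent entries are glued together with that stray character between them. The following Python is an added example, not code from the post or from any Microsoft tool; it builds a block from three of the strings in the dump (the block bytes are constructed, not taken from the sample) and contrasts a structure-aware parse with the naive scan that produced the fused lines.

```python
"""RT_STRING block parser vs. a naive wide-string scan.

Added example; not code from the post above or from any Microsoft tool.
A Windows string-table resource (RT_STRING, type 6) holds 16 entries per
block, each stored as a 16-bit length followed by that many UTF-16 code
units with no terminator. SAMPLE below is a block constructed from three
strings visible in the wextract dump; it is not bytes from the sample.
"""
import struct


def build_string_block(strings):
    """Encode up to 16 strings as one RT_STRING block (unused slots = length 0)."""
    if len(strings) > 16:
        raise ValueError("an RT_STRING block holds at most 16 strings")
    out = bytearray()
    for s in list(strings) + [""] * (16 - len(strings)):
        data = s.encode("utf-16-le")
        out += struct.pack("<H", len(data) // 2) + data
    return bytes(out)


def parse_string_block(block):
    """Decode an RT_STRING block, honouring the length words; empty slots dropped."""
    strings, off = [], 0
    while off + 2 <= len(block):
        (n,) = struct.unpack_from("<H", block, off)
        off += 2
        raw = block[off:off + 2 * n]
        if len(raw) != 2 * n:
            raise ValueError("truncated RT_STRING block")
        off += 2 * n
        if n:
            strings.append(raw.decode("utf-16-le"))
    return strings


def naive_wide_strings(buf, min_len=4):
    """strings(1)-style scan for runs of printable UTF-16LE characters.

    It knows nothing about the length words, so a printable length byte
    (e.g. 0x25 = '%' for a 37-character entry) glues entries together.
    """
    found, run = [], ""
    for i in range(0, len(buf) - 1, 2):
        ch = buf[i] | (buf[i + 1] << 8)
        if 0x20 <= ch < 0x7F:
            run += chr(ch)
        else:
            if len(run) >= min_len:
                found.append(run)
            run = ""
    if len(run) >= min_len:
        found.append(run)
    return found


# Constructed block: three entries from the dump, thirteen empty slots.
SAMPLE = build_string_block([
    "Filetable full.",
    "Can not change to destination folder.",
    "That folder is invalid. Please make sure the folder exists and is writable.",
])

if __name__ == "__main__":
    for s in parse_string_block(SAMPLE):
        print("parsed:", s)
    for s in naive_wide_strings(SAMPLE):
        print("naive: ", s)
```

In a real PE the block to parse is the data of resource type 6, where resource name ID N holds string IDs (N-1)*16 through (N-1)*16+15; point `parse_string_block` at that data and you get the clean per-entry list instead of the fused lines.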
 #14239  by Buster_BSA
 Sun Jun 24, 2012 7:11 pm
REPORT.TXT
Report generated with Buster Sandbox Analyzer 1.71 at 21:08:16 on 24/06/2012

[ General information ]
* File name: c:\m\test\bigfish.exe
* File length: 414208 bytes
* File signature (PEiD): Microsoft Visual C++ ?.? *
* File signature (Exeinfo): generic check : MS IExpress x.x - CAB installer ( in section II )
* File type: EXE
* TLS hooks: NO
* File entropy: 7.72729 (96.5911%)
* Adobe Malware Classifier: Unknown
* MD5 hash: b2c471ad35c2a906d1a62e68b419c672
* SHA1 hash: 2aeb8a81bde6fb81ea840c64aef9c9f13173c44c
* SHA256 hash: 197cbb7a3c033afa7f4a98e5d60cfc0ab0e0221dc55737054baf514daa380ce3

[ Changes to filesystem ]
* Deletes file C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\vbc.exe
* Creates file C:\Documents and Settings\Buster\Datos de programa\vdlet.dll
File length: 126976 bytes
File type: DLL
File entropy: 7.24213 (90.5266%)
Adobe Malware Classifier: Unknown
MD5 hash: 85cbf94d068bc9bc9687079d6088c9f8
SHA1 hash: 8b7a22a339b0e7dc7b8a6f3edd15cc08a7ed0247
SHA256 hash: 0c6d480bde5adf6f3b2bd8b98f2a3e7397a9c92d04772500f3a616df0595324a

[ Changes to registry ]
* Creates value "vdlet=rundll32.exe "C:\Documents and Settings\Buster\Datos de programa\vdlet.dll",ReplaceCharsW" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run
* Modifies value "Count=0000007B" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
old value "Count=0000007A"
* Modifies value "Time=DC070600000018001300080015009002" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore
old value "Time=DC07060003001400010039000100D102"

[ Network services ]
* No changes

[ Process/window/string information ]
* Keylogger functionality.
* Enables process privileges.
* Gets user name information.
* Gets volume information.
* Gets computer name.
* Checks for debuggers.
* Creates process "(null),C:\DOCUME~1\BUSTER\CONFIG~1\Temp\IXP000.TMP\youtube.exe,(null)".
* Creates an event named "Global\CorDBIPCSetupSyncEvent_2996".
* Creates process "(null),C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe,(null)".
* Enables privilege SeDebugPrivilege.
* Creates process "(null),C:\DOCUME~1\BUSTER\CONFIG~1\Temp\IXP000.TMP\C32938~1.EXE,(null)".
* Creates process "C:\WINDOWS\system32\cmd.exe,(null),(null)".
* Creates a mutex "{0eed63da-ca46-664d-a41e-131750c04576}".
* Creates a mutex "Shell.CMruPidlList".
* Contains string Traces of AutoStart registry key ("Software\Microsoft\Windows\CurrentVersion\Run")
ANALYSIS.TXT
Report generated with Buster Sandbox Analyzer 1.71 at 21:08:16 on 24/06/2012

Detailed report of suspicious malware actions:

Checked for debuggers
Created a mutex named: {0eed63da-ca46-664d-a41e-131750c04576}
Created a mutex named: Shell.CMruPidlList
Created an event named: Global\CorDBIPCSetupSyncEvent_2996
Created process: (null),C:\DOCUME~1\BUSTER\CONFIG~1\Temp\IXP000.TMP\C32938~1.EXE,(null)
Created process: (null),C:\DOCUME~1\BUSTER\CONFIG~1\Temp\IXP000.TMP\youtube.exe,(null)
Created process: (null),C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe,(null)
Created process: C:\WINDOWS\system32\cmd.exe,(null),(null)
Defined file type created: C:\Documents and Settings\Buster\Datos de programa\vdlet.dll
Defined registry AutoStart location created or modified: machine\software\microsoft\Windows\CurrentVersion\Run\vdlet = rundll32.exe "C:\Documents and Settings\Buster\Datos de programa\vdlet.dll",ReplaceCharsW
Defined string contained: Traces of AutoStart registry key ("Software\Microsoft\Windows\CurrentVersion\Run")
Detected privilege modification
Detected process privilege elevation
Got computer name
Got user name information
Got volume information

Risk evaluation result: High
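The line that matters most in the report above is the autostart value: a Run key entry that has rundll32.exe load a DLL dropped under the user's profile ("Datos de programa" is the Spanish Windows name for Application Data). The Python below is an added example, not part of the post or of Buster Sandbox Analyzer; it parses BSA's "Creates/Modifies value ... in key ..." lines, keeps only values under autostart keys, and rates each on two signals: whether rundll32 is used to proxy execution of a DLL, and whether the command runs from a user-writable directory. The first two sample lines are copied from the report, the third is constructed as a benign contrast.

```python
"""Triage of Buster Sandbox Analyzer registry lines for autostart abuse.

Added example, not part of the post above or of Buster Sandbox Analyzer.
It parses the "* Creates/Modifies value ... in key ..." lines BSA prints,
keeps only values under autostart keys, and rates them on whether they
launch rundll32 with a DLL and whether that command runs from a
user-writable directory. SAMPLE_LINES: the first two are copied from the
report above, the third is constructed as a benign contrast.
"""
import re

REG_LINE = re.compile(
    r'^\* (?P<op>Creates|Modifies) value "(?P<name>[^=]+)=(?P<data>.*)" in key (?P<key>\S+)$'
)

# Key suffixes (lower-cased) whose values execute at logon or boot.
AUTOSTART_SUFFIXES = (
    r"\microsoft\windows\currentversion\run",
    r"\microsoft\windows\currentversion\runonce",
    r"\microsoft\windows\currentversion\runservices",
    r"\microsoft\windows\currentversion\policies\explorer\run",
)

# Directory fragments an ordinary user can write to (English names plus
# the Spanish "Datos de programa" = Application Data seen in the report).
USER_WRITABLE_HINTS = (
    "\\documents and settings\\", "\\users\\", "\\datos de programa\\",
    "\\application data\\", "\\appdata\\", "\\temp\\",
)

# rundll32[.exe] followed by an optionally quoted DLL path and a comma.
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:.*[\\/])?rundll32(?:\.exe)?"?\s+"?([^",]+?\.dll)"?\s*,', re.I
)


def parse_registry_line(line):
    """Return dict(op, name, data, key) for a BSA registry line, else None."""
    m = REG_LINE.match(line.strip())
    return m.groupdict() if m else None


def is_autostart_key(key):
    k = key.lower()
    return any(k.endswith(s) for s in AUTOSTART_SUFFIXES)


def rundll32_target(data):
    """DLL path if the value launches rundll32 with a DLL, else None."""
    m = RUNDLL32_RE.match(data)
    return m.group(1) if m else None


def triage(lines):
    """Findings for autostart values; severity is high, medium or info."""
    findings = []
    for line in lines:
        rec = parse_registry_line(line)
        if not rec or not is_autostart_key(rec["key"]):
            continue
        data, reasons = rec["data"], []
        dll = rundll32_target(data)
        if dll:
            reasons.append("rundll32 proxies execution of " + dll)
        if any(h in data.lower() for h in USER_WRITABLE_HINTS):
            reasons.append("command runs from a user-writable directory")
        severity = "high" if len(reasons) == 2 else "medium" if reasons else "info"
        findings.append({"name": rec["name"], "key": rec["key"], "data": data,
                         "reasons": reasons, "severity": severity})
    return findings


SAMPLE_LINES = [
    r'* Creates value "vdlet=rundll32.exe "C:\Documents and Settings\Buster\Datos de programa\vdlet.dll",ReplaceCharsW" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run',
    r'* Modifies value "Count=0000007B" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore',
    # constructed benign entry, not from the report
    r'* Creates value "SunJavaUpdateSched=C:\Program Files\Java\jre6\bin\jusched.exe" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f["severity"], f["name"], "->", f["data"], f["reasons"])
```

The rundll32 signal on its own is only medium: legitimate vendors do register `rundll32.exe C:\WINDOWS\system32\something.dll,Export` under Run. Combined with a DLL living in the profile or Temp, as here, it is the classic pattern of a dropper that cannot or will not write to system directories.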
 #14240  by rkhunter
 Sun Jun 24, 2012 7:26 pm
Need the dropped DLL for further analysis.
 #14242  by rkhunter
 Sun Jun 24, 2012 8:03 pm
gkaiogto.dr - this is a driver, but not a rootkit.
This is the LanMan redirector.
d:\nt\base\fs\rdr2\rdbss\smb.mrx\smbcedb.c
d:\nt\base\fs\rdr2\rdbss\smb.mrx\transprt.c
d:\nt\base\fs\rdr2\rdbss\smb.mrx\smbadmin.c
d:\nt\base\fs\rdr2\rdbss\smb.mrx\fsctl.c
d:\nt\base\fs\rdr2\rdbss\smb.mrx\devfcb.c
\Device\LanmanRedirector

MD5: f3aefb11abc521122b67095044169e98
SHA1: 52eff61934a595ebd9faa6e291e1f01e72d4b9ff
 #14244  by markusg
 Sun Jun 24, 2012 8:09 pm
Yes, it's original; sorry, I have not deleted this file from the archive, but it was also sent by joebox.
 #14246  by EP_X0FF
 Mon Jun 25, 2012 2:41 am
markusg wrote: rootkit?
Yes. Sirefef. The initial dropper is a self-extracting archive with two files inside. One of them is the Sirefef dropper protected by dotnet. Attached is the Sirefef-related extracted data.
Posts moved.
Attachments
pass: malware
 #14250  by rkhunter
 Mon Jun 25, 2012 8:30 am
EP_X0FF wrote: One of them is the Sirefef dropper protected by dotnet.
youtube.ex1
MD5: c4a946cc851e2ee6407c2c8c9680cf18
SHA1: ae641cb785644297f7bb34ea58e19fc826f1132a