A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #3953  by EP_X0FF
 Sun Dec 12, 2010 3:31 pm
Trojan dropper; thanks go to PX5 for providing the link to the sample.

http://www.virustotal.com/file-scan/rep ... 1292162080

Drops payload ntcore.dll to the windows\system32 folder and changes the file creation time to hide the new dll.

ntcore.dll
http://www.virustotal.com/file-scan/rep ... 1292166320

ntcore.dll is mapped into winlogon.exe memory and performs network requests.

Disables SFC and loads itself at reboot through infection of a system dll, ole32.dll; in the case of Vista it takes ownership of the protected system file to patch it.
It also infects the ole32.dll copy in dllcache. During the infection process it creates a temp file in the system32 folder.

infected library
http://www.virustotal.com/file-scan/rep ... 1292166476

The ole32.dll entry point is overwritten to jump into the malicious code at dll load.

If installation fails, the dropper tries to contact the C&C server (hxxp://freeav-update.com/com/i.php?) with an installation report.

Drops several data files in the system32 folder:
a.dll
d.dll
m.dll
n.dll
o.dll
p.dll
Creates registry keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Driversx64]
"C:\\WINDOWS\\system32\\a.dll"=dword:03659445
"C:\\WINDOWS\\system32\\m.dll"=dword:05388ab0
"C:\\WINDOWS\\system32\\d.dll"=dword:033f587c
"C:\\WINDOWS\\system32\\n.dll"=dword:01662dcb
"C:\\WINDOWS\\system32\\o.dll"=dword:0310d42e
"C:\\WINDOWS\\system32\\p.dll"=dword:043ea255
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Driversx]
"C:\\WINDOWS\\system32\\d.dll"=dword:033f587c
This is a link to the ThreatExpert analysis of another sample:
http://www.threatexpert.com/report.aspx ... 32b55658dd
Attachments
pass: malware
(1.23 MiB)
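The post describes ole32.dll with its entry point overwritten to jump into code the infector added. The following is an added example, not code from the post or from EP_X0FF, showing how a reverse engineer can triage such a library offline: it parses just enough of the PE header to find AddressOfEntryPoint, locates the section that contains it, and decodes a leading `jmp rel32` (opcode E9) at the entry point. It flags the file when the entry point sits outside the first executable section, when that section is writable, or when the first instruction jumps into a different section, which is what an appended-code infector produces. The section names, the `build_pe` helper and the sample images it builds are constructed test data, not anything taken from the infected file; the heuristics are general and will also flag some legitimately packed binaries, so treat a hit as a reason to diff the file against the dllcache copy, not as proof by itself.

```python
"""Heuristic check for an entry-point-patched PE (added example, not from the post)."""
import struct
import sys

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(data):
    """Return (AddressOfEntryPoint, [(name, va, vsize, raw_ptr, raw_size, chars)])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    nsec = struct.unpack_from("<H", data, coff + 2)[0]    # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections, off = [], opt + opt_size                    # section table follows
    for _ in range(nsec):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name.rstrip(b"\0").decode(errors="replace"),
                         va, vsize, raw_ptr, raw_size, chars))
        off += 40
    return entry_rva, sections


def section_for_rva(sections, rva):
    """Section whose virtual range covers rva, or None."""
    for s in sections:
        _, va, vsize, _, raw_size, _ = s
        if va <= rva < va + max(vsize, raw_size):
            return s
    return None


def rva_to_offset(sections, rva):
    s = section_for_rva(sections, rva)
    return None if s is None else s[3] + (rva - s[1])


def check_entry_point(data):
    """Return a list of findings; an empty list means nothing suspicious."""
    entry_rva, sections = parse_sections(data)
    ep_sec = section_for_rva(sections, entry_rva)
    if ep_sec is None:
        return ["entry point RVA 0x%x maps to no section" % entry_rva]
    findings = []
    exec_secs = [s for s in sections if s[5] & IMAGE_SCN_MEM_EXECUTE]
    if exec_secs and ep_sec is not exec_secs[0]:
        findings.append("entry point in %s, not first executable section %s"
                        % (ep_sec[0], exec_secs[0][0]))
    if ep_sec[5] & IMAGE_SCN_MEM_WRITE:
        findings.append("entry point section %s is writable" % ep_sec[0])
    # A patched entry usually starts with E9 rel32: target = next_ip + rel32.
    off = rva_to_offset(sections, entry_rva)
    if off is not None and off + 5 <= len(data) and data[off] == 0xE9:
        rel = struct.unpack_from("<i", data, off + 1)[0]
        target = (entry_rva + 5 + rel) & 0xFFFFFFFF
        tgt = section_for_rva(sections, target)
        if tgt is None or tgt is not ep_sec:
            findings.append("entry point jmp to 0x%x lands in %s"
                            % (target, tgt[0] if tgt else "no section"))
    return findings


def build_pe(sections_spec, entry_rva):
    """Build a minimal 32-bit PE from [(name, va, raw_bytes, chars)] (constructed test data)."""
    nsec, opt_size, align = len(sections_spec), 224, 0x200
    hdr_total = -(-(0x40 + 4 + 20 + opt_size + 40 * nsec) // align) * align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    hdrs, body, raw_ptr = b"", b"", hdr_total
    for name, va, raw, chars in sections_spec:
        raw_size = -(-len(raw) // align) * align
        hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(raw), va,
                            raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += raw.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs).ljust(hdr_total, b"\0") + body


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        for line in check_entry_point(f.read()) or ["no entry-point anomalies"]:
            print(line)
```

Run it against the system32 copy of a suspect library and against the dllcache copy; a jmp out of .text into a trailing section on one and not the other is exactly the pattern the post describes.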