I have attached an old copy of ComboFIx. Thank you for taking a look at this.
Attachments
(4.44 MiB) Downloaded 44 times
A forum for reverse engineering, OS internals and malware analysis
2 PEVSystemStart; "C:\32788R22FWJFW\pev.3XE" EXEC /i CSCRIPT.exe //NOLOGO //E:VBSCRIPT //B //T:15 "C:\32788R22FWJFW\KNetSvcs.vbs" [407 2012-05-20]
EP_X0FF wrote:I've disabled both ZeroAccess working threads suspending infection and it still cannot properly start. Then I manually cleaned registry entries responsible for mapping ZeroAccess payload to explorer.exe (HKCR\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32 and {bbd38d41-4b71-40a2-85c6-e2628751e592}), restarted explorer to free from backdoor code and tried Combofix again - without any changes. So I guess since your tool is multicomponent it fails somewhere on installation process, something sets failure marker and cannot work anymore no matter what. You should add detailed logging of startup, because of bunch tools used it is very hard to trace.I assume this was tested on an XP machine. Irregardless of how ComboFix works, here's a simple test.
sUBs wrote:I assume this was tested on an XP machine. Irregardless of how ComboFix works, here's a simple test.Yes.
At the root of C:\, there will be a folder named '32788R22FWJFW'. To access/enter the folder, remove the 'System' attribute from the folder's properties.Cannot reproduce, cmd.3xe working well. But execution of c.bat leads to termination. PEV.3XE thrown STATUS_ACCESS_VIOLATION as second chance exception.
Once inside, you will see a file named cmd.3XE which is actually a renamed copy of Windows' cmd.exe
Double click cmd.3XE to launch it. It gets terminated almost immediately. That's ZeroAccess'' doing.
Now if one copies cmd.3XE to another folder, for example C:\cmd.3XE, then launching it from there would not be a problem.
So long as it isn't in the 32788R22FWJFW folder, it wont get killed. One can even CD (change working directory) back into the 32788R22FWJFW folder without any issues.
Now if one renames 32788R22FWJFW to another name, e.g. XPEOFF, double clicking cmd.3XE from there, still wont work. So I'm thinking this blockade has to be based on a set of conditions.
typedef struct {
ULONG i[2];
ULONG buf[4];
unsigned char in[64];
unsigned char digest[16];
} MD5_CTX;
typedef void (__stdcall *PMD5Init) (MD5_CTX *context);
typedef void (__stdcall *PMD5Update)(MD5_CTX *context, const unsigned char *input, unsigned int inlen);
typedef void (__stdcall *PMD5Final) (MD5_CTX *context);
PMD5Init MD5Init = NULL;
PMD5Update MD5Update = NULL;
PMD5Final MD5Final = NULL;
typedef struct _FILE_FS_VOLUME_INFORMATION {
LARGE_INTEGER VolumeCreationTime;
ULONG VolumeSerialNumber;
ULONG VolumeLabelLength;
BOOLEAN SupportsObjects;
WCHAR VolumeLabel[1];
} FILE_FS_VOLUME_INFORMATION, *PFILE_FS_VOLUME_INFORMATION;
typedef struct _SfUUID {
DWORD value0;
WORD value1;
WORD value2;
BYTE value3;
BYTE value4;
BYTE value5;
BYTE value6;
BYTE value7;
BYTE value8;
BYTE value9;
BYTE value10;
} SfUUID, *PSfUUID;
BOOLEAN SfCalcVolumeMD5(
PBYTE MD5Hash
)
{
OBJECT_ATTRIBUTES obja;
IO_STATUS_BLOCK iost;
UNICODE_STRING str;
NTSTATUS Status;
BOOLEAN result = FALSE;
HANDLE hVolume = NULL;
MD5_CTX ctx;
FILE_FS_VOLUME_INFORMATION fsVolumeInfo;
if ( MD5Hash == NULL )
return result;
RtlInitUnicodeString(&str, L"\\systemroot");
InitializeObjectAttributes(&obja, &str, OBJ_CASE_INSENSITIVE, NULL, NULL);
Status = NtOpenFile(&hVolume, FILE_GENERIC_READ, &obja, &iost,
FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, FILE_SYNCHRONOUS_IO_NONALERT);
if ( NT_SUCCESS(Status) ) {
Status = NtQueryVolumeInformationFile(hVolume, &iost, &fsVolumeInfo,
sizeof(FILE_FS_VOLUME_INFORMATION), FileFsVolumeInformation);
if ( ( NT_SUCCESS(Status) || Status == STATUS_BUFFER_OVERFLOW ) ) {
MD5Init(&ctx);
MD5Update(&ctx, (unsigned char*)&fsVolumeInfo.VolumeCreationTime, sizeof(LARGE_INTEGER));
MD5Final(&ctx);
memcpy(MD5Hash, &ctx.buf, 16);
result = TRUE;
}
NtClose(hVolume);
}
return result;
}
VOID SfBuildString(
PBYTE MD5Hash,
PWCHAR String
)
{
PSfUUID p = (PSfUUID)MD5Hash;
swprintf(String, L"{%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}",
p->value0, p->value1, p->value2, p->value3,
p->value4, p->value5, p->value6, p->value7,
p->value8, p->value9, p->value10);
}
BOOLEAN SfInitMD5(
VOID
)
{
HMODULE hLib = LoadLibraryW(L"Cryptdll.dll");
if ( hLib == NULL )
return FALSE;
MD5Init = (PMD5Init) GetProcAddress(hLib, "MD5Init") ;
MD5Update = (PMD5Update) GetProcAddress(hLib, "MD5Update") ;
MD5Final = (PMD5Final) GetProcAddress(hLib, "MD5Final") ;
return TRUE;
}
VOID SfMain()
{
BYTE Buffer[0x20] = {0};
WCHAR String[0x100] = {0};
SfInitMD5();
SfCalcVolumeMD5(Buffer);
SfBuildString(Buffer, String);
OutputDebugStringW(String);
}
DragonMaster Jay wrote:Looks like Sirefef is opening files from a device driver...Current version has no devices drivers.
then writing MD5 strings in C...what gives? Changing device driver code?No it don't. This is Universally Unique Identifier (UUID) generation for Sirefef folder name. It calcs MD5 for system volume creation time value and converts it in UUID format. It is obvious from code posted above.