[EP_X0FF]

This thread contains posts moved from thread TrojanDownloader:Win32/Harnig.S and its payload
This trojan downloader along with TDL3 was previously part of malware bundle distributed by keygen.name malware distribution site

/* original message below */

Dropped by a ltpro32.exe

ltpro32.exe multiple downloader.

http://www.virustotal.com/file-scan/rep ... 1288860456

Cryptor + UPX 2.90

Open > nul /c del COMSPEC ver62 %sjaqlgavztf.php?adv=adv447&code1=%s&code2=%s&id=%d&p=%s %u %sjesggmkk.exe %stkbvqkfdls.php?adv=adv447 %swrbq.exe %sgtovqub.php?adv=adv447 %shslyg.exe %sgtbwqys.php?adv=adv447 %samrvomw.exe %simdysnucxe.php?adv=adv447 %sdjlyquj.exe %scfjeyt.php?adv=adv447 %sfgyxjx.exe %sxbsnusnvp.php?adv=adv447 %sxitb.exe %saaick.php?adv=adv447 %sbwffwif.exe %serztbwqyg.php?adv=adv447 %skdyejm.exe %srhlgoidbwq.php?adv=adv447 %snhijh.exe %sermtbvqls.php?adv=adv447 %staerwln.exe %soovqlsahc.php?adv=adv447 %s%d %sivcxfzu.php?adv=adv447 http://dapaper.com/ibemh/ http://cacrazy.com/ibemh/ C:\ psapi.dll ddraw.dll urlmon.dll shell32.dll kernel32.dll user32.dll wininet.dll SeDebugPrivilege ntdll.dll NtMapViewOfSection \svchost.exe explorer.exe

dichmnv.sys

Rootkit driver. Looks like old good Rustock alike clon.

Performs DKOH based modification for CmpRegistryType object Parse procedure. Uses CmRegistry callback to filter registry requests (rootkit driver registry entries hiding/protection from deletion).
Intercepts IRP_MJ_CREATE, IRP_MJ_INTERNAL_DEVICE_CONTROL handlers for NTFS.sys

NTFS hooks used to deny read/write access to rootkit driver.

[PX5]

Notice the ver62, this has to be in the user-agent for the download to complete.

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)ver62

Links look like:

cacrazy.com/dwmucwryg/eidksa.php?adv=adv448
cacrazy.com/dwmucwryg/xofnlsa.php?adv=adv448
cacrazy.com/ibemh/ivcxfzu.php?adv=adv448
cacrazy.com/ibemh/jaqlgavztf.php?adv=adv448&code1=HNIG&code2=0141&id=-186345958&p=1
cacrazy.com/ibemh/oovqlsahc.php?adv=adv448
cacrazy.com/ibemh/qulgaickf.php?id=-186345958&p=1
cacrazy.com/ibemh/tkbvqkfdls.php?adv=adv448

These folks at darkgt/iframedollars recently change servers again, seems almost related to old RBN people. :roll:

[EP_X0FF]

You are right, changing user agent gives you access to downloads.

Grabbed data in attach.

http://www.virustotal.com/file-scan/rep ... 1288861481
http://www.virustotal.com/file-scan/rep ... 1288861486
http://www.virustotal.com/file-scan/rep ... 1288861494

[PX5]

I must thank my russian buddy Alexey for the heads up on that one. :)

[fatdcuk]

IFrame$ bundle always been great source of fugly stuff,

Hey PX5 when ya gonna change your board name to WR6 or SS7 :lol:

[markusg]

found inside an torrent download
http://www.virustotal.com/file-scan/rep ... 1292157100

[EP_X0FF]

Cryptor + UPX 2.90.

Trojan downloader.

Strings inside.

Open
> nul
/c del
COMSPEC
ver64
%szptfzubjhp.php?adv=adv612&code1=%s&code2=%s&id=%d&p=%s&b=%s
Safari
Chrome
Firefox
Opera
Internet Explorer
http
open
%sfarvjcd.exe
%ssjnlgn.php?adv=adv612
%sovblnd.exe
%styfnhc.php?adv=adv612
%smcmrvdud.exe
%sxbvqxsa.php?adv=adv612
%sycmnfy.exe
%sxavdxsz.php?adv=adv612
%skrty.exe
%shyfaitavt.php?adv=adv612
%snwtvpei.exe
%sqhlkrzhf.php?adv=adv612
%svoty.exe
%skbwdyfeyta.php?adv=adv612
%sohgytuvl.exe
%smmaucwe.php?adv=adv612
%sfjxdjyst.exe
%scptrlg.php?adv=adv612
%sesky.exe
%sizgowq.php?adv=adv612
%sjdhaql.exe
%siztbjhowu.php?adv=adv612
%sultamgbih.php?adv=adv612
hxxp://befiest.com/timuo/
hxxp://aebrook.com/timuo/
psapi.dll
ddraw.dll
urlmon.dll
shell32.dll
kernel32.dll
user32.dll
wininet.dll
SeDebugPrivilege
ntdll.dll
NtMapViewOfSection
\svchost.exe
explorer.exe

[markusg]

http://www.virustotal.com/file-scan/rep ... 1294056159

[EP_X0FF]

Payload, key ver64.

%sfarvjcd.exe
%ssjnlgn.php?adv=adv612
%sovblnd.exe
%styfnhc.php?adv=adv612
%smcmrvdud.exe
%sxbvqxsa.php?adv=adv612
%sycmnfy.exe
%sxavdxsz.php?adv=adv612
%skrty.exe
%shyfaitavt.php?adv=adv612
%snwtvpei.exe %sqhlkrzhf.php?adv=adv612
%svoty.exe
%skbwdyfeyta.php?adv=adv612
%sohgytuvl.exe
%smmaucwe.php?adv=adv612
%sfjxdjyst.exe
%scptrlg.php?adv=adv612
%sesky.exe
%sizgowq.php?adv=adv612
%sjdhaql.exe
%siztbjhowu.php?adv=adv612
%sultamgbih.php?adv=adv612
hxxp://befiest.com/timuo/
hxxp://aebrook.com/timuo/

[markusg]

http://www.virustotal.com/file-scan/rep ... 1294605632