[wealllbe20]

Creates cpl and exe file on the usb stick. in The recycler\(sid) of the usb stick.

Autorun has a bunch of what appears garbage data.

Inside the autorun.inf is hidden:

oFZNCPaKpFqnypMvunsJAUxaulHmNGcfpxcxQWpTWyPLPRKSQjsQhufI
QoxPwiaWhAexFmbQfCMkhSKPqerQopYyGAhHorvIPPREcrSUnACLyfRtyQaRqI
srGYVFTeEeNyyeKVSICYaVrwxoLRvgTMtsPfDoSIjdpqmZkLAgKdU
UePqxwFZoNubGgTFYLfpmYELeDkWsNVeXnGdjUObhqyrhMAErRqscxkakCplNWQhBFZOGgh
aYvQfnbdwreDkCxhnEyhplBaADYULsoWuGegXGgjuJtZXwBqb
[autorun]
action=Open
icon=%WinDir%\system32\shell32.dll,4
shellexecute=\RECYCLER\S-7-8-43-5010723741-8584364467-787650441-0075\hqiRHBJM.exe
shell\explore\command=\RECYCLER\S-7-8-43-5010723741-8584364467-787650441-0075\hqiRHBJM.exe
USEAUTOPLAY=1
shell\Open\command=\RECYCLER\S-7-8-43-5010723741-8584364467-787650441-0075\hqiRHBJM.exe
kTxSrBsVFIdVCQrfZDDOqweGuedBBMtoIaoWovaKaqPduMpQFmNBKQyDFYBJoicxILbnC
wNCJnZlQQwmhfEvOijCDKYOBrDOcEpyMsCbpBcRSVISXJpepadpsLjVimAIXFcytgSUmoOEyAPSrCaXOcpibyix

also infects c:\program files and current user startup folder.

[Meriadoc]

Thanks. Create Win32.Ramnit + TDL4.03, mbr infected but then I receive a STOP: unknown hard error.

edit :

Modifies registry key HKEY_LOCAL_MACHINE\software\microsoft\windows NT\currentVersion\Winlogon\UserInit (C:\WINDOWS\system32\userinit.exe,)
is changed to <C:\WINDOWS\system32\userinit.exe,,C:\Program Files\McXQeAiBþ¯¸•Ëvpjtxjct.exe\vpjtxjct.exe>

Registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Program Files\Internet Explorer\IEXPLORE.EXE
set to <C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer>

created C:\Documents and Settings\user\Start Menu\Programs\Startup\vpjtxjct.exe

process IEXPLORE.EXE

infects MBR with Bootkit

TDL 4.03

[main]
version=0.03
aid=40592
sid=0
rnd=1757981266
knt=1291690128
[inject]
*=cmd.dll
* (x64)=cmd64.dll
[cmd]
srv=hxxps://zz87lhfda88.com/;hxxps://01n02n4cx00.com/;hxxps://1l1i16b0.com/;hxxps://zz87ihfda88.com/;hxxps://10n02n4cx00.com/
wsrv=hxxp://pxlaratotor.com/;hxxp://aurelenopkin.com/;hxxp://teiretorkei.com/;hxxp://backlistcheck.com/;hxxp://cilkcpixleabn.com/
psrv=hxxp://advcpworld.com/
version=0.15
bsh=c388ec50962a4978a3cdb1cef1c864884e520578
delay=7200
csrv=hxxp://z0g7yail0.com/

[Jaxryley]

Dropper 7.tmp hit by MBAM as Root.TDSS.Gen.

7.tmp - 17/43 - MD5 : 5f258adfbdac0ca5e05d9ae382583ec1
http://www.virustotal.com/file-scan/rep ... 1291702890

7.rar

Pass:
infected
(126.9 KiB) Downloaded 55 times

[wealllbe20]

http://virscan.org/report/d1df877dbe44d ... 9f519.html

Infects autorun.inf

appears to make long random file name on the usb drive.

Also puts itself in %appdata%\bdepdf.exe so it can infect other usb drives... That is all I could find sandboxed software doesn't appear to show much on this malware.