A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #14438  by rkhunter
 Wed Jul 04, 2012 9:32 pm
SHA1: 53b1ce48f2b0cf3c7028184676be7b21485bd45a
MD5: ab551ebc28e4cbcdcb44b1175e14038b


Some "trash" or script-kiddie work...targeted at profit extraction from games and at killing the AhnLab-V3 AV. AhnLab-V3 detects it as Dropper/Win32.OnlineGameHack.
Packed with UPX, with a driver and a DLL on board (in the resource section).

Driver:
SHA1: dc0a214282c96306586ac3dffd1540af3f547d42
MD5: 52d513b5bf0dbbfdc9ecc928415a8457


Trojan/Win32.KillAV by AhnLab-V3
5/42 https://www.virustotal.com/file/1c87c17 ... /analysis/

Targets these processes for killing:
naveragent.exe
nsavsvc.npc
nsvmon.npc
nvcagent.npc
nvc.npc
nvcopt.npc
v3lsyc.exe.exe
v3ltray.exe
v3light.exe
v3medic.exe
syrtsry.aye
ayagent.aye
alyac.aye
ayupdsrv.aye
aytask.aye
naveragent.exe
nvcsvcmgr.npc
nvcupgrade.exe
AYTask.aye
Targets the splicing hooks that the driver AhnRghNt.sys places on SSDT services, and unhooks them.


:facepalm:

Just for fun:
\??\My_Link
\Device\my_Device
d:\desktop\öÝÀöïÒ2222\SYS\i386\DDK_HelloWorld.pdb
Dropped driver to C:\WINDOWSJytVKZN.sys

:facepalm:

Dll:

SHA1: fe852d011be23db6d560528bd027f03dcd80274a
MD5: 3ba32ad45dcb77eb14fd375a843f10cc


Trojan/Win32.OnlineGameHack by AhnLab-V3
23 / 42 https://www.virustotal.com/file/9b6c4c9 ... /analysis/

Masked as WinSock Helper

Dropped to: C:\WINDOWS\system32\WinSocketA.dll
Autorun from AppInit: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

Targets for killing:
AYAgent.aye
AYUpdSrv.aye
AYServiceNT.aye
AYRTSrv.aye
SystemMon.exe
SkyMon.exe
nsvmon.npc
nvc.npc
nvcagent.npc
Nsavsvc.npc
V3LTray.exe
V3LSvc.exe
V3Light.exe
SgSvc.exe
sgrun.exe
InjectWinSockServiceV3.exe

Targets for hooking many functions in these processes:
iexplore.exe
dnf.exe
MapleStory.exe
lin.bin
ff2client.exe
heroes.exe
ExLauncher.exe
TERA.exe
OTP.exe
AION.bin
wow.exe
fairyclient.exe
dkonline.exe
Diablo III.exe
explorer.exe
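A defender-side audit of the AppInit_DLLs persistence the post describes (the dropped WinSocketA.dll registered under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs). This is an added example, not code from the post or from the malware; it assumes an elevated PowerShell session on the host under review and uses WinSocketA.dll only as the watch-list name the post reports.

```powershell
# Added example, not code from the thread: audit AppInit_DLLs persistence of the kind
# WinSocketA.dll uses above. Assumes an elevated PowerShell session on the host under review.
function Get-AppInitDllAudit {
    param(
        # File names worth an explicit flag; WinSocketA.dll is the name the post reports
        [string[]]$WatchList = @('WinSocketA.dll')
    )
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'  # 32-bit view on x64
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        # Vista and later only honour the list when LoadAppInit_DLLs is 1;
        # XP/2003 have no such value and always load the list.
        $loadProp = $props.PSObject.Properties['LoadAppInit_DLLs']
        $enabled  = if ($null -eq $loadProp) { $true } else { [int]$loadProp.Value -eq 1 }
        # Relative names resolve against the system directory of the matching bitness
        $sysDir = if ($key -like '*Wow6432Node*') { 'SysWOW64' } else { 'System32' }
        # The value is a space- or comma-separated list of DLL names or full paths
        $entries = ([string]$props.AppInit_DLLs) -split '[,\s]+' | Where-Object { $_ -ne '' }
        foreach ($entry in $entries) {
            $path = if ([IO.Path]::IsPathRooted($entry)) { $entry }
                    else { Join-Path $env:SystemRoot ($sysDir + '\' + $entry) }
            $sig  = if (Test-Path -LiteralPath $path) {
                        (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
                    } else { 'Missing' }
            [pscustomobject]@{
                Key         = $key
                Enabled     = $enabled
                Entry       = $entry
                Path        = $path
                Signature   = $sig
                OnWatchList = ($WatchList -contains [IO.Path]::GetFileName($entry))
            }
        }
    }
}

# Anything enabled that is on the watch list, missing, or not validly signed deserves a look
Get-AppInitDllAudit |
    Where-Object { $_.Enabled -and ($_.OnWatchList -or $_.Signature -ne 'Valid') } |
    Format-Table -AutoSize
```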
 #14457  by Xylitol
 Thu Jul 05, 2012 8:35 pm
If I remember, Nicolas Brulez from Kaspersky wrote an article about this malware in a French IT mag (Multi-system & Internet Security Cookbook),
but I can't find which mag number it was... I've probably lost it.
 #14460  by WawaSeb
 Thu Jul 05, 2012 9:33 pm
Hello, hi Xylit0l,
If I remember, Nicolas Brulez from Kaspersky wrote an article about this malware in a French IT mag (Multi-system & Internet Security Cookbook),
but I can't find which mag number it was... I've probably lost it.
--> Are you talking about "Win32/PSW.OnlineGames.OUM" from MISC 56 (July-August 2011)?
--> If so, it's written by Sébastien Duquette.

Best regards,
 #14461  by Xylitol
 Fri Jul 06, 2012 12:07 am
WawaSeb wrote:Hello, hi Xylit0l,
If I remember, Nicolas Brulez from Kaspersky wrote an article about this malware in a French IT mag (Multi-system & Internet Security Cookbook),
but I can't find which mag number it was... I've probably lost it.
--> Are you talking about "Win32/PSW.OnlineGames.OUM" from MISC 56 (July-August 2011)?
--> If so, it's written by Sébastien Duquette.

Best regards,
Ah, yeah, possible mistake, I don't have my 2011 books.
 #14480  by rkhunter
 Fri Jul 06, 2012 2:27 pm
DWS94 wrote:I would like to know how this KillAV Trojan kills Kaspersky, McAfee and Micropoint (China). Please give a detailed description . . .
He-he, with a simple technique...it just hangs a debugger on the processes (including Kaspersky, Dr.Web, Avast and others).

List of processes it targeted:
360hotfix.exe	
360rp.exe	
360rpt.exe	
360safe.exe	
360safebox.exe	
360sd.exe	
360se.exe	
360SoftMgrSvc.exe	
360speedld.exe	
360tray.exe	
afwServ.exe	
ast.exe	
AvastUI.exe	
avcenter.exe	
avfwsvc.exe	
avgnt.exe	
avguard.exe	
avmailc.exe	
avp.exe	
avshadow.exe	
avwebgrd.exe	
bdagent.exe	
CCenter.exe	
ccSvcHst.exe	
dwengine.exe	
egui.exe	
ekrn.exe	
FilMsg.exe	
kavstart.exe	
kissvc.exe	
kmailmon.exe	
kpfw32.exe	
kpfwsvc.exe	
kpopserver.exe	
krnl360svc.exe	
ksmgui.exe	
ksmsvc.exe	
kswebshield.exe	
KVMonXP.exe	
KVMonXP.kxp	
KVSrvXP.exe	
kwatch.exe	
kwstray.exe	
kxedefend.exe	
kxesapp.exe	
kxescore.exe	
kxeserv.exe	
kxetray.exe	
livesrv.exe	
Mcagent.exe	
mcmscsvc.exe	
McNASvc.exe	
Mcods.exe	
McProxy.exe	
McSACore.exe	
Mcshield.exe	
mcsysmon.exe	
mcvsshld.exe	
MpfSrv.exe	
MPMon.exe	
MPSVC.exe	
MPSVC1.exe	
MPSVC2.exe	
msksrver.exe	
qutmserv.exe	
RavMonD.exe	
RavTask.exe	
RsAgent.exe	
rsnetsvr.exe	
RsTray.exe	
safeboxTray.exe	
ScanFrm.exe	
sched.exe	
seccenter.exe	
SfCtlCom.exe	
spideragent.exe	
SpIDerMl.exe	
spidernt.exe	
spiderui.exe	
TMBMSRV.exe	
TmProxy.exe	
Twister.exe	
UfSeAgnt.exe	
vsserv.exe	
zhudongfangyu.exe	
修复工具.exe

Also, it's from Korea...
With "rootkit" on board - "Simona"
\Device\Simona
\??\Simona
\Driver\Tcpip
\WINDOWS\system32
C:\sys.pdb
Intercepts FSD dispatch functions to hide itself

Also a payload in a DLL, dmutilio.dll, that is injected into svchost (hidden on disk).
d:\Work\Order\Dlft2\trunk\Dlft\Release\DLFT.pdb
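A defender-side check for the kill technique rkhunter describes above (a debugger hung on the security product's processes). This is an added example, not code from the post or from the sample; it assumes an elevated PowerShell session on the host being checked, and the process names are a subset of the list above.

```powershell
# Added example, not code from the thread: report whether security-product processes from the
# list above currently have a debugger attached. A debuggee is terminated when its debugger exits
# (unless the debugger cleared kill-on-exit), so an attached debugger on an AV process is abnormal.
Add-Type -Namespace Win32 -Name Dbg -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CheckRemoteDebuggerPresent(System.IntPtr hProcess, ref bool pbDebuggerPresent);
'@

function Test-DebuggerAttached {
    param([System.Diagnostics.Process]$Process)
    $present = $false
    try {
        # Obtaining the handle needs PROCESS_QUERY_INFORMATION; protected processes may refuse,
        # in which case the answer is unknown ($null) rather than "no"
        $ok = [Win32.Dbg]::CheckRemoteDebuggerPresent($Process.Handle, [ref]$present)
        if (-not $ok) { return $null }
        return $present
    } catch {
        return $null
    }
}

# Subset of the targeted names from the list above, without the .exe suffix Get-Process expects
$names = 'avp', 'avgnt', 'avguard', 'AvastUI', 'dwengine', 'ekrn', 'egui', 'ccSvcHst', 'Mcshield', '360tray'
foreach ($p in Get-Process -Name $names -ErrorAction SilentlyContinue) {
    [pscustomobject]@{
        Name     = $p.ProcessName
        Pid      = $p.Id
        Debugged = Test-DebuggerAttached -Process $p   # $true is abnormal; $null means could not query
    }
}
```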
 #14493  by madshus
 Fri Jul 06, 2012 8:52 pm
rkhunter wrote:He-he, with simple technique...just hang debugger on processes (including Kaspersky, Dr.Web, Avast and others).
Why do you think the bad guys install a rootkit when the AVs are killed anyway?