EP_X0FF wrote:Nothing new, just statement of the fact known for a few weeks.They read kernelmode.info in the r/o mode? [this is sarcasm]
A forum for reverse engineering, OS internals and malware analysis
I don't think they even knows about it. Otherwise they are really slowpokes. Remember Prevx, captain obvious from prevx was lurking here during TDL4 discovery and immediatelly copy-pasted everything in it's blog when TDL4 was found and confirmed.
Ring0 - the source of inspiration
MD5: e90703d319811d4ec6995044353ab873
https://www.virustotal.com/file/0317335 ... /analysis/
https://www.virustotal.com/file/0317335 ... /analysis/
Attachments
pass: infected
(146.77 KiB) Downloaded 107 times
(146.77 KiB) Downloaded 107 times
EP_X0FF wrote:I don't think they even knows about it. Otherwise they are really slowpokes. Remember Prevx, captain obvious from prevx was lurking here during TDL4 discovery and immediatelly copy-pasted everything in it's blog when TDL4 was found and confirmed.Man,that's really bad :( .Did you do anything about it?As i've already mentioned,it's funny how some very talented and skilled persons are "getting wasted in a forum"(Please don't get this wrong) when they could work for other companies,EP_X0FF,Rkhunter,evilcry,xylitol and many others.
ZeroAcess hiding in a Serial wwx.crackzone.net/data/Super_Mp3_Download_Version_3.3.4.6_serial_keys_gen-bee3afe71a.html
The never ending same old story :D .
Cant tell about everyone, but we are not *wasted* in meaning of work :D
Ring0 - the source of inspiration
Just posting this for reference ;)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}
Default should be: %SystemRoot%\system32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}
Default should be: %SystemRoot%\system32\shdocvw.dll
ZeroAccess - Sirefef
74acfbfc68968af240fe363e22716c5e
https://www.virustotal.com/file/28db4e9 ... /analysis/
win7
Created process: C:\Windows\system32\cmd.exe,(null),(null)
Detected privilege modification
Hide file from user: C:\Users\tachion\AppData\Local\{faf34395-144d-8d43-9bc7-3d2837deeab2}\@
Hide file from user: C:\Users\tachion\AppData\Local\{faf34395-144d-8d43-9bc7-3d2837deeab2}\n
Hide folder from user: C:\Users\tachion\AppData\Local\{faf34395-144d-8d43-9bc7-3d2837deeab2}
xp
74acfbfc68968af240fe363e22716c5e
https://www.virustotal.com/file/28db4e9 ... /analysis/
win7
Created process: C:\Windows\system32\cmd.exe,(null),(null)
Detected privilege modification
Hide file from user: C:\Users\tachion\AppData\Local\{faf34395-144d-8d43-9bc7-3d2837deeab2}\@
Hide file from user: C:\Users\tachion\AppData\Local\{faf34395-144d-8d43-9bc7-3d2837deeab2}\n
Hide folder from user: C:\Users\tachion\AppData\Local\{faf34395-144d-8d43-9bc7-3d2837deeab2}
xp
Attachments
password: sg
(149.9 KiB) Downloaded 104 times
(149.9 KiB) Downloaded 104 times
tachion wrote:ZeroAccess - SirefefWinXP SP3
74acfbfc68968af240fe363e22716c5e
https://www.virustotal.com/file/28db4e9 ... /analysis/
Dropped/downloaded files.
C:\WINDOWS\assembly\GAC\Desktop.ini [Trojan:Win32/Sirefef.AB]
MD5: 85c5dec9b6b5d6b9de2c0331a102ad71
https://www.virustotal.com/file/6f93dd7 ... 337674035/
C:\WINDOWS\Installer\{c7a1ab8a-9f87-85f5-545d-aad1ae1a181e}\@
C:\WINDOWS\Installer\{c7a1ab8a-9f87-85f5-545d-aad1ae1a181e}\n [VirTool:Win32/Obfuscator.XI / Backdoor.Win32.ZAccess.sgi]
MD5: 767665fffe4b774169c50d691a5490d0
https://www.virustotal.com/file/f0cf149 ... 337674295/
C:\WINDOWS\Installer\{c7a1ab8a-9f87-85f5-545d-aad1ae1a181e}\L\00000008.@ [BitCoinMiner]
MD5: 64645e81435058738c137a67df84a5c5
https://www.virustotal.com/file/02db0f2 ... 337674917/
C:\WINDOWS\Installer\{c7a1ab8a-9f87-85f5-545d-aad1ae1a181e}\U\00000004.@
MD5: c36a656d37f30ce9e8a79ae7713d0896
https://www.virustotal.com/file/84d3236 ... 337675240/
C:\WINDOWS\Installer\{c7a1ab8a-9f87-85f5-545d-aad1ae1a181e}\U\00000008.@ [BitCoinMiner]
MD5: 72ced4cebd0baa4692f241e47e6836b2
https://www.virustotal.com/file/68042f0 ... 337675263/
C:\WINDOWS\Installer\{c7a1ab8a-9f87-85f5-545d-aad1ae1a181e}\U\80000000.@ [Trojan:Win32/Sirefef.AG]
MD5: 2ddce8374ef6f99a987acf620ed5c1d1
https://www.virustotal.com/file/42a9734 ... /analysis/
C:\WINDOWS\Installer\{c7a1ab8a-9f87-85f5-545d-aad1ae1a181e}\U\000000cb.@
MD5: f2b2477ca78d7fb19e7491220f3a7981
https://www.virustotal.com/file/43119a8 ... 337675407/
C:\WINDOWS\Installer\{c7a1ab8a-9f87-85f5-545d-aad1ae1a181e}\U\80000032.@ [Trojan:Win32/Sirefef.AK]
MD5: 1b584c668b85ff4e352cb7b6b9401b4d
https://www.virustotal.com/file/7a50311 ... /analysis/
In attach.
Attachments
pass:infected
(554.17 KiB) Downloaded 117 times
(554.17 KiB) Downloaded 117 times
thisisu wrote:Just posting this for reference ;)Don't remember that it was before, but...
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}
Default should be: %SystemRoot%\system32\shdocvw.dll
Now you need block access to all CLSID key because it will reinfect key with another CLSID.
Also if remove it files from C:\WINDOWS\Installer in malware active state, it drops it again, but destination folder similar to "C:\Documents and Settings\root\Local Settings\Application Data\{GUID}\" [in my case].
One more ZeroAccess trojan dropper with similar behaviour.
MD5: 2b7083e65c670f754f718600eb292cfb
https://www.virustotal.com/file/75f0f21 ... /analysis/
MD5: 2b7083e65c670f754f718600eb292cfb
https://www.virustotal.com/file/75f0f21 ... /analysis/
Attachments
pass:infected
(146.33 KiB) Downloaded 106 times
(146.33 KiB) Downloaded 106 times
