A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #923  by xqrzd
 Wed Apr 28, 2010 10:14 pm
This is a semi-nasty backdoor/rootkit. Since I am very new to malware analysis, I have the payload only, not anything on how it works. Anyway, when exectuted, it drops a BHO (setupapi.dll) into C:\Program Files\Internet Explorer. It runs every time IE is opened. It also drops SMWinPrn.dat into C:\Windows\System32\spool\PRTPROCS\W32X86 and it drops sfcfiles.dat into C:\Windows\System32.

The driver it drops (C:\Windows\System32\drivers\sfc.sys) seems to load very late, about 30 seconds after I log in. GMER/RootRepeal didn't detect the driver, possibly because the driver file is deleted after it is loaded.

It also has some way of having other processes do it's dirty work (code/dll injection?), I caught various processes (including winlogon.exe) trying to connect to various URLS:
Code: Select all
traufard.info/pics/page.php?query=2DC28D19A18B339E&id=a6&key=7&uid=a6
www.erotic-baby-girl.com/i/origami/page.php?link=2DC28D19A18B339E&cookie=us&article=us&client=0&hl=tr7
Anyway, that is the payload (what I have seen). I've probably missed lots of things, so someone who actaully knows what they are doing should probably look at this :)

Here are the files I rounded up. Apart from SMWinPrn.dat (13/41) and sfcfiles.dll (17/41), AV detection was quite bad. Interestingly the dropper has a digital signature. I have attached all the files, along with the dropper (1.exe). I got the file from malwaredomainlist.com.

1.exe VT 7/39
sfc.sys VT 7/41
setupapi.exe VT 3/41
sfcfiles.dll VT 17/41
SMWinPrn.dat VT 13/41
Attachments
password is infected
(274.96 KiB) Downloaded 98 times
 #927  by EP_X0FF
 Thu Apr 29, 2010 1:51 am
Thank you for sample.
I can add to your info:

sfc.sys setup LoadImage/CreateProcess notify callbacks and driver seems to be loaded from user mode part.
From my test it also performs IAT modification of ntdll.dll for IEXPLORE.exe

Not seems to be stealth rootkit, because all components are visible and nothing is hidden (driver, key, file).