A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #14075  by rkhunter
 Mon Jun 18, 2012 9:01 am
Confirms that ComboFix removes it.
After reboot, services.exe clean, malicious files were deleted.
Log in attach.
Infected services.exe has view:
Image
[as we can see, not ads, but ea information uses]
Attachments
(1.65 KiB) Downloaded 42 times
 #14079  by SecConnex
 Mon Jun 18, 2012 10:34 am
I have seen the IAT of infected x86 system of ZA...it shows the hooks.

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\services.exe[616] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00100002
IAT C:\Windows\system32\services.exe[616] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 00100000

IAT C:\Program Files\AVAST Software\Avast\AvastUI.exe[1072] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [71F2F6A0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)
IAT C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1668] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [71F2F6A0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)


Either that or I'm just crazy!
 #14080  by kmd
 Mon Jun 18, 2012 10:36 am
how you manage to infect anything with last dropper? For me it do nothing - usual CLSID zeroaccess.
rkhunter wrote:Guys, it infects x32 services.exe too :)
it was confirmed a while ago here several pages left
 #14082  by rkhunter
 Mon Jun 18, 2012 10:45 am
DragonMaster Jay wrote:I have seen the IAT of infected x86 system of ZA...it shows the hooks.
Can't confirm, no hooks in my case, just infected services.exe.
 #14083  by kmd
 Mon Jun 18, 2012 11:00 am
rkhunter wrote:
kmd wrote:it was confirmed a while ago here several pages left
Told that he 'can'...infected x32 services.exe was not presented
http://www.kernelmode.info/forum/viewto ... 963#p13963

can you tell how to infect?
it does nothing here, no infect on win32 xp, no infected on win32 7
DragonMaster Jay wrote:IAT C:\Windows\system32\services.exe[616] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00100002
IAT C:\Windows\system32\services.exe[616] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 00100000
that a bs or gmer bug, even if they really hooked, there is no any sense in _IAT_ hooks in services.exe
  • 1
  • 15
  • 16
  • 17
  • 18
  • 19
  • 56