A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #4931  by PX5
 Mon Feb 07, 2011 12:49 pm
Looks like a version of Slenfbot.
 #4933  by nullptr
 Mon Feb 07, 2011 1:43 pm
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
InstallShield Update Service REG_SZ QPService.exe

Has a blacklist of applications that it calls TerminateProcess on.
Connects to:
* schn.in
* compartetuspelis.in
* pixeloverflow.net

Internal strings and APIs pretty much give away what it does.
Wireshark
tcpview
MSASCui
msmpeng
asdc.exe
asdc
alxx.exe
alxx
alx.exe
alx
avcx.exe
avcx
nvsvc32.exe
NVIDIA driver monitor
winnew.exe
Software\Microsoft\Windows NT\CurrentVersion\Windows
load
ranga.exe
panga.exe
Software\Microsoft\Windows\CurrentVersion\Run
Service Noits
SERVICES.EXE
WINLOGON.EXE
hidserv.exe
explorer.exe
netsh firewall add allowedprogram %s 1 ENABLE
dbghelp.dll
SbieDll.dll
currentuser
vmware
honey
sandbox
ntdll.dll
ZwQueryInformationProcess
ZwQuerySystemInformation
C:\sample.exe
T/host.txt
compartetuspelis.in
\System32\drivers\etc\hosts
open
ERROR
.?AV_com_error@@
.?AVtype_info@@
KERNEL32.DLL
ADVAPI32.dll
MSVCRT.dll
ole32.dll
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
WSOCK32.dll
Module32First
CreateToolhelp32Snapshot
GetWindowsDirectoryA
Process32Next
Process32First
GetModuleFileNameA
GetModuleHandleA
CreateProcessA
GetTempPathA
GetTickCount
CopyFileA
ExitProcess
ReleaseMutex
WriteFile
CreateFileA
CreateThread
SetFileAttributesA
CreateMutexA
GetCurrentProcess
GetProcAddress
GlobalUnlock
GlobalLock
GlobalAlloc
ExitThread
GetVersionExA
GetVolumeInformationA
GetDriveTypeA
GetLogicalDriveStringsA
Sleep
DeleteFileA
Module32Next
LocalFree
WideCharToMultiByte
MultiByteToWideChar
lstrlenW
GetStartupInfoA
lstrlenA
InterlockedDecrement
OpenProcess
TerminateProcess
GetLastError
CloseHandle
RegQueryValueExA
RegDeleteValueA
RegOpenKeyExA
RegCreateKeyA
RegSetValueExA
RegCreateKeyExA
GetUserNameA
RegCloseKey
_controlfp
__dllonexit
_onexit
_stricmp
wcslen
_CxxThrowException
__set_app_type
__p__fmode
__p__commode
_adjust_fdiv
__setusermatherr
_initterm
__getmainargs
_acmdln
exit
_XcptFilter
_exit
isalpha
islower
isupper
isdigit
_ftol
??1type_info@@UAE@XZ
ceil
toupper
_except_handler3
fprintf
remove
rename
fgets
strncpy
_snprintf
strcpy
free
realloc
sprintf
malloc
__CxxFrameHandler
??3@YAXPAX@Z
??2@YAPAXI@Z
strncmp
strcmp
strcat
strstr
fclose
fwrite
fopen
strtok
strlen
memset
strtol
rand
srand
time
strrchr
CoInitialize
CoCreateInstance
CoUninitialize
SHGetSpecialFolderLocation
SHGetPathFromIDListA
ShellExecuteA
PathAppendA
ShowWindow
EmptyClipboard
wsprintfA
CharLowerA
CloseClipboard
OpenClipboard
VkKeyScanA
keybd_event
SetFocus
SetForegroundWindow
BlockInput
SetClipboardData
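As an added example (not code from the post or from the sample), a small Python triage helper that applies the indicators nullptr's string dump points at: the Run key and the `load` value under `Windows NT\CurrentVersion\Windows` for persistence, the Sandboxie/VM/honeypot name checks, the `netsh firewall add allowedprogram` command, the hosts-file path, and a process kill list that is only reported when TerminateProcess appears together with Toolhelp process enumeration. The embedded string list is a constructed excerpt of the dump above, and the rule labels are the author's own.

```python
import re

# Constructed excerpt of the strings dump from the post (not the full listing).
SAMPLE_STRINGS = r"""Wireshark
tcpview
MSASCui
msmpeng
Software\Microsoft\Windows NT\CurrentVersion\Windows
load
Software\Microsoft\Windows\CurrentVersion\Run
netsh firewall add allowedprogram %s 1 ENABLE
SbieDll.dll
vmware
honey
sandbox
ZwQueryInformationProcess
\System32\drivers\etc\hosts
TerminateProcess
CreateToolhelp32Snapshot
Process32First
Process32Next
keybd_event
BlockInput
"""

# category -> list of (case-insensitive regex, human label); labels are assumptions
RULES = {
    "persistence": [
        (r"CurrentVersion\\Run$", "Run key autostart"),
        (r"CurrentVersion\\Windows$", "Windows NT 'load' value autostart"),
    ],
    "anti_analysis": [
        (r"^SbieDll\.dll$", "Sandboxie DLL check"),
        (r"^(vmware|honey|sandbox)$", "VM/sandbox/honeypot name check"),
        (r"^ZwQuery(Information|System)", "native process/system query"),
    ],
    "firewall_tamper": [(r"^netsh firewall add allowedprogram", "firewall exception via netsh")],
    "hosts_tamper": [(r"drivers\\etc\\hosts$", "hosts file path")],
    "input_control": [(r"^(BlockInput|keybd_event|SetClipboardData)$", "input/clipboard control")],
}
# Analysis/AV tool names seen in the dump; lowercase for comparison.
KILL_LIST_TOOLS = {"wireshark", "tcpview", "msascui", "msmpeng"}


def triage(strings_text):
    """Return {category: [hits]} for the indicators found in a strings dump."""
    lines = [s.strip() for s in strings_text.splitlines() if s.strip()]
    findings = {cat: [] for cat in RULES}
    for line in lines:
        for cat, rules in RULES.items():
            for pattern, label in rules:
                if re.search(pattern, line, re.IGNORECASE):
                    findings[cat].append(f"{line} ({label})")
    lowered = {l.lower() for l in lines}
    # Only claim process killing when the kill API and the enumeration APIs coexist.
    has_kill_api = "terminateprocess" in lowered and {"process32first", "process32next"} <= lowered
    targets = sorted(t for t in KILL_LIST_TOOLS if t in lowered)
    findings["process_killing"] = targets if has_kill_api else []
    return {cat: hits for cat, hits in findings.items() if hits}
```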
 #5212  by EP_X0FF
 Mon Feb 28, 2011 3:23 pm
markusg wrote: Adobe Photoshop CS5 -EXTENDED- Keygen.exe
http://www.virustotal.com/file-scan/rep ... 1298897237
UPX-packed VB dropper for a VB.NET trojan. While running, it extracts it and runs it.

Dropper copies itself to
Documents and Settings\User Name\Application Data\Directory

Runs through HKLM\..\Run

DotNet trojan attached.

One more funny thing about this crap.

It seems to set itself as a critical system process, so terminating its executable leads to an immediate BSOD (CRITICAL_OBJECT_TERMINATION).
The same happens, for example, if you terminate csrss.exe (a legitimate critical system process).
Attachments
pass: malware