A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #1767  by Quads
 Wed Aug 04, 2010 9:42 pm
DragonMaster Jay wrote:Just to make a quick comment...it sounds somewhat like the Black Internet Bootkit.
That's what I was thinking about with the symptoms of invisable music /ads and iexplore.exe running even if the user has not actually started IE, See the GMER log in the Bootkit thread, shows iexplore.exe running.

MBRCheck is easier to use than Bootkit remover and comes back stating it it is Whistler /Black Internet, As far as I know Combofix won't do Bookits, as also seen on Bleeping Computer when the helper doesn't realise quick enough and has the user running Combofix first

MBRCheck, version 1.1.1
(c) 2010, AD

\\.\C: --> \\.\PhysicalDrive0
Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice: Enter the physical disk number to fix (0-99, -1 to cancel): Available MBR codes:

[ 0] Default (Windows XP)
[ 1] Windows XP
[ 2] Windows Server 2003
[ 3] Windows Vista
[ 4] Windows 2008
[ 5] Windows 7
[-1] Cancel

Please select the MBR code to write to this drive:
Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: Successfully wrote new MBR code!
Please reboot your computer to complete the fix.

Done! Press ENTER to exit...

Quads
Last edited by Quads on Wed Aug 04, 2010 9:56 pm, edited 1 time in total.
 #1768  by Every1is=
 Wed Aug 04, 2010 9:48 pm
DragonMaster Jay wrote:Do you have ComboFix installed?
Yes. You think I should stop wasting time and just run it?
It would take a bit of the joy out of beating it by hand... but a lot of time has gone into it by now. So I guess its ok to try.
If I'm not mistaken, I already ran it about a week ago. Didn't solve it at that time.

Edit: logs attached
Attachments
(22.58 KiB) Downloaded 29 times
(82.04 KiB) Downloaded 28 times
(105.29 KiB) Downloaded 28 times
 #1770  by Every1is=
 Wed Aug 04, 2010 10:10 pm
And the last one.

Am going to play around a bit with it and then goto bed. Really tired :( <- that one looks like me with the "rims" under his eyes ;)

Edit: ran and added combofix(.log)

See some strange stuff, especially in the registry part again at the end. Stays locked, keys under the BTHPORT.SYS entry are locked and stay locked. Acces denied. Using GMER's registry viewer/editor I could gain access to view them last week, but that's it. They were marked red and could not be deleted, also not by using GMERS built in scripting/command window option that spews out a reg file... And because I couldn't sleep, I made this CF log, skimmed it. Not sure, but I think I saw a couple of strange dll's. I'll check tomorrow. But if last weeks events are any indication, then its gonna be a bust again. Curious to see if GMER, rootrepeal etc will pass the full scans without crashing the system.

G'night gents!
Attachments
(32.23 KiB) Downloaded 31 times
(22.44 KiB) Downloaded 29 times
 #1784  by SecConnex
 Thu Aug 05, 2010 4:33 am
Go to VirusTotal.com and upload this file and have it scanned:

c:\windows\System32\shsvcs.dll

Post the link here. :D
 #1792  by Every1is=
 Thu Aug 05, 2010 8:50 am
Hehe... Look! I learned something. This is called a "NOP"
http://www.virustotal.com/analisis/8cac ... 1280997870
Correct? :D

Although...
( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x1dfd3 0x1e000 6.43 8358e6ee6ac67519ef4c60597299e85d
.data 0x1f000 0xcc8 0xe00 1.00 8c93b338a52da5bbfdb0cd4044437b1d
.rsrc 0x20000 0x1bd68 0x1be00 3.84 09abc7989cf9dd7533b80deafc1ecf45
.reloc 0x3c000 0x15d8 0x1600 6.74 4e8bf4ed0aa819280d60e32b825046ea
Why use names like: viradd virsiz?
 #1793  by EP_X0FF
 Thu Aug 05, 2010 8:52 am
Please upload this dll file here. It has 0 import functions and 0 export. If it is not resource dll, then it's corrupted.
name viradd virsiz rawdsiz ntrpy md5
This is Virtual Address, Virtual Size, Raw Data Size, Entropy.
 #1795  by Every1is=
 Thu Aug 05, 2010 9:02 am
Cool, thanks! Little handle handlebars I can hold on to and wiki :)
0 import and 0 export would mean it just sits there and does nothing, correct?
And resource dll meaning exactly that: its not needed to do stuff, just to be able to be reached into by something which gets stuff?
Why does it say: (6 imports) and (6 exports)
Attachments
Here ya go :)
(91.65 KiB) Downloaded 32 times
 #1797  by Every1is=
 Thu Aug 05, 2010 9:38 am
I must have messed up. I am far too tired... sh*t, sorry.

When I upload the dll, I get to this page:
http://www.virustotal.com/reanalisis.ht ... 1281000811
there it says it is analyzed already, I tell it to reanalyze. This is what is shown on the page of the file that somebody else analyzed earlier sometime:
http://www.virustotal.com/analisis/8cac ... 1281000282
That is the 0 entries one.
And this is the one I scanned just now
http://www.virustotal.com/analisis/8cac ... 1281000811
Which is the one with the 6 entries.

I'm sorry for messing that one up :(

Oh and by the way, I run GMER partly again, so combofix did do something. Post logs which I am able to create from GMER, RKU, Rootrepeal?

Edit: I don't get it. Now it shows them both with different scan time stamps AND with 0 and 0 entries. And I have just that one file in my temp directory.

The infected machine has no access to the internet since I blocked its mac adress in the router using ddwrt. The windows folder on that machine I have shared on my LAN. I have a standard temp directory on my laptops HDD for this kind of stuff. I copied the DLL over the LAN from the machine named Heavenly-ONE to this laptop in the temp dir. I uploaded it to antivirustotal.com.

Just to be sure I will do again and make screenshots. I mean... I'm tired, yes. But not crazy. Although some might argue otherwise ;)
Last edited by Every1is= on Thu Aug 05, 2010 9:49 am, edited 2 times in total.