A forum for reverse engineering, OS internals and malware analysis 

 #17327  by thisisu
 Fri Dec 21, 2012 9:38 pm
Xylitol wrote: http://blogs.mcafee.com/mcafee-labs/tro ... us-offense
McAfee discovered Reveton :roll:
I thought this one was kind of unique (variant with runctf.lnk).

The ransom screen does not appear if no network connection is detected (even in Normal Mode). I'm guessing the author finds no reason for the victim to type in MoneyPak codes if there is no internet connection to transmit the data back to himself/herself. :?
 #17328  by EP_X0FF
 Fri Dec 21, 2012 10:22 pm
thisisu wrote: The ransom screen does not appear if no network connection is detected (even in Normal Mode). I'm guessing the author finds no reason for the victim to type in MoneyPak codes if there is no internet connection to transmit the data back to himself/herself. :?
It is simpler than you think. If it cannot establish a connection with the C&C, it is unable to download the scary page and render it in a browser window as the next startup stage. So this code is simply stuck in an infinite wait.
 #17420  by Tigzy
 Fri Dec 28, 2012 2:34 pm
Anyone got the latest version of H1N1?
It modifies the DLL path of a Windows service, among other things (unknown).
¤¤¤ Entrees de registre : 8 ¤¤¤
[STARTUP][Rans.Gendarm] runctf.lnk @christophe : C:\Windows\System32\rundll32.exe|C:\Users\CHRIST~1\wgsdgsdgdsgsd.exe,H1N1 -> SUPPRIMÉ
[HJ DLL][Rans.Gendarm] HKLM\[...]\ControlSet001\Services\winmgmt\Parameters : ServiceDll (C:\Users\christophe\wgsdgsdgdsgsd.exe) -> REMPLACÉ (C:\windows\system32\wbem\WMIsvc.dll)
 #17423  by Maxstar
 Fri Dec 28, 2012 3:21 pm
I have not seen or heard of that before, and as far as I know this variant is easy to kill.
Code:
C:\Users\Steffi\wgsdgsdgdsgsd.dll (Trojan.FakeMS) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\ProgramData\dsgsdgdsgdsgw.pad (Exploit.Drop.GSA) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Users\Steffi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runctf.lnk (Trojan.Ransom.SUGen) -> Succesvol in quarantaine geplaatst en verwijderd.
Topic: http://www.pcwebplus.nl/phpbb/viewtopic ... 206&t=8534

Edit:
MD5: f38085e3951e0d4796d3797fa339c2ac
Code:
C:\Windows\System32\rundll32.exe C:\Users\Acer\wpbt0.dll,H1N1
https://www.virustotal.com/file/cde9eda ... 356709630/
 #17426  by Quads
 Fri Dec 28, 2012 6:02 pm
This (attached)

The .pad file name is the reverse of the .exe file name

Quads
Attachments
Ransom Treaty.jpg
 #17730  by Blaze
 Wed Jan 16, 2013 2:03 pm
Another one. Injects into explorer.exe and svchost.exe.
"path"="C:\\Users\\username\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\runctf.lnk"
"command"="C:\\Windows\\System32\\rundll32.exe c:\\users\\username\\appdata\\local\\temp\\wlsidten.dll,H1N1"
MD5: 868918982cb43a9c763160c30b69d09b
https://www.virustotal.com/file/2ec7b44 ... /analysis/

MD5: 81150f1afd0afa0d8f274df9b712f067
https://www.virustotal.com/file/7666908 ... /analysis/
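A small triage script, added here as an example and not code posted by anyone in this thread, that checks the three indicators discussed above: a Startup-folder rundll32 command loading a module from a user-writable path by export name (runctf.lnk), a winmgmt ServiceDll redirected outside %SystemRoot%, and a .pad file whose name is the reverse of the dropped module's name. The sample values are constructed from the artifacts posted in the thread; file paths and the benign entries are assumed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed samples modelled on the artifacts posted in this thread.
SAMPLE_STARTUP_COMMANDS = [
    r"C:\Windows\System32\rundll32.exe C:\Users\CHRIST~1\wgsdgsdgdsgsd.exe,H1N1",
    r"C:\Windows\System32\rundll32.exe c:\users\username\appdata\local\temp\wlsidten.dll,H1N1",
    r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",  # benign
]
SAMPLE_SERVICE_DLLS = {
    "winmgmt": r"C:\Users\christophe\wgsdgsdgdsgsd.exe",        # hijacked (from the RogueKiller log)
    "wuauserv": r"C:\Windows\system32\wuaueng.dll",              # assumed benign value
}
SAMPLE_FILES = [
    r"C:\Users\Steffi\wgsdgsdgdsgsd.dll",
    r"C:\ProgramData\dsgsdgdsgdsgw.pad",
]

USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")
SYSTEM_ROOTS = ("c:\\windows\\", "%systemroot%\\")
RUNDLL_RE = re.compile(r"rundll32\.exe\s+(?P<module>.+?),(?P<export>\w+)\s*$", re.I)


def suspicious_rundll_startup(command):
    """Return {module, export} when rundll32 is told to load a module by export
    name from a user-writable location, as the runctf.lnk entries do; else None."""
    m = RUNDLL_RE.search(command)
    if not m:
        return None
    module = m.group("module").strip('"')
    if module.lower().startswith(USER_WRITABLE):
        return {"module": module, "export": m.group("export")}
    return None


def hijacked_servicedll(service_dll):
    """A ServiceDll value (possibly REG_EXPAND_SZ) that does not live under the
    system root is a hijack indicator, e.g. winmgmt pointing into a profile."""
    return not service_dll.lower().startswith(SYSTEM_ROOTS)


def reversed_pad_pairs(paths):
    """Pair each .pad file with an .exe/.dll whose base name is its reverse."""
    by_suffix = {}
    for p in paths:
        wp = PureWindowsPath(p)
        by_suffix.setdefault(wp.suffix.lower(), {})[wp.stem.lower()] = p
    pads = by_suffix.get(".pad", {})
    modules = {**by_suffix.get(".exe", {}), **by_suffix.get(".dll", {})}
    return [(modules[s[::-1]], pads[s]) for s in pads if s[::-1] in modules]
```

On a live system the same three functions can be fed the Startup folder's .lnk targets, the Services\*\Parameters\ServiceDll values, and a listing of the profile and ProgramData roots.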