A forum for reverse engineering, OS internals and malware analysis 

 #2042  by Jaxryley
 Wed Aug 18, 2010 5:07 am
The microjoin exploit below drops heaps of other exploits of which I can harvest all except one.

At each run of the exploit it drops a random named .sys file at 768 kb.

Can't seem to do anything with that .sys file, in that it won't upload to VT or move anywhere.

Kaspersky TDSSKiller picks it up as suspicious and can delete it at reboot, but can anyone show me how I can grab it and archive it away?

The microjoin exploit will drop an exe-killing rogue "Security suite" as well, so it's best to have Task Manager up before executing the exploit.

Pass:
infected
 #2043  by EP_X0FF
 Wed Aug 18, 2010 5:35 am
Hello,

Well, from what I see now:

a lot of trojans loaded and working, and TDL3 also installed from this pack.

Not sure about this locked driver. Did you try to copy it with rku -> wipe/copy file feature? Or with WinHex?

tdl stuff
She would come over and slip into the water
Everything was new, and everything was fun
[main]
version=3.273
quote=Dude, meet me in Montana XX00, Jesus (H. Christ)
botid=74f8e63e-5915-4beb-a4e7-44bba20d02e1
affid=20034
subid=0
installdate=18.8.2010 5:24:3
builddate=11.8.2010 9:55:11
rnd=1292428093
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=hxxps://nichtadden.in/;hxxps://91.212.226.67/;hxxps://li1i16b0.com/;hxxps://zz87jhfda88.com/;hxxps://n16fa53.com/;hxxps://01n02n4cx00.cc/;hxxps://lj1i16b0.com/
wspservers=hxxp://zl00zxcv1.com/;hxxp://zloozxcv1.com/;hxxp://71ha6dl01.com/;hxxp://axjau710h.com/;hxxp://rf9akjgh716zzl.com/;hxxp://dsg1tsga64aa17.com/;hxxp://l1i1e3e3oo8as0.com/;hxxp://7gafd33ja90a.com/;hxxp://n1mo661s6cx0.com/
popupservers=hxxp://clkh71yhks66.com/
version=3.941
dropped trojans, pass: malware
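As an added example (not from the post or its attachment), a small parser for the INI-like TDL3 config layout shown in the dump above: it skips the filler quote lines before [main], keeps keys per section (version appears in both [main] and [tdlcmd]), and splits the defanged ';'-separated server lists under [tdlcmd]. The embedded sample is constructed from the posted dump with abbreviated server lists.

```python
import re

# Constructed sample in the layout of the TDL3 dump posted above
# (abbreviated; this is not the attached file itself).
SAMPLE_CONFIG = """tdl stuff
She would come over and slip into the water
[main]
version=3.273
botid=74f8e63e-5915-4beb-a4e7-44bba20d02e1
installdate=18.8.2010 5:24:3
[injector]
*=tdlcmd.dll
[tdlcmd]
servers=hxxps://nichtadden.in/;hxxps://91.212.226.67/
wspservers=hxxp://zl00zxcv1.com/;hxxp://zloozxcv1.com/
popupservers=hxxp://clkh71yhks66.com/
version=3.941
"""

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
# Keys include "*" (the injector wildcard), so accept anything up to "=".
KEYVAL_RE = re.compile(r"^(?P<key>[^=\s][^=]*?)\s*=\s*(?P<value>.*)$")

def parse_tdl_config(text):
    """Parse the INI-like dump into {section: {key: value}}.
    Lines before the first [section] (the bot's filler quotes) are skipped."""
    config = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = config.setdefault(m.group("name"), {})
            continue
        if section is None:
            continue  # filler text above [main]
        m = KEYVAL_RE.match(line)
        if m:
            section[m.group("key")] = m.group("value")
    return config

def extract_c2(config):
    """Split the ';'-separated server lists under [tdlcmd] into lists,
    dropping empty entries left by a trailing ';'."""
    tdlcmd = config.get("tdlcmd", {})
    return {key: [s for s in tdlcmd.get(key, "").split(";") if s]
            for key in ("servers", "wspservers", "popupservers")}
```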
 #2044  by Jaxryley
 Wed Aug 18, 2010 5:48 am
EP_X0FF wrote:Hello,
Not sure about this locked driver. Did you try to copy it with rku -> wipe/copy file feature? Or with WinHex?
No but I will give a go, thanks EP_X0FF.
 #2045  by EP_X0FF
 Wed Aug 18, 2010 6:00 am
I just did a full cleanup of this malware pack with rku+explorer+autoruns+internal remover for tdl3.

edit: around 30 items removed/cured (files, infected driver, registry entries).
 #2048  by Jaxryley
 Wed Aug 18, 2010 9:08 am
EP_X0FF wrote:I just did a full cleanup of this malware pack with rku+explorer+autoruns+internal remover for tdl3.

edit: around 30 items removed/cured (files, infected driver, registry entries).
Yes, these microjoin exploits are my favourites. LOL :twisted:

Malwarebytes Anti-Malware does a good job of zapping these types and their droppers, with a need to rename mbam.exe to firefox.exe in order for it to start if the exe-killer rogue is active.
 #2066  by PX5
 Thu Aug 19, 2010 6:32 am

;)

After this runs its course, the clusterfuck comes, which is where your root is loaded, usually an iframedollars load.
 #2103  by CloneRanger
 Fri Aug 20, 2010 3:58 am
dropped trojans

malware.rar (2.3 MiB)

Downloaded 344 times

WOW! Is this a record or?