A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #1238  by Quads
 Fri Jun 04, 2010 9:27 pm
I found one in the download links on the TDL3 thread and tried that one

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[file name].exe
C:\WINDOWS\system32\ernel32.dll
C:\System Volume Information\_restore{3CE24A12-6763-49ED-BA82-A731CC696DD0}\RP1\A0000056.dll
C:\WINDOWS\system32\spool\prtprocs\w32x86\[random].dll (can be a few created in that folder)
C:\documents and settings\[username]\application data\[random].exe
Scheduler change: Tasks: d:\windows\tasks\mswd-[random].job

DNS Changer
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F5D3DA0-7FC8-49DF-B703-88E747973326}: NameServer = 93.188.162.167,93.188.166.198
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.167,93.188.166.198
O17 - HKLM\System\CS1\Services\Tcpip\..\{8F5D3DA0-7FC8-49DF-B703-88E747973326}: NameServer = 93.188.162.167,93.188.166.198
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 93.188.162.167,93.188.166.198
O17 - HKLM\System\CS3\Services\Tcpip\..\{8F5D3DA0-7FC8-49DF-B703-88E747973326}: NameServer = 93.188.162.167,93.188.166.198
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.167,93.188.166.198

Quads
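The O17 entries above show the same rogue resolvers written into every ControlSet (CCS, CS1, CS3), which is why cleaning only CurrentControlSet tends to let the DNS changer come back. The following is an added example, not code from the post or the forum: it parses HijackThis-style O17 lines, checks each resolver against the two addresses listed above, classifies the rest as private, allow-listed, or needing review, and reports which ControlSets carry the known-bad resolvers. The sample log is constructed from the entries above plus one assumed benign LAN resolver line; the function and variable names are my own.

```python
import ipaddress
import re

# Constructed sample in HijackThis O17 format: the entries posted above plus one
# assumed benign LAN resolver line (192.168.1.1) for contrast.
SAMPLE_O17_LOG = """\
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{8F5D3DA0-7FC8-49DF-B703-88E747973326}: NameServer = 93.188.162.167,93.188.166.198
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\Parameters: NameServer = 93.188.162.167,93.188.166.198
O17 - HKLM\\System\\CS3\\Services\\Tcpip\\Parameters: NameServer = 93.188.162.167,93.188.166.198
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 192.168.1.1
"""

# Resolver addresses taken from the DNS changer entries in the post above.
KNOWN_BAD_RESOLVERS = frozenset({"93.188.162.167", "93.188.166.198"})

# One O17 line: control set, the Tcpip sub-path (Parameters or an interface
# GUID), and a comma-separated NameServer value.
O17_LINE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\(?P<sub>[^:]+): "
    r"NameServer = (?P<servers>\S+)$"
)


def parse_o17(log_text):
    """Return one dict per O17 line: control_set, subkey, servers (list)."""
    entries = []
    for line in log_text.splitlines():
        m = O17_LINE.match(line.strip())
        if not m:
            continue  # not an O17 NameServer line; ignore
        servers = [s for s in m.group("servers").split(",") if s]
        entries.append({"control_set": m.group("cs"),
                        "subkey": m.group("sub"),
                        "servers": servers})
    return entries


def classify_resolver(ip, known_bad=KNOWN_BAD_RESOLVERS, allowed=frozenset()):
    """Classify a single resolver address.

    known-bad  : matches an indicator from the post above
    allowed    : on the caller's allow-list (e.g. corporate resolvers)
    private    : RFC 1918 / loopback etc., typically the local router
    review     : public address not on any list; needs a human look
    malformed  : not a valid IP literal
    """
    if ip in known_bad:
        return "known-bad"
    if ip in allowed:
        return "allowed"
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    return "private" if addr.is_private else "review"


def triage_o17(log_text, allowed=frozenset()):
    """Summarise an O17 dump: suspicious resolvers and affected ControlSets."""
    report = {"known-bad": set(), "review": set(), "malformed": set(),
              "control_sets_affected": set()}
    for entry in parse_o17(log_text):
        for ip in entry["servers"]:
            verdict = classify_resolver(ip, allowed=allowed)
            if verdict in report:
                report[verdict].add(ip)
            if verdict == "known-bad":
                # Every ControlSet holding the value must be cleaned, not just CCS.
                report["control_sets_affected"].add(entry["control_set"])
    return report


if __name__ == "__main__":
    result = triage_o17(SAMPLE_O17_LOG)
    for key, value in result.items():
        print(f"{key}: {sorted(value)}")
```

Pass your own resolvers via `allowed` so they are not reported for review; anything public that is neither allow-listed nor a known indicator lands in `review`, which is the set worth comparing against the O17 lines of the next machine that shows the same redirects.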
 #2018  by SecConnex
 Mon Aug 16, 2010 9:32 pm
I've been investigating a newer rootkit, which seems to be keeping up with Google redirects even after the machine appears to be disinfected. (I have three users with the same issue even after full disinfection)

I will show a couple of sample logs below, but first I want to say that in searching for TDL3, the search failed. And in searching for a Goored infection, the search failed. Lastly, in searching for Max++ infection, the search failed. All of which means those infections did not exist.

So, my issue is finding out what has been infected, and attempting to disinfect it. Whatever it is, it has evaded every rootkit tool and malware scanner. It must be pretty close to the kernel, possibly at Ring1.

========================

Analysis of first computer infected...

Had TDL3 and XUL infection. Deleted infection via these files:

==ComboFix==

c:\documents and settings\Miki\Local Settings\Application Data\{3DA17406-C493-440F-A1C9-7D19A583FF4A}
c:\documents and settings\Miki\Local Settings\Application Data\{3DA17406-C493-440F-A1C9-7D19A583FF4A}\chrome.manifest
c:\documents and settings\Miki\Local Settings\Application Data\{3DA17406-C493-440F-A1C9-7D19A583FF4A}\chrome\content\_cfg.js
c:\documents and settings\Miki\Local Settings\Application Data\{3DA17406-C493-440F-A1C9-7D19A583FF4A}\chrome\content\overlay.xul
c:\documents and settings\Miki\Local Settings\Application Data\{3DA17406-C493-440F-A1C9-7D19A583FF4A}\install.rdf
c:\program files\Shared
c:\windows\ahamukimupewu.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\eqorahemile.dll
c:\windows\msvcirt32.dll
c:\windows\ojudetayol.dll
c:\windows\opixixoyen.dll
c:\windows\system32\Drivers\tjrrkyur.sys
c:\windows\udusuzog.dll
c:\windows\uhoyojiyedohaqit.dll
c:\windows\unexaxeda.dll
c:\windows\xdrhiscl.dll
c:\windows\Rdesexasuxomo.bin
c:\windows\Sradupu.dat

Infected copy of c:\windows\system32\drivers\compbatt.sys was found and disinfected

==Malwarebytes' Anti-Malware==

C:\Documents and Settings\Miki\Local Settings\Application Data\rssuxikfq\wmbfgmmtssd.exe (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Miki\Local Settings\temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\isnxibtt (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\isnxibtt (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.

==Dr. Web CureIt==
rexiy.exe;c:\documents and settings\miki\application data\ytki;Trojan.PWS.Panda.354;Deleted

-----------

However, the infection still showed its face.

I found evidence of Trojan.SpyEye:
C:\CLEANSWEPX.EXE\CLEANSWEPX.EXE

However, on trying to delete it, the tool says the file or folder cannot be found.

I have attached logs that I would need reviewed, if anyone is willing to help me find this infection.

-RKU
-SpiderKill

Right now, I am going to have the user re-run RootkitUnhooker.

Let's see what can be found.
 #2020  by EP_X0FF
 Tue Aug 17, 2010 4:30 am
Hello,
C:\CLEANSWEPX.EXE\CLEANSWEPX.EXE

However, on trying to delete it, the tool says the file or folder cannot be found.
Did you try Wipe file from the tools menu in RKU?

Regards.
 #2188  by CloneRanger
 Mon Aug 23, 2010 12:22 am
M Zip - PW = infected

update.exe

Scanner results : (1/36) found malware! BitDefender Gen:Trojan.Heur.VP.mmW@aGT0kUmO - http://virscan.org/report/7955a7546852e ... 6982b.html

windows_protection_suite.exe

Scanners did not find malware! - http://virscan.org/report/a2075aa7bd18a ... 117fd.html
 #2191  by EP_X0FF
 Mon Aug 23, 2010 1:05 am
It's Security Tool fake av and something with VB :)

//fake av and SpyEye :)
 #2482  by Jaxryley
 Sun Aug 29, 2010 8:00 am
For perusal if interested.
hxxp://movierapid.com/flash_player.exe
flash_player.exe - 11/ 41
http://www.virustotal.com/file-scan/rep ... 1283068001

Droppers:
coiub.exe - 12/ 40
http://www.virustotal.com/file-scan/rep ... 1283067844

sbmon.exe - 15/ 41 - Mal/TDSSPack-CC
http://www.virustotal.com/file-scan/rep ... 1283067848

Buster Sandbox Analyzer:
Created process: (null),"C:\Users\ADMINI~1\a.bat" ,C:\Users\Administrator
Created process: (null),"C:\Users\ADMINI~1\AppData\Local\Temp\7ZSfx000.cmd" ,C:\Users\Administrator\Desktop
Created process: C:\Users\Administrator\coiub.exe,"C:\Users\Administrator\coiub.exe" ,C:\Users\Administrator
Created process: C:\Users\Administrator\immon.exe,"C:\Users\Administrator\immon.exe" ,C:\Users\Administrator
Created process: C:\Users\Administrator\sbmon.exe,"C:\Users\Administrator\sbmon.exe" ,C:\Users\Administrator
Created process: C:\Users\Administrator\usmon.exe,"C:\Users\Administrator\usmon.exe" ,C:\Users\Administrator
Created process: C:\Windows\System32\cmd.exe,"C:\Windows\System32\cmd.exe" /c tasklist&&del usmon.exe,C:\Users\Administrator
Created process: C:\Windows\system32\svchost.exe,(null),(null)
Created process: C:\Windows\System32\tasklist.exe,tasklist,C:\Users\Administrator
Defined file type created: C:\Users\Administrator\AppData\coiub.exe
Defined file type created: C:\Users\Administrator\AppData\Desktop\flash_player.exe
Defined file type created: C:\Users\Administrator\AppData\sbmon.exe
Detected backdoor listening on port: 0
Detected keylogger functionality
Detected process privilege elevation
Enumerated running processes
Injected code into process: c:\bsa\bsa.exe
Injected code into process: c:\program files\microsoft virtual pc\virtual pc.exe
Injected code into process: c:\program files\mythicsoft\agent ransack\agentransack.exe
Injected code into process: c:\program files\returnil\returnil.exe
Injected code into process: c:\users\administrator\desktop\flash_player.exe
Injected code into process: c:\users\administrator\network indicator\networkindicator.exe
Injected code into process: c:\windows\system32\dllhost.exe
Injected code into process: c:\windows\system32\lsm.exe
Injected code into process: c:\windows\system32\smss.exe
Injected code into process: c:\windows\system32\svchost.exe
Injected code into process: c:\windows\system32\taskhost.exe
Injected code into process: c:\windows\system32\wininit.exe
Injected code into process: h:\sandbox\administrator\testings\user\current\sbmon.exe
Internet connection: H:\Sandbox\Administrator\Testings\user\current\sbmon.exe Connects to "91.188.60.19" on port 443 (TCP - HTTPS).
Listed all entry names in a remote access phone book
Opened a service named: rasman
Opened a service named: Sens
Opened a service named: spooler
Query DNS: 68b6b6b6.com
Pass:
infected

 #2554  by Jaxryley
 Tue Aug 31, 2010 7:07 am
Could one of the experts have a look at these if you have time please. (Thanks to ColPeters)
hxxp://http://www.dnusax.com/10222009/converter7.exe
hxxp://http://www.dnusax.com/10222009/e4u.exe
hxxp://http://www.dnusax.com/10222009/exrev.exe
converter7.exe - 13/ 43
http://www.virustotal.com/file-scan/rep ... 1283237727

e4u.exe - 10/ 43
http://www.virustotal.com/file-scan/rep ... 1283237742

exrev.exe - 10/ 43
http://www.virustotal.com/file-scan/rep ... 1283237740