A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #4693  by EP_X0FF
 Mon Jan 24, 2011 11:40 am
Written in .NET and not crypted.
Runs through HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run as Documents and Settings\Username\application data\air\mute\1.0.0.0\updater.exe

Contacts hxxp://isthisactuallyadomain.info/check_update.php to update itself and download a new list of YouTube videos (hxxp://isthisactuallyadomain.info/download/tubelist.dat).

Has a project path string inside: C:\xampp\htdocs\matthewfree\bot_master\mute\obj\Debug\explorer.pdb
 #4808  by EP_X0FF
 Sat Jan 29, 2011 3:24 pm
VM aware
SYSTEM\ControlSet001\Enum\IDE\DiskVirtual_HD______________________________1._1____
SYSTEM\ControlSet001\Enum\IDE\CdRomNECVMWar_VMware_IDE_CDR10_______________1.00____
SYSTEM\ControlSet001\Enum\IDE\CdRomVBOX_CD-ROM_____________________________1.0_____
dbghelp.dll
SbieDll.dll
55274-640-2673064-23950 76487-644-3177037-23510 76487-640-1457236-23837 ProductId
IRC backdoor with the usual pack of features:
spread.usb
update-md5
update
uninstall
download-md5
download
server
:!spread.msn
pingfreq
botkiller
stealer
spread.msn
spread.rarzip
ddos.tcp
ddos.udp
uptime
off
silence
usort
sort
visit
Steals info from:

FileZilla
FireFox
IE
Trillian

Have no idea what its name is, but inside found the string:
Surreal 8 * :Endless
 #5873  by Xylitol
 Sat Apr 09, 2011 12:24 pm
markusg wrote: http://virusscan.jotti.org/de/scanresul ... 01a6e3f6c6
The malware copies itself into \%appdata%\ under the name 'svmrss.exe' with the hidden attribute set.
Code:
*\AC:\Users\DB\Desktop\Partie Banker - Copie - Copie\Project1.vbp
@Classifica
COBEIN_FTP_CLASS
anonymous
SHELLHOOK
kernel32
advapi32
user32
ntdll
ExitProcess
SetUnhandledExceptionFilter
CreateProcessW
SeCreateTokenPrivilege
SeAssignPrimaryTokenPrivilege
SeLockMemoryPrivilege
SeIncreaseQuotaPrivilege
SeUnsolicitedInputPrivilege
SeMachineAccountPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeProfileSingleProcessPrivilege
SeChangeNotifyPrivilege
SeIncreaseBasePriorityPrivilege
SeCreatePagefilePrivilege
SeCreatePermanentPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeRemoteShutdownPrivilege
appdata
svmrss
.exe
SetFileAttributesW
smrss
Internet Explorer
Mozilla Firefox
https:
Heuristic Https
.txt
.jpg
HH:mm:ss
veTX3yyfA
W9j5xu
Z0cjt
COMPUTERNAME
USERNAME
*.txt
GetForegroundWindow
BitBlt
GetAsyncKeyState
facebook.
google.
yahoo.
live.
Version
Update
temp
update.exe
*.jpg
firefox|WWW_GetWindowInfo
gdi32
iexplore|WWW_GetWindowInfo
GetParent
GetWindowTextLength
GetWindowTextW
GetWindowDC
StretchBlt
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{1D5BE4B5-FA4A-452D-9CDD-5DB35105E7EB}
Cannot save the image. GDI+ Error:
wininet.dll
InternetOpenW
InternetConnectW
FtpGetCurrentDirectoryW
FtpCreateDirectoryW
FtpRemoveDirectoryW
FtpSetCurrentDirectoryW
FtpPutFileW
FtpGetFileW
FtpDeleteFileW
FtpRenameFileW
InternetGetLastResponseInfoW
User32.dll
CreateWindowExW
EDIT
SetWindowsHookExA
RegisterWindowMessageW
user32.dll
SetClipboardViewer
SetWindowLongA
UnhookWindowsHookEx
DestroyWindow
] Ventana Activa: 
IsClipboardFormatAvailable
] Portapaples: 
GetClassNameW
kernel32.dll
lstrlenW
GetCurrentProcess
SetPriorityClass
CreateFileW
CreateFileMappingA
MapViewOfFile
VirtualProtect
UnmapViewOfFile
CloseHandle
GetModuleFileNameA
:*:Enabled:
RegCreateKeyW
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
RegSetValueExW
RegCloseKey
Software\Microsoft\Windows\CurrentVersion\Run
wininet
Testing123
InternetOpenUrlW
http://h1.ripway.com/forza130/
urlmon
URLDownloadToFileW
shell32.dll
ShellExecuteW
open
SOFTWARE\Microsoft\Security Center
UACDisableNotify
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
EnableLUA
@*\AC:\Users\DB\Desktop\Partie Banker - Copie - Copie\Project1.vbp
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
CompanyName
Microsoft
ProductName
System
FileVersion
ProductVersion
InternalName
OriginalFilename
p.exe
!This program cannot be run in DOS mode.
Rich
.text
`.data
.rsrc
MSVBVM60.DLL
002043Smrss
System
System
Form1
DateModifie
Timer2
UpdateVersion
Update
ScreenCapCount
Timer3
Picture1
TextWindow
Timer1
TextURL
System
Smrss
System
mGetUrl
mNameWindow
mScreenCap
cFTP
mKeylogger
mProcessPriority
mEngine
mFireWall
mProtection
mActiveX
mEncryption
mMutex
mCheckCommand
mDownload
mAntiUAC
Smrss
Update
ScreenCapCount
C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
Picture1
TextURL
Form
Timer1
Timer3
Timer2
TextWindow
DateModifie
UpdateVersion
kernel32
GetTickCount
user32
GetLastInputInfo
SendFindFileJpg
SendFindFileTxt
TakeScreenShot
IsAFK
BlackList
UpdateMe
FileExists
CallWindowProcW
Status
CreateMutexA
advapi32.dll
AdjustTokenPrivileges
advapi32
LookupPrivilegeValueA
GetCurrentProcess
OpenProcessToken
ntdll.dll
NtSetInformationProcess
RegOpenKeyExA
Class
RegSetValueExA
RegCloseKey
VBA6.DLL
user32.dll
PostMessageA
CallWindowProcA
SendMessageA
VBA
Shell32
RtlMoveMemory
"C:\Windows\SysWow64\MSVBVM60.DLL\3
VBRUN
wininet.dll
InternetCloseHandle
FtpFindFirstFileA
InternetFindNextFileA
lstrlenA
Connect
Disconnect
GetCurrentDirectory
CreateDirectory
DeleteDirectory
SetCurrentDirectory
EnumDirectories
FC:\Program Files (x86)\Microsoft Visual Studio\VB98\VBA6.dll
PutFile
GetFile
DeleteFile
RenameFile
EnumFiles
InternetReadFile
GetWindowRect
GDIPlus
GdiplusStartup
GdiplusShutdown
GdipCreateBitmapFromHBITMAP
GdipDisposeImage
GdipSaveImageToFile
ole32
CLSIDFromString
wininet
DeleteUrlCacheEntryA
anonymous
lTime
fName
sURL
sUsername
sPassword
lPort
bPassiveSemantic
eAccessType
sProxyName
sProxyBypass
sDir
sFilter
sLocalFile
sRemoteFile
sFile
sNewName
MSVBVM60.DLL
MethCallEngine
EVENT_SINK_AddRef
DllFunctionCall
EVENT_SINK_Release
EVENT_SINK_QueryInterface
__vbaExceptHandler
ProcCallEngine
ThreatExpert Report: http://www.threatexpert.com/report.aspx ... c8ba5a2ed1
VT: http://www.virustotal.com/file-scan/rep ... 1302352122
Code:
http://h1.ripway.com/forza130/Update.txt
http://h1.ripway.com/forza130/Version.txt 
BSoD on WinXP when I try to kill the process.
Last edited by Xylitol on Sat Apr 09, 2011 12:36 pm, edited 1 time in total.
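As an added triage example for the indicator strings quoted in #4808 and #5873 (this is not code from any of the posters), the script below tags each line of a `strings` dump with the capability it suggests (VM/sandbox checks, Run-key persistence, firewall whitelisting, UAC tampering, keylogging, screen capture, FTP exfiltration) and pulls out defanged URLs and leaked project paths. The category names, the regex lists and the sample dump are my own constructions, assembled from strings that appear in the posts above.

```python
"""Triage a `strings` dump of a suspected bot binary.

Added example for this thread, not code from any of the posters. The
indicator lists are drawn from the strings quoted in the thread plus API
names commonly used for the same purpose; the category names are assumed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Category -> regexes matched case-insensitively against every dumped string.
INDICATORS: Dict[str, List[str]] = {
    "vm_sandbox_detection": [r"VMware", r"VBOX", r"Virtual_HD", r"SbieDll\.dll", r"dbghelp\.dll"],
    "persistence_run_key": [r"Software\\Microsoft\\Windows\\CurrentVersion\\Run"],
    "firewall_whitelisting": [r"AuthorizedApplications\\List"],
    "uac_tampering": [r"EnableLUA", r"UACDisableNotify"],
    "keylogging": [r"GetAsyncKeyState", r"SetWindowsHookEx", r"SetClipboardViewer"],
    "screen_capture": [r"BitBlt", r"GdipSaveImageToFile"],
    "ftp_exfiltration": [r"FtpPutFile", r"FtpCreateDirectory"],
    "privilege_adjustment": [r"AdjustTokenPrivileges", r"SeDebugPrivilege"],
    "self_update": [r"URLDownloadToFile", r"InternetOpenUrl"],
}
_COMPILED = {cat: re.compile("|".join(pats), re.IGNORECASE) for cat, pats in INDICATORS.items()}

# URLs (already-defanged hxxp:// forms included) and build-tree paths such as
# the .pdb and .vbp strings in the thread, which leak the author's environment.
URL_RX = re.compile(r"\bh(?:tt|xx)ps?://[^\s'\"<>]+", re.IGNORECASE)
PROJECT_PATH_RX = re.compile(r"[A-Za-z]:\\.*?\.(?:pdb|vbp)\b", re.IGNORECASE)


def triage_strings(dump: str) -> Dict[str, List[str]]:
    """Return {category: [matching strings]} for every category that fired."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for line in dump.splitlines():
        line = line.strip()
        if not line:
            continue
        for cat, rx in _COMPILED.items():
            if rx.search(line):
                hits[cat].append(line)
    return dict(hits)


def risk_summary(hits: Dict[str, List[str]]) -> Tuple[int, List[str]]:
    """Number of capability categories seen and their sorted names; several
    categories firing together (persistence + firewall + UAC + keylogging)
    is what makes a sample worth an analyst's time."""
    return len(hits), sorted(hits)


def extract_artifacts(dump: str) -> Dict[str, List[str]]:
    """Pull URLs (defanged to hxxp for safe sharing) and project paths."""
    urls = ["hxxp" + u[4:] for u in URL_RX.findall(dump)]
    return {"urls": urls, "project_paths": PROJECT_PATH_RX.findall(dump)}


# Constructed sample dump: a handful of strings taken from the posts above
# plus one benign line, standing in for real `strings` output.
SAMPLE_DUMP = r"""
SYSTEM\ControlSet001\Enum\IDE\CdRomNECVMWar_VMware_IDE_CDR10_______________1.00____
SbieDll.dll
GetAsyncKeyState
SetWindowsHookExA
BitBlt
FtpPutFileW
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Software\Microsoft\Windows\CurrentVersion\Run
EnableLUA
http://h1.ripway.com/forza130/Update.txt
*\AC:\Users\DB\Desktop\Partie Banker - Copie - Copie\Project1.vbp
This is a harmless line
"""

if __name__ == "__main__":
    found = triage_strings(SAMPLE_DUMP)
    count, cats = risk_summary(found)
    print(f"{count} capability categories: {', '.join(cats)}")
    for cat, lines in found.items():
        print(f"  [{cat}]")
        for s in lines:
            print(f"     {s}")
    print(extract_artifacts(SAMPLE_DUMP))
```

String hits like these are a prioritisation aid, not a verdict: a packed or crypted sample (the first post notes this one is not crypted) shows none of them until it is unpacked, and a clean VB6 or .NET program can legitimately reference several of the APIs. The combination is what matters, which is why the summary counts categories rather than individual strings.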
 #13456  by leeno
 Sun May 27, 2012 8:53 pm
MD5: a1bae5e0968f02fee91063fb3aaaf0b3
Help me identify the actual bot.
Attachment (71.92 KiB)