[EP_X0FF]

Dropper packed with UPX.

Installs rootkit driver aec<random chars>.sys into system3\drivers folder (some social engineering to fool users because of legitimate aec.sys present in Windows installation).
In my case rootkit driver was named aecq.sys.

Inside driver contains payload dll to be injected into address space from kernel mode.
Set's CreateProcess notification callback (see MSDN PsSetCreateProcessNotifyRoutine)

Registry and file is not hidden. Again to fool users rootkit driver has Version Info block (InternalName: "Kernel Driver").
Rootkit does not survived after regedit attack.

According to rootkit driver internals payload code injected into services.exe and explorer.exe

below is dump of readable strings from user mode part

vip888.eu hronomail.com DnsQuery_A DnsRecordListFree ntdll.dll NtDelayExecution GetVolumeInformationA VirtualFree VirtualAlloc
Sleep CloseHandle ExitThread CreateThread WSAIoctl select htons gethostbyname WSAStartup shutdown connect closesocket socket send
recv dnsapi.dll kernel32.dll ws2_32.dll GetProcAddress LoadLibraryExA D:\ C:\ yahoo.com gmail.com
Proxy-Connection: :// HTTP/1.0 500 Internal Server Error
Content-Length: 25
500 Internal Server Error HTTP/1.0 502 Bad Gateway
Content-Length: 15
502 Bad Gateway HTTP/1.0 400 Bad Request
Content-Length: 15
400 Bad Request HTTP/1.1 200 OK

VirusTotal
http://www.virustotal.com/analisis/4c74 ... 1268764475

MD5
6afcac353e5e4f3781cc208eba3adecc

SHA1
c38436398bbfc679008201ef49df5047c410ccbf