
View Full Version : possible rootkit kdjfq.exe


blabberer
June 6th, 2007, 04:28
this kdfjq.exe was hidden deep and it took me quite an effort to leech it off the disk

i'm not sure about the update.sys that's accompanying this zip folder
but i think it is an accomplice (don't remember seeing an update.sys before)

didn't have time to check either of them (didn't even google for information)

and the zip is NOT PASSWORDED. the comp in question didn't have winzip or winrar; i used the xp default -> send to zip. never used it, didn't know how to password sendto. could some mod do me a favour and password it?


MALWARE, BEWARE: UNPASSWORDED

blabberer
June 6th, 2007, 04:59
ok msdn has some info on update.sys

so it could be my mistake to attach it

http://support.microsoft.com/kb/885626

and this kdfjq starts its act by creating a thread and closing its handle right off, then calling ExitThread on it, then does a fake MoveFile and VirtualProtects the PE header and adds export table entries to it

00400158 A0F10000 DD 0000F1A0 ; Export Table address = F1A0
0040015C 96000000 DD 00000096 ; Export Table size = 96 (150.)
modifies import table address

00400160 04E60000 DD 0000E604 ; Import Table address = E604
00400164 A0000000 DD 000000A0 ; Import Table size = A0 (160.)

adds reloc table address
00400180 00000100 DD 00010000 ; Relocation Table address = 10000
00400184 00100000 DD 00001000 ; Relocation Table size = 1000 (4096.)


adds import data table address

004001B8 00100000 DD 00001000 ; Import Address Table address = 1000
004001BC 00020000 DD 00000200 ; Import Address Table size = 200 (512.)



Handles, item 5
Handle=00000010
Type=Thread
Refs= 4.
Access=001F03FF SYNCHRONIZE|WRITE_OWNER|WRITE_DAC|READ_CONTROL|DELETE|QUERY_STATE|MODIFY_STATE|3FC

looks like some kind of advertiser

Code:

00401380 ....................................HttpSendRequestW....HttpSend
004013C0 RequestA....wininet.dll.send....recv....wsock32.dll.RegisterBind
00401400 StatusCallback..urlmon.dll..NtDeleteValueKey....NtSetValueKey...
00401440 NtQueryDirectoryFile....NtCreateThread..Referer: %s.get.%s%d....
00401480 h@.........X@.—\@.................H@.]@.................8@.
004014C0 Y@.................,@.g[@.....................................
00401500 ........@..........@.sX@.................@.7Y@.............
00401540 ....@.^@.................@.-_@.................@.*_@.....
00401580 ............@.`@.........................................Find
004015C0 NextFileW...FindNextFileA...FindFirstFileW..FindFirstFileA..Crea
00401600 teProcessW..CreateProcessA..kernel32.dll....RegEnumKeyA.RegEnumK
00401640 eyExA...RegEnumValueW...RegEnumValueA...advapi32.dll....iexplore
00401680 .exe....OpenThread..h....DebugActiveProcess.........OpenProc
004016C0 ess... . . . . . . . . .(.(.(.(.(. . . . . . . . . . . . . . . .



search engine hooker it seems

Code:

00401E00 ..................../web?.../web/results?.../results.aspx?..resu
00401E40 lts.asp.search../search./ie?..../custom?..../search?....settings
00401E80 .aspx...scoope=./video/./local/./encarta/.../desktop/.../news/..
00401EC0 /....ask.com.altavista.com...search.live.....search.msn..
00401F00 shopping.yahoo..search.yahoo....www.google..ask.....altavista...
00401F40 .live....msn.....yahoo..google..loginnet.passport.../ocget.dll..
00401F80 http://64.28.180.211/frame.php..clsid\%s....%s\%s.dll...%s;%s;%s
00401FC0 ;...1063....hello...http://%s%s&id=%d&qnaes=%s..%s&qnaes=%s.....
00402000 ask2.pricegrabber.com...askcareers.com..searchmarketing.yahoo...
00402040 answers.yahoo...microsoft.com...?as_q=..&as_q=..&p=.?p=.&q=.?q=.
00402080 '@.'@.'@.'@.'@.'@.'@.'@.'@.'@.'@.'@.'@.'@.*'@.....
004020C0 œ'@.˜'@.”'@.'@.Œ'@.'@.ˆ'@.„'@.€'@.|'@.x'@.t'@.p'@.l'@.h'@.....
00402100 T'@.D'@.8'@.'@.'@.&@.&@.&@.&@.&@.˜&@.ˆ&@.x&@.d&@.X&@.@&@.
00402140 ,&@.&@.&@.%@.%@.%@.%@.%@.€%@.h%@.X%@.P%@.'@.<%@.0%@. %@.
00402180 %@.$@.$@.$@.$@.$@.$@.*$@.Œ$@.p$@.d$@.H$@.8$@.,$@.$@..$@.
004021C0 #@.#@.#@.#@.#@.*#@.Œ#@.x#@.`#@.H#@.8#@. #@..#@."@."@."@.
00402200 "@."@."@.„"@.l"@.X"@.D"@.8"@.("@.....ynotmasters.com.ynotbob.
00402240 com.www.x-forum.info....www.webtown.info....www.webhostingtalk.r
00402280 u...www.v7n.com.www.umaxforum.com...www.techmonkeys.co.uk...www.
004022C0 ruwebmaster.com.www.promoforum.ru...www.pereroboard.com.www.nast
00402300 raforum.com.www.master-x.com....www.lavasoftsupport.com.www.jahe
00402340 wi.nl...www.greenguyandjim.com..www.gofuckyourself.com..www.doma
00402380 intalk.ru...www.dndialog.com....www.crutop.nu...www.castlecops.c
004023C0 om..www.armadaboard.com.webmastersarea.com..videoscash.com..vide
00402400 osboard.com.thinkreel.com...tgpalliance.com.temerc.com..seochase
00402440 .com....securitygarden.blogspot.com.rusawm.com..reseller.adverts
00402480 tats.com....pornstarkings.com...pornresource.com....peppersboard
004024C0 .com....netpond.com.netadmin.ws.master-x.com....luxuru.com..logi
00402500 n.advertstats.com...krawl.biz...klikforum.com...jmbsoft.com.gree
00402540 nguyandjim.com..gfy.com.germesia.com....gaywebmasterchat.com....
00402580 gaytraffic.nl...gaymarketforum.com..gallerytrafficservice.com...
004025C0 forum.securitycadets.com....forum.searchengines.ru..forum.ru-boa
00402600 rd.com..forum.krawl.com.forum.kaspersky.com.forum.hostobzor.ru..
00402640 forum.adultinter.com....foogie.com..extremebullshit.com.earnforu
00402680 m.com...domenforum.net..crutop.nu...charliechoice.com...boards.x
004026C0 biz.com.bigboynetwork.com...bbs.mediumpimpin.com....gofuckyourse
00402700 lf.net..gofuckyourself.com..bbs.adultwebmasterinfo.com..awm.name
00402740 ....askdamagex.com..adultchamber.com....247.152.141.140.137.130.
00402780 88..29..5...75..59..70..241.203.998.380.993.373.371.370.996.995.
004027C0 372.420.357.375.374.994.7...Control Panel\International.iCountry
00402800 ....Control Panel\International\Geo.Nation..Software\Microsoft\I
00402840 nternet Explorer\TypedURLs......@.*@..*@.)@.)@.)@.Œ@.ˆ@.
00402880 x)@.h)@.T)@.P)@.H)@....@)@.,)@.)@.....P0˜ϻ‚.......
004028C0 ......FyŒ‚..K<|"ŽŒ.*-R;GѸ3.Oɳ€ݿ~*
00402900 .Orָͫ‰€O _QASDGFDHJDGJSDFG#....ZXFJSDGTJTYUASD#....
00402940 conf....kdid....kd..SEXFGHDFJZHFHSFD#...KEBDHORDCZGLTA#.PEGFSDGH
00402980 XCBGTR#.ss..Run.Software\Microsoft\Windows NT\CurrentVersion\Win
004029C0 logon...Software\Microsoft\Windows\CurrentVersion...csrss.exe...
00402A00 winlogon.exe....explorer.exe....•B.‹..{%s}....Content-Type: %s
00402A40 ....Microsoft Internet Explorer.Referer: %s.....MS Internet Expl
00402A80 orer....%x %x...”*@.64.28.184.5.http://%s/..System..NtQueryValue
00402AC0 Key.NtEnumerateValueKey.NtQueryInformationFile..NtQueryObject...
00402B00 NtOpenThread....NtQueryInformationThread....NtQueryInformationPr
00402B40 ocess...NtQuerySystemInformation....GetModuleFileNameExA....Enum
00402B80 ProcessModules..psapi.dll...Process32Next...Process32First..%s%s
00402BC0 %c..GetProcAddress..LoadLibraryA....exe.%s\%s...%s\%s%c%c%c.%s..
00402C00 ...yahoo.com...aol.com.WorkProc....InstallHook.......



and damn, jumps into the stack

0041277F FFD4 CALL NEAR ESP

ESP=0035FFB0


0035FFB0 58 POP EAX
0035FFB1 58 POP EAX
0035FFB2 C3 RETN

0035FFB0 A2C35858
0035FFB4 0040A136 kdfjqroo.0040A136 <----- oep
0035FFB8 7C80B50B RETURN to kernel32.7C80B50B
0035FFBC 00000000

possibly a keylogger too

Code:
0040AC03 |. 50 PUSH EAX ; /pThreadId = A2C35858
0040AC04 |. 33C0 XOR EAX, EAX ; |
0040AC06 |. 50 PUSH EAX ; |CreationFlags = DETACHED_PROCESS|CREATE_NEW_CONSOLE|IDLE_PRIORITY_CLASS|CREATE_SEPARATE_WOW_VDMCREATE_SHARED_WOW_VDM |PROFILE_KERNEL|82C34000
0040AC07 |. FF75 0C PUSH DWORD PTR SS:[EBP+C] ; |pThreadParm = NULL
0040AC0A |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |ThreadFunction = kdfjqroo.00412140
0040AC0D |. 50 PUSH EAX ; |StackSize = A2C35858 (-1564256168.)
0040AC0E |. 50 PUSH EAX ; |pSecurity = A2C35858
0040AC0F |. FF15 F0104000 CALL NEAR DWORD PTR DS:[4010F0] ; \CreateThread


anyone want to take on from here?
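An added example, not code from the thread or from anyone posting in it: the header rewrites shown above (export, import, reloc and IAT directory entries written into the PE header at runtime) exist only in memory, so the on-disk header is a natural baseline. The script below parses the PE32 data-directory table from an optional header and diffs an on-disk copy against a runtime snapshot, flagging entries that were added, removed, changed or point past SizeOfImage. Both headers are constructed for the example; only the four runtime directory values (F1A0/96, E604/A0, 10000/1000, 1000/200) come from the posted dump, and the on-disk import entry and SizeOfImage are assumptions.

```python
"""Diff the PE32 data-directory table of an on-disk image against a runtime
snapshot of the same optional header, to spot in-memory header patching.
Both headers below are constructed test data; only the four runtime
directory values are taken from the posted dump."""
import struct

# IMAGE_DIRECTORY_ENTRY_* names in table order
DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG",
    "BOUND_IMPORT", "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]
PE32_MAGIC = 0x10B
OPTIONAL_HEADER_SIZE = 0xE0       # PE32 optional header with all 16 directories
SIZE_OF_IMAGE_OFFSET = 0x38       # IMAGE_OPTIONAL_HEADER32.SizeOfImage
RVA_COUNT_OFFSET = 0x5C           # IMAGE_OPTIONAL_HEADER32.NumberOfRvaAndSizes
DIRECTORY_TABLE_OFFSET = 0x60     # IMAGE_OPTIONAL_HEADER32.DataDirectory


def build_optional_header(size_of_image, directories):
    """Assemble a minimal PE32 optional header (constructed sample data)."""
    hdr = bytearray(OPTIONAL_HEADER_SIZE)
    struct.pack_into("<H", hdr, 0, PE32_MAGIC)
    struct.pack_into("<I", hdr, SIZE_OF_IMAGE_OFFSET, size_of_image)
    struct.pack_into("<I", hdr, RVA_COUNT_OFFSET, len(DIRECTORY_NAMES))
    for name, (rva, size) in directories.items():
        slot = DIRECTORY_TABLE_OFFSET + 8 * DIRECTORY_NAMES.index(name)
        struct.pack_into("<II", hdr, slot, rva, size)
    return bytes(hdr)


def parse_data_directories(hdr):
    """Return {name: (rva, size)} for every populated IMAGE_DATA_DIRECTORY."""
    magic, = struct.unpack_from("<H", hdr, 0)
    if magic != PE32_MAGIC:
        raise ValueError("not a PE32 optional header")
    count, = struct.unpack_from("<I", hdr, RVA_COUNT_OFFSET)
    dirs = {}
    for idx in range(min(count, len(DIRECTORY_NAMES))):
        rva, size = struct.unpack_from("<II", hdr, DIRECTORY_TABLE_OFFSET + 8 * idx)
        if rva or size:
            dirs[DIRECTORY_NAMES[idx]] = (rva, size)
    return dirs


def diff_directories(disk_hdr, mem_hdr):
    """List (name, verdict, before, after) for every directory that differs
    between the on-disk and in-memory header.  The verdict also notes
    entries that extend past SizeOfImage, which can never be valid."""
    disk = parse_data_directories(disk_hdr)
    mem = parse_data_directories(mem_hdr)
    size_of_image, = struct.unpack_from("<I", mem_hdr, SIZE_OF_IMAGE_OFFSET)
    findings = []
    for name in DIRECTORY_NAMES:
        before, after = disk.get(name, (0, 0)), mem.get(name, (0, 0))
        if before == after:
            continue
        if before == (0, 0):
            verdict = "added"
        elif after == (0, 0):
            verdict = "removed"
        else:
            verdict = "changed"
        if after != (0, 0) and after[0] + after[1] > size_of_image:
            verdict += ", out of image bounds"
        findings.append((name, verdict, before, after))
    return findings


# Constructed baseline: a clean on-disk image with only an import directory.
ON_DISK_HEADER = build_optional_header(0x11000, {"IMPORT": (0x1F00, 0x28)})
# Runtime snapshot after the self-patching; directory values from the dump.
RUNTIME_HEADER = build_optional_header(0x11000, {
    "EXPORT": (0xF1A0, 0x96),
    "IMPORT": (0xE604, 0xA0),
    "BASERELOC": (0x10000, 0x1000),
    "IAT": (0x1000, 0x200),
})


def example_findings():
    return diff_directories(ON_DISK_HEADER, RUNTIME_HEADER)


if __name__ == "__main__":
    for name, verdict, before, after in example_findings():
        print(f"{name:<10} {verdict:<28} disk={before} memory={after}")
```

With real samples you would read the on-disk header from the file and the runtime header from the process (e.g. a debugger memory dump of the image base) and feed both byte strings to diff_directories; the four entries the thread lists show up as one change and three additions.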

TCM
June 8th, 2007, 12:53
I can take a look at it. Were you using IDA? If so, throw up your .IDB file.

blabberer
June 9th, 2007, 00:49
sorry TCM, i do not use ida much. i don't have the professional version and ida free sucks and is probably crippled as well in my opinion (whenever i tried using it for something it invariably crashed on me)

i prefer ollydbg to ida if it is an x86 win32 pe

so i cannot throw you an idb, sorry