
does this tmp5.tmp install any driver


blabberer
August 29th, 2008, 15:01
Found this in the %allusersprofile%\startup folder; it seems to be autorunning.
AV doesn't sound any alarm.

Creates two or three files using MoveFileEx (....,...,DELAY_UNTIL_REBOOT)


and LoadLibs this tmp_tmp# (I did not let it and just grabbed this).

The original launcher is finding DeviceIoControl through GetProcAddress,

so if someone wants to check if there is any driver involved.

I googled the random name of MOVEFILE (msupd123456 blah);

looks like a driver is involved from Google:

http://support.microsoft.com/kb/894278

but I couldn't locate any random driver,

so maybe it was dormant and hadn't yet spat out its venom coz the comp in question hasn't been rebooted for some time.


MALWARE BEWARE

password malware

Kayaker
August 30th, 2008, 03:00
Hi

The exe definitely looks for a randomly named driver and will call several DeviceIoControl IOCTLs if present. I could not however get it to generate a driver per se, so it's possible the driver is a downloaded file (or created from one) and not one embedded and executed from the exe, or dll.

This looks like the dropper file variously known as


Trojan-Downloader:W32/Injecter.GX
http://www.f-secure.com/v-descs/trojan-downloader_w32_injecter_gx.shtml

Troj/Murlo-BH
http://www.sophos.com/security/analyses/trojmurlobh.html

Troj/Agent-GIH
http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentgih.html

TrojanDropper:Win32/Cavitate.A
http://onecare.live.com/standard/en-us/virusenc/VirusEncInfo.htm?VirusName=TrojanDropper:Win32/Cavitate.A


The f-secure description is the best one, pretty much exactly what the attached file does. There is no mention in any of the descriptions though of a driver or its possible function.


Both the exe file and the dll (embedded in the exe file and loaded as tmp*.tmp) are VM-aware. Since the dll is loaded dynamically it becomes tiring to have to break on the dll loading and manually bypass the VM check each time you're running a live analysis. I found that you can easily bypass the VM check in both files by patching the exe in 2 places.

In the exe the check is right at the start. The result of the VM check (based on an encrypted SIDT test) is to return an index value into a call table:

Code:

.text:00404C80 50 push eax
.text:00404C81 E8 3A F6 FF FF call Check_VM

; returns 3 under VM, returns 6 otherwise

.text:00404C86 6A 00 push 0
.text:00404C88 FF 14 85 54 E8 40+ call CallTable[eax*4]



Also embedded in the exe in the .data section is the code for the DLL, and its VM check. It is identical and also run at DLL initialization:

Code:

.data:0040C010 6A 01 push 1
.data:0040C012 E8 71 FE FF FF call Check_VM_DLL

; returns 3 under VM, returns 6 otherwise

.data:0040C017 6A 00 push 0
.data:0040C019 FF 14 85 F4 8F 00+ call dword ptr ds:10008FF4h[eax*4]



What you can do is patch both locations, overwriting the Check_VM call entirely with the instruction
MOV EAX, 6 (plus appropriate NOPs)
which will force the correct (infective) call to be indexed from the call table.



Without a driver to analyze it's...kinda hard to analyze the driver...
However it looks like there may be several possible IOCTL codes available, and not all called by this particular exe. This makes me wonder if this is a somewhat "generic" malware driver with multiple functions, possibly downloaded from a remote site, that could be used with a family of this type of trojan.

There are 3 hardcoded IOCTLs used by DeviceIoControl calls in this malware:

220020h
220024h
220040h

and 2 more taken from an indexed table of possible IOCTL values:

.data:00406004 dd 22007Ch
.data:00406008 dd 220080h
.data:0040600C dd 220084h
.data:00406010 dd 220088h
.data:00406014 dd 22008Ch
.data:00406018 dd 220090h
.data:0040601C dd 220094h
.data:00406020 dd 220098h
.data:00406024 dd 22009Ch
.data:00406028 dd 2200A0h


That leaves 8 potential IOCTLs unused. Maybe they exist in the driver, maybe they're being developed, or maybe this is just sloppy programming, who knows? It would be interesting to find the driver..
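The IOCTL values above are plain CTL_CODE encodings, so the function numbers behind them can be read off directly. The following Python script is an added example for this thread (it is not code from the post or from the malware); it takes the codes quoted by Kayaker, splits them into the documented CTL_CODE fields (DeviceType, Access, Function, Method), and reports which table entries never appear in a given DeviceIoControl trace. The list of observed codes passed in at the bottom is an assumption taken from the argument dumps posted later in the thread (220098h and 220024h).

```python
# Added example, not code from the thread: decode the IOCTL values quoted in
# the post into their CTL_CODE fields so that the hardcoded and table-driven
# codes can be compared by function number. The CTL_CODE layout is the
# documented Windows one:
#   (DeviceType << 16) | (Access << 14) | (Function << 2) | Method

# IOCTLs hardcoded in the exe (from the post above)
HARDCODED_IOCTLS = [0x220020, 0x220024, 0x220040]

# IOCTLs in the indexed table at .data:00406004 (from the post above)
TABLE_IOCTLS = [
    0x22007C, 0x220080, 0x220084, 0x220088, 0x22008C,
    0x220090, 0x220094, 0x220098, 0x22009C, 0x2200A0,
]

METHOD_NAMES = ["METHOD_BUFFERED", "METHOD_IN_DIRECT",
                "METHOD_OUT_DIRECT", "METHOD_NEITHER"]
ACCESS_NAMES = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
                2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
# 0x22 is FILE_DEVICE_UNKNOWN, the device type most third-party drivers use
DEVICE_TYPE_NAMES = {0x22: "FILE_DEVICE_UNKNOWN"}


def ctl_code(device_type, function, method, access):
    """Build an IOCTL exactly as the CTL_CODE macro does."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code):
    """Split an IOCTL into its four CTL_CODE fields."""
    device_type = (code >> 16) & 0xFFFF
    return {
        "code": code,
        "device_type": device_type,
        "device_name": DEVICE_TYPE_NAMES.get(device_type, "0x%X" % device_type),
        "access": ACCESS_NAMES[(code >> 14) & 0x3],
        "function": (code >> 2) & 0xFFF,
        "method": METHOD_NAMES[code & 0x3],
    }


def function_numbers(codes):
    """Function field of each code, in the order given."""
    return [decode_ioctl(c)["function"] for c in codes]


def unobserved_table_entries(observed):
    """Table IOCTLs that never showed up in a DeviceIoControl call trace."""
    seen = set(observed)
    return [c for c in TABLE_IOCTLS if c not in seen]


if __name__ == "__main__":
    for c in HARDCODED_IOCTLS + TABLE_IOCTLS:
        d = decode_ioctl(c)
        print("%06X  type=%-18s func=0x%03X  %s  %s"
              % (c, d["device_name"], d["function"], d["method"], d["access"]))
    # Assumed observed set: the two IoControlCode values visible in the
    # argument dumps later in this thread. Only 220098h is a table entry.
    missing = unobserved_table_entries([0x220098, 0x220024])
    print("table entries not seen in trace:", ["%06X" % c for c in missing])
```

All thirteen codes share device type 0x22 with METHOD_BUFFERED and FILE_ANY_ACCESS; the table is simply function numbers 0x1F through 0x28 in sequence, which is what makes the "generic driver with a dispatch table" reading plausible, and the same decoder is a quick way to tell a driver's real IOCTL surface from what one sample happens to exercise.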

blabberer
August 30th, 2008, 14:48
Thanks Kayaker.

Yes, it would be interesting to find the driver, though I couldn't locate it.

Your analysis pretty much matches mine, including the I/O control codes.

Code:


0006F238 100067E7 /CALL to SetWindowsHookExA from tmp5.100067E5
0006F23C 00000004 |HookType = WH_CALLWNDPROC
0006F240 100068F0 |Hookproc = tmp5.100068F0
0006F244 10000000 |hModule = 10000000 (tmp5)
0006F248 00000DA4 \ThreadID = DA4

This is from that tmp5.

All below is from the exe.


References in shit:UPX0 to 0040E8BC..0040E8BF
Address Disassembly Comment
00401C67 MOV DWORD PTR DS:[40E8BC], EAX
00402045 CALL NEAR DWORD PTR DS:[40E8BC] kernel32.DeviceIoControl
004020EC CALL NEAR DWORD PTR DS:[40E8BC] kernel32.DeviceIoControl
0040218C CALL NEAR DWORD PTR DS:[40E8BC] kernel32.DeviceIoControl
004021E5 CALL NEAR DWORD PTR DS:[40E8BC] kernel32.DeviceIoControl
00402260 CALL NEAR DWORD PTR DS:[40E8BC] kernel32.DeviceIoControl

0012EA80 001447D0 |FileName = "\\.\wduyuyfs"
0012EA84 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012EA88 00000000 |ShareMode = 0
0012EA8C 00000000 |pSecurity = NULL
0012EA90 00000003 |Mode = OPEN_EXISTING
0012EA94 00000080 |Attributes = NORMAL
0012EA98 00000000 \hTemplateFile = NULL

Handles, item 5
Handle=00000040
Type=File (dev)
Refs= 2.
Access=0012019F SYNCHRONIZE|READ_CONTROL|READ_DATA|WRITE_DATA|APPEND_DATA|READ_EA|WRITE_EA|READ_ATTRIBUTES|WRITE_ATTRIBUTES
Name=\Device\wduyuyfs


0012EF6C 00000040 |hDevice = 00000040 (window)
0012EF70 00220098 |IoControlCode = 220098
0012EF74 00000000 |InBuffer = NULL
0012EF78 00000000 |InBufferSize = 0
0012EF7C 00143820 |OutBuffer = 00143820
0012EF80 00000014 |OutBufferSize = 14 (20.)
0012EF84 0012EFA4 |pBytesReturned = 0012EFA4
0012EF88 00000000 \pOverlapped = NULL

00143820 62 00 3A 00 5C 00 31 00 2E 00 65 00 78 00 78 00 b.:.\.1...e.x.x.
00143830 00 00 00 00 ....

0012EF9C 80000002 |hKey = HKEY_LOCAL_MACHINE
0012EFA0 0012F688 |Subkey = "Software\Microsoft\Internet Explorer\PUID"
0012EFA4 00000000 |Reserved = 0
0012EFA8 00000001 |Access = KEY_QUERY_VALUE
0012EFAC 0012EFC0 \pHandle = 0012EFC0

0012EAF4 00000000 |CodePage = CP_ACP
0012EAF8 00000000 |Options = 0
0012EAFC 0012F584 |StringToMap = "\Registry\Machine\Software\Microsoft\Internet Explorer\PUID"
0012EB00 FFFFFFFF |StringSize = FFFFFFFF (-1.)
0012EB04 0012EB30 |WideCharBuf = 0012EB30
0012EB08 0000003C \WideBufSize = 3C (60.)


0012EB00 00000040 |hDevice = 00000040 (window)
0012EB04 00220024 |IoControlCode = 220024
0012EB08 00000000 |InBuffer = NULL
0012EB0C 00000000 |InBufferSize = 0
0012EB10 0012EB30 |OutBuffer = 0012EB30
0012EB14 0000046C |OutBufferSize = 46C (1132.)
0012EB18 0012EB2C |pBytesReturned = 0012EB2C
0012EB1C 00000000 \pOverlapped = NULL

0012EB30 5C 00 52 00 65 00 67 00 69 00 73 00 74 00 72 00 \Registr
0012EB40 79 00 5C 00 4D 00 61 00 63 00 68 00 69 00 6E 00 y\Machin
0012EB50 65 00 5C 00 53 00 6F 00 66 00 74 00 77 00 61 00 e\Softwa
0012EB60 72 00 65 00 5C 00 4D 00 69 00 63 00 72 00 6F 00 re\Micro
0012EB70 73 00 6F 00 66 00 74 00 5C 00 49 00 6E 00 74 00 soft\Int
0012EB80 65 00 72 00 6E 00 65 00 74 00 20 00 45 00 78 00 ernet Ex
0012EB90 70 00 6C 00 6F 00 72 00 65 00 72 00 5C 00 50 00 plorer\P
0012EBA0 55 00 49 00 44 00 00 UID.



Memory map, item 27
Address=02AE0000
Size=00009000 (36864.)
Owner= 02AE0000 (itself)
Section=
Type=Map 00041004
Access=RW
Initial access=RW
Mapped as=\Device\HarddiskVolume1\DOCUME~1\*******\LOCALS~1\Temp\tmp5.tmp

0012EF6C 00000040 |hDevice = 00000040 (window)
0012EF70 00220098 |IoControlCode = 220098
0012EF74 00000000 |InBuffer = NULL
0012EF78 00000000 |InBufferSize = 0
0012EF7C 00143820 |OutBuffer = 00143820
0012EF80 00000014 |OutBufferSize = 14 (20.)
0012EF84 0012EFA4 |pBytesReturned = 0012EFA4
0012EF88 00000000 \pOverlapped = NULL

00143820 62 00 3A 00 5C 00 31 00 2E 00 65 00 78 00 78 00 b.:.\.1...e.x.x.
00143830 00 00 00 00 ....


Memory map, item 27
Address=02AE0000
Size=00001000 (4096.)
Owner= 02AE0000 (itself)
Section=
Type=Map 00041004
Access=RW
Initial access=RW
Mapped as=\Device\HarddiskVolume1\DOCUME~1\*****\LOCALS~1\Temp\tmpE.bat


:loop
del "C:\Documents and Settings\***************\Desktop\foo\somevirus\shit.exe"
if exist "C:\Documents and Settings\***************\Desktop\foo\somevirus\shit.exe" goto loop
del "C:\DOCUME~1\*******\LOCALS~1\Temp\tmpE.bat"



0012E7E8 004050AA /CALL to WinExec from shit.004050A8
0012E7EC 0012E8A8 |CmdLine = "C:\DOCUME~1\******\LOCALS~1\Temp\tmpE.bat"
0012E7F0 00000000 \ShowState = SW_HIDE
0012E7F4 7C81E85C kernel32.DeleteFileA
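The dumps above already contain everything a responder needs to hunt for this sample on other hosts: the device name it opens, the IOCTLs it sends, the temp files it maps, and the batch file it runs to delete itself. The following Python script is an added example (not code from the thread) that pulls those indicators out of OllyDbg-style argument, handle and memory-map dumps; the embedded sample is a constructed excerpt of the lines posted above, and the regular expressions assume that exact `|Name = value` dump layout.

```python
import re

# Constructed sample: lines excerpted from the OllyDbg dumps posted in this
# thread (CreateFile arguments, handle list, DeviceIoControl arguments,
# memory map, the dropped batch file and the WinExec call).
SAMPLE_TRACE = r"""
0012EA80 001447D0 |FileName = "\\.\wduyuyfs"
0012EA84 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0012EA90 00000003 |Mode = OPEN_EXISTING
Handle=00000040
Type=File (dev)
Name=\Device\wduyuyfs
0012EF6C 00000040 |hDevice = 00000040 (window)
0012EF70 00220098 |IoControlCode = 220098
0012EB04 00220024 |IoControlCode = 220024
Mapped as=\Device\HarddiskVolume1\DOCUME~1\*******\LOCALS~1\Temp\tmp5.tmp
Mapped as=\Device\HarddiskVolume1\DOCUME~1\*****\LOCALS~1\Temp\tmpE.bat
:loop
del "C:\Documents and Settings\***************\Desktop\foo\somevirus\shit.exe"
if exist "C:\Documents and Settings\***************\Desktop\foo\somevirus\shit.exe" goto loop
del "C:\DOCUME~1\*******\LOCALS~1\Temp\tmpE.bat"
0012E7E8 004050AA /CALL to WinExec from shit.004050A8
0012E7EC 0012E8A8 |CmdLine = "C:\DOCUME~1\******\LOCALS~1\Temp\tmpE.bat"
0012E7F0 00000000 \ShowState = SW_HIDE
"""

# \\.\name passed to CreateFile (user-mode symbolic link to the device)
DEVICE_PATH_RE = re.compile(r'\|FileName = "(\\\\\.\\[^"]+)"')
# \Device\name as shown in the handle list
DEVICE_OBJ_RE = re.compile(r'^Name=(\\Device\\\S+)', re.M)
IOCTL_RE = re.compile(r'\|IoControlCode = ([0-9A-Fa-f]+)')
MAPPED_RE = re.compile(r'^Mapped as=(\S+)', re.M)
# WinExec call line followed by its CmdLine argument on the next line
WINEXEC_RE = re.compile(r'/CALL to WinExec from \S+\n.*?\|CmdLine = "([^"]+)"')
# ":label / del "x" / if exist "x" goto label" is the classic self-delete loop
SELF_DELETE_RE = re.compile(r'^:(\w+)\s*\ndel "([^"]+)"\s*\nif exist "\2" goto \1', re.M)


def extract_indicators(trace):
    """Collect host-based indicators from a debugger dump."""
    m = SELF_DELETE_RE.search(trace)
    return {
        "device_paths": sorted(set(DEVICE_PATH_RE.findall(trace))),
        "device_objects": sorted(set(DEVICE_OBJ_RE.findall(trace))),
        "ioctls": sorted({int(x, 16) for x in IOCTL_RE.findall(trace)}),
        "mapped_temp_files": sorted({p.rsplit("\\", 1)[-1]
                                     for p in MAPPED_RE.findall(trace)}),
        "exec_cmdlines": WINEXEC_RE.findall(trace),
        "self_delete_target": m.group(2) if m else None,
    }


def device_object_consistent(ind):
    """True if every opened user-mode device path has a matching kernel device object."""
    names = {p.rsplit("\\", 1)[-1] for p in ind["device_paths"]}
    objs = {o.rsplit("\\", 1)[-1] for o in ind["device_objects"]}
    return names <= objs


if __name__ == "__main__":
    ind = extract_indicators(SAMPLE_TRACE)
    for key, val in ind.items():
        if key == "ioctls":
            val = ["%06X" % c for c in val]
        print("%-18s %s" % (key + ":", val))
    print("device path/object match:", device_object_consistent(ind))
```

The device object name (`\Device\wduyuyfs` here) is the indicator worth keying on: the temp file names are random per run, but a kernel object with that name only exists while the driver is loaded, so a query of the object namespace on a suspect host either finds the driver Kayaker could not, or confirms it never got installed before the reboot.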