Silkut
February 14th, 2010, 10:30
http://www.virustotal.com/analisis/3a4b84557ffbbd32cdaf43efbc0ba5d11a5b22d690580da5930a79da0027b662-1266157076 8/41

Also submitted on TE/Jotti/CWSandbox/Norman/Sunbelt
Reg changes and network activity are interesting...
Ensures it runs at every start
Code:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "TOY5KNQ8OC" = C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\Hm1.exe
Drops shit (bet it's a backdoor)
Code:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SSHNAS\Parameters "ServiceDll" = [REG_EXPAND_SZ, value: C:\WINDOWS\system32\sshnas21.dll]
Changes filetype association:
Code:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cpp ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cpp "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cpp "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cpp "ScriptOk"
Crypted config to avoid e-z detection
Code:
HKEY_CURRENT_USER\Software\TOY5KNQ8OC "Hr0" = tSLPLpWL7R22spR48AI743bz2Kge8sERw0qmuz25hgohx8cxtNMwr8rBWqitGUb/zraVBDDj5hLpEwYXNxEcPXZ9sJFaDKKtXmxIvCsKfL3BUK2YmKdwy0wP+mREmBu3qeV4TyHp6lc/8xIj6ehCR1T2ygeXbopFSi+wcuZzVX7WEc60vs/gvM40+JErmIzaB2QhZba725R1sr2kOfmVOMnMlPUv0JruzRQ9mA==
Abuses your TCP/IP network
Code:
\Device\Tcp
\Device\Ip
\Device\Ip
\Device\Tcp6
\Device\RasAcd
Adds tasks (and hides them)
Code:
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
Checks for nifty tools
Code:
Open File: \\.\SICE (OPEN_EXISTING)
Open File: \\.\NTICE (OPEN_EXISTING)
Open File: \\.\SIWVIDSTART (OPEN_EXISTING)
Open File: \\.\VMDRV (OPEN_EXISTING)
Open File: \\.\PIPE\ROUTER (OPEN_EXISTING)
Posts shit to infected sites
Code:
http://66.199.229.230/bbgfvdfv.php?data=v26MmjSySdemXz907AUYROBra+ftI9M9b4xfTXYnLRkHCVTSihWLzGqhA0jEdVaN1M6V6shGcAiBMF4QEH bzbYSRtufQpaX/NPttvu7rkw== (workartsstudio.com)
http://64.20.38.251/logos/2aac1e812a13a04cf10ec85187f31ca7b22154fc7b77b63fec5e37e6648b5f8a317d04508db39388c/64d84457f3e/logo.gif (homeartscenter.com)
http://94.75.228.24/werber/34f8b457d37/217.gif (multiartshouse.com)
http://69.10.35.253/perce/9acc6e112a53a02cf1fef83147c3fc073291b47c8b77c66ffccea7e6e42baf7ae11d94007d4333783/24a874f7a37/qwerce.gif (tangoartsshow.com)
http://208.43.125.180/oms.php (yourgot.com)
http://66.197.161.246/resolution.php (motorolam.com)
http://66.197.161.247/borders.php (easyaw.com)
etc etc...
MMPC report status (so they can shut this prick down): https://www.microsoft.com/security/portal/Submission/SubmissionHistory.aspx?SubmissionId=e3d2c8a8-480b-4228-bdf3-5b7f2f302ba2&n=1
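The sandbox output quoted in the post above lends itself to automated triage: the Run key, the ServiceDll entry, the opaque registry blob, the debugger/VM device probes and the callback URLs each follow a regular line shape. The script below is an added example written for this page, not code from the post or from any sandbox vendor; it parses a small report in that shape and groups the lines into persistence, anti-analysis, encoded-config, scheduled-task and network findings, and additionally links the random Run-entry name to the registry key holding the encoded blob (the post shows both but does not tie them together). The sample report is constructed from trimmed lines of the post, and the device-name list covers only the names the post itself reports.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample: trimmed lines in the same shape as the sandbox output
# quoted in the post (registry key "name" = data, device opens, job file, URLs).
SAMPLE_REPORT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "TOY5KNQ8OC" = C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\Hm1.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SSHNAS\Parameters "ServiceDll" = [REG_EXPAND_SZ, value: C:\WINDOWS\system32\sshnas21.dll]
HKEY_CURRENT_USER\Software\TOY5KNQ8OC "Hr0" = tSLPLpWL7R22spR48AI743bz2Kge8sERw0qmuz25hgohx8cxtNMwr8rBWqitGUb/zraVBDDj5hLpEwYXNxEcPXZ9sJFaDKKtXmxIvCsKfL3BUK2YmKdwy0wP+mREmBu3qeV4TyHp6lc/8xIj6ehCR1T2ygeXbopFSi+wcuZzVX7WEc60vs/gvM40+JErmIzaB2QhZba725R1sr2kOfmVOMnMlPUv0JruzRQ9mA==
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
Open File: \\.\SICE (OPEN_EXISTING)
Open File: \\.\NTICE (OPEN_EXISTING)
Open File: \\.\VMDRV (OPEN_EXISTING)
Open File: \\.\PIPE\ROUTER (OPEN_EXISTING)
http://66.199.229.230/bbgfvdfv.php?data=v26MmjSySdemXz907AUYROBra (workartsstudio.com)
http://64.20.38.251/logos/2aac1e812a13a04cf10ec85187f31ca7b22154fc7b77b63fec5e37e6648b5f8a317d04508db39388c/64d84457f3e/logo.gif (homeartscenter.com)
"""

# Line shapes seen in the post; the key path is matched lazily so it may contain spaces.
REG_LINE = re.compile(r'^(HKEY_[A-Z_]+\\.+?)\s+"([^"]*)"\s*=\s*(.*)$')
REG_TYPED = re.compile(r'^\[(\w+), value: (.*)\]$')          # [REG_EXPAND_SZ, value: ...]
DEVICE_OPEN = re.compile(r'^Open File:\s+\\\\\.\\(\S+?)\s*\(')  # Open File: \\.\NAME (...)
URL_LINE = re.compile(r'^(https?://\S+)(?:\s+\(([^)]+)\))?')     # url (hostname hint)
TASK_JOB = re.compile(r'\\Tasks\\[^\\]+\.job$', re.IGNORECASE)
B64_BLOB = re.compile(r'^[A-Za-z0-9+/]{40,}={0,2}$')            # long base64-looking data
IPV4 = re.compile(r'^\d{1,3}(\.\d{1,3}){3}$')

# Device names the sample probes for; these are the names the post lists as
# "nifty tools" (kernel debugger / VM driver devices). Extend as needed.
ANTI_ANALYSIS_DEVICES = {"SICE", "NTICE", "SIWVIDSTART", "VMDRV"}


def parse_registry(line):
    """Split a 'KEY "name" = data' line into its parts, unwrapping typed data."""
    m = REG_LINE.match(line)
    if not m:
        return None
    key, name, data = m.groups()
    t = REG_TYPED.match(data)
    reg_type, value = (t.group(1), t.group(2)) if t else ("REG_SZ", data)
    return {"key": key, "name": name, "type": reg_type, "value": value}


def triage(report_text):
    """Classify report lines into defender-relevant finding buckets."""
    findings = {"persistence": [], "anti_analysis": [], "encoded_config": [],
                "scheduled_tasks": [], "network": []}
    reg_entries, run_names = [], set()

    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        entry = parse_registry(line)
        if entry:
            reg_entries.append(entry)
            continue
        m = DEVICE_OPEN.match(line)
        if m:
            dev = m.group(1).upper()
            if dev in ANTI_ANALYSIS_DEVICES:
                findings["anti_analysis"].append(dev)
            continue
        if TASK_JOB.search(line):
            findings["scheduled_tasks"].append(line)
            continue
        m = URL_LINE.match(line)
        if m:
            url, hint = m.groups()
            host = urlparse(url).hostname or ""
            findings["network"].append({"url": url, "ip": host, "path": urlparse(url).path,
                                        "host_hint": hint, "direct_ip": bool(IPV4.match(host))})

    # Pass 1: persistence. Run/RunOnce entries and svchost-style ServiceDll values.
    for e in reg_entries:
        k = e["key"].lower()
        if k.endswith("\\currentversion\\run") or k.endswith("\\currentversion\\runonce"):
            run_names.add(e["name"])
            findings["persistence"].append({"technique": "run_key", "name": e["name"], "binary": e["value"]})
        elif e["name"].lower() == "servicedll" and "\\services\\" in k:
            svc = re.split(r'\\services\\', e["key"], flags=re.IGNORECASE)[1].split("\\")[0]
            findings["persistence"].append({"technique": "service_dll", "service": svc, "binary": e["value"]})

    # Pass 2: opaque blobs, linked back to a Run entry when the key name matches.
    for e in reg_entries:
        if B64_BLOB.match(e["value"]):
            owner = e["key"].split("\\")[-1]
            findings["encoded_config"].append({"key": e["key"], "name": e["name"],
                                               "linked_to_run_entry": owner in run_names,
                                               "length": len(e["value"])})
    return findings


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```

Running it on the constructed sample reports two persistence mechanisms (the Run entry and the SSHNAS ServiceDll), three anti-analysis device probes, one hidden job file, one encoded blob tied to the Run entry's random name, and two direct-to-IP callbacks; the `host_hint` field keeps the hostname the sandbox attached to each IP so the two can be cross-checked against DNS records during response.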