Spyware or what ? [Archive] - RCE Messageboard's Regroupment

View Full Version : Spyware or what ?

seven

January 14th, 2007, 20:19

Hi all , I Found this proggy in TEMP FOLDER

deleted more than 1000 timez returned again

iz it a spyware or trojan or virus or what ?

blurcode

January 14th, 2007, 20:23

All three together?

esther

January 14th, 2007, 21:59

Please delete the attachment.Yes it is 3 in 1.

you might need to boot in safe mode and get rid of it

Kayaker

January 15th, 2007, 01:05

Yep, Mcafee calls this Generic AdClicker.b Trojan. So, should we delete the attachment, or is this a reversing forum? What about using this as a real-life miniproject target?

Sure, cracking shareware is instructional and builds up a reversers skills. Doing crackmes is a pleasant pastime. Neither of these have much "danger" factor to them.

What if you want to get into the AV/anti malware field, where companies are actually begging for qualified people who have the expertise to handle the "hot" targets such as this one. You got the skillz to deal with such a beast as this one? Got a VM set up? How's your outgoing firewall? Can you analyze it without inadvertantly destroying your system?

Maybe as a group project those with more experience can guide those with less who might be a bit hesitant to work with such a file.

Wanna try?

blabberer

January 15th, 2007, 04:14

malwares are fun to play with

this looks like it uses gdi to write text to where ever it is going to write

ok when dealing with malwares one doesnt start out debugging it one atleast would have a cursory glance statically before proceeding to load it in debugger else some clever little tricks may simply trick you into falling for the baits

those who prefer to use thier favourite hexeditor or lordpe or whatever are free to use them

ill use ollydbg only

let go

unzip the attachment (use a virtual machine to follow dont use your production machine to follow unless you are absolutely sure you can deal with consequnces successfully )

start ollydbg
view -> file --> load the 12345678.exe

go to offset 0
right click ->special --> pe header

what do you notice (if you are familiar already with pe header formats it doesnt look like a normal pe header so you can be sure that this is not a normal binary it could be packed crypted obfuscated whatever

so no point loading it directly in a debugger lets poke around a little bit more
lets find the entry point and see if we could deciper some more things before taking the plunge

ok we see te section headers we see its virtual address is 24000 at pointer to raw size is 200 and address of entry point is 27462

so its located pysically at
27462 - 24000 + 200 lets do ctrl+g

and type in 3662

we pore over the diassembly and all we see are few calls and short jumps within viewable distances only one jump in there that sticks out like a sore thumb
can you identify it and tell why it could be usefull enough
from the jump can you really identify the oep ?? just with basic information and the opcodes ??

and can you follow your gut instinct and prove your hypothesis is rigth ?

you havent yet loaded it in debugger or a real disassembler that would make your life little easier but you can still be about 99.9% sure about the oep you would decipher at this stage

ill post my hypothesis later
any one else ???

some of the imports it resolves and some strings generated after unpacking are like this what do you find if you hunt down information on the urls ?

Code:



77D40000   Module C:\WINDOWS\system32\user32.dll

0042750B   COND: ReleaseDC

0042750B   COND: GlobalFree

0042750B   COND: GlobalLock

0042750B   COND: GlobalUnlock

0042750B   COND: LocalAlloc

0042750B   COND: LocalFree

0042750B   COND: MultiByteToWideChar

0042750B   COND: ReadFile

0042750B   COND: SetEndOfFile

0042750B   COND: SetFilePointer

0042750B   COND: Sleep

0042750B   COND: WideCharToMultiByte

0042750B   COND: WinExec

0042750B   COND: WriteFile

0042750B   COND: lstrcatA

0042750B   COND: lstrcmpA

0042750B   COND: lstrcmpiA

0042750B   COND: lstrcpyA

0042750B   COND: lstrcpynA

0042750B   COND: lstrlenA

0042750B   COND: GlobalAlloc

0042750B   COND: GetVersionExA

0042750B   COND: GetTickCount

0042750B   COND: GetTempPathA

0042750B   COND: GetSystemDirectoryA

0042750B   COND: GetModuleFileNameA

0042750B   COND: GetCurrentProcess

0042750B   COND: CloseHandle

0042750B   COND: HeapFree

0042750B   COND: HeapAlloc

0042750B   COND: GetProcessHeap

0042750B   COND: GetFileSize

0042750B   COND: CopyFileA

0042750B   COND: CreateFileA

0042750B   COND: DeleteFileA

0042750B   COND: ExitProcess

77F10000   Module C:\WINDOWS\system32\GDI32.dll

77DD0000   Module C:\WINDOWS\system32\advapi32.dll

0042750B   COND: OpenProcessToken

0042750B   COND: LookupPrivilegeValueA

0042750B   COND: RegCloseKey

0042750B   COND: RegOpenKeyExA

0042750B   COND: RegSetValueExA

0042750B   COND: AdjustTokenPrivileges

77E70000   Module C:\WINDOWS\system32\RPCRT4.dll

771B0000   Module C:\WINDOWS\system32\wininet.dll

77C10000   Module C:\WINDOWS\system32\msvcrt.dll

77F60000   Module C:\WINDOWS\system32\SHLWAPI.dll

77A80000   Module C:\WINDOWS\system32\CRYPT32.dll

77B20000   Module C:\WINDOWS\system32\MSASN1.dll

77120000   Module C:\WINDOWS\system32\OLEAUT32.dll

774E0000   Module C:\WINDOWS\system32\ole32.dll

773D0000   Module C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll

0042750B   COND: InternetCloseHandle

0042750B   COND: HttpSendRequestA

0042750B   COND: HttpOpenRequestA

0042750B   COND: FindNextUrlCacheEntryA

0042750B   COND: FindFirstUrlCacheEntryA

0042750B   COND: DeleteUrlCacheEntryA

0042750B   COND: InternetConnectA

77260000   Module C:\WINDOWS\system32\urlmon.dll

0042750B   COND: URLDownloadToFileA

77C00000   Module C:\WINDOWS\system32\VERSION.dll

7C9C0000   Module C:\WINDOWS\system32\shell32.dll

0042750B   COND: ShellExecuteA

0042750B   COND: GetTextExtentPoint32A

0042750B   COND: GetObjectA

0042750B   COND: DeleteObject

0042750B   COND: PatBlt

0042750B   COND: CreateFontA

0042750B   COND: CreateCompatibleDC

0042750B   COND: CreateCompatibleBitmap

0042750B   COND: SelectObject

0042750B   COND: StretchBlt

0042750B   COND: TextOutA

0042750B   COND: CreateDIBitmap

0042750B   COND: CreateDIBSection

0042750B   COND: DeleteDC

0042750B   COND: OleInitialize

0042750B   COND: OleUninitialize

0042750B   COND: CoCreateInstance

0042750B   COND: VariantInit

0042750B   COND: SysFreeString

0042750B   COND: SysAllocString



Text strings referenced in 47547792:

Address    Disassembly                               Text string

00401000   PUSH    EBP                               (Initial CPU selection)

0040121F   PUSH    47547792.00408C3D                 ASCII "complete"

0040125F   PUSH    47547792.00408C48                 ASCII "interactive"

0040127C   PUSH    47547792.00408C54                 ASCII "HL_"

00401281   PUSH    47547792.00408000                 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="

0040128D   PUSH    47547792.00408C58                 ASCII "HD_"

00401292   PUSH    47547792.00408000                 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="

004012A9   PUSH    47547792.00408C5C                 ASCII "DO_"

004012AE   PUSH    47547792.00408000                 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="

004012BA   PUSH    47547792.00408C60                 ASCII "IW_"

004012BF   PUSH    47547792.00408000                 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="

004013FC   PUSH    47547792.00408C64                 ASCII "7search.com/scripts/security/validate.asp"

00401479   PUSH    47547792.00408C94                 ASCII "http://66.199.179.8/search.php"

0040148D   PUSH    47547792.00408CB4                 ASCII "http://65.39.170.123/search.php"

004014B8   PUSH    47547792.00408CD4                 ASCII "http://66.250.74.152/click_second"

00401781   PUSH    47547792.00408CFC                 ASCII "NC2_"

00401786   PUSH    47547792.00408000                 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="

004017A6   PUSH    47547792.00408D04                 ASCII "NW_"

004017AB   PUSH    47547792.00408000                 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="

004017CE   PUSH    47547792.0040853E                 ASCII "winlogon.exe"

004017F0   PUSH    47547792.0040853E                 ASCII "winlogon.exe"

0040184C   PUSH    47547792.0040854B                 ASCII "%d.%d-"

00401863   PUSH    47547792.00408000                 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="

00401878   PUSH    47547792.004084EB                 ASCII "no"

0040187D   PUSH    47547792.004084E2                 ASCII "PopupMgr"

00401882   PUSH    47547792.00408487                 ASCII "Software\Microsoft\Internet Explorer\New Windows"

00401891   PUSH    47547792.004084EB                 ASCII "no"

00401896   PUSH    47547792.004084F2                 ASCII "Display Inline Images"

0040189B   PUSH    47547792.004084B8                 ASCII "Software\Microsoft\Internet Explorer\Main"

004018AA   PUSH    47547792.004084EB                 ASCII "no"

004018AF   PUSH    47547792.00408508                 ASCII "Display Inline Videos"

004018B4   PUSH    47547792.004084B8                 ASCII "Software\Microsoft\Internet Explorer\Main"

004018DE   PUSH    47547792.00408AF1                 ASCII "Regsvr32.exe /s shdocvw.dll"

004019B1   PUSH    47547792.00408D08                 ASCII "&er["

004019B6   PUSH    47547792.00408000                 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="

004019C5   PUSH    47547792.00408000                 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="

004019CF   PUSH    47547792.00408D10                 ASCII "]="

004019D4   PUSH    47547792.00408000                 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="

00401A19   PUSH    47547792.00408D14                 ASCII "SW_"

00401A1E   PUSH    47547792.00408000                 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="

00401A4C   PUSH    47547792.00408D18                 ASCII "RB_"

00401A51   PUSH    47547792.00408000                 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="

00401A6A   PUSH    47547792.00408552                 ASCII "ghdfggf6j.tmp"

00401A82   PUSH    47547792.00408000                 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="

00401D9C   PUSH    47547792.00408D1C                 ASCII "DC_"

00401DA1   PUSH    47547792.00408000                 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="

00401E06   PUSH    47547792.00408D20                 ASCII "NL_"

00401E0B   PUSH    47547792.00408000                 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="

00401E28   PUSH    47547792.00408D24                 ASCII "EC_"

00401E2D   PUSH    47547792.00408000                 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="

00401E40   PUSH    47547792.00408D28                 ASCII "NC_"

00401E45   PUSH    47547792.00408000                 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="

00401E65   PUSH    47547792.00408D2C                 ASCII "OW_"

00401E6A   PUSH    47547792.00408000                 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="

00401EC7   PUSH    47547792.00408D30                 ASCII "testovaya hren"

0040200B   PUSH    47547792.004085B8                 ASCII "Suurch

findnseek

shopzil

www.suurch.com

"

00402078   PUSH    47547792.00408566                 ASCII "add to card

checkout

continue shopping

download

submit

click here

cart

"

00402223   PUSH    47547792.00408D40                 ASCII "Im_"

00402228   PUSH    47547792.00408000                 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="

00402284   PUSH    47547792.00408D44                 ASCII "Lim_"

00402289   PUSH    47547792.00408000                 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="

004022BC   PUSH    47547792.00408D4C                 ASCII "Tc_"

004022C1   PUSH    47547792.00408000                 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="

004022D0   PUSH    47547792.00408000                 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="

004023C9   PUSH    47547792.00408D50                 ASCII "Mc_"

004023CE   PUSH    47547792.00408000                 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="

004023F5   PUSH    47547792.00408D54                 ASCII "Lp_"

004023FA   PUSH    47547792.00408000                 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="

00402634   PUSH    47547792.00408D5C                 ASCII "value=no_spyware"

004026EA   PUSH    47547792.00408D70                 ASCII "f1"

0040271B   PUSH    47547792.00408D74                 ASCII "f3"

00402752   PUSH    47547792.00408D78                 ASCII "None"

00402765   PUSH    47547792.00408D80                 ASCII "none"

0040283E   PUSH    47547792.00408D88                 ASCII "FC_"

00402843   PUSH    47547792.00408000                 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="

004029F7   PUSH    47547792.00408D8C                 ASCII "Im_"

004029FC   PUSH    47547792.00408000                 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="

00402A44   PUSH    47547792.00408D90                 ASCII "66.250.74.152/kw_img/img_gen.php"

00402BB4   PUSH    47547792.00408DB4                 ASCII "Im_"

00402BB9   PUSH    47547792.00408000                 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="

00402C6D   PUSH    47547792.00408DBC                 ASCII "Tc_"

00402C72   PUSH    47547792.00408000                 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="

00402C81   PUSH    47547792.00408000                 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="

00402D78   PUSH    47547792.00408DC0                 ASCII "Mc_"

00402D7D   PUSH    47547792.00408000                 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="

00402F06   PUSH    47547792.00408DC4                 ASCII "fc"

00402F0B   PUSH    47547792.00408000                 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="

0040304D   PUSH    47547792.00408DC8                 ASCII "ac"

00403052   PUSH    47547792.00408000                 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="

00403176   PUSH    47547792.00408DCC                 ASCII "rc"

0040317B   PUSH    47547792.00408000                 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="

00403414   PUSH    47547792.00408DD0                 ASCII "BODY_"

00403419   PUSH    47547792.00408000                 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="

00403568   PUSH    47547792.00408443                 ASCII "grdsfsd.bat"

00403598   PUSH    47547792.0040844F                 ASCII ":gl234sh

del %1

if exist %1 goto gl234sh

del %0"

004035AB   PUSH    47547792.0040844F                 ASCII ":gl234sh

del %1

if exist %1 goto gl234sh

del %0"

004035C8   ASCII   ""%s"",0

004035D2   PUSH    47547792.004035C8                 ASCII ""%s""

004035F3   PUSH    47547792.00408482                 ASCII "open"

00403759   PUSH    47547792.004085E7                 ASCII "\drivers\etc\hosts"

004038DF   PUSH    47547792.00408DD8                 ASCII "text="

004038F7   PUSH    47547792.00408DE0                 ASCII "&url="

00403911   ASCII   "Content-Type: ap"

00403921   ASCII   "plication/x-www-"

00403931   ASCII   "form-urlencoded",0

0040394A   PUSH    47547792.00408DE8                 ASCII "MyAgent"

0040396B   PUSH    47547792.00408428                 ASCII "greeng.biz"

00403989   PUSH    47547792.00408437                 ASCII "ht/post.php"

0040398E   PUSH    47547792.00408DF0                 ASCII "POST"

004039B0   PUSH    47547792.00403911                 ASCII "Content-Type: application/x-www-form-urlencoded"

00403A4D   PUSH    47547792.00408DF8                 ASCII "Shell DocObject View"

00403A61   PUSH    47547792.00408E0D                 ASCII "Internet Explorer_Server"

00403CA5   MOV     EDI, 47547792.0040863A            ASCII "Arial"

00403D89   PUSH    47547792.00408E26                 ASCII "%ld_%ld_%ld"

00403DA4   PUSH    47547792.00408000                 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="

004042E2   PUSH    47547792.00408E34                 ASCII "%lX.png"

00404473   PUSH    47547792.00408E3C                 ASCII "RZ_"

00404478   PUSH    47547792.00408000                 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="

004044CE   PUSH    47547792.00408E40                 ASCII "Arial"

004045BD   PUSH    47547792.00408E48                 ASCII "%lX.png"

004048EC   PUSH    47547792.00408560                 ASCII "-%lX-"

00404907   PUSH    47547792.00408000                 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="

00404931   PUSH    47547792.00408ADD                 ASCII "SeShutdownPrivilege"



00408000   ASCII   "http://greeng.bi"

00408010   ASCII   "z:2080/rd/rep.ph"

00408020   ASCII   "p?er[0]=",0

00408428   ASCII   "greeng.biz",0

00408437   ASCII   "ht/post.php",0

00408443   ASCII   "grdsfsd.bat",0

0040844F   ASCII   ":gl234sh

del %1"

0040845F   ASCII   "

if exist %1 go"

0040846F   ASCII   "to gl234sh

del "

0040847F   ASCII   "%0",0

00408482   ASCII   "open",0

00408487   ASCII   "Software\Microso"

00408497   ASCII   "ft\Internet Expl"

004084A7   ASCII   "orer\New Windows"

004084B7   ASCII   0

004084B8   ASCII   "Software\Microso"

004084C8   ASCII   "ft\Internet Expl"

004084D8   ASCII   "orer\Main",0

004084E2   ASCII   "PopupMgr",0

004084EB   ASCII   "no",0

004084EE   ASCII   "yes",0

004084F2   ASCII   "Display Inline I"

00408502   ASCII   "mages",0

00408508   ASCII   "Display Inline V"

00408518   ASCII   "ideos",0

0040853E   ASCII   "winlogon.exe",0

0040854B   ASCII   "%d.%d-",0

00408552   ASCII   "ghdfggf6j.tmp",0

00408560   ASCII   "-%lX-",0

00408566   ASCII   "add to card

che"

00408576   ASCII   "ckout

continue "

00408586   ASCII   "shopping

downlo"

00408596   ASCII   "ad

submit

clic"

004085A6   ASCII   "k here

cart

",0

004085B8   ASCII   "Suurch

findnsee"

004085C8   ASCII   "k

shopzil

www."

004085D8   ASCII   "suurch.com

",0

004085E7   ASCII   "\drivers\etc\hos"

004085F7   ASCII   "ts",0

004085FA   ASCII   "ABCDEFGHIJKLMNOP"

0040860A   ASCII   "QRSTUVWXYZabcdef"

0040861A   ASCII   "ghijklmnopqrstuv"

0040862A   ASCII   "wxyz0123456789+_"

0040863A   ASCII   "Arial",0

00408640   ASCII   "Century Gothic",0

0040864F   ASCII   "Haettenschweiler"

0040865F   ASCII   0

00408660   ASCII   "Times New Roman",0

00408670   ASCII   "MS Sans Serif",0

0040867E   ASCII   "AvantGarde Bk BT"

0040868E   ASCII   0

0040868F   ASCII   "Comic Sans MS",0

0040869D   ASCII   "Courier New",0

00408ADD   ASCII   "SeShutdownPrivil"

00408AED   ASCII   "ege",0

00408AF1   ASCII   "Regsvr32.exe /s "

00408B01   ASCII   "shdocvw.dll",0

00408C3D   ASCII   "complete",0

00408C48   ASCII   "interactive",0

00408C54   ASCII   "HL_",0

00408C58   ASCII   "HD_",0

00408C5C   ASCII   "DO_",0

00408C60   ASCII   "IW_",0

00408C83   ASCII   "lidate.asp",0

00408C94   ASCII   "http://66.199.17"

00408CA4   ASCII   "9.8/search.php",0

00408CB4   ASCII   "http://65.39.170"

00408CC4   ASCII   ".123/search.php",0

00408CD4   ASCII   "http://66.250.74"

00408CE4   ASCII   ".152/click_secon"

00408CF4   ASCII   "d",0

00408CFC   ASCII   "NC2_",0

00408D04   ASCII   "NW_",0

00408D08   ASCII   "&er[",0

00408D10   ASCII   "]=",0

00408D14   ASCII   "SW_",0

00408D18   ASCII   "RB_",0

00408D1C   ASCII   "DC_",0

00408D20   ASCII   "NL_",0

00408D24   ASCII   "EC_",0

00408D28   ASCII   "NC_",0

00408D2C   ASCII   "OW_",0

00408D30   ASCII   "testovaya hren",0

00408D40   ASCII   "Im_",0

00408D44   ASCII   "Lim_",0

00408D4C   ASCII   "Tc_",0

00408D50   ASCII   "Mc_",0

00408D54   ASCII   "Lp_",0

00408D5C   ASCII   "value=no_spyware"

00408D6C   ASCII   0

00408D70   ASCII   "f1",0

00408D74   ASCII   "f3",0

00408D78   ASCII   "None",0

00408D80   ASCII   "none",0

00408D88   ASCII   "FC_",0

00408D8C   ASCII   "Im_",0

00408D90   ASCII   "66.250.74.152/kw"

00408DA0   ASCII   "_img/img_gen.php"

00408DB0   ASCII   0

00408DB4   ASCII   "Im_",0

00408DBC   ASCII   "Tc_",0

00408DC0   ASCII   "Mc_",0

00408DC4   ASCII   "fc",0

00408DC8   ASCII   "ac",0

00408DCC   ASCII   "rc",0

00408DD0   ASCII   "BODY_",0

00408DD8   ASCII   "text=",0

00408DE0   ASCII   "&url=",0

00408DE8   ASCII   "MyAgent",0

00408DF0   ASCII   "POST",0

00408DF8   ASCII   "Shell DocObject "

00408E08   ASCII   "View",0

00408E0D   ASCII   "Internet Explore"

00408E1D   ASCII   "r_Server",0

00408E26   ASCII   "%ld_%ld_%ld",0

00408E34   ASCII   "%lX.png",0

00408E3C   ASCII   "RZ_",0

00408E40   ASCII   "Arial",0

00408E48   ASCII   "%lX.png",0

esther

January 15th, 2007, 04:59

Hi all,

Its packed with fsg v1.33 (ol' peid says)

well after fixing the imports.it still have problems runing

well this "crackme" doe runs in 2k sp4 but does nothing.

Thats all for now

blabberer

January 15th, 2007, 05:46

well it uses queer oleinitialize and cocreateinstance and calls somewhere in rpcrt dlls an in there it sits waitingfor multiple mesages whose mask are

Qs_KEY,QS_MOUSEMOVE,QS_HOTKEY and a few other QS_

so it looks like its doing nothing this file may be a part of a multiple droppers

and is probably looking for some events to happen before it can spew its venom

and it seems many of te antivir out there arent able to definately classify it

plain kaspersky file scanner gave this file a clean chit

Quote:

You're clean!
Scanned file: 475477922.exe

Statistics:
Known viruses: 258503 Updated: 15-01-2007
File size (Kb): 16 Virus bodies: 0
Files: 1 Warnings: 0
Archives: 0 Suspicious: 0

so i went to virus total and it seems none of the results are definitive

Code:





Antivirus Version Update Result 

AntiVir 7.3.0.21 01.09.2007  no virus found 

Authentium 4.93.8 01.12.2007 Possibly a new variant of W32/Dlr-Trojan-Malware-based!Maximus 

Avast 4.7.936.0 01.13.2007 Win32:Agent-BSU 

AVG 386 01.15.2007  no virus found 

BitDefender 7.2 01.15.2007 Trojan.Downloader.Popmup.A 

CAT-QuickHeal 9.00 01.12.2007 (Suspicious) - DNAScan 

ClamAV devel-20060426 01.15.2007 Trojan.Clicker-21 

DrWeb 4.33 01.15.2007 DLOADER.Trojan 

eSafe 7.0.14.0 01.15.2007 suspicious Trojan/Worm 

eTrust-InoculateIT 23.73.113 01.13.2007  no virus found 

eTrust-Vet 30.3.3329 01.15.2007  no virus found 

Ewido 4.0 01.14.2007  no virus found 

Fortinet 2.82.0.0 01.13.2007 suspicious 

F-Prot 3.16f 01.12.2007 Possibly a new variant of W32/Dlr-Trojan-Malware-based!Maximus 

F-Prot4 4.2.1.29 01.12.2007 W32/Dlr-Trojan-Malware-based!Maximus 

Ikarus T3.1.0.27 01.09.2007  no virus found 

Kaspersky 4.0.2.24 01.15.2007  no virus found 

McAfee 4938 01.12.2007 Generic AdClicker.b 

Microsoft 1.1904 01.15.2007  no virus found 

NOD32v2 1980 01.15.2007 a variant of Win32/TrojanDownloader.Small.CYF 

Norman 5.80.02 01.15.2007  no virus found 

Panda 9.0.0.4 01.14.2007 Suspicious file 

Prevx1 V2 01.15.2007  no virus found 

Sophos 4.13.0 01.13.2007 Mal/Packer 

Sunbelt 2.2.907.0 01.12.2007 VIPRE.Suspicious 

TheHacker 6.0.3.148 01.14.2007  no virus found 

UNA 1.83 01.12.2007  no virus found 

VBA32 3.11.2 01.15.2007  no virus found 

VirusBuster 4.3.19:9 01.15.2007 novirus:Packed/FSG 





Aditional Information 

File size: 16224 bytes 

MD5: 649ef54499d2c97a7ff975a1e51288e0 

SHA1: 0a66df3e99e4985a26744cb348c2b5da38f12af9 

packers: FSG 

packers: FSG 

packers: FSG 

Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

so it might really be a good target to practice with collectively

anyone up to the task with good com interface calls expertise could jump in and create fun analysing it (especially explaining wat interface its calling whats the clsctx (clascontext looks like its using CLASSCTX_IN_PROC_SERVER CLSCTX_LOCAL_SERVER)

thats all for now got work to do

ps ( btw esther did you check browsing a few forums after it apparantly did not run in your computer ?? are you able to see images still ?? ) i believe it would have successfully set
hkcu/software/m$/ie/main/--> display inline images to no

seven

January 15th, 2007, 08:43

Quote:

All three together

Quote:

you might need to boot in safe mode and get rid of it

i did that but no hope beside i start to love this trojan

Quote:

kaspersky file scanner gave this file a clean chit

antivirus cant discover (trojan + virus) when packed coz packing
hide everything . i know coz i dealed with both 4 long time .

Quote:

What about using this as a real-life miniproject target?

Kayaker : dont turn my trojan to one of ur projectz coz itz illegal

naides

January 15th, 2007, 09:42

Seven: If all you want is to get rid of the trojan, which I suspect was your only request,
Search around for tools like "kill it" over the net. They are able to remove very clingy parasites, or read the manual removal instructions in one of the Anti-virus serious sites.

ZaiRoN

January 15th, 2007, 11:35

Nice project definitly!

I had a glance at it and seems to be easy to understand what it does so it's a perfect program for curious newbies :-)
I would start with your questions and after that we can proceed with the analysis of the file answering and clearing all the doubts which may arise working on a malware in general. What do you all think?

Silkut

January 15th, 2007, 14:55

From a curious newbie point of view I find it very exciting and interesting, I hopefully got several VMs (a particular one that is 'totally' separated from the host: ideal for malwares ?). I read every post with attention.

_learn the good reflexs
_increase rce analysis performances
_particularities of malware analysis
_use alcohol as stimulant
..

esther

January 16th, 2007, 00:59

hi blabberer,

*ps ( btw esther did you check browsing a few forums after it apparantly did not run in your computer ?? are you able to see images still ?? ) i believe it would have successfully set
hkcu/software/m$/ie/main/--> display inline images to no

oh well I'm on windows 2000 sp4,no vmware.

During running that "47..." it stays in the process
It does all sorts of reading and query,you can see it filemon.
then

'47.....EXE' from your computer wants to connect to 194.230.36.72.reverse.layeredtech.com [72.36.230.194], port 2080

The "47...." auto deletes after that hmmm
well I stopped there coz its not a test machine

I checked my IE loading the forum and yes the pictures ,icons were disabled.

Well you can reset it back on advanced options in IE.

Have fun

blabberer

January 16th, 2007, 13:42

@esther
yeah you can reset it
my question was just to confirm your statement that it does not run

i was just baiting for question to be asked and bait some curious bystander to actually download disassemble and put forward a few more queries
but questions havent yet started pouring in

edit

just noticed that post number is devils favourite number

am i being devils advocate

SiGiNT

January 16th, 2007, 17:44

Well it seems it may be a wanna be browser hijacker, out of curiousity and total disregard for my computer here, I plugged "72.36.230.194 port 2080" into IE7 as a proxy and when restarted it took me directly to a page called funfun.name - source listed below:

<html>
<head>
<title>
funfun.name
</title>

<style>
* { font-family: verdana; font-size: 10pt; COLOR: gray; }
b { font-weight: bold; }
table { height: 50%; border: 1px solid gray;}
td { text-align: center; padding: 25;}

</style>
</head>
<body>
<center>
<br><br><br><br>
<table>
<tr><td>Welcome to the home of <b>funfun.name</b></td></tr>
<tr><td>To change this page, upload your website into the public_html directory</td></tr>
<tr><td><img src="logo.jpg"></td></tr>
<table>

</center>
</body>

</html>

SiGiNT

esther

January 16th, 2007, 23:21

hi blabberer,

I have a language barrier here

*my question was just to confirm your statement that it does not run

It excutes and it runs

update:
It seems its a modified fsg.I'm a newbie in this so anyone would want to confirm about that?

LLXX

January 17th, 2007, 00:25

Did a WHOIS on that IP.

Quote:

Name: Suo-Anttila, Jeremy Paul
Handle: JPS66-ARIN
Company: Layered Technologies
Address: 18816 Preston Road
Address: Suite #100
City: Dallas
StateProv: TX
PostalCode: 75252
Country: US

Hmm... webhost?

Also noticed something interesting:

Quote:

http://66.250.74.152/kw_img/img_gen.php

Hit it with the browser...

Quote:

GET /kw_img/img_gen.php HTTP/1.0
Accept: */*
Accept-Language: en-us,zh;q=0.8,zh-cn;q=0.5,zh;q=0.3
Pragma: no-cache
User-Agent: Mozilla/4.00 (compatible; NetView/1.02; PN-DOS v8.94; MGnX v5.11)
Host: 66.250.74.152
Connection: keep-alive
Accept-encoding: gzip, deflate
======================
HTTP/1.1 200 OK
Date: Wed, 17 Jan 2007 05:13:45 GMT
Server: Apache/*.*.** (Unix) PHP/4.3.8
X-Powered-By: PHP/4.3.8
X-Accelerated-By: PHPA/1.3.3r2
Connection: close
Transfer-Encoding: chunked
Content-Type: image/png

And returns a PNG with some blurry text on it that seems to say "Error: No sid provid"

Using Fravia's art of Guessing, I try

http://66.250.74.152/kw_img/img_gen.php?sid=0123456879

...and get "Error: No pid provid". I'm onto something.

http://66.250.74.152/kw_img/img_gen.php?sid=0123456879&pid=0123456789

Ok, "Error: No string provid".

http://66.250.74.152/kw_img/img_gen.php?sid=0123456879&pid=0123456789&string=0123546789

No luck. Tried s, str, text, also with no luck. Googling the filename and the parameter names also produces no results. Backing up a directory we see img_gen.php and arial.ttf. This is some sort of image generator. Going up to the root produces the single line "hello".

I'm probably getting into security/hacking now, but I'll portscan this target later to see what we can gather.

This is fun.

blabberer

January 17th, 2007, 02:37

@ esther i believe you really dont have any language barriers
but is too much fond of your signature

thats some kind of conviction you hold

truly i dont give a damn to what kind of packer it is as i never go for premade tools ( i mean unpackers ,oep finders , protection identifiers and thier ilk)

i tend to muddle my way all through myself

yeah your guess could be right if it was real fsg then possibly the fsg string has been erased
and if you notice while unpacking it you will see a homebrewed
import string decryptor (although its lame just changed the first charecter of every import name so it will take GxitProcess
and convert it to ExitProcess before getting the ProcAddress via Loadlib() GetProcAddress() (i dont think real fsg did all those trickery also if i remeber well fsg didnt have that kind of jump to oep in its original version and didnt check for some hardcoded const in its way over over there)

well like mcafee said its an adclicker that means it fetches or redirects your queries and clicks on the advertisements in those sites which would fetch the the zombies revenue on those murky pay per click sites

@LLXX
get into the binary a little you will see what string is appended to the url (its decrypted and appended with lstrcat()

or try a detour on lstrcat down deep below and log them and
run wget on those urls

if you notice my strings output you will see the urls with lot of = including the img_gen url in clear

a sample output before decryption

Code:



""""18iuuq;..bnmns/bhjmnq/hogn.bij/qiq>pp<n*rnmd*lhn"18iuuq;..wnoq`hou/bnqhshfiu/nsf.bij/qiq>pp<ctx*c`cx*bshc"12iuuq;..tobk/rdoeunch{/hogn.rd`sbi/qiq>p<f`sedohof*fhgu*rqdbh`m"14iuuq;..gdde/kduihmmr/nsf.bij/qiq>pp<odv*{d`m`oe*fhgu"19iuuq;..uidsd`mm/sd`mqshou/hogn.ylmrd`sbi/qiq>j<bmnrhof*uid*`bihdwdldou*f`q"10iuuq;..knjd/vhohofr/o`ld.ylmrd`sbi/qiq>j<b`mhgnsoh`*u`y*qsdq`sds*cnoe"19iuuq;..ushq3/unxq`sur/hogn.ylmrd`sbi/qiq>j<knc*otsrd*rddjds"14iuuq;..cl/rdoeunch{/hogn.bij/qiq>pp<fbd*m*n*sdrtmu"15iuuq;..31758/rdoeunch{/hogn.ylmrd`sbi/qiq>j<bmnrhof*uid*f`q"

after decryption

Code:



0042289B  ####09http://color.ciklop.info/chk.php?qq=o+sole+mio#09http://vo

004228DB  npaint.copiright.org/chk.php?qq=buy+baby+crib#03http://uncj.send

0042291B  tobiz.info/search.php?q=gardening+gift+special#05http://feed.jet

0042295B  hills.org/chk.php?qq=new+zealand+gift#08http://thereall.realprin

0042299B  t.info/xmlsearch.php?k=closing+the+achievement+gap#01http://joke

004229DB  .winings.name/xmlsearch.php?k=california+tax+preparer+bond#08htt

00422A1B  p://trip2.toyparts.info/xmlsearch.php?k=job+nurse+seeker#05http:

00422A5B  //bm.sendtobiz.info/chk.php?qq=gce+l+o+result#04http://20649.sen

00422A9B  dtobiz.info/xmlsearch.php?k=closing+the+gap#

also just by looking at input and output i think you can guess the algorithm used

Silkut

January 17th, 2007, 10:35

Caesar rotation with one move to the right, ROT1 :-?

blabberer

January 17th, 2007, 12:18

@silkut
test your hypothesis here
it will have an online decoder for all the cipheres

http://www.antilles.k12.vi.us/math/cryptotut/home.htm

Silkut

January 17th, 2007, 12:50

@blabberer: thanks for the link.

owl

January 19th, 2007, 10:29

Most malware will create a separate process that will be start automatically everytime that you reboot your system. This process will check to see if it is already install, if not it will re-install itself. That is why it keeps comming back everytime you remove it. If you knew the process name, you can just go to the services file, and change it from automatic start to manual start or just delete that file.

Usually, the name of the process is not that obvious, they tend to mascarade it with some valid Microsoft file. The best way of finding it, is by using something like process monitor or any other process and register monitor. Re-install the original malware, and see which files is creating, this will give you a good indication on what to look at.