WinNT/Simda

Forum for analysis and discussion about malware.


Postby swirl » Sat Apr 24, 2010 5:47 pm

some additional info to this: hxxp://blog.inreverse.net/2010/04/backdoorrohimafo.html
pw for zip: infected

asterixdylan.com: 91.213.174.3 - VolgaHost / Bondarenko Dmitriy Vladimirovich
aaron99999999.com: 91.213.174.3
anabalikss.com: 193.105.207.10 - ALFAHOSTNET / Romanov Artem Alekseevich / 193.105.207.0 - 193.105.207.255
navlot.com: 193.105.174.51 - COLO-NET / Volovik Elena Sergiyvna / 193.105.174.0 - 193.105.174.255
anxious-seat.com: 74.54.82.212 - NETBLK-THEPLANET-BLK-14 / Theplanet.net

and it seems they have some problems with their PHP ^^


Re: Backdoor.Rohimafo

Postby EP_X0FF » Sun Apr 25, 2010 4:19 pm

Hi,

thank you for interesting analysis and posting sample.
Did you investigate when it uses the kill_os function?

Regards.
Ring0 - the source of inspiration

Re: Backdoor.Rohimafo

Postby swirl » Sun Apr 25, 2010 4:56 pm

the !kill_os command is sent from the c&c, I let it run for some time but didn't receive it, so
I don't know what triggers it :\

My guess is that they could have some check on c&c side for known sandboxes based on the received
info from the bot: username/computername/botid (which is generated from the volume serial number).
something like this hxxp://evilcodecave.wordpress.com/2009/ ... awareness/ but
implemented on server side, but it's just a guess ;)

Win32/Simda

Postby gjf » Thu Nov 25, 2010 9:13 pm

Here is some crap, works most likely as a password stealer. The original files are packed with UPX, here are the original and unpacked files. (Password is virus).

Active file kills the explorer process every time it focuses on AVZ, Combofix and other similar utilities, preventing them from running.

I could not run these files neither in VMWare nor in Sandboxie, possibly because it detects them. But Anubis in some way could cheat the malware: report 1 and report 2. Looks like this shit starts from the userinit reg key.

Can somebody perform a deeper analysis?
VirusInfo / Defendium / SafeZone Helpers Crew

Re: Trojan.Win32.Jorik.Shiz.hx

Postby EP_X0FF » Fri Nov 26, 2010 4:15 am

Here is the brief for R.exe (sww and gostev included)

After UPX it's crypted and packed again.

Malware has a Russian origin:
averi_sosut_hui


Main executable contains specific code against Kaspersky, AVG, Prevx, Avira, Windows Defender, CA HIPS.


Operates with ntvdm (also checks for presence of KB977165 - MS10-015 patch). Contains list of IP addresses and default passwords.

soccer abc123 password1 football1 fuckyou monkey iloveyou1 superman1 slipknot1 jordan23 princess1 liverpool1
monkey1 baseball1 123abc qwerty1 blink182 myspace1 pop user111 098765 qweryuiopas qw qwe qwer qwert qwerty asdfg
chort nah xak xakep 111111 12 12345 2013 2007 2207 110 5554 775 65 5 46 354 43 23 31 1982 13 123 password
123456


Detects Sandbox.


Writes to HKLM\software\microsoft\windows nt\currentversion\winlogon, under UserInit param, changes registry key security attributes.
Nanocephalous Kaspersky Lab


Injects dll (maps) into winlogon.exe, explorer.exe and performs hooking of several APIs.
[428]winlogon.exe-->kernel32.dll-->CreateFileW, Type: Inline - DirectJump 0x7C8107F0-->01AF0000 [unknown_code_page]
[428]winlogon.exe-->kernel32.dll-->GetFileAttributesExW, Type: Inline - DirectJump 0x7C811185-->01B20000 [unknown_code_page]
[428]winlogon.exe-->advapi32.dll-->CryptEncrypt, Type: Inline - DirectJump 0x77DDE340-->01B50000 [unknown_code_page]
[428]winlogon.exe-->user32.dll-->GetWindowTextA, Type: Inline - DirectJump 0x7E38216B-->01E80000 [unknown_code_page]
[428]winlogon.exe-->wininet.dll-->InternetWriteFile, Type: Inline - DirectJump 0x771E8BB9-->01F10000 [unknown_code_page]
[428]winlogon.exe-->ws2_32.dll-->getaddrinfo, Type: Inline - DirectJump 0x71A92A6F-->01F40000 [unknown_code_page]
[428]winlogon.exe-->ws2_32.dll-->inet_addr, Type: Inline - DirectJump 0x71A92EE1-->01FA0000 [unknown_code_page]
[428]winlogon.exe-->ws2_32.dll-->send, Type: Inline - DirectJump 0x71A94C27-->01EB0000 [unknown_code_page]
[428]winlogon.exe-->ws2_32.dll-->gethostbyname, Type: Inline - DirectJump 0x71A95355-->01F70000 [unknown_code_page]
[428]winlogon.exe-->ws2_32.dll-->WSASend, Type: Inline - DirectJump 0x71A968FA-->01EE0000 [unknown_code_page]
[1104]explorer.exe-->kernel32.dll-->GetFileAttributesW, Type: Inline - DirectJump 0x7C80B7DC-->01D00000 [unknown_code_page]
[1104]explorer.exe-->kernel32.dll-->CreateFileW, Type: Inline - DirectJump 0x7C8107F0-->01890000 [unknown_code_page]
[1104]explorer.exe-->kernel32.dll-->GetFileAttributesExW, Type: Inline - DirectJump 0x7C811185-->019C0000 [unknown_code_page]
[1104]explorer.exe-->advapi32.dll-->CryptEncrypt, Type: Inline - DirectJump 0x77DDE340-->019F0000 [unknown_code_page]
[1104]explorer.exe-->user32.dll-->GetMessageW, Type: Inline - DirectJump 0x7E3691C6-->01C60000 [unknown_code_page]
[1104]explorer.exe-->user32.dll-->PeekMessageW, Type: Inline - DirectJump 0x7E36929B-->01C00000 [unknown_code_page]
[1104]explorer.exe-->user32.dll-->GetMessageA, Type: Inline - DirectJump 0x7E37772B-->01C30000 [unknown_code_page]
[1104]explorer.exe-->user32.dll-->PeekMessageA, Type: Inline - DirectJump 0x7E37A340-->01BD0000 [unknown_code_page]
[1104]explorer.exe-->user32.dll-->GetClipboardData, Type: Inline - DirectJump 0x7E380DBA-->01C90000 [unknown_code_page]
[1104]explorer.exe-->user32.dll-->GetWindowTextA, Type: Inline - DirectJump 0x7E38216B-->01A20000 [unknown_code_page]
[1104]explorer.exe-->wininet.dll-->InternetWriteFile, Type: Inline - DirectJump 0x771E8BB9-->01AB0000 [unknown_code_page]
[1104]explorer.exe-->ws2_32.dll-->getaddrinfo, Type: Inline - DirectJump 0x71A92A6F-->01AE0000 [unknown_code_page]
[1104]explorer.exe-->ws2_32.dll-->inet_addr, Type: Inline - DirectJump 0x71A92EE1-->01B40000 [unknown_code_page]
[1104]explorer.exe-->ws2_32.dll-->send, Type: Inline - DirectJump 0x71A94C27-->01A50000 [unknown_code_page]
[1104]explorer.exe-->ws2_32.dll-->gethostbyname, Type: Inline - DirectJump 0x71A95355-->01B10000 [unknown_code_page]
[1104]explorer.exe-->ws2_32.dll-->WSASend, Type: Inline - DirectJump 0x71A968FA-->01A80000 [unknown_code_page]


Dll is also packed with UPX.

http://www.virustotal.com/file-scan/report.html?id=9da64d6f7fd3589fa133ac61eef4c1810abc393eecffdeaa400adcf527c19ebd-1290745139

Unpacked dll contains another blacklist (AVZ, Kaspersky, HijackThis, Anti-Malware, OSAM). Software is detected via EnumWindows.
Антивирусная утилита AVZ random's system information tool - © random/random
ThunderRT6FormDC hijackthis AVP.MainWindow Kaspersky Virus Removal Tool 2010 Malwarebytes' Anti-Malware #32770 OSAM: Autorun Manager


Attached: a dump of the dll strings and an IDA-friendly, partially unpacked binary.
Ring0 - the source of inspiration
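The hook listing in the post above is the kind of tool output a responder gets from an infected box. As an added example (not code from the post or from the forum), here is a small Python parser for that line format that keeps only hooks whose jump target sits in no loaded module and summarises what each hooked process could be intercepting. The sample lines are constructed from the listing, and the capability labels are this example's own interpretation.

```python
import re
from collections import defaultdict
# Constructed sample in the format of the hook listing quoted in the post above:
# four lines copied from it plus one made-up hook into a known module (not flagged).
SAMPLE_LOG = """\
[428]winlogon.exe-->kernel32.dll-->CreateFileW, Type: Inline - DirectJump 0x7C8107F0-->01AF0000 [unknown_code_page]
[428]winlogon.exe-->advapi32.dll-->CryptEncrypt, Type: Inline - DirectJump 0x77DDE340-->01B50000 [unknown_code_page]
[1104]explorer.exe-->user32.dll-->GetClipboardData, Type: Inline - DirectJump 0x7E380DBA-->01C90000 [unknown_code_page]
[1104]explorer.exe-->ws2_32.dll-->send, Type: Inline - DirectJump 0x71A94C27-->01A50000 [unknown_code_page]
[1104]explorer.exe-->kernel32.dll-->CreateFileW, Type: Inline - DirectJump 0x7C8107F0-->7C801000 [kernel32.dll]
"""

HOOK_RE = re.compile(
    r"^\[(?P<pid>\d+)\](?P<proc>.+?)-->(?P<module>.+?)-->(?P<api>\w+), "
    r"Type: (?P<kind>.+?) (?P<src>0x[0-9A-Fa-f]+)-->(?P<dst>[0-9A-Fa-f]+) "
    r"\[(?P<owner>[^\]]+)\]$"
)

# Capability labels for the hooked APIs: the example's own grouping, not from the post.
API_CAPABILITY = {
    "CreateFileW": "file", "GetFileAttributesW": "file", "GetFileAttributesExW": "file",
    "CryptEncrypt": "crypto", "GetClipboardData": "clipboard",
    "GetWindowTextA": "ui", "GetMessageA": "ui", "GetMessageW": "ui",
    "PeekMessageA": "ui", "PeekMessageW": "ui",
    "InternetWriteFile": "network", "send": "network", "WSASend": "network",
    "getaddrinfo": "dns", "gethostbyname": "dns", "inet_addr": "dns",
}

def parse_hook_log(text):
    """Parse each hook line into a dict; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            rec["src"], rec["dst"] = int(rec["src"], 16), int(rec["dst"], 16)
            records.append(rec)
    return records

def hooks_into_unknown_pages(records):
    """A jump target that belongs to no loaded module is the suspicious case."""
    return [r for r in records if r["owner"] == "unknown_code_page"]

def capability_summary(records):
    """Map each hooked process to the sorted capability labels of its hooks."""
    caps = defaultdict(set)
    for r in records:
        caps[r["proc"]].add(API_CAPABILITY.get(r["api"], "other"))
    return {proc: sorted(c) for proc, c in caps.items()}
```

Running `capability_summary(hooks_into_unknown_pages(parse_hook_log(SAMPLE_LOG)))` on the sample gives winlogon.exe crypto/file and explorer.exe clipboard/network, while the made-up hook into kernel32.dll is left out.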

Re: Trojan.Win32.Jorik.Shiz.hx

Postby kmd » Fri Nov 26, 2010 8:45 am

can you share extracted dll?

Re: Trojan.Win32.Jorik.Shiz.hx

Postby EP_X0FF » Fri Nov 26, 2010 10:07 am

Here it is.

both extracted and partially unpacked.
Ring0 - the source of inspiration

Rloader.A Virscan 4/37

Postby fatdcuk » Fri Aug 05, 2011 6:47 pm

FakeAlert/downloader that loves a system driver.

http://r.virscan.org/62cad9d89302a118801480cc205666fc

VirSCAN.org Scanned Report :
Scanned time   : 2011/08/06 02:41:35 (CST)
Scanner results: 24% Scanner(s) (9/37) found malware!
File Name      : fix_pack107i_231.exe
File Size      : 302080 byte
File Type      : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5            : c35903e1a14e11a915da9a239028aa7b
SHA1           : d6d3f6ffb2f8b237fd0525217c3d6d918d162039
Online report  : http://r.virscan.org/62cad9d89302a118801480cc205666fc

Scanner        Engine Ver      Sig Ver           Sig Date    Time   Scan result
a-squared      5.1.0.3         20110806001306    2011-08-06  0.35   -
AhnLab V3      ...             ..                --          1.70   -
AntiVir        8.2.6.28        7.11.12.220       2011-08-05  0.35   TR/Dropper.Gen
Antiy          2.0.18          20110804.11725727 2011-08-04  0.03   -
Arcavir        2011            201107140423      2011-07-14  0.20   -
Authentium     5.1.1           201108050953      2011-08-05  1.55   -
AVAST!         4.7.4           110805-1          2011-08-05  0.05   -
AVG            8.5.850         271.1.1/3812      2011-08-05  2.37   -
BitDefender    7.90123.8709932 7.38520           2011-08-06  4.46   Gen:Heur.VIZ.2
ClamAV         0.97.1          13403             2011-08-05  0.29   -
Comodo         5.1             9635              2011-08-05  1.93   Packed.Win32.Krap.AS
CP Secure      1.3.0.5         2011.08.04        2011-08-04  0.16   -
Dr.Web         5.0.2.3300      2011.07.23        2011-07-23  13.23  -
F-Prot         4.6.2.117       20110805          2011-08-05  0.84   -
F-Secure       7.02.73807      2011.08.05.05     2011-08-05  0.40   Packed.Win32.Katusha.o [AVP]
Fortinet       4.2.257         13.513            2011-08-04  0.26   -
GData          22.1542         20110805          2011-08-05  0.12   -
ViRobot        20110805        2011.08.05        2011-08-05  0.34   -
Ikarus         T3.1.32.20.0    2011.08.05.79010  2011-08-05  4.82   -
JiangMin       13.0.900        2011.08.05        2011-08-05  1.58   -
Kaspersky      5.5.10          2011.08.05        2011-08-05  0.29   Packed.Win32.Katusha.o
KingSoft       2009.2.5.15     2011.8.5.18       2011-08-05  0.91   -
McAfee         5400.1158       6429              2011-08-05  10.27  -
Microsoft      1.7104          2011.08.05        2011-08-05  3.81   -
NOD32          3.0.21          6349              2011-08-04  0.58   -
Norman         6.07.10         6.07.00           2011-08-05  14.02  -
Panda          9.05.01         2011.08.05        2011-08-05  2.26   Trj/Krap.AZ         
Trend Micro    9.200-1012      8.334.08          2011-08-05  0.50   -
Quick Heal     11.00           2011.08.05        2011-08-05  1.08   -
Rising         20.0            23.69.03.03       2011-08-04  3.27   [Suspicious]
Sophos         3.22.0          4.68              2011-08-06  4.14   Mal/Agent-IE
Sunbelt        3.9.2497.2      10074             2011-08-05  1.34   VirTool.Win32.Obfuscator.hg!b (v)
Symantec       1.3.0.24        20110804.002      2011-08-04  0.10   -
nProtect       20110803.04     12178473          2011-08-03  6.71   -
The Hacker     6.7.0.1         v00271            2011-08-04  0.66   -
VBA32          3.12.16.4       20110804.0825     2011-08-04  3.84   -
VirusBuster    5.3.0.4         14.0.153.0/5801426 2011-08-05  0.00   -


Win32.RLoader.a (Kaspersky)

VirSCAN.org Scanned Report :
Scanned time   : 2011/08/06 02:56:35 (CST)
Scanner results: 11% Scanner(s) (4/37) found malware!
File Name      : 231.sys
File Size      : 98560 byte
File Type      : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5            : 48385d7fd35f2fdaa4c4a5a3f843e304
SHA1           : f33b8a40f806b23ab1e0f1549a8749f770e85bf3
Online report  : http://r.virscan.org/7f0e5a811a0d7f6e3cb85171535cc019

Scanner        Engine Ver      Sig Ver           Sig Date    Time   Scan result
a-squared      5.1.0.3         20110806001306    2011-08-06  0.30   -
AhnLab V3      ...             ..                --          1.44   -
AntiVir        8.2.6.28        7.11.12.220       2011-08-05  0.28   -
Antiy          2.0.18          20110804.11725727 2011-08-04  0.02   -
Arcavir        2011            201107140423      2011-07-14  0.04   -
Authentium     5.1.1           201108050953      2011-08-05  1.53   -
AVAST!         4.7.4           110805-1          2011-08-05  0.01   -
AVG            8.5.850         271.1.1/3812      2011-08-05  0.29   -
BitDefender    7.90123.8709932 7.38520           2011-08-06  4.28   -
ClamAV         0.97.1          13403             2011-08-05  0.02   -
Comodo         5.1             9635              2011-08-05  1.77   Heur.Packed.Unknown
CP Secure      1.3.0.5         2011.08.04        2011-08-04  0.07   -
Dr.Web         5.0.2.3300      2011.07.23        2011-07-23  13.22  -
F-Prot         4.6.2.117       20110805          2011-08-05  0.83   -
F-Secure       7.02.73807      2011.08.05.05     2011-08-05  0.20   -
Fortinet       4.2.257         13.513            2011-08-04  0.24   -
GData          22.1542         20110805          2011-08-05  0.11   -
ViRobot        20110805        2011.08.05        2011-08-05  0.34   -
Ikarus         T3.1.32.20.0    2011.08.05.79010  2011-08-05  4.64   -
JiangMin       13.0.900        2011.08.05        2011-08-05  1.75   -
Kaspersky      5.5.10          2011.08.05        2011-08-05  0.11   -
KingSoft       2009.2.5.15     2011.8.5.18       2011-08-05  0.83   -
McAfee         5400.1158       6429              2011-08-05  9.29   Downloader-CEW
Microsoft      1.7104          2011.08.05        2011-08-05  3.42   -
NOD32          3.0.21          6349              2011-08-04  0.03   a variant of Win32/Rootkit.Kryptik.DF trojan
Norman         6.07.10         6.07.00           2011-08-05  12.01  -
Panda          9.05.01         2011.08.05        2011-08-05  2.18   -
Trend Micro    9.200-1012      8.334.08          2011-08-05  0.05   -
Quick Heal     11.00           2011.08.05        2011-08-05  0.96   -
Rising         20.0            23.69.03.03       2011-08-04  2.22   -
Sophos         3.22.0          4.68              2011-08-06  3.90   Mal/GSPFX-A
Sunbelt        3.9.2497.2      10074             2011-08-05  1.08   -
Symantec       1.3.0.24        20110804.002      2011-08-04  0.21   -
nProtect       20110803.04     12178473          2011-08-03  1.15   -
The Hacker     6.7.0.1         v00271            2011-08-04  0.49   -
VBA32          3.12.16.4       20110804.0825     2011-08-04  3.90   -
VirusBuster    5.3.0.4         14.0.153.0/5801426 2011-08-05  0.00   -


http://r.virscan.org/7f0e5a811a0d7f6e3cb85171535cc019

TDSS killer killing it 8-)

2011/08/05 19:30:30.0531 0596   Detected object count: 1
2011/08/05 19:30:30.0531 0596   Actual detected object count: 1
2011/08/05 19:30:49.0343 0596   ACPI            (d8fb7d1c3f5bfa3f53fe9cc6367e9e99) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/08/05 19:30:50.0234 0596   Backup copy found, using it..
2011/08/05 19:30:50.0265 0596   C:\WINDOWS\system32\DRIVERS\ACPI.sys - will be cured after reboot
2011/08/05 19:30:50.0265 0596   Virus.Win32.Rloader.a(ACPI) - User select action: Cure
2011/08/05 19:30:55.0250 0352   Deinitialize success
Ade Gill
Malwarebytes Researcher

Re: Rloader.A Virscan 4/37

Postby vaber » Fri Aug 05, 2011 8:26 pm

fatdcuk wrote: TDSS killer killing it 8-)

KIS/KAV also detect and cure it; it is a rootkit-infector ;)

Backdoor:Win32/Simda

Postby Win32:Virut » Fri Nov 23, 2012 5:28 pm

Simda?
