
Backdoor Andromeda (waahoo, alias Gamarue)

Posted: Wed Dec 14, 2011 8:50 am
by p4r4n0id
Hi Guys,

I am looking for a relatively new sample (AFAIK :)) - Andromeda bot. Anyone?

Thx,

p4r4n0id

Re: Malware Requests

Posted: Wed Dec 14, 2011 9:36 am
by dcmorton
p4r4n0id wrote:Hi Guys,

I am looking for a relatively new sample (AFAIK :)) - Andromeda bot. Anyone?

Thx,

p4r4n0id
Well, here's the best I can do with an incredibly vague request, IMO. Might be what you're looking for, might not be.

Google is your friend, btw. I went from the vague name "Andromeda bot" to the actual name "Worm:Win32/Gamarue.A/B", to a VirusTotal result with an MD5, to finding a sample of that MD5, using nothing but Google.

Thanks to Kobayashi from vxheavens for the sample as well

Edit:
The sample in the attach is Gamarue.B. MD5 for a Gamarue.A sample is 4a64dd57fbfe0acdf700709b38bd8e69

Re: Malware Requests

Posted: Wed Dec 14, 2011 11:04 am
by p4r4n0id
Hi dcmorton,

First, thx for your fast reply, and sorry for the vague request.

I will try to explain myself better :)

Andromeda is a bot (AFAIK it is similar to Zeus and SpyEye, also a modularized program which can be functionally developed and supported using plug-ins), and one of its final payloads is the sample you have sent me.

http://www.maikmorgenstern.de/wordpress/?tag=botnets

Check the attached SC (screenshot) - the bot web panel.
1.JPG

BTW, I think I have heard about Google somewhere :) - it returned nothing interesting regarding this sample.





dcmorton wrote:
p4r4n0id wrote:Hi Guys,

I am looking for a relatively new sample (AFAIK :)) - Andromeda bot. Anyone?

Thx,

p4r4n0id
Well, here's the best I can do with an incredibly vague request, IMO. Might be what you're looking for, might not be.

Google is your friend, btw. I went from the vague name "Andromeda bot" to the actual name "Worm:Win32/Gamarue.A/B", to a VirusTotal result with an MD5, to finding a sample of that MD5, using nothing but Google.

Thanks to Kobayashi from vxheavens for the sample as well

Edit:
The sample in the attach is Gamarue.B. MD5 for a Gamarue.A sample is 4a64dd57fbfe0acdf700709b38bd8e69

Re: Malware Requests

Posted: Thu May 10, 2012 9:25 pm
by leeno
Request for sample

Andromeda bot
for details: http://cyb3rsleuth.blogspot.in/2012/02/ ... a-bot.html

Backdoor.Andromeda

Posted: Sat May 26, 2012 1:30 pm
by Xylitol

Re: Backdoor Andromeda (alias Gamarue)

Posted: Sun May 27, 2012 5:29 pm
by hx1997
Hi,

is this an Andromeda bot?
Dr.Web identified it as BackDoor.Andromeda.22

Re: Backdoor Andromeda (alias Gamarue)

Posted: Sun May 27, 2012 7:13 pm
by thisisu
Pretty sure this is another one.
MD5: 1592ea251ea1a81244f4487276506f8f
https://www.virustotal.com/file/3f57a21 ... /analysis/
Some notes I was able to gather:

Creates a bad value under this key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Registry Value = SunJavaUpdateSched
File path = c:\documents and settings\all users\svchost.exe (same MD5)
Opens this port: 53382
Interesting string from process (no clue what it means)
Code:
hsk\ehs\dihviceh\serhlsethntrohntcohurrehem\chsyst
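
Added example (editor's code, not part of thisisu's post or of the sample): the "interesting string" above is readable once you treat every 'h' as the byte 0x68, which is the x86 opcode for PUSH imm32, followed by its four-byte immediate. Code that builds a string on the stack pushes the last four characters first, so reversing the chunk order reconstructs the text. Applied to the posted dump this gives the registry path system\currentcontrolset\services\disk\e; the run begins mid-instruction-stream (a strings tool stops at non-printable bytes), so the tail of the key name is not in the dump and is not guessed here. The interpretation is the editor's inference from the bytes, not something the post states.

```python
"""Rebuild a "stack string" from a run of x86 PUSH imm32 instructions.

Added example, not taken from the original post. Assumption (the editor's, not
thisisu's): in the dumped string every 'h' is the 0x68 opcode byte of PUSH imm32
rendered as ASCII, and the four bytes after it are the immediate. The compiler
pushes the last four characters first, so reversing the chunk order yields the
string the code builds on the stack.
"""

PUSH_IMM32 = 0x68

# The string posted in the thread, verbatim.
POSTED_DUMP = r"hsk\ehs\dihviceh\serhlsethntrohntcohurrehem\chsyst"


def decode_push_string(code: bytes) -> str:
    """Decode consecutive PUSH imm32 instructions into the text they place on the stack."""
    if len(code) % 5:
        raise ValueError("not a whole number of 5-byte PUSH imm32 instructions")
    chunks = []
    for off in range(0, len(code), 5):
        if code[off] != PUSH_IMM32:
            raise ValueError(f"byte at offset {off:#x} is not PUSH imm32")
        # The immediate is stored little-endian in the instruction, which is exactly
        # the byte order the string occupies in memory once pushed: no swap needed.
        chunks.append(code[off + 1:off + 5])
    # The last push lands at the lowest address, so it is the start of the string.
    return b"".join(reversed(chunks)).rstrip(b"\0").decode("latin-1")


def encode_push_string(text: str) -> bytes:
    """Inverse: emit PUSH imm32 instructions that build `text` (NUL-padded) on the stack."""
    data = text.encode("latin-1")
    data += b"\0" * (-len(data) % 4)       # pad to a multiple of 4 bytes
    quads = [data[i:i + 4] for i in range(0, len(data), 4)]
    # Emit the tail first so the head ends up at the lowest stack address.
    return b"".join(bytes([PUSH_IMM32]) + q for q in reversed(quads))


if __name__ == "__main__":
    print(decode_push_string(POSTED_DUMP.encode("latin-1")))
```

Run it against a disassembly rather than a strings dump when you can: the decoder only needs the raw instruction bytes, and the encoder is handy for generating YARA-style byte patterns for a key name you expect a sample to build this way.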

Re: Backdoor Andromeda (alias Gamarue)

Posted: Mon May 28, 2012 7:00 am
by rkhunter
Gamarue/Andromeda from my collection.

Worm:Win32/Gamarue.B
MD5: b2a537545dafd9d32c92c38d6091afb4

Worm:Win32/Gamarue.F
MD5: 3eb121fa5647244a8ee15870348aa782
MD5: b07f32cf40a39272d5e0bd597ee11be8
MD5: e13578369bc48a3fbda95335a337cd20
MD5: 6482dfa77d942a2506bb72f2b0edf2d4
MD5: bad248a697c9530b26062ab7ecbfa2ec
MD5: d54c067b972f9ba284bd52d659911b3c
MD5: e0c057d0973841cbbbb739426f2ea572

Re: Backdoor Andromeda (alias Gamarue)

Posted: Mon May 28, 2012 7:35 am
by EP_X0FF
hx1997 wrote:Hi,

is this an Andromeda bot?
Dr.Web identified it as BackDoor.Andromeda.22
Yes, Gamarue.F variant, written in assembler.
hxxp://smoxserv10.in/smox3/image.php
hxxp://smoxserv20.in/smox5/image.php
hxxp://smoxserv30.in/smox7/image.php
hxxp://smoxserv40.in/smox9/image.php
hxxp://smoxserv50.in/smox9/image.php
hxxp://smoxserv60.in/smox11/image.php
%ALLUSERSPROFILE%\svchost.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Run
SunJavaUpdateSched
Payload injected into zombified wuauclt.exe process.

Re: Backdoor Andromeda (alias Gamarue)

Posted: Mon May 28, 2012 12:04 pm
by rkhunter
Worm:Win32/Gamarue.F
MD5: 3eb121fa5647244a8ee15870348aa782

Copies itself to
Code:
C:\Documents and Settings\All Users\Local Settings\Temp\msdubmn.bat
Runs from
Code:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\XXXX
Starts wuauclt.exe and patches it in memory; after that, it dies.
Sets special permissions on the Run key to complicate deletion. After the permissions were changed, it deleted fine.
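
Added example (editor's code, not from any post in this thread): a small triage routine that checks autostart entries for the persistence traits thisisu, EP_X0FF and rkhunter describe above: an svchost.exe copy under %ALLUSERSPROFILE% started from the Run key under the value name SunJavaUpdateSched, a .bat dropped into All Users\Local Settings\Temp and started from Policies\Explorer\Run, and the MD5s posted in the thread. The input records are constructed here in a hypothetical "key,value,image,md5" CSV, not the output of any real tool; the path expansions assume Windows XP defaults, and the location of Oracle's legitimate updater (jusched.exe under Common Files\Java\Java Update) is the editor's assumption, not something the thread states.

```python
r"""Triage autostart entries for the Gamarue/Andromeda persistence traits posted in this thread.

Added example, not from the original posts. The records below are constructed to
mirror the thread's observations; the CSV layout is hypothetical. Path expansion
assumes Windows XP defaults, and the legitimate Java updater location is assumed
to be %PROGRAMFILES%\Common Files\Java\Java Update\jusched.exe.
"""
import csv
import io
import ntpath
import re

# MD5s listed by thisisu and rkhunter in this thread (Gamarue.B/.F).
KNOWN_BAD_MD5 = {
    "1592ea251ea1a81244f4487276506f8f",
    "b2a537545dafd9d32c92c38d6091afb4",
    "3eb121fa5647244a8ee15870348aa782",
    "b07f32cf40a39272d5e0bd597ee11be8",
    "e13578369bc48a3fbda95335a337cd20",
    "6482dfa77d942a2506bb72f2b0edf2d4",
    "bad248a697c9530b26062ab7ecbfa2ec",
    "d54c067b972f9ba284bd52d659911b3c",
    "e0c057d0973841cbbbb739426f2ea572",
}

# Windows XP defaults, assumed for expanding %VAR% in image paths.
ENV = {
    "SYSTEMROOT": r"C:\WINDOWS",
    "ALLUSERSPROFILE": r"C:\Documents and Settings\All Users",
    "PROGRAMFILES": r"C:\Program Files",
}

# The only directories a genuine svchost.exe is launched from.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed sample: two entries from the thread, a genuine Java updater, a benign tool.
# The two placeholder MD5s are made up for the benign rows.
SAMPLE_AUTORUNS = r"""key,value,image,md5
HKLM\Software\Microsoft\Windows\CurrentVersion\Run,SunJavaUpdateSched,%ALLUSERSPROFILE%\svchost.exe,1592ea251ea1a81244f4487276506f8f
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run,XXXX,C:\Documents and Settings\All Users\Local Settings\Temp\msdubmn.bat,3eb121fa5647244a8ee15870348aa782
HKLM\Software\Microsoft\Windows\CurrentVersion\Run,SunJavaUpdateSched,%PROGRAMFILES%\Common Files\Java\Java Update\jusched.exe,0123456789abcdef0123456789abcdef
HKLM\Software\Microsoft\Windows\CurrentVersion\Run,VMware User Process,%PROGRAMFILES%\VMware\VMware Tools\vmtoolsd.exe,fedcba9876543210fedcba9876543210
"""


def expand(path: str) -> str:
    """Expand %VAR% tokens case-insensitively using the assumed XP environment."""
    return re.sub(r"%(\w+)%", lambda m: ENV.get(m.group(1).upper(), m.group(0)), path)


def triage_entry(key: str, value_name: str, image: str, md5: str) -> list:
    """Return the names of the rules one autostart entry trips (empty list = nothing seen)."""
    hits = []
    full = ntpath.normpath(expand(image)).lower()
    directory, base = ntpath.split(full)
    if md5.lower() in KNOWN_BAD_MD5:
        hits.append("known-bad-md5")
    # svchost.exe outside the system directory is a masquerade (thread: %ALLUSERSPROFILE%\svchost.exe)
    if base == "svchost.exe" and directory not in SYSTEM_DIRS:
        hits.append("svchost-outside-system32")
    # The real updater is jusched.exe under ...\Java\Java Update; anything else under this name is borrowed
    if value_name.lower() == "sunjavaupdatesched" and not (
            base == "jusched.exe" and r"\java\java update" in directory):
        hits.append("sunjavaupdatesched-masquerade")
    # Policies\Explorer\Run is almost never used by legitimate software (thread: rkhunter's sample)
    if r"\policies\explorer\run" in key.lower():
        hits.append("policies-explorer-run")
    # Autostarts living in a Temp folder or implemented as a batch file (thread: msdubmn.bat)
    if "temp" in directory.split("\\") or base.endswith(".bat"):
        hits.append("temp-or-batch-autostart")
    return hits


def triage_report(csv_text: str) -> dict:
    """Map each flagged image path (as written in the record) to the rules it tripped."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        hits = triage_entry(row["key"], row["value"], row["image"], row["md5"])
        if hits:
            findings[row["image"]] = hits
    return findings


if __name__ == "__main__":
    for image, hits in triage_report(SAMPLE_AUTORUNS).items():
        print(f"{image}: {', '.join(hits)}")
```

The hash rule only catches the exact samples posted here; the path and value-name rules are what keep catching repacked builds, because the persistence names above stay constant across the variants in this thread while the MD5s do not.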